Just set Auth to true [modified]
-
I worked for a company once where we were developing a website where the powers that be wanted the site to be ultra secure. For whatever reason, they decided to go with a security option offered by a company I'll just call SecuriCorp. SecuriCorp specialized in using a dongle with your website to authenticate. There are no user names, no passwords. I wasn't on the project, but heard all about it since it was the biggest project in the company. Each dongle had hardware-set 6-digit keys and every time you pressed a button the next key would come up. The software knew what keys each dongle had and in what order they would appear. Once you logged in with a key, you couldn't use that key or any of the other keys on that dongle (thus eliminating dongle sharing). It seemed like a great idea, until one of the software architects for the project started to look into how SecuriCorp's security model worked. (Coincidentally, this architect was dubbed the "Dongle Doctor.") Their ultra security was setting a plaintext cookie named "Auth" with the value "true". Needless to say, the s$%# hit the fan. From that day on, any time on any project if you talked about security, someone would say "Just set Auth to true." When I left the company shortly after that, they were still in the midst of fighting with SecuriCorp to fix their "security" model.
Broken Bokken http://www.brokenbokken.com
modified on Thursday, April 17, 2008 9:28 AM
-
:-D
If the Lord God Almighty had consulted me before embarking upon the Creation, I would have recommended something simpler. -- Alfonso the Wise, 13th Century King of Castile.
This is going on my arrogant assumptions. You may have a superb reason why I'm completely wrong. -- Iain Clarke -
In the late 90's I was integrating a web project with our internal apps. Their dreaded app wouldn't work unless I cleared my temp folder and cookies every time I compiled, which was very frequent given their buggy app. Hmmm, I wonder how well the "Set Auth to True" would have held water. :^) :^) :^)
/* I can C */ // or !C Yusuf
-
The dongle thing is a standard security system. It was implemented badly: an implementation flaw.
Maruf Maniruzzaman Dhaka, Bangladesh. Homepage: http://www.kuashaonline.com
[Blog] [Silverlight Clone] [Resume] -
MrPlankton
-
I thought the idea of a dongle for the login was great, but you are right, it was a bad implementation. As a standard at that company, all our cookies were encrypted using Triple DES. It's just sad to see that much money put into a solution less secure than the one we already had working. :sigh:
Broken Bokken You can't carry out a ninja-style assassination dressed as an astronaut. It's the luminous fabric; too visible. - Tripod http://www.brokenbokken.com
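The flaw the original post describes (a plaintext Auth=true cookie) beside one hardened form, as an added example that is neither SecuriCorp's nor the poster's code and is written in Python rather than whatever the site ran on: the session cookie carries an HMAC under a server-only key, so a client can present it but cannot forge or edit it. The names SERVER_KEY, issue_session_cookie, verify_session_cookie and set_cookie_header are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment secret kept only on the server; the client never sees it.
SERVER_KEY = secrets.token_bytes(32)


def is_authenticated_plaintext(cookies):
    """The pattern from the thread: any client that sends Auth=true is 'logged in'."""
    return cookies.get("Auth") == "true"


def issue_session_cookie(user_id, key=SERVER_KEY, ttl=3600, now=None):
    """Build 'user|expiry|mac'; the HMAC binds user id and expiry to the server key."""
    if "|" in user_id:
        raise ValueError("user id must not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_session_cookie(value, key=SERVER_KEY, now=None):
    """Return the user id only if the MAC verifies under the server key and the
    cookie is unexpired; tampered, forged or malformed values all yield None."""
    now = int(time.time()) if now is None else now
    parts = value.split("|") if isinstance(value, str) else []
    if len(parts) != 3:
        return None
    user_id, exp_str, mac = parts
    expected = hmac.new(key, f"{user_id}|{exp_str}".encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so the check does not leak how many MAC bytes matched.
    if not hmac.compare_digest(expected, mac):
        return None
    if not exp_str.isdigit() or now >= int(exp_str):
        return None
    return user_id


def set_cookie_header(value):
    """Cookie attributes that keep the token away from scripts and plain-HTTP requests."""
    return f"Set-Cookie: session={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    # Constructed demo: a forged plaintext flag passes, a forged signed token does not.
    print(is_authenticated_plaintext({"Auth": "true"}))           # True
    token = issue_session_cookie("alice")
    print(verify_session_cookie(token))                            # alice
    print(verify_session_cookie(token.replace("alice", "admin")))  # None
```

Encrypting the cookie, as this reply says the company did with Triple DES, hides its contents; it is the MAC that stops a client from altering it, so an encrypted cookie still needs to be authenticated before its contents are trusted.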
-
:laugh: :-D