[vpn] Schneier's 'Weak Link' Observation (was Two Factor Authentication)
Dan McGinn-Combs
Dan.McGinn-Combs at geac.com
Thu Apr 11 16:07:26 EDT 2002
Of course you are correct about hackers and compliance. But the problem is
that policies and procedures are there to provide a baseline against which
the hacker will show up like a sore thumb (whatever that means).
In general, you are right, there are no "foolproof" security schemes. Any
fool can break them (and often does) by schmoozing someone for a passkey, PIN
number, skey card, etc. But if a company doesn't have policies for how to
implement security -- AND AUDIT AGAINST THEM -- it will never be able to
maintain any kind of security.
Dan
> -----Original Message-----
> From: Christopher Gripp [mailto:cgripp at axcelerant.com]
> Sent: Thursday, April 11, 2002 2:47 PM
> To: Rick Smith at Secure Computing; vpn at securityfocus.com
> Subject: [vpn] Schneier's 'Weak Link' Observation (was Two
> Factor Authentication)
>
>
> Schneier often seems stuck on the concept of 'the weakest
> link' when discussing security issues. It's a valid point,
> but he tends to focus quite a bit on what I consider to be
> an elementary topic.
>
> Everyone understands that if I give my PIN and my token to
> someone then there is a security breach.
>
> The problem with policies and procedures is that they require
> COMPLIANCE to be effective and the bad guys don't usually
> COMPLY with the rules.
>
> I don't believe there are ANY foolproof authentication
> mechanisms. Unless there is a piece of information known
> only by one person, such as a PIN, and that person is willing
> to go to the grave vs. revealing it, then multiple factors of
> authentication are only slightly more difficult to subvert.
>
> Christopher Gripp
> Systems Engineer
> Axcelerant
>
> "Impartiality is a pompous name for indifference, which is an
> elegant name for ignorance." G.K. Chesterton
>
> >
> > Someone posted an observation attributed to Bruce Schneier
> > that deprecates multi-factor authentication mechanisms in
> > cases where technical or procedural weaknesses allow one or
> > more factors to be undermined. I disagree with Schneier on
> > this point of terminology, since such weaknesses exist in
> > just about every authentication technique. It's better to
> > call it "weak" or "poorly implemented" two-factor
> > authentication than try to spin new terminology to capture
> > the distinctions in Schneier's example.
> >
> >
> > Rick.
> > smith at securecomputing.com roseville, minnesota
> > "Authentication" in bookstores http://www.visi.com/crypto/
> >
> >
> > VPN is sponsored by SecurityFocus.com