Educause Security Discussion mailing list archives

Re: Help explaining why LogMeIn.com type programs are bad.


From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Mon, 17 Jul 2006 17:09:21 -0500

Flagg, Martin D. wrote:

I have received a request to allow global use of LogMeIn.com.  I know
this has been discussed before but what are the top 5 reasons not to
allow this access?  Also, how are people blocking this type of access?
(I am blocking the FQDN)

The rationale for prohibiting this sort of access usually centers around
the little things, e.g., FERPA, HIPAA, and friends.  Page 5 of

        https://secure.logmein.com/wp_lmi_security.pdf


makes some interesting claims, notably:

        The client browser establishes a connection to www.logmein.com
        and authenticates itself.  The gateway then forwards the
        subsequent encrypted traffic between the client and the host.
        It is worth noting that the client will still need to
        authenticate itself to the host--the gateway mediates the
        traffic between the two entities but it does not require that
        the host implicitly trust the client.


To me this makes it sound like the gateway has full access to the
traffic it's proxying.  It *certainly* does some sort of arbitration for
connectivity.  My guess is that if your institution's auditors and
lawyers are willing to sign off on companies like logmein.com as
possible custodians of your data (or arbiters of authentication), it's
probably a safe policy decision to use it for protected data.

The fact that their paper mentions "overrun by armed bandits" as a
threat against their code-signing key sort of makes me wonder how
serious they are, though.  Sure, armed gunmen are a threat, but I would
expect a rogue/disgruntled/careless employee and inadequate safeguards
to be a far more credible/likely threat, and am disappointed that this
isn't mentioned.  They also describe NetBSD as "the Unix variant which
is usually regarded as the most secure operating system."  (I wonder if
anyone's told Theo.)  These obvious oversights and errors indicate to me
that perhaps they're not quite as serious as one might hope.

As far as I know, UofMN isn't actively blocking this sort of stuff.


--
Alan Amesbury
(not speaking on behalf of the) University of Minnesota
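Martin mentions blocking the FQDN. Whether the block is done at the firewall or the resolver, the same DNS query logs can also tell you which clients are trying to reach the service, which is useful evidence when a policy exception is being debated. The script below is an added example, not code from either poster or from LogMeIn; the log line format (timestamp, client IP, queried name, query type) and the sample lines are constructed for illustration. The one thing worth getting right, and the reason for a function rather than a grep, is that the match has to respect label boundaries: a plain substring test would flag "notlogmein.com" and miss nothing, but would also flag "logmein.com.evil.example", which is a different zone entirely.

```python
# Added example (not from the original thread): flag DNS queries for a
# blocked remote-access FQDN and its subdomains in DNS query logs.
# The log format below ("<timestamp> <client> <qname> <qtype>") and the
# sample lines are constructed for illustration; they are not any real
# resolver's output.

BLOCKED_DOMAINS = ("logmein.com",)

# Constructed sample log lines: mix of true hits, look-alikes and benign names.
SAMPLE_LOG = """\
2006-07-17T17:00:01 10.1.2.3 www.logmein.com. A
2006-07-17T17:00:02 10.1.2.4 secure.LogMeIn.com A
2006-07-17T17:00:03 10.1.2.5 notlogmein.com A
2006-07-17T17:00:04 10.1.2.6 logmein.com.evil.example A
2006-07-17T17:00:05 10.1.2.7 www.umn.edu A
2006-07-17T17:00:06 10.1.2.8 logmein.com A
"""


def normalize(name: str) -> str:
    """Lower-case and strip a trailing root dot so comparisons are consistent."""
    return name.lower().rstrip(".")


def is_blocked(qname: str, blocked=BLOCKED_DOMAINS) -> bool:
    """Return True if qname is a blocked domain or a subdomain of one.

    Matching is on label boundaries: 'notlogmein.com' must not match
    'logmein.com', and 'logmein.com.evil.example' is a different zone,
    so a plain substring test is not good enough.
    """
    q = normalize(qname)
    for d in blocked:
        d = normalize(d)
        if q == d or q.endswith("." + d):
            return True
    return False


def flag_queries(log_text: str, blocked=BLOCKED_DOMAINS):
    """Return (client, qname) pairs for log lines whose query hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, qname = parts[0], parts[1], parts[2]
        if is_blocked(qname, blocked):
            hits.append((client, normalize(qname)))
    return hits


if __name__ == "__main__":
    for client, qname in flag_queries(SAMPLE_LOG):
        print(f"{client} queried blocked name {qname}")
```

Run against the constructed sample, only the three genuine logmein.com names (www, secure, and the apex) are reported; the look-alike and the unrelated zone are left alone. Extending BLOCKED_DOMAINS to other remote-access services is a one-line change, and the same suffix logic is what a resolver-side block (an RPZ or local zone) applies implicitly.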
