Why One-time Passwords Suck For MITM Attacks 138
whitehartstag writes "Black Hat 08 disclosed several SSL VPN and DNS vulnerabilities that caused several people to sit up and take notice. Some of these new exploits performed a brilliant Man-In-The-Middle attack on SSL VPN tunnels. This article walks you through how using certificates, instead of OTP tokens, for second-factor authentication can increase the security of your SSL VPN against these new types of attacks."
The Love Triangle... (Score:5, Funny)
Coming to you this fall...Larry is...The Man in the Middle.
xkcd comic (Score:4, Funny)
http://xkcd.com/177/ [xkcd.com]
Eve
Re: (Score:2, Insightful)
Is anyone else on the Internet SICK TO FUCKING DEATH of every story/article/anything having a XKCD comic posted as a link in it?
Yes, it's funny.
Yes, we all read it and like it.
No, we don't need you to post a fucking link to it EVERY FUCKING TIME.
Posting as anon because obviously a lot of people are going to think this is a Troll. It's not. I like XKCD. I'm just sick of the 5th comment down every time linking to one of his comics...
Sigh
Re:xkcd comic (Score:4, Insightful)
You do know that you don't have to click on every link that you see on a web page, right?
Re:xkcd comic (Score:5, Funny)
Well just in case he doesn't know...
Knowing is half the battle. [goatse.cz]
Re: (Score:3, Informative)
He's not a dick, he's an asshole.
You should get your eyes checked.
Re:xkcd comic (Score:5, Funny)
http://xkcd.com/406/ [xkcd.com]
Re: (Score:2)
Hm. That comic was about as exciting as watching bubbles [is.gd].
Re: (Score:2)
Well, I thought it would be funny to post an xkcd comment in response to the rant about xkcd. Unfortunately, I wasn't dedicated enough to the joke to go searching for something really appropriate, so I just posted the first tangentially related one I came across.
Re: (Score:3, Funny)
Which, I take it, is why your post was not signed "Summer Glau".
Re: (Score:3, Informative)
Re:xkcd comic (Score:5, Funny)
No.
Summer Glau
Re: (Score:2)
That is no-where near an exhaustively-researched word-by-word rebuttal.
Re: (Score:3, Insightful)
Then, I must be the real one and not that poser from xkcd.
Re: (Score:3, Informative)
It frightens me that you got modded "insightful"
Re:xkcd comic (Score:4, Funny)
That is no-where near an exhaustively-researched word-by-word rebuttal.
OK...
Is
Isn't
anyone
everyone
else
this
on
off
the
Um... you win.
Re: (Score:3, Interesting)
Also, do you think you own this space or something? I mean your post sure took up alot of room with 0 useful content, while the parents one-liner was a much better use of space.
your comment (Score:2)
would make good fodder for an xkcd comic
perhaps someone already has the relevant comic to paste under your comment?
Re:xkcd comic (Score:4, Funny)
My hobby:
I like to post an xkcd link into every story I come across...
Re: (Score:1, Funny)
Coming to you this fall...Larry is...The Man in the Middle.
Not sure Larry is the best name, how about Malcolm?
Language nitpick (Score:2)
<nazism type="grammar">
The headline says "IT: Why One-time Passwords Suck For MITM Attacks", and the body says "
This article walks you through how using certificates, instead of OTP tokens [...] can increase the security of your SSL VPN [...]."
I'm "huh?", right now. If use of OTPs is the MITM problem and certificates is the solution, then surely OTPs are good for MITM attacks, in that they make them easier to execute and are well-liked by the perpetrators, while certificates are bad for MITM attacks.
frequency in the wild ? (Score:5, Interesting)
I know that there are some people that are very clever at doing these man in the middle attacks, but they usually happen in an academic setting as proof of concept.
Have there been documented cases of (successful) mitm attacks on banks or other high profile targets ?
Re: (Score:2)
Re: (Score:3, Funny)
http://www.imdb.com/title/tt0212671/ [imdb.com]
Yes. The above link was successful for 6 years.
Re: (Score:1)
Confusing Frankie Muniz with a man is a rookie mistake.
Re: (Score:1, Insightful)
One place where these attacks actually happen is in hosting facilities. Often the switches are not configured properly and without ARP monitoring MITM attacks are trivial. With unencrypted protocols like FTP still in use, attackers don't even have to work that hard.
Re: (Score:2)
I've done a demo of such an attack *long* ago, but I've never actually seen one in the wild. High profile because that means it would have likely been documented in the media.
Banks and such are notoriously tight lipped about their breaches, if one got mentioned at all it would likely be a serious breach.
A prime candidate to me would seem to be the ATM machines that are sitting in stores, they're much less secured than the bank variety and it would not be too hard to replace their innards with something 'cus
This is NOT an attack on SSL VPN (Score:5, Interesting)
This isn't an attack on anything, really.
Here is what the article says:
"They will then go to all of the trusted CAâ(TM)s and try to get them to issue them a valid âoeinternal onlyâ certificate with the FQDN of a target sslvpn URL. As soon as they get a success, that company now becomes their target of choice. Remember, the certificate they need can be issued from any trusted CA in the browser and does not need to match the CA that the SSLVPN gateway is using."
Now, may be I am not understanding the purpose of SSL certificates and the PKI infrastructure in general, but I was under distinct impression that the whole reason those authorities exist is to verify who they give the certificate to, and in such a way that we, users, can trust these certificates.
If this is not correct, and anyone can with relatively minor effort get certificate for a random domain name from one of recognized cert. authorities - game over, none of this matters, the entire PKI infrastructure is in the crapper.
So, either we have to deal with cert. authorities signing things they should not or this is not an attack that is worth discussing. Everything else is a half-measure.
Re:This is NOT an attack on SSL VPN (Score:5, Funny)
Cert authorities are notorious for poor checking. The main thing they check is that they are getting paid. There are things certificates are good for- knowing for sure the first time you see one for a site that they are who they claim they are without further checking is not one of them.
Roll yer own... IPCop and Zerina OpenVPN (Score:3, Interesting)
I made a VPN server using IPCop and added the Zerina OpenVPN package to it. Simple plug and play. It has it's own internal certificate authority, and issues it's own client certificates for each road warrior client you set up to be an OpenVPN client under the Zerina webgui. Very secure, since it will only accept the client certificates that were generated locally to the machine. The cost for the software, is of course FREE. The old AMD Athlon 2400 Compaq PC upon which I'm running it, is worth maybe $200 top
Re:This is NOT an attack on SSL VPN (Score:5, Insightful)
Re:This is NOT an attack on SSL VPN (Score:5, Informative)
You miss the point -- they are issuing a valid cert for an internal address.
"intranet" would be an example. Not intranet.mydomain.com.
Since your DNS will append mydomain.com automatically, it leaves you vulnerable to anyone who installs an "intranet" cert on a server they have spoofed into your DNS if you the browse to "intranet".
If "intranet" is an SSL VPN, then they can get in the middle and get your OTP.
Re: (Score:2)
Actually, SSL certificate signing is more about making money than security...
It's a way for a few select players to create an artificial market and keep their monopoly cartel in the name of "security".
Most of their checks are as rudimentary as "do you have an email at the domain? yes? ok then you can have a cert".
What would be better, is if organizations you do business with (banks especially) issue you a certificate out of band (ie they give you it on physical media when you go to a branch or when they sen
Re: (Score:2)
As far as CAs are concerned, it's a list, not a chain!
A user can always choose to *remove* 'Hong Kong Post Office' from his list of trusted CAs.
long story short... (Score:5, Interesting)
Please reveal the CA. They need to be shut down.
Re:long story short... (Score:5, Insightful)
Shutting them down is stopping short, all the certificates issued by them need to be revoked as well and reissued by another CA after thorough checking.
If there is one documented case there are likely to be many more undocumented cases.
Re:long story short... (Score:5, Insightful)
Somebody, preferably a government agency, should be in charge of testing CAs. CAs have very strong economic incentives to loosen verification rules in order to compete and sell more certificates. When one CA loosens its rules a little bit, all the others are compelled to do the same to stay competitive. It's a race to the bottom [wikipedia.org].
Market forces cannot solve the problem because there's a fundamental information asymmetry. Joe Myspace isn't going to understand what a root CA is, much less manually remove it from his browser. And even if he did understand what that meant, would he lose access to his favorite SSL-protected sites for some egghead's paranoid security fears?
We need regulation, and we need it now. We need several free, worldwide certificate revocation lists [wikipedia.org], and we need agencies running these lists to randomly and anonymous ensure CAs are following the verification rules.
Having just one CRL gives too much power to one authority, which is especially dangerous if these authorities are organs of government. Browsers should check all CRLs and consider a certificate invalid if, say, two-thirds of the CRLs say to do so.
In any case, the current situation is untenable.
Re: (Score:2)
Re: (Score:2)
You misunderstand my proposal. The FBI and CIA abused special investigatory powers. On the other hand, these bodies I'm proposing only need the power any private citizen would have. They're only likely to be government organizations because there's no profit in them.
And the whole reason for having multiple organizations here is to avoid any one of them being made into a DoS-a-matic.
Each organization only has the "power" to state "this certificate is invalid" or "this CA's certificates are invalid." It's up
Re: (Score:2)
If they are part of the government, they will be even more likely to cooperate with a warrant-less "search". Here is an example:
Re: (Score:2)
You don't buy certificates from these agencies. You buy them from CAs.
What these agencies would also do is attempt to buy certificates from these CAs as well, except they'd try to obtain certificates they weren't supposed to. When they did, they'd update their CRLs and shame the companies with lax verification.
Re: (Score:3, Interesting)
Replace "attempt to buy" with a "get a court order" (or whatever flimsy paperwork the FBI is giving out because our fearless leader says it's good thats an entirely different point) throw in a gag order. Hell simplify the whole process and have them sign a signing cert to make a NSA CA legit in most browsers.
The SSL cert process is broken by design because stopping MITM attacks is hard. It's also only a tech good for commercial encryption if a power government wants to subvert it it will. Military grade
Re: (Score:2)
We are discussing a (hypothetical) government agency in charge of issuing certificates (a CA). My point was, such an agency will be more cooperative with FBI, than a non-governmental entity.
Re: (Score:2)
No, we are discussing a consumer watchdog agency that issues nothing except warnings. You don't buy certificates from this hypothetical organization.
Re: (Score:2)
The CA just signs your cert. Only you hold the private key.
Re: (Score:2)
That's good, if I trust, that I obtained the matching public key via a reliable source — the key needs to be signed. Certificate Authorities are in charge of signing these keys — this way a browser needs only to know a handful of CAs and be able to use SSL with countless thousands of the CAs' customers.
If a CA issues a certificate for "Example, Inc." and, they can issue another one (with the same company name and domain), and give it t
Re: (Score:2)
Re: (Score:2)
I think this is bad idea, and here's why.
First, government regulation is going to add an air of trustworthiness to something we should already be increasingly skeptical of.
Second, letting them certify the certifiers, gives them a way to impose political agendas. We have already seen governments, when unable to attack a server directly, attack their DNS records. Now they'll make CAs revoke certs for whomever they don't like, reg
Re: (Score:2)
You misunderstand me. The TSA is a different beast, with real power. The organizations I'm talking about have purely an advisory role. They would be able to do nothing a private citizen couldn't. They'd could nonprofits. I only imagine them being organs of government because these organizations couldn't (legitimately) turn a profit.
It'd be up to browsers to consult them.
Of course, you can do the same thing with browser updates, albeit with a much larger latency.
Re: (Score:2)
Agreed. Doesn't revoking the signing root certificate then revoke all certificates signed by them? That's what needs to happen.
Re: (Score:2)
Yes, it does, but without checking all the certificates that were signed with that root we have no idea how many (and which!) other certificates they issued were bogus and that is very important information.
It will give people that were using these certificates a chance to review their records to see if anything bad happened to them.
The only other alternative is to mark all the parties that bought their certificates there as untrustworthy, but since there is probably nothing wrong with 99 % of the parties t
Why go halfway? (Score:3)
... and then the execs need to be drawn and quartered.
Only partly joking. This is such a flaming case of massive malfeasance that impacts **SO** much more than your run-of-the-mill corruption and other shenanigans. As other posters have noted, this shadiness means certs like this are, in general, complete crap, and given the extent to which many very vital businesses conduct online operations on the basis of these certs, a simple slap on the hand -- or even
Re: (Score:3, Funny)
...then they were taken out and beaten to a pulp.
...then they were ground up into this powder!
Thawte (Score:5, Informative)
I must say that in general I have been unsatisfied with thawte. They gave me a hard time about re-issuing my cert after the debian-ssl debacle and in general their tech support people don't know anything beyond what is already on their site.
Seriously, I pay over a hundred clams a year just to so that I can have ssl communication without the "OMFG THIS SITE IS GONNA HAXOR YOU" dialog box pop up in user's browsers, and they pull all kinds of monkey business.
But since verisign owns them, I wouldn't hold my breath for them to be shut down. My guess is the other CAs do this, too.
Re: (Score:2)
It doesnt necessarily mean it was Thawte, though. From an earlier article [networkworld.com]:
It's a little vague, but it might mean that a lot of CAs have this checkbox.
Re: (Score:2)
Even if all of the real CAs are fixed, how long before the blackhats start selling certs that are signed by their CA, whose certificate is added to people's trusted cert list by their trojan?
If a user's computer is zombified by a trojan, then the list of trusted root CA's in it's browser is far, FAR down on the list of concerns.
Re: (Score:2)
Even if all of the real CAs are fixed, how long before the blackhats start selling certs that are signed by their CA, whose certificate is added to people's trusted cert list by their trojan?
That's a real weakness. But you have to start somewhere. The only workaround for this is to burn in a master "CA of CAs" certificate into the software in such a way that trojan's can't interfere with this. But I'm not sure that that's a great solution, even with the assistance of something like Trusted Computing, because it is too easy to use to lock out genuine small operators.
Bleah. I don't have a solution to the combined power of stupidity and cute kitten screensavers. Best we can hope for is to be able
Hmm, it is and it isn't... (Score:2)
A client cert, stored on the computer, should NOT be considered one factor in a two factor scheme, because the client computer is far too easy to compromise.
OTOH, it makes a good point that a client cert (OR, hell, just caching the server cert and complaining when it changes!) should be used because its too easy to social engineer a valid cert from a CA
Re: (Score:2)
Re: (Score:2)
Interfering with email - especially if you're already faking certs or attacking DNS through it's recent vulnerability - isn't that hard. Two factors sent over the same pipe (at diffeent times) is better than nothing, but hardly a reliable defense.
Re: (Score:2)
All encryption is about sending the data split two (or more) ways. Sending the pieces on the same pipe is bad. Sending them on different pipes is good. CAs should use physical mail or phone calls (though the latter is increasingly becoming the same pipe) to validate the identity of a company before re-issuing a cert, but instead they use email, which is a substantial vulnerability, for wich exploits are known.
Re: (Score:2)
I wholehearted agree. Banks shouldn't be using CAs at all, since everyone (at least at some point) physically meets their bank. In that kind of situation, introducers are just solutions looking for problems.
Re: (Score:2)
Likewise, an OTP doesn't answer "who you are". I'm not really sure what this headline is about.
I get the gist of the journalism industry, with catchy headlines and so-so content, and the is Slashdot after all, but
"One-time Passwords Suck For MITM Attacks" implies an awful lot.
What does a OTP have to do with MITM anyway? I can't see how it can suck any more than normal password authentication and MITM attacks.
Is there some delusion that OTPs establish identity?? It's just a password you carry in your pock
Re: (Score:2)
A client cert, stored on the computer, should NOT be considered one factor in a two factor scheme, because the client computer is far too easy to compromise.
Well insofar as the client is who you're trying to protect, if the client computer is compromised, then you're already f*$ked. From the client-end of things, it should be sufficient to know, "if I'm not already compromised, then I won't become compromised by doing this."
So client-end root certificates serve a very important function in the security system. If the client is good, and the trusted root server is giving good information, then the subsequent certs should all be good too. The problem here is
Re: (Score:2)
If you're worried about the client machine being compromised you can't trust passwords, certificates, one-time passwords, or anything else attached to or entered into the client system other than isolated computing environments in a challenge-response configuration (i.e. smartcards, etc.). If your authentication system uses any data that is ever stored in the client RAM, it is possible to obtain that data if the client system is compromised.
You might not consider a host certificate plus a user password suff
Re: (Score:2)
If the client computer is compromised, then you have already lost everything. There is no authentication solution which can sustain that.
OTP - Depends what you are using (Score:1)
My thoughts exactly -- it's a bad headline. (Score:2)
This is not about one time passwords, it's about misusing them.
And, while it is about poor practices issuing certs, it is more about the inherent weakness of trying to do it all with a single browser. And about the inherent weakness in using certificates issued by the public CAs.
With the current tools, requiring the client to have a cert, too, mitigates things a bit, but the client should never have been allowed to connect without a cert anyway, and neither the client nor the server should be using certific
Re: (Score:2)
If you need security, you have to be willing to issue your own certs for day-to-day operations.
Today this is the main factor that distinguishes real security from pretend security in practice. I think banks and other financial institutions have to do this internally to meet auditing requirements - at least, the market for expensive boxes that do nothing but act as an automated internal CA is bigger than you'd think.
I can't think of any other way to validate that endpoints' identities without providing your own CA, and all the crypto in the world won't help if one endpoint is the attacker (MITM or ot
Re: (Score:2)
With dedicated browsers, we don't even need the root to be issued by a public CA.
has anyone experienced the following: (Score:2)
My wife has shown something to me today that really has been bugging me for the entire day, she connected to her work via VPN with a security token, a number generator that is given to her that is synchronized against a server number list I suppose and when she ran a search on something she mistyped, our provider, Rogers Canada, was able to get the mistyped word and injected their own search frame into the HTML that returned to her browser.
Now, I am not sure how this happened, I was under the impression tha
Re: (Score:3, Informative)
Most VPN Clients I've used support a split tunnel mode... the idea being that data going to your company's internal LAN goes through the VPN tunnel ; data going elsewhere goes outside the tunnel. The idea here is that if you're trying to do stuff on the public network (that's assumed to be less sensitive to begin with), you don't have to wait for the traffic to flow from your computer to your company and then to the site you want (worst case being if you wanted to say stream music off your music server on
Re: (Score:2)
You are probably correct, I am going to check that client. I wonder how it decides what is split, just by filtering out anything that is directed at an IP not within the company subnet or maybe there are lists of IPs that go through encrypted channel. Thanks.
Re: (Score:1, Interesting)
VPN may encrypt between her computer and the end point; but if she uses the endpoint connection to surf the web, then that activity may be unencrypted.
Does her company have the same service provider as you do at home?
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
that is the most likely possibility, I thought at first maybe her work uses Rogers as an ISP, but then I checked and it doesn't
Re: (Score:2)
too bad for the new blizzard authenticators (Score:3, Interesting)
Too bad that the new authenticators from blizzard are OTP's and people are convinced that it is 100% foolproof, as this article tends to prove otherwise.
Re: (Score:2)
The people who believe that probably also believe that they're getting keyloggers from addons. Or that copy-and-pasting your credentials will defeat a keylogger. Or one of many other numerous ill-conceived notions.
Re: (Score:2)
Yep.
I trashed the authenticators on wowinsider and got flamed to hell by people going "this thing is foolproof zomg how dare you doubt blizzard"
Re: (Score:2)
Hehe. Really? I probably read your posting.
For what it's worth... I think the tokens are a good step. They're probably better than the weak passwords and low-hanging-fruit desktops that make up the current environment. But people should understand their limitations and that they aren't invincible.
What do they look like? (Score:2)
Can anyone verify what, if any, difference these "testing ony" certificates are?
Do they come up with the name "TESTING ONLY - Mozilla corporation", or it it more like the sub-root key is named "Strictly testing only", which requires you to inspect the certificate fully for every connection?
Fortunately we've used client-side certificates for our 2 factor authentication for years. Its cheaper than tokens, and easier too.
I don't see how this is much better? (Score:4, Interesting)
I might be missing something here, but this article proposes, as a way of trying to make the management of keys/certs easier (which is necessary to implement the client-side certs), to use this "SecureAuth" system. . . which downloads an SSL cert to your computer. So. . . uhh, why can't an attacker intercept this? Well, the answer seems to be (maybe I'm misunderstanding here) that before the SecureAuth system will download the cert to you, it sends you some sort of one-time-password via phone or SMS, which you must enter to get the key . . . but once you've typed in this one time password you got by phone, what prevents the MITM from intercepting that passsword the exact same way it would have been attacking the other one-time-password generated by the keychain fob, and therefor be able to impersonate you to the SecureAuth server and get the client cert which should have been sent to you?
Security token for phones (Score:2)
Re: (Score:2)
The idea is cute, but if you're going to rely even partly on a hash, you should at least use a reasonably strong hash. Base it on HMAC(SHA-256), where the secret code is stored as a 256-bit hash and used as the key for the HMAC, hashing the minutes.
Re: (Score:2)
Re: (Score:2)
If it was that simple, you'd just use + as your hash function. No.
The minutes are well-known so that is already a lot of entropy you're giving the attacker for free. They don't know the string, but if they intercept the hash, they can work it out almost trivially because of how broken MD5 is. At least using HMAC and SHA256 (or better) will insulate the key from hash reversal.
Re: (Score:2)
Say I borrow your phone for a couple of hours
Well, if you can get hold of my phone, all bets are off, of course. You'd still need to know my username and password too though.
Huh? (Score:2)
Forgive my squirrelly ignorance, but is using an OTP even supposed to be a counter to a MITM attack? I that they were used so that there was no one password to be compromised, prevent "replay" attacks, that sort of thing...
Re: (Score:2)
Precisely. OTP is supposed to be a protection against password compromise. "Got my password? No prob! The one you got will never work again anyway."
That's only true for eavesdropping, not MITM. In case of MITM password doesn't make it to the destination server and thus doesn't get removed from the list of valid passwords. MITM attacker could just show you forged "Login failed" page and use the password later on.
OTP passwords aren't usually time limited; you can use them whenever you choose to do so.
Properly implemented secure tokens (SecurID and such) dish out passwords that are valid only at certain moment and are also single use. If the captured pass
bizarre (Score:2)
OTPs are meant to help against eavesdropping.
Anybody who feels the need to point out that they don't protect against MITM hasn't been paying attention somewhere in Security 101.
Not all OTP's are vulnerable to MITM! (Score:3, Interesting)
Not all OTP's are prone to MITM attacks; the Yubikey [yubico.com] for example has a (8hz) timer built in, initialized to a random value on connection. Next time a OTP gets generated the timestamp moves up too with a maximal difference of 10%. This timer prevents MITM attacks; without the use of a battery. Read more on their website.
I'm currently writing an authentication platform working with Yubico's demo and reprogrammed Yubikeys.
I'm not affiliated with Yubico, just a user of their product ; although I can tell this key has it done right!
They also seem to have a nice mindset allowing a large suite of usages with their product by focussing on the hardware only, leaving the software with 3rd party developers.
Oh, and did I mention it was open source?
You're getting it wrong here ... (Score:2)
You are not obliged to use their authentication server. As a matter of fact, I'm writing my own (distributed) authentication platform for that one reason.
You don't have to use their server to be authenticated; as long as you keep the counters and timers synchronized with your own database.
Since the Yubikey is open-source, you could decrypt the key in no-time without even needing a remote connection to anywhere.
Whenever using a keyfob, yubikey or rsa one time pad; you will always have to store your variables
Re: (Score:2)
Q. There are several types of OTP tokens out there. Which is the YubiKey?
A. Many OTP solutions today depend on time-synchronized tokens and verification service. Since each OTP is valid for only a limited time, this solution adds higher protection against phishing. Unfortunately the synchronization process is difficult to administer and out-of-synch tokens add frustration for users.
Other OTP solutions depend on a incremental internal sequence counter as the basis for the OTP generation. In this case an OTP does not expire, and thus the risks are higher, but at the same time it is generally an easier system to administer than time-based tokens.
YubiKeys combine the best of these two approaches. There is no need for the YubiKey tokens to be synchronized to a common server time. Each token has an internal sequence counter that is partly driven by its internal clock. YubiKey's unique design ensures that this counter is part of the generated OTP, so the system in effect lets the service check synchronization at the OTP validation time.
This might give you the answer to this question;
Also explained here [yubico.com] is:
Another feature to prevent OTP harvesting and Phishing is to use the timestamp field to calculate the delta between two generated OTPs. In a scenario where a bigger stake is at risk, the server would typically ask for one OTP when the user logs on and a second when "checking out". The server knows the exact time delta between the OTPs but the Phisher doesn't.
Rofl (Score:2)
From the article: ...he didn't disclose the CA that issued it to him but it was one that was trusted in IE by default.
Hey, let's blame the SSL, and not the retarded cert authority.
Re: (Score:1)
Re: (Score:3, Interesting)
We need more Red Dwarf references...
Re: (Score:3, Funny)
We need more Red Dwarf references...
A superlative suggestion sir, with only two minor drawbacks: one, we don't have enough boys from the dwarf and two, we don't have enough boys from the dwarf. I know that technically that's only one drawback, but I thought it was such a big one it was worth mentioning twice.