Andrew Plato wrote:

>I'll have a cool BIOMETRIC mouse on display and if our wireless router is working I can demo its use on the Internet.
>

At the risk of further aggravating Andrew ...

IMHO, biometric authentication for computer systems is bogus snake oil. It's a theorem that your fingerprints are all over your desk (coffee cups, soda cans, pens, even the big greasy fingerprints on the screen :) so it is actually much *easier* for a bad guy to snarf your fingerprint than your password. See here for how easy it is to spoof a fingerprint scanner http://www.counterpane.com/crypto-gram-0205.html#5

Biometrics' other huge vulnerability is sniffing: a biometric scan is an identifier, not an authenticator. If you send it in clear text, it can be sniffed and spoofed. To prevent that, you would have to put a full crypto engine in the biometric scanning device. This is possible, but few do it. Once you go to the trouble, then the primary value of the device is the crypto authentication storage, and the biometric part becomes pretty redundant.

Summary:

* For cheap & cost-effective: use a strong password policy enforcer, and ensure that passwords are not sent in the clear (i.e. use SSL or SSH everywhere, especially for e-mail).
* For high security, strong authentication for computer systems is 2-factor tokens: a smart card with a PIN keyboard on it, so that to break in you have to both steal the smart card and know the user's PIN code. Here are some resources on 2-factor tokens
  o http://www.itsecurity.com/asktecs/may901.htm
  o http://www.rsasecurity.com/products/securid/securid_softwaretoken_for_windows.html
* Biometrics are ok for securing physical access (big steel door locks) but basically useless for computers. This is because the reference repository for the door can be right behind the door, and thus not subject to sniffing, and the door can be subject to physical security (video cameras, armed guard) and other forms of 2-factor authentication (need a metal key to go with that fingerprint). None of this is true for computer authentication.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
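The identifier-versus-authenticator point in the message above, as an added example that is not part of the original post: a verifier that accepts a static template also accepts any captured copy of it, while a device holding a key and answering a one-time challenge does not. All names, the template bytes and the key are constructed for illustration, and the HMAC challenge-response is one assumed way to realise the "crypto engine in the device" the message mentions.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not real biometric data.
ENROLLED_TEMPLATE = b"constructed-fingerprint-template"
DEVICE_KEY = secrets.token_bytes(32)  # hypothetical secret shared by device and verifier


def verify_static(submitted: bytes) -> bool:
    """Scheme A: scanner sends the raw template, verifier compares it."""
    return hmac.compare_digest(submitted, ENROLLED_TEMPLATE)


class ChallengeVerifier:
    """Scheme B: verifier issues a one-time nonce, device answers with an HMAC."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-used nonce: replay rejected
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def device_respond(key: bytes, nonce: bytes, local_match: bool) -> bytes:
    """Device keys the response to the nonce only after a local biometric match."""
    if not local_match:
        return b""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    captured_template = ENROLLED_TEMPLATE  # what a passive observer sees in scheme A
    verifier = ChallengeVerifier(DEVICE_KEY)
    n1 = verifier.new_challenge()
    r1 = device_respond(DEVICE_KEY, n1, local_match=True)
    first = verifier.verify(n1, r1)
    n2 = verifier.new_challenge()
    return {
        "static_replay_accepted": verify_static(captured_template),
        "fresh_response_accepted": first,
        "replay_same_nonce_accepted": verifier.verify(n1, r1),
        "replay_new_nonce_accepted": verifier.verify(n2, r1),
    }
```

In scheme B the replay resistance comes entirely from the stored key and the nonce; the biometric only gates local use of the key.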
This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 15:51:15 PDT