Don't you have something better to do Crispin? :-) > >I'll have a cool BIOMETRIC mouse on display and if our > wireless router is working I can demo its use on the Internet. > > > At the risk of further aggevating Andrew ... IMHO, biometric > authentication for computer systems are bogus snake oil. It's > a theorem > that your fingerprints are all over your desk (coffee cups, > soda cans, > pens, even the big greasy fingerprints on the screen :) so it is > actually much *easier* for a bad guy to snarf your > fingerprint than your > password. See here for how easy it is to spoof a fingerprint scanner > http://www.counterpane.com/crypto-gram-0205.html#5 The problem with biometrics is again marketing, not reality. Of course they can be beaten. So could an excellent firewall, and IDS, even I dare say, Crispin's own Wirex technologies. Once again the idea is RISK REDUCTION. When used as part of a two-factor logon process (passwords and prints) there is a significant increase in security and decrease in potential for abuse. To successfully crack the system somebody would need BOTH thumb and password. Even without two-factor logon, you can significantly improve security by removing passwords from people's heads. Using their thumb to logon, people no longer need to remember logon passwords. Which means you can enforce 30 character passwords (randomly generated) on all user accounts - making brute force password cracking virtually impossible. And when a person leaves - just delete their thumb from the database. No need to even worry about the password or any remnant passwords on any systems since the user NEVER KNEW their own password. Sure, abuse COULD still happen. The sun could also explode tomorrow rendering everything on earth a scorched cinder. Is anybody here turning down a technology because it fails the Sun Explosion Test? "Sorry, I can't use this hardened Linux server, it won't survive solar explosion and still authenticate my email." Okay, I am being glib, but consider the REALITY of abuse: Our hacker would have to take a mold of my thumb, carefully build a replica, and break into my laptop. But you know what - if there are people running my company taking plastic molds of my thumb - my company has bigger problems then cracked biometrics. The act of fingerprint lifting had better raise some eyebrows around the office. > Biometrics' other huge vulnerability is sniffing: a biometric > scan is an > identifier, not an authenticator. If you send it clear > text, it can > be sniffed and spoofed. To prevent that, you would have to put a full > crypto engine in the biometric scanning device. This is possible, but > few do it. Once you go to the trouble, then the primary value of the > device is the crypto authentication storage, and the biometric part > becomes pretty redundant. Done and done. The biometrics we sell are integrated with a crypto. Nothing clear text goes anywhere. The thumbs are stored as mathematical models based on 125 points. That is CONSIDERABLY more than even what the police consider for positive id. The templates are stored as encrypted binary streams, dynamically generated by a public/private key infrastructure. In short, they are not easily sniffed, cracked, or forged. > * For cheap & cost-effective: use a strong password > policy enforcer, > and ensure that passwords are not sent in the clear > (i.e. use SSL > or SSH everywhere, especially for e-mail). > * For high security, strong authentication for computer systems is > 2-factor tokens: a smart card with a PIN keyboard on it, so that > to break in you have to both steal the smart card and know the > user's PIN code. Here's some resources on 2-factor tokens > o http://www.itsecurity.com/asktecs/may901.htm > o > http://www.rsasecurity.com/products/securid/securid_softwareto ken_for_windows.html * Biometrics are ok for securing physical access (big steel door locks) but basically useless for computers. This is because the reference repository for the door can be right behind the door, and thus not subject to sniffing, and the door can be subject to physical security (video cameras, armed guard) and other forms of 2-factor authentication (need a metal key to go with that finger print). None of this is true for computer authentication. Do you have any idea what a RSA token deployment costs? Suffice to say it is WELL outside the budget most of the firms in Oregon. Compared to a $95 mouse or even the full-on enterprise deployment, the savings is enormous. Tell you what, Crispin. If you want, I can get you one of the mice. I'll even sell it to you wholesale as professional courtesy. Beat it up, play with it, see if you can crack it. If you can - COOL - tell me how you did it. I'd be interested to see what you could do to it. ------------------------------------ Andrew Plato, CISSP President / Principal Consultant Anitian Corporation (503) 644-5656 office (503) 201-0821 cell http://www.anitian.com ------------------------------------
This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 17:11:43 PDT