Re: CRIME REMINDER: Free Seminar on Computer Security tomorrow!

From: Crispin Cowan (crispin@private)
Date: Tue Sep 03 2002 - 19:42:09 PDT

Next message: Greg KH: "Re: CRIME REMINDER: Free Seminar on Computer Security tomorrow!"

Previous message: Andrew Plato: "RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!"
In reply to: Andrew Plato: "RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!"
Next in thread: Andrew Plato: "RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Andrew Plato wrote:

>>And the biometric mouse is even easier to spoof, as it is a 
>>USB device,
>>and USB is not a secure transport for data (there are free Windows USB
>>snoopers that people use to reverse engineer Windows USB drivers for
>>other operating systems.)  So you don't even have to fake up a
>>fingerprint, you can just send the host "valid" data from your USB
>>device, and the host thinks you are the correct user.
>>    
>>
>Oh, well then I guess we should all unplug our mice then and go back to typewriters.
>
If Andrew's other post is correct (that the bio-mouse and the 
authentication server share appropriate crypto secrets) then I side with 
Andrew here: it is possible to secure the communication such that the 
mouse's USB traffic cannot be effectively spoofed electronically.

My main argument is that if the same amount of crypto horsepower was put 
into a PIN code reader, it would be more secure, even if it was only a 
4-digit numeric PIN.

>Again, if you have corrupted drivers on your machine, you have bigger problems then spoofed biometrics. Trojans on computers and people swiping coke bottles for fingerprints strikes me as larger problems then merely faulty biometrics.
>
Why? What is so high-tech about stealing coke cans? If your enterprise 
security *depends* on these thumbprint things, that makes coke cans a 
very serious security threat.

>I mean using this same line of reasoning, everybody who isn't packing an anti-tank missle in his car is a fool because you could (theortically) have tanks invade your neighborhood.  Well, it seems to me if angry tanks are driving around your neighborhood, you have CONSIDERABLY larger problems than a lack of anti-tank rounds in you car. 
>
That is a *really* weak response to a serious security issue. Yes, you 
do have to do risk analysis to decide what the plausible threats are, 
and address the high runners first. But you also have to do that risk 
analysis iteratively after eacy piece of the security plan is 
(contemplated) in place. Fake rubber thumbs is not out on the fringe 
with anti-tank rockets; it is a close-up, real security threat if you go 
through with widespread deployment of biometric authentication. And that 
is exactly why biometric authentication is a sham that no one should 
ever use.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

Next message: Greg KH: "Re: CRIME REMINDER: Free Seminar on Computer Security tomorrow!"
Previous message: Andrew Plato: "RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!"
In reply to: Andrew Plato: "RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!"
Next in thread: Andrew Plato: "RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 20:28:24 PDT