Re: CRIME REMINDER: Free Seminar on Computer Security tomorrow!

From: Greg KH (greg@private)
Date: Tue Sep 03 2002 - 21:00:39 PDT

  • Next message: Andrew Plato: "RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!"

    On Tue, Sep 03, 2002 at 05:33:33PM -0700, Andrew Plato wrote:
    > 
    > > No, this means I can just walk up to your machine, and plug 
    > > my mouse in,
    > > replacing your biometric mouse.  Then when the host asks for the
    > > biometric info, my mouse sends back the proper info, and access is
    > > granted.
    > 
    > Actually no - that isn't how the Biolink biometric system system works
    > (that's the one we sell). The templates for prints are not stored
    > anywhere on the mouse. They are stored within the actual computer or
    > within a secured network appliance. Even if you stole the templates
    > off the computer, you couldn't just input them into any old computer -
    > you would have know the private key / template combination to use as
    > well as pass in a live print.
    
    Ok, I looked at the marketing stuff for this device, and it is different
    from the device I have looked at previously.  Sorry for jumping to
    conclusions.  But marketing fluff is often much different than reality.
    
    > > In short, a broken design :)
    > 
    > Yes, but what you describe is not how the biometric system we sell works. 
    > 
    > > See the c't article for more technical info on how to do this 
    > > if you are interested.
    > 
    > I've read it. Its fascinating. We've tried it at work. Its not that
    > easy to do. You have to be pretty commited and have resources at your
    > disposal. But that's true of virtually ALL hacking activities. 
    
    Heh, ok then, I imagine that you would have no problem a Linux driver
    being created for this device?  When I asked the previously alluded to
    company, they rebuffed me saying, "We can not reveal our proprietary USB
    protocol, so no Linux driver can be written."  I am pretty sure that the
    c't article refers to this device, and points out all of the problems
    that I stated (you can't hide USB data...)
    
    So would you mind me writing a Linux driver?  If what you say is true
    about the protocol and design of the system, an open-source driver would
    do a lot to make people feel better about such products.  If you aren't
    the person to talk to about this, do you know who I can talk to?
    
    And yes, I have a bit of USB and Linux experience... :)
    
    thanks,
    
    greg k-h
    



    This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 21:45:48 PDT