Re: CRIME REMINDER: Free Seminar on Computer Security tomorrow!

From: Crispin Cowan (crispin@private)
Date: Wed Sep 04 2002 - 17:18:01 PDT

    Andrew Plato wrote:
    
    >>What was it about your experience that convinced you that the threat 
    >>presented by Tsutomu Matsumoto 
    >><http://www.counterpane.com/crypto-gram-0205.html#5> is somehow not 
    >>applicable?
    >>    
    >>
    >What is the probability that an employee or user is going to go to the trouble of building a fake thumb, stealing a thumbprint from a coke can, and then using it to get into a computer? Just because something is possible does not mean it is probable. Moreover, if a person were to undertake such measures to break into a computer, what is the likelihood that those ancillary actions (squirreling away coke cans) wouldn't also arouse suspicion?
    >
    That depends entirely on your threat model:
    
        * Prevent nuisance wankers from logging in to each other's
          workstations to commit pranks: very low probability. In which case
          you don't need to spend the money on the biometric crap.
        * Prevent someone from committing industrial fraud/espionage with a
          value of (say) $10,000 or more: very high. The rubber thumb costs
          $10 and takes an hour. This is not a barrier to someone out to
          steal $10K or more. The only reason you don't see it more is that
          biometric deployment rates are low, and there are easier ways to
          hack in at the moment.
    
    
    >Furthermore, assuming 2-factor authentication was used with biometrics, our gummy thumb-maker would still need to know a password to get on to the system. So even after all his trouble to build a fake thumb, he is still saddled with ripping off a password.
    >
    That's nice. But there are other 2-factor authentication systems that 
    are both better and cheaper than biometrics.
    
    >Hence my complaint with how security (or lack of security) is tested. People obsessively bang away on systems night and day looking for vulnerabilities. Cool. Then they report them. And security folks then use these bugs as proof that XYZ technology is insecure. But merely finding a hole does not make something insecure. Security is not an absolute measure. It's a concept with an infinite number of degrees from nothing to everything.
    >
    Finding a hole absolutely does demonstrate that a product is insecure. 
    The only barrier to entry is the difficulty of deploying the attack. 
    Some vulnerabilities are difficult to exploit, and they are marked "low 
    risk." Other vulnerabilities may be difficult to exploit, but are easy 
    to script, and they turn into worms like Code Red.
    
    Remember, exploits are easy to replicate. The attacker doesn't have to 
    be skilled enough to write their own exploits when they have Internet 
    access.
    
    >Therefore, the intense focus on security holes is very misleading. It places an extraordinary emphasis on locating holes, but virtually zero emphasis on the PROBABILITY of those holes ever being exploited. 
    >
    Your intense resistance to looking at security holes is very disturbing. 
    It suggests that your risk analysis is seriously flawed. Point 
    vulnerabilities are deadly security flaws if they are easily scripted. 
    Pay attention to them, or be 0wned.
    
    >Just because I CAN perform a certain kind of hack, doesn't mean the Internet will be flooded with those hacks. 
    >
    It does if the attack is easy to script and the vulnerability is widely 
    deployed.
    
    >Remember that guy Steve Gibson? He got famous back in 2000 screaming that the Internet was going to come to a halt when Microsoft released WinXP because it used "raw sockets." This would cause the hacker community to unleash hacks heretofore unheard of and wipe out life as we know it. He was on every news show and web site there for a while.
    >
    As Seth said, Gibson is a wanker, and I'm not going to bother defending 
    him. He is not representative of this discussion, and the raw socket 
    issue you refer to is an example of crying wolf about a non-vulnerability.
    
    >None of it came true. Why? Gibson was about 25% correct. Yes, some of the hacks he cited as an 
    >
    None of it came true because Gibson was 100% wrong :)
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
    This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 18:14:45 PDT