The Security of You
Posted Monday, November 10, 2008 12:20 PM
SSC-Dedicated
Group: Administrators
But we can remove the old ones!

Follow me on Twitter: @way0utwest
Post #600114
Posted Monday, November 10, 2008 2:57 PM
SSC Veteran
Group: General Forum Members
I've always been skeptical of biometric security simply because it assumes secure endpoints, which is precisely the least logical assumption that a security system should make. With USB fingerprint devices becoming much more common, are you just going to trust that my USB reader isn't sending a digitized copy of somebody else's prints? Do I really want to send a digitized copy of my fingerprints across the wire to a website to sign in?

Imagine the DBA scenario: "Hey, Bob. We've got 40k rows of orphaned fingerprint records in here. Those developers must've dropped the foreign keys again. What do we do with 'em?"

I do think that biometric security makes for more interesting replay attacks. Along the same lines as high quality video spoofing that the Pentagon has been worrying about for years. Is it real? Or is it Memorex? Or completely fabricated? The cost of very believable, utterly fabricated video is going down, too.

I have a tablet with a fingerprint reader on it @ home and unless I am very careful to go slowly (with any of my ten digits), it's about 2:3 correct scans or less. Cold or very dry fingers make it even harder.

Which reminds me... We need to invent a new protected class (in advance)! The fingerprint-challenged. My wife is one of them. Every time she's fingerprinted for her concealed carry permit, digitally or with old-school ink, the police officer or fingerprint technician has a really hard time getting a clean print from any of her digits. Her hands are so dry and prints so thin that even an FBI-trained expert gave up once and signed a notarized letter stating that "the attached fingerprints" (such as they are) were the best effort they could muster and that she should be issued a permit anyway, even though the prints probably couldn't be scanned successfully into NICS.

Because you know that it would be discriminatory to deny someone a job just because they don't have proper fingerprints, now wouldn't it? Heh.
Post #600236
Posted Monday, November 10, 2008 3:59 PM
SSC Rookie
Group: General Forum Members
Security is a fascinating topic, and a long one if you really wanted to go into it.

Let's go for the most common, Bond/Mission Impossible inspired security: fingerprint readers. Is it easier to take a copy of a fingerprint, or just to chop a finger off and use that? Sometimes the latter will be easier, and it happens (http://www.schneier.com/blog/archives/2005/04/security_risks_2.html). This kind of story isn't uncommon.

What is more interesting is gait-recognition. How is someone going to steal your gait? If a camera watching you walk down the corridor could verify you are you, not requiring any knowledge inside your head, or bits off your body to let you in the door then isn't that a great concept? Ah, but you'd have to make sure that putting a video playback of your walk in front of the camera wouldn't fool it, like the photocopied fingerprints.

So now let's revisit the laptop thing. Gait recognition is presumably impractical - I'm not up for walking around the opposite side of the room in Starbucks just to login (http://uk.youtube.com/watch?v=IqhlQfXUk7w). Fingerprint recognition I'll stay well clear of for as long as I can. If you work for a company that wants to make fingerprint recognition mandatory it might be worth asking them if they are going to pay all the employees danger money on a per-finger basis.

How about a simpler approach? Let them steal the laptop, and even give them the password if your life or limb is risked (http://www.truecrypt.org/docs/?s=hidden-operating-system); they don't have to know it's the wrong one. You might have to make sure you can turn it off before they get to it so that it boots up when they first switch it on. Less practical with cars though; I'm not sure what you'd have as the alternative to the real OS - lock them in and spray laughing gas through the aircon?

Andy
Post #600278
Posted Monday, November 10, 2008 4:44 PM
SSC Veteran
Group: General Forum Members
The recent defeat of drive encryption by researchers using a spray can of chilly stuff and a RAM reader will also defeat the hidden o/s trick, I would imagine. Turning it off isn't guaranteed to be off-enough anymore.

I was watching a cryptography special on one of the Discovery channels (I think) with the kids yesterday (in between games of Shadowrun and Gears of War 2), and I laffed out loud when the featured researchers were pronouncing the imminent demise of the cryptanalyst because we can make our key sizes so large now as to make them "uncrackable". Even so, it was an interesting (very high-level) overview of the history of crypto for my eight and nine year olds.



To get back to Andy's point, it was interesting that most of the well-known exploits of military cryptanalysis in WWI and WWII were primarily "social engineering" to provide the wedge, despite all of the heavy mathematical attacks.

Note to self: When I become an evil overlord, I will not encrypt my messages in both the shiny new encryption algorithm AND the old encryption algorithm that I don't trust anymore in order to deprive my enemies of plaintext messages, even if it makes it harder to communicate with my minions. (See Wikipedia entry for the Japanese Purple cipher, if you need a reminder.)
Post #600299
Posted Monday, November 10, 2008 7:29 PM
SSC-Enthusiastic
Group: General Forum Members
There are much more fundamental problems that are easily obscured by technical issues.

The entire principle of fingerprint evidence is scientifically flawed. In spite of what most people think they know, it does not even meet the basic criteria defined for other forensic evidence. Of course fingerprint experts will get it right many times, but there is no substance to their usual claim that their judgement is infallible. This has nothing to do with any technical issues, but comes from the fact that attempts to create a scientific basis for the reliability of fingerprint evidence have not been carried out. As a result nobody knows how reliable a positive match based on fingerprint evidence really is. And to prove that this is not a theoretical issue, there is the case of the terrorist attack in Madrid in which 4 FBI agents claimed a 100% match between a suspect and somebody else's fingerprint (this is not the only case of failure, but probably the one with the highest profile).

So if this is the "golden standard" against which other types of biometrics will be measured, we should expect the worst, even if we get the underlying technology right.
Post #600338
Posted Tuesday, November 11, 2008 3:35 AM
SSCrazy
Group: General Forum Members
Why worry about fingerprints when you can use DNA. Scientists tell us that every person's DNA is unique, so here we have an infallible way of proving identity and family relationships!

Except that the more science knows about this grossly immature discipline of DNA, the more it discovers that infallibility is not guaranteed. There are now witnessed cases of women giving birth to children whose DNA does not match the mother's - a godsend to the mother who was accused of stealing her children from other families. Given another 20 to 50 years for this discipline to mature and I reckon we will know about a whole load of other oddities about DNA that will have to be taken into account by any system that uses DNA to 'prove' identity.

Post #600529
Posted Tuesday, November 11, 2008 4:35 AM
SSC-Enthusiastic
Group: General Forum Members
But at least with DNA, because it is relatively immature, an attempt is made to quantify the error rates.

The possibility that more of us are (at least to some extent) chimeras than is generally assumed is indeed very interesting. Of course the way to deal with that is also to try to quantify the occurrence and deal with it rather than ignore it.
Post #600559
Posted Tuesday, November 11, 2008 7:02 AM
SSC-Enthusiastic
Group: General Forum Members
Another well-documented case is that of Shirley McKie.
Not only does this show that things can go wrong, but also how hard it can be to prove your side of the story, and the dangers of indiscriminate recording of biometrics.

For those of you who don't know, a quick re-cap:

Shirley was a police officer. Following a drugs-raid, a finger-print was found at the scene. When checked against the Police database, it was stated that this was categoric evidence that she had been in that location. She was asked why, and naturally denied it. Since they had 'proof' that her denial was a lie, she was sacked.
MUCH later on, she was able to prove that the identification process had gone wrong, and there was actually no match, but it is easy to imagine a situation where a single print actually DID match - fingerprints are not unique: it is extremely unlikely that a full set of prints on two people would match, but it is not that uncommon for two single fingers to match.
Of course, the only reason this was a problem, was that Shirley's prints were on file, so that they could be eliminated from situations where she had genuinely, officially participated. Had she been an ordinary member of the public, she would not have been 'fingered'.
Unless we had all had our fingerprints taken for some sort of 'National Entitlement Card' ...
Post #600638
Posted Tuesday, November 11, 2008 7:03 AM
SSC Veteran
Group: General Forum Members
Several of my previous positions have employed biometric security hardware, and I have always found it to be of questionable value, at least in its current incarnation, largely due to inordinately high failure rate. When I was compelled a few years ago to use a SecuGen thumb-scanning mouse (which apparently at the time only worked under Novell, and thus became an albatross after the agency was switched over to MS, btw) I happily passed this link along to the agency security officer:
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
Post #600639
Posted Wednesday, November 12, 2008 2:28 PM
SSC Eights!
Group: General Forum Members
mike brockington (11/10/2008)
... These will then be published on the Internet, allowing anyone to make their own latex copies, or whatever. Other studies have shown that a simple photo-copy is enough to fool most finger-print scanners.

I didn't hear about this Jacqi Smith case, I'll have to look it up.

On Mythbusters, they did a segment on defeating fingerprint locks. They copied the print, scanned it, and found that a printed copy (scaled properly) didn't work. So they enlarged the print and used a felt tip marker to fill in the voids that the lifting process lost. Scanned it again, printed at proper scale, and the paper copy of the print worked just fine.

Fingerprint matching is an interesting process. The Federal system spits out 6-8 matches and near matches, then a certified fingerprint technician does a match between the crime scene print and the ones provided by the computer, then further identification can be made. So you're not going to be convicted on a computer match, a person must do it and can be cross-examined in court.

It is quite a problem. I saw a piece this morning on Slashdot (IIRC) saying that scents are unique per person and don't change based on diet. I'm not sure I buy that, it'll be interesting to read further on it.
Post #601719