May 31, 2005 at 4:38 pm
Microsoft has a cool ad on the home page, or at least it was there.
Tired of Passwords? Replace them with your fingerprint.
Sounds like a good idea, at least at first. Think about how this works for a few minutes. But what if someone finds a way to read that data. Imagine that you implement this to secure your notebook and leave it lying around at the PASS Summit, which you registered for using the "SSC" source code :). It's secured to a table, but it's wireless network is enabled and since you usually have this at home, you have file sharing enabled.
Now some wise guy at the conference is a bit of a hacker and decides he's going to surf around looking for a wireless computer. He connects into your laptop and notices that you've got a keyboard with biometrics installed. How? It's Microsoft, there's got to be some easy default location for the drivers and db. This guy decides he's going to mess with you and he replaces the data files with his own. Now the data files contain your fingerprint. Well, not your actual fingerprint, but a digital representation of it. Since the software digitizes the print from the scanner in real time, it compares it to what's stored, which when you come back to log in, won't work.
Now hopefully the wise guy is still around so he can have a laugh and then log you into the computer. And then explain which files you need to replace. Hopefully he made a backup and since he's at PASS, we should hope he did.
Not a huge big deal and not likely to be a big problem, but what if this thing catches on in larger companies? With so many people sharing computers, there would have to be a central database of some sort to store the fingerprint data. It could be in Active Directory, but that's not exactly the most secure location. What if a script of some sort does an UPDATE (or the equivalent) to the AD or database and someone forgets the WHERE clause?
I'd hate to be on the help desk that day. Can you imagine the issues with people logging in first thing? Or after lunch? Would you want to field the CEO's call when his PC doesn't let him in? Or explain to the CIO what happened?
Biometrics might be a good idea at some point, but there's still a lot of work to be done to be sure that all the data and systems are extremely secure. People tend to trust things like this a little too much without understanding how they work.
Steve Jones
June 1, 2005 at 1:56 am
Using my own personal body parts to secure corporate data?
Look, I'm sure the techno weenies are fainting with pleasure over this but I've seen "Demolition man" with the eyeball on the scalpel.
Why not have a USB dongle? You can put it on a key ring and when the drug crazed psychopath demands you lap top you have at least hand it over and have some chance of retaining your own body parts.
June 1, 2005 at 7:00 am
One would hope that any such system would have a conventional password backup (I would certainly never trust one without an alternative method in). There are a lot of things that can confuse low cost fingerprint scanners ; imagine trying to log in with a bandaged finger.
...
-- FORTRAN manual for Xerox Computers --
June 2, 2005 at 6:39 am
I read an article (sorry, can't remember where it was) but a researcher in Japan proved it was lauginly simple to bypass these systems. Something about putting latex (or something similar) over their finger and getting it to read the last users fingerprint.
June 2, 2005 at 6:41 am
Certain kitchen cleaning products, such as bleach, damage your fingerprints. Yet another reason to delegate domestic chores!
June 2, 2005 at 8:18 am
Security devices, logins, locks, fingerprint scanners, whatever, are only a social reaction to the need to reenforce its 'mine not yours' and 'I am not you'. No secret can ever truly remain secret forever, and that goes for information as well.
Further musings, are any of us really the same person we were minute go. I'm not the same person I was 10 years ago nor twenty.
This may seem like lammentations so I'll apologise.
But were one looking for a solution for security maybe we should be looking at the reasons we are not willing to put the effort forward to even speak to let alone see the person who we want to use our service or access the 'data'.
Further, go to 10 random websites and see if the contact information, a phone number, an address is on the front page. Few do so and most make you do the clicking game.
Here are other examples of such diversions: voice mail, email, blogs, pagers, cell phones, none of these things bring us closer together.
They creates another layer of technological separation from our nieghbours, an imagined empowerment.
Maybe people dont want to know their fellow man better, for then you might care.
I do have an organ all those companies can scan for identification purposes but I think my offer might offend their senses and is probably too small as explained quite diligently from various sources which were emailed to me from what appear to be random sources.
June 2, 2005 at 8:23 am
GPF2^192, I don't really know what you are getting at, but if you're in healthcare (for one example), HIPPA requires data security and limited access to data. Besides, I would prefer to keep a layer of seperation when dealing with things such as my bank account, etc. ('They creates another layer of technological separation from our nieghbours, an imagined empowerment').
June 2, 2005 at 9:12 am
Your bank account and health information are only at risk because of the systems in place to make them accessable through remote technogical means.
If your files were stored on paper in box somewhere and your bank transactions and your bank manager would only let you have access to the information with you in front of them and they knew you by face and name there would be no risk to the data being stolen from someone in italy or romania living in their parents basement.
Its conveinence and greater distance from the source of your money or medical services that neccessitate the advanced encyrption and security.
Were your doctor and bank walking distance to your home there would be no need to invest in a computer, internet access and the fee associated with that. THe banks in turn would not have to have web server, certs, 'secure' transactions all of which cost money and the energy to power whether one uses them or not.
Just like bank machines, there is a cost to them whether or not people use them. These inflate the costs of services and compete with the workers within those businesses.
Im just on an anti technogical rant, btw.
June 2, 2005 at 9:14 am
Thta's it! We're going to start the Luddites' DBA group!
June 3, 2005 at 2:49 am
At least our bodily parts will remain attached.
June 3, 2005 at 8:43 am
And hopefully private
Viewing 11 posts - 1 through 10 (of 10 total)
You must be logged in to reply to this topic. Login to reply