> James Knott wrote:
>> Roy Schestowitz wrote:
>>> I think biometrics are a better solution to the USB key solution. IBM
>>> are implementing the first biometric authentication system and they do
>>> so on Linux
>> In some recent work, I was working on some T42 ThinkPads, that had the
>> finger print reader. While these systems were configured with encrypted
>> hard drives, the finger print reader wasn't used.
> On /. somebody once stated that biometrics should be used for entrance
> in certain buildings instead of badges. You know, those things where you
> put your hand on a surface and then the door opens. It would be better
> than with a badge. I remember one response that made it clear how much
> better this is than a badge:
These have already been deployed in Britain. Also retina scan...
> Hey, mate, the system fucked up again, can you palm me in?
Better stay off chlorine too...
> I have been in a situation where I said I could not do a certain task,
> because I did not have the permissions on the system. People willingly
> gave their login and password to help me out.
> I have been given admission to ALL rooms in the building. That was a
> mistake, because I should not have gotten access to all the different
> server rooms. The IT policy was that if you had gotten one level of
> security, they had no procedure to reverse that, so I kept it even after
> telling everybody about it.
> Security is as secure as the weakest link and that is not very strong. I
> still believe that 95% of hacking is done by social engineering. If you
> look at the transcripts of how Kevin Mitnick hacked, you will see that
> what he did was asking others for passwords and access. He barely did
> anything himself.
Fully agree on that one... passwords are a very social thing. Many times in
the past I reset the password for people whom I simply trusted. They
claimed their true identity using obvious things like name and username.
When I contact call centres, I am often, if not always, asked for full
address and phone number (and they are lenient when it comes to
correctness)... yeah, like addresses are not obvious... The illusionary
security... making the customer feel like there is a line of defence...
Going back to my previous point, it is hard to prove one's identity over the
telephone and difficult to argue if a senior professor is on the other side
of the line. Also, how does the customer know that it is not, let us say, a
cleaner who answered the phone and is up to no good?
> Hacking (get used to it. It is a synonym for cracking nowadays) is not so
> much some person logging into a system with all his knowledge. It is
> calling a company and asking the secretary what the password is and then
> another what the login is and letting them tell you.
...or logging in using the default, uninitialised machine password, then
changing the desktop picture and leaving objects in the Desktop urging the
users to protect the system. (Script Kiddie Gary McKinnon)
> Then you will see if you have correct procedures and if they are
> followed. Just one example, IT should normally not ask your login and
> password. If they do, they are either incompetent, untrustworthy or both.
There is a need for development of encryption or authentication over the
phone, maybe with the aid of 2 nodes (machines at both ends).
Roy S. Schestowitz