Re: Biometrics
- From: "Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx>
- Date: Wed, 16 Jul 2008 20:13:58 -0700
Dan, I recommend you rethink your logic.
The Windows 3.1/9x code was designed and written in an entirely different age -- one in which TCP/IP was not the standard networking protocol, one in which indeed networks were rare, and one in which everyone (we and our customers) assumed that only good guys used computers.
The world no longer lives in that age. If you take any kind of system (operating system, engineering system, whatever) and place it in an environment that is wildly different than the original assumptions, that system will fail catastrophically. There is simply no way we can retrofit that very old code to function correctly in today's world of intentional attacks.
I'm not exactly sure how you can make the statement that "a 9x machine with the proper safeguards such as a wired router that has wireless broadcast signal turned off" is more secure than XP or Vista. Firstly, an XP or Vista box behind such a router would be equally "safe" from attack. Secondly, disabling SSID broadcast in reality does not accord you any security -- see my article here: http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx.
You quote a specific vulnerability below, about DNS, and you then make the argument that this is a reason the military should be using 9x instead of XP/Vista. How does that follow? How do you know that 9x doesn't have the same vulnerability? No one can know, because we don't test 9x anymore. It's simply too old.
And you mention our password checker. Actually, I think its recommendations aren't strong enough, and I'm working with the folks who own that feature to improve its strength.
--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:175E7266-E50E-40A2-BE3C-305165779621@xxxxxxxxxxxxxxxx
Thank you, Steve. I appreciate your feedback. Another problem we face in
computing today is the industry is not fully backing tougher security and
safety protocols. An example of this is the American Express website which
will only allow me to input a password that is less than optimal according to
Microsoft's password checker. Microsoft is doing their part in many ways but
the rest of the industry must catch up.
http://www.microsoft.com/protect/yourself/password/checker.mspx
It is critical in this day and age to have alternatives to just the main
Windows operating system that includes Internet Explorer. I am very pleased
with Microsoft and their technologies so I will continue to use them
frequently. However, as a power user, I am very pleased that users have
alternatives such as Mozilla Firefox as an option and it does indeed remain
for use with Windows 98 Second Edition at least until December 2008 because
that is when Mozilla Firefox 2.x support is scheduled to end.
http://en.wikipedia.org/wiki/Mozilla_Firefox
This is most unfortunate in my view since the 9x source code has definite
advantages over the NT business line of source code. 9x computers were meant
as stand-alone machines and thus are great for consumers who do not need or
want the ability to have others tinker with their machines. The many
services provided in XP allow for there to be many greater points of access to a
fully patched XP machine than a fully patched 98 Second Edition machine using
Mozilla Firefox compared to Internet Explorer since Internet Explorer patches
for Windows 98 Second Edition ended July 11, 2006. The NT source code is at
risk as can be seen by the postings of US-Cert which is the computer
readiness team and part of the Department of Homeland Security.
http://www.us-cert.gov/cas/bulletins/SB08-196.html
Microsoft -- windows-nt
Unspecified vulnerability in Microsoft DNS in Windows 2000 SP4, XP SP2 and
SP3, and Server 2003 SP1 and SP2 allows remote attackers to conduct cache
poisoning attacks via unknown vectors, aka "DNS Cache Poisoning
Vulnerability," a different vulnerability than CVE-2008-1447.
unknown
2008-07-08
9.4 CVE-2008-1454 MS
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1454
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
I know a fair amount about computer security and safety and helped beta test
Windows Vista Ultimate 32 bit edition for Microsoft as a volunteer. I got
the DVD with the ISO image from a friend named Jeff who was a systems
engineer and also testing Vista for Microsoft and then got approval from
Microsoft to test it and inputted the given product key that Microsoft gave me
for the evaluation version. The problem is that Microsoft has only one line
of code and that makes it that much easier for hackers to target many
machines and take them over.
With Windows 98 Second Edition, a single machine might have been compromised
but not the whole network. I have had problems with a workplace that I
recently worked at that stupidly switched to all XP machines and did not
leave any 98 Second Edition machines in place and that included my own
Windows 98 Second Edition machine there. That was a huge mistake that I
don't think the business will repeat. With the 98SE machine, I knew and I
was right that my machine would be very unlikely to be hacked compared to the
compromised machines of the NT (XP Professional) in this case. The incident
happened in the summer of 2007. I will give you more details via secure
email if you like.
I have read in a book about Microsoft that early system engineers complained
that NT did not have a true maintenance operating system like DOS. Chris
Quirke, MVP, has a good article about the safety and security concerns.
Windows 9x is safe at its core compared to Windows NT line which includes
2000, XP and Vista of course. There was also a rumor a while back that parts
of the NT source code were leaked over the Internet compared to the 9x source
code which was never leaked over the Internet, AFAIK.
http://cquirke.blogspot.com/
(Note: Chris Quirke's 9x website talks about the 9x compared to NT security
and safety discussion)
There are also Unix/Linux technologies and I have played around a little bit
with Ubuntu Linux but I am in no way proficient with it and have only read a
small portion of a big book about Ubuntu Linux.
Finally, my question to you is that I know about the economics and how
costly it would be for Microsoft to continue the 9x line or even overhaul it
to make it usable in today's environment but wouldn't the economic cost be
worth the great reward? I have friends of mine at summer camp who are
planning mainly on building 98 Second Edition machines just for the ability
to play older games and secondly because these friends feel as I do about how
it is harder to hack into a 9x machine with the proper safeguards applied
such as a wired router that has the wireless broadcast signal turned off so
as not to attract unwanted or unneeded attention from hackers.
If Microsoft will not develop the 9x source code then at least sell it to
the United States Military so that the Defense Department can more fully
protect their military infrastructure from external threats and even better
from potential internal threats from their network of computers from a
potential spy. The possibilities for 9x are endless and so please I ask you
as a professional to have Microsoft sell 9x kernel unless Microsoft is
willing which I think would be a smart business move to invest money in
another Windows 9x that would not subtract features such as easy access to
DOS and ideally the ability to play old classic games like Windows Millennium
(ME) did.
I am a gamer who is a Generation X'er who got his start on an IBM PCjr
playing King's Quest 1 on a 5.25 inch floppy disk that was made by Sierra On
Line and had 16 colors and the speaker on the machine supported 3 sounds at
once which was cool. The game had 128 kilobytes on one disk and how is that
for compression despite the obvious limitations compared to today's games. I
still have this machine in storage and it still works! The interesting thing
is that a poster to Game Informer which I read posted about how he was 17 and
liked older classic games and his friends made fun of him for it and his
first name was Daniel too. <grin>
I also enjoy reading PC World, 2600 which is a hacker magazine (I must keep
up to prevent hackers from compromising all of us), and other computer and
network books. I took several computer classes in college and who knows I
may go back and get another undergraduate degree but this time in computer
science. I know that a dream will allow a little guy like me to change the
world despite all the challenges life has thrown at me. Please feel free to
contact me by email or I can contact you by email. My email address is with
Microsoft and on their records. I can also give you an srx number on a
recent case with Microsoft if you need to confirm my identity. Thanks again
for all you do, Steve and Go Microsoft!
"Steve Riley [MSFT]" wrote:
Biometrics can never replace passwords, because they aren't secrets.
It's me, and here's my proof: why identity and authentication must remain
distinct
http://technet.microsoft.com/en-us/library/cc512578(TechNet.10).aspx
--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:774EE7CB-CA2B-4E7B-82CD-20D2B56C04B4@xxxxxxxxxxxxxxxx
> Bingo! You solved the issue and yes it is one of those cheap fingerprint
> scanners where you just swipe your finger so it must have already had the
> image of my fingerprint on the scanner. It sounds like someone would need
> to clean the fingerprint scanner each time and it does indeed seem very easy
> to fool. So much for the security of Biometrics at least cheap Biometric
> devices
>
> "Juergen Nieveler" wrote:
>
>> Dan <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> > How secure and safe is biometric technology? The reason I bring this
>> > up is because I was able to log in using my finger with a band-aid
>> > attached and this definitely makes me question the security and safety
>> > of biometric technology at least as far as laptops go. I imagine
>> > there probably is lots of articles on this already but I wanted the
>> > opinions of this newsgroup. Thanks in advance for the replies.
>>
>> If this was one of those fingerprint readers where you simply put your
>> finger on (as opposed to those where you rub your finger along the
>> contact plate in a swipe motion), chances are that the camera inside
>> picked up the latent fingerprint that was still on the glass - this is
>> a common vulnerability of those cheap camera-based readers. All they do
>> is notice "Oh, something is pushing on the glass, and I recognise the
>> pattern" - if the person who last used it had greasy fingers, the
>> fingerprint would still be on the glass, so putting something on the
>> glass that doesn't have OTHER fingerprints will force the camera to use
>> the weak fingerprint image still visible to it...
>>
>> The swipe-type readers are safer in that there can't be an image left
>> on the reader... but many of them still can be fooled by a fake
>> fingerprint made by taking the fingerprint off something somebody
>> touched (lots of how-to's available for that...).
>>
>> Juergen Nieveler
>> --
>> A feature is a bug with seniority.