Re: Biometrics
- From: Dan <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 22 Jul 2008 03:19:00 -0700
Courtesy of Chris Quirke, requesting his feedback be copied and copied due to
his inability to view this post. From Chris Quirke posted via Windows Live
Mail (aka Hotmail)
-------------------------------------------------------------------------------
I can't find the thread, but you could paste from this reply if you like...
In summary; because 9x was designed as a stand-alone rather than
network client OS, it is indeed potentially safer than NT. But the code
base is too outdated to deal with modern hardware, and what makes it
safer as a stand-alone OS, also makes it less secure as a network OS.
As pro-IT folks will point out; 9x has no effective per-user security, as
NT on NTFS can provide. Server-centric networks need this security
to work, to manage users (rather than PCs) and to create artificial
scopes in a pervasively networked environment.
The underlying technologies of this security could be more useful for
consumers, if freed from the user-centric mindset that pervades pro-IT.
If you were to align these technologies according to code, and to
maintain scopes between data vs. code, local vs. remote, etc. then
they could play a meaningful role in keeping stand-alone consumer
PCs safe from web and malware attack.
But as long as the design is based on user accounts and logon,
with the ASSumption that all code running during the user's session
represents the will and intentions of the user who logged in, we aren't
going to get anywhere. As long as all code within even the most
limited of user accounts giving all code the right to see, change and
destroy user data, this system won't protect user's interests.
As long as the Internet is treated as a big network, safety failures
will abound. The core difference between Internet and networking
is that the former requires interaction between untrusted parties;
that is in fact the standard interaction in that environment.
It's not helpful to prove a stranger has a particular name, if you have
no template of expectations for that proven identity. Only when a
proven identity can be matched with such expectations, do you
shift into networking between trusted entities.
Instead, you need to limit the potential impact of interactions - and
that boils down to the distinction between data that is safe to view
or edit, vs. code that is dangerous to run.
Pro-IT could not tolerate the inability to scope between users, via
NT's user rights security. As Internet consumers, we need a similar
ability to scope between data safety and code risk.
Both scopes are artificial; just as there's no hard line between users,
so it is argued there is no hard line between data and code. However,
just as pro-IT strives to create an artificial line between users, so we
should strive to create and maintain a line between data and code.
------------------------------------------------------------------------------
"Steve Riley [MSFT]" wrote:
Dan, I recommend you rethink your logic..
The Windows 3.1/9x code was designed and written in an entirely different
age -- one in which TCP/IP was not the standard networking protocol, one in
which indeed networks were rare, and one in which everyone (we and our
customers) assumed that only good guys used computers.
The world no longer lives in that age. If you take any kind of system
(operating system, engineering system, whatever) and place it in an
environment that is wildly different than the original assumptions, that
system will fail catastrophically. There is simply no way we can retrofit
that very old code to function correctly in today's world of intentional
attacks.
I'm not exactly sure how you can make the statement that "a 9x machine with
the proper safeguards such as a wired router that has wireless broadcast
signal turned off" is more secure than XP or Vista. Firstly, an XP or Vista
box behind such a router would be equally "safe" from attack. Secondly,
disabling SSID broadcast in reality does not accord you any security -- see
my article here:
http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx.
You quote a specific vulnerability below, about DNS, and you then make the
argument that this is a reason the military should be using 9x instead of
XP/Vista. How does that follow? How do you know that 9x doesn't have the
same vulnerability? No one can know, because we don't test 9x anymore. It's
simply too old.
And you mention our password checker. Actually, I think its recommendations
aren't strong enough, and I'm working with the folks who own that feature to
improve its strength.
--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:175E7266-E50E-40A2-BE3C-305165779621@xxxxxxxxxxxxxxxx
Thank you, Steve. I appreciate your feedback. Another problem we face in
computing today is the industry is not fully backing tougher security and
safety protocols. An example of this is the American Express website
which
will only allow me to input a password that is less than optimal according
to
Microsoft's password checker. Microsoft is doing their part in many ways
but
the rest of the industry must catch up.
http://www.microsoft.com/protect/yourself/password/checker.mspx
It is critical in this day and age to have alternatives to just the main
Windows operating system that includes Internet Explorer. I am very
pleased
with Microsoft and their technologies so I will continue to use them
frequently. However, as a power user, I am very pleased that users have
alternatives such as Mozilla Firefox as an option and it does indeed
remain
for use with Windows 98 Second Edition at least until December 2008
because
that is when Mozilla Firefox 2.x support is scheduled to end.
http://en.wikipedia.org/wiki/Mozilla_Firefox
This is most unfortunate in my view since the 9x source code has definite
advantages over the NT business line of source code. 9x computers were
meant
as stand-a-lone machines and thus are great for consumers who do not need
or
want the ability to have others tinker with their machines. The many
services provided in XP allow for their to many greater points of access
to a
fully patched XP machine than a fully patched 98 Second Edition machine
using
Mozilla Firefox compared to Internet Explorer since Internet Explorer
patches
for Windows 98 Second Edition ended July 11, 2006. The NT source code is
at
risk as can be seen by the postings of US-Cert which is the computer
readiness team and part of the Department of Homeland Security.
http://www.us-cert.gov/cas/bulletins/SB08-196.html
Microsoft -- windows-nt
Unspecified vulnerability in Microsoft DNS in Windows 2000 SP4, XP SP2 and
SP3, and Server 2003 SP1 and SP2 allows remote attackers to conduct cache
poisoning attacks via unknown vectors, aka "DNS Cache Poisoning
Vulnerability," a different vulnerability than CVE-2008-1447.
unknown
2008-07-08
9.4 CVE-2008-1454 MS
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1454
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
I know a fair amount about computer security and safety and helped beta
test
Windows Vista Ultimate 32 bit edition for Microsoft as a volunteer. I got
the DVD with the ISO image from a friend named Jeff who was a systems
engineer and also testing Vista for Microsoft and then got approval from
Microsoft to test it and inputed the given product key that Microsoft gave
me
for the evaluation version. The problem is that Microsoft has only one
line
of code and that makes it that much easier for hackers to target many
machines and take them over.
With Windows 98 Second Edition, a single machine might have been
compromised
but not the whole network. I have had problems with a workplace that I
recently worked at that stupidly switched to all XP machines and did not
leave any 98 Second Edition machines in place and that included my own
Windows 98 Second Edition machine there. That was a huge mistake that I
don't think the business will repeat. With the 98SE machine, I knew and I
was right that my machine would be very unlikely to be hacked compared to
the
compromised machines of the NT (XP Professional) in this case. The
incident
happened in the summer of 2007. I will give you more details via secure
email if you like.
I have read in a book about Microsoft that early system engineers
complained
that NT did not have a true maintenance operating system like DOS. Chris
Quirke, MVP. has a good article about the safety and security concerns.
Windows 9x is safe at its core compared to Windows NT line which includes
2000, XP and Vista of course. There was also a rumor a while back that
parts
of the NT source code were leaked over the Internet compared to the 9x
source
code which was never leaked over the Internet, AFAIK.
http://cquirke.blogspot.com/
(Note: Chris Quirke's 9x website talks about the 9x compared to NT
security
and safety discussion)
There is also Unix/Linux technologies and I have played around a little
bit
with Ubuntu Linux but I am in no way proficient with it and have only read
a
small portion of a big book about Ubuntu Linux.
Finally, my question to you is that I know about the economics and how
costly it would be for Microsoft to continue the 9x line or even overall
it
to make it usable in today's environment but wouldn't the economic cost be
worth the great reward. I have friends of mine at summer camp who are
planning mainly on building 98 Second Edition machines just for the
ability
to play older games and secondly because these friends feel as I do about
how
it is harder to hack into a 9x machine with the proper safeguards applied
such as a wired router that has the wireless broadcast signal turned off
so
as not to attract unwanted or uneeded attention from hackers.
If Microsoft will not develop the 9x source code then at least sell it to
the United States Military so that the Defense Department can more fully
protect their military infrastructure from external threats and even
better
from potential internal threats from their network of computers from a
potential spy. The possibilities for 9x are endless and so please I ask
you
as a professional to have Microsoft sell 9x kernel unless Microsoft is
willing which I think would be a smart business move to invest money in
the
another Windows 9x that would not subtract features such as easy access to
DOS and ideally the ability to play old classic games like Windows
Millennium
(ME) did.
I am a gamer who is a Generation X'er who got his start on an IBM PCjr
playing King's Quest 1 on a 5.25 inch floppy disk that was made by Sierra
On
Line and had 16 colors and the speaker on the machine supported 3 sounds
at
once which was cool. The game had 128 kilobytes on one disk and how is
that
for compression despite the obvious limitations compared to today's games.
I
still have this machine in storage and it still works! The interesting
thing
is that a poster to Game Informer which I read posted about how he was 17
and
liked older classic games and his friends made fun of him for it and his
first name was Daniel too. <grin>
I also enjoy reading PC World, 2600 which is a hacker magazine (I must
keep
up to prevent hackers from compromising all of us), and other computer and
network books. I took several computer classes in college and who knows I
may go back and get another undergraduate degree but this time in computer
science. I know that a dream will allow a little guy like me change the
world despite all the challenges life has thrown at me. Please feel free
to
contact me by email or I can contact you by email. My email address is
with
Microsoft and on their records. I can also give you an srx number on a
recent case with Microsoft if you need to confirm my identity. Thanks
again
for all you do, Steve and Go Microsoft!
"Steve Riley [MSFT]" wrote:
Biometrics can never replace passwords, because they aren't secrets.
It's me, and here's my proof: why identity and authentication must remain
distinct
http://technet.microsoft.com/en-us/library/cc512578(TechNet.10).aspx
--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:774EE7CB-CA2B-4E7B-82CD-20D2B56C04B4@xxxxxxxxxxxxxxxx
Bingo! You solved the issue and yes it is one of those cheap
fingerprint
scanners where you just swipe your finger so it must have already had
the
image of my fingerprint on the scanner. It sounds like someone would
need
to
clean the fingerprint scanner each time and it does indeed seem very
easy
to
fool. So much for the security of Biometrics at least cheap Biometric
devices
"Juergen Nieveler" wrote:
Dan <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
How secure and safe is biometric technology? The reason I bring
this
up is because I was able to log in using my finger with a band-aid
attached and this definitely makes me question the security and
safety
of biometric technology at least as far as laptops go. I imagine
there probably is lots of articles on this already but I wanted the
opinions of this newsgroup. Thanks in advance for the replies.
If this was one of those fingerprint readers where you simply put your
finger on (as opposed to those where you rub your finger along the
contact plate in a swipe motion), chances are that the camera inside
picked up the latent fingerprint that was still on the glass - this is
a common vulnerability of those cheap camera-based readers. All they
do
is notice "Oh, something is pushing on the glass, and I recognise the
pattern" - if the person who last used it had greasy fingers, the
fingerprint would still be on the glass, so putting something on the
glass that doesn't have OTHER fingerprints will force the camera to
use
the weak fingerprint image still visible to it...
The swipe-type readers are safer in that there can't be an image left
on the reader... but many of them still can be fooled by a fake
fingerprint made by taking the fingerprint off something somebody
touched (lots of how-to's available for that...).
Juergen Nieveler
--
A feature is a bug with seniority.
- Follow-Ups:
- Re: Biometrics
- From: Steve Riley [MSFT]
- Re: Biometrics
- References:
- Re: Biometrics
- From: Dan
- Re: Biometrics
- From: Steve Riley [MSFT]
- Re: Biometrics
- Prev by Date: Re: POSSIBLE HACK...PLEASE, PLEASE HELP!
- Next by Date: Re: POSSIBLE HACK...PLEASE, PLEASE HELP!
- Previous by thread: Re: Biometrics
- Next by thread: Re: Biometrics
- Index(es):
Relevant Pages
|
