Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Comments · 1,941
-
Re:Lineup
-
Re:Can others intercept your photo's?
Bruce Schneier seems to think so. Scroll down to the authentication portion of the Crypto-Gram.
-
FUD
For most (l)users who don't understand SSL, most times they'll end up ignoring OpenSSL certs that weren't signed by so-called 'Trusted Signers', often going into a site without using SSL, thinking the cert is not to be trusted. I threw a 4096bit cert for my FOIA docs, Openwebmail, and some other stuff, and people always ask me about that annoying little 'Trusted Signer' warning.
Oh well... Bruce Schneier's old but well written doc always comes to mind when thinking of this topic: "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier
Computer security has been victim of the "year of the..." syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI. (source)
Most people like fast content and often overlook security. Hell eBay out of all sites, billions in transactions, and SSL is an option! How sickening is that.
-
Re:PPTP is UNdesirable
Thanks for the rant, Bill. PPTP, esp. when MS-compatible, is way less secure than IPSec. Today, the biggest problem with PPTP is the connection between password strength and encryption strength (see Schneier's analysis on PPTPv2 for details), and as soon as this problem is worked around (see for example the Designfragen discussion for some CS department WLAN, if you can read German), PPTP is 'middle secure'.
What makes PPTP a tempting VPN protocol is its availability among different platforms. Although some platforms offer built-in IPSec support, these implementations often differ in certain details which harms interoperability a lot. We have extensions like XAUTH, L2TP, DHCP-over-IPSec, not to mention the many different options to be configured, and even the new Mac OS X Panther release does strange things with its IPSec-L2TP implementation. Yes, you get beer-free VPN IPSec clients in case you buy expensive iron, Cisco for example, but for many this is too much money...
PPTP is for poor man's VPN only, but if this is enough security for your setting (and you can increase this through tight password policies), you will have instant VPN access from all kinds of common platforms, free and not free ones...
IPSec is great, but seldom available and/or not trivially deployable. PPTP is less secure, but it's out there... Life isn't always that simple.
-
No security in obscurity
Your company is very naive then. They are probably using the "nobody else is using it, so it will be more secure" argument.
Give somebody who can make that decision the results of the following google search - security in obscurity
The first article in this Crypto-Gram also explains the problem - Secrecy, Security, and Obscurity
-
Re:We need verification - NOT identification
Thanks for the link at wired
I am making Free Fingerprint Imaging Software and have added your link. I also have the gelatin Artificial Gummy Fingers link. And a link to Bruce Schneier saying "Biometrics are unique identifiers, but they are not keys or secrets". I think that biometrics by themselves can be badly misused and have things end up being worse.
I think that Bruce has said something like a false sense of security is worse than no security.
Intrinsically fingerprints can only provide corroborating evidence if and only if some proper procedures are in place. Washbins at border crossings might be amusing;-> Another thing though is that for example the 911 people didn't use fake ID, so what was the point again anyway? I think that banks using fingerprints on their customers when they open accounts etc, DMV when people get ID, seems more likely. Only real things I worry about is what about when the Justice system fails and people have legitimate reasons to hide; What about stalkers, wife beaters, etc; What about the witness protection program, secret agents, etc;-> The government would have real problems getting proper cover stories for people if biometric information on people was widespread. I don't know why they are pushing it as much, it might actually end up hurting them more than it helps.
-
Somehow...
...I have a feeling I'll be reading about this in "The Doghouse" section of Crypto-Gram sometime soon.
I think Schneier makes a special point in Beyond Fear that extreme terms like "absolute security" and "any force known to man" don't even make sense in a security situation. They are only used by people who don't understand security in the first place!
-
Re:On Fingerprints and other biometrics
He also has an interesting article dealing specifically with biometrics in airports, specifically facial recognition. Without explicitly showing the math, he applies Bayes' rule to calculate the false positive rate of a fantastically accurate system. Since the frequency of terrorists is quite small, the rate of false positives is incredibly high and such a system would simply train the human operators to ignore its positives.
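The base-rate arithmetic that comment refers to, as an added Python illustration (this is not Schneier's own calculation or figures; the passenger count, watch-list size and accuracy rates below are constructed):

```python
"""Bayes' rule applied to a "fantastically accurate" airport face scanner.

Added illustration, not from the original article: every number in the
__main__ block is constructed to show why a tiny base rate of terrorists
turns an almost-perfect classifier into a machine that mostly cries wolf.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningResult:
    """Expected alarm counts for one screening population."""
    true_alarms: float   # terrorists the system flags
    false_alarms: float  # innocents the system flags

    @property
    def precision(self) -> float:
        """P(actually a terrorist | system raised an alarm)."""
        total = self.true_alarms + self.false_alarms
        return self.true_alarms / total if total else 0.0


def screen(passengers: int, terrorists: int,
           sensitivity: float, false_positive_rate: float) -> ScreeningResult:
    """Expected alarms when every passenger is scanned once.

    sensitivity         = P(alarm | terrorist)
    false_positive_rate = P(alarm | innocent)
    """
    for rate in (sensitivity, false_positive_rate):
        if not 0.0 <= rate <= 1.0:
            raise ValueError("rates must lie in [0, 1]")
    if terrorists > passengers:
        raise ValueError("more terrorists than passengers")
    innocents = passengers - terrorists
    return ScreeningResult(true_alarms=terrorists * sensitivity,
                           false_alarms=innocents * false_positive_rate)


def posterior(prior: float, sensitivity: float, false_positive_rate: float) -> float:
    """Bayes' rule directly: P(terrorist | alarm) for a per-passenger prior."""
    p_alarm = prior * sensitivity + (1.0 - prior) * false_positive_rate
    return prior * sensitivity / p_alarm if p_alarm else 0.0


if __name__ == "__main__":
    # Constructed scenario: one million passengers a month, ten of them on the
    # watch list, scanner "99.99% accurate" in both directions.
    result = screen(passengers=1_000_000, terrorists=10,
                    sensitivity=0.9999, false_positive_rate=0.0001)
    print(f"expected true alarms : {result.true_alarms:.2f}")
    print(f"expected false alarms: {result.false_alarms:.2f}")
    print(f"alarms that are real : {result.precision:.1%}")
    # Same answer straight from Bayes' rule with prior = 10 / 1,000,000.
    print(f"posterior check      : {posterior(1e-5, 0.9999, 0.0001):.1%}")
```

With those constructed numbers the scanner raises roughly 100 false alarms for every 10 real ones, so only about 9% of alarms are genuine, which is the operator-fatigue problem the comment describes.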
-
Re:hey look! .. it's amazon & a download butto
Reinventing the wheel is a bad analogy. The wheel worked the first time it was invented and every subsequent time.
Digital files cannot be made uncopyable, any more than water can be made not wet. -- Bruce Schneier
slashdot injustice!
-
Re:OK, but the fact is copyrights are still wrong
Sounds like the questions people put to Bruce Schneier after he made a serious and informed statement that enforcing copyrights by means of technology was absolutely impossible:
http://www.schneier.com/crypto-gram-0108.html#7
"Every time I write about the impossibility of effectively protecting digital files on a general-purpose computer, I get responses from people decrying the death of copyright. `How will authors and artists get paid for their work?' they ask me. Truth be told, I don't know. I feel rather like the physicist who just explained relativity to a group of would-be interstellar travelers, only to be asked: `How do you expect us to get to the stars, then?' I'm sorry, but I don't know that, either."
-
Re:I try to avoid them altogether.
I don't see a description. All I see is an assertion.
OK, did a little more google. Here are a couple of real source articles.
And you are forgetting that I already stated that fingerprints were a bad example. For fingerprints, fine, they're already being used, and they're easy to copy. So let's not use them for anything else. But that's a strawman argument against a single implementation of biometrics.
Fingerprints do make a convenient strawman, but unfortunately they are still the dominant form of biometric systems. Look around you, count the products or services that propose to rely on biometrics. The majority (60% according to the latest article linked from slashdot) is fingerprint based. The next largest group is facial recognition, which is also not very secure. The rest (hand, iris, voice, writing) may or may not be better, I do not know. Combination systems are very rare today. Don't you think the strawman arguments are valid while the strawman is real? :)
If an ATM used [fingerprints], and your fingerprints were stolen, there's no way you could be personally held responsible unless you were somehow negligent. This protection is being used by the bank, not by the person, so there isn't "anything else that might be protected by that ID," as far as the victim is concerned.
So fine, the fingerprint is for the protection of the bank, and I won't be liable if their system turns out to be less than secure. There is also no harm done if the bank is the only entity in my lifetime (or in the lifetime of a given technology) that uses that biometric. But there are not enough unique biometric systems that each bank, each id card, each company could use an independent measurement, so there will be inevitable overlaps.
If [birth certificates, passports, etc.] were required day to day, they wouldn't be sufficient to "steal my identity." Actually, the whole concept of "stealing someone's identity" is rather ridiculous. For instance, this article talks about stealing people's identity's, but what actually happened is people stole a bunch of cash from an ATM.
This is a good argument. As long as the compromised systems are compartmentalized (ie. one bank and their atms) then such a compromise is not a big deal. The problem comes if multiple systems will depend on the same biometric id.
The way I think about them is like a public/private key system that you cannot change. Biometrics are easy to recognize, but hard to reproduce. That's the key to their security.
As long as they are difficult to reproduce, I agree. In my opinion though there is a limited window when that is true. Once someone figures out how to do it, then that given biometric will become weaker.
Keep in mind that the difficulty only exists for physical attacks, where a person is trying to impersonate you in front of a trusted system. Biometric signatures offer no protection against electronic attacks. If these rigged ATMs can copy the PIN number and magnetic card info in a re-usable form, then they can also copy your biometric signature.
No one is forcing people to use biometrics on anything.
Oh, good, I'm relieved. :) "Use it at your own risk" (whether that risk is lower or higher than alternatives) is fine with me.
The private key is "me," perhaps. But the public key, which I give out is not me. It's the parts of me that are recorded in those particular conditions at that particular time. And that's not going to be the same among different systems.
Unlike in public key cryptography, it only matters if someone can produce a good imitation of your public "image -
Re:Fingers
It seems that these sorts of sensors can be fooled using a gelatin finger.
-
Identification: YES Authentication: NO
As has been mentioned before at many places and on this site a few times, but not in this article, biometrics are great for ID but lousy for trusting. If any security device is compromised for a given user, e.g. fake finger, fake face, fake eyeball, stolen tissue with DNA, stolen biometric data, that user cannot be revoked without locking out that user for life!
The article claims to address the authentication step, briefly mentioning "one-to-one comparison" but fails to define what that would mean for a given situation.
Bruce Schneier said it back in 1998, and updated it with application to airports.
-
When, not if
IDS is placed on a system to follow an attack. Audit trails on sensitive machines reveal all commands executed, to the detail you desire.
Here is the point. Bruce Schneier says that the important part of security is not that you were compromised, but rather that you can react within a time frame to keep the damage to acceptable levels. If you can tolerate having your system compromised for weeks, don't invest in a lot of security. The short response time (2 hours at 11pm EST) here indicates that the Gentoo administrators care about responsiveness enough to check on it frequently.
When the CVS gateway to Bitkeeper on the Linux Kernel was compromised, the developers of Bitkeeper were able to show that they care enough about security that they invested in many checks and balances that caught the error immediately. Since then, Bitkeeper developers, interested in protecting their good reputation (which is VERY difficult to replace), are considering even more drastic measures.
As a bonus, some cracker spent a good few days or weeks writing this exploit. We get to keep it and deploy the solution with little hassle. And the compromised system, because good security practices are in place, was mitigated to minimize damage.
Read Schneier's book Secrets and Lies to find out how security is really a process. Yes, I know it's a plug, but I just thought the book hit home to the real point - "When, not if" you get compromised.
Several other posts here hint that the world will think less of Linux for this. False. True CIOs should see that Linux has the tools to completely identify and contain attacks. Every CIO knows attacks cannot be stopped, but rather they must be contained to acceptable levels.
-
Re:The greatest threat...
I use a password storage system with 256 blowfish encryption, but the idea that I have to store passwords in a password-protected system is a little scary.
I don't remember quite where I read this, but Bruce Schneier keeps them on a piece of paper in his wallet. He recommended it in an earlier Crypto-Gram.
-
MacOS X : Use the keychain
Actually, you can use it in MacOS 9 as well. The keychain is an encrypted store of anything, but mainly passwords, that is unlocked by your user login. Browsers like Camino and Safari will save your website passwords to it, and Mail.app will save your email passwords to it, and the OS will use it to store passwords for encrypted disk images, or filesharing mounts, or your .Mac account. In MacOS X 10.3, the system will recognize login passwords of lengths greater than 8 characters. The upshot of all this is that it allows you to generate good, strong passwords like series of letters, numbers, and special characters that have a high amount of entropy but are too difficult to remember. So long as you have a very strong login password (this was not possible in MacOS X 10.2.x and earlier), they will be protected by the keychain.
This is similar to Bruce Schneier's Password Safe and is more convenient in many respects than his solution of keeping his passwords written down on a piece of paper in his wallet. He argues that we all have a lot of real-world experience at keeping our wallets safe, but I have a lot of passwords. How many do you have? Does anyone else dig around in your wallet, like your wife? What if she found out you had a password to someplace you shouldn't, like... uh... Slashdot?
I like my keychain. I'm surprised Tog never mentioned it. Wasn't he an Apple guru at some time?
-
Re:biometrics
Well, the manufacturers of palm/retina scanners generally do include a feature that detects if the bodypart being scanned has a pulse.
One would hope so, but the evidence isn't as promising.
-
Re:Keep Secrets Secret
I totally agree. I can see you've read Applied Cryptography by Bruce Schneier or the Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone. Too bad that your comment while finally saying the most important thing about crypto algorithm secrecy was modded as only (Score:2, Informative). If Slashdot moderators knew anything about crypto, it would've been modded as (Score:2, Insightful). I just wanted to say that some people understood your comment, even if they are not moderators.
-
Interesting link
Cryptanalysis of the Cellular Message Encryption Algorithm by David Wagner, Bruce Schneier, and John Kelsey is worth reading, if one doesn't know the status quo of cellular encryption.
-
Hardly anyone ever uses biometrics correctly
I don't know why all of these so-called "security experts" keep on advocating biometrics with little or no understanding of their real properties, much less how they should be properly used. Biometrics can be used as unique identifiers, but biometrics are not secrets. They can provide a unique identifier in an already trusted environment, but alone they cannot be used for authentication, which is what so many of these "experts" are ready to do. If I steal your fingerprint using any of the simple yet effective techniques (none of which require me to cut off your finger) described by Ton van der Putte, it can't be un-stolen, and nobody will be able to give you a "replacement" fingerprint.
A quote that illustrates this naivete from the USA Today article: "Biometrics is one way to really identify the customer you're dealing with," he [Steve Vallance] says. What a foolish, naive statement. Alone, biometrics cannot really identify anybody.
I really can't do any better than point people out to an article in yet another issue of Crypto-Gram, which first came out five years ago: Biometrics: Truths and Fictions.
-
It is not that simple
The gangs can *TRY* to extort money, but in the long run, it would be cheaper to hire consultants or better administrators. This will have the effect of IMPROVING security worldwide. Thanks European gangs!
Speaking as a systems security consultant, I cannot disagree. But keep in mind that using that logic we'll have to thank burglars for door and windows security improvements, while in fact those improvements are only needed to keep our homes safe from those very same burglars in the first place. They are not part of the solution, but part of the problem, as Bruce Schneier would say.
-
This also sounds the same as...
Bruce Schneier's Password Safe.
-
Re:Ummm...
Quantum Crypto allows for the possibility of data being lost in the transmission: just as it allows for selecting the wrong filter at the receiving end.
Even if only a small amount of the photons sent are actually received, they can be used (although, obviously, the system wouldn't be as fast or efficient as if all photons had been received, since there's then the added problem of selecting the right filter!).
We can always wait for Bruce Schneier's opinion whether it's snake oil or not in his next Crypto-Gram, due out in a week or so.
-
So, do the bank tellers look at you funny...
... when you go to cash a check with your tin-foil beanie on?
I'm being facetious, of course. Or is it fascist? I do worry about it a little, what with the Patriot act, etc.
I wonder, have you tried putting some Elmers glue or something on your finger before letting it scan your fingerprint? I bet this could be a fun thing to mess with. I'd be willing to try a gelatin fingerprint transplant like we heard of for foiling finger scanners before. I'll give someone my fingerprint to cash a check at Wachovia. Would this be considered some type of fraud?
-
Re:This happened once before...
This does seem to be a common goof. Bruce S. had some commentary in his newsletter a couple of months ago.
-
Actually, Bill's at least partly right...
It's not so much that we "don't need" perfect code; it's that we'll never have perfect code. Bruce Schneier said this very well in his Crypto-Gram newsletter for May 2000:
So then the next interesting question becomes, what do you want the process to look like? Certainly, the responsible vendors have to be a part of that process; equally certainly, the users do, too. ...computer security flaws are inevitable. Systems break, vulnerabilities are reported in the press, and still many people put their faith in the next product, or the next upgrade, or the next patch. "This time it's secure," they say. So far, it hasn't been.
Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products.
Now, for Bill to say "You don't need" instead of "we'll never have" is certainly a rather underhanded piece of spin control, because responsible vendors have to at least try to get it right, and the fact that we're busy putting processes in place to pick up the pieces when they blow it doesn't absolve them of that responsibility.
-
Re:.Net Obsolete?
ARGH!!!! (Bashes head on desk.)
Go into a corner and repeat this phrase till you automatically think of it when people ask you if product X is secure or not;
- "Security is a process, not a product".
-
Re:Reading list
FWIW, Bruce is now saying that Applied Cryptography was too theoretical, and is now recommending Practical Cryptography instead for the common reader.
-
Re:Weasliest behavior? Why, it's the AC!
Good point, but...
once you register you get a link to automatically log you in here. The only time I've had to remember my slashdot password is when I move to a new computer. Also, I've never received any e-mail as a result of posting here. I just don't display my e-mail address...
To keep track of all the (important) logins I use Password Safe, free from here. That's the older version, sourceforge has a later version.
-
Here's a link
to his website.
-
Re:Lessig said it first
A government could simply declare that use of any encrypted protocol is illegal
Side channels. There's no way to tell if the poker hand I describe in an email is real or if it's part of an encrypted message.
-
Please, not again...
Oh please, not Microsoft harping on the full disclosure topic again! This is getting really tiresome, but if you're interested in arguments for full disclosure, Bruce Schneier has a good writeup (from 2001...) here.
The fundamental problem is that Microsoft's products were never designed with security in mind - it was features that counted. Taking care of this is probably going to involve rewriting every single application from scratch, possibly with a different functionality (ActiveX/ActiveScripting as we know them today will have to go, that's for sure). To be fair, Microsoft is in it for the money - and I have no problem with that - and of course it's easier to sell new features than security against some vague threat (until today, that is...).
Internet Explorer is an excellent example of Microsoft not getting this security thingy at all. ActiveX controls and scripts with access to the file system downloaded from the frigging Internet? This must be one of the dumbest design decisions I ever heard of. I just finished a 50-page paper on IE security for my company. My conclusion is that continuing to use it as the default browser is going to entail serious security risks for which there are no practical solutions. Unfortunately, we have no short-term alternative, but my recommendation is to move to a different browser platform in the next 2-3 years.
To add insult to injury, Microsoft is moving IE into the OS service packs, which is a QA nightmare waiting to happen: install the service pack (for bug and security fixes) -> break a few dozen LOB intranet applications, don't install it -> have IT Production and Security breathing down your neck.
Please, Mr. Ballmer, go back to monkey-dancing. You're better at being an entertainer than you are at being a manager and a visionary.
-
Re:Best example of how to speak about Security
StaticEngine said:
However, most "normal people" relate well to general examples, and this book is full of them.
If it's like Applied Cryptography there are tons. For a few weeks after reading AC all I dreamt of Bob, Alice, Trent, Peggy and that kid Alice kidnapped. ...
-
Schneier (secretly) invented e-commerce!
The back of his previous book, 'Secrets and Lies', contained enthusiastic quotations from Mary Meeker, dotcom cheerleader at Morgan Stanley, and from Jay Walker, the founder of priceline.com. Now 'Beyond Fear' elicits yet another effusive remark from Jay Walker, now founder of U.S. HomeGuard. Is this because Schneier and Walker share the patent that invented buyer-driven e-commerce? Acknowledge the affiliation, Mr. Schneier...you aren't just slightly ashamed of this patent, are you?
-
in html
http://www.schneier.com/crypto-gram.html
To do this yourself, just type:
<a href="http://foo/">bar</a>
-
Re:let's briefly review "Responsibility"
Actually, what you'll find is that with Open Source there are 13,546 different versions of each vulnerable app, and since the patches dribble out every few days, the whole platform becomes a big forked mess. It becomes an administration nightmare to keep everything current and secured.
I'd ask a security expert about that 'security through obscurity' mantra that you keep bleating, but you keep shoving crypto hackers at us as if they are security experts.