Bill Gates Proclaims End of Passwords
KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"
So, years ago, Bill Gates proclaimed the software was better, now he gets back to some hardware key...
But what about biometrics?
Trolling using another account since 2005.
This has been in Mac OS for awhile... as Keychains... mine is on my USB thumb drive...
Wasn't there a system in hitchhikers that meant you didn't require a password?
I always had trouble remembering the damn thing anyway. Now that I don't have to type it anymore, my life is complete.
Nice!
Smart cards aren't new
This doesn't sound like anything really new to me, I remember logging on to my W2K workstation with a smart card in 2001 if I remember correctly, what's new here (the techworld article didn't want to respond to me so I can't RTFA)?
So how do you 'unlock' the smart card to prove it's you (and still you) at the keyboard...???
a PIN number...
a fingerprint...
Authentication is based around something you have (userid/smartcard/finger...) and something you know (password/PIN/....)
No change since the Secure Single Sign On days of the mid 1990's. All they are doing is bringing it up to date using .NET to quickly build applications.
Depends on how many patents Microsoft have quietly filed on the technology behind it
Brocklesby Park Cricket Club
Being "technology's ultimate triumph over both itself and common sense".
So we are meant to trust ALL of our security-- on any system that would have previously required a password-- to a single point of failure which
1. Is maintained by Microsoft
2. Can be stolen
Riiiight.
#passwd
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
#
Next thing you know, he is going to want to only allow access if we have a chip in our hand or our forehead. Hmmm, it's almost biblical...
Bill Gates Proclaims that 650k will be enough for anyone.
Yeah, I know it's not true.
Well, considering Sun has been using smart cards for user identification for YEARS, when Solaris 10's source is released under an open source license, open source will have the same capability (well, no need for .NET though).
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
How come there isn't an open source solution already?
If you were blocking sigs, you wouldn't have to read this.
Tough to hax0r a retinal scan, or a thumbprint.
Curb CO2 emissions: Kill yourself today!
Orville Redenbacher, speaking through an interpreter for the dead, announces an end to those pesky husks that end up between your teeth after a movie at the theater.
Announcing: Seedless corn.
Vos teneo officium eram periculosus ut vos recipero is.
Being a member of MySony, they sent me an email and had me take a short survey, then decided to give me a free "wavecard" which is a Smart card with FeliCa technology. This is the contactless tech mentioned in the article. It requires software provided by Sony, and since I had the .NET runtimes installed already, I can't tell if .NET is really needed, I can say MS wasn't the first.
- I got my free iPod and a free Nintendo DS....why not
This, coming from Captain BSOD? I'll stick with my superduper random passwords.
I wonder how long it would take to crack these "smart cards", proving their worthlessness, just as the $20 bills were when those were rolled out?
"Secure and reliable cryptographic operations, such as symmetric (DES, AES) and asymmetric (RSA) algorithms are accessible via an implementation of the standard Cryptographic Services architecture of the .NET Framework. This empowers existing solutions that use .NET cryptographic services to be easily modified to use smart cards"
Thanks to Mono, you can implement it now. http://www.go-mono.com/crypto.html
Rocket science is easy. Neurosurgery, now *that's* difficult.
and no details about its security. Have they not learnt anything from the pay-TV industry, which opted for security by obscurity in their smart card design and as a result suffered from the consequences? I have a feeling this whole thing will go terribly wrong.
I think BillG recently saw the movie Revolution OS http://www.imdb.com/title/tt0308808/ *ing Richard Stallman.
Long Ago Hackers in MIT saw this dream of having no passwords with the philosophy that they didn't want to be in control of any admin assigned.
It worked for some time, RMS used to have no password of his unix account. All others too!, they had to just press the enter to login! but later they had to change themselves...
BillG will *not* succeed in his dream plan! Amen!
Seriously, who cares about passwords when you can exploit all the flaws MS systems have ?
They'd better fix their software first.
Linux is missing an opportunity. Instead of writing software that insists that passwords be uncrackable, they should be innovating new technologies that make machines insensitive to dictionary attacks, or new technologies like the one described here that does away with the need for having passwords everywhere. Hmm, maybe Bill has some innovation in him after all....
Laboratree - Scientific collaboration based on OpenSocial.
Reading the Axalto press release they talk about their cards as an additional form of security, not a password replacement. I've used smart cards for a few things and each of them has been protected by a password too. You enter the smart card and are then asked for a PIN to ensure you have the right to be using that smart card. As another poster said, if there's no password all they have to do is get to your wallet if they want to Get Root. Hopefully if we do see an open source implementation it won't be passwordless!
Isn't the best way to secure data *both* something you have (e.g. key) and something you know (e.g. password)? Something I know is also less likely to get stolen, so long as no one has a keylogger installed on my computer. Last time I checked, it's also a whole lot easier to change my password than it is to change the locks on my doors.
I know on Windows 98 that if you just clicked cancel you didn't need a password to log on..... high security
No passwords. Sure beats clicking on cancel to get in!
None. Or if they did, Sun Microsystems has been using a similar system for years. Smart card readers are standard equipment on all currently available Sun workstations, and have been for the last 3-4 generations of workstations as well. Sun "deployed" this system at least 4 years ago when it introduced "Sun Rays" back in 2000-2001 timeframe. If MS tried to patent this, Sun is clearly prior art, and if it isn't, it should be construed as simply a logical progression of Sun's system, which means it should not be patentable, but then again, we are talking about people who have let through patents on the wheel in recent years...
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
It's similar to the national identity card.. What if your card gets stolen. Any idiot can probably use it to connect to all of your accounts, without effort. Even worse, it's a very poor idea to base your systems on a completely centralised system like passport authentication. It only takes 1 person at Microsoft to trip on a cable then for all of your logins to fail.
Finally, it offers no protection still. Bill Gates is assuming you can't capture the password in memory. It is in fact even easier with .net because unlike a keylogger, the answer won't be obfuscated, you can just monitor the smartcard port, capture all the details sent, and you don't even need the smartcard.. You just emulate the smartcard hardware and fake the connection to the card, easy.
This system offers much less security than now, and the last few drops of respect I had for .NET are now mostly gone. This is nothing more than a publicity act that only stops people who tell others their passwords, and even then, they will just be able to borrow the smartcard.
Smartcards and MS passport also make a great way of tracking people. No one can tell me that Microsoft won't abuse this to improve their search engine
It will take only 1 more DNS mess-up for everything to fall apart, and is nothing more than a marketing Act. I beg of the mono people to offer a proper decentralised authentication system instead, like one based on jabber where any login method is possible anyway if the server supports the authentication type. PLEASE.. Do not use .NET authentication, or you are putting yourself in a terrible position (it costs money anyway, so I think it's time us as a programming community should get together and get jabber up to the point the same thing is possible in a decentralised way).
Dyslexia finally made sense to me...
www.weberseite.at
Is there no limit to Bill's powers of proclamations of endings? (Okay, he still has a year to go on the spam, but it'll be ending any moment .. now. Now. Now! Any moment...)
One line blog. I hear that they're called Twitters now.
In other words, Bill Gates gives up on security. "You win. You hackers always seem to find a way to break into our OS, well fine. From now on, we're taking the ball back. NO SECURITY FOR YOU!". Or, perhaps "In the interest of customer service and ease of use, we will now automatically grant administrator access to anyone who can turn the machine on. Down with restrictions!"
In all seriousness, is anyone stupid enough to trust any security initiative put forth by Microsoft after the last few years have been so disastrous for them on that front?
You can accomplish anything you set your mind to. The impossible just takes a little longer.
I can't wait for the inevitable exploits and bugs that will cause crackers to be able to amass the personal information of everyone who is dumb enough to believe this man.
Can I get indemnisation from Microsoft for the problems this scheme will bring? No?
A little black book containing all your passwords that you keep on your person is the ONLY way to be safe.
I don't know the meaning of the word 'don't' - J
I actually like my password encrusted life. If I lose it all I have to do is request another be emailed. If I forget my email password I just call my provider and answer a slew of questions to prove my identity. Things are quick. Now, if my wife gets hold of a password "key" of any kind she will just lose it like she loses her ATM card 2-3 times per year. No thanks.
"Capital punishment makes the state into a murderer. Imprisonment makes the state into a gay dungeon-master"
After the 40th day where the D.A.M.N. Windows-based soul tracking system was offline due to spyware, God, CIO/CEO/Ruler of All You Know, has proclaimed the end of Bill Gates.
Vos teneo officium eram periculosus ut vos recipero is.
You may recall that RMS was strongly against passwords. We don't have to agree with everything he says or does - just the good stuff.
The answer, although everybody is recommending it, is not biometrics. Let's say company A has your thumbprint/iris print on file for access to their system. Now, company B uses the same method. What's to stop company A from using that print to get information from company A. What if they use some iris scanning thing to get a key to encrypt your data. What if your eye gets messed up. Is your data lost, because it's going to take 5000 years to decrypt by some other hacking it? Compared to the alternative, passwords are nice. It's nice to be able to have different passwords for different companies, and to be able to choose passwords of differing levels of security for different things which require more or less security. I like to be in control of my own security. I'd rather not have one central organization, Microsoft or not, that's in control of my access to everything.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
You can always get a new smartcard, you can't get new fingerprints (or retinas, or whatever).
HAND.
See this page:
http://www.ibutton.com/ibuttons/java.html
I've had one of these Java-powered iButtons since 2001. If you have the PKI in place it's a very easy technology to use. If you don't, it just gives you bragging rights in the my-computer-is-smaller wars.
Both good.
Phil
I guess today is a passable day to die.
Microsoft. Double-plus good chocolate ration increases for Party Members.
And it was called the "Java Ring"?
One of the things such sensors check for is blood flow. So naturally they'll just have to kill you afterwards, but you won't be needlessly mutilated.
End of passwords? Umm, so, what is the other factor then?
Cig? No, thank you.
Newer US Military ID cards (~last 2 years) have a 'chip' in them that allow instant login to DOD computer systems. It also stores the user's medical records.
...it's pretty easy, all things considered. Unless the tech has gotten better in the last year or so.
Here's one article that's 2 years old.
http://www.extremetech.com/article2/0,1558,13919,00.asp
Even simple breathing will do the trick of outwitting a capacitive fingerprint scanner.
There are more resources available via Google.
Mass market, affordable biometric systems are far from being foolproof.
"honey, where is my smart card.. i want to check email"
Doubt that 'yet another external device' is the future of anything..
---- Booth was a patriot ----
I can't RTFA (it's been slashdotted), but this makes lots of sense, and there *are* open source solutions to this, like public/private key pairs in OpenSSH. I do need to know a passphrase to unlock my key, but then I can log in to a number of different machines with it. In fact, I have my machines set up to not accept password logins except at the console, remote users *must* use key pairs.
Currently I keep a key on my desktop machine and another one on my laptop, but if I was worried that those would be stolen I could switch to a USB key.
Authentication is potentially based on three factors: Something you have, something you know, and something you are (biometric).
Passwords are the "something you know." That gets us down to two factors. Gates probably also has reasons the others should be eliminated.
Perhaps Gates is ultimately advocating "no-factor" authentication. What are the implications of that?
Yes, without those pesky "passwords", security on Windows boxes will once again rival that of Linux, et al.
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
First it was a single password, and now it is none.
Sun has been pushing smart-card signon systems for years -- along with plenty of little security vendors -- not to mention smart rings, smart money clips, hell, smart anything that can take on a key. Has anyone in the mainstream picked it up? No.
Of course, MSFT has a hell of a lot more clout than Sun, but I just don't see this as being technology that anyone other than a nerd who gets off on RFID actually wanting to bother with.
Now go forth, all ye' faithful, and code as thy supreme being hast commanded.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Isn't this the same guy that said we would never need more than 640k of memory?
Why would I want to have to carry a piece of plastic around just so I can log into my PC?
Also what about the increased security risk because now you have something someone can steal and use?
Passwords are more convenient and more secure because no one can see or steal what's in my head (I hope!).
And passwords can proclaim the end of Bill Gates - with about the same net effect :-) The nifty idea is really nothing more than putting the password on a physical medium so you don't have to remember it. It's an old idea; the problems with it are - you need to carry the damn thing, you need to not lose the damn thing, and you need to get the damn thing out every time you are logging in. The reason your bank's web site offers you to store your credit card number in a cookie is that people object to having to mess around with physical objects when they need to get access...
I have a smart card and a smart card reader that I have not used since 1998. I remember I was using it to test authentication technology. I remember writing something for this hardware in Java.
Now I can do it in .NET. whooopeee. Not as interesting as the feedback from the Slashdotted article about finding Atlantis near Cyprus (the discussion devolved into something totally non-related, about Moses and writing. Is that slashdot normal?)
good times
just a web application developer and instructor in Toronto, ON Canada
"How long before we can get an open-source version of this?"
This sentence had some typos. I've corrected it:
How long before we can get a knockoff, blatant rip-off of this, like we do every other commercial app?
Hardware security solutions require software to work, software can be cracked, therefore hardware solutions don't work.
Look at dongles and other systems, they tend to be cracked. As long as you can snoop what's going on in the PC you can generally find a way of reading and injecting the required code.
Also what happens if your server in another country goes down and you can't get an engineer to sort it out as there's no local smartcard? why you use remote login with a smartcard. Therefore your access code will be sent down the Internet/VPN.
Bill needs to do some proper R&D instead of spouting obvious potential developments.
It's simple, here we go:
I predict the end of magnetic media.
The mouse will be replaced.
We will get tables where the whole surface is a touchscreen.
Keyboards with changing key caps, the keys alter to suit the application.
etc..
I don't know about the rest of you, but I'd feel safer authenticating using a password than using a smartcard, or any physical object that can be stolen.
Of course, you could protect the smartcard somehow...like, with a password.
Please correct me if I got my facts wrong.
There used to be a PAM module to use the Java iButton on Linux here:
http://www-users.rwth-aachen.de/dierk.bolten/pam_ibutton.html
but it's 404 now, and I can't find a live mirror.
Anyone got it?
Phil
I guess today is a passable day to die.
So, the password crackers will need to cut fingers in future?! How will this be called?! Brute force?!
Whatever happened to checking a user's authenticity by analyzing typing style and rate? There were studies which proved it was almost always correct. I'm sure in a practical situation they could be made 99.999999% correct. So how come we don't see it anywhere? At least not publicly.
As for the card, just like everyone else I'm not impressed. Bill really needs to get out more. He's really out of touch.
Developers: We can use your help.
How long before we can get an open-source version of this?
Who knows? Bill was telling me it won't happen, and Linus told me next week!
I've not read completely TFA, but you can authenticate with a USB pen in Linux using the PAM USB module.
The local Air Force base here went to full implementation of smart cards for logins (the cards double as their building IDs). It was a debacle...they were recognized by the readers about 20% of the time, and misread another 60%. They finally modified the login to allow them to Cancel the smart card scan and log in manually while they slinked off in defeat.
Mutant Freaks of Nature: "Frighteningly Addictive"
In earlier news Bill Gates proclaims: "640K ought to be enough for everyone"
If Microsoft was mass, stupidity would be gravity.
Bill Gates Proclaims End of Passwords
Slashdot Proclaims End of Techworld.com
How much memory does such a smart card have? Around 640k? That should be enough for anyone I guess...
Life is just nature's way of keeping meat fresh.
Axalto has developed a Java-based version of this card, too.
This post is displayed with recycled electrons
...give him a break on that one. Those words will haunt him the rest of his life. When was the last time you said something stupid?
Because I just did.
Please stop stalking me, bro.
A classic case of Billy boy announcing something everyone else has. I saw a demo by Sony about 2.5 years ago now which demonstrated smart card + biometrics as an authentication mechanism.
Something like 98% of the world's new smart cards run Java as their programming language, and there are defined standards for security around it. This stuff is already being used in the wild, for instance by the DoD. Oh and if you have one of those "Blue" or clear Amex credit cards... it's running Java too.
Or of course you could wait for Longhorn.
In terms of open source, you can do this in Java (which is published and the source is accessible), today.
I love Microsoft, "yesterday's technology, tomorrow".
An Eye for an Eye will make the whole world blind - Gandhi
How does this protect us from Microsoft?
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
Ah,
Thanks, but no thanks...
MS has enough power already without
giving them all the passwords in the world...
Ashcroft ends crime and terror, Gates ends passwords... what's next? Flying cars? A cure for cancer? Plutonian colonization?
The coolest voice ever.
Thanks, Bill.
Card support was in Java some time in the last century also. 1997 was it? Good to see Microsoft is so close to the cutting edge as ever.
As usual, Gates has decided that the lowest common denominator of sophistication will dumb down computing for everyone. I don't want to have to carry around a smartcard, or anything else. Who wants to find their smartcard somewhere in their apartment early in the morning to check their email before their cup of coffee? Who wants their girlfriend to "borrow" it to check that email before that cup of coffee, before they wake up? How much identity theft will be perpetuated in the name of Gates' "convenience"?
The best access solution is a combination of HW token, biometrics and password. Two out of three should gain access to all but root, sending a message to the administrator (possibly attaching a picture, voiceprint and GPS). Too bad for Gates that this security architecture makes a mobile "phone" the best gatekeeper to cyberspace, where his Windows monopoly is most under threat. Too bad for us that his monopoly is in a position to derail even that engine of progress, making mobile phones as much a mess as Windows. Someone stop him before he destroys yet another dream of freedom!
--
make install -not war
Then I won't have to keep entering my Banking and eBay details every time they send me an email to confirm my account details.
You do know that the "N" in PIN stands for "number", don't you?
What happens when you use your card on a PC that's pwn3d by dozens of pieces of spyware? Does the card use VPN or some kind of encryption wrapper that protects the link between the card and the other end even from a haxored PC?
One line blog. I hear that they're called Twitters now.
How long before we can get an open-source version of this?
Open-source geeks now want Gates technology? I thought everything that deals with Gates was EVIL and the open source crowd always had a better way? The more I see of the "open source revolution" the more it looks like Windows all over again except cheaper.
Mod me as a troll, but you know it's true. Anything that has ever had the "wow cool" factor with Windows has been leeched by the Linux heads as they scream that Windows will be the death of us all.
Something you have, something you know.
'Something you are' is just another form of 'something you have'. The limitation of biometrics is that 'something you are' cannot easily be decommissioned and reissued if it has been compromised.
The key to good security is to have the strength and number of controls increase as the value of the protected contents increases. A password alone may be perfectly appropriate to protect low value content.
Pluggable Authentication Modules Want a new method of authentication? Just write a PAM module!
He could retire and spend his money saving ill children around the world. And then let the computer evolve free of MicroSoft domination.
Smart Card Module for J2SE:
http://www.gemplus.com/smart/r_d/publications/pdf/GG00jaas.pdf
Cheers,
Tyler
Oh yah he was wrong right? :-)
Kosh: "Understanding is a 3 edged sword, your side, their side, the Truth."
Isn't this just replacing "I forgot my password" with "I lost my smart card"? And cards will cost more than passwords to change, unless MS plan to bring in a per CPU licence fee for password changes.
I like the idea of using keycards or something for logging onto the computers at work. Usually employees already have a card they clock in with, get coffee at the machine, pay lunch etc. Why not use it also on the computer. Saves the helpdesk a lot of trouble on Mondays unlocking accounts after another mandatory password change on Fridays..
Sample this!
...but predicting the future isn't one of them. He does have a talent for molding the present to suit him, but he's more miss than hit when it comes to being an oracle of progress.
He's of course thinking about public/private keys and such, but they're overkill for almost all web-based applications that don't require money. Do you really want to use a public/private keyshare to log on to like, well for example Slashdot, just so you can post how wrong Bill Gates is?
I know I wouldn't. Fhew!
Luck favors the prepared, darling.
Time to burn some karma...
Rev 13:16 And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:
Rev 13:17 And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.
Rev 13:18 Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six.
No one will ever need more than 640k...
Dictionary attacks were difficult in the olden days, because password hashes were expensive to compute (on the order of a second each). Hardware has caught up, so that hundreds of candidates can be tested per second.
Password strengthening is a scheme that adds a significant amount of random salt to the password. To use the password, you have to brute force the salt. This slows down legitimate authentication, but it also slows down a dictionary attack.
Stretching is a special case of this scheme that uses repeated hashing, instead of random salt. Instead of storing the hash of a password, store the hash after a couple thousand iterations. If the algorithm is good, there is no shortcut to the end hash value.
If it hasn't been done already, I imagine it would be a simple matter to implement as a PAM module.
with the luddites...
.NET smartcard - your passport to the universe
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
Gates would be funny if it was not for the fact that he has influence and power.
IANAL but write like a drunk one.
It's apocryphal, but Bill Gates's number is not that one. Nearly: Six hundred twoscore.
I assume a fingerprint is used to unlock the card. If so, does this mean that Bill just gave everyone the finger?!
It's been pretty easy to add biometrics or hardware keys to your system now. Hell, you can hit thinkgeek and find no less than four devices, although they all appear to only work with Windows. I've seen fingerprint scanners working with Linux at past trade shows too. But of course the idea's not going to catch on until Microsoft "invents" it.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
"No one will ever need more than 640K of RAM."
"Windows is stable and secure"
"Paper is dead"
Let's hear all the other insights of genius dripping from his bottom lip....
Gates now says "Just press enter for your password"
Acronyms Can be Read Out, so it's Not what You think it Means.
The term "acronym" originally referred ONLY to abbreviations that formed pronounceable words, such as RADAR, LASER, SCUBA, NATO, and even GNU. The term for an abbreviation made up of initials is an "initialism". However, due to common usage, the definition of "acronym" was weakened so that most people understand it to mean the same thing as "initialism".
Passwords proclaim end of you!
=)
Lost at C:>. Found at C.
Hmmm.... Tough choice....
Use passwords?
or
Sell your soul to Microsoft and let them proxy your most trusted information for you?
Hmmm....
Yes, this is a REALLY tough choice...
A physical object that can be taken from me, so that when someone steals my wallet, not only do they get my IDs, credit cards, and cash, but they'd also get access to all my e-holdings as well.
Fuck that.
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
Passwords proclaim end of Bill Gates!
Nope, this won't end passwords. For security, you have the following 3 options: something you have (smart card, signature), something you know (password, passphrase, PIN) and something you are (fingerprint, retina scan). For non-vital information (your hotmail account), choose one. For important information (medical, financial) choose two. For vital information (mission-critical applications, firing mechanisms, creating a will) use all 3.
Full-Featured GPL Web Hosting Control Panel
Why wait for Microsoft's implementation, which will probably require WinCE or something (Passport for .NET for Windows for Passcards for Single Signon Computing) on the smartcard, driving up the price? All for that Windows logo that means it's not really secure, but will crash your car when you leave it too close to the stereo. You can already authenticate, over Bluetooth, without passwords, from your "universal remote" (mobile phone). It might not be tested secure, yet (relying on Bluetooth encryption), but when has that ever stopped Windows?
--
make install -not war
Why did we not think of this before? We could have just had locks to the building, room, PCs - which open with a single Key :-)
Naah passwords are not passwords - they are verification of the mind which thinks up a unique password.
In front of the vault is not going to make a difference!
:-)
Dot Net...or NOT!
I once talked to representatives of a vendor/integrator of cryptographic smartcards.
;-)
I also talked about Linux/OpenSource with them and it's not that they hate Linux and love MSFT - it's just that for any serious use (read: digital signatures, use of the smart-card instead of your written signature), any "applets", any application, and any hardware has to be "certified" for a specific platform.
With this certification-process, the vendor testifies that the software and hardware work as advertised and no "unpleasant surprises" happen.
Unfortunately, this is time-consuming and thus very expensive - and must be re-done for every platform. Naturally, smartcard-vendors only certify for the platforms where they have sufficient demand (XP, W2K).
About the only chance that something like this is going to come to the OSS-world is that someone is putting forward a lot of money and essentially pays the vendor for the certification.
In Europe, usually the taxpayer does something like this, but in slashdot's home-country, I hear that the government spending money for "the common good" has recently escaped the mind of the general public who instead believes in privatization, tax-cuts and "trickle down".
You can probably imagine when such a thing will "trickle down" onto OpenSource-software
cheers,
Rainer
Windows 2000 - from the guys who brought us edlin
yeah, he's made a lot of proclamations.
Find a job you like and you will never work a day in your life.
...version of this (smart card)?"
The Smart Card Simulator
We must be alert to the danger that public policy could become captive to a scientific-technological elite. - Eisenhower
square 1: ...u insert this smart card and then Windows goes "Windows needs to be restarted for your hardware to work properly. Please remove the smartcard and click OK to restart" ..restart...back to square 1.
Find a job you like and you will never work a day in your life.
One of the assumptions of a smart card solution (or a USB solution or a biometrics solution) is that the user has access to a computer that supports such a solution. In my business, I deal with mobile professionals that use many computers and other devices, many of which they do not control and could not install hardware or software on to support those types of authentication tokens, even if they were technically capable of it. For those types of applications, standalone keyfob type tokens (Secure Computing, RSA, etc.) still seem to be the best choice.
You know, the land of weak encryption or die? I have to wonder just how effective a smart card can be from a country that doesn't allow its people strong personal encryption.
What if the only Admin dies, in a ball of flames from a following Airplane shot out of the air by the US army.., or shot by the RIAA for downloading some crap file the same name as some crap film a US company made 20 years ago and think they own all right to the name forever......
I've stopped listenin' to old Willy since the 640K comment.
I'll say. Here's a personal fave:
And somebody correct me if I'm mis-remembering, but didn't he also predict the death of the password back when he was pushing MS Passport some years ago?
I'm not tense. I'm just terribly, terribly, alert.
Well... it means nothing, but it sounds like asalto, which means mug. I find it to be a well suited name for any Microsoft partner.
Instead of using plain card authorization, I'm using third party software from inflexpoint, which offers usb key login.
This software allows me to embed user accounts to certain usb mass storage and if the usbkey is removed from the port, the machine automatically logs out current user and refuses to login another unless the correct drive assigned to the account is connected to the machine.
In addition to the token+password login, I'm using the EFS which is built-in to xp, which encrypts all my files with aes-256 on the fly.
Only downside is that currently the software doesn't support domain logins properly, so I have to manually mount all network drives but that's rather small annoyance for the cheap security it provides.
There are no atheists when recovering from tape backup.
...eventually.
/.'ers would rejoice.
And I suspect many
... or "Bill Gates Declares"
translation:
Bill Gates has some new thing he wants to sell, which might be able to replace some tried-and-true technology.
Take a piece of paper and a paper envelope. Write your password onto the piece of paper and put it into the envelope.
This provides the exact same security as a smartcard.
"640kb should be enough for anyone"
Need I say anything more?
Got any other predictions Billy Boy?
Brielle
Anyone willing to wager which happens more often in the slashdot crowd? (autonomous sex excluded.)
"It's a very tangled subsystem." --Windows kernel guru
no end to prophecies by billy. what are his other predictions gone phut? does anyone have a tally of that ? wonder why people forget it so soon!!!
If I was a non-US governmental entity, I'd love to give the access methods for all my data to Microsoft. After all, don't they make the most secure software in the world? And, it's not as though they have some kind of official tie to the US government or anything like that...
Linux already has this sort of technology, it is even interoperable with Windows, Solaris, UNICOS and AIX. It is called Kerberos.
Bill is just blowing smoke. He'd rather y'all laugh at him or at ol' monkey boy than spend time with MS' anti-trust trouble in Europe, MSIE's security problems, XP SP2's incompatibilities and security problems, or, worst, Linux or Free / Open Source Software.
A group of students are working on a neural net project. It comes time to decide what weight to put on the initial connections. One student says, "Set them all to 0 to start." Another student says, "No, that will introduce bias. We should set them all randomly." The smart professor replies, "You'll still have bias, only you won't know what it is."
:-)
So to Mr. Gates I'd like to reply: You'll still have a password, only you won't know what it is. Makes sense from a "security through obscurity" standpoint, though!
Don't SSH keys already provide an alternative to passwords for both shell access and file transfers?
(Not that I'd expect Microsoft to use an existing technology rather than making their own proprietary one...)
This psycho has the answer to all of our problems. Just submit...
A little web browsing or maybe outlook and after a short while NO passwords are needed to be r00t.
So will that mean that once MS integrates this technology into .Net, Java will play catch-up and provide a -free- PKCS11 implementation into its JCE?
Or even bouncycastle?
Please?
Pretty please with sugar on top?
How is this more secure? Items can be lost, stolen, duplicated etc. I realize this is an attempt to circumvent complacency and human slackness, but replacing passwords with an item in the grand scheme of things merely introduces a new technology of equal (at best) value. Hey, it gives you good press though. What's more, this has all been tried before. It's great to see that Gates is hot on the innovation trail! And in true form, via a third party!
I'm doing a uni course on security at the moment..
What they are teaching is that there are three main types of authentication:
Something you have - A smartcard, something physical.
Something you are - a fingerprint, biometrics.
Something you know - a password in ya head.
The whole idea is that you combine these for stronger protection.
To say that passwords are towards the end of their life is like saying they (M$) will be ignoring one possible type of authentication. Sure you can just use smart cards, but it's always better to have a combo of types and passwords are still handy to add that extra layer.
Live in your skin. Keep changing the scenery.
Bill Gates has declared the end of passwords. I guess they'll burn in fiery pits of hell with the command-line they declared dead five years ago ...
Yes, he also predicted that 16Mb of system memory will be plenty for everyone in the future.
He isn't a very good oracle after all.
There is definitely a difference between how easily one could have a fingerprint "lifted" vs a retinal trace, but as noted it isn't that much more secure. Just like somebody can stick a little scanner device over the debit-card hole on a cash-machine, so could somebody easily enough steal your retinal scan whilst you are being authorized at a legit service - particularly if such services become more commonplace.
Of course, with such an imprint it wouldn't exactly be as easy to create a new retina as a new thumbprint, but I'm sure that if such technology became popular it wouldn't be that long before somebody found a way (some form of non-opaque contacts, perhaps?)
I read your password.. using your own eye
sorry, the hyperlink to the theoretical studies in the last post didn't show up.... http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html
Smart cards are a good thing for multifactor identification -- if you have not only the username and password but also a smartcard, authenticity is pretty good. Toss in a biometric and you can be almost certain of who's logging in.
But a common pickpocket can take your smart card, and if you don't realize right away (or can't report it quickly enough) you won't get it deactivated in time to prevent compromise. Coupled with a password, though, the amount of time needed to break a decent password will give you the time you need to change out the card anyhow.
There is only one way to use biometrics securely. If your office has a huge guy at the door who's good with faces, that's secure biometrics. He'll be much harder to dupe than a computer, and you can't steal his database. Of course, he's expensive, and you probably want at least one additional factor.
I hereby place the above post in the public domain.
No matter how bad a piece of his company's technology is - I'm referring to the disaster that was the original passport which was hacked with remarkable speed and spurned by the industry almost unanimously - the man just does not give up. Every time he launches yet another piece of drivel guaranteed to fail, he simply puts it back in the marketing department which is tasked with bringing it back at some later date under another name with one or two improvements, which they will keep on doing in an endless loop until, even if it's ten years later, it finally gains traction.
Now, not only do I have to remember 40 passwords, I'm going to have to carry 40 smart cards and remember 40 keys.
I know, I know, it's not supposed to work that way, but I already have one, and I don't think my datacenter ID is going to work with Mr. Gates' .Net architecture. So now it will be two, then Apache will require a different card for secure access to my bank's site, each credit card company will want to use their own credit card, my mortgage company will have to issue their own, then there's the cable company, satellite TV (and radio), cell phone, gas, electric, water... It will never end.
I'll have to buy a bigger SUV to carry all this crap!!!
Find coupons in Greeley
When I was in college, a guy I knew was working on a software authentication scheme for this senior project. Here is how it works. As a new account, you select your user name. You go through a login trainer session, where you have to type that login name about 10 times, while it reads and stores the time intervals between the characters you enter. If you haven't established a certain degree of consistency, it will ask you to enter it a few more times. So that parameter of the natural rhythm with which you type your login name is stored in the system as your "password".
So that sounds like it wouldn't work, right? People know your username so they can duplicate your login, right? Actually, it was really tight. He already had a working version that we all (in the senior design project class) got to try. We never could fool the thing. You could tell someone what your login name was and they would try and try and never could successfully login as you. The main reason this works is that you are typing your own name. If it were a generic word that most people don't have to type very often, there would probably be a lot more similarity in the way different people type it and the system wouldn't work well, but being your own name that you are used to typing, there is some muscle-memory developed that makes it flow out effortlessly and consistently, which no one else can match.
We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
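The enrolment-and-compare scheme described in the comment above, sketched as an added example; it is not the student's code, which the page does not show. The username `alice`, all timing values and the three thresholds are constructed assumptions, and scoring by mean scaled deviation is one common choice, not necessarily what that project used.

```python
from itertools import accumulate
from statistics import mean, pstdev

MIN_SAMPLES = 10        # the comment mentions about 10 training entries
MAX_REL_SPREAD = 0.25   # assumed: per-gap std dev must stay within 25% of its mean
ACCEPT_SCORE = 2.5      # assumed: largest mean deviation (in std devs) still accepted
SPREAD_FLOOR_MS = 1.0   # assumed: keeps a very steady typist from dividing by ~0


def gaps_from(timestamps_ms):
    """Intervals between consecutive key presses."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def timestamps_from(gaps_ms):
    """Inverse of gaps_from, starting the clock at 0 (used to build sample data)."""
    return list(accumulate([0] + list(gaps_ms)))


class RhythmProfile:
    """Stores the typing rhythm of one login name in place of a password."""

    def __init__(self, username):
        if len(username) < 2:
            raise ValueError("need at least two characters to measure a gap")
        self.username = username
        self.entries = []
        self.means = None
        self.spreads = None

    @property
    def enrolled(self):
        return self.means is not None

    def add_training_entry(self, timestamps_ms):
        """Record one typed login; return True once the rhythm is consistent."""
        if len(timestamps_ms) != len(self.username):
            raise ValueError("expected one timestamp per character")
        self.entries.append(gaps_from(timestamps_ms))
        if len(self.entries) < MIN_SAMPLES:
            return False
        # Judge only the most recent entries, so early fumbles age out and
        # the trainer can simply ask for "a few more".
        columns = list(zip(*self.entries[-MIN_SAMPLES:]))
        means = [mean(col) for col in columns]
        spreads = [pstdev(col) for col in columns]
        if any(s > MAX_REL_SPREAD * m for m, s in zip(means, spreads)):
            return False
        self.means = means
        self.spreads = [max(s, SPREAD_FLOOR_MS) for s in spreads]
        return True

    def score(self, timestamps_ms):
        """Mean distance from the stored rhythm, in units of the stored spread."""
        if not self.enrolled:
            raise RuntimeError("profile is not enrolled yet")
        gaps = gaps_from(timestamps_ms)
        return mean(abs(g - m) / s
                    for g, m, s in zip(gaps, self.means, self.spreads))

    def verify(self, typed_name, timestamps_ms):
        """Accept only the right name typed with the enrolled rhythm."""
        if typed_name != self.username or len(timestamps_ms) != len(typed_name):
            return False
        return self.score(timestamps_ms) <= ACCEPT_SCORE


# --- constructed sample data -------------------------------------------------
OWNER_GAPS = [110, 95, 140, 80]   # ms between the five keys of "alice"


def constructed_entry(base_gaps, i):
    """Deterministic jitter of -6..+6 ms around base_gaps for training entry i."""
    jittered = [g + ((i * 7 + j * 3) % 13) - 6 for j, g in enumerate(base_gaps)]
    return timestamps_from(jittered)


def enrol_owner():
    profile = RhythmProfile("alice")
    for i in range(MIN_SAMPLES):
        profile.add_training_entry(constructed_entry(OWNER_GAPS, i))
    return profile


def enrol_with_fumbles():
    """Three erratic entries first; returns the trainer's answer after each entry."""
    profile = RhythmProfile("alice")
    slow = [2 * g for g in OWNER_GAPS]
    answers = [profile.add_training_entry(constructed_entry(slow, i))
               for i in range(3)]
    answers += [profile.add_training_entry(constructed_entry(OWNER_GAPS, i))
                for i in range(MIN_SAMPLES)]
    return answers


if __name__ == "__main__":
    p = enrol_owner()
    print("owner     :", p.verify("alice", timestamps_from([112, 93, 143, 78])))
    print("impostor  :", p.verify("alice", timestamps_from([95, 110, 120, 100])))
    print("fumbles   :", enrol_with_fumbles())
```

The impostor entry has nearly the same total typing time as the owner's; it is rejected on the per-gap pattern alone.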
One of the things such sensors check for is blood flow. So naturally they'll just have to kill you afterwards, but you won't be needlessly mutilated.
Yes. Some biometric sensors can be tricked with dead tissue or a photocopied fingerprint, but the good ones detect life signs. (This is the case for both good fingerprint sensors, reading electric impulses instead of light, and retinal scans that measure blood flow.)
Some sensors are even active, checking how the body reacts to stimuli, for example how the iris reacts to light, comparing it with a recorded sample.
Irene KHAAAAAAN!
Where did Billy Boy Gang steal this innovation from this time?
...version of this?"
Hopefully not too long...
Using biometrics is actually as said not that secure. That is since it's possible to fool any system with a fairly simple technique.
Maybe fingerprint checking, using the right sequence of fingers? But what happens if you have had a bad day injuring any of your fingers? Same goes for retina scans, how will they do the day after one heck of a party?
Brainwaves could maybe be something better, then you might have to think of something to create the right brainwave pattern! :-)
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
that passwords are always vulnerable to the "Rubber Hose Exploit"
i.e. apply a rubber hose smartly and often to the person who knows the password until he/she divulges it
--MAB
so why isn't this thing a patent and your buddy selling software to billy bob?
Depending on how you pronounce the "x" in your spanish speaking country but "Axalto" does sound a lot like "asalto" which in english means "robbery". Nice.
This paid my last vacation, it mi
Will this unhackable smartcard be featured on the unhackable xbox?
on when it gets cracked first?
I would say give it a few months, myself, let's say April...
Isn't it obvious what this is all about - to get the public talking of some other aspect of security, so as to draw attention away from all the vulnerabilities, viruses, worms, spyware, popups, and other problems that plague Windows users. And to make it look like M$ was doing something about security, without actually solving any of those problems.
How long before we can get an open-source version of this?
Why is it whenever M$ comes out with a stupid idea, OSS wants to jump on this bandwagon? This seems like an amazingly stupid idea. Maybe if OSS community would come up with breakthrough ideas it would actually be seen as a viable alternative rather than a M$ catch up.
what happens if your card gets melted, where do you go for a new one?
then the larger question, who stores all of your information for such a retrieval?
Anything so entrenched can never be said to be heading the way of the Dodo. Things last, for better or for worse, things stick around:
floppy disks
command line interface (if this dies, I quit computers)
serial ports(also, on my own list)
ps/2 keyboards and mice
analog modems
Technically, all of these can be replaced, but they haven't been, for one reason or another, they still exist. You cannot dictate change in this industry, you just sort of have to create opportunity for change, and flow with it.
From the other side, people use floppies, people use their favorite keyboard into keyboard death, then buy the same one as a replacement. People hate passwords. No one who writes the admin password for their xp box on a postit note under the keyboard will ever miss passwords. If people find it easier, they might switch. But don't bet too much on it. Not that you venture capitalists will listen.
I'm pretty sure passwords will end up on that list someday and I will personally stand in the way of their demise. Why? Because I do not trust PKI's, especially dotNet.
--Nuintari
slashdot : where an opinion can be wrong.
1. How much will it cost? Axalto smart cards are still very expensive even for 10,000+ card orders. (A rough estimate about $7 a card for 10,000) Ouch!
2. Where's the infrastructure to handle this? Card issuing and management is still a double-secret custom application that will cost as much as the cards.
3. Based on the press release, (couldn't RTFA) it sounds like Axalto has a library that sends commands back to their existing smart card. Putting an application on the card to do this doesn't seem very smart because of the lack of computing resources on the card. Good luck to them.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Today, your wallet gets stolen or mugged from you. You make a few calls and move on with life.
Tomorrow, with biometrics, you can get knocked unconscious and:
- RFID/chip implants removed (cue bathtub/kidney urban legend)
- hands lopped off
- eyes removed
I like today's solution better.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
Haha, and since when has prior art stopped M$ getting patents before?
US Federal Government has used similar system for years. It's called "Fortezza" and it's produced by Mykotronx.
This idea isn't new, though Fortezza is kinda expensive. On the other hand, Fortezza's price is most likely inflated due to limited customer base and FedGov supply system.
There are no mysteries, only unsolved puzzles.
What if the smart card stops working or goes bad?
I think this is fantastic! I believe common user passwords are highly unsophisticated and are bad for security.
Smart card tokens, which replace passwords among other possible uses of the smart card, can provide a better password.
By using this, you don't have to fear that someone else knows your password. You have the card, you have the password. You've lost the card, you've lost the password.
I hope that RFID won't develop into a problem : allowing other people to read your card remotely, from a close distance or a longer one.
I'm beginning to suspect my wife is a polygamist. :)
Do daemons dream of electric sleep()?
I guess Bill needs Security fundamentals 101 course ...
He never heard about 2-tier security:
1. something you have (access card)
2. something you know (password)
Yep Bill, who would need more than 640k of RAM?
http://shit.slashdot.org/article.pl?sid=04/11/16/1318210
... the key and barrel mechanism will be replaced by the more secure digital lock by the end of the 1980s. ... People will still give away sensitive information when threatened with a gun to the head or bribed with chocolate.
I'm Rod Shuffler and I'm a pornographer. Once the porn industry embraces smartcards, just watch the rest of the industry follow suit. Mark my words.
And he causeth all, both small and great, rich and poor, free and bond, to receive a biometric implant in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name. Revelations 13:16-17 (flame not, it's just funny)
LOGIN FAILURE: Your password is dead. Please contact billg@microsoft.com for a replacement.
Microsoft is rather late. Smart card authentication is widely used already, even on Windows. Sun has been trying the same thing with JavaCard. Experience shows that it works in some environments and it doesn't work on others. And along with the security problems it solves, it also introduces new ones.
The underside of everyone's tongue is different. I verified this using basic research techniques over a series of weekends while I was in college. After obtaining a more permanent research assistant, I was unable to proceed with further "comparison-" however, I do encourage others to carry on my work in the spirit of cooperative science.
The beauty of this approach is that you could integrate the tongue reader with the computer's mouse. The user would insert his/her into an opening in the underside of the mouse, a laser light would illuminate the pattern of veins, and the resulting image would be captured and compared against the security database. The process is as simple as licking the filling out of a custard donut. In fact, in some companies I have worked for the users are so simple that care would be needed to ensure that they could tell the difference between a custard donut and a tongue reader or problems might occur. Utter panic ensues as user authentication fails at Dunkin' Donuts Wi-Fi access points... Well, you get the idea.
For those users on a low-carb diet, the process can be described as similar to that used for another research project I conducted while in college. One advantage of the tongue-reader biometric system is that computer mice, like research assistants, are much more responsive when properly lubricated. Some other method might be necessary when dealing with portable computers. Perhaps it would be possible to integrate a tongue reader with the touch-pad pointing device. Obviously, this would favor users with the ability to lick their own laptops. But isn't that already the case for much of life?
And in case anyone is wondering, yes this IS a tongue-in-cheek post.
no matter how you look at it, there is no foolproof protection scheme. take biometrics and fingerprinting and all that good stuff for example. all people will need is one drop of blood or a piece of your hair to gain access. and even if they don't, hackers will always find some way to get around it. if you're sending info over the internet, all they have to do is hook up a packet sniffer and capture the relevant packets and resend them when necessary. in my opinion, well-thought out passwords with hashes offer the best current protection. while it's easier to replicate those, it's very inexpensive and any good OS can provide safeguards to make it extremely difficult to access. besides, anybody can steal a smartcard, but can anybody steal something stored in your head?
That's where Palladium (NGSCB for those abbreviation-challenged) comes in.
so hardware will be free, people will pay for software, and instead of remembering passwords we will have hardware that we paid??? m$ for?
Get your torrents...
Actually that raises a humorous point: People use their smartcards by extracting them from their wallet, WITH THEIR FINGERS. Anyone who gets the card, also gets a great set of fingerprints. D'OH.
Already have it. It's called ssh keys. etc. It's not missing from OSS it's just not applied.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
I think smart cards are the right way. Get the normal cryptoflex 32k egate card with a token connector, install openct and opensc (both http://www.opensc.org/), and use the opensc pam module for login, openssh for remote authentication, mozilla or firebird with the opensc pkcs#11 module for email signing and decryption, the opensc tools for initializing the card and diagnostics, openssl with the pkcs11 engine to create signed certificates, and so on.
:-)
you don't need microsoft to do that. opensc is available for linux and friends, mac os X and windows, and a CSP for windows is under development.
opensc supports cryptoflex, cyberflex, gemplus pk, siemens card os, telesec tcos, micardo, setec, ibm jcop, oberthur and openpgp smart cards. also the finnish, swedish, estonian and italian id cards are supported with full source code, the spanish linux user group has a special version with support for the spanish id card using a binary only plugin.
also note that opensc does not use a proprietary on card format (like most commercial alternatives), but implements the pkcs#15 standard.
disclosure: I'm one of the developers, doing some advertisement here
oh, except sun was doing it ten years ago.
You know, love Sun microsystems...but if one company has consistently been the victim of an idea whose time has not yet come, and won't come for another 10 years...it's got to be sun. Smart cards, JINI, SunRays...all brilliant...all dead because of being ahead of their time IMHO. They've seriously gotta start hiring some dumber people...I hear you can find them in Redmond.
Because in order for MS to do this, they must *clearly* have bought a SmartCard Programmer...
help me i've cloned myself and can't remember which one I am
This does not even have to be a reality. It gets people talking about what MS is *going to do next*, and does so without invoking Linux or any other competitor. You see, to win the public, they do not have to be better, just better at marketing themselves and silencing the competition. The public does not hear whispers in the wind.
InnerWeb
Freud might say that Intelligent Design is religion's ID.
Haven't JavaCards been usable for this sort of thing since... well, forever?
This is just another ".NET tries to catch up to Java" article. Move along...
And even before then, I remember magnetic strip cards being usable for authentication. Heck, I helped hack a crappy magnetic-based system together for one of my previous jobs!
Karma: It's all a bunch of tree-huggin' hippy crap!
My balls are sweaty! Big, hairy, sweaty and SLAPPING YOU IN THE FACE!
Love TrollBurger
Assuming you have a Mac (or FreeBSD?) which implements /dev/random using Yarrow, you can encrypt using Mersenne Twister (initializing the large internal table according to the docs), on the fly, passing the key to an external USB or dongle, to seed AES in one or more of its less familiar modes. This has been in the public domain for years.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
A lot of people seem to have not read the article (including potentially the poster of the story)
1. Microsoft purchased smart cards to upgrade their existing smart cards that they use for system and facility access. This is said explicitly about 2/3 of the way down.
2. Microsoft was the first to purchase this particular type of smart card.
3. The smart cards have an ECMA-compliant implementation of the .NET CLI and CLR on them. This means you can send ECMA compliant code, such as code compiled with Mono, to the smart card and it can run it, if you use their tool.
4. The smart cards ship with the device driver and libraries to work with it.
People are going "why .NET why not Java." This is a third party, not Microsoft. Java involves purchasing a license from Sun for commercial use (to make a Java-logo compliant JVM), while .NET involves downloading a specification from ECMA for free.
So far as raw assembly being superior, I'm not even going to touch that one except to say that the processor is junk on these things, you need isolation of code, the best way to get it is a VM of some sort you might as well use a standard one for which tools are available as roll your own.
So this is the situation. Some company released a smart card with an ECMA compliant .NET implementation on it, Microsoft bought a bunch of them and wants to use them for security.
This doesn't really involve anyone outside of Microsoft (it really doesn't), doesn't involve embrace and extend or FUD, or anything else that's been brought up in the commentary.
And it's not some great shocker that Microsoft doesn't like passwords, as a lot of people have said. For years, most of the industry preached passwords as the way to go. With a few exceptions, most people understand now that users are generally stupider than the chairs that they sit in, and either write down their password, chant it while they type, or use the same password everywhere. Also, if you require a user to change their password every 30 days, generally they achieve this by attaching a number and incrementing it.
The good news is hackers have been getting dumber, too, so they're unlikely to realize the user uses Pa$$word10 one month and Pa$$word11 the next...
If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
telnet fluffy.microsoft.com /usr/src/windows
login: bgates
Last Login: Tue Nov 16 04:34:29 from 127.0.0.1
You have mail.
$ cd
$ rm -rf *
$ ^D
Unlike everybody, I use no passwords for a very long time. Just because nobody suspects me about it, it works!
There you are, staring at me again.
Marketing (aka Data Mining) costs money, now what if Microsoft owned the only way to collect marketing information, the biggest pool of marketing data?
Now you know why they are trying to do this .net stuff.. The other reason is so they can find the source of competition and attack it before it has chance to develop.
Nice try Bill Gates but no go..
Just say no to license servers!!
But the reason I suspected for .net and centralized application use over a network, like subsribing to using MSWORD, I believe was a method of collecting information about people and then selling this information or using it to their advantage,
call me paranoid.
Just say no to license servers!!
Right?
http://www.g10code.de/p-card.html It as a smartcard that holds your pgp key. you can use it for authentication, encryption, and signing.
It's amazing how many people you could be friends with if only they'd make the first approach.
As always for the past five years, Bill is an idiot who is years behind, and his "visions" are only somewhat close because they're being adapted retroactively.
Smart cards, eh? Look, we've had them for a decade. We've had reliable, cheap smartcard-as-login solutions (both hardware and software) for several years.
They haven't replaced passwords so far, and they won't replace them in the future.
Smart cards are nifty, and very useful. But they aren't the end-all of security and anyone who says so in public is only making a fool out of himself.
For one thing, they can be lost, stolen and yes they can be copied (don't trust the marketing drones of the vendors, smartcard hacking has been public knowledge for at least 3 years).
Then, you are tied to a local system, or infrastructure. I can log on to my server from anywhere in the world where I can get an ssh client running. If you rely on smartcards, and you're in Tokio where the Internet cafe doesn't have them, or has a different system, you're fucked.
And then there's the frightening reliance on a closed system that's essentially a black box. If you fully automate the login process, I can fully automate the exploit. There's a reason manual intervention is sometimes a useful feature, but M$ didn't get that when they wrote Outlook, so I figure they still don't.
Fortunately, the market will kill this idea dead. I've yet to read one argument that would convince the CEO here to pump out ten thousand bucks or so to install the necessary infrastructure.
Assorted stuff I do sometimes: Lemuria.org
Oh, yeah, the death of passwords based on Microsoft's say-so. Somehow, while the technology is interesting, one has to wonder at ANY hardware based security method. Look at the supposedly "uncrackable" encryption devices on such things as cable TV signals and DVDs. Not to mention that Gates is looking for yet another way to literally control the transfer of ALL information in the world.
We must also remember that Microsoft has one of the poorest records on security in the computer software industry. I am willing to bet that this product, nifty tech though it seems to be, will be as full of holes, security-wise - as everything else that has come out of Redmond.
"One does not conquer the world with military force or economic pressure. One conquers the world by controlling what people think. Control the sources of information and you will control what people think." - me 1969.
Also, it's yet another assault on the open system of the web by .Net and a whole new way for Gates to line his already incredibly well-filled bank accounts.
Lee Darrow, C.H.
try working in a stop and rob and watching your favorite fingertip split banging away at a touch screen. touchscreens are for people who can't figure out how to manipulate keys, mice, lightpens..;)
Cool.
This is the "Nectar" .NET virtual machine written by Tim Wilkinson's new company here in Berkeley - Hive Minded, Inc. (the name is a reference to the Borg in Star Trek).
Tim is the guy who wrote Kaffe - I used to work for him. He's no longer working on Kaffe, and I'm running the project now.
He's also the guy who wrote the first Java smart card implementation for Schlumberger (now Axalto), before Sun did their own implementation -- so he knows what he's doing. :-)
It's been said before that the best security works by using something people have and something people know. So what's the deal here? What's something they know if it's not a password?
Unless it's a trick. They'll use a passcode or passphrase instead...
Biometrics, presumably
Irene KHAAAAAAN!