Slashdot Mirror


Bill Gates Proclaims End of Passwords

KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"

37 of 488 comments

  1. So now instead of torturing me... by SoTuA · · Score: 4, Insightful
    ... to get me to confess my password, all they have to do is get my wallet?

    Nice!

  2. How long before we can get an open-source version? by beders · · Score: 2, Insightful

    Depends on how many patents Microsoft have quietly filed on the technology behind it.

  3. A better question would be by Rogerborg · · Score: 2, Insightful

    How come there isn't an open source solution already?

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:A better question would be by jrumney · · Score: 2, Insightful
      How come there isn't an open source solution already?

      There is. It is perfectly possible to use an SSH or Kerberos key with no password to go with it. It's not a good idea though, and having the key stored on a smartcard does not make it one.

  4. Passwords? What for ? by yogikoudou · · Score: 3, Insightful

    Seriously, who cares about passwords when you can exploit all the flaws MS systems have?
    They'd better fix their software first.

  5. Linux is missing an opportunity by PrvtBurrito · · Score: 2, Insightful

    Linux is missing an opportunity. Instead of writing software that insists that passwords be uncrackable, they should be innovating new technologies that make machines insensitive to dictionary attacks, or new technologies like the one described here that does away with the need for having passwords everywhere. Hmm, maybe Bill has some innovation in him after all....

    --
    Laboratree - Scientific collaboration based on OpenSocial.
  6. Re:hard and soft by judmarc · · Score: 5, Insightful

    Think about this before assuming biometrics is the answer:

    • If someone steals an impression or picture of your fingerprint
    • If someone hacks the database linking your fingerprint or eyescan to your access authorizations for bank accounts, work, etc.

    - then how do you get your identity back?

  7. Correct me if I'm wrong, but. . . by UFNinja · · Score: 3, Insightful

    Isn't the best way to secure data *both* something you have (e.g. key) and something you know (e.g. password)? Something I know is also less likely to get stolen, so long as no one has a keylogger installed on my computer. Last time I checked, it's also a whole lot easier to change my password than it is to change the locks on my doors.

  8. I think this is the wrong approach by auzy · · Score: 3, Insightful

    It's similar to the national identity card. What if your card gets stolen? Any idiot can probably use it to connect to all of your accounts, without effort. Even worse, it's a very poor idea to base your systems on a completely centralised system like Passport authentication. It only takes 1 person at Microsoft to trip on a cable for all of your logins to fail.

    Finally, it offers no protection still. Bill Gates is assuming you can't capture the password in memory. It is in fact even easier with .NET because unlike a keylogger, the answer won't be obfuscated; you can just monitor the smartcard port, capture all the details sent, and you don't even need the smartcard. You just emulate the smartcard hardware and fake the connection to the card, easy.

    This system offers much less security than now, and the last few drops of respect I had for .NET are now mostly gone. This is nothing more than a publicity act that only stops people who tell others their passwords, and even then, they will just be able to borrow the smartcard.

    Smartcards and MS Passport also make a great way of tracking people. No one can tell me that Microsoft won't abuse this to improve their search engine.

    It will take only 1 more DNS mess-up for everything to fall apart, and it is nothing more than a marketing act. I beg of the Mono people to offer a proper decentralised authentication system instead, like one based on Jabber, where any login method is possible anyway if the server supports the authentication type. PLEASE, do not use .NET authentication, or you are putting yourself in a terrible position (it costs money anyway, so I think it's time we as a programming community got together and got Jabber up to the point where the same thing is possible in a decentralised way).

    1. Re:I think this is the wrong approach by auzy · · Score: 2, Insightful

      Passports and driver's licenses have a photo though, so you can't pretend to be the owner of the item.

      Credit cards have a PIN, contain no customer details, and the ATM eats your card after 5 bad entries. Many ATMs also take your photo, so it's harder to use it. Finally, ATMs generally only let you extract a small amount each transaction, so it isn't that easy.

      The Internet doesn't have a photo or restrictions, so you can log into a .NET-enabled shares site, and with the .NET key, suddenly, they might sell all their stocks, trash their emails, pretend to be them on the internet, hack their site, etc. The best way to think of this is to imagine the extreme. Imagine if all sites ran .NET, because that's EXACTLY what MS wants. Every site, 1 password for 1 user.

  9. Re:a bunch of marketing speak by harriet+nyborg · · Score: 2, Insightful

    1 billion GSM subscribers are using smart cards.

  10. HA! RMS was there first! by dbIII · · Score: 2, Insightful

    You may recall that RMS was strongly against passwords. We don't have to agree with everything he says or does - just the good stuff.

    1. Re:HA! RMS was there first! by AndroidCat · · Score: 2, Insightful

      So? I still think he was an idiot about no passwords. (In fact, he was a jerk by insisting that other people shouldn't use passwords.) That was not some of his "good stuff".

      --
      One line blog. I hear that they're called Twitters now.
  11. Um... no? by warrax_666 · · Score: 5, Insightful
    The same applies for a smartcard, doesn't it?

    You can always get a new smartcard, you can't get new fingerprints (or retinas, or whatever).
    --
    HAND.
    1. Re:Um... no? by ballpoint · · Score: 2, Insightful

      How long before high-resolution eyeball-tracking cameras stealthily look down into a main city street making iris snapshots?

      Iris pictures are even easier to obtain than fingerprints; no material contact is necessary.

      --
      Flourescent (adj): smelling like ground wheat.
  12. The obvious question by Black+Noise · · Score: 3, Insightful

    End of passwords? Umm, so, what is the other factor then?
    Axalto's new .NET-based smart card is both a great solution to bring strong, two-factor authentication to the enterprise as well as yet another way for .NET developers to take advantage of their skills and code.
    --
    Cig? No, thank you.
  13. I rarely use passwords now... by djmurdoch · · Score: 2, Insightful

    I can't RTFA (it's been slashdotted), but this makes lots of sense, and there *are* open source solutions to this, like public/private key pairs in OpenSSH. I do need to know a passphrase to unlock my key, but then I can log in to a number of different machines with it. In fact, I have my machines set up to not accept password logins except at the console, remote users *must* use key pairs.

    Currently I keep a key on my desktop machine and another one on my laptop, but if I was worried that those would be stolen I could switch to a USB key.

  14. Re:.NET? by rokzy · · Score: 3, Insightful

    you, like many others, assume that all criminals are psychos and will stop at nothing to commit a crime.

    that is bullshit. a large amount of crime is opportunistic. if you leave your window open, they'll climb in. if you close it, they might smash it IF the house is empty and secluded. but it's not an arms race. if you install CCTV and alarms, they don't come back dressed in black with night vision goggles and a set of expensive tools to disable your security, they just go next door to the guy who HAS left his window open.

  15. Re:News? by khrtt · · Score: 1, Insightful

    standards-based, stable OS

    What OS? Smartcard doesn't need an OS, or an interpreter, or any shit like that. All it needs is an implementation of the authentication and communications protocols, nothing more, nothing less. Then again, Billy's shop has been known to overdesign stuff before. By, like, a factor of 10, maybe. I've written some Windows drivers where for 500 lines of functional code there is 5000 lines of code that has the single function of coping with the API. Now they've stuck a CLR on a smart card - what a great achievement of technology - it would be more appropriate stuck up their arse.

  16. tyranny of the monopoly majority by Doc+Ruby · · Score: 2, Insightful

    As usual, Gates has decided that the lowest common denominator of sophistication will dumb down computing for everyone. I don't want to have to carry around a smartcard, or anything else. Who wants to find their smartcard somewhere in their apartment early in the morning to check their email before their cup of coffee? Who wants their girlfriend to "borrow" it to check that email before that cup of coffee, before they wake up? How much identity theft will be perpetuated in the name of Gates' "convenience"?

    The best access solution is a combination of HW token, biometrics and password. Two out of three should gain access to all but root, sending a message to the administrator (possibly attaching a picture, voiceprint and GPS). Too bad for Gates that this security architecture makes a mobile "phone" the best gatekeeper to cyberspace, where his Windows monopoly is most under threat. Too bad for us that his monopoly is in a position to derail even that engine of progress, making mobile phones as much a mess as Windows. Someone stop him before he destroys yet another dream of freedom!

    --
    make install -not war

  17. Re:end of passwords - not by jamonterrell · · Score: 2, Insightful

    I've long argued for a similar solution for credit cards. I want a credit card that is a smart card, has a numeric keypad and a small LCD display. You insert the card into the reader, the reader asks for $X.XX for XYZ, Inc. from the central credit card computing system, which responds to the reader with a unique transaction ID. The price/company promptly appears on your screen, you press "YES" or "NO" and key your PIN. The unique transaction ID, your secret key (unlocked from the smartcard using the PIN), $ amount, and billing company ID or name are all MD5'd together ON THE SMARTCARD, and the result is sent to the reader. The reader sends this back to the central credit card computers, who verify it (they also have your secret key), and voila, you have a transaction that is safe for both sides and fully verified. Seems like the amount of money it would take to roll this out could be recovered in 5 or so years from the amount of credit card fraud it would cut down... but then again, I guess everyone is just doing identity theft and applying for the credit card under someone else's name these days.

    --
    I can count to 1023 on my hands. Ask me about #132.
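The transaction scheme in the comment above, worked through as an added example (not code from the thread, Axalto or Microsoft): the issuer hands out a transaction ID, the card releases a tag over that ID, the amount and the merchant only after a PIN check and an on-card confirmation, and the issuer verifies the tag with its own copy of the card secret. The comment proposes MD5 over the concatenated fields; this example substitutes HMAC-SHA256 as the keyed tag and length-prefixes the fields so they cannot run into each other. Card IDs, PINs, merchant names and amounts are constructed sample values, and the `SmartCard`, `Issuer` and `demo` names are mine.

```python
"""Issuer and card halves of a card-authorised purchase: per-transaction ID
from the issuer, PIN-unlocked secret on the card, keyed tag over
(transaction ID, amount, merchant). Added example, not from the thread; the
comment's MD5 over concatenated fields is replaced by HMAC-SHA256, and every
key, PIN, merchant and amount below is a constructed sample value."""

import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Set, Tuple


def _message(txid: str, amount_cents: int, merchant: str) -> bytes:
    # Length-prefix each field so "12|3" and "1|23" cannot tag the same bytes.
    fields = [txid.encode(), str(amount_cents).encode(), merchant.encode()]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


class SmartCard:
    """Holds the card secret; releases a tag only after a PIN check and only
    over the amount and merchant the holder confirmed on the card's display."""

    MAX_BAD_PINS = 3

    def __init__(self, card_id: str, secret: bytes, pin: str):
        self.card_id = card_id
        self._secret = secret
        self._pin = pin
        self._bad_pins = 0

    def authorize(self, txid: str, amount_cents: int, merchant: str, pin: str,
                  confirm: Callable[[str], bool]) -> Optional[bytes]:
        # The card, not the reader, counts wrong PINs, so a reader cannot reset it.
        if self._bad_pins >= self.MAX_BAD_PINS:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._bad_pins += 1
            return None
        self._bad_pins = 0
        # What the holder sees on the card's own display is exactly what gets tagged.
        if not confirm(f"{merchant} asks for {amount_cents / 100:.2f}"):
            return None
        return hmac.new(self._secret, _message(txid, amount_cents, merchant),
                        hashlib.sha256).digest()


class Issuer:
    """Central system: enrols cards, issues transaction IDs, verifies tags."""

    def __init__(self):
        self._secrets: Dict[str, bytes] = {}
        self._pending: Dict[str, Tuple[int, str]] = {}
        self._settled: Set[str] = set()

    def enroll(self, card_id: str, pin: str) -> SmartCard:
        secret = secrets.token_bytes(32)
        self._secrets[card_id] = secret
        return SmartCard(card_id, secret, pin)

    def open_transaction(self, amount_cents: int, merchant: str) -> str:
        txid = secrets.token_hex(8)
        self._pending[txid] = (amount_cents, merchant)
        return txid

    def settle(self, card_id: str, txid: str, tag: Optional[bytes]) -> bool:
        # Missing tags, unknown IDs and already-settled IDs fail before any crypto runs.
        if tag is None or txid in self._settled or txid not in self._pending:
            return False
        amount_cents, merchant = self._pending[txid]
        expected = hmac.new(self._secrets[card_id],
                            _message(txid, amount_cents, merchant),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self._settled.add(txid)
        del self._pending[txid]
        return True


def demo() -> Dict[str, bool]:
    issuer = Issuer()
    card = issuer.enroll("card-0001", pin="4242")

    def holder_says_yes(prompt: str) -> bool:  # holder confirms whatever is shown
        return True

    # Honest purchase: issuer and card both see 19.99 at Example Books.
    txid = issuer.open_transaction(1999, "Example Books")
    tag = card.authorize(txid, 1999, "Example Books", "4242", holder_says_yes)
    honest = issuer.settle("card-0001", txid, tag)
    # Replay: the same tag and ID presented a second time.
    replay = issuer.settle("card-0001", txid, tag)
    # Dishonest reader: registers 199.99 with the issuer, shows 19.99 to the card.
    txid2 = issuer.open_transaction(19999, "Example Books")
    tag2 = card.authorize(txid2, 1999, "Example Books", "4242", holder_says_yes)
    tampered = issuer.settle("card-0001", txid2, tag2)
    # Wrong PIN: the card releases nothing, so there is nothing to settle.
    txid3 = issuer.open_transaction(500, "Example Cafe")
    tag3 = card.authorize(txid3, 500, "Example Cafe", "0000", holder_says_yes)
    wrong_pin = issuer.settle("card-0001", txid3, tag3)
    return {"honest": honest, "replay": replay, "tampered": tampered,
            "wrong_pin": wrong_pin, "tag_released_on_wrong_pin": tag3 is not None}


if __name__ == "__main__":
    print(demo())
```

`demo()` runs an honest purchase, a replay of the same tag, a reader that registers a larger amount with the issuer than it shows the card, and a wrong PIN; only the first settles. Because the issuer already knows the amount and merchant from the transaction ID, the tag does not need to carry them; it only needs to be computed over the values the holder actually saw, which is what defeats the lying reader.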
  18. Re:hard and soft by wertarbyte · · Score: 4, Insightful

    The same applies for a smartcard, doesn't it ?

    No, it doesn't. If your smart card gets compromised, destroy it and get a new card with a new key. If someone manages to steal your fingerprint, you cannot change the media or key you authenticate with: the person did not only steal a material token that is linked to your identity; an unchangeable characteristic that should be uniquely assigned to you now is not referring only to your person. Someone literally stole your identity; to the ATM machine, he's not only the one in possession of your ATM card anymore: he is you.

    --
    Life is just nature's way of keeping meat fresh.
  19. Open Source Alternative by tdc_vga · · Score: 2, Insightful
    Why not check out Java? The Java Card system or the JAAS module for J2SE. Sun's machines have been doing this for years now. In fact, if you walk into any Sun office, check out the machines sitting in the lobbies; they'll have a smart card reader attached for people to walk up and load up their desktop/settings using their smart cards.

    Smart Card Module for J2SE:

    http://www.gemplus.com/smart/r_d/publications/pdf/GG00jaas.pdf

    Cheers,
    Tyler

  20. Re:.NET? by ComaVN · · Score: 4, Insightful

    So it is an arms race. Just not with the criminal, but with your neighbour.

    --
    Be wary of any facts that confirm your opinion.
  21. Re:And over in Java... by MikeBabcock · · Score: 2, Insightful

    Microsoft is good at taking something that exists, doing their own version of it, then spending huge money marketing it to people who've never heard of it.

    This is actually a valid business model to some degree.

    For those of us who don't like it, we've failed the world by not telling them about these things before Microsoft did.

    Kerberos pre-existed Win2k3 by a long shot and directory services pre-existed it too. But who bothered telling the users that?

    --
    - Michael T. Babcock (Yes, I blog)
  22. Re:hard and soft by Oddly_Drac · · Score: 2, Insightful

    "Think about this before assuming biometrics is the answer:"

    Even simpler. Biometrics is a layer on top of authentication that simply authenticates the key supplied by the biometrics. Even keycard access can be backed by a PIN to authenticate that the holder of the card is who the card proclaims them to be.

    The actual authentication is going to be a communication of ID to a server on a challenge/response basis; sidestepping the biometric step and cracking directly is likely to be a lot easier because of the _ASSUMPTION_ of security.

    --
    Oddly Draconis
    Too cynical to live, too stubborn to die.
  23. Re:hard and soft by Kjella · · Score: 5, Insightful

    I never figured out why you can't use the same system as you do with passwords. Password, hash and *drumroll* salt. No, not NaCl, cryptographic salt.

    If compromised, get a new device with a new salt. It is basically like a new identity (you'd have to revalidate with every authentication you had). If the perp just got your salted code, it is worthless. If he got your fingerprint, he still needs to get your new device to get a valid biometric/salt *pair*.

    Now top it off with a PIN, and you have the holy grail. Something you are, something you have, something you know. Use any subset which is enough. In most cases, what you are/have (fingerprint/salt) should be enough. It'd certainly raise the bar another notch or two.

    Kjella

    --
    Live today, because you never know what tomorrow brings
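The salted-hash idea in the comment above, as an added example rather than anything from the thread: the device holds the salt, the service stores only the derived value, and losing the device means enrolling again with a fresh salt, after which the leaked hash and the old device's salt both stop matching. It treats the fingerprint template as an exact byte string, which is the comment's model; real biometric templates vary from reading to reading and need a fuzzy matcher or fuzzy extractor in front of anything like this. Template bytes, device salts and user names are constructed, and the `Device`, `Service`, `demo` and `demo_with_pin` names are mine.

```python
"""Salted-hash handling of a biometric: the device holds a salt, the service
stores only a derivation of (template, salt), and a lost device is revoked by
enrolling again with a fresh one. Added example, not from the thread; the
template is treated as exact bytes, and all templates, salts and user names
are constructed sample values."""

import hashlib
import hmac
import secrets
from typing import Dict, Optional

ITERATIONS = 50_000  # PBKDF2 work factor, chosen for the example


class Device:
    """The 'something you have': carries a per-device salt and nothing else."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)

    def derive(self, template: bytes, pin: Optional[str] = None) -> bytes:
        # Length-prefix the template so template+PIN cannot be re-split another way.
        material = len(template).to_bytes(2, "big") + template
        if pin is not None:  # third factor folded in when the service asks for it
            material += pin.encode()
        return hashlib.pbkdf2_hmac("sha256", material, self.salt, ITERATIONS)


class Service:
    """Stores the salted derivation per user, never the raw template."""

    def __init__(self):
        self._records: Dict[str, bytes] = {}

    def enroll(self, user: str, device: Device, template: bytes,
               pin: Optional[str] = None) -> None:
        # Re-enrolling replaces the record outright: the old hash, and the old
        # device's salt, stop matching anything the service will accept.
        self._records[user] = device.derive(template, pin)

    def verify(self, user: str, derived: bytes) -> bool:
        stored = self._records.get(user)
        return stored is not None and hmac.compare_digest(stored, derived)


def demo() -> Dict[str, bool]:
    service = Service()
    alice_finger = b"constructed-minutiae-template-alice"
    old_device = Device()
    service.enroll("alice", old_device, alice_finger)
    before = service.verify("alice", old_device.derive(alice_finger))

    # Compromise: the stored value leaks and the fingerprint itself is lifted.
    leaked_hash = old_device.derive(alice_finger)
    # Revocation: Alice enrols again with a new device, i.e. a new salt.
    new_device = Device()
    service.enroll("alice", new_device, alice_finger)

    return {
        "before_revocation": before,
        "leaked_hash_after": service.verify("alice", leaked_hash),
        "finger_with_old_device": service.verify("alice", old_device.derive(alice_finger)),
        "finger_with_new_device": service.verify("alice", new_device.derive(alice_finger)),
        "other_finger_new_device": service.verify(
            "alice", new_device.derive(b"constructed-template-mallory")),
    }


def demo_with_pin() -> Dict[str, bool]:
    """Third factor folded in: fingerprint plus device is not enough on its own."""
    service = Service()
    device = Device()
    finger = b"constructed-minutiae-template-bob"
    service.enroll("bob", device, finger, pin="1357")
    return {
        "right_pin": service.verify("bob", device.derive(finger, "1357")),
        "wrong_pin": service.verify("bob", device.derive(finger, "0000")),
        "no_pin": service.verify("bob", device.derive(finger)),
    }


if __name__ == "__main__":
    print(demo())
    print(demo_with_pin())
```

`demo()` shows the revocation property the comment is after: after re-enrolment the leaked hash fails, the fingerprint with the old device fails, and only fingerprint plus the new device passes. `demo_with_pin()` adds the PIN as the "something you know" factor the comment tops the scheme off with.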
  24. passwords will never go away by 241comp · · Score: 5, Insightful

    Nope, this won't end passwords. For security, you have the following 3 options: something you have (smart card, signature), something you know (password, passphrase, PIN) and something you are (fingerprint, retina scan). For non-vital information (your hotmail account), choose one. For important information (medical, financial) choose two. For vital information (mission-critical applications, firing mechanisms, creating a will) use all 3.

  25. How long before.... ? by rainer_d · · Score: 2, Insightful

    I once talked to representatives of a vendor/integrator of cryptographic smartcards.
    I also talked about Linux/OpenSource with them and it's not that they hate Linux and love MSFT - it's just that for any serious use (read: digital signatures, use of the smart-card instead of your written signature), any "applets", any application, and any hardware has to be "certified" for a specific platform.
    With this certification process, the vendor testifies that the software and hardware work as advertised and no "unpleasant surprises" happen.
    Unfortunately, this is time-consuming and thus very expensive - and must be re-done for every platform. Naturally, smartcard-vendors only certify for the platforms where they have sufficient demand (XP, W2K).

    About the only chance that something like this is going to come to the OSS-world is that someone is putting forward a lot of money and essentially pay the vendor for the certification.
    In Europe, usually the taxpayer does something like this, but in slashdot's home-country, I hear that the government spending money for "the common good" has recently escaped the mind of the general public who instead believes in privatization, tax-cuts and "trickle down".
    You can probably imagine when such a thing will "trickle down" onto OpenSource-software ;-)

    cheers,
    Rainer

    --
    Windows 2000 - from the guys who brought us edlin
  26. Translation of phrase "Bill Gates Predicts" by jridley · · Score: 2, Insightful

    ... or "Bill Gates Declares"

    translation:

    Bill Gates has some new thing he wants to sell, which might be able to replace some tried-and-true technology.

  27. Re:It is called Kerberos by cpghost · · Score: 2, Insightful

    Right. Though Kerberos existed even before Linux ;-)

    --
    cpghost at Cordula's Web.
  28. Reminds me of an old AI story by droleary · · Score: 5, Insightful

    A group of students are working on a neural net project. It comes time to decide what weight to put on the initial connections. One student says, "Set them all to 0 to start." Another student says, "No, that will introduce bias. We should set them all randomly." The smart professor replies, "You'll still have bias, only you won't know what it is."

    So to Mr. Gates I'd like to reply: You'll still have a password, only you won't know what it is. Makes sense from a "security through obscurity" standpoint, though! :-)

  29. 3 different types... by xxx_Birdman_xxx · · Score: 3, Insightful

    I'm doing a uni course on security at the moment.
    What they are teaching is that there are three main types of authentication:
    Something you have - A smartcard, something physical.
    Something you are - a fingerprint, biometrics.
    Something you know - a password in ya head.

    The whole idea is that you combine these for stronger protection.

    To say that passwords are towards the end of their life is like saying they (M$) will be ignoring one possible type of authentication. Sure you can just use smart cards, but it's always better to have a combo of types, and passwords are still handy to add that extra layer.

    --
    Live in your skin. Keep changing the scenery.
  30. Re:hard and soft by sporty · · Score: 3, Insightful

    Or like me, someone who has a cut on their thumb that left a scar on their thumb. If this was during usage of a biometric system, I've just lost my password!

    --
    ping -f 255.255.255.255 # if only

  31. You have to hand it to BillG by theolein · · Score: 2, Insightful

    No matter how bad a piece of his company's technology is - I'm referring to the disaster that was the original Passport, which was hacked with remarkable speed and spurned by the industry almost unanimously - the man just does not give up. Every time he launches yet another piece of drivel guaranteed to fail, he simply puts it back in the marketing department, which is tasked with bringing it back at some later date under another name with one or two improvements, which they will keep on doing in an endless loop until, even if it's ten years later, it finally gains traction.

  32. Re:Man in the middle attacks? by pesc · · Score: 3, Insightful

    What happens when you use your card on a PC that's pwn3d by dozens of pieces of spyware? Does the card use VPN or some kind of encryption wrapper that protects the link between the card and the other end even from a haxored PC?

    A smart card contains a microprocessor that can sign stuff that the PC sends to it. It contains a secret private key for signing that never leaves the silicon, so no PC can get at it.

    The viruses can't steal the identity in the smart card. The smart card will happily prove its identity to the viruses. The important thing to understand is that while the smart card can prove its identity, it can't prove that its owner is actually at the keyboard or that the IE session withdrawing funds is run by a human in charge of the transactions... There are smart cards with built-in keyboard/display for that. Or you use a Palladium PC...

    --
    )9TSS
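The card-side and server-side halves of the challenge/response the comment above describes, as an added example (not from the thread or any vendor). The card's signature is modelled as HMAC-SHA256 over a key shared with the server, since Python's standard library has no public-key signature; the property the comment relies on holds the same way: the key lives only in the card object and the PC sees nothing but the challenge and the response. The demo shows the two consequences the comment draws: a recorded response is useless against a fresh challenge, but spyware on the PC while the card sits in the reader can complete a valid login and then act in that session, because the server only ever learns that the card answered, not who asked it to. Card IDs, balances and amounts are constructed; `SmartCard`, `Server` and `demo` are my names.

```python
"""Smart-card challenge/response and its limit: the card proves it holds its
key, not that its owner is at the keyboard. Added example, not from the
thread. The signature is modelled as HMAC-SHA256 over a key shared with the
server; the key never leaves the card object and the host only sees challenge
and response. Card IDs, balances and amounts are constructed sample values."""

import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class SmartCard:
    """Key lives only here; the host gets a response, never the key."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Answers whoever is talking to the reader: the holder's browser or spyware.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Issues fresh challenges; a correct answer opens a session."""

    def __init__(self):
        self._keys: Dict[str, bytes] = {}
        self._outstanding: Dict[str, bytes] = {}
        self._sessions: Set[str] = set()
        self.ledger: Dict[str, int] = {}

    def enroll(self, card_id: str, balance: int) -> SmartCard:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        self.ledger[card_id] = balance
        return SmartCard(card_id, key)

    def challenge(self, card_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding[card_id] = nonce  # one live challenge per card
        return nonce

    def login(self, card_id: str, response: bytes) -> Optional[str]:
        nonce = self._outstanding.pop(card_id, None)  # each nonce is usable once
        if nonce is None:
            return None
        expected = hmac.new(self._keys[card_id], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        token = card_id + ":" + secrets.token_hex(8)
        self._sessions.add(token)
        return token

    def withdraw(self, token: str, amount: int) -> bool:
        # The server knows only "a card answered a challenge in this session";
        # nothing here distinguishes the holder's request from spyware's.
        if token not in self._sessions:
            return False
        card_id = token.split(":")[0]
        if self.ledger[card_id] < amount:
            return False
        self.ledger[card_id] -= amount
        return True


def demo() -> Dict[str, object]:
    server = Server()
    card = server.enroll("card-0001", balance=1000)

    # Honest login from the holder's browser, then a withdrawal.
    nonce = server.challenge("card-0001")
    response = card.respond(nonce)
    token = server.login("card-0001", response)
    honest = server.withdraw(token, 100) if token else False

    # Spyware that only recorded the exchange: no open challenge, then a fresh
    # one that the recorded response does not match.
    replay_no_challenge = server.login("card-0001", response)
    server.challenge("card-0001")
    replay_fresh_challenge = server.login("card-0001", response)

    # Spyware on the PC while the card is still in the reader: it can drive the
    # card through a complete, valid login and then act inside that session.
    nonce2 = server.challenge("card-0001")
    live_token = server.login("card-0001", card.respond(nonce2))
    spyware_withdrawal = server.withdraw(live_token, 500) if live_token else False

    return {
        "honest_withdrawal": honest,
        "replay_without_challenge": replay_no_challenge is not None,
        "replay_against_fresh_challenge": replay_fresh_challenge is not None,
        "spyware_with_live_card": spyware_withdrawal,
        "balance": server.ledger["card-0001"],
    }


if __name__ == "__main__":
    print(demo())
```

The nonce handling is what makes the first two spyware attempts fail; the third succeeds because nothing in the protocol ties the challenge to an action the holder approved. Closing that gap means getting the action itself, not just an opaque nonce, in front of the holder on hardware the PC does not control: a card with its own keypad and display, as this comment and the credit-card proposal earlier in the thread both suggest, signs the amount and payee it showed rather than whatever the host hands it.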
  33. Re:hard and soft by JoshNorton · · Score: 2, Insightful
    So in Saudi Arabia, if you are caught stealing you will lose your password too! Or do they let you keep your hands after they cut them off?

    And you'd carry them back ... how?

    --
    "Stupid! Stupid stupid stupid stupid! I touched the hot wire right there - I'm an idiot!"