Slashdot Mirror


Biometric Thumb Drives?

osopolar asks: "I work as a security analyst for a 10 billion dollar bank and we are currently looking for biometric thumb drives as emergency backup/recovery solutions for our local branches. We do not have IT people at every branch so the backup must be done by a branch manager, so the device needs to be easy to use. How would you back up information securely? What thumb drives do you recommend?"

5 of 66 comments

  1. er... by fiddlesticks · · Score: 5, Insightful

    You work for a '10 billions dollar' business that can't afford enough IT staff in its branches and gets hardware recommendations from 'ask slashdot'?

  2. With your title by Incongruity · · Score: 5, Interesting
    Were I your employer, I'd be a bit concerned that you're asking slashdot this question....

    No offense really intended, but the question is too vague and too open-ended to really be answered well here and it's that lack of specificity that makes me worry a bit about your qualifications for the position you're in. By all means, please, bring in outside help for any situation that you need advice on -- for the sake of your employer and customers, but slashdot is not the best place for high-quality, industrial grade advice that you should hang your hat, job, and other people's money on. That having been said, what exactly are you trying to back up? How frequently does it need to be done? How quickly? How will restores be handled -- who will do them, when and why? What are the demands of the media? Does it need to be simply stored on site or will it be transported? How (mailing? courier?) Would a networked option work for backing up? If not, why not?

    That's just a start to the questions that are really unanswered (and need to be) for anyone to answer your question "How would you back up information securely?" It sounds like you think a thumb drive will be an acceptable answer to you, but it's unclear why you've settled on that... What makes such a system better than a well-scripted encryption scheme and commodity media (anything from CD-Rs to removable tape or hard disks)?

    Without knowing the specifics, any answer would be incomplete at best, shooting blind at worst...

    1. Re:With your title by halcyon1234 · · Score: 5, Funny
      but slashdot is not the best place for high-quality, industrial grade advice that you should hang your hat, job, and other people's money on.

      Pshaw! Ignore him. I'll get you a good deal on the thumb drives. They're 1GB ones, but they're bulk discounted because the label on the front (and Windows) misreports the size as 16MB. (Since G and 6 are so similar, the isolinear pro-recognization dll doesn't properly link.) To get the biometric security working, you just need to download additional drivers. I can't remember the website offhand, but it ends with .fl. It adds on an additional level of security by co-hashing the thumbprint recognition with a non-alpha numerator string of indetermined length. For the best security, you should use a long number, and one that isn't known outside of the upper echelons of your company. Your expense account credit card number should do.

      Oh, and if your IT guys start spouting off nonsense about "remote access of datadrive contents", you can tell them what's really going on. The thumb drives (courtesy of the additional drivers) use sporadic cross-referenced data layer technology. Whenever the drive is connected to an internet-capable machine, it automatically hides parts of its data throughout the Internet for safekeeping. After all, if the thumb drive gets lost, you don't want all the data to be gone, too? It's an additional security feature. (And your IT guys SHOULD know that, shouldn't they? I mean, they are supposed to be knowledgeable professionals. Unless they lied on their resumes. Better check that out...)

  3. Other Suggestion by Vandilizer · · Score: 5, Insightful

    First off, asking Slashdot is a fantastic idea: you might get an off-the-wall idea to follow or just some good general advice. Being vague might just be a problem with an NDA. Paying someone or going only within your own department, you are only going to get what is familiar, which is not the best answer.

    Now, as for the biometric key drives: in my personal research they do not provide enough protection to secure such data.

    What I would suggest is just a portable USB hard drive, with all the data encrypted using a key generated from the unique serial numbers on the computer and an additional randomly generated number stored on a key such as this one (http://www.marx.com/en/products.php), or just any public key. Each branch could also have one key with the private key to decrypt the data in case they need to recover it, locked in a vault, preferably requiring at least 2 different people to access this key (if you are in a bank as you say, this should not be that hard to arrange), since they would never need this key unless they were doing a recovery. You could also keep one at a central site in case of unforeseen events, or not, but I suspect if they ever lose theirs you would just replace the entire set (though you would have a much bigger problem on your hands, I would think).

    Seeing as their small key has 4kb of storage, using a large key with AES (probably SHA-512, or again whatever tickles you) would keep your data pretty safe, or at least the government would think so.

    The only other thing I would recommend is keeping 2 backups in 2 completely different locations; people do walk off with stuff, or more politely, they misplace things.

    Hope this helps or gives you some ideas, I am just babbling a little from things I have done. Post if you have a question or want to strike up a conversation.

    Enjoy
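
The key handling Vandilizer's comment describes (a backup key derived from the machine's serial number plus a random value held on a hardware token, with two people needed for recovery), as an added example that is not part of the original thread. It goes beyond the comment by splitting the token secret into two custodian shares instead of relying only on a vault; HKDF-SHA-512, the function names and the sample serial are assumptions.

```python
import hashlib
import hmac
import secrets


def hkdf_sha512(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) over SHA-512: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha512).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha512).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_backup_key(machine_serial: str, token_secret: bytes) -> bytes:
    """Derive a 256-bit backup key bound to one machine and one token secret."""
    if len(token_secret) < 32:
        raise ValueError("token secret must be at least 256 bits")
    # A serial number is printed on the case and easy to guess, so it is used
    # only as a salt that binds the key to the machine. All secrecy comes from
    # the random token secret.
    salt = hashlib.sha512(machine_serial.strip().upper().encode()).digest()
    return hkdf_sha512(token_secret, salt, b"branch-backup-v1", 32)


def split_two_person(secret: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: either share alone is indistinguishable from random."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(x ^ y for x, y in zip(secret, share_a))
    return share_a, share_b


def join_two_person(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine both custodians' shares into the original token secret."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(share_a, share_b))


if __name__ == "__main__":
    token_secret = secrets.token_bytes(32)      # constructed; would live on the token
    serial = "SN-CONSTRUCTED-0001"              # constructed sample serial
    key = derive_backup_key(serial, token_secret)
    a, b = split_two_person(token_secret)
    assert derive_backup_key(serial, join_two_person(a, b)) == key
    print("key fingerprint:", hashlib.sha256(key).hexdigest()[:16])
```

The derived key is meant to feed an authenticated cipher such as AES-256-GCM from a vetted library. Because recovery usually happens after the original machine is gone, the serial has to be recorded somewhere other than that machine.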

  4. Where to start... by Zadaz · · Score: 5, Informative
    I'm going to get modded down as "redundant" but this whole thing feels like such an overwhelmingly bad idea I can't think straight.

    1) To answer your question: Trek makes one that doesn't require external drivers. But it's only up to 512k and USB 1.1, and I can't find any indication to see if it actually encrypts the info. (My bet: no)

    2) What kind of "security analyst for a 10 billion dollar bank" are you, and can you be put in a room with the rest of us who are answering this question that we might have a chance to kill you, take your salary and put an untrained monkey in your job?

    3) Or are you just being clever and trolling for answers to a stupid idea your VP had?

    If it's the last one:

    Why Biometric? Biometrics are awful security. Terrible terrible terrible. The only advantage they have is, when it actually works, it works and a person doesn't have to think about it. And that's one of its problems: People should be thinking about security. After that, it's less reliable than passwords (which have a 100% pass/fail reliability) and the whole issue of not being able to change your biometrics. If someone figures out how to fake my thumb, my whole life is fucking over. I can't get new thumbs. (or a new face or whatever). And the other stuff that's been talked about ad nauseam.

    Biometric thumb drives are even worse because anyone who wants what's "protected" on it just has to steal the thing. Given physical access to the device, it's trivial to circumvent the biometrics.

    What information at individual branches is important that needs to be backed up? And why the hell isn't it being done already, and off site? Seriously. You're a "10 billion dollar bank". You should have private data lines between your branches and central computers.

    And lastly, under what circumstances would you want backups done by unskilled people? I mean C'mon. Are you telling me that you don't know that these guys are the weakest link in your security anyway?

    A better security idea would be to automate your backups through your private lines and disable all access to removable media drives in your whole company. Why you'd allow someone to be able to connect a USB drive to a computer that has access to information that needs to be protected makes my nerve endings hurt.