Slashdot Mirror


User: SecurityTheatre

SecurityTheatre's activity in the archive.

Stories: 0
Comments: 537

Comments · 537

  1. Re:Why do we still have passwords??? on What 'Consumerization of IT' Really Means For IT · Score: 1

    Implementing biometric authentication systems is not easy. Sure, you can log into your laptop easily enough, but can that be federated to your SAP solution, or the business intelligence suite in accounting, or the HR suite in marketing?

    Since there are no good standards for federating those services, most often they rely on things like NTLM challenge-handshake authentication, which necessarily requires a password.

    Even if you don't enter the password and have it in some sort of keyring that is only accessed by your biometric swipe, it's still there, and distributing those to end-users is difficult. And what happens when you need to use Bertha's computer because yours isn't working properly? The common corporate directory-based solutions such as Active Directory, LDAP, NetWare, etc., don't support biometric data, necessarily, because there isn't a real standard on how to transmit it. What does a fingerprint look like, on the wire, and what standard defines its description? What is to stop me from intercepting that and replaying it, which is another issue of passwords?

    At current, the biometric systems implement proprietary protocols for handling that. While I would love to see someone sponsor a standard (perhaps there is one I don't know about, I didn't check - it's not well known anyway), there won't be a way to federate those authentication credentials.

    Keep in mind, in an organization, there are dozens of authentications happening for many sessions you use. There are machines establishing token trust with each other, there are services establishing the same. Your computer is talking to probably two dozen servers during a normal work day and they aren't all running the same operating system (usually). In fact, those communications are probably taking place over half a dozen different protocols, depending on what you're doing.

    Kerberos is one option, but is fairly rarely supported and generally requires additional hardware, etc., to implement. I'm sure there are others, but the point is that it's a very difficult problem and is most economically solved by maintaining the status quo. Of course, if you have lots of money and expertise and the ability to custom design all of your various software services, you can implement anything you like from SAML to Kerberos, to OpenAM, etc. Making it work is another issue.

    Additionally, commodity fingerprint scanners suck. Go check out the mythbusters on that topic. :-)

    There are still huge hurdles to having the good technology. Sure, we can say "well fuck, why don't we make it?" but it just hasn't happened yet, so the IT staff has a limited subset of tools they can play with and passwords

  2. Re:Uhh.. cost? on eBay Deploys 100TB of SSDs, Cuts Rackspace By Half · Score: 1

    Keep in mind, they're likely running parallel RAID configs to maximize throughput, meaning something like RAID 1 or RAID 5-1 or some other proprietary method that may provide only 1/3 or 1/5 the usable capacity in order to get the throughput required.

    In fact, since these drives can theoretically be about 50x faster in random-seek reading of data, you could actually say that per the throughput AND size, they're actually cheaper than a comparably capable array of spinning discs.

  3. Re:Such is the price of public records... on Mug-Shot Industry Digs Up Your Past, Charges You To Bury It · Score: 3, Interesting

    Hmmm..

    What of this?

    http://florida.arrests.org/Arrests/Daniel_Ulmaniec_5474799/?d=1

    By the charges, I'd guess he broke a window and stole an Xbox.

    Pretty harsh to have the lifetime scarlet letter in the name of community data rights.

  4. Re:Such is the price of public records... on Mug-Shot Industry Digs Up Your Past, Charges You To Bury It · Score: 4, Interesting

    Most Scandinavian countries have strict rules about privacy of individuals, although criminal records are freely searchable by those with a need to know. Really any need to know is fine, but if it is determined later that you lied, you are in big trouble.

    Seems alright. "Applying for a job" is sufficient need to know. So is a press pass. You get access.

    "Scraping 10 million records" is not. You get a fine and are liable in civil court for breach of privacy.

    Seems very simple.

  5. Re: I love this on Limits On Growth of Energy Use and Economies · Score: 1

    While his initial statement is ill-informed, the general principle that a debt-based fiat system MUST be powered by continual growth is accurate...

    Since continual exponential growth is theoretically impossible, the system IS broken.

    How and when that must be resolved is still an open question. I suspect that economic "corrections" will continue to get worse until it becomes apparent that long-term growth has ceased. Perhaps it will all resolve itself in a series of massive debt-forgiveness programs, or somesuch, before transitioning to a steady-state system.

    It sure would eliminate a lot of potential discomfort if we just decided to do it ourselves and began studying and implementing systems that are more tolerant to economic stagnation.

  6. Re:No One on Limits On Growth of Energy Use and Economies · Score: 1

    Energy is something definable by a physicist. He can write an equation that establishes hard bounds without making assumptions about quantities of reserves and things. He's not predicting the end of the world, merely wondering what are the implications of assuming current trends will continue.

    I find it telling. But I prefer his article about economic growth on the same slant. We have averaged 2-5% annual economic growth for 500 years. It cannot continue. Each year, a smaller fraction of the economy is comprised of "direct action", meaning that more and more economics are simply "created" with things like services, intellectual property, interest payments, etc. Within the next 100-200 years, some massive fraction (90%) of the economic activity would have to consist of non-physical (non energy consuming) activities, which is impossible. If that were the case, energy would be "nearly free", as would all other physical goods like food.

    From a rational standpoint and combining it with knowledge of food distribution, energy scarcity, resource limitations, etc., it's impossible. So the conclusion is that we simply cannot sustain 5% annual growth anymore.

    However, a fiat currency system based on interest payments and loans simply cannot exist without growth. Therefore, the system will begin to self-correct. Periods of growth will be weaker, periods of decline will be stronger and the system will collapse spectacularly, repeatedly.... until a new economic model, based on a steady state, is developed.

    There currently exists no tested model of this, except what was used during the middle ages, which is subsistence bartering in geographically isolated societies...

  7. Re:He's mentioned everything except on Living In an Unsecured World · Score: 1

    You can't educate willful indifference.

    Users KNOW they should have strong passwords, but consistently, in my security audits of big companies without technical controls in place to prevent it, 30% or more of passwords are crap like "master" and "cookie" and "god".

    I'm not kidding. People DON'T see value. Even if they do, they think... "well, everyone needs to do that, but I am special". It's human nature.

    Security is about fixing human nature, which is why it's so damn hard, and sometimes appears irrational and painful.

    OF COURSE that's the right solution, but it's just going to reduce the problem, not fix it.

  8. Re:Stop makeing us change passwords each month or on Living In an Unsecured World · Score: 2

    Listen, I do computer security audits and penetration testing and we break into 90% of the companies we attempt to break into. The simple fact is that password complexity and password changes are probably the #3 biggest risk in the enterprise, aside from simple patching and configuration/hardening issues.

    Through a combination of techniques, we are able to obtain password hashes of various values. Frequently these are cached values. If you've ever logged into a windows workstation on a domain, your password is stored in a cached hash format on the system and that's what we consider a high value find, because we can run those through crackers very quickly to determine the result. Frankly, the first password you supplied is reasonably strong and would take a few days to crack if your attacker/tester was relatively skilled, the second would be picked up in the first pass after only about 10 minutes of a decent cracking system.

    Changing passwords is an important part of keeping these caches from persisting in the long term. I can often tell how often password changes are forced, by looking at the number of valid cached credentials we obtain on the first batch of penetrated systems. Shops that require frequent password changes mean that 60-80% of our cracked cached credentials are going to be invalid (but we will see if there is an obvious pattern, like incrementing the digits by 1). Often we only get one set of valid credentials per machine, and it's for the user of that machine, which is almost inconsequential, since we could impersonate him anyway with the domain security tokens. But in a place with no password changes, or those that happen less than every 3 months or so, the value of those cracked credentials increases greatly.

    Since security is a game of layering protections, it seems a rational thing to do. I recommend 60 days, rather than 30 days, however, simply for the convenience.

  9. Re:This Is The Wrong Way, Period. on Living In an Unsecured World · Score: 2

    Well, considering that remotely-exploitable network-stack-level overflow vulnerabilities are almost completely gone, either the programming techniques have improved, or these technologies are helping.

    I would like to point out that the pervasive attitude at Sony seemed to be one of "well, nothing is perfect, so we don't need to spend too much money doing our best".

    On the other hand, building a secure OS from the ground up IS the right approach, and I'm sure Mr Miller would agree, but the simple fact is that IT WON'T HAPPEN (yes, all caps). Functionality is the driver, not security. Security necessarily has to be an afterthought, simply for the business reality that many people approach the problem in the same vein as the recent post about iPads "consumerizing" IT. Business people still pay the bills.

    So we take these approaches at making *better* security out of commodity products, rather than deconstructing everything and coming up with a completely new model that places security first.

    Remember, too, that thus far, the high end pulls the low end along. So those people who need bleeding edge performance, be it database administrators, gamers, 3d modeling, etc... they tend to drag the desktop market around in terms of technology and software support, so you have to find a model to appease them and their needs in order to have your mythical "secure OS" project get off the ground.

  10. Re:I'll field this one. on What 'Consumerization of IT' Really Means For IT · Score: 1

    I have conducted user training on password complexity.

    Then I did a password audit a few months later and the percentage of users using "password123" or a permutation of that had declined from 20% to 18%.

    Disempowering them was, unfortunately, the only effective solution.
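Comments 7, 8 and 10 above describe weak passwords such as "cookie" or "password123" variants surviving user training, and the "increment the trailing digit" rotation pattern. The following is an added example, not the commenter's code, of the kind of technical control comment 7 says was missing: a password filter that normalizes a candidate, rejects banned base words, and flags trivial rotations. The banned list and the sample batch are constructed for the example.

```python
import re

# Banned base words, constructed for this example from the ones the comments
# quote ("master", "cookie", "god", "password123"); a real filter would load a
# large breach-derived list instead.
BANNED_BASES = {"password", "master", "cookie", "god", "welcome", "letmein"}

# Common leet-speak substitutions users apply to dodge naive blocklists.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to its base word: drop trailing symbols/digits and
    leading digits, lowercase, then undo leet-speak ('P@ssw0rd123!' -> 'password')."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    stripped = re.sub(r"^\d+", "", stripped)
    return stripped.lower().translate(LEET)


def check_password(password: str, min_length: int = 12):
    """Return a rejection reason, or None when the candidate passes the filter."""
    base = normalize(password)
    if base in BANNED_BASES:
        return f"banned base word '{base}'"
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    return None


def _without_trailing_digits(password: str) -> str:
    return re.sub(r"\d+$", "", password).lower()


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when 'new' is 'old' with only its trailing digits changed (the
    'increment the number' pattern). Assumes both plaintexts are known, as in
    an offline audit comparing successive batches; a live filter only sees 'new'."""
    return _without_trailing_digits(old) == _without_trailing_digits(new)


def weak_fraction(passwords):
    """Share of a batch that fails check_password, for audit-style reporting."""
    flagged = sum(1 for p in passwords if check_password(p) is not None)
    return flagged / len(passwords) if passwords else 0.0


if __name__ == "__main__":
    # Constructed sample batch, not real audit data.
    batch = ["Password123!", "P@ssw0rd1", "cookie", "g0d", "Tr0ub4dor&3",
             "correct-horse-battery-staple", "Summer2013", "Summer2014"]
    for p in batch:
        print(f"{p:30} -> {check_password(p) or 'ok'}")
    print("trivial rotation:", is_trivial_rotation("Summer2013", "Summer2014"))
    print(f"weak fraction: {weak_fraction(batch):.2f}")
```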

  11. Re:Heat Sink on Limits On Growth of Energy Use and Economies · Score: 2, Informative

    Press release?

    Our energy production has risen some percentage every year. That is exponential by definition...

  12. Re:It doesn't seem strange at all on NSA Hiring At Black Hat · Score: 1

    Defcon is more akin to ComicCon... BlackHat is where the real industry heavyweights come out...