Slashdot Mirror


User: JackAsh

JackAsh's activity in the archive.

Stories: 0
Comments: 56

Comments · 56

  1. One response pro-biometrics on Fun with Fingerprint Readers · · Score: 5, Informative

    I'm a Security Consultant and I'm currently working on purchasing and installing some Biometrics authentication system at my company. This probably makes me biased towards Bio, but at the same time, it also means I've been studying and contemplating the issue for some time now.

    Biometrics, like any other system, has its flaws. Schneier himself points out in a previous article "Biometrics is a unique identifier, not a secret". And now it doesn't even appear to be a unique identifier. So what gives?

    What gives is that it's quite possibly the best system around, at least when compared to all the others. What are your alternatives? Passwords? Digital Certificates? Smart (dumb) cards? SecureID tokens? None of these are as unique to a user as a Biometric is. As a matter of fact, NONE of these are unique to a user - Certs are unique to the computer or card they reside on, the cards and tokens are physical objects that anyone can have, and finally your password everyone knows because you wrote it on a Post-It(TM) note on your monitor (or under the keyboard or tape dispenser).

    Now, that doesn't mean you can blindly put a Biometrics system in place and call it a day. Installing and setting up Biometrics requires thought, consideration and risk analysis.

    To answer some of the fears, no, most Biometrics databases don't give you anything when compromised. Why? Because they don't store the biometric. They merely store minutiae from the sample. These can be loosely defined as a series of data points illustrating some of the salient features of the biometric registered. If it's your fingerprint, the database merely contains a bunch of vectors illustrating where the most important ridges and forks and such are on your print. THIS INFORMATION IS NOT ENOUGH TO RECOVER THE PRINT. It's not encryption, it's processing (the database might be encrypted, though). While you could potentially create a Biometric from the minutiae (assuming you understood the data format and what it describes) that fooled the algorithm the minutiae were sampled from, your "faked" fingerprint would not fool a different algorithm.

    Regarding anonymity, it will still exist. Nobody will stop you from going to the ATM and picking up cash before you head to the store to get the Goatse man's greatest gaps volume 16.

    Anonymity needs to exist, but so does liability and responsibility. That ever-necessary anonymity will continue to exist, and you will probably be able to get it just as well as you can now. The difference is you will not be able to erase yourself and get away from your previous responsibilities/liabilities. The two are different concepts.

    As for the "identification" issue with Biometrics, allow me to illustrate one simple point - most commercial Biometric fingerprint systems have a false acceptance rate of 1 in 100000 at most. Any decently sized organization compiling Biometric data will probably register a heck of a lot more. Identifying a user in a big population from a random biometric sampling is a data processing nightmare - that's why that whole Visionics video-camera-at-stadium thing sucked so bad. Biometrics however are really good for saying "My name is John Doe, and here's a fingerprint (or two) to prove it". Or, at a company case "my userid is jdoe and here's my fingerprint to prove it".

    This problem is the identification (finding user in a population) versus authentication (verifying a claimed ID) problem, and it's much discussed in Biometric literature. God knows I've had to preach this one out about 600 times in the past few months when meeting with different departments.

    So it really comes down to implementation, and alternatives. You can have your money tied to a credit card number, and when someone finds the receipt you threw away they can impersonate you at Amazon.com until the next bill arrives. Or, you can have it tied to your card, but need a fingerprint to access the card. The idea is enhancing, not necessarily replacing.

    As a lot of you have heard, authentication/verification systems usually work with something you know (password, pin), something you have (token, smart card, mag card) or something you are (biometric). The best systems use all of the above.

    Even then you still need to figure out your risk scenario. For your average office building with access controls at doors and other entry points a system asking for "userid" and "biometric" will probably be good enough. If you're running a DoD installation with nuclear weapons, I expect a system with ID check, Smartcard, 10 fingerprints, retina scan and password will be necessary (I hope).

    Finally to address this cool gelatin crack - this is neat stuff. I'm glad to see that people are coming up with potential attacks - it makes the developers of this stuff work even harder to create systems that can't be fooled. The latest capacitive sensors I've seen might not even be fooled by this - they claim they read the second or third layer of skin, not the external one. But even if it does fool them, it won't in a few months.

    Remember, biometrics are not your enemy - if anything they help keep your privacy stronger by providing better control of who gets to pretend to be you (imagine your PGP keys being protected by a passphrase AND a fingerprint or two). There will always be issues with this or any other system - I just can't think of one that will be better than a properly implemented Biometric system.

    -Jack Ash
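    The identification-versus-authentication point in the comment above comes down to how a per-comparison false acceptance rate (FAR) scales. The following is an added example, not part of the original comment: it takes the comment's "1 in 100000" FAR and shows why a 1:1 verification ("my userid is jdoe, here's my fingerprint") stays at that rate while a 1:N search over a large enrolled population quickly becomes almost certain to return at least one wrong candidate. The population sizes and the 1% target are arbitrary illustrations, and the independence-of-comparisons assumption is a simplification.

```python
import math

# Added example (not from the original comment). FAR follows the comment's
# "1 in 100000"; population sizes and the 1% target are arbitrary choices.


def verification_false_accept_prob(far: float) -> float:
    """1:1 verification: an impostor claiming one identity gets exactly one
    template comparison, so the chance of being wrongly accepted is just the
    per-comparison FAR."""
    return far


def identification_false_match_prob(far: float, population: int) -> float:
    """1:N identification: the probe is compared against every enrolled
    template. Treating comparisons as independent (a simplifying assumption),
    the chance that at least one non-matching template is wrongly accepted is
    1 - (1 - FAR)**N, which approaches 1 once N grows past about 1/FAR."""
    return 1.0 - (1.0 - far) ** population


def expected_false_matches(far: float, population: int) -> float:
    """Mean number of wrong candidates a single 1:N search returns."""
    return far * population


def max_population_for_target(far: float, target: float) -> int:
    """Largest enrolled population for which a 1:N search keeps the probability
    of at least one false match at or below `target`."""
    return math.floor(math.log(1.0 - target) / math.log(1.0 - far))


def main() -> None:
    far = 1e-5
    print(f"1:1 verification false-accept probability: "
          f"{verification_false_accept_prob(far):.6f}")
    for n in (100, 10_000, 100_000, 1_000_000):
        p = identification_false_match_prob(far, n)
        e = expected_false_matches(far, n)
        print(f"1:N identification, N={n:>9,}: "
              f"P(>=1 false match)={p:.4f}, expected false matches={e:.2f}")
    print(f"Population that keeps P(false match) <= 1%: "
          f"{max_population_for_target(far, 0.01):,}")


if __name__ == "__main__":
    main()
```

    With FAR = 1e-5, a population of 100,000 already gives roughly a 63% chance that a blind 1:N search accepts someone it should not, and at a million enrolled users the search is expected to return about ten wrong candidates; keeping that probability under 1% limits the searchable population to about a thousand. That is the data-processing problem the comment describes, and why pairing a claimed userid with the biometric turns it back into a 1:1 check.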

  2. Only up to the cost of the software sale... on Why Use Free/Open Source Software? · · Score: 2, Interesting

    Working in security, I've been thinking about a similar line as Schneier for a while. Liability is what makes business go round. Software companies need to be held accountable for their mistakes, and made to pay.

    But how do we protect some dude who simply sent some code out into the open for free from a lawsuit for millions of dollars in damages because of a bug he made? Simple:

    Software companies are only liable for the software up to the amount paid for the software. In other words, if I download RedHat v11.2 and a bug within Sendmail 17 gets my machine r00t3d and my data lost it's my fault.

    But if I paid $759.95 for the Datacenter version of the same and am supposed to be getting support I'm damn well getting my money back.

    This would at the same time promote free software and guarantee the quality of software we all pay for. Of course there have to be limitations, and other such things, such as necessary registration for locating you to publish fixes. If a customer is notified and sent the patch and still they don't apply it, I mean, at least there was a good effort on part of the company. That could be money off the final lawsuit, or something like that.

    Just imagine - my company buys one box of RH and pays $70, therefore RH is only liable for RH. My company buys a site license for Windows for a million, and Microsoft is liable for a million. Talk about a nice incentive.

    -Jack Ash

  3. WARNING: POSSIBLE TROJAN OR HOAX!!! on X-Box Emulated (Not) · · Score: 3, Redundant

    I just downloaded it and tried to run Halo, no luck. I meet the published reqs: P3 1Ghz, GF3, SbLive, WinXP, 512MB ram, DVD player, so there's no reason for the software not to work. The program didn't even attempt to access my DVD drive.

    Running strings on some of the files revealed a bunch of QuakeIII/Team Arena/Wolfenstein strings, and on another of the files a whole bunch of Microsoft Messenger/Trillian stuff.

    This made it appear as though the software was a hoax of some type, and some of the files were just filler.

    I tried logging connections at my Linksys while running the software but didn't see anything going on. At all.

    I'd suggest to every interested party that they download the software - just in case it is proven to work later and Microsoft goes ballistic and forces people to take it down - but don't run it until someone posts a proper disassembly of the program. Please also keep in mind where this is coming from - some random site in Russia. Not to say anything bad about our frozen neighbors, but there's been a lot of scams from that area.

    Caveat Emptor.

    JackAsh

  4. Security Cameras? on Large-Scale Video Archiving? · · Score: 1

    Judging by your comment that the cameras are black and white, I'm going to take a random guess and assume they are security cameras.

    I unfortunately do not work in Physical Security, but I have managed to visit my buildings' security room. We use a system that stores video from 16 high res cameras to what is essentially a PC with a 30GB hard drive.

    When I heard this I figured that if Tivo could store 30 hours from one video source, this would be two hours of video, and quite useless. Guess again. The software uses a pretty smart motion detection algorithm that reduces the cameras to 1 or 2 frames per second when there is no on-screen movement. The sensitivity is arbitrary - watch out for cameras focusing on monitors, the scan line refresh rate will trigger the movement sensor :). The system will even alert you if there is usage at night, or other prespecified hours. The upshot is you can get about 30 days worth of video, replayable on demand, through a system like this.

    I'm sorry I do not remember the name of the vendor, but with your kind of system and a thousand cameras I'm sure you can do some of the research yourself. Good luck,

    JackAsh

  5. Code Red on Slashback: Quiesence, Jazz, RAND · · Score: 3, Redundant

    Code Red is dead baby, Zed is I mean Code Red is dead. Actually, I run the intrusion detection system at my company, and I can say that CodeRed v2 is all but gone (the decompile did say it would die in October - http://www.incidents.org/react/code_redII.php 3/4 down the page, "Infection Process"), however CodeRed v1 still knocks occasionally (we get 2 to 3 hits a day). Nimda is something else, it keeps hitting at about 10~20 per day.

    Jack Ash
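    The per-day worm hit counts in the comment above are the kind of thing a simple log classifier produces. The following is an added example, not part of the original comment or of any IDS product: it parses constructed Common Log Format lines and tallies hits per day by worm family, using the widely documented probe strings (the original Code Red padded its /default.ida request with "N", Code Red II with "X", and Nimda probed for root.exe and traversal paths to cmd.exe). It assumes the comment's "v1" is the N-padded original and its "v2" is Code Red II as described on the linked incidents.org page; the IP addresses, dates and status codes in the sample are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample web-server log lines (Common Log Format); not real captures.
# Request strings follow the publicly documented probe patterns of each worm.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2001:08:12:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 0
10.0.0.7 - - [03/Oct/2001:09:30:44 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
10.0.0.7 - - [03/Oct/2001:09:30:45 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.0.9 - - [03/Oct/2001:11:02:10 -0400] "GET /index.html HTTP/1.1" 200 1532
10.0.0.8 - - [04/Oct/2001:01:15:22 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 0
10.0.0.7 - - [04/Oct/2001:02:00:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.0.9 - - [04/Oct/2001:02:30:00 -0400] "GET /about.html HTTP/1.1" 200 820
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Family name -> pattern matched against the request path. Order matters only
# in that the first match wins.
SIGNATURES = [
    ("CodeRed", re.compile(r"^/default\.ida\?N+")),     # original worm: N padding
    ("CodeRedII", re.compile(r"^/default\.ida\?X+")),   # Code Red II: X padding
    ("Nimda", re.compile(r"root\.exe|/winnt/system32/cmd\.exe", re.IGNORECASE)),
]


def classify_request(path: str):
    """Return the worm family whose probe signature matches `path`, else None."""
    for family, pattern in SIGNATURES:
        if pattern.search(path):
            return family
    return None


def parse_line(line: str):
    """Parse one CLF line into a dict with ip, day (ISO date), path and status.
    Returns None for lines that do not parse, so junk never aborts the run."""
    m = CLF.match(line)
    if not m:
        return None
    # Drop the timezone offset; only the calendar day is needed for the tally.
    stamp = m.group("ts").split(" ", 1)[0]
    day = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S").date().isoformat()
    return {"ip": m.group("ip"), "day": day,
            "path": m.group("path"), "status": int(m.group("status"))}


def hits_per_day(log_text: str) -> Counter:
    """Count matching probes keyed by (day, family)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify_request(rec["path"])
        if family:
            counts[(rec["day"], family)] += 1
    return counts


def sources_per_family(log_text: str) -> dict:
    """Distinct source addresses seen probing, per family; useful for judging
    whether the daily trickle is a handful of hosts or a broad sweep."""
    sources: dict = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify_request(rec["path"])
        if family:
            sources.setdefault(family, set()).add(rec["ip"])
    return sources


def main() -> None:
    for (day, family), n in sorted(hits_per_day(SAMPLE_LOG).items()):
        print(f"{day}  {family:<10} {n}")
    for family, ips in sorted(sources_per_family(SAMPLE_LOG).items()):
        print(f"{family:<10} sources: {', '.join(sorted(ips))}")


if __name__ == "__main__":
    main()
```

    The 404 status on every probe in the sample is the expected outcome on a server that does not run IIS: the tally is a measure of background infection on the Internet, not of compromise, which is exactly how the comment uses its daily counts.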

  6. Correction to the above - KQ4 was first sound game on Slashback: Subterfuge, Rejoinder, Caution · · Score: 1

    Actually, Space Quest IV was not the first Sierra game to use sound. King's Quest IV was (The Perils of Rosella). Sierra almost single-handedly created a market for sound cards by supporting the Roland MT-32 and the Adlib music cards with it.

    In response to some other messages, the Sound Blaster was predated by the Game Blaster, a.k.a. Creative Music System (I had one). As many people have pointed out, that card used crappy AM synthesis, and the Adlib sounded much better with FM synthesis. Then Creative came out with the Sound Blaster, which emulated the Adlib, the CMS (initially at least, later optional), and had the DAC that permitted it to play recorded samples (anyone remember the .VOC format?) It also had basic voice synthesis.

    (Hello, my name is Dr. Sbaitso. I am here to help you. Please state whatever is on your mind freely. Our conversation will be kept in the strictest confidence. Memory contents will be erased right after you leave. So, tell me about your problems.)

    Space Quest III, released shortly after KQ4, was the first game to incorporate sound samples in its design, although they were there unofficially - Sound Blaster support was added way AFTER the release. Play the game again, and during the intro sequence, when Roger wakes up, he states "Where am I?". When I heard that a few years after I played the game I nearly flipped. I couldn't believe it had been there all along! Apparently Roberta Williams wasn't too thrilled the Space Quest guys had done so much more with the sound system than she had for KQ4, she said she didn't even know that was possible when she made her game.

    Boy I feel old.