Friday, 10 September 2004

Interestingly, in an article by the Associated Press posted on the Security Pipeline web site, Microsoft is quoted as saying that their new biometric authentication products, which I posted about the other day, should not be used for securing important/sensitive data or networks:

"Curiously, Microsoft warns that the Fingerprint Reader shouldn't be trusted to secure access to corporate networks or to protect sensitive data, such as financial information.

"Basically, the company says it's about convenience, not security. That seems to rule out password-protected Web sites for credit cards, utilities, banking and others for which I might want to be spared having to remember and type a litany of passcodes."

Hmmm, well I guess I probably won't be ordering any of these to evaluate for work, then. :-) Maybe at home though. From the review, it appears they work well and that they passed the Silly Putty test, which is good. Despite Microsoft's advice regarding use of the equipment, I'll look forward to getting my hands on one of the devices to try it out for non-critical purposes.



Sunday, 12 September 2004 11:49:05 (Pacific Standard Time, UTC-08:00)
sorry this is OT... but what does it mean to pass the 'silly putty test'. I've heard that on occasion, but I don't quite know what it means. I looked around for a definition... but my theory is if it takes more than 5 minutes to research, ask someone who knows....

thanks
fonzaloon
Sunday, 12 September 2004 12:08:48 (Pacific Standard Time, UTC-08:00)
Not OT at all. The Silly Putty test refers to using Silly Putty or a similar material to reproduce the fingerprint mechanically. The idea is if you can get the print pattern in the Silly Putty, you can use the reproduction to fool the biometric device into thinking it's actually your finger (or worse that someone else could potentially use your fingerprint that way).

That's one reason that retina scanning is a highly-regarded biometric method by the way - hard to make a silly putty replica of the inside of an eyeball (although I imagine where there's a will, there's a way).

You'll have to scroll down on this page (although the whole story is interesting), which provides lots of great detail about the Silly Putty Test:

http://www.dansdata.com/uareu.htm

A formal paper on the subject here:

http://cryptome.org/gummy.htm

Silly Putty is a registered trademark of Binney & Smith, by the way:

http://www.sillyputty.com

:)
Tuesday, 26 October 2004 17:51:15 (Pacific Standard Time, UTC-08:00)
I bought the Microsoft fingerprint scanner (same as the the other day. I *LOVE* it! I have accounts on so many different websites (arstechnica, deviantart, slashdot, hotmail, gmail, nytimes, you get my point) and they all have different password requirements. I'm not stupid. I don't expect this to provide real protection against a h4x0r or anything (that's what PGP is for). All I want is something to remember my passwords for all these places so I don't have to. I use it to log on my home pc & so does my roommate. We have a lot of people over that use our computers. It's a great way to keep his g/f or anyone else from "somehow" being on my account. Oh, and wtf would anyone have a silly putty copy of my fingerprint? But then again, if somebody's got a way to bypass this using the way Dan described then I can almost guarantee they're smart enough to get past microsoft's weak ass security anyways.

audio aaron