Cheap GPUs render strong passwords useless

  • #16
    Originally posted by Asher View Post
    There's also the security question process. All of my banking sites now require I answer one of 5 or more security questions I set up before gaining access to the system. Stuff like "What was your first job?"
    I truly hate this practice. It's like the password recovery options on most sites that only give you a handful of generic questions that could be easily guessed based on publicly known data. I stopped using a bank not long ago because they did this and the hardest question they could come up with was "what was your high school mascot?".
    "In the beginning was the Word. Then came the ******* word processor." -Dan Simmons, Hyperion



    • #17
      I give fake answers to those questions - ones that I'll be able to remember but that other people aren't likely to guess. "What street were you born on?" "Zim-Zam O'Pootertoot"
      <p style="font-size:1024px">HTML is disabled in signatures </p>



      • #18
        If your drive isn't encrypted, the password isn't worth anything if your physical access is compromised. TPM's pretty tough to crack if you do have encryption, though. But at the end of the day, you may as well assume a stolen drive = stolen data.
        If there is no sound in space, how come you can hear the lasers?
        ){ :|:& };:



        • #19
          Originally posted by Jon Miller View Post
          In Europe I have a little item, where I have to put in my card + password and a pass number (generated every time I need to get the number) and then I send the number onto the site.

          It should be time dependent, but maybe not. But if it is... it requires a number in memory, a physical card in my possession, a specific time, a specific number, and a special apparatus.

          JM
          That's pretty much the direction things should go in general, although it's also what was used in the Lockheed/RSA mess.
          "In the beginning was the Word. Then came the ******* word processor." -Dan Simmons, Hyperion



          • #20
            I use a portable browser located on an encrypted partition, so if anybody steals my laptop they won't have access to my cookies or saved passwords.
            <p style="font-size:1024px">HTML is disabled in signatures </p>



            • #21
              Also, fingerprint scanners are awful. Facial recognition is worse. Just hold a photo of the person up to the webcam, bam, you're in the computer. Fingerprint scanners--a bit trickier, but if you have gel and a fingerprinting kit you can get into those pretty easily too.
              If there is no sound in space, how come you can hear the lasers?
              ){ :|:& };:



              • #22
                I remember some researchers fooling fingerprint scanners with silly putty. Let me see if I can find the article.
                <p style="font-size:1024px">HTML is disabled in signatures </p>



                • #23
                  <p style="font-size:1024px">HTML is disabled in signatures </p>



                  • #24
                    Vein maps
                    "In the beginning was the Word. Then came the ******* word processor." -Dan Simmons, Hyperion



                    • #25
                      Also, no one with government security clearance should use fingerprint scanners. You have to get a ****ing fingerprint set made when you get the clearance. It's not that hard to bring up someone's fingerprints if you have access to a cop's computer.
                      If there is no sound in space, how come you can hear the lasers?
                      ){ :|:& };:



                      • #26
                        Iris scanners are much more reliable, because the iris pattern doesn't change during a person's lifetime and is unique. The problem is that an iris scanner does not include a liveness test, because an iris from a severed eye looks the same as an iris from a living eye. However, it's possible to combine the iris test with a retinal scan; retinas are not as accurate as irises because the capillary pattern can change during somebody's lifetime (capillaries break and new capillaries are formed), but a retinal scan can include a liveness test - check to see if blood is pumping through the capillaries.
                        <p style="font-size:1024px">HTML is disabled in signatures </p>



                        • #27
                          You could also rip out the sensor and replace it with something that sends data that will fool the computer. Ultimately a biometric scanner is just a complex way of entering 1's and 0's.
                          If there is no sound in space, how come you can hear the lasers?
                          ){ :|:& };:



                          • #28
                            That's relatively easy to protect against - if the connection to the sensor is ever cut then the alarm goes off.
                            <p style="font-size:1024px">HTML is disabled in signatures </p>



                            • #29
                              Originally posted by loinburger View Post
                              That's relatively easy to protect against - if the connection to the sensor is ever cut then the alarm goes off.
                              Not if it's a laptop. Remove the battery and coin cell. You can't make a fail safe for that.
                              If there is no sound in space, how come you can hear the lasers?
                              ){ :|:& };:



                              • #30
                                Likewise a cryptoprocessor is surrounded by a wire mesh - if a wire is cut then the processor wipes its memory. The danger is that SRAM (which is what's typically used to store the keys) retains its charge for quite a while if subjected to a very low temperature, so the danger is that somebody is going to dunk the cryptoprocessor in liquid nitrogen, destroy its battery, extract the memory, and read off the data before the SRAM loses its charge; without a battery the cryptoprocessor can't detect that its mesh is being cut and also doesn't have the power to wipe its memory. The solution is to include an environmental sensor that will wipe the memory if the temperature gets too low, but that makes it difficult to transport cryptoprocessors and also means they're not suitable to extreme environments. But, such is life.
                                <p style="font-size:1024px">HTML is disabled in signatures </p>
