March 27, 2006 | Comments: (0)
Thumbs down for biometric security
Authenticating users to computer systems via biometric technologies may be the rage with some, but it certainly does not have unanimous backing.
Author and enterprise systems consultant Ted Neward, serving on a panel at TheServerSide Java Symposium in Las Vegas on Saturday afternoon, pointed out that even biometric systems are not foolproof.
Neward said if someone steals his password, he can always get a new password. The same type of functionality is not offered with biometric systems, he pointed out.
"What if somebody gets the digitized representation of my thumb? Do I go out and get a new thumb?" he asked.
USB key-based security is preferable, Neward said.
Also during the session, panelists noted that security is not a glamorous subject for developers.
"Security is bloody boring," said Jeremiah Grossman, founder and CTO of WhiteHat Security.
"Security is just the most boring thing. What happens when something's secure? Nothing," Jeremiah said.
Neward also questioned Microsoft's Passport security system, saying it would have user information stored with the most attacked company in the world. But he applauded Microsoft's focus on security in the development process.
"They've mandated that their developers go through security training," and the company enforces security reviews, Neward said. Open source projects do not have these same requirements, he said.
Panelists also discussed the current phishing issue. As more history and consciousness grow around phishing, these schemes will lose their effect, Neward said.
Panelist Justen Stepka, an author and technologist affiliated with Authentisoft, said the issue of security must be addressed at three levels: the network, code and the social level. All three pieces together comprise a proper solution, he said.
Posted by Paul Krill on March 27, 2006 09:50 AM

- COMMENTS
What is your take on authentication? With all the online banking security frenzy and the laws mandated by Federal regulators now requiring banks to strengthen security for Internet customers-- do you think the market is too crowded? I don't want to stop banking online, but I also want some sort of guarantee that my funds will be safe, without the fear of having to sacrifice a thumb.
Posted by: Linsey Krauss at March 27, 2006 10:37 AM
Having had my ATM card fraudulently reproduced once and used in Israel (where I've never been), I'm a little bit sceptical of online banking. But I don't actually do any banking online.
On the other hand, I've done my taxes and used my credit cards online for years with no problems. So it's a mixed bag for me.
Biometric devices do not only use thumbs to authenticate a user. There are also retinal scanners and voice recognition. But then again, that might just mean you'll lose your tongue and eyes. There's no foolproof security method, since technology only takes it so far, so another alternative would be to use multi-factor security.
Posted by: Antonio Victor at March 28, 2006 09:58 AM
The whole point of security is to slow the person down, not give them the whole farm and say "well, I'm just going to put a massive door here you can't get through." There is always a way in the system and if that massive (biometric) door breaks down you're in large trouble.
We are not invulnerable unless we live forever. Think of a castle and how it usually has a multi-tiered outer wall system. It slows down the attackers enough so they can be dealt with but never stops them completely alone. That's your job through hiding the password etc. So it's a time factor in order to have more time than the intruder to stop him from coming in. You have the advantage because of the system he's trying to attack. Like with open source there are usually more walls put up I think. Otherwise you're just marked for death. They're attacking your person instead of just a code etc. Real creepy. Say someone needs to hack a system for some emergency reason across national lines. Who is going to kill that person for the info or completely steal that person's identity.
This is just silly as the movie 'Minority Report' already warned about this. Why do we make films like this for our own personal enjoyment or to help us too? People should heed more warnings from famous books and films.
There is a technology, Light Emitting Sensor, that is now available by our company Integrated Biometrics, that will not work unless the fingerprint is presented by a living human being with a pulse. It does not require a password, it is a USB connected device and can be an enterprise level solution. The spoof that happened in National Treasure will not work on our physical and logical product. www.integratedbiometrics.com See for yourself.
Posted by: Charles at March 29, 2006 04:23 PM
Biometrics may not be perfect. Does anyone really think passwords are?
I've done enough security work to know all too well the limitations of password based security. Yet 99% of all authentication systems are based on an account/password challenge.
Let's give biometrics a chance. The security world badly needs some new tools and implementations in this area.