On Wed, 19 Dec 2007, Larry Seltzer wrote:
Personally, if I were designing a database to store biometrics I would authenticate it with biometrics. And I really doubt they would allow the notebooks to update the central database from the field.
I'd authenticate it to a level I'd feel comfortable with; biometrics may be one of the tools I'll choose to put into my design, but I won't buy a biometrics system, I'd fit it into my whole process.
And no, that authentication naturally won't be done against the database it authenticates entry into. Trusting trust, separation.
I didn't read the discussion, what was it about?
Gadi.
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]

-----Original Message-----
From: Steve Kalman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 19, 2007 8:01 AM
To: Larry Seltzer
Subject: Re: [funsec] This is scary

If the laptop can be used to update the database, its operator could put bad-guy biometrics (DNA/fingerprints) on file under your name. Have fun explaining that to the SWAT team at your door.

However, good vs. bad in these issues is all about risk management. NO solution will be perfect. The question is whether the benefits outweigh the monetary and social costs.

On Dec 19, 2007 6:04 AM, Larry Seltzer <[EMAIL PROTECTED]> wrote:

So you're saying it's impossible to make wireless communications secure? This is a rather bold statement. I've never heard anyone go that far before.

And let's assume the worst, one of the boxes gets stolen and any local security features on it fail and there's no way to remotely disable it. What abuse can you do with a fingerprint database?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of scott
Sent: Tuesday, December 18, 2007 11:52 PM
To: [email protected]
Subject: Re: [funsec] This is scary

Linking back to a database through a RF medium is inherently insecure. Almost regardless of encryption or RX methods. Satellite, notwithstanding.

MITM, possibly? Corruption of transmitted data?

Also, just getting a hold of a box or laptop could set someone up in a bad way! Same as now, only stepped up a notch.

Any thoughts?

Larry Seltzer wrote:

Why is it scary? Police have been using fingerprint evidence for about 100 years.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of scott
Sent: Tuesday, December 18, 2007 8:56 PM
To: [email protected]
Subject: [funsec] This is scary

From the Washington Post
http://www.washingtonpost.com/wp-dyn/content/article/2007/11/30/AR2007113002302_pf.html

snip

Duong's most recent innovation, the Joint Expeditionary Forensics Facilities (JEFF) project or "lab in a box," analyzes biometrics. It will be delivered to Iraq at the beginning of 2008, the Navy said, to help distinguish insurgents from civilians.

"The best missile is worthless if you don't know who to shoot," Duong said.

Betro said the military has been scanning the irises and taking the fingerprints of Iraqis, feeding a biometrics data base in West Virginia <http://www.washingtonpost.com/ac2/related/topic/West+Virginia?tid=informline>. To date, a few ad hoc labs have processed about 85,000 pieces of evidence taken from weapons caches or roadside devices. Duong's mobile forensic labs, with an initial budget of $34 million, will be deployed all over Iraq.

snip

Hmmm. When is this going to be in the hands of every cop on the street?

Scott

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

--
redhowlingwolves
Web: http://www.hacking-passion.com/

--
Steve Kalman, JD
SSCP, CISSP-ISSMP, ISSAP
