[funsec] This is scary

Larry Seltzer Larry at larryseltzer.com
Wed Dec 19 07:08:50 CST 2007


Personally, if I were designing a database to store biometrics I would
authenticate it with biometrics. And I really doubt they would allow the
notebooks to update the central database from the field.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer at ziffdavisenterprise.com


-----Original Message-----
From: Steve Kalman [mailto:techauthor at gmail.com] 
Sent: Wednesday, December 19, 2007 8:01 AM
To: Larry Seltzer
Subject: Re: [funsec] This is scary

If the laptop can be used to update the database, its operator could put
bad-guy biometrics (DNA/fingerprints) on file under your name.
Have fun explaining that to the SWAT team at your door.

However, good vs bad in these issues is all about risk management. NO
solution will be perfect. The question is whether the benefits outweigh
the monetary and social costs.

On Dec 19, 2007 6:04 AM, Larry Seltzer <Larry at larryseltzer.com> wrote:
> So you're saying it's impossible to make wireless communications secure?
> This is a rather bold statement. I've never heard anyone go that far
> before.
>
> And let's assume the worst, one of the boxes gets stolen and any local
> security features on it fail and there's no way to remotely disable it.
> What abuse can you do with a fingerprint database?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> larry.seltzer at ziffdavisenterprise.com
>
>
> -----Original Message-----
> From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org]
> On Behalf Of scott
> Sent: Tuesday, December 18, 2007 11:52 PM
> To: funsec at linuxbox.org
>
> Subject: Re: [funsec] This is scary
>
> Linking back to a database through a RF medium is inherently
> insecure. Almost regardless of encryption or RX methods. Satellite,
> notwithstanding.
> MITM, possibly? Corruption of transmitted data?
>
> Also, just getting a hold of a box or laptop could set someone up in a
> bad way! Same as now, only stepped up a notch.
>
> Any thoughts?
>
> Larry Seltzer wrote:
> > Why is it scary? Police have been using fingerprint evidence for
> > about 100 years.
> >
> > Larry Seltzer eWEEK.com Security Center Editor 
> > http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/
> > Contributing Editor, PC Magazine
> > larry.seltzer at ziffdavisenterprise.com
> >
> >
> > -----Original Message-----
> > From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org]
> > On Behalf Of scott
> > Sent: Tuesday, December 18, 2007 8:56 PM
> > To: funsec at linuxbox.org
> > Subject: [funsec] This is scary
> >
> > From the Washington Post
> > http://www.washingtonpost.com/wp-dyn/content/article/2007/11/30/AR2007113002302_pf.html
> >
> > snip
> >
> > Duong's most recent innovation, the Joint Expeditionary Forensics 
> > Facilities (JEFF) project or "lab in a box," analyzes biometrics.
> > It will be delivered to Iraq at the beginning of 2008, the Navy 
> > said, to help distinguish insurgents from civilians.
> >
> > "The best missile is worthless if you don't know who to shoot,"
> > Duong said.
> >
> > Betro said the military has been scanning the irises and taking the
> > fingerprints of Iraqis, feeding a biometrics data base in West
> > Virginia
> > <http://www.washingtonpost.com/ac2/related/topic/West+Virginia?tid=informline>.
> > To date, a few ad hoc labs have processed about 85,000
> > pieces of evidence taken from weapons caches or roadside devices.
> > Duong's mobile forensic labs, with an initial budget of $34 million,
> > will be deployed all over Iraq.
> >
> > snip
> >
> > Hmmm. When is this going to be in the hands of every cop on the street?
> >
> > Scott
> >
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
> --
> redhowlingwolves
> Web: http://www.hacking-passion.com/



--
Steve Kalman, JD
SSCP, CISSP-ISSMP, ISSAP


