[funsec] This is scary
Larry Seltzer
Larry at larryseltzer.com
Wed Dec 19 08:54:53 CST 2007
>>I didn't read the discussion, what was it about?
Scott found this news story
(http://www.washingtonpost.com/wp-dyn/content/article/2007/11/30/AR2007113002302_pf.html)
and thought it was scary.
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer at ziffdavisenterprise.com
-----Original Message-----
From: Gadi Evron [mailto:ge at linuxbox.org]
Sent: Wednesday, December 19, 2007 9:50 AM
To: Larry Seltzer
Cc: Steve Kalman; funsec at linuxbox.org
Subject: RE: [funsec] This is scary
On Wed, 19 Dec 2007, Larry Seltzer wrote:
> Personally, if I were designing a database to store biometrics I would
> authenticate it with biometrics. And I really doubt they would allow
> the notebooks to update the central database from the field.
I'd authenticate it to a level I'd feel comfortable with, biometrics may
be one of the tools I'll choose to put into my design.. but I won't buy
a biometrics system, I'd fit it into my whole process.
And no, that authentication naturally won't be done against the database
it authenticates entry into. Trusting trust, separation.
I didn't read the discussion, what was it about?
Gadi.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> larry.seltzer at ziffdavisenterprise.com
>
>
> -----Original Message-----
> From: Steve Kalman [mailto:techauthor at gmail.com]
> Sent: Wednesday, December 19, 2007 8:01 AM
> To: Larry Seltzer
> Subject: Re: [funsec] This is scary
>
> If the laptop can be used to update the database, its operator could
> put bad-guy biometrics (DNA/fingerprints) on file under your name.
> Have fun explaining that to the swat team at your door.
>
> However good vs bad in these issues is all about risk management. NO
> solution will be perfect. The question is whether the benefits
> outweigh the monetary and social costs.
>
> On Dec 19, 2007 6:04 AM, Larry Seltzer <Larry at larryseltzer.com> wrote:
>> So you're saying it's impossible to make wireless communications secure?
>> This is a rather bold statement. I've never heard anyone go that far
>> before.
>>
>> And let's assume the worst, one of the boxes gets stolen and any local
>> security features on it fail and there's no way to remotely disable it.
>> What abuse can you do with a fingerprint database?
>>
>> Larry Seltzer
>> eWEEK.com Security Center Editor
>> http://security.eweek.com/
>> http://blogs.pcmag.com/securitywatch/
>> Contributing Editor, PC Magazine
>> larry.seltzer at ziffdavisenterprise.com
>>
>>
>> -----Original Message-----
>> From: funsec-bounces at linuxbox.org
>> [mailto:funsec-bounces at linuxbox.org]
>> On Behalf Of scott
>> Sent: Tuesday, December 18, 2007 11:52 PM
>> To: funsec at linuxbox.org
>>
>> Subject: Re: [funsec] This is scary
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Linking back to a database through an RF medium is inherently
>> insecure. Almost regardless of encryption or RX methods. Satellite,
>> notwithstanding.
>> MITM, possibly? Corruption of transmitted data?
>>
>> Also, just getting a hold of a box or laptop could set someone up in a
>> bad way! Same as now, only stepped up a notch.
>>
>> Any thoughts?
>>
>> Larry Seltzer wrote:
>>> Why is it scary? Police have been using fingerprint evidence for
>>> about 100 years.
>>>
>>> Larry Seltzer eWEEK.com Security Center Editor
>>> http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/
>>> Contributing Editor, PC Magazine
>>> larry.seltzer at ziffdavisenterprise.com
>>>
>>>
>>> -----Original Message-----
>>> From: funsec-bounces at linuxbox.org
>>> [mailto:funsec-bounces at linuxbox.org] On Behalf Of scott
>>> Sent: Tuesday, December 18, 2007 8:56 PM
>>> To: funsec at linuxbox.org
>>> Subject: [funsec] This is scary
>>>
>>> - From the Washington Post
>>> http://www.washingtonpost.com/wp-dyn/content/article/2007/11/30/AR2007113002302_pf.html
>>>
>>> snip
>>>
>>> Duong's most recent innovation, the Joint Expeditionary Forensics
>>> Facilities (JEFF) project or "lab in a box," analyzes biometrics.
>>> It will be delivered to Iraq at the beginning of 2008, the Navy
>>> said, to help distinguish insurgents from civilians.
>>>
>>> "The best missile is worthless if you don't know who to shoot,"
>>> Duong said.
>>>
>>> Betro said the military has been scanning the irises and taking the
>>> fingerprints of Iraqis, feeding a biometrics data base in West
>>> Virginia
>>> <http://www.washingtonpost.com/ac2/related/topic/West+Virginia?tid=informline>.
>>> To date, a few ad hoc labs have processed about 85,000
>>> pieces of evidence taken from weapons caches or roadside devices.
>>> Duong's mobile forensic labs, with an initial budget of $34 million,
>>> will be deployed all over Iraq.
>>>
>>> snip
>>>
>>> Hmmm. When is this going to be in the hands of every cop on the street?
>>>
>>> Scott
>>>
>>
>> _______________________________________________
>> Fun and Misc security discussion for OT posts.
>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>> Note: funsec is a public and open mailing list.
>>
>> - --
>> redhowlingwolves
>> Web: http://www.hacking-passion.com/
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.6 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQFHaKNoxajqy/aNaRsRAm0IAKCbht2jzkBKycMjlmQVntW2DvObFgCfb1p9
>> XU8tv7IVNJgxF9ydpcrNLVU=
>> =J/Zh
>> -----END PGP SIGNATURE-----
>>
>
>
>
> --
> Steve Kalman, JD
> SSCP, CISSP-ISSMP, ISSAP
>