oh cool i lost my last.fm password, now i don't have to bother reclaiming it

DreddyMatt posted:
i only got some stuff that i was waiting for my local council to do done because i wrote a formal complaint to my local councillor who had an axe to grind and he went nuclear on them and emailed the head of their entire legal department to prioritise my case. just threatening a formal complaint works for public services as well because complaints gently caress up their statistics #firstworldhacks

Sep 7, 2016 18:06

Midjack posted:
federal it, checks out

Sep 7, 2016 18:07

Bhodi posted:
Anyone else read the OPM report? It's dry but you should check out chapter 5

the government should not be allowed to keep records with any sensitive data

Sep 7, 2016 18:37

YeOldeButchere posted:
how's the security for this sort of rfid biometric data storage anyway?

terrible and hilarious, in almost every case. One-way transformations of biometric data exist, work, are cryptographically secure just like a hash, but nearly nobody is using them. I worked for a startup just out of college that offered this exact service, and naturally, it flopped because none of our potential customers (including government) could be made to understand why they need to be doing things that way.

YeOldeButchere posted:
no one has adequately solved the fingerprint revocation problem either, as far as i know

In fact that problem has been solved, the transformed biotokens can be revoked and new (but different) ones generated from the same finger/iris/whatever. I wrote my master's thesis on this poo poo, I could yak about it for hours. I made a giant post about biometrics in one of the previous secfuck threads, but it was like a year ago and I don't know how to find it

Sep 7, 2016 20:58

Cowboy Mark posted:
A vendor pitched this 1 million bit encryption thingy to us:

1 million bits

Sep 7, 2016 21:33

oh hey it was actually pretty easy to find

quote:
When stored digitally, fingerprints are nearly _always_ stored as a simple series of minutiae points which are just sets of 3 numbers: x/y coordinates and 'theta', which represents the angle, e.g. which direction that particular feature is facing. Some new systems include a fourth value for curvature, but almost nobody is using this.

To elaborate slightly on storage: remember that you need to store a thing of some sort which you can compare new fingerprints against (the process is actually identical for fingerprint, iris, face, etc). This original impression is called the 'gallery' entry, and new impressions are called 'probes'. When someone claiming to be joe schmoe asks to be verified by the biometric system, he puts his finger down and the scanner creates a new impression to compare against the stored gallery entry.

When it comes down to the storage of this gallery entry, there are 4 approaches:

1. Use a cool algorithm like the one I worked on which can give a yes/no response without actually storing any of the original fingerprint minutiae or any data that can be used to recover said data. There are multiple libraries for doing this. Analogy: Hashed+salted password. ISO has a standard that describes this: ISO-24745

2. Store raw minutiae points with reversible encryption and some kind of certificate system. This is better than nothing, but still exposes biometric data to possible recovery because the crypto is reversible. Analogy: reversibly encrypted passwords. EU's BSI TR-03110 falls into this category.

3. Store raw minutiae triplets without encryption, because it's just like, numbers, man. The problem here is that minutiae can be trivially used to reconstruct a facsimile of the original fingerprint. Analogy: ROT13'd passwords

4. Store a literal loving picture of your user's fingerprint, because you're an idiot. This still happens alarmingly often. As recently as last year HTC got caught storing bitmaps of their users' fingerprints in user-accessible space on their android phones. Analogy: Plaintext passwords, hand written by a drooling idiot

The vaaaaast majority of biometric systems out there now are doing either #2 or #3, and #4 isn't exactly rare either. Naturally, nobody is ever willing to talk about the security of their backend, ever.

Part of my thesis was comparison to existing systems that claim to do the same or a similar thing, which led to this, my favorite passage:

quote:
I was able to locate only one other example of currently deployable web-enabled biometric authentication: A software development kit called "Bio-Plugin™", created by a company called M2Sys. Bio-Plugin provides the ability to authenticate users against a remote server through a web interface designed to be incorporated into existing web services, and is compatible only with biometric scanners produced by M2Sys. Notably, these devices are not limited to fingerprint biometrics.

Sep 7, 2016 21:34

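The "yes/no without storing minutiae" approach (#1 above) and the revocable biotoken claim from the earlier YeOldeButchere exchange, as an added worked example. This is not code from either post, from the poster's thesis or from any M2Sys product; it is a toy fuzzy commitment (the Juels and Wattenberg construction, one of the template-protection families ISO/IEC 24745 covers): minutiae are reduced to a fixed-length bit vector, XORed with a random error-correcting codeword, and only that masked vector plus a salted hash of the random key is stored. Everything below the imports is assumed for illustration: a 288x224 sensor field cut into 32-pixel cells, a 63-bit cell-occupancy feature that ignores theta and alignment, a 7x repetition code carrying a 9-bit key, and the constructed gallery, probe and impostor minutiae. Real schemes use alignment-invariant features, BCH-class codes and keys of 128 bits or more, and a repetition code this short leaks a good deal about the feature vector, so read it for the shape of the scheme, not as something to deploy.

```python
"""Toy fuzzy commitment for fingerprint minutiae (added illustration, not the
posters' code). Stored record = (salt, witness, tag); no minutiae are kept."""
import hashlib
import hmac
import secrets

CELL = 32                  # assumed: 32-pixel grid cells over a 288x224 field
COLS, ROWS = 9, 7          # 63 cells -> 63 feature bits
N_BITS = COLS * ROWS
REP = 7                    # repetition code length: corrects <= 3 flips per key bit
KEY_BITS = N_BITS // REP   # 9-bit key (toy size; real schemes use >= 128 bits)


def minutiae_to_bits(minutiae):
    """Map (x, y, theta) minutiae to a cell-occupancy bit vector.
    Theta and alignment are ignored here; real extractors use both."""
    bits = [0] * N_BITS
    for x, y, _theta in minutiae:
        col = min(max(x // CELL, 0), COLS - 1)
        row = min(max(y // CELL, 0), ROWS - 1)
        bits[row * COLS + col] = 1
    return bits


def encode(key):
    """Repetition code: each key bit is written REP times."""
    return [b for b in key for _ in range(REP)]


def decode(codeword):
    """Majority vote per REP-bit block. Returns (key, number of bits corrected)."""
    key, corrected = [], 0
    for i in range(0, N_BITS, REP):
        block = codeword[i:i + REP]
        ones = sum(block)
        bit = 1 if ones > REP // 2 else 0
        key.append(bit)
        corrected += (REP - ones) if bit else ones
    return key, corrected


def _tag(key, salt):
    """Salted one-way hash of the key; this, not the key, is what gets stored."""
    return hashlib.sha256(salt + bytes(key)).hexdigest()


def enroll(minutiae, key=None, salt=None):
    """Create the stored record. The key is random, so re-enrolling the same finger
    with a fresh key (and deleting the old record) revokes the old token."""
    key = key if key is not None else [secrets.randbits(1) for _ in range(KEY_BITS)]
    salt = salt if salt is not None else secrets.token_bytes(16)
    witness = [c ^ f for c, f in zip(encode(key), minutiae_to_bits(minutiae))]
    return {"salt": salt, "witness": witness, "tag": _tag(key, salt)}


def verify(record, probe_minutiae):
    """Yes/no only: unmask the witness with the probe, error-correct, compare hashes."""
    probe = minutiae_to_bits(probe_minutiae)
    noisy = [w ^ p for w, p in zip(record["witness"], probe)]
    key, _ = decode(noisy)
    return hmac.compare_digest(_tag(key, record["salt"]), record["tag"])


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


# Constructed sample data, not real fingerprints: (x, y, theta_degrees).
GALLERY = [
    (40, 20, 30), (75, 50, 95), (140, 45, 10), (200, 70, 180),
    (260, 20, 45), (50, 110, 300), (110, 150, 210), (180, 120, 75),
    (240, 170, 140), (20, 200, 0), (90, 205, 260), (150, 180, 330),
    (220, 210, 120), (270, 180, 60),
]
# Same finger, re-scanned: every point jittered a few pixels, (110,150) missed,
# one spurious minutia at (100,100). Feature vectors differ in 2 of 63 bits.
PROBE = [
    (42, 18, 33), (73, 52, 92), (141, 47, 8), (198, 71, 182),
    (263, 22, 44), (48, 112, 298), (182, 118, 77),
    (238, 172, 139), (23, 199, 2), (91, 203, 262), (152, 177, 331),
    (219, 212, 118), (272, 183, 58), (100, 100, 50),
]
# Different finger: six of the seven cells in the first code block disagree,
# which is beyond what the repetition code can correct.
IMPOSTOR = [
    (10, 10, 0), (70, 12, 90), (100, 15, 45), (130, 10, 200),
    (165, 14, 300), (200, 100, 20), (40, 140, 80),
]

if __name__ == "__main__":
    rec = enroll(GALLERY)
    print("gallery/probe bit distance:", hamming(minutiae_to_bits(GALLERY), minutiae_to_bits(PROBE)))
    print("genuine probe accepted:", verify(rec, PROBE))
    print("impostor accepted:", verify(rec, IMPOSTOR))
    rec2 = enroll(GALLERY)  # reissue after revocation: fresh key and salt, old record deleted
    print("reissued tag differs:", rec2["tag"] != rec["tag"], "still verifies:", verify(rec2, PROBE))
```

The record holds nothing a matcher could turn back into minutiae without the key, and revocation is just re-enrolment with a fresh random key, so two tokens from the same finger are unrelated bit strings. The weak spots a reviewer should flag are the ones named in the lead-in: the repetition code and the tiny key.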
lol I bet they're generating 4,000 aes256 keys and chaining it all together

Sep 7, 2016 21:36

I don't even want to think about the cpu time it would take to transmit 125kB of keys over DH

Sep 7, 2016 21:38

https://twitter.com/AsherLangton/status/773622483576467456

Sep 7, 2016 21:43

jesus. loving. christ.

Sep 7, 2016 21:44

https://twitter.com/AsherLangton/status/773622636865662977
https://twitter.com/AsherLangton/status/773622962888904704

and i have already downloaded their app

Sep 7, 2016 21:45

OSI bean dip posted:
https://twitter.com/AsherLangton/status/773622636865662977

Sep 7, 2016 21:48

lmfao that 'security through obscurity' bit

Sep 7, 2016 21:48

Er guys I think it's legit, just see this watertight presentation https://www.youtube.com/watch?v=ISYyB3cTR3k

Sep 7, 2016 21:53

OSI bean dip posted:
https://twitter.com/AsherLangton/status/773622636865662977

Sep 7, 2016 21:53

i got a word salad bingo!

Sep 7, 2016 21:54

Sep 7, 2016 22:29

|
COACHS SPORT BAR posted:
oh hey it was actually pretty easy to find

also this is a kickin' rad post

Sep 7, 2016 22:29

it's written in realbasic

Sep 7, 2016 22:35

OSI bean dip posted:
it's written in realbasic

lmbo

Sep 7, 2016 22:39

Sep 7, 2016 22:43

OSI bean dip posted:
it's written in realbasic

is it byte-level compiled on the server at the lowest possible place and heavily encrypted though

Sep 7, 2016 22:43

https://twitter.com/afreak/status/773641837626007552

Sep 7, 2016 23:00

tell me that the server connection happens in plaintext

Sep 7, 2016 23:03

set phasers to pwn

Sep 7, 2016 23:09

is that an animated scrolly number border around the edge i see? this thing is amazing

e: oh it's just your console and the thing has a weird borderless window I guess?

Sep 7, 2016 23:10

everything is plaintext http

Sep 7, 2016 23:10

OSI bean dip posted:
everything is plaintext http

Sep 7, 2016 23:12

OSI bean dip posted:
everything is plaintext http

Security Fuckup Megathread - v12.1.4 - everything is plaintext http

Sep 7, 2016 23:15

OSI bean dip posted:
it's written in realbasic

i will not be convinced that this is anything other than realplayer + visual basic

Sep 7, 2016 23:15

OSI bean dip posted:
everything is plaintext http

Sep 7, 2016 23:16

YeOldeButchere posted:
no one has adequately solved the fingerprint revocation problem either, as far as i know

pshaw, sure they did

Sep 7, 2016 23:18

OSI bean dip posted:
everything is plaintext http

well I was going to quote the old version of this post where you said they were making it hard to debug things and I was going to snark that maybe they were good at at least one thing but welp

Sep 7, 2016 23:18

Parallel Paraplegic posted:
is that an animated scrolly number border around the edge i see

Sep 7, 2016 23:26

anthonypants posted:
that's the plaintext for the latest bletchley boffins challenge

the challenge text was generated by this product, OSI kept it quiet for a few weeks and now is dropping clues in this thread

Sep 7, 2016 23:28

McGlockenshire posted:
well I was going to quote the old version of this post where you said they were making it hard to debug things and I was going to snark that maybe they were good at at least one thing but welp

there are some headaches in RE'n this poo poo but we're still figuring out things

i've already tested the crypto out that said

Sep 7, 2016 23:28

Parallel Paraplegic posted:
is that an animated scrolly number border around the edge i see

i have it open in bin ninja

Sep 7, 2016 23:30

dear security thread, I am going to bletchley park on friday, anything in particular I should look out for

Sep 7, 2016 23:38

qntm posted:
dear security thread, I am going to bletchley park on friday, anything in particular I should look out for

take photos

Sep 7, 2016 23:41

lol but their awful promo video said the million-bit key was downloaded via a 4096-bit encrypted connection

anthonypants posted:
that's the plaintext for the latest bletchley boffins challenge

qntm posted:
dear security thread, I am going to bletchley park on friday, anything in particular I should look out for

pick me up a boffin

Sep 7, 2016 23:42