this post was submitted on 22 Nov 2023
417 points (98.4% liked)

Technology

[–] stom@lemmy.world 378 points 11 months ago (17 children)

This is why I use Linux, the fingerprint device wouldn't be supported so this wouldn't be an issue /s

[–] Gork@lemm.ee 127 points 11 months ago (2 children)

Mmm yes security by non-functionality. A pillar of the modern cybersecurity framework.

[–] SpaceNoodle@lemmy.world 81 points 11 months ago (1 children)
[–] agent_flounder@lemmy.world 15 points 11 months ago (1 children)

And this is why I am typing this on a 1921 Royal No. 10 typewriter.

[–] AbidanYre@lemmy.world 8 points 11 months ago

Found Tom Hanks's Lemmy account.

[–] Kusimulkku@lemm.ee 26 points 11 months ago

Works for my webcam. Tbh I'd like someone to hack it, would mean they would've written drivers for it

[–] Cethin@lemmy.zip 20 points 11 months ago (1 children)

The fun thing about Linux is you realize physical control is ownership. You can just throw a bootable Linux image with some utilities and remove the password from a Windows account in a second. If you really need to keep something safe, it has to be encrypted.

[–] kadu@lemmy.world 10 points 11 months ago (2 children)

remove the password from a Windows account

That used to be true, but no longer works

[–] Hubi@feddit.de 17 points 11 months ago (1 children)

The one on my Thinkpad works just fine :)

[–] canis_majoris@lemmy.ca 6 points 11 months ago* (last edited 11 months ago) (1 children)

I got a T80s and the sensor doesn't work. It's an 8th gen Intel machine, that's like four or five generations behind.

[–] Hubi@feddit.de 4 points 11 months ago (1 children)

I've got a T440p and I just set it up through the menu in the KDE settings, it worked right out of the box.

[–] pineapplelover@lemm.ee 16 points 11 months ago (1 children)

Nah I use fprint on my arch laptop so there is fingerprint login technology. Hopefully that doesn't have security vulnerabilities.

[–] locuester@lemmy.zip 4 points 11 months ago (1 children)

It has vulnerabilities for sure. But they haven't been found because no one cares about hacking you or the 1 other person on earth that uses Arch and fingerprint security.

[–] RFBurns@lemmy.world 9 points 11 months ago

Correct answer.

Using any form of biometric 'login' under the US's "justice" system is supremely ill-advised.

[–] loutr@sh.itjust.works 9 points 11 months ago

That's funny, on my XPS Windows crashed when I tried adding a fingerprint. Works flawlessly under Arch.

[–] PeWu@lemmy.ml 9 points 11 months ago

Today I was fucking around with this shit. I can't even update my distro, otherwise ecryptfs will go adios, and fingerprinting will be broken.

[–] ChaoticNeutralCzech@feddit.de 85 points 11 months ago (2 children)

It stopped working when I uninstalled Edge, and so did the face recognition. So it depends on WebView or some shit. Pretty sure it's Microsoft's way of getting around the new EU regulations and hastily integrating the browser into everything, regardless of it making sense or improving security. Like they did with 98 after the browser anti-competitiveness lawsuit.

[–] pineapplelover@lemm.ee 38 points 11 months ago* (last edited 11 months ago) (2 children)

Wtf. It shouldn't even need those permissions. All it needs to do is scan if the fingerprint it stores matches you.

[–] TORFdot0@lemmy.world 21 points 11 months ago (1 children)

It uses web view for web authentication for registering your Hello PIN to your Microsoft account. So it's by design on Microsoft's end. You can then use the Windows Hello credential as a passkey but if you don't want that, you'd need another solution for biometric auth.

[–] ChaoticNeutralCzech@feddit.de 5 points 11 months ago (1 children)

Still, that does not explain the Edge dependency. Lots of programs can communicate with their respective servers without browser technology.

[–] Unaware7013@kbin.social 6 points 11 months ago

It kinda does though, if you look at it from a speed/competency aspect. I'm more and more convinced that the people who build out features only have tangential ideas on how it integrates into the overall system, so just throwing a browser at every problem gets you a cookie cutter backend with APIs and lets you shove half-baked features out the door without having to figure out how to wrap data in protocols, since you just hand your payload to the browser and wait for a response.

[–] pycorax@lemmy.world 15 points 11 months ago (1 children)

hastily integrating the browser into everything, regardless of it making sense

So software development in general in the last couple of years?

[–] ChaoticNeutralCzech@feddit.de 9 points 11 months ago

Yes. JavaScript is famously the best programming language ever, so why not? /s

[–] ramble81@lemm.ee 81 points 11 months ago (2 children)

Reading the article it doesn’t sound like it’s Microsoft’s issue but the vendor’s implementation and lack of using the secure communication protocol.

[–] killeronthecorner@lemmy.world 31 points 11 months ago

"vendor's implementation" rings immediate alarm bells...

[–] Smokeless7048@lemmy.world 11 points 11 months ago (1 children)

It sounds like Microsoft's own laptops don't implement the spec properly!

[–] Aux@lemmy.world 13 points 11 months ago (2 children)

Microsoft doesn't make fingerprint readers.

[–] Smokeless7048@lemmy.world 11 points 11 months ago

Yea, but they sourced the parts from a vendor, and still didn't make sure the vendor was properly following the spec.

Just goes to show how complicated it can be!

[–] Luci@lemmy.ca 32 points 11 months ago* (last edited 11 months ago) (22 children)

Stop using biometrics for authentication!!!!!

Edit: lots of opinions below. Biometrics are a username, a thing you are. Fingerprints can be taken from your laptop with a little powder and masking tape.

Use an authenticator app or security key, kids!!

[–] TORFdot0@lemmy.world 18 points 11 months ago (1 children)

Better put would be: stop using biometrics for single-factor authentication. A token can be stolen, or a passcode/push notification can be phished/bypassed as easily as biometrics can.

[–] MostlyHarmless@sh.itjust.works 8 points 11 months ago (1 children)

Biometrics are two factor, because you need the fingerprint and the device they unlock.

You can't use the device without the fingerprint and you can't take someone's fingerprint then use them from a different device.

[–] _s10e@feddit.de 10 points 11 months ago (2 children)

You are not wrong, but we should understand what class of attacks we are protecting against. Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

Now, you may say, an FBI raid is not what you worry about on a daily basis. Agree.

If you are trying to keep the photos on your device safe from snooping, you're good. The attacker needs the device and your fingerprint.

When we talk online accounts, I'd count device+fingerprint as one factor. Sure, the maid from the example above can't log in to your Gmail without your fingerprint, but most attacks are online. Your device sends a token to Gmail, a cookie, a string; that's like a password. One factor.

Technically, it's slightly better than a password, because this token can be short-lived (although often it's not), could be a cryptographic signature to be used exactly once (although...), and you cannot brute-force guess the token.... But IF the token leaks, the attacker has full access (or enough to cause damage).

That's why I would suggest an independent second factor, such as password. Yes, a password. Not for your daily routine (biometrics+device is much better), but maybe for high-risk operations.

[–] barsoap@lemm.ee 7 points 11 months ago* (last edited 11 months ago)

Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

A sufficiently motivated maid will be able to do it. The FBI eats that kind of stuff for breakfast.

Once upon a time, the then German minister of the interior wanted to collect all kinds of biometric data, in passports, in fully connected databases, whatnot. The CCC went ahead and swiped his print off a glass at a reception and published a DIY version to impersonate him in their magazine. Fingerprint authorisation is the security equivalent of a sticky note with your password on your coffee mug.

The good news? You can use ordinary gloves, no need for tinfoil.

[–] Bootheal0179@lemmy.world 16 points 11 months ago (2 children)

In Doom I had to rip off a dude's arm to gain access to the security controls on core cooling shutdown. If you don't want to lose an arm to stop a demon horde, you're better off just using your girlfriend's fingerprints.

[–] MonkderZweite@feddit.ch 21 points 11 months ago (1 children)
[–] psudojo@infosec.pub 8 points 11 months ago (1 children)

I'm all for the something you have + something you are, PB&J relationship, but I don't think lathering biometrics on top is a good idea. Far too many spy movies have shown Tom Cruise doing the MOST for pictures of eyeballs and fingerprints for me to ever trust this type of auth.

[–] Herowyn@jlai.lu 14 points 11 months ago (1 children)

The main issue with biometrics is that you can't change them. If your fingerprints or retina are compromised you're fucked.

[–] MostlyHarmless@sh.itjust.works 12 points 11 months ago (2 children)

Unless I meet you in person, I'm not going to get your biometrics. The point of these is to protect your accounts from the global Internet.

https://xkcd.com/538/

[–] Herowyn@jlai.lu 6 points 11 months ago (1 children)

It doesn't need to be a physical breach. If it's stored somewhere it can (and might) be accessed by someone else and reconstructed.

[–] Saik0Shinigami@lemmy.saik0.com 5 points 11 months ago (6 children)

And yet, as a service member that was part of the 2013 OPM data breach, my fingerprints (and an estimated 5.5 million other people's) were part of the dataset that was stolen.

So... What's your point about "Global Internet"? If my data was stolen, and sent to the "Global Internet"(The fuck does this even mean?)... There's no functional difference to an exposed password.

[–] autotldr@lemmings.world 5 points 11 months ago (1 children)

This is the best summary I could come up with:


Microsoft’s Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft’s BlueHat conference in October.

The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, with a newly-published blog post detailing the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack.

Blackwing Intelligence researchers reverse engineered both software and hardware, and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor.

The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.

The researchers found that Microsoft’s SDCP protection wasn’t enabled on two of the three devices they targeted.

Blackwing Intelligence now recommends that OEMs make sure SDCP is enabled and ensure the fingerprint sensor implementation is audited by a qualified expert.


The original article contains 474 words, the summary contains 145 words. Saved 69%. I'm a bot and I'm open source!

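The summary above says SDCP was not enabled on two of the three sensors, which is what lets a device interposed on the USB bus hand the host a fake "matched" verdict. As an added illustration that is not part of this thread or of Microsoft's protocol, here is a simplified model of what a host-authenticated sensor channel buys: the sensor MACs each verdict with a key the host trusts (assumed pre-shared at pairing here; real SDCP uses attested device keys) and binds it to a fresh host nonce, so a forged or replayed verdict is rejected while an unprotected host would accept it.

```python
import hashlib
import hmac
import os
from collections import namedtuple

# Constructed illustration, not Microsoft's SDCP code: the sensor MACs each
# verdict under a key the host trusts, bound to a fresh host-chosen nonce.
MatchResult = namedtuple("MatchResult", "nonce template_id matched mac")

def _tag(key, nonce, template_id, matched):
    # MAC covers every field the host acts on, so none can be altered in transit.
    msg = nonce + template_id.to_bytes(4, "big") + bytes([matched])
    return hmac.new(key, msg, hashlib.sha256).digest()

def sensor_authorize(key, nonce, template_id, matched):
    # Genuine sensor: reports its verdict and proves it with the device key.
    return MatchResult(nonce, template_id, matched,
                       _tag(key, nonce, template_id, matched))

class Host:
    def __init__(self, key):
        self._key = key  # assumed: secret shared at pairing (simplification)
        self._pending = set()  # challenges issued but not yet answered

    def challenge(self):
        nonce = os.urandom(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, r):
        if r.nonce not in self._pending:
            return False  # stale, unknown or replayed answer
        self._pending.discard(r.nonce)  # each challenge is single-use
        expected = _tag(self._key, r.nonce, r.template_id, r.matched)
        return hmac.compare_digest(expected, r.mac) and r.matched

def accept_unprotected(r):
    return r.matched  # host without an authenticated channel believes the bus

def scenario():
    key = os.urandom(32)  # constructed pairing secret
    host = Host(key)
    genuine = sensor_authorize(key, host.challenge(), 1, True)
    # A device interposed on the USB bus can claim "matched" but cannot MAC it.
    forged = MatchResult(host.challenge(), 1, True, os.urandom(32))
    return {"genuine": host.verify(genuine),
            "forged_unprotected": accept_unprotected(forged),
            "forged_protected": host.verify(forged),
            "replayed": host.verify(genuine)}
```

The "replayed" case reuses the already accepted genuine verdict and fails because the host burned that nonce on first use.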