this post was submitted on 22 Nov 2023
417 points (98.4% liked)

Technology

59346 readers
7298 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] stom@lemmy.world 378 points 11 months ago (17 children)

This is why I use Linux, the fingerprint device wouldn't be supported so this wouldn't be an issue /s

[–] Gork@lemm.ee 127 points 11 months ago (2 children)

Mmm yes security by non-functionality. A pillar of the modern cybersecurity framework.

[–] SpaceNoodle@lemmy.world 81 points 11 months ago (1 children)
[–] agent_flounder@lemmy.world 15 points 11 months ago (1 children)

And this is why I am typing this on a 1921 Royal No. 10 typewriter.

[–] AbidanYre@lemmy.world 8 points 11 months ago

Found Tom Hanks's Lemmy account.

[–] Kusimulkku@lemm.ee 26 points 11 months ago

Works for my webcam. Tbh I'd like someone to hack it, would mean they would've written drivers for it

[–] Cethin@lemmy.zip 20 points 11 months ago (1 children)

The fun thing about Linux is your realize physical control is ownership. You can just throw a Bootable Linux image with some utilities and remove the password from a Windows account in a second. If you really need to keep something safe, it has to be encrypted.

[–] kadu@lemmy.world 10 points 11 months ago (2 children)

remove the password from a Windows account

That used to be true, but no longer works

load more comments (2 replies)
[–] Hubi@feddit.de 17 points 11 months ago (1 children)

The one on my Thinkpad works just fine :)

[–] canis_majoris@lemmy.ca 6 points 11 months ago* (last edited 11 months ago) (1 children)

I got a T80s and the sensor doesn't work. It's an 8th gen Intel machine, that's like four or five generations behind.

[–] Hubi@feddit.de 4 points 11 months ago (1 children)

I've got a T440p and I just set it up through the menu in the KDE settings, it worked right out of the box.

load more comments (1 replies)
[–] pineapplelover@lemm.ee 16 points 11 months ago (1 children)

Nah I use fprint on my arch laptop so there is fingerprint login technology. Hopefully that doesn't have security vulnerabilities.

[–] locuester@lemmy.zip 4 points 11 months ago (1 children)

It has vulnerabilities for sure. But they haven’t been found because no one cares about hacking you or the 1 other person on earth that use Arch and fingerprint security.

load more comments (1 replies)
[–] RFBurns@lemmy.world 9 points 11 months ago

Correct answer.

Using any form of biometric 'login' under the US's "justice" system is supremely ill-advised.

[–] loutr@sh.itjust.works 9 points 11 months ago

That's funny, on my XPS Windows crashed when I tried adding a fingerprint. Works flawlessly under Arch.

[–] PeWu@lemmy.ml 9 points 11 months ago

Today I was fucking around with this shit. I can't even update my distro, otherwise ecryptfs will go adios, and fingerprinting will be broken.

load more comments (10 replies)
[–] ChaoticNeutralCzech@feddit.de 85 points 11 months ago (2 children)

It stopped working when I uninstalled Edge, and so did the face recognition. So it depends on WebView or some shit. Pretty sure it’s Microsoft's way of getting around the new EU regulations and hastily integrating the browser into everything, regardless of it making sense or improving security. like they did with 98 after the browser anti-competitiveness lawsuit.

[–] pineapplelover@lemm.ee 38 points 11 months ago* (last edited 11 months ago) (2 children)

Wtf. It shouldn't even need those permissions. All it needs to do is scan if the fingerprint it stores matches you.

[–] TORFdot0@lemmy.world 21 points 11 months ago (1 children)

It uses web view for web authentication for registering your Hello PIN to your Microsoft account. So it's by design on Microsoft's end. You can then use the Windows Hello credential as a passkey but if you don't want that, you'd need another solution for biometric auth.

[–] ChaoticNeutralCzech@feddit.de 5 points 11 months ago (1 children)

Still, that does not explain the Edge dependency. Lots of programs can communicate with their respective servers without browser technology.

[–] Unaware7013@kbin.social 6 points 11 months ago

It kinda does though, if you look at it from a speed/competency aspect. I'm more and more convinced that the people who build out features only have tangential ideas on how it integrates into the overall system, so just throwing a browser at every problem gets you a cookie cutter backend with APIs and let's you shove half baked features out the door without having to figure out how to wrap data in protocols since you just hand your payload so the browser and wait for a response.

load more comments (1 replies)
[–] pycorax@lemmy.world 15 points 11 months ago (1 children)

hastily integrating the browser into everything, regardless of it making sense

So software development in general in the last couple of years?

[–] ChaoticNeutralCzech@feddit.de 9 points 11 months ago

Yes. JavaScript is famously the best programming language ever, so why not? /s

[–] ramble81@lemm.ee 81 points 11 months ago (2 children)

Reading the article it doesn’t sound like it’s Microsoft’s issue but the vendor’s implementation and lack of using the secure communication protocol.

[–] killeronthecorner@lemmy.world 31 points 11 months ago

"vendors implementation" rings immediate alarm bells...

[–] Smokeless7048@lemmy.world 11 points 11 months ago (1 children)

it sounds like microsoft's own laptops dont implement the spec properly!

[–] Aux@lemmy.world 13 points 11 months ago (2 children)

Microsoft doesn't make fingerprint readers.

[–] Smokeless7048@lemmy.world 11 points 11 months ago

Yea, but they sourced the parts from a vendor, and still didn't make sure the vendor was properly following the spec.

Just goes to show how complicated it can be!

load more comments (1 replies)
[–] Luci@lemmy.ca 32 points 11 months ago* (last edited 11 months ago) (22 children)

Stop using biometrics for authentication!!!!!

Edit: lots of opinions below. Biometrics are a username, a thing you are. Finger printed can be taken from your laptop with a little powder and masking tape.

Use an authentacator app or security key kids!!

[–] TORFdot0@lemmy.world 18 points 11 months ago (1 children)

Better put would be stop using biometrics for single factor authentication. A token can be stolen, or a passcode/push notification can be phished/bypassed as easy as biometrics can.

[–] MostlyHarmless@sh.itjust.works 8 points 11 months ago (1 children)

Biometrics are two factor, because you need the fingerprint and the device they unlock.

You can't use the device without the fingerprint and you can't take someone's fingerprint then use them from a different device.

[–] _s10e@feddit.de 10 points 11 months ago (2 children)

You are not wrong, but you we should understand what class of attacks we are protecting against. Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

Now, you may say, an FBI raid is not what you worry about on a daily basis. Agree.

If you are trying to keep the photos on your device safe from snooping, your good. Attacker needs the device and your fingerprint.

When we talk online accounts, I'd count device+fingerprint as one factor. Sure, the maid from the example above can't login into your gmail without your fingerprint, but most attacks are online. Your device sends a token to gmail, a cookie, a String; that's like a password. One factor.

Technically, it's slightly better than a password, because this token can be short-lived (although often it's not), could be cryptographic signature to be used exactly once (although...), you cannot brute-force guess the token.... But IF the token leaks, the attacker has full access (or enough to cause damage).

That's why I would suggest an independent second factor, such as password. Yes, a password. Not for your daily routine (biometrics+device is much better), but maybe for high-risk operations.

[–] barsoap@lemm.ee 7 points 11 months ago* (last edited 11 months ago)

Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

A sufficiently motivated maid will be able to do it. The FBI eats that kind of stuff for breakfast.

Once upon a time, the then German minister of the interior wanted to collect all kinds of biometric data, in passports, in fully connected databases, whatnot. The CCC went ahead and swiped his print off a glass at a reception and published a DIY version to impersonate him in their magazine. Fingerprint authorisation is the security equivalent of a sticky note with your password on your coffee mug.

The good news? You can use ordinary gloves, no need for tinfoil.

load more comments (1 replies)
[–] Bootheal0179@lemmy.world 16 points 11 months ago (2 children)

In Doom I had to rip off a dudes arm to gain access to the security controls on core cooling shutdown. If you don’t want to lose an arm to stop a demon horde, you’re better off just using your girlfriend’s fingerprints

load more comments (2 replies)
load more comments (20 replies)
[–] MonkderZweite@feddit.ch 21 points 11 months ago (1 children)
[–] psudojo@infosec.pub 8 points 11 months ago (1 children)

im all for the something you have + something you are , pb&j relationship, but i dont think lathering biometrics on top is a good idea,far too many spy movies have shown Tom Cruise doing the MOST for pictures of eyeballs and fingerprints for me to ever trust this type of auth

[–] Herowyn@jlai.lu 14 points 11 months ago (1 children)

The main issue with biometrics is that you can't change them. If your fingerprints or retina are compromised you're fucked.

[–] MostlyHarmless@sh.itjust.works 12 points 11 months ago (2 children)

Unless I meet you in person, I'm not going to get your biometrics. The point of these is to protect your accounts from the global Internet.

https://xkcd.com/538/

[–] Herowyn@jlai.lu 6 points 11 months ago (1 children)

It doesn't need to be physical breach. If it's stored somewhere it can (and might) be accessed by someone else and reconstructed.

load more comments (1 replies)
[–] Saik0Shinigami@lemmy.saik0.com 5 points 11 months ago (6 children)

And yet, as a service member that was part of the 2013 OPM data breech, my finger prints (and an estimated 5.5 million other peoples) were part of the dataset that was stolen.

So... What's your point about "Global Internet"? If my data was stolen, and sent to the "Global Internet"(The fuck does this even mean?)... There's no functional difference to an exposed password.

load more comments (6 replies)
[–] autotldr@lemmings.world 5 points 11 months ago (1 children)

This is the best summary I could come up with:


Microsoft’s Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft’s BlueHat conference in October.

The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, with a newly-published blog post detailing the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack.

Blackwing Intelligence researchers reverse engineered both software and hardware, and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor.

The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.

The researchers found that Microsoft’s SDCP protection wasn’t enabled on two of the three devices they targeted.

Blackwing Intelligence now recommends that OEMs make sure SDCP is enabled and ensure the fingerprint sensor implementation is audited by a qualified expert.


The original article contains 474 words, the summary contains 145 words. Saved 69%. I'm a bot and I'm open source!

load more comments (1 replies)
load more comments
view more: next ›