This is why I use Linux, the fingerprint device wouldn't be supported so this wouldn't be an issue /s
Technology
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
Mmm yes security by non-functionality. A pillar of the modern cybersecurity framework.
Can't hack a brick 🤷
And this is why I am typing this on a 1921 Royal No. 10 typewriter.
Found Tom Hanks's Lemmy account.
Works for my webcam. Tbh I'd like someone to hack it, would mean they would've written drivers for it
It is called zero trust, killing functionalities is zscaler core business
The fun thing about Linux is your realize physical control is ownership. You can just throw a Bootable Linux image with some utilities and remove the password from a Windows account in a second. If you really need to keep something safe, it has to be encrypted.
Nah I use fprint on my arch laptop so there is fingerprint login technology. Hopefully that doesn't have security vulnerabilities.
Correct answer.
Using any form of biometric 'login' under the US's "justice" system is supremely ill-advised.
That's funny, on my XPS Windows crashed when I tried adding a fingerprint. Works flawlessly under Arch.
Today I was fucking around with this shit. I can't even update my distro, otherwise ecryptfs will go adios, and fingerprinting will be broken.
It stopped working when I uninstalled Edge, and so did the face recognition. So it depends on WebView or some shit. Pretty sure it’s Microsoft's way of getting around the new EU regulations and hastily integrating the browser into everything, regardless of it making sense or improving security. like they did with 98 after the browser anti-competitiveness lawsuit.
Wtf. It shouldn't even need those permissions. All it needs to do is scan if the fingerprint it stores matches you.
It uses web view for web authentication for registering your Hello PIN to your Microsoft account. So it's by design on Microsoft's end. You can then use the Windows Hello credential as a passkey but if you don't want that, you'd need another solution for biometric auth.
hastily integrating the browser into everything, regardless of it making sense
So software development in general in the last couple of years?
Yes. JavaScript is famously the best programming language ever, so why not? /s
Reading the article it doesn’t sound like it’s Microsoft’s issue but the vendor’s implementation and lack of using the secure communication protocol.
"vendors implementation" rings immediate alarm bells...
it sounds like microsoft's own laptops dont implement the spec properly!
Microsoft doesn't make fingerprint readers.
Yea, but they sourced the parts from a vendor, and still didn't make sure the vendor was properly following the spec.
Just goes to show how complicated it can be!
Not sure why you being downvoted, one of the three laptops they cracked was a Surface. Of course Microsoft doesn’t “make it” but very few tech brands actually manufacture the hardware. By the way the Surface was sufficiently different in its design from the others that hints it’s a custom build anyway, not just an off label hardware with Microsoft stamped on it.
Microsoft has marketed surface pro type covers with a fingerprint reader. I use one at work.
Stop using biometrics for authentication!!!!!
Edit: lots of opinions below. Biometrics are a username, a thing you are. Finger printed can be taken from your laptop with a little powder and masking tape.
Use an authentacator app or security key kids!!
Better put would be stop using biometrics for single factor authentication. A token can be stolen, or a passcode/push notification can be phished/bypassed as easy as biometrics can.
Biometrics are two factor, because you need the fingerprint and the device they unlock.
You can't use the device without the fingerprint and you can't take someone's fingerprint then use them from a different device.
You are not wrong, but you we should understand what class of attacks we are protecting against. Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.
Now, you may say, an FBI raid is not what you worry about on a daily basis. Agree.
If you are trying to keep the photos on your device safe from snooping, your good. Attacker needs the device and your fingerprint.
When we talk online accounts, I'd count device+fingerprint as one factor. Sure, the maid from the example above can't login into your gmail without your fingerprint, but most attacks are online. Your device sends a token to gmail, a cookie, a String; that's like a password. One factor.
Technically, it's slightly better than a password, because this token can be short-lived (although often it's not), could be cryptographic signature to be used exactly once (although...), you cannot brute-force guess the token.... But IF the token leaks, the attacker has full access (or enough to cause damage).
That's why I would suggest an independent second factor, such as password. Yes, a password. Not for your daily routine (biometrics+device is much better), but maybe for high-risk operations.
Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.
A sufficiently motivated maid will be able to do it. The FBI eats that kind of stuff for breakfast.
Once upon a time, the then German minister of the interior wanted to collect all kinds of biometric data, in passports, in fully connected databases, whatnot. The CCC went ahead and swiped his print off a glass at a reception and published a DIY version to impersonate him in their magazine. Fingerprint authorisation is the security equivalent of a sticky note with your password on your coffee mug.
The good news? You can use ordinary gloves, no need for tinfoil.
In Doom I had to rip off a dudes arm to gain access to the security controls on core cooling shutdown. If you don’t want to lose an arm to stop a demon horde, you’re better off just using your girlfriend’s fingerprints
Who is surprised? Are you surprised?
This is the best summary I could come up with:
Microsoft’s Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft’s BlueHat conference in October.
The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, with a newly-published blog post detailing the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack.
Blackwing Intelligence researchers reverse engineered both software and hardware, and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor.
The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.
The researchers found that Microsoft’s SDCP protection wasn’t enabled on two of the three devices they targeted.
Blackwing Intelligence now recommends that OEMs make sure SDCP is enabled and ensure the fingerprint sensor implementation is audited by a qualified expert.
The original article contains 474 words, the summary contains 145 words. Saved 69%. I'm a bot and I'm open source!
im all for the something you have + something you are , pb&j relationship, but i dont think lathering biometrics on top is a good idea,far too many spy movies have shown Tom Cruise doing the MOST for pictures of eyeballs and fingerprints for me to ever trust this type of auth
The main issue with biometrics is that you can't change them. If your fingerprints or retina are compromised you're fucked.
Unless I meet you in person, I'm not going to get your biometrics. The point of these is to protect your accounts from the global Internet.
And yet, as a service member that was part of the 2013 OPM data breech, my finger prints (and an estimated 5.5 million other peoples) were part of the dataset that was stolen.
So... What's your point about "Global Internet"? If my data was stolen, and sent to the "Global Internet"(The fuck does this even mean?)... There's no functional difference to an exposed password.