Re: biometrics target?
update: sample size upped to 2, got confirmation from the other one also!
Disclaimer 1: I am a strong opponent of Aadhaar (UIDAI) and I see Aadhaar issues everywhere so this may be some sort of bias on my part.
I know two people who took a Reliance Jio sim. Both were issued on the basis of India's new "papers please" card. In one case, the person was asked to submit his fingerprint to verify. (The other I could not reach in time to write this comment).
Disclaimer 2: As you can see, the sample size is ONE. Caveat reader!
That said, I strongly suspect that whoever snarfed the data (possibly our "friendly" neighbour to the north) was after the fingerprint details, because everything else is already easy to obtain from other channels.
If the bank accounts (now forced to be linked to Aadhaar by our "papers please" government) of any of these people start seeing "action", we'll know for sure.
(The only defense Reliance will have if this happens is "there are so many other places people could have got these details". Sadly, that is also true!)
Subject line says it all.
I can imagine disagreement between the OS and systemd about what a valid user is -- can happen, though it should not.
But I can't imagine *continuing to run* when you find an invalid user!
Disclaimer: I am a TCS employee.
It appears that the filenames were more like the names of the customers the presentations were made for, rather than *data* pertaining to the customers themselves. I therefore suspect a lot of the content may have been the same (i.e., present to customer A, modify slightly, rename, present to customer B).
It's still a pretty stupid thing to do, but thank God it wasn't stupidER, I guess!
Unfortunately, I was one of the people shouting from the rooftops (a few years ago) that we need unfettered github access, so I'm getting a wee bit of -- good-natured, don't worry! -- ribbing for this!
But then, I couldn't do without this access. I estimate that a good percentage of the commits for gitolite are made at work and I push them from my work laptop, simply due to how I divide my time.
PS: gitolite is a fairly popular access control system for git that is used by Fedora, kernel.org, Gentoo, and several other open source projects, and probably thousands of others
And yes, I intentionally mentioned it, in a shameless and blatant attempt to suggest that if you've heard of it, or even better, used it, then *you* at least won't generalise about TCS :-)
It will fail, sooner or later. People (including myself) thought faking iris was going to be hard, would require consent, etc. Turns out... nope! I'm sure you saw the articles yesterday or the day before about CCC cracking Samsung 8's iris recog.
Biometrics is an arms race. I find it funny that people worry about quantum safe asymmetric crypto, which is much much further away than a biometrics fail, but maybe that's just my opinion.
Speaking as an Indian, I am worried sick about these things, especially if they ever start force-linking it to bank accounts. There **WILL** be massive theft of lots of money from lots of people.
I only hope they hit the really rich people, and not us poor bastards.
Why is it not an option? I am **pissed as hell** that the Indian government now wants to make Aadhaar mandatory even for paying taxes, which effectively means it's mandatory period. (The original idea was that it was mandatory only if you needed government benefits -- subsidised stuff for instance).
As a protest, I have now stopped using my credit card for anything less than 2000 rupees (an arbitrary limit I set; could vary depending on circumstances but that's the general idea).
Yes, ATMs have been (slyly, without any announcement or explanation, by the way) mostly dry for months now, but I go to my bank and get cash once in a couple of weeks or once in a month, and that works out fine. So far.
Am I at risk of being mugged or robbed, since this is cash? Maybe. I don't use public transport so I should be mostly OK. Does this form of protest actually register? Surely not -- it's not as if Modi is worrying himself at night thinking "OMG, Sitaram is going against my cash-less dream". Is it any use then? Yes -- my own psychological satisfaction, plus the opportunity to talk about Aadhaar and explain its problems to everyone who asks me "why are you carrying so much cash".
I was a solid supporter of his anti-black money initiative last November, but Aadhaar is where I draw the line; I am now an ardent Modi- and Jaitley- hater.
But don't read too much into that -- Aadhaar was created by the corrupt crooks who are currently in opposition -- the Congress (spelled c-o-r-r-u-p-t-i-o-n) party. So, unless the Supreme Court does the right thing, all Indians are royally screwed in terms of their biometrics and other data being essentially public. Forever.
Probably not, actually. The projects cited are all government projects, AFAICT. Sad to say, government employment does not attract good people.
That said, "privacy and security" are still "unknowns" for most developers.
Governments have very little shame; the fear of ridicule is often an "individual" thing, not a collective thing.
Also, looking at the statement linked in the article, except a couple of points, the rest seem to be hinging on *regulatory* protections, (as opposed to, say, *technical* protections). This is akin to saying "murder is a crime". Sure it is, but it still happens, and it's not always caught either.
it could well be Aadhaar. In fact I hope it is -- better it happens now, when it has not yet taken root in all sorts of unrelated life (seriously, they want to make it mandatory for even buying TRAIN tickets online!) than a few years later, when the damage would be much much worse.
And the sooner the morons in charge realise this is a bloody landmine (or gold mine, depending on how you look at it), the better.
The security crowd has been screaming about "identification, not authentication" (or the less accurate but more understandable "biometrics are a userid, not a password") but no one has been listening.
Now they have (or will shortly have) an app that can draw money from your bank account with just that one factor -- a finger swipe. I'm advising friends and relations who have an Aadhaar linked bank account to keep only a minimum of money there, and put the rest in a completely different account -- preferably in a different bank -- without Aadhaar linkage. The sad part is that the lowest strata just don't have enough money to do this kind of thing, and they're the most at risk from a mass biometrics leak and misuse.
(Oh and I've also been told that the biometrics are safe and can't be faked; words like "liveness testing" have been bandied about. To which my response is "that's today's tech. It's an arms race and tomorrow the scene may be quite different, someone may figure out how to beat it".)
...how a *browser* update causes problems for the login screen?
Has Chrome become as essential to the working of an OS as MS used to claim IE was in the old days?
(This is a genuine question by the way; I'm not being snarky or something)
this is against POW systems only.
I am yet to see any "enterprise" or "banking/financial" blockchains proposing to use POW.
As such, the first line of the El Reg article, ("The financial sector's enthusiasm for blockchain technology might be misplaced, according to a pair of Australian distributed computing experts") is total bollocks.
Blockchain has value. POW does not. And I probably will never understand why academics continue to focus on POW when industry does not (AFAICT) care.
What planet do you live in?
"media pundit"? "[not a] real security professional"?
Moxie (and Trevor Perrin)'s Signal protocol is pretty much the only one that has been *proven* to be secure (at the protocol level at least). And that is the most recent one I can remember; I think even the cert pinning RFC was from them but I am not sure. Regardless, he *does* know his shit, and some anonymous coward saying it ain't so ain't gonna make it not be true.
watch especially 05:19 to 06:52, then 07:45 to 11:30
heck watch the whole thing; Moxie is a very clear, articulate, speaker with a great sense of humour *and* knows his shit
> And this is going to mitigate the problem, exactly how?
No direct connection from arbitrary external IPs to the weak device. The manufacturers leave UPnP open because they want to talk directly to the device. Block that, because the app on the mobile (while in the same wifi network) should be able to proxy that traffic.
This also means you cannot control your home thermostat from your office, though. There's no easy way to allow that while disallowing attacks, unless you get into some kind of authentication dialog. With the *device*.
>> I'm pretty sure this is the most practical, scalable, solution for this.
> Oh, yes. Sure. If you say so.
a bit of uncalled-for hubris there I admit; mea culpa :-) Milord, I'd like that last comment of mine stricken from the record!
At least for the attacks we're seeing that caused the krebsonsecurity.com and Dyn DDoS, disallowing external connections would have certainly stopped them cold.
the biggest failure is UPnP.
They should mandate disabling that. All communication to the "mothership" should go through a mobile phone which is on the same wifi network. Yes that would essentially be akin to XSS but in a good way.
I'm pretty sure this is the most practical, scalable, solution for this.
You're over-reacting. That was just a figure of speech. How can I tell? The rest of his post is perfectly sensible and reasonable. He even started out obliquely defending systemd. Does not come across as a person who even remotely thinks of that statement as a personal one in any sense.
...my good impressions of El Reg as a tech-savvy pub.
This attack does *not* give you anything you could not get by using a USB boot, CD boot, or PXE (network) boot.
The only situation where you *do* get more than that is in "kiosk" type situations (where the CPU/case/disks are locked away but the keyboard/mouse/monitor are accessible).
And even then, the statement "With access to the shell, an attacker could then decrypt Linux machines" is totally wrong.
They could have licensed it to the other party. I run a small project called "gitolite" which has just such a licence from the SFC, which owns the "git" trademark. It's free and it's only purpose is to protect their trademark.
is to capture the page before, then pay for the advertisement, capture again, and then sue. That's proof that this is a racket if the bad review goes away when you pay.
A lot more tangible, IMO.
I have been boycotting Dropbox since they took on Condoleezza (sp?) Rice as a board member. Since I never had a dropbox account, for me,"boycott" means refusing document links that others send me that they want to share.
Of course I don't use Apple either so this specific issue doesn't bother me.
On another note, I'm curious what other apps do stuff like this; i.e., this one was found, how many more are hiding?
I stopped listening because they concentrate so much on the storage industry, which is something I have zero interest in (not being an "enterprise" IT guy I suppose). Almost none of the companies they speak of are well known outside data center and similar operations folks.
On the plus side they give a decent breakdown of each episode with MM:SS timings so I do sometimes download and listen to segments.
On the minus side, I loved Sarah Vela's sense of humour, I loved her voice and I especially loved her laugh (like when she leg-pulled her cohorts), and she's now left the show. Sad...
Speaking for myself, I don't see anything wrong with millions of Apple users waking up to a zero bank balance... they're used to Apple robbing them blind anyway so this can only be a minor incremental pain.
(I know you didn't ask me, but still...)
I have a simple strategy that consists of actually reviewing the files that my incremental backup program reports as having changed. (The backup program itself is "borgbackup" -- awesome stuff; look it up. Unix only though).
A modification of this could be to keep a trend of number of files in each top level directory that are changed per day, and if something unusual happens, alert someone.
An even simpler way that often works (for single desktops) is to count how many files changed today, and alert if it is at least 1.5X larger than the maximum number of files changed in the last N days (adjust N to taste). The alert should list the actual files that were changed so someone can quickly determine if there was a problem or "oh yeah those files, we know what all those changes are".
The assumption is that the malware (if any) has not borked my borgbackup software to produce false reports of what it is seeing. I suppose in theory that could happen with a more popular backup tool so YMMV.
I think he meant "as opposed to Lenovo installing it themselves". Probably referring to the so-called "free" apps that come with a laptop which caused some consternation recently (if something affects only Windows, I tend to not remember details).
you MUST use windows, and a government proprietary activex control, in order to do any online banking etc.? (I'm sure I heard something like that a few years ago, maybe someone can correct me).
Stopped using FF for all but one or two fussy sites after the Pocket nonsense got in.
Qupzilla -- yeah I know, what a name! -- works great. It also has some serendipitous extras for me. For example, if I have many tabs from the same site, and I want to enable JS on one of them, in FF+NoScript, this touches ALL the tabs and they all start reloading. In Qupzilla it's only that tab.
Now if it could only do that for cookies also, that would be grrrreat!
I hate that POS. I especially hate their attitude to users, and the fact that you can never actually get used to something nice because they're likely to simply take it away next time.
as soon as you lot apologise for Gen Dwyer's https://en.wikipedia.org/wiki/Jallianwala_Bagh_massacre
Don't bring up such old stuff. It was very one-sided in many ways.
AC: your question is "Surely if you can inject a 301 in the response, you can manipulate the rest of the response anyway?"
Sure, but a 301 makes it permanent. Your MITM may be temporary, but you are making a permanent change to the app now.
Happy Ranter: regardless of what their motivations are, the fact is that an *app* (as opposed to a real browser, even on a mobile device) does not have a URL bar, so the minimum protection we normally have when we get a 301 -- the fact that we can *see* the new URL in the bar -- does not exist here.
That is the issue, I think.
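The point made in the exchange above is that an app, unlike a browser, shows the user nothing when it follows a 301, so the app itself has to be the thing that inspects the new location. The following is an added example of what that inspection can look like, not code from any of the apps or posters discussed. It assumes the app knows the origin it intended to talk to and treats a scheme downgrade or a change of host as a failure rather than silently following it; the URLs used are constructed.

```python
"""Decide whether an app should follow (and cache) a 301/302 redirect.

Added example, not from the original thread. A browser lets the user see the new
URL; an app has no URL bar, so it must refuse redirects a user would have balked at.
"""
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}


def redirect_decision(request_url, status, location, allowed_hosts=()):
    """Return (target_url_or_None, cache_permanently).

    - Only https targets are accepted: an http Location is a downgrade, which is
      exactly what a MITM injecting a redirect would try.
    - The host must be the one we started with, or explicitly allow-listed.
    - A 301/308 is only worth remembering when it stays on the same host; a
      cross-host "permanent" redirect is never persisted even if allow-listed,
      so a temporary MITM cannot leave a permanent change behind.
    """
    base = urlsplit(request_url)
    target = urlsplit(urljoin(request_url, location))  # handles relative Location

    if target.scheme != "https" or not target.hostname:
        return None, False

    same_host = target.hostname.lower() == (base.hostname or "").lower()
    if not same_host and target.hostname.lower() not in {h.lower() for h in allowed_hosts}:
        return None, False

    cache = status in PERMANENT and same_host
    return target.geturl(), cache


if __name__ == "__main__":
    cases = [
        ("https://api.example.com/v1/login", 301, "/v2/login"),
        ("https://api.example.com/v1/login", 301, "http://api.example.com/v2/login"),
        ("https://api.example.com/v1/login", 301, "https://evil.example.net/v1/login"),
        ("https://api.example.com/v1/login", 302, "https://cdn.example.com/asset"),
    ]
    for url, status, loc in cases:
        print(status, loc, "->", redirect_decision(url, status, loc, allowed_hosts=["cdn.example.com"]))
```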
...who have refused to touch facebook (and in my case have even forbidden my daughter from having an FB account) because of the "everyone in one bucket" problem.
We don't have to be doing anything bad/criminal/shameful/naughty to want to segregate our social networks. Compromises like "don't invite your mum" or "don't invite colleagues as friends" are signs that you're letting a technology FAIL drive your social network. And making excuses for the failed tech too.
So much for the value you place on this medium I suppose.
(Oh and I have been told that FB does have such a feature but it is such a badly done, hard to use, bolt-on that it may as well not be there. Clearly if an FB fanboi like you did not mention "we have it too" it must be well hidden indeed so whoever told me this was correct!)
I have helped people (on request) to set privacy settings properly on FB and have come away appalled. Last such experience was about 6 months ago.
I now have sent a G+ invite to my daughter (yes the same one who can't have an FB account!), because I looked at the settings and they make sense. She will still have to exercise caution in what she says to whom but that's life. I'll watch what she does for a few weeks but by and large I'm OK with this.
Yes I'll still watch Google's policies closely but I doubt they'll ever do the amazing amount of facepalm statements and actions that Zuckerberg/FB managed to do over the last few months/years. Nor will they, after the Buzz debacle, take this issue lightly either...
Domain Internet Groper? Are you sure that's what "dig" stands for?
your redhat comparison fails -- you realised it fails but you did not explain why.
Two words. Copyright assignment.
It's not the decision to sell that caused all this. It's the decision to have mandatory copyright assignment. Which allowed them to change the *client* libraries from LGPL to GPL for instance.
Tell me how that helps FOSS in any way, forcing the MySQL client libraries to be GPL? That was pure greed.
Now it's biting them, and they're running around crying about it...
this post just about made my day/week/month.
I've always considered Windows to be the biggest piece of malware floating around, and MS to be of questionable legality in various aspects (and not just the anti-trust stuff), so it's nice to know they're inspiring "the next generation" so to speak...
just run "dig +trace www.tcs.com"
If you're piggy-backing on someone else's DNS, like your ISP or openDNS or the chocolate factory, and you get a different answer than 188.8.131.52, you know what to do.
But actually, if you aren't running your own DNS, and didn't flush your caches as soon as you heard this, you shouldn't even be commenting on the issue.
"still see the bad page" ==> **reporting** on the issue
"fix had not taken" ==> **commenting** on the issue
[Same disclaimer applies as in previous comment]
please guys, I expected better from you lot...
[Disclaimer: I'm an employee of TCS, though naturally I'm posting this in my personal capacity]
tcs.com was NOT hacked yesterday. What did happen was that the DNS records that supply the IP were reset to some other IP.
Whether that was done by actually hacking netsol or by social engineering a valid change request I do not know.
I know the site was fine because going through the internal DNS got me the correct IP address and the correct content.
I believe the problem started sometime before 1am IST [this is a wild guess, from other symptoms; don't ask, heh heh!], and was resolved around noon or so [this guess is more accurate because I was semi-actively monitoring it].
In both instances, it would have taken a few hours for the bad data to expire from DNS caches. Depending on who your DNS provider is, you may have seen it "come back" at different times. If you were running your own DNS, you could have purged your DNS cache manually and would know more accurately when it came back.
At this point in time I am still receiving reports of other DNS servers still showing the bad data. Just tell them to purge their DNS caches if you know them, or switch to openDNS. They've got the right stuff, and have had it a lot longer than the chocolate factory's DNS :)
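The check the two posts above describe, "go to the authoritative servers with `dig +trace` and compare what your own resolver is handing you", as an added example that is not part of the original comments. It assumes you have captured the output of `dig +trace <name>` and of a plain `dig <name>` against the resolver you normally use, and parses the A records out of both; the two captures below are constructed, use documentation IP ranges, and use example.com rather than the real site.

```python
"""Compare the A records an authoritative trace returns with what your resolver says.

Added example, not from the original thread. Feed it the text of
`dig +trace NAME` (authoritative path) and `dig NAME` (your resolver's cached answer).
"""
import re

# dig prints answer lines as: owner. TTL IN A address
A_RECORD = re.compile(r"^(\S+?)\.?\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)

# Constructed sample: the tail of a +trace run that reached the zone's own nameserver...
AUTHORITATIVE_TRACE = """\
; <<>> DiG 9.16.1 <<>> +trace www.example.com
example.com.\t\t172800\tIN\tNS\tns1.example.com.
;; Received 100 bytes from 192.5.6.30#53(a.gtld-servers.net) in 40 ms

www.example.com.\t300\tIN\tA\t192.0.2.10
;; Received 60 bytes from 192.0.2.53#53(ns1.example.com) in 20 ms
"""

# ...and a resolver that is still serving the bad record that was planted earlier.
RESOLVER_CACHED = """\
;; ANSWER SECTION:
www.example.com.\t1473\tIN\tA\t198.51.100.77
;; SERVER: 10.0.0.1#53(10.0.0.1)
"""


def a_records(dig_output, name):
    """Return the sorted set of A addresses for `name` found in dig output."""
    want = name.lower().rstrip(".")
    return sorted({ip for owner, _ttl, ip in A_RECORD.findall(dig_output) if owner.lower() == want})


def compare(authoritative_output, resolver_output, name):
    """Say whether the resolver agrees with the authoritative answer.

    `stale` holds addresses the resolver returns that the zone no longer serves;
    that is the "purge your cache" case from the post. An empty authoritative set
    is reported as not ok rather than as agreement, since it means the trace
    never reached an answer.
    """
    auth = set(a_records(authoritative_output, name))
    res = set(a_records(resolver_output, name))
    return {
        "authoritative": sorted(auth),
        "resolver": sorted(res),
        "stale": sorted(res - auth),
        "ok": bool(auth) and res == auth,
    }


if __name__ == "__main__":
    r = compare(AUTHORITATIVE_TRACE, RESOLVER_CACHED, "www.example.com")
    print("authoritative:", r["authoritative"])
    print("your resolver:", r["resolver"])
    if not r["ok"]:
        print("MISMATCH; stale answers:", r["stale"], "- flush the cache or switch resolver")
```

Note that the resolver's TTL column (1473 in the constructed sample) tells you how long it will keep serving the stale record unless someone flushes it, which is the "it may come back at different times depending on your provider" effect described in the post.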
...is how many sheeple there must be if he got 15,000 petitions.
Anyone who thinks for 2 seconds can see this guy's cries of "oh no the sky is about to fall on our open source heads" are all bull. A few more seconds and you can even guess why he's doing it (hint: if you force Oracle to sell it, who would buy?)
There *may* be damage from Oracle, but it will only be to commercial licensees. Not to open source.
can't we just figure out the new rules from the details of the incident prompting them? I mean, surely no one still believes the TSA actually *thinks* before making rules do they?
I'm just waiting for the first guy to put both components of the bomb in his underwear, or two guys with one part each, and they combine them on board. TSA will have to ask everyone to take off their underwear.
Bruce Schneier, as usual, puts it very well. http://www.schneier.com/blog/archives/2009/12/me_and_the_chri.html says: I've started to call the bizarre new TSA rules "magical thinking": if we somehow protect against the specific tactic of the previous terrorist, we make ourselves safe from the next terrorist.
Listen up folks: the only reason more terrorism isn't happening is that the **bleeding terrorists are even MORE stupid than the TSA**!
...is the expression used in India for the kind of deal that I *very* strongly suspect has happened here.
The sdcard association has *standardised* on this format for their future cards: http://www.sdcard.org/developers/tech/sdxc. A format that they *know* requires money to be paid even by a consumer (since the terms prohibit a FOSS system from using it). In a day and age when awareness of FOSS has never been higher, so don't tell me they didn't realise this.
I refuse to believe this has happened without MS bribing people at sdcard.org. Either that, or gross incompetence/negligence at sdcard. No other explanation.
... of their computers are currently getting hacked by people more competent and less reachable/vulnerable than Gary McKinnon?
It seems unlikely that they've spent any time fixing the *real* problem, nor the people who caused it, from the effort they're making to "shoot the messenger". Which is what this is, if you come right down to it.
nice pun, if intentional... :)
I've long maintained that any admin who uses (or requires the use of) normal ftp for authenticated access of any kind should be taken out and shot [*]
In the two cases of gumblar infection I have seen so far, the infected party's hosting provider had given them plain ftp access to their space.
[*] ok I was half joking there... you don't have to take him out
I seem to recall hearing, over the years, about lots of spyware and rootkits that were undetectable by most AV, including this bozo's self-named product. They leeched off the insecurity of Windows for as many years as they could, never once pointing out or attempting to help come up with any real, long term, cure for all of Windows' security ills. Naturally.
Now MS has gotten into that game (took 'em long enough...) these leeches stand to lose most of their blood supply, so they come up with bone-headed schemes like this.
Yes, I know someone said the original article is more of a "what if". So here's mine: what if we banned the use of Windows to access the internet? Seems to me a lot easier to do, and no downsides either.
Killing off leeches like this would be just a bonus, not the main focus...
windows was (re-(re-))built from the ground up as a multi-user addon to an inherently single user system. A Linux desktop is going the other way, so there's a lot of security already in there in terms of separation.
@David W ("No need for a trojan if you've got root...") -- clicking on an attachment does not execute anything, and even if desktops become like that (some are, sadly) they won't execute as root.
@Charles9 ("malware that slips through even NoScript") -- can you show me an example of anything that slips through NoScript? I haven't seen one yet
I've stopped wishing MS any ill.
I have now transferred all my ill will to organisations who make deals with MS. There's far more opportunities to gloat that way.
Serve t-mobile right.
The remote management thing is a good point (as of now anyway), but this article was about infected machines staying infected for months on end -- hardly likely in a "managed" environment like that.
On the "home" front, if someone wants to connect to her job, she should have a job-issued laptop/desktop. As a "personal go to guy", I might help with setting up Firefox+Adblock+basic precautions/education as someone up there suggested, but I probably wouldn't install Linux -- I don't mess with someone else's "work" stuff unless it is "work" for me too.
The video webchat thing -- let's just say you threw in "MSN" as bait. I'm not a big user but last time I checked, skype worked fine.
The old "everyone else is using it, so I have to use it too" argument may be genuine in *some* special cases, but in all but one of the dozen+ people I maintain computers for (personally, no cost) a little digging has revealed that there is no *real* need -- it was more a perception.
And finally, if you really are using Linux at home, the least you can do is stop calling us "fanboys". Most of us -- in real life if not on El Reg ;-) -- are perfectly reasonable people.
A: fail -- the web interface sucks even more, I constantly hear; I'll admit I haven't tried it myself, but in these comments someone said something, and I have my less fortunate colleagues to rely on for my opinions.
B: good point in theory. Oddly, MS-hater though I am, (haven't used Windows at work since 2004, and at home since 2000 or so), I find myself more angry at LN's designers/developers. Probably because my expectations of IBM were much higher than of MS. Plus I have a lot more friends (and former colleagues/bosses) in IBM than in MS, and so maybe I mentally rank it a much smarter company :-) Really, at the risk of repeating myself, LN didn't have "sort by subject line" till about 2004 or so -- now come on that's a deep scar, admit it.
C: irrelevant. I think this is the most important point LN apologists consistently fail to grasp. All we want is email. Don't tell us "oh it can do so much more".
We don't care. We don't care. We don't care.
I know this isn't slashdot so I'll resist using a car analogy :-)
E: helpdesk/incompetent admins? Sure maybe they have their share. Domino doesn't exactly make it easy, I'm told. Mostly because of the same reason -- they're not actually administering an email server, they're administering something "that can do soooo much more" to quote an AC up above somewhere.
F: and you just proved what I said. Although I doubt if you realise what a horrible idea that is. It's not just classical Unix evangelists -- most people realised long ago that you build multiple pieces that work together, not one big monolith that tries to do it all.
new phrase for you: synergistic FAIL :-)
G: see E.
as for your users not complaining, I either take my hat off to you for being a superhuman, or back off in haste because you're a BOFH who'll cut me off if I *do* complain ;-)
[you'd think *attacking* a corporate thing would need AC, not *defending* it, but I guess you know best...]
> I've never heard such irrational & emotional BS in my life. Sure, the UI of Notes was poor, but that was the only weak area in the whole Notes &
listen, bubba, your "only weak area" happens to be the only one a normal user cares about because it's the only one that makes his life miserable. Until you get that into your head, you'll never get the point of what you blithely call "emotional BS".
> infrastructure, Notes & Domino is sooooo much more than that, but most folk who look at Notes & Domino only see the eMail capability, rather than everything else it is capable of.
See above. Summary: *I* *DONT* *CARE*!!!
You know, I get the feeling you're one of those wannabe BOFH types who either doesn't have any "users" or no obligation to keep them happy. You're definitely *not* a user yourself.
> cognisant of the architectural implications of any decision , rather they focus on the user experience and
ooh yes -- we must never let *users* dictate terms, must we? what would the world come to...
> believe implicitly everything that Microsoft tell them as most of them have only seen a Microsoft environment, then they think that they only have the option of an Outlook client.
**Stop implying that anyone who opposes Notes must prefer MS Outlook** Those are not the only two mail clients out there, and if you don't know that, you shouldn't be out in public without your seeing eye dog.
You want to go head to head, try it with Thunderbird
Completely agree. Notes is major, MAJOR (bold red letters) FAIL.
Here's a funny story. I work for a fairly large IT services company, and my brother, working in a somewhat smaller one, wanted me to put his resume through the mill. I casually mentioned the word "Lotus Notes addressbook" in the context of trying to find out *who* to send his resume to (for his skillset and all...)
He sort of jumped back a bit, and said "you guys use Lotus Notes?" "Yes, it's the corporate email client", I said.
A brief pause. Then he says, "er, never mind about the resume; don't send it to anyone..."
I wish I had made that up, but I'm sorry to say it's true!
And they can make the newer versions as pretty as they please, but a POS that acquired "sort by subject line" in 2004 or thereabouts is not my idea of anything remotely clueful. Pigs and lipstick come to mind.
I have an open challenge to anyone in my company: find an arbitrary mail from more than 6 months ago, knowing only a part of the subject line and one of the recipients' names. Lotus Notes head to head with Thunderbird + GMailUI. Once you've seen a long message list reduce itself automatically as you type more and more conditions in the search bar, you're hooked.