this post was submitted on 22 Nov 2023
456 points (98.7% liked)

Technology

59596 readers
3431 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] stom@lemmy.world 410 points 1 year ago (23 children)

This is why I use Linux, the fingerprint device wouldn't be supported so this wouldn't be an issue /s

[–] Gork@lemm.ee 130 points 1 year ago (3 children)

Mmm yes security by non-functionality. A pillar of the modern cybersecurity framework.

[–] SpaceNoodle@lemmy.world 88 points 1 year ago (2 children)
[–] AbidanYre@lemmy.world 67 points 1 year ago (3 children)

But you can use a brick to hack windows.

[–] fmstrat@lemmy.nowsci.com 6 points 1 year ago

When you could have said crack, but instead said hack.

load more comments (2 replies)
[–] agent_flounder@lemmy.world 15 points 1 year ago (1 children)

And this is why I am typing this on a 1921 Royal No. 10 typewriter.

[–] AbidanYre@lemmy.world 8 points 1 year ago

Found Tom Hanks's Lemmy account.

[–] Kusimulkku@lemm.ee 38 points 1 year ago

Works for my webcam. Tbh I'd like someone to hack it, would mean they would've written drivers for it

[–] Zeth0s@lemmy.world 12 points 1 year ago

It is called zero trust, killing functionalities is zscaler core business

[–] Cethin@lemmy.zip 23 points 1 year ago (1 children)

The fun thing about Linux is your realize physical control is ownership. You can just throw a Bootable Linux image with some utilities and remove the password from a Windows account in a second. If you really need to keep something safe, it has to be encrypted.

[–] kadu@lemmy.world 12 points 1 year ago (3 children)

remove the password from a Windows account

That used to be true, but no longer works

load more comments (3 replies)
[–] Hubi@feddit.de 17 points 1 year ago (1 children)

The one on my Thinkpad works just fine :)

[–] canis_majoris@lemmy.ca 7 points 1 year ago* (last edited 1 year ago) (2 children)

I got a T80s and the sensor doesn't work. It's an 8th gen Intel machine, that's like four or five generations behind.

load more comments (2 replies)
[–] pineapplelover@lemm.ee 16 points 1 year ago (2 children)

Nah I use fprint on my arch laptop so there is fingerprint login technology. Hopefully that doesn't have security vulnerabilities.

load more comments (2 replies)
[–] RFBurns@lemmy.world 12 points 1 year ago

Correct answer.

Using any form of biometric 'login' under the US's "justice" system is supremely ill-advised.

[–] loutr@sh.itjust.works 9 points 1 year ago

That's funny, on my XPS Windows crashed when I tried adding a fingerprint. Works flawlessly under Arch.

load more comments (17 replies)
[–] ChaoticNeutralCzech@feddit.de 96 points 1 year ago (2 children)

It stopped working when I uninstalled Edge, and so did the face recognition. So it depends on WebView or some shit. Pretty sure it’s Microsoft's way of getting around the new EU regulations and hastily integrating the browser into everything, regardless of it making sense or improving security. like they did with 98 after the browser anti-competitiveness lawsuit.

[–] pineapplelover@lemm.ee 41 points 1 year ago* (last edited 1 year ago) (2 children)

Wtf. It shouldn't even need those permissions. All it needs to do is scan if the fingerprint it stores matches you.

[–] TORFdot0@lemmy.world 24 points 1 year ago (2 children)

It uses web view for web authentication for registering your Hello PIN to your Microsoft account. So it's by design on Microsoft's end. You can then use the Windows Hello credential as a passkey but if you don't want that, you'd need another solution for biometric auth.

load more comments (2 replies)
load more comments (1 replies)
[–] pycorax@lemmy.world 14 points 1 year ago (1 children)

hastily integrating the browser into everything, regardless of it making sense

So software development in general in the last couple of years?

[–] ChaoticNeutralCzech@feddit.de 13 points 1 year ago

Yes. JavaScript is famously the best programming language ever, so why not? /s

[–] ramble81@lemm.ee 96 points 1 year ago (2 children)

Reading the article it doesn’t sound like it’s Microsoft’s issue but the vendor’s implementation and lack of using the secure communication protocol.

[–] killeronthecorner@lemmy.world 34 points 1 year ago

"vendors implementation" rings immediate alarm bells...

[–] Smokeless7048@lemmy.world 17 points 1 year ago (1 children)

it sounds like microsoft's own laptops dont implement the spec properly!

[–] Aux@lemmy.world 13 points 1 year ago (3 children)

Microsoft doesn't make fingerprint readers.

[–] Smokeless7048@lemmy.world 13 points 1 year ago (1 children)

Yea, but they sourced the parts from a vendor, and still didn't make sure the vendor was properly following the spec.

Just goes to show how complicated it can be!

[–] mint_tamas@lemmy.world 13 points 1 year ago

Not sure why you being downvoted, one of the three laptops they cracked was a Surface. Of course Microsoft doesn’t “make it” but very few tech brands actually manufacture the hardware. By the way the Surface was sufficiently different in its design from the others that hints it’s a custom build anyway, not just an off label hardware with Microsoft stamped on it.

[–] atrielienz@lemmy.world 8 points 1 year ago* (last edited 1 year ago)

Microsoft has marketed surface pro type covers with a fingerprint reader. I use one at work.

https://www.microsoft.com/en-us/d/surface-pro-type-cover-with-fingerprint-id/8x1n09mrq5d0?activetab=pivot:overviewtab

load more comments (1 replies)
[–] Luci@lemmy.ca 36 points 1 year ago* (last edited 1 year ago) (31 children)

Stop using biometrics for authentication!!!!!

Edit: lots of opinions below. Biometrics are a username, a thing you are. Finger printed can be taken from your laptop with a little powder and masking tape.

Use an authentacator app or security key kids!!

[–] TORFdot0@lemmy.world 22 points 1 year ago (1 children)

Better put would be stop using biometrics for single factor authentication. A token can be stolen, or a passcode/push notification can be phished/bypassed as easy as biometrics can.

[–] MostlyHarmless@sh.itjust.works 9 points 1 year ago (2 children)

Biometrics are two factor, because you need the fingerprint and the device they unlock.

You can't use the device without the fingerprint and you can't take someone's fingerprint then use them from a different device.

[–] _s10e@feddit.de 10 points 1 year ago (2 children)

You are not wrong, but you we should understand what class of attacks we are protecting against. Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

Now, you may say, an FBI raid is not what you worry about on a daily basis. Agree.

If you are trying to keep the photos on your device safe from snooping, your good. Attacker needs the device and your fingerprint.

When we talk online accounts, I'd count device+fingerprint as one factor. Sure, the maid from the example above can't login into your gmail without your fingerprint, but most attacks are online. Your device sends a token to gmail, a cookie, a String; that's like a password. One factor.

Technically, it's slightly better than a password, because this token can be short-lived (although often it's not), could be cryptographic signature to be used exactly once (although...), you cannot brute-force guess the token.... But IF the token leaks, the attacker has full access (or enough to cause damage).

That's why I would suggest an independent second factor, such as password. Yes, a password. Not for your daily routine (biometrics+device is much better), but maybe for high-risk operations.

[–] barsoap@lemm.ee 9 points 1 year ago* (last edited 1 year ago)

Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

A sufficiently motivated maid will be able to do it. The FBI eats that kind of stuff for breakfast.

Once upon a time, the then German minister of the interior wanted to collect all kinds of biometric data, in passports, in fully connected databases, whatnot. The CCC went ahead and swiped his print off a glass at a reception and published a DIY version to impersonate him in their magazine. Fingerprint authorisation is the security equivalent of a sticky note with your password on your coffee mug.

The good news? You can use ordinary gloves, no need for tinfoil.

load more comments (1 replies)
load more comments (1 replies)
[–] Bootheal0179@lemmy.world 17 points 1 year ago (2 children)

In Doom I had to rip off a dudes arm to gain access to the security controls on core cooling shutdown. If you don’t want to lose an arm to stop a demon horde, you’re better off just using your girlfriend’s fingerprints

load more comments (2 replies)
load more comments (29 replies)
[–] MonkderZweite@feddit.ch 26 points 1 year ago

Surprise. Or not.

[–] FlyingSquid@lemmy.world 21 points 1 year ago

Who is surprised? Are you surprised?

[–] psudojo@infosec.pub 9 points 1 year ago (1 children)

im all for the something you have + something you are , pb&j relationship, but i dont think lathering biometrics on top is a good idea,far too many spy movies have shown Tom Cruise doing the MOST for pictures of eyeballs and fingerprints for me to ever trust this type of auth

[–] Herowyn@jlai.lu 15 points 1 year ago (1 children)

The main issue with biometrics is that you can't change them. If your fingerprints or retina are compromised you're fucked.

[–] MostlyHarmless@sh.itjust.works 14 points 1 year ago (3 children)

Unless I meet you in person, I'm not going to get your biometrics. The point of these is to protect your accounts from the global Internet.

https://xkcd.com/538/

[–] Saik0Shinigami@lemmy.saik0.com 7 points 1 year ago (6 children)

And yet, as a service member that was part of the 2013 OPM data breech, my finger prints (and an estimated 5.5 million other peoples) were part of the dataset that was stolen.

So... What's your point about "Global Internet"? If my data was stolen, and sent to the "Global Internet"(The fuck does this even mean?)... There's no functional difference to an exposed password.

load more comments (6 replies)
load more comments (2 replies)
[–] autotldr@lemmings.world 8 points 1 year ago (1 children)

This is the best summary I could come up with:


Microsoft’s Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft’s BlueHat conference in October.

The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, with a newly-published blog post detailing the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack.

Blackwing Intelligence researchers reverse engineered both software and hardware, and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor.

The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.

The researchers found that Microsoft’s SDCP protection wasn’t enabled on two of the three devices they targeted.

Blackwing Intelligence now recommends that OEMs make sure SDCP is enabled and ensure the fingerprint sensor implementation is audited by a qualified expert.


The original article contains 474 words, the summary contains 145 words. Saved 69%. I'm a bot and I'm open source!

load more comments (1 replies)
load more comments
view more: next ›