This is why I use Linux, the fingerprint device wouldn’t be supported so this wouldn’t be an issue /s
Mmm yes security by non-functionality. A pillar of the modern cybersecurity framework.
Can’t hack a brick 🤷
But you can use a brick to hack windows.
Something something Soviet Russia…
When you could have said crack, but instead said hack.
But you can use a brick to hack windows
yes indeed, the good ol’ broken windows fallacy!
And this is why I am typing this on a 1921 Royal No. 10 typewriter.
Found Tom Hanks’s Lemmy account.
Works for my webcam. Tbh I’d like someone to hack it, would mean they would’ve written drivers for it
It is called zero trust, killing functionalities is zscaler core business
The fun thing about Linux is your realize physical control is ownership. You can just throw a Bootable Linux image with some utilities and remove the password from a Windows account in a second. If you really need to keep something safe, it has to be encrypted.
deleted by creator
Regardless, you can just read what’s on the disk anyway, so you don’t need to be able to log in.
Unless bitlocker is enabled by default, which is becoming more and more common unfortunately…
deleted by creator
The one on my Thinkpad works just fine :)
I got a T80s and the sensor doesn’t work. It’s an 8th gen Intel machine, that’s like four or five generations behind.
I’ve got a T440p and I just set it up through the menu in the KDE settings, it worked right out of the box.
Mine’s not in libfprint, libfprint-tod, or libfprint-goodix. Running GNOME because I heard fprintd was easier to implement instead of KDE, which is usually my pref DE.
Nah I use fprint on my arch laptop so there is fingerprint login technology. Hopefully that doesn’t have security vulnerabilities.
It has vulnerabilities for sure. But they haven’t been found because no one cares about hacking you or the 1 other person on earth that use Arch and fingerprint security.
Security by obscurity lol
Today I was fucking around with this shit. I can’t even update my distro, otherwise ecryptfs will go adios, and fingerprinting will be broken.
Correct answer.
Using any form of biometric ‘login’ under the US’s “justice” system is supremely ill-advised.
I have a Microsoft fingerprint reader that works fine on Linux lol
One of the major reasons I gave up on trying to run Linux on my laptop was lack of fingerprint reader support.
deleted by creator
So YES, from someone who was asked to do fingerprint authentication in a sensitive environment (and had to refuse, even to the salespeople pested me)
You can choose not to use it even if Linux supports it.
deleted by creator
Then I really don’t see how it’s a plus. Smaller kernel size? lol
deleted by creator
How is not having support for something a plus for you? I swear to god, some Linux users are so stuck up.
deleted by creator
What TV did you get that doesn’t have smart features?
I looked, but all the ones I could find were 1080p, no HDR, and either tiny or made for commercial/industrial installation.
deleted by creator
fingerprint login is not secure. period. Being stuck in using a password login is a plus
You could just disable fingerprint login, though.
deleted by creator
“what, you dont want to use the new door lock made from soggy white bread? You deadbolt losers are so stuck up”
It stopped working when I uninstalled Edge, and so did the face recognition. So it depends on WebView or some shit. Pretty sure it’s Microsoft’s way of getting around the new EU regulations and hastily integrating the browser into everything, regardless of it making sense or improving security. like they did with 98 after the browser anti-competitiveness lawsuit.
Wtf. It shouldn’t even need those permissions. All it needs to do is scan if the fingerprint it stores matches you.
It uses web view for web authentication for registering your Hello PIN to your Microsoft account. So it’s by design on Microsoft’s end. You can then use the Windows Hello credential as a passkey but if you don’t want that, you’d need another solution for biometric auth.
Still, that does not explain the Edge dependency. Lots of programs can communicate with their respective servers without browser technology.
It kinda does though, if you look at it from a speed/competency aspect. I’m more and more convinced that the people who build out features only have tangential ideas on how it integrates into the overall system, so just throwing a browser at every problem gets you a cookie cutter backend with APIs and let’s you shove half baked features out the door without having to figure out how to wrap data in protocols since you just hand your payload so the browser and wait for a response.
Oh sweet summer child. No. That would have been the intelligent approach. It could have been fast and secure but it wouldn’t have had all that delicious telemetry nor taken another step towards charging you rent just to use your computer.
They locked it behind two online services. Welcome to the new Microsoft. If it doesn’t include charging you rent or using you & your private information to train a large ai model. They don’t care.
hastily integrating the browser into everything, regardless of it making sense
So software development in general in the last couple of years?
Yes. JavaScript is famously the best programming language ever, so why not? /s
Reading the article it doesn’t sound like it’s Microsoft’s issue but the vendor’s implementation and lack of using the secure communication protocol.
“vendors implementation” rings immediate alarm bells…
it sounds like microsoft’s own laptops dont implement the spec properly!
Microsoft doesn’t make fingerprint readers.
Yea, but they sourced the parts from a vendor, and still didn’t make sure the vendor was properly following the spec.
Just goes to show how complicated it can be!
Not sure why you being downvoted, one of the three laptops they cracked was a Surface. Of course Microsoft doesn’t “make it” but very few tech brands actually manufacture the hardware. By the way the Surface was sufficiently different in its design from the others that hints it’s a custom build anyway, not just an off label hardware with Microsoft stamped on it.
Microsoft has marketed surface pro type covers with a fingerprint reader. I use one at work.
Sounds like Microsoft doesn’t make anything
Stop using biometrics for authentication!!!
Edit: lots of opinions below. Biometrics are a username, a thing you are. Finger printed can be taken from your laptop with a little powder and masking tape.
Use an authentacator app or security key kids!!
Better put would be stop using biometrics for single factor authentication. A token can be stolen, or a passcode/push notification can be phished/bypassed as easy as biometrics can.
In Doom I had to rip off a dudes arm to gain access to the security controls on core cooling shutdown. If you don’t want to lose an arm to stop a demon horde, you’re better off just using your girlfriend’s fingerprints
Exactly the point I’m trying to make!!
No… I get it totally. That why I know my girl’s worth my time, she’s willing to potentially give up her arm for me to still play DOOM 8 days a week
A username is not something “you are”, it’s something “you know”. Biometrics are not nearly the same as usernames.
A username is something you are. It’s you! You are 0xD.
A password is something you know. A security key is something you have.When we interview security analysts you don’t get past the first round if you disagree.
If your interview involves telling me a username is “something you are” rather than “something you know”, I’m running away from that job as fast as I can.
Other people know your username.
How hard is this?
I guarantee you I know thousands of people’s passwords as well, I just don’t know the username associated.
By this same logic, other people could know your fingerprint since it’s “something you are”. No, other people cannot know your fingerprint. It’s a complex mathematical equation to a computer. This is such a terrible take.
Source: CASP+ certified.
No, this username is one of the names I’ve chosen for the accounts I use on lemmy. It does not identify me, it identifies the lemmy accounts that I just so happen to know the password for. I was just about to create an account with your username on another instance but meh, that’s too much work. Just imagine me having done that and think about what you just wrote.
I would be vary of the people agreeing with you on something so basic yet so wrong.
An authentication factor is a unique identifier that shows that you possess something that others don’t. Biometrics are something you are because your fingerprints, your retinas, or your DNA are (mostly) unique to you. A security key is something you have because unique cryptographic material is saved on the hardware device that cannot be replicated somewhere else (which is why many mobile authenticators really aren’t). And a password is something you know because… Bla bla bla.
To be pedantic, a username is not a factor in this sense at all; It is an identifier for an account that you have to prove authorization for by presenting some kind of factor, sometimes multiple.
Exactly, it’s fundamentally insecure.
As with all things security, it depends entirely on your thread model and the value of what you’re trying to protect.
Biometrics can be a much more secure option than using a PIN or password, depending in circumstances.
For example: when I’m working on my laptop on the train or in a coffee shop and I need to log into some website I’d rather use my fingerprint to unlock the passkey than type in a password in a public place where I have no idea who is observing me entering my password.
Same goes for paying with your phone, you can either enter your phone PIN in a crowded supermarket or you unlock with FaceID.
Also, for phones, for a lot of people the alternative to biometrics wouldn’t be a PIN, it would be no authentication whatsoever. Biometrics lowers the barrier to having a form of authentication at all.
for a lot of people the alternative to biometrics
Full password Android user representing here… It’s surprising how few people bother to even stop any amount of snooping on their phones. but I guess it’s only surprising in that I wished more from society in general.
Can you explain how?
Biometrics can be spoofed, or the body part stolen in extreme cases.
Also, in the US at least, biometrics aren’t protected by the same rights that allow you to not incriminate yourself. IIRC they’re considered a thing you have, which you can be compelled to surrender or use to unlock a device, vs something you know (like a password or pattern) which you can withhold if it would be incriminating. Check with a lawyer on this one, I haven’t paid attention to the case law here for a bit.
If someone is stealing my body parts, what they access on my devices is the least of my worries!
They don’t have to be stolen. Imagine some clever thief drugging your drink, then when you’re incapacitated they take your phone and press your finger to it or hold it up to your face to unlock it, then transfer all your money out of Venmo or whatever money transfer app you have on your phone.
The comment I replied to said stolen, which is what I was getting at.
There’s also nothing to stop someone watching over your shoulder to see your PIN for your phone/laptop. Nothing is infallible.
God, the shit people dream up to worry themselves about. Nobody is drugging you to unlock your phone.
Ask OPM how they plan on getting my fingerprints back.
How are biometrics fundamentally insecure?
If it is low detail enough to consistently ‘work’, it isn’t complex enough to be better than something like a chip and pin approach.
They are repeatedly bypassed with easy hacks like silly putty and photographs. People’s biometrics are not unchanging. Burned fingers, swollen eyes, and sore throats are things that can change enough to make biosecurity unreliable. That is before cold and heat and how they effect biological things!
That is all before you take into account the fact that some people don’t have whatever is being used. Have fun using eye based biosecurity on someone with cataracts or is missing their eyes entirely due to injury or just being born without them fully developed. Or they have a physical issue that makes it hard for them to interact with the bio reader. Stephen Hawking needing to lean towards a mounted eye scanner would be impossible for example.
So either you have mediocre security that allows for a lot of false positives to get through or you end up having to add a bypass system for when it fails, and now you have two ways that security can be defeated! A non-biological solution with two factor authentication of an item and a PIN or other knowledge piece is far more secure than biosecurity can ever be.
So already insecure, but in addition to that anyone with physical access to the person can force them to do the biosecurity. Police are able to force someone to put their finger on their phone, or look at the screen for a face unlock. Maybe they aren’t legally able to, but it is a good example of not being secure.
I couldn’t have said it better.
Not to mention that a company could easily harvest this information, just look at FTC for example.
Well I could have, but simply chose not to.
Me too!
They aren’t 100% reliable and it has its’ challenges based on its implementation but I wouldn’t consider it fundamentally insecure. It’s as secure as a NFC token, TOTP, or a push notification as a form of authentication. It’s like birth control, no method is 100% safe and effective, but plain username and password auth is like pulling out, anything is better than that.
Not on my Lenovo. Fingerprint reader requires a swipe, no print left behind.
I have a lot of questions about what this guy thinks the rest of your device is covered in. Because spoiler, it’s fingerprints.
Mine does not work at all. I’d like to see the guy trying to take fingerprints for a few hours and realizing it won’t do shit lol.
Surprise. Or not.
deleted by creator
Who is surprised? Are you surprised?
Removed by mod
Pikachu is always surprised. And he doesn’t even speak or read English. So I was discounting him.
Removed by mod
This is the best summary I could come up with:
Microsoft’s Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft’s BlueHat conference in October.
The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, with a newly-published blog post detailing the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack.
Blackwing Intelligence researchers reverse engineered both software and hardware, and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor.
The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.
The researchers found that Microsoft’s SDCP protection wasn’t enabled on two of the three devices they targeted.
Blackwing Intelligence now recommends that OEMs make sure SDCP is enabled and ensure the fingerprint sensor implementation is audited by a qualified expert.
The original article contains 474 words, the summary contains 145 words. Saved 69%. I’m a bot and I’m open source!
… Did that say “custom implementation of TLS”?
That’s like… The first rule of security. You don’t roll your own cryptographic implementation. Like, first you’re told that, then they tell you the difference between security and obscurity, say both those things in bold, and continue with whatever beginner topic
im all for the something you have + something you are , pb&j relationship, but i dont think lathering biometrics on top is a good idea,far too many spy movies have shown Tom Cruise doing the MOST for pictures of eyeballs and fingerprints for me to ever trust this type of auth
The main issue with biometrics is that you can’t change them. If your fingerprints or retina are compromised you’re fucked.
Of course it has. Microsoft Windows.
The Surface Pro X has a fingerprint reader? Is it on the keyboard or something? Mine sure doesn’t have one.
deleted by creator
