replacing compromised biometric authenticators
(forking the thread here..)
Biometrics are still the new hotness out in North America. Cologix, whom I deal with in Canada, has a dozen and a half odd POPs in Canada/USA and I think has fingerprinting at all sites.
If the current best operating practice is to avoid biometrics, why are they still in use out here? Has anyone gotten the message? Is anyone in North America ripping them out yet?
Other factors include your country's privacy regulations for storing irreplaceable personal information, the burden of which might not be worth the security 'benefit'.
/kc
On Wed, Oct 11, 2017 at 04:46:02PM -0400, William Herrin said:
On Wed, Oct 11, 2017 at 4:32 PM, Jörg Kost <jk@ip-clear.de> wrote:
Do you guys still at least have biometric access control devices at your Level3 DC? They even removed these things at our site, because there is no budget for a successor for the failing unit. And to be consistent, they even want to remove all biometric access devices, at least across Germany.
Hi Jörg,
IMO, biometric was a gimmick in the first place and a bad idea when carefully considered. All authenticators can be compromised. Hence, all authenticators must be replaceable following a compromise. If one of your DCs' palm vein databases is lost, what's your plan for replacing that hand?
Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
-- Ken Chase - math@sizone.org Guelph Canada
Since I'm not squeamish about such things, I do have tin snips and will happily assist in revocation of compromised biometric authentication factors.
Andrew
On Wed, Oct 11, 2017 at 5:04 PM, Ken Chase <math@sizone.org> wrote:
I would definitely not say that it is current best practice not to deploy biometrics. As part of a holistic approach, biometric systems can improve security greatly. As a singular approach, using it as a single factor for authentication and authorization of access/actions, it's as terrible an idea as any other. The difficulty of passing a high-quality biometric authentication system, even knowing its success conditions, is non-trivial. The good ones check for basic signs of life as well, so simply cutting off someone's hand and trying to use it would fail, for example. There are, of course, cheap biometric systems that are not as good, and YMMV depending on what and how you deploy biometrics. Taking into account the specific threat level you're up against is always relevant.
All of the facilities I have in production have a three-factor approach to access: "something you know, something you have, and something you are." Biometrics being the latter, plus a badge or dongle, and a four-digit code. None of my production facilities can be accessed without all three.
Take care,
Matt
On Wed, Oct 11, 2017 at 4:04 PM, Ken Chase <math@sizone.org> wrote:
-- Matt Harris - Chief Security Officer Main: +1 855.696.3834 ext 103 Mobile: +1 908.590.9472 Email: matt@netfire.net
I agree that multiple levels are best and, for the moment, I'd frankly be hesitant to give anything like fingerprint data, since one can never change that and the harm of it getting loose cannot yet be determined. (Not that the data being taken by these scanners is necessarily all that grandiose.)
I also would accept a facility that did something like hand scan and PIN to access the lobby/security desk and keycard or fob to move around once inside, along with scan-in/scan-out enforcement. (No tailgating.)
I've never really been keen on relying on biometrics though. The hand scanners can be convenient for not having to carry anything around, but when all is said and done, they are really not all that much better than just a keycard.
-Wayne
On Wed, Oct 11, 2017 at 04:10:51PM -0500, Matt Harris wrote:
--- Wayne Bouchard web@typo.org Network Dude http://www.typo.org/~web/
On Wed, Oct 11, 2017 at 05:04:08PM -0400, Ken Chase wrote:
If the current best operating practice is to avoid biometrics, why are they still in use out here?
(1) for the same reason some idiots still use captchas
(2) new hotness > old and busted, regardless of merits
(3) because they facilitate coerced risk transference away from the people who are actually responsible (and are paid to be so) to the people who shouldn't be responsible (and aren't paid to be)
---rsk
On 2017-10-12 16:58, Rich Kulawiec wrote:
(3) because they facilitate coerced risk transference away from the people who are actually responsible (and are paid to be so) to the people who shouldn't be responsible (and aren't paid to be)
I think biometrics are seen as a means to reduce the possible errors/corruption of a security guard by shifting responsibility to a computer. When you have multiple tenants, the DC can't assume all tenants will keep all access cards secure, so it has to protect tenant 2 from tenant 1 having cards stolen by some crook intent on damaging tenant 2's cards. A security guard matching face to picture on card AND picture in his computer for that card can be very good, and would eliminate card counterfeiting (with match against the DC's database of images) but would not eliminate the security guard making mistakes and allowing people whose face does not match (corruption or laziness). This is very different from a data centre owned by a single tenant who has full control over staff and knows who is and isn't staff and authorized to go in.
Odd,
1. captcha(?)
In my millennia of experience I never saw a captcha used as a means for DC access control. Just as a programmatic way to reduce brute force for some website functions.
On my network janitor keychain I have (in order of hackability from easiest to hardest):
1. keycard only
2. keycard + fingerprints
3. keycard + face (2d)
4a. keycard + eye
4b. keycard + top of hand mapping
But all the DCs I deal with have high-res cameras and tailgating controls... Biometrics are just a part of a wider system.
----- Alain Hebert ahebert@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On 10/12/17 16:58, Rich Kulawiec wrote:
Hi,
in the case I mentioned, the datacenter provider (= Level3) removed hand geometry scanners from its facility and switched all users to card + PIN. Also, the provider is going to run this policy Germany- or even Europe-wide, as I was told by the Level3 account rep.
The mentioned facility does not have any tailgating prevention, e.g. a mantrap or turnstile access. The outside door, which is visible from the street, and the inside colocation doors are now sharing the same access method (card + PIN). So now the card becomes valuable and transferable. Before it was: Parking lot: card; Outside door: card + PIN; Inside door: card + hand.
There is a security sub-sub-contractor on this site, but they are not responsible for access or anything real :-], that's why I am interested in how Level3 runs its other facilities and I am still looking for feedback. From the contract side the access device is not exactly defined, hence you can accept, quit at end of term, or of course upgrade your suites, racks, … with a custom solution, as long as Level3 staff can enter, too.
To bring things back to the biometric topic: The hand geometry scanner does not save fingerprints but hand sizes and shapes. From current mailings I understand that people have a lot of different definitions of biometric and may not count the hand scanner as a "(full?) biometric" device.
Regards
"bionic" Jörg
On 13 Oct 2017, at 13:03, Alain Hebert wrote:
participants (8)
- Alain Hebert
- Andrew Kirch
- Jean-Francois Mezei
- Jörg Kost
- Ken Chase
- Matt Harris
- Rich Kulawiec
- Wayne Bouchard