Biometric security question

GEC: Discuss gaming, computers and electronics and venture into the bizarre world of STGODs.

Moderator: Thanas

someone_else
Jedi Knight
Posts: 854
Joined: 2010-02-24 05:32am

Re: Biometric security question

Post by someone_else »

Zixinus wrote:however you will have to KNOW that I use fingerprint security AND know which finger I use. Unless you plan to steal data from me while you broke in, you are unlikely to have stolen something that has a good fingerprint.
Serious thieves (anyone doing it for a living that does not end up in prison in the first year of his career if ever) do select carefully their prey before doing anything, so yes they will know everything they need to know and set up every kind of equipment they need before they go against law in obvious ways.
Casual thieves (the ones that go in without any preparation, usually the dumb kids and the poor/desperate, the people that will come after your things 99% of the times) will be much more inclined to steal the whole computer and deal with passwords later (so how you encrypt data is pointless since the computer is lost anyway, it's much more useful to set up an unpassworded bait account and install spy softwares that can help you track down the computer when the idiot powers the thing up and uses the bait account).

Casual thieves are inherently stupid since not having preparation exposes them to the risk of breaking into the house and find a marine and his whole team just back from Shitholistan/a gun-nut with nightvision goggles wielding a silenced assault rifle per arm/booby-trapper and traps out of Addams Family/martial-arts-master/otherwise-dangerous-owner and getting their ass seriously kicked.
Plus, if you have stolen something from me, you likely have accidentally wiped the fingerprint in process of transport.
They won't break in unless they already have a fingerprint ready to use (and have assembled the thing to fool the scanner with). They can systematically steal all the fucking glasses you drank from at the pub, stuff you used at the office or whatever (depending on where they can go), taking stuff you drop at the cinema, or by sending an attractive woman/man or someone dressed as police or someone with a uniform (mail man requesting to sign papers to give you a letter someone mailed to you, for example, is a classic method).
Going into the home to get fingerprints isn't such an awesome idea, since it's a HIGH risk area where you already said there are fucktons of fingerprints at various ages (the fresher it is the better), whereas a pub or places where they can go legally are far less risky and they get far better quality fingerprints.

Now, I don't see the point for this conspiracy-grade fuss. It's a computer defending at most your porn collection (and this means as long as it fends off children and nosy puritans its security level is ok). Just stealing the lappy is sufficient to give them access to what they want, since laptop fingerprinting is usually so crappy that just resetting the BIOS (open up the machine, desolder the small battery from motherboard and leave it out for 30 mins, resolder and close up everything) gives you access to the machine since all BIOS passwords are cleared (this assuming the thing had fingerprints for BIOS password, usually not the case and none left passwords to protect BIOS), then a quick run of Offline NT Password & Registry Editor to nuke the Windows passwords and you're in.

On average they just want to resell the laptop on Ebay, they don't give a shit about your data.

If fingerprints is all they need (let's say they can log into your banking account with them even if it's a fuckling dumb idea), then it's a piece of cake looking at you when you log in to see what is the finger and then recover that fingerprint as discussed above.
Irbis wrote:Okaaay. And just how much of these are recoverable to anyone without very specialized expertise?
General rule of thumb, if Mythbusters can do it (see the linked video in my post above), then it's not hard.
It's murderously expensive if you use pro tools though.

Besides, if the enemy has physical access to the machine AND just wants to see your porn collection and not steal your laptop, why waste time with fingerprints? You either blocked the access to the whole HDD with an OS-independent tool (so that I cannot just bypass it with Puppy Linux on a pendrive or by physically mounting the drive into an external HDD enclosure and accessing it with another computer) or they copy (or if it's totally encrypted, clone) the HDD and then have all the time in the world to figure out how to decrypt its contents.


I personally favor an approach consisting of "I keep all stuff I need from removable drives, what is on the computer is all clean and expendable". There is a good OS password and I'm not using an admin account, to keep out children and keep virus at bay, but that's it.
Not that I have massively secret stuff anyway.
Broomstick wrote:Biometric requirements enforce a certain level of "security".
If you use it in conjunction with human guards it is Pretty Fucking Safe, but if it's there by itself either is very high-end like retinal scans or it's totally worthless.
I'm nobody. Nobody at all. But the secrets of the universe don't mind. They reveal themselves to nobodies who care.
--
Stereotypical spacecraft are pressurized.
Less realistic spacecraft are pressurized to hold breathing atmosphere.
Realistic spacecraft are pressurized because they are flying propellant tanks. -Isaac Kuo

--
Good art has function as well as form. I hesitate to spend more than $50 on decorations of any kind unless they can be used to pummel an intruder into submission. -Sriad
Zixinus
Emperor's Hand
Posts: 6663
Joined: 2007-06-19 12:48pm
Location: In Seth the Blitzspear

Re: Biometric security question

Post by Zixinus »

Nope. I just have to credibly suspect that you do. Though I wonder if a "move finger over scanner" message at startup wouldn't give me a clue. ;)
If you see that message without my consent, then you already have stolen my laptop. If you have already stolen my laptop, you only THEN realize that you will need to make a fingerprint.

Again, it does not completely eliminate you from accessing my computer. However, at the rate of you trying to make a copy of my fingerprint from my stolen dildos or whatever, you might as well try to find BIOS-resetting measures to erase the security measures on the computer. If they are applicable.
Nope. I just use every print I find. It's not like trying ten times at the most is going to kill me.
Every print? Will you cross-examine all the prints you have collected until you boil it down to a set of same patterns? Then try all of those? Repeatedly? That sounds like a lot of work. A lot more than what a casual thief would bother. Or is it less difficult than resetting the computer's BIOS-security to factory defaults?
Serious thieves (anyone doing it for a living that does not end up in prison in the first year of his career if ever) do select carefully their prey before doing anything, so yes they will know everything they need to know and set up every kind of equipment they need before they go against law in obvious ways.
Very true. I would however have far less defense against such a threat. What can you do against a guy like this, who will tailor his approach to counteract my security measures?
install spy softwares that can
I didn't know about this, this looks awesome, thanks for telling me about it!
Credo!
Chat with me on Skype if you want to talk about writing, ideas or if you want a test-reader! PM for address.
someone_else
Jedi Knight
Posts: 854
Joined: 2010-02-24 05:32am

Re: Biometric security question

Post by someone_else »

Very true. I would however have far less defense against such a threat. What can you do against a guy like this, who will tailor his approach to counteract my security measures?
Now, assuming they are after your laptop and not after the data on it, they choose the target by patrolling Wifi hotspots or similar places with high concentration of laptops, not looking like a target is your main defence. So not use gold-plated Alienware gaming laptops or otherwise easily resellable stuff. (Apple stuff has written STEAL ME all over it, since even used they sell at 1000$ or more)
Avoid carrying bags that clearly advertise that you are carrying a lappy, NEVER LEAVE THE LAPPY ALONE even when shut off (you won't believe how many idiots walk away from a McDonald's hotspot, pack it back in the car while everyone sees them and then get back to their group of friends), fuck with stickers and shit to make your laptop look like a pain to clear up for resale, and similar things.

Don't bother with trying to place passwords and shit on the machine or on the BIOS (well, keeping BIOS settings passworded is a good thing to keep it safe from your cat and kids pressing buttons at random during startup, but won't stop serious threats). If worse comes to worse, they can order a new BIOS chip and physically replace the damn thing. I actually had to do that myself on a friend's lappy with a dead BIOS so it's a pain but doable.

OS passwords are equally crap. They can stop viruses and shit (by using a non-admin account and running as admin only the programs that really ask for it, in Win 7 it's pretty cool) but not a man with the right tools. You can find dozens of cheap-ass OS password removers.

Keep tons of backups, and keep the really important data physically off the machine in pendrives you always carry with you (or can be hidden easily).

Now, this is pretty much extreme for most people, but that's the best I thought of for myself.

But again, these kinds of thieves tend to prey on not-so-geeky people since it's so much easier, just looking geeky is usually enough to keep them off your stuff since there are far better targets. Which is why they prefer Apple users. :lol:

If they are after your porn collection, then it's likely they are badass with much more resources than you. Encrypt your stuff and keep it on pen drives or small HDDs, don't use cloud services. Note that most systems I talked about can easily remove passwords, but not crack them (apart from Ophcrack that isn't so bad for OS passwords), so doing it will leave traces. Just so you know, if they have decent resources and they don't feel like employing a software keylogger (that would require scamming you) they can make their own hardware keyloggers for laptops that fit in the Mini PCIe slots and place it into your machine to steal your passwords (while for civilians there is only this, an obsolete one from 2007 that fits in Mini PCI). I would have sworn I saw one on sale for 200$ some time ago but I cannot find it again now. :wtf:
But this is serious paranoia for no reason anyway. :lol:
I didn't know about this, this looks awesome, thanks for telling me about it!
Plus, looking at the page where they list all success stories of computers saved by Prey, you can see what the most interesting stuff for a thief of the most common kind is.
Hint: Apple stuff. :lol:
Pendleton
Padawan Learner
Posts: 163
Joined: 2011-03-17 03:36pm

Re: Biometric security question

Post by Pendleton »

someone_else wrote: Besides, if the enemy has physical access to the machine AND just wants to see your porn collection and not steal your laptop, why waste time with fingerprints? You either blocked the access to the whole HDD with an OS-independent tool (so that I cannot just bypass it with Puppy Linux on a pendrive or by physically mounting the drive into an external HDD enclosure and accessing it with another computer) or they copy (or if it's totally encrypted, clone) the HDD and then have all the time in the world to figure out how to decrypt its contents.
They need literally all the time in the universe to crack something like a symmetric 128-bit AES cipher. There is no way they are breaking into a fully encrypted hard disk without the key, unless they have a means of elucidating the key remotely by spyware on the computer before (in which case, they probably already have the data they're looking for) or by icing the RAM immediately after the user has shut down the computer.

The only flaw in the system I use is fast user switching, which I turned off after reading a paper about how it can be used to bypass the encrypted volume in a roundabout attack.

If the implementation of the cipher is good and your pass key is suitably long and random enough to make full use of the 128-bits (or more) on offer, then it's really not worth worrying about the data being read. The problems come from bad implementations, or stupid keys that are part of a dictionary attack, hence using a pass phrase with varying symbols and a random combination of words is better than a single word and maybe number. There's really no need for biometric if you just use the tools already available out there properly.
TronPaul
Padawan Learner
Posts: 232
Joined: 2011-12-05 12:12pm

Re: Biometric security question

Post by TronPaul »

Some OS level drive encryption schemes can be bypassed if the computer is asleep. Some implementations leave the decryption key in RAM when the computer is asleep which can be grabbed relatively easily.

Also symbols, numbers and camel case really don't help passwords (xkcd). I usually use alliteration to help me remember long pass phrases. Password length restrictions on web sites become more annoying when you do this.
If it waddles like a duck and it quacks like a duck, it's a KV-5.
Vote Electron Standard, vote Tron Paul 2012
Pendleton
Padawan Learner
Posts: 163
Joined: 2011-03-17 03:36pm

Re: Biometric security question

Post by Pendleton »

TronPaul wrote:Some OS level drive encryption schemes can be bypassed if the computer is asleep. Some implementations leave the decryption key in RAM when the computer is asleep which can be grabbed relatively easily.

Also symbols, numbers and camel case really don't help passwords (xkcd). I usually use alliteration to help me remember long pass phrases. Password length restrictions on web sites become more annoying when you do this.
Yeah, just substituting one or two letters for numbers or special characters in a single word password is a bit crap. A pass phrase is the way to go. The one I use for my HDD encryption is 22 characters long, with alphanumerics and special characters. Good luck brute forcing it.

The exploit you mention is the one where I moved to disabling the rather useless fast user switching function and also making sure my computer doesn't sleep when I'm out in public. There is a CLI tweak for OS X I can use to purge the RAM and write over it in gibberish in the sector used for holding the hash, but I think that's overkill. If I want secure, I'll just shut down and not sleep it.
Skgoa
Jedi Master
Posts: 1389
Joined: 2007-08-02 01:39pm
Location: Dresden, valley of the clueless

Re: Biometric security question

Post by Skgoa »

Um, actually: nope, you are wrong. The reason numbers, camelcase and symbols are used in passwords is to increase the search space. While it is optimal for a single person to use a passphrase right now, it would drastically reduce the number of necessary tries, were it ever common practice. That's what Munroe is missing.
http://www.politicalcompass.org/test
Economic Left/Right: -7.12
Social Libertarian/Authoritarian: -7.74

This is pre-WWII. You can sort of tell from the sketch style, from the way it refers to Japan (Japan in the 1950s was still rebuilding from WWII), the spelling of Tokyo, lots of details. Nothing obvious... except that the upper right hand corner of the page reads "November 1931." --- Simon_Jester
TronPaul
Padawan Learner
Posts: 232
Joined: 2011-12-05 12:12pm

Re: Biometric security question

Post by TronPaul »

That's true. If everyone used only regular characters the search space (ie number of characters to try and guess) would be smaller, but there is a difference between the number of characters on average in each. Pass phrases tend to be longer, while shorter passwords tend to rely on camel casing and special characters to enlarge the search space (and number of guesses needed).

If you have 26 regular characters and 90 characters including special characters (there could be more or less, those are just the ones I counted on my keyboard) you would have 90^n or 26^n possibilities where n is the number of characters. If we put them on both sides of an equation 90^y = 26^x we can find how many characters for each would have equal possibilities. So roughly 4.5y = 3.2x and 1.406y = x. This means that if I have a password using only lower case letters it needs to be longer than ~1.4 times the length of a password with all characters to be better. Most passwords are currently required to be between 8 and 13 characters in length. A non-special password needs to be only 12 or 19 characters in length to match it (in terms of number of possibilities).

So yes, a long password with special characters is better than one without, but a long password without is much easier to remember and still much better than an average one with special characters. I myself have a long password with special characters, but only a few more characters in length and I wouldn't need to bother.
If it waddles like a duck and it quacks like a duck, it's a KV-5.
Vote Electron Standard, vote Tron Paul 2012
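
The search-space comparison argued over in the posts above, as an added example that is not part of the original thread: it sizes a password drawn from the 26 and 90 character alphabets TronPaul counts, and also sizes a passphrase against an attacker who guesses whole words, which is the case Skgoa raises. The 2048-word list, the 6-letter average word length and uniformly random selection are assumptions made for illustration.

```python
import math

LOWERCASE = 26      # alphabet size used in the post above
FULL_KEYBOARD = 90  # "all characters" count from the post above
WORDLIST = 2048     # assumption: words drawn uniformly at random from a 2048-word list
AVG_WORD_LEN = 6    # assumption: average letters per passphrase word


def bits(alphabet_size: int, length: int) -> float:
    """Search space of `length` independent, uniformly chosen symbols, in bits."""
    return length * math.log2(alphabet_size)


def equivalent_length(src_alphabet: int, src_len: int, dst_alphabet: int) -> int:
    """Smallest n such that dst_alphabet**n >= src_alphabet**src_len.

    Uses exact integers, so the result can be one lower than an
    estimate made from rounded logarithms.
    """
    target = src_alphabet ** src_len
    n, space = 0, 1
    while space < target:
        space *= dst_alphabet
        n += 1
    return n


def passphrase_views(n_words: int) -> tuple[float, float]:
    """Bits of an n-word passphrase under two attacker models.

    naive:    the attacker guesses lowercase characters one at a time.
    informed: the attacker knows the scheme and guesses whole words.
    """
    naive = bits(LOWERCASE, n_words * AVG_WORD_LEN)
    informed = bits(WORDLIST, n_words)
    return naive, informed


def report() -> list[str]:
    """One line per comparison, for the 8 and 13 character lengths in the post."""
    rows = []
    for length in (8, 13):
        rows.append(
            f"{length} chars from {FULL_KEYBOARD}: "
            f"{bits(FULL_KEYBOARD, length):.1f} bits, matched by "
            f"{equivalent_length(FULL_KEYBOARD, length, LOWERCASE)} lowercase chars or "
            f"{equivalent_length(FULL_KEYBOARD, length, WORDLIST)} random words"
        )
    naive, informed = passphrase_views(4)
    rows.append(
        f"4-word passphrase: {naive:.1f} bits char-by-char, "
        f"{informed:.1f} bits word-by-word"
    )
    return rows


if __name__ == "__main__":
    print("\n".join(report()))
```

The gap between the two passphrase figures is the whole disagreement: length only buys the larger number if the words are not guessable as units.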
someone_else
Jedi Knight
Posts: 854
Joined: 2010-02-24 05:32am

Re: Biometric security question

Post by someone_else »

Pendleton wrote:They need literally all the time in the universe to crack something like a symmetric 128-bit AES cipher
I said "figure out how to decrypt its contents". There are other ways to get the password that don't involve dividing by 0 or pulling a computer out of Star Trek to bruteforce it.
If you fail one of these, you have lost your 2 TB of porn. :mrgreen:

-installing a hardware keylogger (IF the machine has a slot for it or a way to connect it and they have one compatible with modern hardware, anyway, worst case they'll have to custom-make it for you and fit it between the ribbon cable that runs from the keyboard to the motherboard)

-installing a software keylogger (this is if they have geeks far better than you OR you do massively stupid things like leaving the machine unattended for a few minutes while logged as admin)

-placing spy cameras (they are pretty cheap these days and have ludicrous quality)

-sending guy to look at what you do (with or without binoculars)

Hardware keyloggers are pretty easy to find if you know where to look, but taking apart the whole machine every fucking time you turn it on is a pain. Placing a stealthy way to detect tampering on the machine is the best choice imho.

Software keyloggers that install without your direct consent (or by tricking you) are basically viruses. You don't need me to tell you how to avoid computer viruses.

For the record, there are ways to hamper both, but most I've seen work at OS level, so won't be really useful to keep OS password, HDD passwords and machine password secure.
The way for software keyloggers is using programs called keyboard scramblers. They work in different ways, and not all work for 100% of the programs you may need to use, so choose well.
Hardware keyloggers can be hampered by using keyboard remappers that alter the keyboard output at an OS level. Since the hardware kinds are passive devices they record what is physically pressed on the keyboard, but won't know what is actually received by the OS.

Next! The cameras work well if you have any kind of habit. Especially in places where you feel safe. They don't have to be necessarily wireless kinds (or may store the movie and transmit only when receiving a "all clear" signal from their base) so don't waste time hunting them down with those funny detectors like in movies.

The guy with binoculars is a pain in the ass since he follows you (ideally unseen, not always the case), but his viewing angles are kinda obvious to defend against even when you don't know where he is. Just be wary of reflections.
elucidating the key remotely by spyware on the computer before (in which case, they probably already have the data they're looking for)
Uhm well, spyware and any computer virus is usually installed remotely by using baits for the target. Convincing a target to install something cool (or piggybacking the installation of stuff he needs to install by tampering with his CDs or doing some network magic) is doable if they have resources since the keylogger needs to send home only tiny quantities of data (KBs at most), while a virus that searches for and uploads the sensitive info or the whole HDD contents (how do you know how the file with the data you need is called? this isn't a movie) is going to be much more obvious.
icing the RAM immediately after the user has shutdown the computer.
RAM was volatile last time I looked at it. That's an option if it's in sleep or hibernation maybe (one of these leaves active the banks of RAM). I have no idea on how they are supposed to extract data from the RAM without extracting them and thus cutting power, though.
TronPaul wrote:Some OS level drive encryption schemes can be bypassed if the computer is asleep.
OS-based encryption does allow any enemy to clone the disk, or common thieves to DBAN it with impunity.
Passwording the HDD itself should protect you more. In theory anyway, since removing the password isn't that hard, but reading it without leaving traces is a bit more involved (it's in Italian, Google-translated here).

Anyway, it's years I keep hearing about Self-Encrypting Drives, but never had one in my hands. They seem awesome in theory but are they a good choice, if you find someone selling them?
I hope they don't feature dumb bypass systems like all BIOS I had to reset (and most HDD passwords). I mean hell, most motherboards even have dedicated jumpers to reset the BIOS to factory default and thus clear passwords.

Hell, if you are too idiot to remember a fucking password (or to not have written a good but safe hint to help you remember them in a safe place) you deserve to lose the hardware.
TronPaul
Padawan Learner
Posts: 232
Joined: 2011-12-05 12:12pm

Re: Biometric security question

Post by TronPaul »

someone_else wrote:
icing the RAM immediately after the user has shutdown the computer.
RAM was volatile last time I looked at it. That's an option if it's in sleep or hibernation maybe (one of these leaves active the banks of RAM). I have no idea on how they are supposed to extract data from the RAM without extracting them and thus cutting power, though.
I've seen a demo of this for a laptop. The bottom of the laptop (where the RAM is located) is opened up and sprayed with something cold (to ice the RAM). This is done while the computer is still asleep. Then the laptop is restarted to a bootable CD that reads the RAM. This would not work on a computer shut down for some time, and I'm not sure how well it would work if you iced a running computer's RAM then shut it down.

Video
Wiki Article

I'm at work so I haven't been able to watch the video in full. I think it was the one I first saw this attack in.