
A (not) new security idea



    I've heard a lot about biometrics, but the durned things cost over
$100 (consumer grade) and only seem to work for legacy software.  The
cost isn't such a big deal, but the software sure is.

    But in the bigger picture, biometrics isn't enough.  I know there'll
be a couple of cocky jerks who'll tell you (and me) at great length how
stupid the idea is, mostly because they've not looked down the road as
far as I have.  Remember the GPG keys on repos and how that wasn't
suitable?  :)

    Keyfobs.  These little USB droplets of cyberspace.  How about we, as
one of the largest collections of Linux people out there, standardize
some software to fit into PAM to do this:

    1. Upon insertion, ask for the passphrase à la local-agent.

    2. When validated, use these credentials for everything.

    Sounds like a simple idea, but for some reason the powers that be
can't seem to 'get off the pot' and placate hundreds of vendors to
define a standard.  Standards are what we're about.  Let's make our
own.  When the money stops flying and things get tight, we'll allow 'em
to use our own.

    Some issues:

    1. Web browsing with the key: It needs to unlock the password
storage there.  I don't think this is a big deal, but I doubt anyone's
written anything like it yet.  I suppose this'll require help from the
Mozilla team, mostly.

    If a Linux guy with a key is browsing, how about the Linux server on
the other side accepting this as authentication? (For existing accounts,
of course)

    2. GDM and logins: this might have to be modified, aye?  It would
have to be authenticated before the login.  And the name given the login
(username) would have to come from somewhere, no?

    Think of how messed up this whole thing is: every site you have
another password to be lost, every machine on which you work you do
too.  People don't remember passwords- they get written down and never
changed.  That's why an internal test of the NYT staff was able to crack
70-80% of their passwords just by studying the office area.

    It's getting to the point that passwords are meaningless, and we're
only asking for more new ones.  Let's change that direction.

    What's it take? Do we start a group on Sourceforge? Are Red Hat et al.
interested in pushing this?   I don't care if Debian, SuSE or SCO
doesn't support it; this is something _we_ can do, it's not hard- let's
do it.  Let the rest of the world catch up to us.

    Gentlemen: Start your flamethrowers!  :>

    
-- 
------------------------------------------------------------------------
Brian Fahrländer                  Christian, Conservative, and Technomad
Evansville, IN                                 http://www.fahrlander.net
ICQ 5119262
AIM: WheelDweller
------------------------------------------------------------------------
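The two-step flow the post proposes (fob inserted, passphrase asked, credentials then handed out for everything) plus its "issue 2" (where the login name comes from), as an added example that is not code from the original post or from any PAM project. It simulates the fob as a byte record rather than a USB device, and because it uses only the Python standard library the encryption is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag instead of AES-GCM; the record layout, the function names and the sample credentials are all assumptions.

```python
"""Simulated PAM-style key-fob unlock (added example, not the post's code).

Fob record layout (an assumption for this example):
  MAGIC | salt(16) | nonce(16) | user_len(2) | user | ct_len(4) | ct | tag(32)
The username travels in the clear so a login screen can learn who is logging
in from the fob itself, but it is covered by the MAC, so swapping it is
detected.  Encryption is HMAC-SHA256 in counter mode, encrypt-then-MAC, a
stdlib-only stand-in for AES-GCM.
"""
import hashlib
import hmac
import json
import os
import struct
from typing import Optional, Tuple

MAGIC = b"FOB1"
ITERATIONS = 100_000          # PBKDF2 work factor; raise for real use
MIN_LEN = 4 + 16 + 16 + 2 + 4 + 32


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 -> 64 bytes, split into encryption key and MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC(key, nonce || counter) blocks, concatenated and truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def provision_fob(username: str, credentials: dict, passphrase: str) -> bytes:
    """Build the record that would be written to the fob once, at enrolment."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plaintext = json.dumps(credentials, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    user = username.encode()
    body = (MAGIC + salt + nonce + struct.pack(">H", len(user)) + user
            + struct.pack(">I", len(ct)) + ct)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()   # MAC covers everything
    return body + tag


def authenticate(fob: Optional[bytes], passphrase: str) -> Optional[Tuple[str, dict]]:
    """The PAM 'auth' step: (username, credentials) on success, else None.

    None covers: no fob inserted, malformed record, wrong passphrase, and
    any tampering.  All failures take the same path so the caller cannot
    tell them apart from the return value alone.
    """
    if fob is None or len(fob) < MIN_LEN or fob[:4] != MAGIC:
        return None
    body, tag = fob[:-32], fob[-32:]
    salt, nonce = body[4:20], body[20:36]
    ulen = struct.unpack(">H", body[36:38])[0]
    user, off = body[38:38 + ulen], 38 + ulen
    if len(user) != ulen or len(body) < off + 4:
        return None
    clen = struct.unpack(">I", body[off:off + 4])[0]
    ct = body[off + 4:off + 4 + clen]
    if len(ct) != clen:
        return None
    enc_key, mac_key = _derive_keys(passphrase, salt)
    # A wrong passphrase yields a wrong mac_key, so it fails exactly like tampering.
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, clen)))
    return user.decode(), json.loads(plaintext)


if __name__ == "__main__":
    # Constructed sample credentials; nothing here is real.
    fob = provision_fob("brian", {"mozilla_master": "hunter2", "ssh_key_pass": "s3cr3t"}, "correct horse")
    print(authenticate(fob, "correct horse"))   # ('brian', {...})
    print(authenticate(fob, "wrong"))           # None
    print(authenticate(None, "correct horse"))  # None: nothing inserted
```

Two caveats a module like this would have to live with: once the fob is just a file, anyone who copies it can brute-force the passphrase offline at their leisure, so the passphrase is the only real factor and the PBKDF2 cost is what buys time; and the unlocked credentials still sit in the memory of whatever process "uses them for everything". A token that keeps the secret inside and only signs or decrypts on request removes both problems, which is the difference between this simulation and a proper hardware key.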


