replacing compromised biometric authenticators
jk at ip-clear.de
Fri Oct 13 13:24:02 CST 2017
In the case I mentioned, the datacenter provider (=Level3) removed hand
geometry scanners from its facility and switched all users to card +
pin. Also the provider is going to run this policy Germany- or even
Europe-wide, as I was told by the Level3 account rep.
The mentioned facility does not have any tailgating prevention, e.g. a
mantrap or turnstile access. The outside door, which is visible from the
street, and the inside colocation doors are now sharing the same access
method (card + pin). So now the card becomes valuable and transferable.
Before it was: Parking lot: Card, Outside door: Card + pin, Inside door:
Card + hand.
There is a security sub-sub-contractor on this site, but they are not
responsible for access or anything real :-], that's why I am interested in
how Level3 runs its other facilities and I am still looking for feedback.
From the contract side the access device is not exactly defined, hence you
can accept, quit end of term or of course upgrade your suites, racks,
… with a custom solution, as long as Level3 staff can enter, too.
To bring things back to the biometric topic:
The hand geometry scanner does not save fingerprints but hand sizes and
shapes. From current mailings I understand that people have a lot of
different definitions of biometric and may not count the hand scanner as
a "(full?) biometric" device.
On 13 Oct 2017, at 13:03, Alain Hebert wrote:
> 1. captcha(?)
> In my millennia of experience I never saw a captcha used as a
> means for DC access control. Just as a programmatic way to reduce
> brute force for some website functions.
> On my network janitor keychain I have (in order of hackability
> from easiest to hardest)
> 1. keycard only
> 2. keycard + fingerprints
> 3. keycard + face (2d)
> 4a. keycard + eye
> 4b. keycard + top of hand mapping
> But all the DCs, I deal with, have highrez cameras and
> tailgating controls... Biometrics are just a part of a wider system.
> Alain Hebert ahebert at pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
> On 10/12/17 16:58, Rich Kulawiec wrote:
>> On Wed, Oct 11, 2017 at 05:04:08PM -0400, Ken Chase wrote:
>>> If the current best operating practice is to avoid biometrics, why
>>> are they still in use out here?
>> (1) for the same reason some idiots still use captchas
>> (2) new hotness > old and busted, regardless of merits
>> (3) because they facilitate coerced risk transference away from the
>> people who are actually responsible (and are paid to be so) to the
>> people who shouldn't be responsible (and aren't paid to be)