Biometrics

[Dan]

How secure and safe is biometric technology? The reason I bring this up is
because I was able to log in using my finger with a band-aid attached and
this definitely makes me question the security and safety of biometric
technology at least as far as laptops go. I imagine there probably is lots
of articles on this already but I wanted the opinions of this newsgroup.
Thanks in advance for the replies.

 

[Milo]

Finger with the band aid on?....

For finger print technology it has to match a significant or set numbers of
marker points in your fingers to accept to validate you... Mind if we ask
what notebook are you using and including its model. ( for a test )

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:711C6B3D-E988-4C54-870E-98B985992282@microsoft.com...
> How secure and safe is biometric technology? The reason I bring this up
> is
> because I was able to log in using my finger with a band-aid attached and
> this definitely makes me question the security and safety of biometric
> technology at least as far as laptops go. I imagine there probably is
> lots
> of articles on this already but I wanted the opinions of this newsgroup.
> Thanks in advance for the replies.

 

[Dan]

Thank you for your feedback. This vulnerability must be reported through the
proper channels for safety and security reasons. Have a nice day.

"Milo" wrote:

> Finger with the band aid on?....
>
> For finger print technology it has to match a significant or set numbers of
> marker points in your fingers to accept to validate you... Mind if we ask
> what notebook are you using and including its model. ( for a test )
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:711C6B3D-E988-4C54-870E-98B985992282@microsoft.com...
> > How secure and safe is biometric technology? The reason I bring this up
> > is
> > because I was able to log in using my finger with a band-aid attached and
> > this definitely makes me question the security and safety of biometric
> > technology at least as far as laptops go. I imagine there probably is
> > lots
> > of articles on this already but I wanted the opinions of this newsgroup.
> > Thanks in advance for the replies.
>
>

 

[~BD~]

Dan

I think Milo works for Microsoft!

What harm can giving up the make and model of your laptop do?

Dave


"Dan" <Dan@discussions.microsoft.com> wrote in message
news:F987783D-FB49-49AE-8290-2325C6F5EBB5@microsoft.com...
> Thank you for your feedback. This vulnerability must be reported through
> the
> proper channels for safety and security reasons. Have a nice day.
>
> "Milo" wrote:
>
>> Finger with the band aid on?....
>>
>> For finger print technology it has to match a significant or set numbers
>> of
>> marker points in your fingers to accept to validate you... Mind if we ask
>> what notebook are you using and including its model. ( for a test )
>>
>> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> news:711C6B3D-E988-4C54-870E-98B985992282@microsoft.com...
>> > How secure and safe is biometric technology? The reason I bring this
>> > up
>> > is
>> > because I was able to log in using my finger with a band-aid attached
>> > and
>> > this definitely makes me question the security and safety of biometric
>> > technology at least as far as laptops go. I imagine there probably is
>> > lots
>> > of articles on this already but I wanted the opinions of this
>> > newsgroup.
>> > Thanks in advance for the replies.
>>
>>

 

[Dan]

I do volunteer work for US-Cert and so I must go through the proper channels.
Thanks for your feedback anyway, BD.

"~BD~" wrote:

> Dan
>
> I think Milo works for Microsoft!
>
> What harm can giving up the make and model of your laptop do?
>
> Dave
>
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:F987783D-FB49-49AE-8290-2325C6F5EBB5@microsoft.com...
> > Thank you for your feedback. This vulnerability must be reported through
> > the
> > proper channels for safety and security reasons. Have a nice day.
> >
> > "Milo" wrote:
> >
> >> Finger with the band aid on?....
> >>
> >> For finger print technology it has to match a significant or set numbers
> >> of
> >> marker points in your fingers to accept to validate you... Mind if we ask
> >> what notebook are you using and including its model. ( for a test )
> >>
> >> "Dan" <Dan@discussions.microsoft.com> wrote in message
> >> news:711C6B3D-E988-4C54-870E-98B985992282@microsoft.com...
> >> > How secure and safe is biometric technology? The reason I bring this
> >> > up
> >> > is
> >> > because I was able to log in using my finger with a band-aid attached
> >> > and
> >> > this definitely makes me question the security and safety of biometric
> >> > technology at least as far as laptops go. I imagine there probably is
> >> > lots
> >> > of articles on this already but I wanted the opinions of this
> >> > newsgroup.
> >> > Thanks in advance for the replies.
> >>
> >>
>
>
>

 

[~BD~]

You're welcome, Dan

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:4F9FC3F4-2D95-4BC7-8FD8-07DC0FF07034@microsoft.com...
>I do volunteer work for US-Cert and so I must go through the proper
>channels.
> Thanks for your feedback anyway, BD.

 

[Juergen Nieveler]

Dan <Dan@discussions.microsoft.com> wrote:

> How secure and safe is biometric technology? The reason I bring this
> up is because I was able to log in using my finger with a band-aid
> attached and this definitely makes me question the security and safety
> of biometric technology at least as far as laptops go. I imagine
> there probably is lots of articles on this already but I wanted the
> opinions of this newsgroup. Thanks in advance for the replies.

If this was one of those fingerprint readers where you simply put your
finger on (as opposed to those where you rub your finger along the
contact plate in a swipe motion), chances are that the camera inside
picked up the latent fingerprint that was still on the glass - this is
a common vulnerability of those cheap camera-based readers. All they do
is notice "Oh, something is pushing on the glass, and I recognise the
pattern" - if the person who last used it had greasy fingers, the
fingerprint would still be on the glass, so putting something on the
glass that doesn't have OTHER fingerprints will force the camera to use
the weak fingerprint image still visible to it...

The swipe-type readers are safer in that there can't be an image left
on the reader... but many of them still can be fooled by a fake
fingerprint made by taking the fingerprint off something somebody
touched (lots of how-to's available for that...).

Juergen Nieveler
--
A feature is a bug with seniority.

 

[Dan]

Bingo! You solved the issue and yes it is one of those cheap fingerprint
scanners where you just swipe your finger so it must have already had the
image of my fingerprint on the scanner. It sounds like someone would need to
clean the fingerprint scanner each time and it does indeed seem very easy to
fool. So much for the security of Biometrics at least cheap Biometric devices

"Juergen Nieveler" wrote:

> Dan <Dan@discussions.microsoft.com> wrote:
>
> > How secure and safe is biometric technology? The reason I bring this
> > up is because I was able to log in using my finger with a band-aid
> > attached and this definitely makes me question the security and safety
> > of biometric technology at least as far as laptops go. I imagine
> > there probably is lots of articles on this already but I wanted the
> > opinions of this newsgroup. Thanks in advance for the replies.
>
> If this was one of those fingerprint readers where you simply put your
> finger on (as opposed to those where you rub your finger along the
> contact plate in a swipe motion), chances are that the camera inside
> picked up the latent fingerprint that was still on the glass - this is
> a common vulnerability of those cheap camera-based readers. All they do
> is notice "Oh, something is pushing on the glass, and I recognise the
> pattern" - if the person who last used it had greasy fingers, the
> fingerprint would still be on the glass, so putting something on the
> glass that doesn't have OTHER fingerprints will force the camera to use
> the weak fingerprint image still visible to it...
>
> The swipe-type readers are safer in that there can't be an image left
> on the reader... but many of them still can be fooled by a fake
> fingerprint made by taking the fingerprint off something somebody
> touched (lots of how-to's available for that...).
>
> Juergen Nieveler
> --
> A feature is a bug with seniority.
>

 

[Juergen Nieveler]

Dan <Dan@discussions.microsoft.com> wrote:

> Bingo! You solved the issue and yes it is one of those cheap
> fingerprint scanners where you just swipe your finger so it must have
> already had the image of my fingerprint on the scanner. It sounds
> like someone would need to clean the fingerprint scanner each time and
> it does indeed seem very easy to fool. So much for the security of
> Biometrics at least cheap Biometric devices

There's a reason why Microsoft warns not to use their fingerprint
reader for any security-sensitive stuff, it won't allow you to log on
to a domain, for example...

Juergen Nieveler
--
Line noise provided by German Telekom!

 

[Dan]

Thank you, Steve. I appreciate your feedback. Another problem we face in
computing today is the industry is not fully backing tougher security and
safety protocols. An example of this is the American Express website which
will only allow me to input a password that is less than optimal according to
Microsoft's password checker. Microsoft is doing their part in many ways but
the rest of the industry must catch up.

http://www.microsoft.com/protect/yourself/password/checker.mspx

It is critical in this day and age to have alternatives to just the main
Windows operating system that includes Internet Explorer. I am very pleased
with Microsoft and their technologies so I will continue to use them
frequently. However, as a power user, I am very pleased that users have
alternatives such as Mozilla Firefox as an option and it does indeed remain
for use with Windows 98 Second Edition at least until December 2008 because
that is when Mozilla Firefox 2.x support is scheduled to end.

http://en.wikipedia.org/wiki/Mozilla_Firefox

This is most unfortunate in my view since the 9x source code has definite
advantages over the NT business line of source code. 9x computers were meant
as stand-a-lone machines and thus are great for consumers who do not need or
want the ability to have others tinker with their machines. The many
services provided in XP allow for their to many greater points of access to a
fully patched XP machine than a fully patched 98 Second Edition machine using
Mozilla Firefox compared to Internet Explorer since Internet Explorer patches
for Windows 98 Second Edition ended July 11, 2006. The NT source code is at
risk as can be seen by the postings of US-Cert which is the computer
readiness team and part of the Department of Homeland Security.

http://www.us-cert.gov/cas/bulletins/SB08-196.html

Microsoft -- windows-nt

Unspecified vulnerability in Microsoft DNS in Windows 2000 SP4, XP SP2 and
SP3, and Server 2003 SP1 and SP2 allows remote attackers to conduct cache
poisoning attacks via unknown vectors, aka "DNS Cache Poisoning
Vulnerability," a different vulnerability than CVE-2008-1447.

unknown
2008-07-08
9.4 CVE-2008-1454 MS

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1454

http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

I know a fair amount about computer security and safety and helped beta test
Windows Vista Ultimate 32 bit edition for Microsoft as a volunteer. I got
the DVD with the ISO image from a friend named Jeff who was a systems
engineer and also testing Vista for Microsoft and then got approval from
Microsoft to test it and inputed the given product key that Microsoft gave me
for the evaluation version. The problem is that Microsoft has only one line
of code and that makes it that much easier for hackers to target many
machines and take them over.

With Windows 98 Second Edition, a single machine might have been compromised
but not the whole network. I have had problems with a workplace that I
recently worked at that stupidly switched to all XP machines and did not
leave any 98 Second Edition machines in place and that included my own
Windows 98 Second Edition machine there. That was a huge mistake that I
don't think the business will repeat. With the 98SE machine, I knew and I
was right that my machine would be very unlikely to be hacked compared to the
compromised machines of the NT (XP Professional) in this case. The incident
happened in the summer of 2007. I will give you more details via secure
email if you like.

I have read in a book about Microsoft that early system engineers complained
that NT did not have a true maintenance operating system like DOS. Chris
Quirke, MVP. has a good article about the safety and security concerns.
Windows 9x is safe at its core compared to Windows NT line which includes
2000, XP and Vista of course. There was also a rumor a while back that parts
of the NT source code were leaked over the Internet compared to the 9x source
code which was never leaked over the Internet, AFAIK.

http://cquirke.blogspot.com/

(Note: Chris Quirke's 9x website talks about the 9x compared to NT security
and safety discussion)

There is also Unix/Linux technologies and I have played around a little bit
with Ubuntu Linux but I am in no way proficient with it and have only read a
small portion of a big book about Ubuntu Linux.

Finally, my question to you is that I know about the economics and how
costly it would be for Microsoft to continue the 9x line or even overall it
to make it usable in today's environment but wouldn't the economic cost be
worth the great reward. I have friends of mine at summer camp who are
planning mainly on building 98 Second Edition machines just for the ability
to play older games and secondly because these friends feel as I do about how
it is harder to hack into a 9x machine with the proper safeguards applied
such as a wired router that has the wireless broadcast signal turned off so
as not to attract unwanted or uneeded attention from hackers.

If Microsoft will not develop the 9x source code then at least sell it to
the United States Military so that the Defense Department can more fully
protect their military infrastructure from external threats and even better
from potential internal threats from their network of computers from a
potential spy. The possibilities for 9x are endless and so please I ask you
as a professional to have Microsoft sell 9x kernel unless Microsoft is
willing which I think would be a smart business move to invest money in the
another Windows 9x that would not subtract features such as easy access to
DOS and ideally the ability to play old classic games like Windows Millennium
(ME) did.

I am a gamer who is a Generation X'er who got his start on an IBM PCjr
playing King's Quest 1 on a 5.25 inch floppy disk that was made by Sierra On
Line and had 16 colors and the speaker on the machine supported 3 sounds at
once which was cool. The game had 128 kilobytes on one disk and how is that
for compression despite the obvious limitations compared to today's games. I
still have this machine in storage and it still works! The interesting thing
is that a poster to Game Informer which I read posted about how he was 17 and
liked older classic games and his friends made fun of him for it and his
first name was Daniel too. <grin>

I also enjoy reading PC World, 2600 which is a hacker magazine (I must keep
up to prevent hackers from compromising all of us), and other computer and
network books. I took several computer classes in college and who knows I
may go back and get another undergraduate degree but this time in computer
science. I know that a dream will allow a little guy like me change the
world despite all the challenges life has thrown at me. Please feel free to
contact me by email or I can contact you by email. My email address is with
Microsoft and on their records. I can also give you an srx number on a
recent case with Microsoft if you need to confirm my identity. Thanks again
for all you do, Steve and Go Microsoft!

"Steve Riley [MSFT]" wrote:

> Biometrics can never replace passwords, because they aren't secrets.
>
> It's me, and here's my proof: why identity and authentication must remain
> distinct
> http://technet.microsoft.com/en-us/library/cc512578(TechNet.10).aspx
>
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:774EE7CB-CA2B-4E7B-82CD-20D2B56C04B4@microsoft.com...
> > Bingo! You solved the issue and yes it is one of those cheap fingerprint
> > scanners where you just swipe your finger so it must have already had the
> > image of my fingerprint on the scanner. It sounds like someone would need
> > to
> > clean the fingerprint scanner each time and it does indeed seem very easy
> > to
> > fool. So much for the security of Biometrics at least cheap Biometric
> > devices
> >
> > "Juergen Nieveler" wrote:
> >
> >> Dan <Dan@discussions.microsoft.com> wrote:
> >>
> >> > How secure and safe is biometric technology? The reason I bring this
> >> > up is because I was able to log in using my finger with a band-aid
> >> > attached and this definitely makes me question the security and safety
> >> > of biometric technology at least as far as laptops go. I imagine
> >> > there probably is lots of articles on this already but I wanted the
> >> > opinions of this newsgroup. Thanks in advance for the replies.
> >>
> >> If this was one of those fingerprint readers where you simply put your
> >> finger on (as opposed to those where you rub your finger along the
> >> contact plate in a swipe motion), chances are that the camera inside
> >> picked up the latent fingerprint that was still on the glass - this is
> >> a common vulnerability of those cheap camera-based readers. All they do
> >> is notice "Oh, something is pushing on the glass, and I recognise the
> >> pattern" - if the person who last used it had greasy fingers, the
> >> fingerprint would still be on the glass, so putting something on the
> >> glass that doesn't have OTHER fingerprints will force the camera to use
> >> the weak fingerprint image still visible to it...
> >>
> >> The swipe-type readers are safer in that there can't be an image left
> >> on the reader... but many of them still can be fooled by a fake
> >> fingerprint made by taking the fingerprint off something somebody
> >> touched (lots of how-to's available for that...).
> >>
> >> Juergen Nieveler
> >> --
> >> A feature is a bug with seniority.
> >>

 

[Daniel Petri]

So, to make a long story short, you claim the the "Windows 9X" source code
and entire OS is far more secure than today's "Windows NT" - i.e. Vista?

--
Sincerely,

Daniel Petri
MVP, Senior IT consultant, trainer
www.petri.co.il

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:175E7266-E50E-40A2-BE3C-305165779621@microsoft.com...
> Thank you, Steve. I appreciate your feedback. Another problem we face in
> computing today is the industry is not fully backing tougher security and
> safety protocols. An example of this is the American Express website
> which
> will only allow me to input a password that is less than optimal according
> to
> Microsoft's password checker. Microsoft is doing their part in many ways
> but
> the rest of the industry must catch up.
>
> http://www.microsoft.com/protect/yourself/password/checker.mspx
>
> It is critical in this day and age to have alternatives to just the main
> Windows operating system that includes Internet Explorer. I am very
> pleased
> with Microsoft and their technologies so I will continue to use them
> frequently. However, as a power user, I am very pleased that users have
> alternatives such as Mozilla Firefox as an option and it does indeed
> remain
> for use with Windows 98 Second Edition at least until December 2008
> because
> that is when Mozilla Firefox 2.x support is scheduled to end.
>
> http://en.wikipedia.org/wiki/Mozilla_Firefox
>
> This is most unfortunate in my view since the 9x source code has definite
> advantages over the NT business line of source code. 9x computers were
> meant
> as stand-a-lone machines and thus are great for consumers who do not need
> or
> want the ability to have others tinker with their machines. The many
> services provided in XP allow for their to many greater points of access
> to a
> fully patched XP machine than a fully patched 98 Second Edition machine
> using
> Mozilla Firefox compared to Internet Explorer since Internet Explorer
> patches
> for Windows 98 Second Edition ended July 11, 2006. The NT source code is
> at
> risk as can be seen by the postings of US-Cert which is the computer
> readiness team and part of the Department of Homeland Security.
>
> http://www.us-cert.gov/cas/bulletins/SB08-196.html
>
> Microsoft -- windows-nt
>
> Unspecified vulnerability in Microsoft DNS in Windows 2000 SP4, XP SP2 and
> SP3, and Server 2003 SP1 and SP2 allows remote attackers to conduct cache
> poisoning attacks via unknown vectors, aka "DNS Cache Poisoning
> Vulnerability," a different vulnerability than CVE-2008-1447.
>
> unknown
> 2008-07-08
> 9.4 CVE-2008-1454 MS
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1454
>
> http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
>
> I know a fair amount about computer security and safety and helped beta
> test
> Windows Vista Ultimate 32 bit edition for Microsoft as a volunteer. I got
> the DVD with the ISO image from a friend named Jeff who was a systems
> engineer and also testing Vista for Microsoft and then got approval from
> Microsoft to test it and inputed the given product key that Microsoft gave
> me
> for the evaluation version. The problem is that Microsoft has only one
> line
> of code and that makes it that much easier for hackers to target many
> machines and take them over.
>
> With Windows 98 Second Edition, a single machine might have been
> compromised
> but not the whole network. I have had problems with a workplace that I
> recently worked at that stupidly switched to all XP machines and did not
> leave any 98 Second Edition machines in place and that included my own
> Windows 98 Second Edition machine there. That was a huge mistake that I
> don't think the business will repeat. With the 98SE machine, I knew and I
> was right that my machine would be very unlikely to be hacked compared to
> the
> compromised machines of the NT (XP Professional) in this case. The
> incident
> happened in the summer of 2007. I will give you more details via secure
> email if you like.
>
> I have read in a book about Microsoft that early system engineers
> complained
> that NT did not have a true maintenance operating system like DOS. Chris
> Quirke, MVP. has a good article about the safety and security concerns.
> Windows 9x is safe at its core compared to Windows NT line which includes
> 2000, XP and Vista of course. There was also a rumor a while back that
> parts
> of the NT source code were leaked over the Internet compared to the 9x
> source
> code which was never leaked over the Internet, AFAIK.
>
> http://cquirke.blogspot.com/
>
> (Note: Chris Quirke's 9x website talks about the 9x compared to NT
> security
> and safety discussion)
>
> There is also Unix/Linux technologies and I have played around a little
> bit
> with Ubuntu Linux but I am in no way proficient with it and have only read
> a
> small portion of a big book about Ubuntu Linux.
>
> Finally, my question to you is that I know about the economics and how
> costly it would be for Microsoft to continue the 9x line or even overall
> it
> to make it usable in today's environment but wouldn't the economic cost be
> worth the great reward. I have friends of mine at summer camp who are
> planning mainly on building 98 Second Edition machines just for the
> ability
> to play older games and secondly because these friends feel as I do about
> how
> it is harder to hack into a 9x machine with the proper safeguards applied
> such as a wired router that has the wireless broadcast signal turned off
> so
> as not to attract unwanted or uneeded attention from hackers.
>
> If Microsoft will not develop the 9x source code then at least sell it to
> the United States Military so that the Defense Department can more fully
> protect their military infrastructure from external threats and even
> better
> from potential internal threats from their network of computers from a
> potential spy. The possibilities for 9x are endless and so please I ask
> you
> as a professional to have Microsoft sell 9x kernel unless Microsoft is
> willing which I think would be a smart business move to invest money in
> the
> another Windows 9x that would not subtract features such as easy access to
> DOS and ideally the ability to play old classic games like Windows
> Millennium
> (ME) did.
>
> I am a gamer who is a Generation X'er who got his start on an IBM PCjr
> playing King's Quest 1 on a 5.25 inch floppy disk that was made by Sierra
> On
> Line and had 16 colors and the speaker on the machine supported 3 sounds
> at
> once which was cool. The game had 128 kilobytes on one disk and how is
> that
> for compression despite the obvious limitations compared to today's games.
> I
> still have this machine in storage and it still works! The interesting
> thing
> is that a poster to Game Informer which I read posted about how he was 17
> and
> liked older classic games and his friends made fun of him for it and his
> first name was Daniel too. <grin>
>
> I also enjoy reading PC World, 2600 which is a hacker magazine (I must
> keep
> up to prevent hackers from compromising all of us), and other computer and
> network books. I took several computer classes in college and who knows I
> may go back and get another undergraduate degree but this time in computer
> science. I know that a dream will allow a little guy like me change the
> world despite all the challenges life has thrown at me. Please feel free
> to
> contact me by email or I can contact you by email. My email address is
> with
> Microsoft and on their records. I can also give you an srx number on a
> recent case with Microsoft if you need to confirm my identity. Thanks
> again
> for all you do, Steve and Go Microsoft!
>
> "Steve Riley [MSFT]" wrote:
>
>> Biometrics can never replace passwords, because they aren't secrets.
>>
>> It's me, and here's my proof: why identity and authentication must remain
>> distinct
>> http://technet.microsoft.com/en-us/library/cc512578(TechNet.10).aspx
>>
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> news:774EE7CB-CA2B-4E7B-82CD-20D2B56C04B4@microsoft.com...
>> > Bingo! You solved the issue and yes it is one of those cheap
>> > fingerprint
>> > scanners where you just swipe your finger so it must have already had
>> > the
>> > image of my fingerprint on the scanner. It sounds like someone would
>> > need
>> > to
>> > clean the fingerprint scanner each time and it does indeed seem very
>> > easy
>> > to
>> > fool. So much for the security of Biometrics at least cheap Biometric
>> > devices
>> >
>> > "Juergen Nieveler" wrote:
>> >
>> >> Dan <Dan@discussions.microsoft.com> wrote:
>> >>
>> >> > How secure and safe is biometric technology? The reason I bring
>> >> > this
>> >> > up is because I was able to log in using my finger with a band-aid
>> >> > attached and this definitely makes me question the security and
>> >> > safety
>> >> > of biometric technology at least as far as laptops go. I imagine
>> >> > there probably is lots of articles on this already but I wanted the
>> >> > opinions of this newsgroup. Thanks in advance for the replies.
>> >>
>> >> If this was one of those fingerprint readers where you simply put your
>> >> finger on (as opposed to those where you rub your finger along the
>> >> contact plate in a swipe motion), chances are that the camera inside
>> >> picked up the latent fingerprint that was still on the glass - this is
>> >> a common vulnerability of those cheap camera-based readers. All they
>> >> do
>> >> is notice "Oh, something is pushing on the glass, and I recognise the
>> >> pattern" - if the person who last used it had greasy fingers, the
>> >> fingerprint would still be on the glass, so putting something on the
>> >> glass that doesn't have OTHER fingerprints will force the camera to
>> >> use
>> >> the weak fingerprint image still visible to it...
>> >>
>> >> The swipe-type readers are safer in that there can't be an image left
>> >> on the reader... but many of them still can be fooled by a fake
>> >> fingerprint made by taking the fingerprint off something somebody
>> >> touched (lots of how-to's available for that...).
>> >>
>> >> Juergen Nieveler
>> >> --
>> >> A feature is a bug with seniority.
>> >>

 

[Steve Riley [MSFT]]

Dan, I recommend you rethink your logic.

The Windows 3.1/9x code was designed and written in an entirely different
age -- one in which TCP/IP was not the standard networking protocol, one in
which indeed networks were rare, and one in which everyone (we and our
customers) assumed that only good guys used computers.

The world no longer lives in that age. If you take any kind of system
(operating system, engineering system, whatever) and place it in an
environment that is wildly different than the original assumptions, that
system will fail catastrophically. There is simply no way we can retrofit
that very old code to function correctly in today's world of intentional
attacks.

I'm not exactly sure how you can make the statement that "a 9x machine with
the proper safeguards such as a wired router that has wireless broadcast
signal turned off" is more secure than XP or Vista. Firstly, an XP or Vista
box behind such a router would be equally "safe" from attack. Secondly,
disabling SSID broadcast in reality does not accord you any security -- see
my article here:
http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx.

You quote a specific vulnerability below, about DNS, and you then make the
argument that this is a reason the military should be using 9x instead of
XP/Vista. How does that follow? How do you know that 9x doesn't have the
same vulnerability? No one can know, because we don't test 9x anymore. It's
simply too old.

And you mention our password checker. Actually, I think its recommendations
aren't strong enough, and I'm working with the folks who own that feature to
improve its strength.


--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Dan" <Dan@discussions.microsoft.com> wrote in message
news:175E7266-E50E-40A2-BE3C-305165779621@microsoft.com...
> Thank you, Steve. I appreciate your feedback. Another problem we face in
> computing today is the industry is not fully backing tougher security and
> safety protocols. An example of this is the American Express website
> which
> will only allow me to input a password that is less than optimal according
> to
> Microsoft's password checker. Microsoft is doing their part in many ways
> but
> the rest of the industry must catch up.
>
> http://www.microsoft.com/protect/yourself/password/checker.mspx
>
> It is critical in this day and age to have alternatives to just the main
> Windows operating system that includes Internet Explorer. I am very
> pleased
> with Microsoft and their technologies so I will continue to use them
> frequently. However, as a power user, I am very pleased that users have
> alternatives such as Mozilla Firefox as an option and it does indeed
> remain
> for use with Windows 98 Second Edition at least until December 2008
> because
> that is when Mozilla Firefox 2.x support is scheduled to end.
>
> http://en.wikipedia.org/wiki/Mozilla_Firefox
>
> This is most unfortunate in my view since the 9x source code has definite
> advantages over the NT business line of source code. 9x computers were
> meant
> as stand-a-lone machines and thus are great for consumers who do not need
> or
> want the ability to have others tinker with their machines. The many
> services provided in XP allow for their to many greater points of access
> to a
> fully patched XP machine than a fully patched 98 Second Edition machine
> using
> Mozilla Firefox compared to Internet Explorer since Internet Explorer
> patches
> for Windows 98 Second Edition ended July 11, 2006. The NT source code is
> at
> risk as can be seen by the postings of US-Cert which is the computer
> readiness team and part of the Department of Homeland Security.
>
> http://www.us-cert.gov/cas/bulletins/SB08-196.html
>
> Microsoft -- windows-nt
>
> Unspecified vulnerability in Microsoft DNS in Windows 2000 SP4, XP SP2 and
> SP3, and Server 2003 SP1 and SP2 allows remote attackers to conduct cache
> poisoning attacks via unknown vectors, aka "DNS Cache Poisoning
> Vulnerability," a different vulnerability than CVE-2008-1447.
>
> unknown
> 2008-07-08
> 9.4 CVE-2008-1454 MS
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1454
>
> http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
>
> I know a fair amount about computer security and safety and helped beta
> test
> Windows Vista Ultimate 32 bit edition for Microsoft as a volunteer. I got
> the DVD with the ISO image from a friend named Jeff who was a systems
> engineer and also testing Vista for Microsoft and then got approval from
> Microsoft to test it and inputed the given product key that Microsoft gave
> me
> for the evaluation version. The problem is that Microsoft has only one
> line
> of code and that makes it that much easier for hackers to target many
> machines and take them over.
>
> With Windows 98 Second Edition, a single machine might have been
> compromised
> but not the whole network. I have had problems with a workplace that I
> recently worked at that stupidly switched to all XP machines and did not
> leave any 98 Second Edition machines in place and that included my own
> Windows 98 Second Edition machine there. That was a huge mistake that I
> don't think the business will repeat. With the 98SE machine, I knew and I
> was right that my machine would be very unlikely to be hacked compared to
> the
> compromised machines of the NT (XP Professional) in this case. The
> incident
> happened in the summer of 2007. I will give you more details via secure
> email if you like.
>
> I have read in a book about Microsoft that early system engineers
> complained
> that NT did not have a true maintenance operating system like DOS. Chris
> Quirke, MVP. has a good article about the safety and security concerns.
> Windows 9x is safe at its core compared to Windows NT line which includes
> 2000, XP and Vista of course. There was also a rumor a while back that
> parts
> of the NT source code were leaked over the Internet compared to the 9x
> source
> code which was never leaked over the Internet, AFAIK.
>
> http://cquirke.blogspot.com/
>
> (Note: Chris Quirke's 9x website talks about the 9x compared to NT
> security
> and safety discussion)
>
> There is also Unix/Linux technologies and I have played around a little
> bit
> with Ubuntu Linux but I am in no way proficient with it and have only read
> a
> small portion of a big book about Ubuntu Linux.
>
> Finally, my question to you is that I know about the economics and how
> costly it would be for Microsoft to continue the 9x line or even overall
> it
> to make it usable in today's environment but wouldn't the economic cost be
> worth the great reward. I have friends of mine at summer camp who are
> planning mainly on building 98 Second Edition machines just for the
> ability
> to play older games and secondly because these friends feel as I do about
> how
> it is harder to hack into a 9x machine with the proper safeguards applied
> such as a wired router that has the wireless broadcast signal turned off
> so
> as not to attract unwanted or uneeded attention from hackers.
>
> If Microsoft will not develop the 9x source code then at least sell it to
> the United States Military so that the Defense Department can more fully
> protect their military infrastructure from external threats and even
> better
> from potential internal threats from their network of computers from a
> potential spy. The possibilities for 9x are endless and so please I ask
> you
> as a professional to have Microsoft sell 9x kernel unless Microsoft is
> willing which I think would be a smart business move to invest money in
> the
> another Windows 9x that would not subtract features such as easy access to
> DOS and ideally the ability to play old classic games like Windows
> Millennium
> (ME) did.
>
> I am a gamer who is a Generation X'er who got his start on an IBM PCjr
> playing King's Quest 1 on a 5.25 inch floppy disk that was made by Sierra
> On
> Line and had 16 colors and the speaker on the machine supported 3 sounds
> at
> once which was cool. The game had 128 kilobytes on one disk and how is
> that
> for compression despite the obvious limitations compared to today's games.
> I
> still have this machine in storage and it still works! The interesting
> thing
> is that a poster to Game Informer which I read posted about how he was 17
> and
> liked older classic games and his friends made fun of him for it and his
> first name was Daniel too. <grin>
>
> I also enjoy reading PC World, 2600 which is a hacker magazine (I must
> keep
> up to prevent hackers from compromising all of us), and other computer and
> network books. I took several computer classes in college and who knows I
> may go back and get another undergraduate degree but this time in computer
> science. I know that a dream will allow a little guy like me change the
> world despite all the challenges life has thrown at me. Please feel free
> to
> contact me by email or I can contact you by email. My email address is
> with
> Microsoft and on their records. I can also give you an srx number on a
> recent case with Microsoft if you need to confirm my identity. Thanks
> again
> for all you do, Steve and Go Microsoft!
>
> "Steve Riley [MSFT]" wrote:
>
>> Biometrics can never replace passwords, because they aren't secrets.
>>
>> It's me, and here's my proof: why identity and authentication must remain
>> distinct
>> http://technet.microsoft.com/en-us/library/cc512578(TechNet.10).aspx
>>
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> news:774EE7CB-CA2B-4E7B-82CD-20D2B56C04B4@microsoft.com...
>> > Bingo! You solved the issue and yes it is one of those cheap
>> > fingerprint
>> > scanners where you just swipe your finger so it must have already had
>> > the
>> > image of my fingerprint on the scanner. It sounds like someone would
>> > need
>> > to
>> > clean the fingerprint scanner each time and it does indeed seem very
>> > easy
>> > to
>> > fool. So much for the security of Biometrics at least cheap Biometric
>> > devices
>> >
>> > "Juergen Nieveler" wrote:
>> >
>> >> Dan <Dan@discussions.microsoft.com> wrote:
>> >>
>> >> > How secure and safe is biometric technology? The reason I bring
>> >> > this
>> >> > up is because I was able to log in using my finger with a band-aid
>> >> > attached and this definitely makes me question the security and
>> >> > safety
>> >> > of biometric technology at least as far as laptops go. I imagine
>> >> > there probably is lots of articles on this already but I wanted the
>> >> > opinions of this newsgroup. Thanks in advance for the replies.
>> >>
>> >> If this was one of those fingerprint readers where you simply put your
>> >> finger on (as opposed to those where you rub your finger along the
>> >> contact plate in a swipe motion), chances are that the camera inside
>> >> picked up the latent fingerprint that was still on the glass - this is
>> >> a common vulnerability of those cheap camera-based readers. All they
>> >> do
>> >> is notice "Oh, something is pushing on the glass, and I recognise the
>> >> pattern" - if the person who last used it had greasy fingers, the
>> >> fingerprint would still be on the glass, so putting something on the
>> >> glass that doesn't have OTHER fingerprints will force the camera to
>> >> use
>> >> the weak fingerprint image still visible to it...
>> >>
>> >> The swipe-type readers are safer in that there can't be an image left
>> >> on the reader... but many of them still can be fooled by a fake
>> >> fingerprint made by taking the fingerprint off something somebody
>> >> touched (lots of how-to's available for that...).
>> >>
>> >> Juergen Nieveler
>> >> --
>> >> A feature is a bug with seniority.
>> >>

 

[Dan]

"Daniel Petri <MVP>" wrote:

> So, to make a long story short, you claim the the "Windows 9X" source code
> and entire OS is far more secure than today's "Windows NT" - i.e. Vista?
>
> --
> Sincerely,
>
> Daniel Petri
> MVP, Senior IT consultant, trainer
> www.petri.co.il

The NT source code has much more security. The external security of Windows
Vista is especially good. The internal safety and core of 9x is safer than
the core of NT being based upon MS-DOS which is the maintenance operating
system of 98 Second Edition. What maintenance operating system does Vista
have? Please see Chris Quirke, MVP website.

http://cquirke.spaces.live.com/blog/cns!C7DAB1E724AB8C23!336.entry

I am talking about the debate that Chris Quirke, MVP talks about the safety
and security comparison. The best example I can give is to think of a major
fortress with great fortifications that is extremely hard to break through.
This major fortress represents the Windows NT source code and is especially
good right now in Windows Vista Service Pack 1 which I am using right now and
writing this post from Windows Vista Service Pack 1. Heck, I would not have
been a volunteer tester for Windows Vista on security if I did not like
Microsoft products and did not feel Windows NT was secure. For mobile
technology such as laptops I would highly suggest Windows Vista over any
other Windows when a person is traveling. However, with the proper
safeguards Windows 98 Second Edition can be made fairly secure if a user is
connected by a wired router to the Internet with anti-spyware programs such
as Spybot Search and Destroy and SpywareBlaster and using a currently
supported browser in 98 SE such as Mozilla Firefox which is currently
supported 98SE at least until December 2008 with Mozilla Firefox 2.

The problem here is that the Windows NT source code that includes Windows
2000, Windows XP and Windows Vista is meant to be managed by the IT
Professional and not by individual users. This is usually great in an office
environment that needs to limit the user's rights and grant usually the
majority of users a standard account and a few limited users an administrator
account. However, for home users such as when I am at home and not at work,
I like Windows 98 Second Edition because I enjoy playing older DOS games and
using older DOS programs that will not run in XP or Vista. In addition, if
someone does manage to break through all the external security of XP (not
sure about Vista since it is so new and indeed more secure than XP) then the
hacker(s) can wreck havoc on the network. This is what happened at my old
workplace when I went away on vacation during the summer and the higher-ups
decided it was time to get rid of Windows 98 Second Edition for good and only
have Windows XP Professional computers at my workplace.

Apparently, during the summer someone hacked the network and whether it was
an inside job (which I now suspect) or an outside job the individual(s) knew
their stuff really well. They undid all my work that took me a full year to
implement and bring the workplace from really bad computer problems to a well
functioning network and undid it in a matter of 3 months while I was gone.
If you have not figured it out yet, it was indeed a school that according to
the main computer network administrator Stephanie she said that former
individual(s) had left the school prior and destroyed the computer network
because these individual(s) were mad at the school and took their vengeance
on the computer network since they did not want to physically hurt the
children but it certainly hurt the children's ability to learn which really
makes me annoyed. Perhaps these individual(s) still had some prior access
that had not been revoked and were able to wreck havoc on the network during
the summer and it seems like they may have had to get on site and what better
opportunity while the main computer guy was out of the city.

However, if the few Windows 98 Second Edition machines had not been phased
out that summer then I would have been able to lean back upon those machines
since they were not accessible via the general school network and indeed did
not rely upon remote access which can be problematic when turned on as it was
with Windows XP Professional and with the Public School Network. I am
deliberately being vague about the specifics because this may end up being a
legal issue. In addition, Chris Quirke, MVP talks about the problem that
Windows Vista has because it lacks a true maintenance operating system like
MS-DOS in 98 Second Edition which had easy access to MS-DOS and good
backwards compatibility which Windows ME lacked. Windows ME looked good and
worked okay and did have better general USB support than 98SE but it really
was a joke and crippled operating system in my opinion since it lacked so
much and broke so easily. Finally, this proves the importance of the 9x
source code for the safety such as using one 98 Second Edition computer for
backup of the workplace that only one trusted individual who has been with
the company for many years is allowed to access. I have heard from my friend
John about how some businesses in New York State have used a 98 Second
Edition machine in the past as a gateway to the computer network which sounds
like a really smart idea. Windows 98 Second Edition also allowed consumers
who want to play old games to play the older games and individuals like
myself to work in a true text based interface and do away with the
limitations of a GUI interface. Just my two cents for what it is worth.

 

[Dan]

Exactly. Thank you for your feedback.

"Juergen Nieveler" wrote:

> Dan <Dan@discussions.microsoft.com> wrote:
>
> > Bingo! You solved the issue and yes it is one of those cheap
> > fingerprint scanners where you just swipe your finger so it must have
> > already had the image of my fingerprint on the scanner. It sounds
> > like someone would need to clean the fingerprint scanner each time and
> > it does indeed seem very easy to fool. So much for the security of
> > Biometrics at least cheap Biometric devices
>
> There's a reason why Microsoft warns not to use their fingerprint
> reader for any security-sensitive stuff, it won't allow you to log on
> to a domain, for example...
>
> Juergen Nieveler
> --
> Line noise provided by German Telekom!
>

 

[Daniel Petri]

Just like Steve Riley said, I strongly suggest you re-think your security
concepts Dan. Sitting behind my desk and reading your post about how your
school network was hacked all I can think of is that someone should have
done a better job in protecting their network. How can you even begin to
compare the strength of a properly-configured (I emphasize
"propery-configured"!!!) Windows XP/Vista machine with ANY Windows 9X
machine, when related to security??? Saying that 9X is better just because
someone hacked into a poorly-protected and wrongfully-configured network is
like claiming that a VW Beatle is far better than a modern car because
modern cars use computers to control almost any aspect of their engine and
behavior, therefore if someone hacks into that computer, all modern cars
will stop working. Right. Let's all just use MS-DOS because you "like to
play DOS games"... Sorry. Posting long answers doesn't qualify them as
correct.

--
Sincerely,

Daniel Petri
MVP, Senior IT consultant, trainer
www.petri.co.il

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:B7ECB637-506D-4DF7-B636-923D0520D1BD@microsoft.com...
>
>
> "Daniel Petri <MVP>" wrote:
>
>> So, to make a long story short, you claim the the "Windows 9X" source
>> code
>> and entire OS is far more secure than today's "Windows NT" - i.e. Vista?
>>
>> --
>> Sincerely,
>>
>> Daniel Petri
>> MVP, Senior IT consultant, trainer
>> www.petri.co.il
>
> The NT source code has much more security. The external security of
> Windows
> Vista is especially good. The internal safety and core of 9x is safer
> than
> the core of NT being based upon MS-DOS which is the maintenance operating
> system of 98 Second Edition. What maintenance operating system does Vista
> have? Please see Chris Quirke, MVP website.
>
> http://cquirke.spaces.live.com/blog/cns!C7DAB1E724AB8C23!336.entry
>
> I am talking about the debate that Chris Quirke, MVP talks about the
> safety
> and security comparison. The best example I can give is to think of a
> major
> fortress with great fortifications that is extremely hard to break
> through.
> This major fortress represents the Windows NT source code and is
> especially
> good right now in Windows Vista Service Pack 1 which I am using right now
> and
> writing this post from Windows Vista Service Pack 1. Heck, I would not
> have
> been a volunteer tester for Windows Vista on security if I did not like
> Microsoft products and did not feel Windows NT was secure. For mobile
> technology such as laptops I would highly suggest Windows Vista over any
> other Windows when a person is traveling. However, with the proper
> safeguards Windows 98 Second Edition can be made fairly secure if a user
> is
> connected by a wired router to the Internet with anti-spyware programs
> such
> as Spybot Search and Destroy and SpywareBlaster and using a currently
> supported browser in 98 SE such as Mozilla Firefox which is currently
> supported 98SE at least until December 2008 with Mozilla Firefox 2.
>
> The problem here is that the Windows NT source code that includes Windows
> 2000, Windows XP and Windows Vista is meant to be managed by the IT
> Professional and not by individual users. This is usually great in an
> office
> environment that needs to limit the user's rights and grant usually the
> majority of users a standard account and a few limited users an
> administrator
> account. However, for home users such as when I am at home and not at
> work,
> I like Windows 98 Second Edition because I enjoy playing older DOS games
> and
> using older DOS programs that will not run in XP or Vista. In addition,
> if
> someone does manage to break through all the external security of XP (not
> sure about Vista since it is so new and indeed more secure than XP) then
> the
> hacker(s) can wreck havoc on the network. This is what happened at my old
> workplace when I went away on vacation during the summer and the
> higher-ups
> decided it was time to get rid of Windows 98 Second Edition for good and
> only
> have Windows XP Professional computers at my workplace.
>
> Apparently, during the summer someone hacked the network and whether it
> was
> an inside job (which I now suspect) or an outside job the individual(s)
> knew
> their stuff really well. They undid all my work that took me a full year
> to
> implement and bring the workplace from really bad computer problems to a
> well
> functioning network and undid it in a matter of 3 months while I was gone.
> If you have not figured it out yet, it was indeed a school that according
> to
> the main computer network administrator Stephanie she said that former
> individual(s) had left the school prior and destroyed the computer network
> because these individual(s) were mad at the school and took their
> vengeance
> on the computer network since they did not want to physically hurt the
> children but it certainly hurt the children's ability to learn which
> really
> makes me annoyed. Perhaps these individual(s) still had some prior access
> that had not been revoked and were able to wreck havoc on the network
> during
> the summer and it seems like they may have had to get on site and what
> better
> opportunity while the main computer guy was out of the city.
>
> However, if the few Windows 98 Second Edition machines had not been phased
> out that summer then I would have been able to lean back upon those
> machines
> since they were not accessible via the general school network and indeed
> did
> not rely upon remote access which can be problematic when turned on as it
> was
> with Windows XP Professional and with the Public School Network. I am
> deliberately being vague about the specifics because this may end up being
> a
> legal issue. In addition, Chris Quirke, MVP talks about the problem that
> Windows Vista has because it lacks a true maintenance operating system
> like
> MS-DOS in 98 Second Edition which had easy access to MS-DOS and good
> backwards compatibility which Windows ME lacked. Windows ME looked good
> and
> worked okay and did have better general USB support than 98SE but it
> really
> was a joke and crippled operating system in my opinion since it lacked so
> much and broke so easily. Finally, this proves the importance of the 9x
> source code for the safety such as using one 98 Second Edition computer
> for
> backup of the workplace that only one trusted individual who has been with
> the company for many years is allowed to access. I have heard from my
> friend
> John about how some businesses in New York State have used a 98 Second
> Edition machine in the past as a gateway to the computer network which
> sounds
> like a really smart idea. Windows 98 Second Edition also allowed
> consumers
> who want to play old games to play the older games and individuals like
> myself to work in a true text based interface and do away with the
> limitations of a GUI interface. Just my two cents for what it is worth.

 

[Dan]

Thank you for your feedback, Steve. I was wondering since the Windows 9x
source code is now so old and not really useful then would Microsoft be
willing to sell it. I can think of some buyers who would be willing to pay
good money for the 9x source code and since it is no longer useful to
Microsoft because it is so old then why not just get rid of it and be done
with this now useless technology.


The NT source code was leaked:

http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.mspx

"Steve Riley [MSFT]" wrote:

> Dan, I recommend you rethink your logic.
>
> The Windows 3.1/9x code was designed and written in an entirely different
> age -- one in which TCP/IP was not the standard networking protocol, one in
> which indeed networks were rare, and one in which everyone (we and our
> customers) assumed that only good guys used computers.
>
> The world no longer lives in that age. If you take any kind of system
> (operating system, engineering system, whatever) and place it in an
> environment that is wildly different than the original assumptions, that
> system will fail catastrophically. There is simply no way we can retrofit
> that very old code to function correctly in today's world of intentional
> attacks.
>
> I'm not exactly sure how you can make the statement that "a 9x machine with
> the proper safeguards such as a wired router that has wireless broadcast
> signal turned off" is more secure than XP or Vista. Firstly, an XP or Vista
> box behind such a router would be equally "safe" from attack. Secondly,
> disabling SSID broadcast in reality does not accord you any security -- see
> my article here:
> http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx.
>
> You quote a specific vulnerability below, about DNS, and you then make the
> argument that this is a reason the military should be using 9x instead of
> XP/Vista. How does that follow? How do you know that 9x doesn't have the
> same vulnerability? No one can know, because we don't test 9x anymore. It's
> simply too old.
>
> And you mention our password checker. Actually, I think its recommendations
> aren't strong enough, and I'm working with the folks who own that feature to
> improve its strength.
>
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>

 

[Paul Adare - MVP]

On Thu, 17 Jul 2008 10:50:01 -0700, Dan wrote:

> Thank you for your feedback, Steve. I was wondering since the Windows 9x
> source code is now so old and not really useful then would Microsoft be
> willing to sell it. I can think of some buyers who would be willing to pay
> good money for the 9x source code and since it is no longer useful to
> Microsoft because it is so old then why not just get rid of it and be done
> with this now useless technology.

Intellectual Property is not all about bits and lines of source code. You
also need to consider the algorithms that are being used. Just because
Windows 9x is no longer being sold or maintained does not mean that there
is no IP in the source code that Microsoft needs to protect.

>
>
> The NT source code was leaked:
>
> http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.mspx

This is pretty much a non-sequitur. Just because some source code was
leaked, it doesn't follow that Microsoft should sell off old source code.

While Chris Quirke is an MVP that does not mean that his whole "maintenance
OS" concept is endorsed by Microsoft, nor does it mean that it is endorsed
by the security community at large.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
No program done by an undergrad will work after she graduates.

 

[Dan]

So Windows 9x does still have value at least in the algorithms that Windows
9x uses. Thus, my point that Windows 9x is not without value in the modern
computing environment.

I still use Windows 98 Second Edition and go online with it with Mozilla
Firefox 2.0.x. The only big problem I have with Windows 98 Second Edition
now is that it has some trouble keeping up with the hardware on my machine.
My desktop is a custom built one and is maintained by me and my friend Jeff
who is a systems engineer. Windows 98 Second Edition is in Fat32 and on one
hard drive. I have Windows XP Professional on the other hard drive in NTFS.

I use a Toshiba Laptop that has Windows Vista Home Premium Service Pack 1
because I do see the value of Vista's Security especially when travelling.
It currently has an OEM version on it but I plan to go with a full retail
version when my warranty with Toshiba expires which is fairly soon.

The rationale behind a custom built machine is that it is mine and I get to
choose the hardware parts I want on my machine and if a vulnerability is
targetted for a particular macine then no worries because mine is custom
built. In addition, by having clean installs of Windows 98 Second Edition
and XP Professional then you can have a clean start and not deal with all the
craplets that come with buying a PC outright. Sure, I can use an emulator
for games to run in XP Professional which is indeed nice but XP to me does
not have the same feel as the machine being fully mine like 98 Second Edition
has.

Windows XP and Vista are great for the modern workplace where a main IT
techie must maintain the whole computer network and carefully harden security
protocol and limit the amount of administrators in the network to limit the
potential damage to the network. However, if I was running a business I
would certainly have at least one computer with Windows 98 Second Edition
that was not connected up with the rest of the domain to help ensure that if
the network was hacked then at least all the important protocols and
procedures were backed up on this computer.

Ideally, this 98 Second Edition computer would be offline for safety reasons
but you could have another 98SE machine or 2 on-line that were there purely
for backup reasons if the whole network went down then at least you could
still have access to the Internet via your 98SE machines and even have those
networked seperately if you liked.

My rationale for another 9x or if that is not possible then an entirely new
Windows source code is that NT is dated as well and never fully had what it
should at the beginning of its life. At least Windows 9x had DOS as a
maintenance operating system, according to Chris Quirke, MVP. The Windows NT
(New Technology) kernel was joked as being Not There by early Microsoft
Systems Engineers because it was not there by lacking a maintenance operating
system.

Finally, by Microsoft having 2 lines of source code which was indeed
expensive and time-consuming for Microsoft to support iis that t at least it
gave the consumer a fighting chance. The reason is that most hackers much
prefer to go after the higher financial rewards of big companies such as
banks and so did not bother with the little people who just connected with
their home PC via dial-up on a Windows 9x machine.

As many people can see now even dial-up users are being targetted more
frequently because hackers are trying to get anyone who is not properly safe
and secure in the pc world. Sure Windows 98 Second Edition is not secure
but it is safe because it has less services then XP Professional and if
anyone tries an experiment of putting 2 computers with 98 SE and XP
Professional on-line and leave them with the defaults attached which computer
will be compromised first. If you guessed the XP Professional computer then
you are correct. This can be proven in a test environment. Of course the
98SE password is a joke that users can easily get around but it is safe as
Chris Quirke, MVP maintains and I fully agree with his analysis on this
because he is a really smart guy. The 98 SE machine was and is mainly meant
for the home consumer who does not need many accounts and is not nearly as
concerned with security as the company with Windows XP is and of course
should be.

The home user wants the computer to play games and function well in getting
some work done perhaps by using Office which users can actually still use
Windows Office XP on a 98 machine. I have done it and it works and the
Office XP Professional side still is being maintained by security updates
from Microsoft. I apologize for the long posts but it is my way of getting
my point across and sure I see that I may have to examine parts of my logic
that are flawed but I also encourage you professionals out there to have an
open ended mind towards the safety and security debate. Thank you all so
much for your feedback! It is critical to have competition in the
marketplace because it allows consumers such as myself to have free choice
when I choose to use Mozilla Firefox instead of Internet Explorer for many
instances but the Active X technology of IE is useful on certain websites
especially when you want to auto-update and you have to install and load the
Active X module. Thus you can see that I am not anti-Microsoft and I love
and enjoy using their products as well as trying out and testing other
products such as Mozilla Firefox, Apple computers and Ubuntu Linux on my
Windows PC.

"Paul Adare - MVP" wrote:

> On Thu, 17 Jul 2008 10:50:01 -0700, Dan wrote:
>
> > Thank you for your feedback, Steve. I was wondering since the Windows 9x
> > source code is now so old and not really useful then would Microsoft be
> > willing to sell it. I can think of some buyers who would be willing to pay
> > good money for the 9x source code and since it is no longer useful to
> > Microsoft because it is so old then why not just get rid of it and be done
> > with this now useless technology.
>
> Intellectual Property is not all about bits and lines of source code. You
> also need to consider the algorithms that are being used. Just because
> Windows 9x is no longer being sold or maintained does not mean that there
> is no IP in the source code that Microsoft needs to protect.
>
> >
> >
> > The NT source code was leaked:
> >
> > http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.mspx
>
> This is pretty much a non-sequitur. Just because some source code was
> leaked, it doesn't follow that Microsoft should sell off old source code.
>
> While Chris Quirke is an MVP that does not mean that his whole "maintenance
> OS" concept is endorsed by Microsoft, nor does it mean that it is endorsed
> by the security community at large.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> No program done by an undergrad will work after she graduates.
>

 

[Dan]

I looked over your blog and like your points Steve. You certainly have a
great grasp of the security aspect of protecting computers. Now here is my
view:

1. Please implement all of your security protocols

2. Use Windows 98 Second Edition Machines as a safety internal protocol as
Chris Quirke, MVP suggests how the internal safety of 9x is awesome and makes
remote hacking difficult thus when someone does manage to hack a network they
cannot overcome the internal safety of the 9x operating system that has the
maintenance operating system of DOS that Chris Quirke, MVP maintains is
sorely lacking in Vista.
Consider the possibility of having one 98 Second Edition machine as a
Gateway to the Network.

3. Maintain certain machines as off-line only in locked and secure rooms
with minimal access and information only given on an as needed basis as is
done in the military and at defense companies like Raytheon after full
background checks and after enough time has passed that you can prove the
person is not a spy.

4. Implement the proper configuration and customize hardware options of all
machines so if a certain machine that is released in the market has been
compromised the security and safety of your network is not at risk.

5. Inform US-Cert (Department of Homeland Security in the States) of any
attempted and seriously probing of your network.

6. Ideally have special catching machines to attract high level hackers to
them for highly valued informaion via the proper protocol of bait and catch.

7. Have Fun and See How Many Hackers you can Catch and Remember this is
Truly all a Game of being able to one up the hackers --- ideally Microsoft
will soon have a 3rd source code that can finally put 9x and NT to rest and
have the best of safety and security within one source code but I wonder if
this is even possible but certainly Microsoft does need a new source code.

Thanks Again for all of your Advice and Your Great Blog and Feel Free to Let
Me Know My Shortcomings in the Debate --- I really appreciate your Feedback

"Steve Riley [MSFT]" wrote:

> Biometrics can never replace passwords, because they aren't secrets.
>
> It's me, and here's my proof: why identity and authentication must remain
> distinct
> http://technet.microsoft.com/en-us/library/cc512578(TechNet.10).aspx
>
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:774EE7CB-CA2B-4E7B-82CD-20D2B56C04B4@microsoft.com...
> > Bingo! You solved the issue and yes it is one of those cheap fingerprint
> > scanners where you just swipe your finger so it must have already had the
> > image of my fingerprint on the scanner. It sounds like someone would need
> > to
> > clean the fingerprint scanner each time and it does indeed seem very easy
> > to
> > fool. So much for the security of Biometrics at least cheap Biometric
> > devices
> >
> > "Juergen Nieveler" wrote:
> >
> >> Dan <Dan@discussions.microsoft.com> wrote:
> >>
> >> > How secure and safe is biometric technology? The reason I bring this
> >> > up is because I was able to log in using my finger with a band-aid
> >> > attached and this definitely makes me question the security and safety
> >> > of biometric technology at least as far as laptops go. I imagine
> >> > there probably is lots of articles on this already but I wanted the
> >> > opinions of this newsgroup. Thanks in advance for the replies.
> >>
> >> If this was one of those fingerprint readers where you simply put your
> >> finger on (as opposed to those where you rub your finger along the
> >> contact plate in a swipe motion), chances are that the camera inside
> >> picked up the latent fingerprint that was still on the glass - this is
> >> a common vulnerability of those cheap camera-based readers. All they do
> >> is notice "Oh, something is pushing on the glass, and I recognise the
> >> pattern" - if the person who last used it had greasy fingers, the
> >> fingerprint would still be on the glass, so putting something on the
> >> glass that doesn't have OTHER fingerprints will force the camera to use
> >> the weak fingerprint image still visible to it...
> >>
> >> The swipe-type readers are safer in that there can't be an image left
> >> on the reader... but many of them still can be fooled by a fake
> >> fingerprint made by taking the fingerprint off something somebody
> >> touched (lots of how-to's available for that...).
> >>
> >> Juergen Nieveler
> >> --
> >> A feature is a bug with seniority.
> >>

 

[Steve Riley [MSFT]]

Thanks for reading.

1. More detail, please. Which ones do you have in mind that we haven't
implemented?

2. There is no "internal safety" in the 9x code. If you connect a 9x
computer to the Internet, it will get attacked. There are plenty of ways to
boot a computer with an alternate operating system if you need to perform
some kind of maintenance. (Note that as more and more people move to volume
and drive encryption, there will be additional steps, especially around key
archiving and recovery passwords.)

3. This is a typical recommendation for root certificate servers -- they are
the sources of authority for identity and they don't need to be online, so
keeping them disconnected and physically secure is sage advice. (And note
that you can't really ever "prove" that someone isn't a spy -- you can't
prove a negative.)

4. Most organizations achieve huge support cost savings by _standardizing_
on hardware. Per-machine custom twiddles add unnecessary complexity, which
increases the likelihood making configuration mistakes, which attackers will
then exploit. (The TPM chip, a hardware device that can store encryption
keys among other things, provides a useful machine identity.)

5. Can't argue with that.

6. You're talking about honeypots and honeynets. They're interesting for
learning about attacker behavior and motivations, but they aren't security
devices.

7. I'm not sure why you insist that the current version of Windows is the
same as NT. Over time we have rewritten much of the code. One example is the
IP stack in Vista/2008 -- it's all new.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Dan" <Dan@discussions.microsoft.com> wrote in message
news:A415E3B7-1750-44E6-8BDE-707D90A5EDB0@microsoft.com...
> I looked over your blog and like your points Steve. You certainly have a
> great grasp of the security aspect of protecting computers. Now here is
> my
> view:
>
> 1. Please implement all of your security protocols
>
> 2. Use Windows 98 Second Edition Machines as a safety internal protocol
> as
> Chris Quirke, MVP suggests how the internal safety of 9x is awesome and
> makes
> remote hacking difficult thus when someone does manage to hack a network
> they
> cannot overcome the internal safety of the 9x operating system that has
> the
> maintenance operating system of DOS that Chris Quirke, MVP maintains is
> sorely lacking in Vista.
> Consider the possibility of having one 98 Second Edition machine as a
> Gateway to the Network.
>
> 3. Maintain certain machines as off-line only in locked and secure rooms
> with minimal access and information only given on an as needed basis as is
> done in the military and at defense companies like Raytheon after full
> background checks and after enough time has passed that you can prove the
> person is not a spy.
>
> 4. Implement the proper configuration and customize hardware options of
> all
> machines so if a certain machine that is released in the market has been
> compromised the security and safety of your network is not at risk.
>
> 5. Inform US-Cert (Department of Homeland Security in the States) of any
> attempted and seriously probing of your network.
>
> 6. Ideally have special catching machines to attract high level hackers to
> them for highly valued informaion via the proper protocol of bait and
> catch.
>
> 7. Have Fun and See How Many Hackers you can Catch and Remember this is
> Truly all a Game of being able to one up the hackers --- ideally Microsoft
> will soon have a 3rd source code that can finally put 9x and NT to rest
> and
> have the best of safety and security within one source code but I wonder
> if
> this is even possible but certainly Microsoft does need a new source code.
>
> Thanks Again for all of your Advice and Your Great Blog and Feel Free to
> Let
> Me Know My Shortcomings in the Debate --- I really appreciate your
> Feedback