So Rich, I see your point about enforcement, but how specifically have you addressed the issue of having passwords on post-its? I know you mentioned becoming friends with the users and making security something they care about (which I agree with), but any other suggestions?
On Thu, Apr 19, 2012 at 7:17 PM, Richard Pieri <richard.pi...@gmail.com> wrote:

> On Apr 19, 2012, at 3:24 PM, Tom Metro wrote:
>
> > As I expected, an academic proof of concept.
>
> Only for the more recent types. The early keyless entry systems, the ones that don't bother with frequency hopping, were more easily abused. RFID is similarly abusable because it doesn't do any (much?) hopping at all.
>
> > Did you read the paper to see what the proposed countermeasures were?
>
> I was unable to find it.
>
> > could be addressed by having the smartphone app fingerprint the WiFi access points in the vicinity. Maybe even verifying that the phone has an active connection to the corporate WiFi, authenticated through your RADIX server (the laptop/desktop component could also confirm this).
> >
> > You've now raised the bar some more.
>
> So... instead of having users remember their passwords you expect them to keep track of little things that they lose and break all the time *and* the passwords needed to make those little things usable. And you've spent a lot of money on hardware and software needed to implement this system.
>
> This isn't raising the bar. This is making things more difficult for the people you're allegedly trying to help.
>
> > Part of your premise was that this sort of relay attack could be accomplished without the phone holder being aware of it. You could also mitigate that by having the app trigger an audio alert when an authentication handshake occurs.
>
> No, my premise is that enforcement of password policies is stupid. It doesn't matter if those passwords are enforced by screen locks and keyboard entry, key cards, smartphone applications, or whatever else someone who thinks he's clever can come up with. Enforcement is stupid because it doesn't address the problem.
>
> --Rich P.
--
Chris O'Connell
http://outlookoutbox.blogspot.com

_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss