Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

firewall-wizards logo Firewall Wizards mailing list archives

Re: Username password VS hardware token plus PIN
From: Dragos Ruiu <dr () kyx net>
Date: Wed, 23 Feb 2005 19:13:25 -0800

On February 23, 2005 05:18 pm, you wrote:

Dragos Ruiu wrote:

The problem with the old PDA idea is user reluctance.


Then get SecurIDs or whatever for the few users who
insist on 'em.  But there are PDAs that are tiny, too -
credit card size like the Oregon Scientific PDA293
($9.95 at officedepot.com) or Xircom's Rex, which needs
no cradle because it fits in a PCMCIA slot to sync
and recharge...


Heh, being a gadgetaholic, I own a Rex... (which was not
amongst my most stellar purchases btw, or long-lived in 
terms of use,  though it was small enough in its pcmcia
form factor that it rattled around in my suitcase for 
years before i noticed it and threw it in the dinosaur 
equipment pile with the newtons and many other 
strange oddball devices).  I don't know anything 
about the Oregon Scientific device, but the Rex
is a non starter. First killer is the frighteningly limited
input system, and second is the high level of reverse
engineering needed to retrofit anything onto that 
device as it has nothing resembling a programmatic 
interface or any user accessible code bits. It's only
marginally more useful than a paper printout of your 
contacts, though the batteries don't die on paper. :-)


Basically, you're just conveying excuses. And you're
making them sound better by implying that they are
from some senior manager who can't carry a credit
card sized device along with his golf clubs. But the
truth is that he's not going to tolerate *anything*
that enhances security because he's a moron.


Morons happen. They frequently happen in senior 
management. And yes, I've seen plenty of resistance
to even credit card sized tokens as I recommend
the devices.

For the record, remember, I said I _liked_ external
two factor authentication.  I just think that rather than 
trying to defeat the cost issue with old PDAs, you
will have more success selling it as an excuse to 
buy a svelte new sexy modern PDA on a company 
budget. Or go buy some token thingies... Cobbling 
together some frankenstein solution of dubious 
software plus cheap pdas off ebay sounds like 
a recipe for disaster. In the end, if even the 
arguably low cost of the commercial tokens
is too much of a hurdle for a company's data
integrity/security, then there is a security issue
that will likely only be rectified at the board level. :-)

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada       May 4-6 2005  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]