[196218] in North American Network Operators' Group
Re: replacing compromised biometric authenticators
daemon@ATHENA.MIT.EDU (Jörg Kost)
Fri Oct 13 09:24:23 2017
X-Original-To: nanog@nanog.org
From: "Jörg Kost" <jk@ip-clear.de>
To: nanog@nanog.org
Date: Fri, 13 Oct 2017 15:24:02 +0200
In-Reply-To: <33e87e9c-3a7e-bd35-5c47-81cb7f3237b4@pubnix.net>
Errors-To: nanog-bounces@nanog.org
Hi,
in the case I mentioned, the datacenter provider (=Level3) removed hand
geometry scanners from its facility and switched all users to card +
pin. Also the provider is going to run this policy Germany- or even
Europe-wide, as I was told by the Level3 account rep.
The mentioned facility does not have any tailgating prevention, e.g. a
mantrap or turnstile access. The outside door, which is visible from the
street, and the inside colocation doors are now sharing the same access
method (card + pin). So now the card becomes valuable and transferable.
Before it was: Parking lot: Card, Outside door: Card + pin, Inside door:
Card + hand.
There is a security sub-sub-contractor on this site, but they are not
responsible for access or anything real :-], that's why I am interested in
how Level3 runs its other facilities and I am still looking for feedback.
From the contract side the access device is not exactly defined, hence you
can accept, quit at the end of term or of course upgrade your suites, racks,
… with a custom solution, as long as Level3 staff can enter, too.
To bring things back to the biometric topic:
The hand geometry scanner does not save fingerprints but hand sizes and
shapes. From current mailings I understand that people have a lot of
different definitions of biometric and may not count the hand scanner as
a "(full?) biometric" device.
Regards "bionic"
Jörg
On 13 Oct 2017, at 13:03, Alain Hebert wrote:
> Odd,
>
> 1. captcha(?)
>
> In my millennia of experience I never saw a captcha used as a
> means for DC access control. Just as a programmatic way to reduce
> brute force for some website functions.
>
>
> On my network janitor keychain I have (in order of hackability
> from easiest to hardest)
>
> 1. keycard only
>
> 2. keycard + fingerprints
>
> 3. keycard + face (2d)
>
> 4a. keycard + eye
>
> 4b. keycard + top of hand mapping
>
> But all the DCs I deal with have highrez cameras and
> tailgating controls... Biometrics are just a part of a wider system.
>
> -----
> Alain Hebert ahebert@pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
>
> On 10/12/17 16:58, Rich Kulawiec wrote:
>> On Wed, Oct 11, 2017 at 05:04:08PM -0400, Ken Chase wrote:
>>> If the current best operating practice is to avoid biometrics, why are they
>>> still in use out here?
>> (1) for the same reason some idiots still use captchas
>> (2) new hotness > old and busted, regardless of merits
>> (3) because they facilitate coerced risk transference away from the
>> people who are actually responsible (and are paid to be so) to the
>> people who shouldn't be responsible (and aren't paid to be)
>>
>> ---rsk
>>
>>