Usual password authentication systems do not store passwords directly on the server, but only hashes of those passwords. Why do fingerprint authentication systems not offer this possibility?
When I SSH into it through my local network, and when I actually go and check with ssh-keygen, I get 1 RSA fingerprint. And when I try to SSH in through my public IP I get a different host fingerprint shown in PuTTY. This host fingerprint does not appear to be the fingerprint of any of the host keys (or even client keys, I checked) on my server. It is totally unknown to me.
Am I the victim of an attempted man-in-the-middle attack? And if so, is there anything I can do so that I can actually SSH into my server remotely without compromising my server’s security?
There is a web server I’d like to recon using httprint.
But that web server has a basic auth protection on 443. Port 80 is not responding. When I launch httprint, it says “Unspecified Error”.
The same thing happens with netcat. It fails because of Basic Auth (i.e. “Connection Refused”). When basic auth is disabled, both netcat and httprint work well.
How can I bypass basic auth for fingerprinting a web server?
This question was originally “Does Firefox in VM have a common enough fingerprint so I don’t need tor browser?” in the Tor community.
I want to know what a web browser’s fingerprint is like in a VM, if the VM runs a common OS and has default system settings. Can a VM be configured to not have any of the host machine’s fingerprint?
(Here I just want to ask about fingerprint, ignoring IP addresses, web scripts and tracking cookies)
Here the VM software we discuss should preferably be FOSS, like VirtualBox or QEMU.
That question could apply not just to web browsers, but also to other kinds of software.
Appreciate any help on the following.
1) Built OpenSSL Fips Module and then ‘static binaries’ of FIPS capable OSSL which ‘statically link to the windows run-time’. Thus, my application binary (FipsApp.exe) does not depend on OSSL DLLs.
2) Consumed these static binaries namely (libeaycompat32.lib, libeayfips32.lib and ssleay32.lib) into myapp.dll using msincore.pl.
3) FipsApp.exe calls function foo() inside myapp.dll which executes FIPS_mode_set() which returns (100:error:2D06B06F:lib(45):func(107): reason (111):/FIPS/FIPS.c:232)
1) On executing the 64-bit FipsApp.exe, FIPS mode gets set and works with the 64-bit myapp.dll.
2) But on executing the 32-bit FipsApp.exe, which uses the 32-bit myapp.dll with the same configuration, FIPS_mode_set() fails with reason 111 (Fingerprint mismatch).
Since above 32-bit myapp.dll did not work, some additional configuration changes were made.
1) Rebuilt the 32-bit myapp.dll with above LFLAGS “/DynamicBase:No /Fixed”. Here the default base address gets used for myapp.dll.
2) Rebuilt the 32-bit myapp.dll with a base address of 0xFB00000. (OSSL does the same thing for FIPS DLLs.)
3) Checked out the following: http://openssl.6102.n7.nabble.com/FIPS-Static-Library-linked-into-Win32-Dll-builds-but-fails-self-test-td63011.html
But the 32-bit myapp DLL always fails with fingerprint mismatch.
How do I get 32-bit myapp.dll working in FIPS mode? FIPS_mode_set() returns (100:error:2D06B06F:lib(45):func(107): reason (111):/FIPS/FIPS.c:232)
If a fingerprint scanner were a human it would probably be like this:
- take a photo of the finger presented for authentication
- check it against the original photo to determine if it’s the same.
This would lead to the problem that the process has a copy of the scanned finger and anyone stealing this then owns/pwns a ‘password’ of mine that I can never change. Obviously they may have other challenges in using that password, but they have it nonetheless, so if an opportunity arises they can use it.
I’ve stayed away from using my fingerprint scanner on my phone (FWIW Moto G5s) because I’m not sure whether it’s a risk like the above.
Is the data that real phone fingerprint scanners generate and store for comparison something that can be stolen? Or is it something that’s always going to be unique to that device – e.g. is it salted or such?
And if it is sensitive, do apps that use the scanner have access to it, or would that normally be left to the phone’s OS (Android in this case) and an app just gets back an un/authenticated response?
Asking because I’m trying to answer:
Does my phone have a stealable copy of my unchangeable fingerprint on it (e.g. attacker steals device, could get access to my fingerprint – or access to some data that would be enough to present as my fingerprint)?
Does my phone’s OS have a stealable copy? I ask this because I’m wondering whether that means I’m trusting it to Google / Apple etc.
Do my phone’s apps have access to that? (Obviously this vastly increases the vulnerability area if so.)
I’ve looked online and I understand that scanners don’t usually store a photographic scan, but some key things that can identify unique properties, but if those unique properties are … unique … then they could be stealable?
I have an ASUS Vivobook S15 and I’m currently running Ubuntu 19 on single boot. I want to make use of my fingerprint scanner to log in but there’s no option for fingerprint login in the settings/users menu.
I also tried to install Fingerprint GUI as well but it won’t detect the fingerprint scanner.
I’m new to the Linux world in general and Ubuntu… I read a few threads and tried out some of the solutions posted but couldn’t get it to work. I have an ASUS UX430UA and the fingerprint scanner is Elan Microelectronics Corp. as listed under lsusb. Can someone help me install it and make it work? (Remember I’m new and have no idea how to install things and clueless about what I’m doing when I type in the terminal.) Thanks in advance.
If I type lsusb -s 001:003 -v I get this:

    Couldn't open device, some information will be missing
    Device Descriptor:
      bLength                18
      bDescriptorType         1
      bcdUSB               2.00
      bDeviceClass          255 Vendor Specific Class
      bDeviceSubClass        16
      bDeviceProtocol       255
      bMaxPacketSize0         8
      idVendor           0x06cb Synaptics, Inc.
      idProduct          0x0081
      bcdDevice            1.64
      iManufacturer           0
      iProduct                0
      iSerial                 1
      bNumConfigurations      1
      Configuration Descriptor:
        bLength                 9
        bDescriptorType         2
        wTotalLength       0x0035
        bNumInterfaces          1
        bConfigurationValue     1
        iConfiguration          0
        bmAttributes         0xa0
          (Bus Powered)
          Remote Wakeup
        MaxPower              100mA
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        0
          bAlternateSetting       0
          bNumEndpoints           5
          bInterfaceClass       255 Vendor Specific Class
          bInterfaceSubClass      0
          bInterfaceProtocol      0
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x01  EP 1 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x81  EP 1 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x82  EP 2 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x83  EP 3 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0008  1x 8 bytes
            bInterval               4
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x84  EP 4 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0010  1x 16 bytes
            bInterval              10

Somebody wrote to check dmesg | grep -i tpm, but I get nothing. Any idea?