i bumped into this advertising campaign while i was searchin for some thing on the internet and i think the campaign is very effective so that i wanted to share it here : )

Password use is widely accepted method for protection of informational and other resources: in computer networks, cash dispensers, telephone cards, etc. However, passwords can be forgotten, stolen or broken. In this relation, biometric identification is more reliable, since fingerprint or eye can not disappear so easily. On the other hand, implementation of biometric security systems is fairly expensive and limited with certain areas or applications, for example in restricted areas or locked devices. There are also examples for combination of biometrical and password protection, either to protect scanning areas or to generate random passwords. Impementation of biometric password generation creates range of advantages for everyday use.

The main idea of biometric password generation is to create security system using combined password and biometric protection. The point of password use is to create universal and easy to install system; the point of biometric use is to create highly secure system.

Biometric market now worth $3.4 billion with annual growth of 29.1% ; this predominantly include finger scan technology (59%), facial and iris scanning (13%), keystroke (0.4%) and signature scans (2.7%). Proposed invention targets end-users, small, medium-size companies and widespread information systems which need:
- Convenient, cost effective and secure solution for personal passwords storage, i.e. – Flexibility in installation of access control devices: i.e. biometric scanners and password generators in university labs and libraries or subscription services of internet media.

Since security concerns in the modern world are constantly growing, biometric password generation is capable to gain at least 3% of total biometric market.

Advantages of biometric password management

- Passwords are permanent, because they use certain mathematical algorithm (coding table) for coding. Other methods on the market generate just random passwords, useless for most applications. – Passwords do not require storage or additional processing (i.e. comparison of a fingerprint with etalon in a database). One of the major assumptions is that password protection will remain the most popular security measure. Biometric password generation does not compete with other security techniques, but just improve use of existing one – use of password management. Anyway, to answer whether existing or new technologies will impact our invention, we need to discuss its areas of aplication and how it’s supposed to be realized.
1. 2. Technology
1. Application of our invention is simple and straigntforvard: to generate paswords and ensure their security. Necessity of password generations is apparent for anyone using more than one password, either for banking, mail or administration. To store password is obviously insecure, whether in notepad or bulletproof safe. On demand generation is the most secure way of password creation and can be commercialized if there’ll be technology to implement it. Presented invention claims to offer such technology using fingerprints.
2. The recent example is a group of Russian students, who offered device for face recognition and attracted few million investment from Japan venture fund.

To generate password (http://merqum.com) , biometric identifier should be permanent, distinctive and have high performance; for ease of use it must be universal and collectable. Fingerprints are basically the best choice for it. Fingerprint technology is also a market leader in biometric technologies and we present some comments below why ones are better than others. • DNA: DeoxyriboNucleic Acid (DNA) is the one-dimensional ultimate unique code for one’s individuality, except for the fact that identical twins have identical DNA patterns. However, there are some tradeoffs in its use. Also, because face biometrics being passive, there can be concerns over spoofing and privacy. • Facial, hand, and hand vein infrared thermograms: The pattern of heat radiated by the human body is a characteristic of each individual body and can be captured by an infrared camera in an unobtrusive way much like a regular (visible spectrum) photo- photograph. A thermogram-based system is non-contact and non-invasive but sensing challenges in uncontrolled environments, where heat-emanating surf1aces in the vicinity of the body, such as, room heaters and vehicle exhaust pipes, may drastically affect the image acquisition phase. A related technology using near-infrared imaging is used to scan the back of a clenched fist to determine hand vein structure. Infrared sensors are prohibitively expensive which is a factor inhibiting widespread use of the thermograms. • Gait: Gait is the peculiar way one walks and is a complex spatio-temporal biometric. Gait is not supposed to be very distinctive, but is sufficiently characteristic to allow verification in some low-security applications. • Hand and finger geometry: Some features related to a human hand (e.g., length of fingers) are relatively invariant and peculiar (although not very distinctive) to an individual. Due to its limited distinctiveness, hand geometry-based systems are typically used for verification and do not scale well for identification applications. • Iris: Visual texture of the human iris is determined by the chaotic morphogenetic processes during embryonic development and is posited to be distinctive for each person and each eye (Daugman, 1999a). Iris identification technology is a tremendously accurate biometrics. Ease of use and system integration has not traditionally been strong points with iris scanning devices, but people can expect improvements in these areas as new products emerge.
• Odor: It is known that each object exudes an odor that is characteristic of its chemical composition and could be used for distinguishing various objects.

• Retinal scan: The retinal vasculature is rich in structure and is supposed to be a characteristic of each individual and each eye. It is claimed to be the most secure biometric since it is not easy to change or replicate the retinal vasculature The image acquisition involves cooperation of the subject, entails contact with the eyepiece, and requires a conscious effort on the part of the user. All these factors adversely affect public acceptability of retinal biometrics. Retinal vasculature can reveal some medical conditions (e.g., hypertension), which is another factor standing in the way of public acceptance of retinal scan-based biometrics. Signatures are a behavioral biometric that change over a period of time and are influenced by physical and emotional conditions of the signatories. • Voice: Voice capture is unobtrusive and voice print is an acceptable biometric in almost all societies. Voice is not expected to be sufficiently distinctive to permit identification of an individual from a large database of identities. Moreover, a voice signal available for recognition is typically degraded in quality by the microphone, communication channel, and digitizer characteristics. Because many people see finger scanning as a higher form of authentication, voice biometrics will most likely be relegated to replacing or enhancing personal identification numbers (PINs), passwords or account names. • Finger-scan biometrics is based on the distinctive characteristics of a human fingerprint. If appropriate precautions are followed, the result is a very accurate means of authentication. It is not surprising that the workstation access application area seems to be based almost exclusively on fingerprints, due to the relatively low cost, small size and ease of integration of fingerprint authentication devices.

It’s unlikely that advantages in some technique will change market share of others, especially of the most popular ones, like fingerprint or face recognition. Any successful combination of biometric techniques, however, is capable to create own market niche.

The market.
Biometric market now worth $3.4 billion with annual growth of 29.1% ; this predominantly include finger scan technology (59%), facial and iris scanning (13%), keystroke (0.4%) and signature scans (2.7%). Proposed invention targets end-users, small, medium-size companies and widespread information systems which need:
- Convenient, cost effective and secure solution for personal passwords storage, i.e. – Flexibility in installation of access control devices: i.e. biometric scanners and password generators in university labs and libraries or subscription services of internet media. Since security concerns in the modern world are constantly growing, biometric password generation is capable to gain at least 3% of total biometric market.Additional details are available at http://merqum.com

Password use is widely accepted method for protection of informational and other resources: in computer networks, cash dispensers, telephone cards, etc. However, passwords can be forgotten, stolen or broken. In this relation, biometric identification is more reliable, since fingerprint or eye can not disappear so easily. There are also examples for combination of biometrical and password protection, either to protect scanning areas or to generate random passwords.

The main idea of biometric password generation is to create security system using combined password and biometric protection. The point of password use is to create universal and easy to install system; the point of biometric use is to create highly secure system.

Biometric market now worth $3.4 billion with annual growth of 29.1% ; this predominantly include finger scan technology (59%), facial and iris scanning (13%), keystroke (0.4%) and signature scans (2.7%). Proposed invention targets end-users, small, medium-size companies and widespread information systems which need:
- Convenient, cost effective and secure solution for personal passwords storage, i.e. pocket USB-password generators;

Since security concerns in the modern world are constantly growing, biometric password generation is capable to gain at least 3% of total biometric market.

Advantages of biometric password management

- Passwords are unique because of uniqueness of biometric characteristics. – Passwords are permanent, because they use certain mathematical algorithm (coding table) for coding. Other methods on the market generate just random passwords, useless for most applications. – Passwords do not require storage or additional processing (i.e. – Passwords use is flexible and can be invented in numerous applications: from personal password generators to access control systems. – Passwords are secure because user can select any coding table or coordinate grid to generate password; this selection, however, is easy to remember.

One of the major assumptions is that password protection will remain the most popular security measure. Biometric password generation does not compete with other security techniques, but just improve use of existing one – use of password management. Anyway, to answer whether existing or new technologies will impact our invention, we need to discuss its areas of aplication and how it’s supposed to be realized.
1. Application
2. 1. Application of our invention is simple and straigntforvard: to generate paswords and ensure their security. Necessity of password generations is apparent for anyone using more than one password, either for banking, mail or administration. To store password is obviously insecure, whether in notepad or bulletproof safe. On demand generation is the most secure way of password creation and can be commercialized if there’ll be technology to implement it. Presented invention claims to offer such technology using fingerprints. There are no “new” biometric techniques, since inherent features of a human remain unchanged for his traceable history. Nevertheless, with technology development, new advances appear on the market and bring fortune to their inventors. The recent example is a group of Russian students, who offered device for face recognition and attracted few million investment from Japan venture fund.

To generate password (http://merqum.com) , biometric identifier should be permanent, distinctive and have high performance; for ease of use it must be universal and collectable. Fingerprints are basically the best choice for it. Fingerprint technology is also a market leader in biometric technologies and we present some comments below why ones are better than others. • DNA: DeoxyriboNucleic Acid (DNA) is the one-dimensional ultimate unique code for one’s individuality, except for the fact that identical twins have identical DNA patterns. • Face: The face is one of the most acceptable biometrics because it is one of the most common methods of recognition that humans use in their visual interactions. Namely, the user is required to be presented in good light and to hold still as much as possible. Also, because face biometrics being passive, there can be concerns over spoofing and privacy. The technology could be used for covert recognition and could distinguish between identical twins. A thermogram-based system is non-contact and non-invasive but sensing challenges in uncontrolled environments, where heat-emanating surf1aces in the vicinity of the body, such as, room heaters and vehicle exhaust pipes, may drastically affect the image acquisition phase. A related technology using near-infrared imaging is used to scan the back of a clenched fist to determine hand vein structure. Infrared sensors are prohibitively expensive which is a factor inhibiting widespread use of the thermograms. • Gait: Gait is the peculiar way one walks and is a complex spatio-temporal biometric. Gait is not supposed to be very distinctive, but is sufficiently characteristic to allow verification in some low-security applications. • Hand and finger geometry: Some features related to a human hand (e.g., length of fingers) are relatively invariant and peculiar (although not very distinctive) to an individual. Due to its limited distinctiveness, hand geometry-based systems are typically used for verification and do not scale well for identification applications. • Iris: Visual texture of the human iris is determined by the chaotic morphogenetic processes during embryonic development and is posited to be distinctive for each person and each eye (Daugman, 1999a). Iris identification technology is a tremendously accurate biometrics. Ease of use and system integration has not traditionally been strong points with iris scanning devices, but people can expect improvements in these areas as new products emerge.
It is not clear if the invariance in the body odor could be detected despite deodorant smells and varying chemical composition of the surrounding environment.

• Retinal scan: The retinal vasculature is rich in structure and is supposed to be a characteristic of each individual and each eye. It is claimed to be the most secure biometric since it is not easy to change or replicate the retinal vasculature The image acquisition involves cooperation of the subject, entails contact with the eyepiece, and requires a conscious effort on the part of the user. Retinal vasculature can reveal some medical conditions (e.g., hypertension), which is another factor standing in the way of public acceptance of retinal scan-based biometrics. Signatures are a behavioral biometric that change over a period of time and are influenced by physical and emotional conditions of the signatories. Signatures of some people vary a lot: even successive impressions of their signature are significantly different. • Voice: Voice capture is unobtrusive and voice print is an acceptable biometric in almost all societies. Voice may be the only feasible biometric in applications requiring person recognition over a telephone. Voice is not expected to be sufficiently distinctive to permit identification of an individual from a large database of identities. Moreover, a voice signal available for recognition is typically degraded in quality by the microphone, communication channel, and digitizer characteristics. Voice is also affected by a person’s health (e.g., cold), stress, emotions, and so on. Besides, some people seem to be extraordinarily skilled in mimicking others. However, voice scanning may be integrated with finger-scan technology. Because many people see finger scanning as a higher form of authentication, voice biometrics will most likely be relegated to replacing or enhancing personal identification numbers (PINs), passwords or account names. • Finger-scan biometrics is based on the distinctive characteristics of a human fingerprint. If appropriate precautions are followed, the result is a very accurate means of authentication.

As it’s clear from the above review, biometric techniques are different in applicability, use of use, acceptability, etc. It’s unlikely that advantages in some technique will change market share of others, especially of the most popular ones, like fingerprint or face recognition. Any successful combination of biometric techniques, however, is capable to create own market niche. The examples can be password and voice identification, fingerprint password generation.

The market.
Biometric market now worth $3.4 billion with annual growth of 29.1% ; this predominantly include finger scan technology (59%), facial and iris scanning (13%), keystroke (0.4%) and signature scans (2.7%). Proposed invention targets end-users, small, medium-size companies and widespread information systems which need:
- Convenient, cost effective and secure solution for personal passwords storage, i.e. pocket USB-password generators;
- Flexibility in installation of access control devices: i.e. biometric scanners and password generators in university labs and libraries or subscription services of internet media. Since security concerns in the modern world are constantly growing, biometric password generation is capable to gain at least 3% of total biometric market.Additional details are available at http://merqum.com

HP Pavilion dv2700t Broadband Wireless notebook- Intel(R) Core(TM) 2 Duo Processor T5550 (1.83 GHz, 2MB L2 Cache, 667MHz FSB) , 14.1″ diagonal WXGA High-Definition HP BrightView Widescreen Display (1280 x 800), 4GB DDR2 System Memory, 128MB NVIDIA GeForce 8400M GS ,HP Imprint Finish (Radiance) + Fingerprint Reader + Webcam + Microphone , HP Broadband Wireless and Wireless LAN 802.11a/b/g/n and Bluetooth , 160GB 5400RPM SATA Hard Drive, LightScribe SuperMulti 8X DVD+/-RW with Double Layer Support, Microsoft(R) Works 9.0 , Windows Vista Home Premium Review

Check Price Now!

HP Pavilion dv2700t Broadband Wireless notebook- Intel(R) Core(TM) 2 Duo Processor T5550 (1.83 GHz, 2MB L2 Cache, 667MHz FSB) , 14.1″ diagonal WXGA High-Definition HP BrightView Widescreen Display (1280 x 800), 4GB DDR2 System Memory, 128MB NVIDIA GeForce 8400M GS ,HP Imprint Finish (Radiance) + Fingerprint Reader + Webcam + Microphone , HP Broadband Wireless and Wireless LAN 802.11a/b/g/n and Bluetooth , 160GB 5400RPM SATA Hard Drive, LightScribe SuperMulti 8X DVD+/-RW with Double Layer Support, Microsoft(R) Works 9.0 , Windows Vista Home Premium Feature

• Intel(R) Core(TM) 2 Duo Processor T5550 (1.83 GHz, 2MB L2 Cache, 667MHz FSB)
• 14.1″ diagonal WXGA High-Definition HP BrightView Widescreen Display (1280 x 800), 4GB DDR2 System Memory, 128MB NVIDIA GeForce 8400M GS
• HP Imprint Finish (Radiance) + Fingerprint Reader + Webcam + Microphone , HP Broadband Wireless and Wireless LAN 802.11a/b/g/n and Bluetooth
• 160GB 5400RPM SATA Hard Drive, LightScribe SuperMulti 8X DVD+/-RW with Double Layer Support
• Microsoft(R) Works 9.0 , Windows Vista Home Premium

HP Pavilion dv2700t Broadband Wireless notebook- Intel(R) Core(TM) 2 Duo Processor T5550 (1.83 GHz, 2MB L2 Cache, 667MHz FSB) , 14.1″ diagonal WXGA High-Definition HP BrightView Widescreen Display (1280 x 800), 4GB DDR2 System Memory, 128MB NVIDIA GeForce 8400M GS ,HP Imprint Finish (Radiance) + Fingerprint Reader + Webcam + Microphone , HP Broadband Wireless and Wireless LAN 802.11a/b/g/n and Bluetooth , 160GB 5400RPM SATA Hard Drive, LightScribe SuperMulti 8X DVD+/-RW with Double Layer Support, Microsoft(R) Works 9.0 , Windows Vista Home Premium Overview

HP Pavilion dv2700t Broadband Wireless notebook- Intel(R) Core(TM) 2 Duo Processor T5550 (1.83 GHz, 2MB L2 Cache, 667MHz FSB) , 14.1″ diagonal WXGA High-Definition HP BrightView Widescreen Display (1280 x 800), 4GB DDR2 System Memory, 128MB NVIDIA GeForce 8400M GS ,HP Imprint Finish (Radiance) + Fingerprint Reader + Webcam + Microphone , HP Broadband Wireless and Wireless LAN 802.11a/b/g/n and Bluetooth , 160GB 5400RPM SATA Hard Drive, LightScribe SuperMulti 8X DVD+/-RW with Double Layer Support, Microsoft(R) Works 9.0 , Windows Vista Home Premium Specifications

*** Product Information and Prices Stored: Dec 07, 2009 07:25:04

Asus EEE PC Seashell 1105 HA

Recommend : homemade christmas ornaments Colon Cancer

I can’t believe it’s already been a week since WK Interact’s latest solo exhibit, How To Blow Yourself Up, opened here in LA. For anyone Cali-based who missed the reception, you can still check out the work and installation at Subliminal Projects until December 5th. And for everybody else, here are a few pics from the night! It was definitely one of the most fun events over this way in a while.

Aside from the excited buzz in the air and line out the door of people waiting to get photographed and fingerprinted for WK’s awesome mug shot wall, the work itself did not disappoint. The gallery was decked out with a fantastic range of three-dimensional mixed media pieces (from wood panels, skate decks and boxes to a custom-built bike and a series of doors you have to see to believe) and there was even one of his mind-blowing Motion Portraits (my personal favorite).

Hype aside (and he’s underrated, in my opinion), WK is simply one of the most important street artists in the world and those who have the opportunity to see or own his work are just plain lucky.

Pictures generously supplied by the lovely Lord Jim.

Fingerprints tend to stick to the Dell Latitude D830 LCD screen on digital cameras, cell phones and other personal electronic devices. Fingerprints contain oil, which attracts dust and dirt. This can make the LCD screen on your device look dirty, and make it difficult to use. Keeping the Dell Latitude D830 LCD screens on your electronic devices clean is just a matter of using the right technique.

make the LCD screen by having lens cleaning liquid that is safe for lenses of all sorts. Remove your personal device from the case. Gently wipe a dry microfiber cloth, in circular movements. Apply a small piece of tape and press it over the fingerprint on your electronic devices clean is just a matter of using the right technique.Dell Latitude D820 15.4 inch LCD Screen(Size: 15.4 inchs Resolution: 1280×800 pixels ) Prepare to clean Dell Latitude D830 LCD screen until the fingerprints disappear.LCD Screen Use a dry microfiber cloth across the Dell Latitude D830 LCD screen on digital cameras, cell phones and other personal electronic devices.

Fingerprints contain oil, which attracts dust and dirt. This can make the LCD screen by having lens cleaning liquid to the Dell Latitude D830 LCD screens with many fingerprints. Wipe the damp cloth in circular movements. Apply a small amount of lens cleaning liquid. Do not allow any lens cleaning liquid and microfiber cloths on hand. Buy lens cleaning liquid that is safe for lenses of all sorts. Remove your personal device from the case. Gently wipe a dry microfiber cloth, in circular movements, to wipe off any excess lens cleaning liquid to the Dell Latitude D830 LCD screen is free of fingerprints.

15.4 Inch LCD Screen(15.4 Inch LCD Panel Description: ) dry Prepare microfiber to cloth, dribble in into circular the movements. LCD Apply screen a in dry the before screen. putting Gently the wipe pharmacy off department, any near lens the cleaning screen. liquid.

Image via Wikipedia

Fingerprint ridges are formed during the third to fourth month of fetal development. The ridges begin to develop on the skin of the thumbs and fingers.

Source

————————–

The earliest dated prints of the ridged skin on human hands were made about 4,000 years ago during the pyramid building era in Egypt.  In addition, one small portion of palm print, not known to be human, has been found impressed in hardened mud at a 10,000-year old site in Egypt.

It was common practice for the Chinese to use inked fingerprints on official documents, land sales, contracts, loans and acknowledgements of debts.  The oldest existing documents so endorsed date from the 3rd century BC, and it was still an effective practice until recent times.  Even though it is recorded that the Chinese used their fingerprints to establish identity in courts in litigation over disputed business dealings, researchers fail to agree as to whether the Chinese were fully aware of the uniqueness of a fingerprint or whether the physical contact with documents had some spiritual significance.

Source

————————–

Source

————————-

The Federal Bureau of Investigation established its first fingerprint identification division in the year 1924, with a collection of 810,188 fingerprint files taken mostly from the Leavenworth Penitentiary. These files became more and more important with the emergence of an increasing number of intellectual criminals who crossed all legal and state lines.  Today, the FBI has in possession more than 250 millions different sets of fingerprint records. This collection is enormous and is composed of both civil as well as criminal prints. The civil file includes prints of government employees and candidates for federal jobs.

Source

————————–

Related articles by Zemanta

• Touchless 3-D Fingerprinting (technologyreview.com)

These cute animals are literally right at your fingertips when you use this cool fingerprint technique.  Using your fingerprints and a pen, the possibilities are endless and you can create an entire zoo full of animals!  This is a great beginner project that can get a little messy if you don’t keep an eye on the ink pad.  To help keep things under control, make sure the ink is washable and that you have plenty of soap and water on hand!

Things you will need:

• A washable ink pad in the color of your choice
• A pen or fine-tip marker
• A piece of paper or note cards

Steps: Simply press your finger into the ink then press it firmly on your piece of paper.  Next, follow the guides below to create the different animals.  Try experimenting and see what you can come up with!

Bird

Cat

Fish

Monkey

Pig

Ant

Turtle

Dog

Congratulations!  You are well on your way to creating a thumbprint zoo!  Use your imagination and see how many different animals you can come up with.  Have you done this project?  Did you do it differently?  Please feel free to share your comments and pictures in the comments section!

So today I decided to wipe it all and start everything new with my HP TouchSmart tx2 and Windows 7 Ultimate. Just thought I should list down some snags that I encountered and how i resolved it. Might help those who are also facing the same problems.

Quick Launch Buttons: Top Button – Windows Mobility Center, Middle Button – haven’t figured this out , Bottom Button – Screen Rotation Button. Since I have installed Windows 7 (RC) these haven’t worked. Tried looking for drivers at the HP site, nada. I did find an FTP link that had the right drivers ftp://ftp.hp.com/pub/softpaq/sp45001-45500/sp45058.html  so now its working! Am just wondering how come this is not on the HP Drivers site…

AuthenTec Fingerprint Sensor Driver – When I was using RC, this was one of the drivers that was listed when I did Windows Update. After installing the RTM though, it wasn’t in the Windows Update list. So I went to the HP Driver site and found the latest version sp45355 – AuthenTec AES1610 Fingerprinter Driver.  I proceeded with downloading it but then again, it didn’t work (probably tried installing and un-installing a half a dozen times). After a lot of searching, I did find this obscure AuthenTec site that has the Win7 Beta drivers http://win7beta.authentec.com/  and guess what, it worked.

There is a superstition in our family. When you are going out for an exam or interview or traveling, once you have stepped outside the house, you should not go back in. It is not considered auspicious.

Today, we set out to the Bangalore VFS office to submit our visa applications and documents. We had appointments at 11.30 am. We step out of the house at 11.30. I slung my handbag on my shoulders, DH took the laptop bag.

“Where are the files with the passport and documents?” DH asks.

“Oops, they are still inside,” sez me. In he goes to get them and then locks the door behind him. In the late morning traffic, there wasn’t much trouble. But we still reached after 12. After finding a parking spot with some difficulty, we walk the rest of the way. That’s when I remember that bags (handbags or laptop bags) are not allowed inside. Back DH goes while I proceed to the VFS office. Later he joins me (yes, they allowed us in despite our tardiness), which is when I remember to look through my documents for the tourist category. Oops, my appointment letter to ANZ is not there. Do I panic now? It’s ok, assures DH.

At the counter, all goes well for DH for his busines visa application. Next is me. They ask for the appointment letter – despite my mentally crossed fingers. No leave letter from ANZ. Shoot. Ok, back we race home to get the missing offer letter from ANZ and get some more docos to prove that I have no intention of sticking around in that country longer than necessary.  On the way back n forth, I berate myself for not using the checklist I’d prepared.

So we are back before the deadline when they close up and then all goes good. Next it’s the fingerprinting. First the kind lady at the next counter sez: place your forefinger on the scanner. Which forefinger, left or right? I am baffled.

No ma’am. Except your thumb, the four fingers on your right hand. Ah! Light trickles in through that tunnel.

I place my four fingers. Press them with your left hand ma’am, the young lady requests again.

Damn, I don’t have fingerprints. She hands me some moisturizing lotion and I repeat the process. I drag my four fingers all over the scanner, until she finally got some lines. No issues with the left hand four fingers nor the thumbs on both hands. (Yea, I am lucky enough to have 10 fingers).

It’s the winter guys. They tend to strip the strata. And no, I am not contemplating robbery or criminal activities coz I won’t leave prints behind. That auspicious thing might just have some truth, eh? Let’s see what happens with the visa.

I feel so blessed that you have stopped by my blog to sample my writing, and that your eyes have landed here, as this is such a special message from my heart about our individuality and gifts, and I wish to share it with the world.

God has placed so many messages on my heart, they seem to appear out of no where and sometimes I can’t even find the time to make note of them amid the business of life. This weekend, as I was trying to sort through some of the glimpses of lessons and studies that have become apparent most recently, I began to pray. I prayed mainly for clarification and direction, to have some guidance as to which lesson to delve deeper into, which message was most critical both for me to hear myself, and to share with others. The answer came immediately,with my eyes still closed and my mind still quiet. It was one word, as audible as if He was sitting right beside me: thumbprints. so, I will expand on a lesson God brought to my attention last week, that has been rattling around in my head ever since.

It occurred to me that the best physical evidence that God created the heavens and the earth (in case the inspired Word of God just won’t convince you) is right there on the undersides of our fingertips. My thumbprint is completely unique to me, and yours is to you. No one else who has ever lived before or will ever be borne shares this exact mark. This is a phenomenal, wonderful, powerful realization for me. It warms my heart that God placed His special mark on each of us and that mark makes us unique, but at the same time, one in the body of Christ.

The Psalms tell us that He determines the number of the stars and calls them each by name (Psalms 147:4, NIV). He has a very special name for each of us, as well. Do you think that when we get to heaven, we are still going to be called by our earthly names? Marilyn? Morgan? Kelsey? Bob? Joe? Sally? No, He has a special name for you and a special name for me, and he named us even before he created the earth (see  John 17:24, 1 Peter 1:20).

And just as we rejoice that God has put this special thumbprint on our natural bodies, and given each our heavenly bodies a name, Jesus tells us that we also rejoice that your names are written in heaven” (Luke 10:20, NIV). Oh yes, brothers and sisters, we are like the stars in the sky. We are too numerable for the human mind to comprehend, but to God we are special and unique. We are like stars in His eyes!

Thumbprints are funny little things. Some are more curvy or wavy, some are straighter or even swirly. There are many ways of classifying thumbprints and categorizing their styles, yet in the end they each have variations that make them different. We arent much removed from our thumbprints. But each man has his own gift from God (1 Corinthians 7:7, NIV). And although those gifts may be categorized or compartmentalized, only He knows each of our precise purpose within those realms.

It was he who gave some to be apostles, some to be prophets, some to be evangelists, and some to be pastors and teachers, to prepare God’s people for works of service, so that the body of Christ may be built up until we all reach unity in the faith and in the knowledge of the Son of God and become mature, attaining to the whole measure of the fullness of Christ. (Ephesians 4:11-13)

We are meant to serve together and on our own, but always on His behalf.

Just in studying for this lesson, I came across a verse that I had read before but this evening it seemed to absolutely jump off the page at me. For God’s gifts and his call are irrevocable (Romans 11:29). I so enjoy reading the book of Romans, but when I came across that short verse, it was as if I had never seen it before (I love how God works that way!).

For this reason I remind you to fan into flame the gift of God, which is in you through the laying on of my hands. For God did not give us a spirit of timidity, but a spirit of power, of love and of self-discipline. (2 Timothy 1:6-7)

If you don’t have a clear picture of His will for your natural life, don’t sweat it. Pray about it! He will reveal His plan to you, but on His timeline, not ours.Continue to pray and to listen. The pastor at our home church loves to say, “There’s a reason we have two ears and only one mouth.” So true, Pastor Marty, so true! Talk to God through prayer, but then allow yourself to be comfortable in the quiet and just listen. He knew you before the creation and He knows you still; He calls you by name and you wear His special mark of unfailing love on your fingertips. He is there.

His divine power has given us everything we need for life and godliness through our knowledge of him who called us by his own glory and goodness. (2 Peter 1:3)

Make it a great day,

Marilyn

Dear God, Thank you for giving me such a special mark and for calling me your own. Please God, continue to live and work through me and using me as a servant of your will. I am yours completely. Amen.

DAY 2

Misurarae le performance: il Tracking

Emanuele Inforzato – Regional Product Manager Zanox

Le tracce tecniche  consentono di ricostruire l’esperienza dell’utente secondo dei meccanismi regolati anche dalla legislazione internazionale (leggi sulla privacy).

Attraverso il tracciamento è possibile

1) deduplicare: contare un evento (es. vendita) una sola volta

2) assegnare: attribuire al corretto canale il successo dell’evento

3) convertire: misurare l’efficacia della sua comunicazione per ottimizzare

4) integrare : aggregare i canali di pianificazione nel rispetto delle loro modalità di funzionamento e di specifico tracciamento

5) monetizzare

Il tracking consente di raccogliere e analizzare le azioni degli utenti in modo da conoscere per esempio quali pagine sono state visualizzate, quando e da quale link l’utente è arrivato sul sito(referrals) ,e monitorare le ACTION che l’utente ha compiuto sul sito.

ZANOX SPOT - SINGLE POINT OF TRACKING

il tracciamento è legato alla THANK YOU PAGE dell’advertiser (nulla va installato sul server del cliente)

Unito alla tecnologia GAP (Global Alliance Partner) il “Single Point of Tracking” consente al cliente di  non rifare il suo sito ogni volta che accende un canale su internet, ma demanda a Zanox l’ installazione del codice di tracking sul suo pannello per distinguere i canali di arrivo.

Immaginiamo infatti che l’advertiser abbia attivvato più canali per le sue campagne di web marketing, e che quindi sulla sua thank you page avrà installato più codici di tracciamento (o tag di conversion)  afferenti per es. a google, yahoo e altri.

Questo comporterebbe una sorta di competizione tra i players per la remunerazione delle ACTION generate (ipotizziamo il caso in cui un unico utente abbia raggiunto la stessa pagina attraverso diversi canali) e una grave sovrastima delle action da remunerare ai diversi canali.

Il concetto sottostante è che “l’ultimo che porta l’utente a cliccare sul sito del cliente è il più meritevole ai fini della remunerazione”.

Tramite il sistema di deduplica , la CONVERSION viene assegnata SOLO all’ultimo canale visitato dall’utente.

Il sistema di tracciamento Zanox SPOT si basa su un sistema di page tagging di una singola pagina del sito dell’advertiser: restituisce dati su impressions, click , lead e/o sale.

I metodi di Tracking (oltre il cookie)

Bisogna andare oltre il cookie per motivi legislativi.

Esistono già alcune tecnologie che consentono la “navigazione anonima” e che quindi dribblano il tracciamento cookie based.

Si aggiungono quindi ai tradizionali metodi cookie based,

il FINGERPRINT Tracking e l’ ADVANCED SESSION Tracking (AST= senza disporre dei dati cookie, il tracciamento è riferito al contatto/vendita generato durante la stessa sessione browser in cui si è verificato il click).

I tracking methods permettono di gestire un completo tracciamento via

- POSTVIEW: viene salvato un cookie sul computer dell’utente già nel momento in cui viene visualizzato il mesaagio pubblicitario. Condizione necessaria perchè il tracciamento possa funzionare, è che il codice di tracciamento venga implementato in modo permanente (es. sono su un portale, vedo un banner turistico interessante ma non clikko in quel momento , magari 5 giorni dopo però andrò sul sito legato a quel banner e acquisto un pacchetto vacanze…)

- TRUE POST VIEW (TPW) : consente all’advertiser di allargare i confini della pibblicità display a CPM , monetizzandola a CPA. Qui è una guerra tra chi riesce a dimostrare di aver portato l’utente sul sito.

FINGERPRINT TRACKING: (utilizzata soprattutto per la navigazione anonima) è un metodo che consente di associare corretamente uina transazione (contatto/vendita) al rispettivo publisher. tramite uno speciale algoritmo, al momento del click sul mezzo pubblicitario viene generata una “impronta digitale” sulla base di diversi dati (indirizzo IP, versione browser e OS  dell’utente, ID univoco del visitatore/dispositivo).Il tracciamento del fingerprint è legato molto spesso al provider dei servizi intenet : Fastweb per esempio riconduce tutti i suoi utenti ad un unico fingerprint (perchè dietro la rete)

Affiliate Marketing

Modelli di misurazione e forecast del business

Paolo Artioli – Executive Sales Director, Zanox

Modelizzare per:

1)Gestire serenamente il rischio

2) Anticipare invece che subire

3) Passare da qualunque modello (CPM, CPC) al CPA

Approccio di modellizzazione PREDITTIVO: ho sempre il focus su LEAD e SALE , ma è importante anche

- capire lo storico (come si comportano i publisher)

- capire le interazioni tra i vari parametri (Click Through e Conversion Rate)

-costruire una base di conoscenza

- gestire serenamente il rischio

-anticipare invece che subire

-passare da qualunque modello (dal CPC, CPM al CPA)

Il CPM è il parametro base di valorizzazione del traffico internet, il CPC mi dice quanto costa un click, e il CTR è il rapporto tra questi due parametri.

Tra il CPC e il LEAD , il rapporto è dato dal ConversionRate

La misurazione delle performance avviene attraverso la gestione dei principalei kpi dell’adv online (impression, click, e CR)

E’ possibile quindi fare previsioni di lead (o sale) in funzione del traffico e della sua qualità attesa (ClickThrough e CR)

LE METRICHE IN PRATICA

1)La misurazione del traffico

- Impression x CTR = Click

- Click x CR= LEAD (o Sale)

- Lead: CR= Click

- Click: CTR= Impression

2) La valorizzazione del traffico

- CPM*/CTR = CPC  (occore dividere il CPM per 1000 e ottenere il costo della singola impression) l’Equivalent CPC è il valore più importante che un publisher guarda

- CPC/CR= PPL pay per lead (o PPS pay per sale)

- PPL x CR = CPC

- CPC x CTR = CPM

A seconda del tipo di publisher (ad alta conversione non scalabile vs a bassa conversione scalabile) potremo poi ponderare i valori del traffico e dei lead effettivi su ciascun canale attivato.

Grazie Zanox

HP Pavilion dv9700t 17″ Notebook PC (Intel Core 2 Duo Processor T8100 at 2.1GHz, 2GB RAM, 250GB Hard Drive, LightScribe SuperMulti 8X DVD+/-RW with Double Layer Support, 1023MB NVIDIA GeForce Go 8600 w/1.3mg Webcam, Bluetooth, Fingerprint Reader, Vista Ultimate) Review

Check Price Now!

HP Pavilion dv9700t 17″ Notebook PC (Intel Core 2 Duo Processor T8100 at 2.1GHz, 2GB RAM, 250GB Hard Drive, LightScribe SuperMulti 8X DVD+/-RW with Double Layer Support, 1023MB NVIDIA GeForce Go 8600 w/1.3mg Webcam, Bluetooth, Fingerprint Reader, Vista Ultimate) Feature

• Business-Entertainment notebook PC with 17-inch (1680×1050) screen, HP Imprint finish, and 2.1 GHz Intel Core 2 Duo T8100 processor
• 250GB 5400RPM Hard Drive, 2GB RAM, LightScribe SuperMulti 8X DVD+/-RW with Double Layer Support, integrated WebCam
• Connectivity: Fingerprint Reader, 3 USB, 1 FireWire, 1 VGA, 1 S-Video, expansion port 3 connector, ExpressCard 54/34, 5-in-1 memory card reader
• Fingerprint Reader, Bluetooth, quad-mode Wi-Fi (802.11a/b/g/n), 10/100 Ethernet, 1023MB NVIDIA GeForce Go 8600 w/1.3mg Webcam
• Pre-installed with Windows Vista Ultimate

HP Pavilion dv9700t 17″ Notebook PC (Intel Core 2 Duo Processor T8100 at 2.1GHz, 2GB RAM, 250GB Hard Drive, LightScribe SuperMulti 8X DVD+/-RW with Double Layer Support, 1023MB NVIDIA GeForce Go 8600 w/1.3mg Webcam, Bluetooth, Fingerprint Reader, Vista Ultimate) Overview

PROCESSOR Intel Core 2 Duo T8100 (2.1GHz) MEMORY 2GB DDR2 SDRAM HARD DRIVE 250GB 5400 RPM SATA Hard Drive. DISPLAY 17.0″ WXGA BrightView Wide Viewing (1680×1050) MULTIMEDIA DRIVE Blu-Ray ROM with SuperMulti DVD+/-R/RW Double Layer (Store up to 25GB of Data on one Blu-Ray Disk. VIDEO GRAPHICS up to 1023MB NVIDIA GeForce Go 8600M w/Webcam DIGITAL MEDIA 5-in-1 media card reader COMMUNICATION Intel PRO/Wireless 4965AGN Network Connection. KEYBOARD Full-Size with Number Pad POINTING DEVICE Touchpad with dedicated vertical scroll up/down pad DIMENSIONS 15.16″ (L) x 11.65″ (W) x 1.57″ (H) WEIGHT 7.7 lbs. PC CARD SLOTS ExpressCard/54 slot (also supports ExpressCard/34) EXTERNAL PORTS Expansion Port 3 connector Four USB 2.0 IEEE 1394 Firewire port S-video TV-out Integrated Consumer IR (remote control receiver) Two headphones out Microphone in RJ-11 (modem) RJ-45 (LAN) VGA port SOUND Integrated Altec Lansing stereo speakers POWER Standard Lithium-Ion battery OPERATING SYSTEM Microsoft Windows Vista Ultimate SOFTWARE HP PhotoSmart Premier RealRhapsody Muvee AutoProducer DVD Edition with Burning Adobe Acrobat Reader Microsoft Works Microsoft Money Microsoft Windows Media Player HP Games Powered by Wild Tangent Intuit Quicken New User Edition Sonic Digital Media Plus HP QuickPlay

HP Pavilion dv9700t 17″ Notebook PC (Intel Core 2 Duo Processor T8100 at 2.1GHz, 2GB RAM, 250GB Hard Drive, LightScribe SuperMulti 8X DVD+/-RW with Double Layer Support, 1023MB NVIDIA GeForce Go 8600 w/1.3mg Webcam, Bluetooth, Fingerprint Reader, Vista Ultimate) Specifications

*** Product Information and Prices Stored: Nov 05, 2009 20:30:04

034435     การวิเคราะห์ลายพิมพ์ดีเอ็นเอ     DNA Fingerprint Analysis

การวิเคราะห์ลายพิมพ์ดีเอ็นเอ โดยใช้เทคนิคเซาเทิร์นไฮบริไดเซซันและเทคนิคพีซีอาร์ การใช้ประโยชน์ลายพิมพ์ดีเอ็นเอในการหาความสัมพันธ์ทางพันธุกรรมของเชื้อพันธุกรรม การตรวจสอบลูกผสมและการควบคุมคุณภาพ

(DNA fingerprint analysis using Southern hybridization and Polymerase Chain Reaction techniques. Utilization of DNA fingerprint in identifying genetic relationship of germplasm, hybrid verification and quality control.)

(034435 มหาวิทยาลัยเกษตรศาสตร์)

[I never knew what is "love" until you come to my life...Now I know less!] hahahaha

I keep thinking of how we first met and about the way you looked at me for the first time.
Yeah, I can remember how and where, was so unsual and funny…
Do you remember babe our “first-first” kiss? Do you remember the faces of people around…
I remember that! Was just for fun and so unexpected. At least was just for an instant but always meant so much, already seams so fresh this memory inside me…
And after everything that happens in our lives (I met new people, you too…) we remained friends like before.
Maybe destiny or for some other reason, I dont know…the time gave us more than expected, we were “together” lately for a while and was great kiss you for real ahhahah
So next time I´ll do it again and again and again…

I miss you babe!

(L)

.

he is the best ever!

1 Introduction

Welcome to the world of Fuzzy Fingerprinting, a new technique to attack cryptographic key authentication protocols that rely on human verification of key fingerprints. It is important to note that while fuzzy fingerprinting is an attack against a protocol, it is not a cryptographic attack and thus does not attack any cryptographic algorithm.

This document covers the theoretical background and the generation of fuzzy fingerprints and also details on the implementation ffp [FFP] and its usage. For people who don’t want to waste their time reading pseudo-academic Blabla it is essential to skip to the more pratical part of this document 3, the details on the implementation and the provided sample session using SSHarp [SFP].

2 Theoretical background

2.1 Key exchange using public-key cryptography

Asymmetric cryptography has revolutionized the classic cryptography and created new cryptographic techniques such as hybrid cryptosystems or digital signatures. In order to cover the background of fuzzy fingerprinting, this document focuses on the hybrid cryptosystems and their key exchange protocols. Fuzzy fingerprinting may also have an impact on digital signatures or integrity verification systems, for now we simply ignore these aspects.

Let’s introduce the classical problem of communicating using a symmetric cypher. Two parties that want to encrypt a communication using a fast symmetric cipher need to exchange a secret session key before starting to communicate. This problem is not easy to solve, meeting in real life or exchanging the session key via telephone are solutions, but often impossible to realize.

Using public-key cryptography both parties can elegantly and securely exchange the session key: Both parties first exchange their public keys, then one chooses a session key and transmits it to the other encrypting it with its public key. Both continue communicating using the session key. An outside attacker is not able to able to read the secret session key if he just passively eavesdrops the communication of both.

While public-key cryptography looks like a really good solution to the problem, it introduces a new problem into the scenario. An active attacker might intercept the communication between both parties and replaces the transmitted public keys with his own public key. Both parties would exchange keys, but in fact each would receive the public key of the attacker. Any communication first goes to the attacker who decrypts the messages using his private key and then re-encrypts them using the target’s public key. He’s now able to read the session key in cleartext and can also read the following secure communication that uses this session key. This attack is known as man-in-the-middle attack.

2.2 Cryptographic fingerprints for key verification

Several protocols have been proposed to prevent man-in-the-middle attacks when using public-key cryptography, e.g. the interlock protocol [ILP]. Other protocols rely on digital signatures or trusted key distribution centers to verify the integrity of the public keys. Unfortunately in most situation such methods are not available and the initially exchanged public keys are verificated using so called cryptographic fingerprints

.

Cryptographic fingerprints (also called messages digests) are short blocks generated by cryptographic one-way hash functions (also called collision-free hash functions). These cryptographic fingerprints act similar to real fingerprints, if two fingerprints match it is very likely that they have been made by the same person. In order to verify the integrity of a public key the sender and receiver both generate a cryptographic fingerprint from the key and compare these fingerprints, e.g. by phone.

The longer a fingerprint is, the better is its security against collisions but the harder it is for a common human subject to compare the fingerprint against another fingerprint. It has been observed that most people tend to compare only a sequence at the start and at the end of the fingerprint instead of checking every single digit. Some more sophisticated human subjects also compare a sequence in the middle – but only very few have been spotted that compare all digits. This observation led to the idea of fuzzy fingerprints.

2.3 Fuzzy fingerprint quality

The intention of fuzzy fingerprinting is no to collide against a target fingerprint, but to find a fuzzy fingerprint that would pass lazy human comparison. This attack has been proposed by Plasmoid and Skyper in a private discussion at HAL2001.

There are some methods for the generation of fuzzy fingerprints. The most basic is the fuzzy map weighting that was introduced by Plasmoid.

Each digit of a cryptographic fingerprint is weighted according to a map of importance. The weights range from 0 to 1 and represent the importance for a comparison, so that first and last digits have a higher importance than middle ones. If a digit of the fuzzy fingerprint and the target fingerprint match the weight is added to the quality of the fuzzy fingerprint. The sum of the weighted digits is the quality of the fuzzy fingerprint and equal fingerprints have a quality of 1 or 100

In order to imitate the natural laziness an inverse gaussian distribution could be used to generate the fuzzy map. The following example shows an inverse gaussian distribution for a small 2 byte fingerprint.

Eventhough only 2 digits of 6 are equal the calculated quality is near 50because the important digits at the start and at the end do match. At the first glance a gaussian distribution might be an overkill for such a simple map, but it allows the generation of variable-length maps that can be generated for several one-way hash functions, e.g. MD5 [MD5] with 16 bytes fingerprints or SHA1 [DSS] with 20 bytes fingerpints.

Instead of the gaussian distribution a cosine function might be used with 3 maxima. This can be achieved if the map is generated within the interval from -2p to 2p. Important parts of the fingerprint therefore become the start, the end and the middle sequence.

An extension for finding fuzzy fingerprints has been proposed by Heinrich Langos eventhough he probably can’t remember that. In addition to the fuzzy map, a map of common key confusions is added to the quality calculation. Digits like 6 and 9 or 1 and 7 are often mixed up depending on the format of the digits, e.g. down written or graphic fonts. A confusion key map contains the confusion and a quality representing the probability of the confusion. The following example shows just a few confusions.

A confusion map adds more granularity to the quality function of fuzzy maps, fuzzy fingerprints generated with confusions maps not only contain similar start and end-sequences in comparison to the target fingerprint, but also feature digits that might easily be confused with digits from the target fingerprint.

It is important to note that such a key mapping is not necessary symmetric and also that such a confusion key map has not been implemented in this release but may be added later.

2.4 Finding fuzzy fingerprints

With the fuzzy quality as an instrument to order fuzzy fingerprints, an attacker is able to search for fingerprints with the best fuzzy quality. This search involves two major calculation components, the one-way hash function and the key generation, because the attacker has to bruteforce for keys that have a good fuzzy fingerprint generated using a hash function.

Cryptographic one-way hash functions are collision-resistant (or try to be), therefore changing just one bit of the input data should result in a complete different fingerprint (50issues into account, it should be very hard to predict the output of a hash function so that there would be any other way than bruteforcing to receive good fuzzy fingerprints. Any performance optimisations need to be done in the key generation component.

For this document the RSA [RSA] and the DSA [DSS] key generation have been reviewed. The intention was to improve the performance of the key generation under the new aspect that the resulting keys not necessary have to be cryptographic secure but still need to work.

2.4.1 Tweaking RSA key generation

The RSA algorithm uses the following interesting variables

• p, q and n = pq, two strong prime numbers
• f(n)=(p-1)(q-1)
• e with gcd(e,f(n))=1, the public key

There are two possible approaches to the generation of an RSA key pair

• The first step is to randomly choose the public key e and continue to search for two prime numbers p and q so that p and q meet gcd(e,f(n))=1 or in other words e and f(n) are relative prime. This approach has been implemented by the OpenSSL Project [SSL].
• The other approach is to first calculate the two prime numbers p and q and then search for an e so that e meets gcd(e,f(n))=1. This approach is integrated in the ffp implementation [FFP].

While both approaches create the same result the second one better fits into the needs of bruteforcing, because the expensive prime number generations are only performed once. An attacker could calculate the two primes p and q at the start of the bruteforce process and then search successivly for public keys e.

In order to improve the performance even the check for e being relative prime can be skipped, this is called sloppy key generation. While this step dramatically increases the performance, it is not guaranteed that the generated keys still work. Test allow the assumption that only very few keys are broken and if an attacker stores a list of best keys, e.g. 10 there is more than a fair chance that more than one key is working.

2.4.2 Tweaking DSA key generation

The algorithm uses the following interesting variables

• p, a prime number of variable length
• q, a 160-bit prime factor of p-1
• x with x < q, the private key
• g, something different [Do we need to discuss any detail?]
• y = g^x mod p, the public key

Increasing the performance of the DSA key generation is a diffcult problem. At the first step one would start the key generation process similar to the improvements done to the sloppy RSA key generation by first calculating the two prime numbers p and q. Note that p and q in case of DSA old more constraints than in the RSA algorithm.

After two primes have been found, it is possible to bruteforce over the private key x that only needs to meed x < q which is a simple and fast comparison. Unfortunatley it is necessary for each x to calculate the appropriate public key y which involves calculating a modulus and an exponentiation with very big numbers and thus is very time consuming.

Tests with the ffp implementation show that DSA is about 1000 times slower than RSA key generation and therefore will only be available to the bruteforce process for fuzzy fingerprinting in the next centuries.

3 Implementation details

Now you have read through a rather strange description of the background and honestly I know that some points have been discussed far from complete, nevertheless I also like to present an implementation of the discussed ideas that is callesd ffp and available at The Hacker’s Choice website. This implementation uses the fuzzy fingerprinting technique in order to attack the key verification protocol used in the client of SSH protocol version 2. As a good victim the implementation OpenSSH [SSH] has been chosen, because it is free and really good software that can mess with all commercial implementations (Humble me says so!).

OpenSSH makes use of the routines from the free crypto and SSL libraries provided by the OpenSSL Project [SSL]. Therefore several implementation issues have been looked up in the OpenSSL source code and some parts have even been taken from the actual implementations of the RSA and DSA key generation.

OpenSSH uses a hybrid cryptosystem: public-key cryptography is used to exchange a session key between the client and the server and the following client-server-communication is encrypted with a symmetric cipher, but OpenSSH, strictly implementing the SSH protocol, fully relies on the user verificating of an initially received public key by asking for confirmation if the generated cryptographic fingerprint is known and matches.

$ ssh foo@fluffy
The authenticity of host 'fluffy (10.0.0.2)' can't be established.
RSA key fingerprint is 54:3a:12:db:d4:35:71:45:3d:61:51:c1:df:47:bc:bc.
Are you sure you want to continue connecting (yes/no)?

Once the fingerprint and the key have been approved the key is stored in a file called known_hosts or known_hosts2 and upon further connections the retrieved public key is compared to the stored key an no user interaction is necessary. It has also been shown that there exists tricks to force the SSH client to ask again for the confirmation of a key eventhough a correct version has already been retrieved [SFP]. Using these techniques, a man-in-the-middle tool and ffp form a quite mailicous attack that can be launched against any SSH connection using the SSH protocol version 2.

Therefore ffp acts an extension to common man-in-the-middle tools such as dsniff [DS] or ettercap [EC]. If the attacker sends a public key to the victim that has a fuzzy fingerprint that nearly looks like the target fingerprint, the victim might easier be fooled to accept the public key and continue the eavesdropped connection. Because all those theory is gray, we are quickly installing our implementation and then start to actively generate a fuzzy fingerprint to be used with Sebastian Krahmer’s tool SSHarp.

3.1 Installation of ffp

In order to install this release, you need a Unix environment or at least something very similar such as Cygwin or QNX. You will also need a mathematical library which is present in most Unix system and the OpenSSL libraries available at http://www.openssl.org

.

If everything is place, follow the boring GNU autoconf/automake installation process:

$ ./configure
$ make
$ su -c "make install"

If you want to you can use the -prefix option to install this software to a specific direction. The default location is /usr/local. If you need to you can use the -with-ssl-dir option to specify the directory of your OpenSSL installation.

If during the compilation or installation process errors occur ask yourself at first, if you have done anything wrong, wait for a time, say 2 minutes, and ask yourself again if you have been honest to yourself. If it turns out that there is really something wrong with the code of ffp drop a mail to Plasmoid plasmoid@thc.org and describe your problems. Please understand that you are on your own if you try to fiddle with any Windows release and Cygwin.

3.2 Usage of ffp

The current release of Fuzzy Fingerprint is a command line tool called ffp that has the following command line option

Usage: ffp [Options]
Options:
  -f type       Specify type of fingerprint to use [Default: md5]
                Available: md5, sha1, ripemd
  -t hash       Target fingerprint in byte blocks.
                Colon-separated: 01:23:45:67... or as string 01234567...
  -k type       Specify type of key to calculate [Default: rsa]
                Available: rsa, dsa
  -b bits       Number of bits in the keys to calculate [Default: 1024]
  -K mode       Specify key calulation mode [Default: sloppy]
                Available: sloppy, accurate
  -m type       Specify type of fuzzy map to use [Default: gauss]
                Available: gauss, cosine
  -v variation  Variation to use for fuzzy map generation [Default: 4.3]
  -y mean       Mean value to use for fuzzy map generation [Default: 0.08]
  -l size       Size of list that contains best fingerprints [Default: 10]
  -s filename   Filename of the state file [Default: /var/tmp/ffp.state]
  -e            Extract SSH host key pairs from state file
  -d directory  Directory to store generated ssh keys to [Default: /tmp]
  -p period     Period to save state file and display state [Default: 60]
  -V            Display version information

If you have read the theoretical background covered in this paper you should already have an idea how some of these options work and which parameters they influence. Due to the fact that ffp is not a kernel module, you run through the classical try and error phase and find the rest out yourself. Instead of discussing each detail of the implementation, this document demonstrates a sample session of ffp and SSHarp.

3.3 Sample session using ffp and SSHarp

This part of the documentation demonstrates how to use ffp in conjunction with a man-in-the-middle tool and describes a sample session that finally demonstrates the transmission and display of a fuzzy fingerprint. Other nasty techniques, such as ARP spoofing, that are necessary for the successful interception and manipulation of SSH connections, have been wisely left out because the author doesn’t have any idea how these things actually work, but hopes to know some bad guys who do.

3.3.1 Investigating the victim host

The first step could be to investigate the victim SSH server in order to find out which version of SSH is used and which public key algorithms are available. The OpenSSH package [SSH] provides all tools we need for gathering information from a remote SSH server. Our victim will be the server skena.foo.roqe.org which luckily is not available outside the sample network.

foo@fluffy:doc> ssh-keyscan -t rsa skena.foo.roqe.org > /tmp/skena-sshd
# skena.foo.roqe.org SSH-1.99-OpenSSH_3.4
foo@fluffy:doc> cat /tmp/skena-sshd
skena.foo.roqe.org ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAtE/CTgGl2HSUZUiCiSqhJafup [...]

It turns out that skena.foo.roqe.org is using an OpenSSH v3.4 server able to run the SSH v2 protocol and also has an RSA public host key available. This is good news for us, because ffp only support SSH v2 keys and RSA key generation is faster than DSA 2.4.2. The SSH server version is important to play banner tricks on the server as they have been covered in Sebastian’s paper.

Now let’s take a closer look at the bits used in the RSA algorithm and of course at the MD5 fingerprint of the host key we retrieved from skena.foo.roqe.org.

foo@fluffy:doc> ssh-keygen -f /tmp/skena-sshd -l
1024 d6:b7:df:31:aa:55:d2:56:9b:32:71:61:24:08:44:87 skena.foo.roqe.org

Again excellent news, good old skena.foo.roqe.org is only using a 1024 bit RSA key and we also note the cryptographic fingerprint d6:b7:df:31:aa:55:d2:56:9b:32:71:61:24:08:44:87. So using a 2048 or even 4096 host key is not only a good necessary protection against cryptographic attacks but also a protection against cheap attacks such as fuzzy fingerprinting.

3.3.2 Generating a key pair with a good fuzzy fingerprint

The next step is to generate a public key and a private key for an OpenSSH server so that the public key has a fuzzy fingerprint that nearly matches the target fingerprint. In order to do so we launch ffp with the appropriate options. ffp will output a lot of information and then start to crunch. This process can take several days, the longer you wait the better the fuzzy fingerprint can get. Please note that the process is not linear at all or in any way predictable, therefore you’ll need a lot of time or a lot of luck, best is both.

foo@fluffy:doc>./ffp -f md5 -k rsa -b 1024 \
                     -t d6:b7:df:31:aa:55:d2:56:9b:32:71:61:24:08:44:87

Periodically ffp will send some status information to the screen and also show the best fuzzy fingerprint that was generated so far. Internally ffp keeps a list of best fuzzy fingerprints, so that you are later able to choose the best yourself. The output of ffp during the crunching process looks like this:

---[Current State]--------------------------------------------------------
 Running:   0d 00h 02m 00s | Total:   2216k hashs | Speed:  18469 hashs/s
--------------------------------------------------------------------------
 Best Fuzzy Fingerprint from State File /var/tmp/ffp.state
    Hash Algorithm: Message Digest 5 (MD5)
       Digest Size: 16 Bytes / 128 Bits
    Message Digest: d1:bc:df:32:a2:45:2e:e0:96:d6:a1:7c:f5:b8:70:8f
     Target Digest: d6:b7:df:31:aa:55:d2:56:9b:32:71:61:24:08:44:87
     Fuzzy Quality: 47.570274%

The program displays the time it is running the number of hashs it has been tested in “kilohashs” and the speed. An 1.2 GHz PC has a fair speed of 130000 hashs per second, where my poor UltraSparc machine only calculates 20000 hashs per second.

You can interrupt a running session, by pressing the keys CTRL-C, ffp will abort and store the current environment in a so called state file that is usually stored in /var/tmp/ffp.state. Issuing again simple command ffp without any options continues the crunching process from the saved state file.

Please note that while writing this documentation, the author did not find the time to search for a good fuzzy fingerprint and therefore used a fingerprint that was achieved after only a few minutes of intensive crunching on an Ultra 10. Extraction of the fingerprints is done using the following command.

foo@fluffy:src> ./ffp -e -d /tmp
---[Restoring]------------------------------------------------------------
Reading FFP State File: Done
    Restoring environment: Done
 Initializing Crunch Hash: Done
--------------------------------------------------------------------------
Saving SSH host key pairs: [00] [01] [02] [03] [04] [05] [06] [07]

The generated public and private SSH host keys in the /tmp directory can be investigated using the following command. The attacker should use the key that looks best in a human sense. Eventhough fuzzy map weighting is a nice measure for the quality of fuzzy fingerprints the human eye may best choose which fingerprint has the greatest chance to be confused with the original target fingerprint.

foo@fluffy:doc> for i in /tmp/ssh-rsa??.pub ; do ssh-keygen -f $i -l ; done
1024 d6:b7:8f:a6:fa:21:0c:0d:7d:0a:fb:9d:30:90:4a:87 /tmp/ssh-rsa00.pub
1024 d6:b5:d0:34:aa:03:ca:9b:7f:66:b4:79:0a:86:74:a7 /tmp/ssh-rsa01.pub
1024 d6:87:6f:71:9d:2c:5d:fb:57:54:03:a2:2d:09:51:87 /tmp/ssh-rsa02.pub
1024 d6:b2:3f:ac:13:ce:ca:59:3f:b1:4b:c2:f0:03:44:97 /tmp/ssh-rsa03.pub
1024 d6:b9:0f:31:85:b3:34:1e:19:f5:d9:60:79:be:f4:85 /tmp/ssh-rsa04.pub
1024 96:57:df:31:8d:11:f2:b1:28:a4:fd:6d:34:5f:b2:87 /tmp/ssh-rsa05.pub
1024 d0:b0:df:0e:7c:f6:54:94:46:12:72:94:3a:07:a4:87 /tmp/ssh-rsa06.pub
1024 d6:b7:dd:be:f3:52:d9:8f:7e:53:30:49:f1:a8:94:5a /tmp/ssh-rsa07.pub

In this sample session the private key /tmp/ssh-rsa00 and the public key /tmp/ssh-rsa00.pub have been chosen for the attack against the host skena.foo.roqe.org. But also note that only after a few minutes of crunching there are already several fingerprints that contain a good start and end sequence and two fingerprints that share the correct first two bytes.

3.3.3 Launching ssharp with the generated keys

The special thing about the SSHarp implementation is the fact that this tool is build upon the OpenSSH server and therefore the configuration is very similar to the OpenSSH server configuration. We are now going to start a simple man-in-the-middle session. We launch the ssharpd server on the host fluffy.foo.roqe.org on port 10000.

foo@fluffy:ssharp> ./ssharpd -f /etc/ssh/sshd_config -d \
                             -h /tmp/ssh-rsa00 -4 -p 10000

Dude, Stealth speaking here. This is 7350ssharp, a smart
SSH1 & SSH2 MiM attack implementation. It's for demonstration
and educational purposes ONLY! Think before you type ... (<ENTER> or
<Ctrl-C>)

debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.9p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
Disabling protocol version 1. Could not load host key
debug1: Bind to port 10000 on 0.0.0.0.
Server listening on 0.0.0.0 port 10000.

While this example looks very simple it might be necessary to study the details of the SSHarp implementation by reading the file README.sharp in order to setup a working environment. It has already been noted in the beginning that this session doesn’t demonstrate all necessary steps to setup a man-in-the-middle attack and only focuses on the parts that are relevant to see ffp in active process.

We can now connect to our host fluffy.foo.roqe.org at port 10000 and see our faked public key and its fuzzy fingerprint in action using the normal SSH client

foo@fluffy:ssharp> ssharp -l foo fluffy.foo.roqe.org -2 -p 10000
The authenticity of host '10.0.0.2 (10.0.0.2)' can't be established.
RSA key fingerprint is d6:b7:8f:a6:fa:21:0c:0d:7d:0a:fb:9d:30:90:4a:87.
Are you sure you want to continue connecting (yes/no)?

What we are seeing is in fact our fuzzy fingerprint and our client is asking for confirmation. If the user has got a headache, trouble with his/ger girl/boyfriend or is not that concentrated, pressing yes at this situation might allow an attacker to eavesdrop all following communications with the host skena.foo.roqe.org

.

In order to complete your man-in-the-middle setup, you need to redirect the traffic to skena.foo.roqe.org to our fake server at fluffy.foo.roqe.org, e.g. by using ARP spoofing. You also need to use port forwarding on fluffy to redirect port 10000 to 22, so that normal SSH connection will be accepted. That’s it.

4 Thanks and greetings

2

• Skyper
  Who invented the idea with me and is still working on a different approach to very fast RSA key generation.
• Wilkins and Arrow
  For the classical old-fashioned booze-ups and the obligatoric action.
• Hannes and Heinrich
  Who really believe this is serious, academic work and code. Indeed, it is!
• TTEHSCO Fusion
  This is the first unofficial release for TTEHSCO. Cheers to all fellows and rockers at The Hacker’s Choice and Team TESO.
• All that jazz around

References

[FFP]

Implementation of Fuzzy Fingerprinting for RSA, DSA, MD5 and SHA1

Plasmoid

http://www.thc.org/releases.php

[RSA]

A Method for Obtaining Digital Signatures and Public-Key Cryptosystems

Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. Communications of the ACM 21,2 (Feb. 1978), 120-126.

http://theory.lcs.mit.edu/ rivest/rsapaper.pdf

[ILP]

How to Expose an Eavesdropper

R. L. Rivest, Adi Shamir, Communications of the ACM, v. 27, n. 4, February 1978, pp. 120-126.

[MD5]

The MD5 Message Digest Algorithm

R. L. Rivest, RFC 1321. April 1992

http://theory.lcs.mit.edu/ rivest/Rivest-MD5.txt

[DSS]

Digital Signature Standard (DSS)

National Institute of Standards and Technology, NIST FIPS PUB 186, U.S. Department of Commerce, May 1994.

http://csrc.nist.gov/publications/fips/fips186-2/fips186-2.pdf

[SFP]

SSH for Fun and Profit

Sebastian Krahmer, July 2002

http://stealth.7350.org/ssharp.pdf

[SSH]

OpenSSH Suite

Free version of the SSH protocol suite of network connectivity tools.

http://www.openssh.org

[SSL]

OpenSSL Project

Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols.

http://www.openssl.org

[DS]

DSniff – Tools for network auditing and penetration testing

Dug Song

http://www.monkey.org/ dugsong/dsniff

[EC]

Ettercap Multiprupose Sniffer/Interceptor/Logger

A. Ornaghi, M. Valleri

http://ettercap.sourceforge.net

I struggled with this for quite a while.  No matter what I tried, I couldn’t get the fingerprint software to recognize the reader on the Windows 7 x64 install (x86 works fine).  The drivers were installed, everything looked ok, but I would get a “fingerprint device not installed” error when launching the Upek Protector Suite software.

Turns out, Upek has a newer version out (Protector Suite 2009 for Windows 7)  and its free to download.  I uninstalled the driver and old software, rebooted, then installed the new Upek software, and lo and behold, the reader is recognized and I was able to add my fingerprints.

Dopo l’arresto della ventola del mio vecchio amico compaq NX7300, con mio conseguente arresto cardiaco, ho finalmente cambiato portatile in vista di qualcosa di più moderno e meno compatibile con Ubuntu! E’ così che sono andato alla ricerca di laptop nuovi ed usati per non superare il budget massimo di 400 € che mi ero prestabilito, limite dato dalla tradizione che mi ha visto partecipe di acquisti che non hanno mai sforato tale cifra.

Detto ciò, posso ritenermi particolarmente soddisfatto dell’acquisto in quanto, nonostante questo VGN-SR220J sia un VAIO, Ubuntu Karmic (Baby) Koala 9.10 ha riconosciuto perfettamente quasi tutto l’hardware che avevo sottomano in questo piccolo gioiello (dopo la dialisi da Vista a Linux). Faccio prima a scrivere cosa non ha funzionato immediatamente che fare un elenco delle cose che sono andate bene.

Diciamo pure che funziona TUTTO tranne:

• Microfono integrato (Vedi sotto la soluzione)
• Trusted Platform Module (TPM 1.2) Security Chip , Fingerprint reader: 147e:1000 Upek (Vedi sotto la guida per installarlo)

e non ho avuto modo di testare:

• Fax / modem 56 Kbps
• Porta Firewire

Microfono integrato

La soluzione da me adottata, è quella di cambiare il metodo di riconoscimento della scheda audio interna, forzando il modello rilevato. Per farlo ho solo modificato il file /etc/modprobe.d/alsa-base.conf con:

sudo gedit /etc/modprobe.d/alsa-base.conf

Dopo di chè, ho aggiunto alla fine del file

options snd-hda-intel model=toshiba-s06

Per far si che il sistema vedesse la scheda audio come quella di un toshiba. Questo risolve i miei problemi in quanto model=vaio o model=sony-assamd non funzionavano per questo pc.

Se al riavvio il microfono non dovesse comunque funzionare (prima di giudicare giocate un po’ con i parametri degli ingressi di Pulseaudio ), aprite un terminale e date:

alsamixer -V all

e scorrete tra i comandi per modificare il parametro Input Source da Mic a Int DMic:

Fingerprint Reader – Lettore di impronte digitali

Seguite questa guida con un occhio di riguardo per questo post, in cui evidenzio quali differenze ho riscontrato in questo VAIO e con la nuova Ubuntu Karmic.

Se avete qualcosa da aggiungere o avete trovato altre difficoltà, lasciate un commento e sarete ricontattati!

A Devon school delays the introduction of fingerprinting to pay for meals after some parents objected…. From BBC News. Full story

This site may contain information about: online course. The blog is also related to: primary school.