I was in a meeting earlier today where my machine was connected to the projector and someone wanted me to display their presentation for them. In normal circumstances I’d expect to be passed a USB memory stick (“thumb drive”) containing the PPT which I’d copy to my local disk and display as requested. This time though I was passed a wierd looking USB token that included an integrated biometric finger print scanner. The owner of the token was “into security” and perceived that the biometric bought him some form of authentication – don’t get me started on that one except to say that it’s actually providing just identity unless accompanied by a form of authentication which this device didn’t do.
The “security theatre” came in when I inserted the token, an executable had to be executed on the device to unlock it’s contents – the owner swiped the biometric and then nothing happened! It turned out that we couldn’t unlock the device AS I WASN’T RUNNING WITH ADMIN PRIVILEGES.
In order to use the device (that claimed to improve my security) I’d have had to LOWER my security by using excessive privileges! What’s worse is that the token could easily have included additional unknown malicious software that could even have autoexecuted if I’d had the default configuration!!!
I can see that the owner of the device might have gained some security when transfering files from and to their own system as they’d have chosen to install the required software (using administrative credentials) – assuming of course that some form of authentication was used in addition to the biometric identity.
Incidentally my system was running Windows XP Service Pack 2 in a low privilege configuration hence the software failed to install by default.