Re: [fw-wiz] Re: Biometrics

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 04/14/05

• Next message: Marcus J. Ranum: "Re: Biometrics (was Re: [fw-wiz] Username password VS hardware token plus PIN)"

To: firewall-wizards@honor.icsalabs.com
Date: Fri, 15 Apr 2005 01:04:08 +0530

On 14/04/05 15:01 -0400, broyds@rogers.com wrote:
> The overall lesson I get from this is that one needs to do a true
> cost-benefit analysis of every authentication scheme. Don't just take the
> "it is more secure" mantra and apply it indiscriminately. We all agreed
> that the value of the owner's finger is greater than the value of the
> Mercedes, so a security technology that can cost the finger while
> protecting the Merc is not a valid cost-benefit trade-off. This seems
> obvious in hindsight, but it probably was not considered in creation
> of the biometric authentication device for the Mercedes.

Wasn't that supposed to be a basic requirement of the security process?
Cost of the security system vs cost of loss of asset?

> This is one problem with nearly all biometric devices. Since they depend on
> biological characteristics for providing the authenticity check, they are
> bypassed/breached by subverting those processes. But subversion of a biologic
> process can have far more catastrophic consequences than bypass of other
> processes such as binary processes.

As Paul said, we need to actually look at failure modes of
authentication systems, and the extent to which an attacker will go to
breach your defenses. Traditionally, actual physical harm has been
positioned as being in the domain of the three letter agencies rather
than being in common use. But when the value of a system being secured
is relatively[1] high enough, we need to consider additional failure
modes as well.

Devdas Bhagat
[1] Relative to the gain available to the attacker in local currency. A
1000 USD laptop is much more valuable to sell in a country where the
monthly income is below 100 USD.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

