Re: [fw-wiz] Re: Biometrics

From: Devdas Bhagat (
Date: 04/14/05

  • Next message: Marcus J. Ranum: "Re: Biometrics (was Re: [fw-wiz] Username password VS hardware token plus PIN)"
    Date: Fri, 15 Apr 2005 01:04:08 +0530

    On 14/04/05 15:01 -0400, wrote:
    > The overall lesson I get from this is that one needs to do a true
    > cost-benefit analysis of every authentication scheme. Don't just take the
    > "it is more secure" mantra and apply it indiscriminately. We all agreed
    > that the value of the owner's finger is greater than the value of the
    > Mercedes, so a security technology that can cost the finger while
    > protecting the Merc is not a valid cost-benefit trade-off. This seems
    > obvious in hindsight, but it probably was not considered in creation
    > of the biometric authentication device for the Mercedes.

    Wasn't that supposed to be a basic requirement of the security process?
    Cost of the security system vs cost of loss of asset?

    > This is one problem with nearly all biometric devices. Since they depend on
    > biological characteristics for providing the authenticity check, they are
    > bypassed/breached by subverting those processes. But subversion of a biologic
    > process can have far more catastrophic consequences than bypass of other
    > processes such as binary processes.

    As Paul said, we need to actually look at the failure modes of
    authentication systems, and the extent to which an attacker will go to
    breach your defenses. Traditionally, actual physical harm has been
    positioned as being in the domain of the three letter agencies rather
    than being in common use. But when the value of a system being secured
    is relatively[1] high enough, we need to consider additional failure
    modes as well.

    Devdas Bhagat
    [1] Relative to the gain available to the attacker in local currency. A
    1000 USD laptop is much more valuable to sell in a country where the
    monthly income is below 100 USD.

