Re: Biometrics (was Re: [fw-wiz] Username password VS hardware token plus PIN)

From: Marcus J. Ranum
Date: 04/15/05

  • Next message: Shimon Silberschlag: "[fw-wiz] Out of Band management"
    To: Adam Shostack
    Date: Thu, 14 Apr 2005 21:51:34 -0400

    Adam Shostack wrote:
    >Generally, that's true, but as a layer in a well thought out system,
    >they may be helpful. (Eg, the guard watches you put your head up to
    >the retina scanner before he lets you in to maintain the shiny

    If you have actual guards, make the guard's job to verify
    identities and know who they are dealing with. I.e.: a book
    of names and photos is sufficient. If you want extra credit
    and are worried about "mission impossible" style masks,
    have the guard tug each person's nose and ears really

    In the case where you have a human guard in the system,
    the human guard will generally (assuming it's not a
    $7/hr idiot) so dramatically out-perform a computer system
    that you may as well omit the computer system entirely.

    "Private Bob: these are the scientists that have access
    to this lab. Get to know them well. If you see anyone
    in the lab who doesn't belong; shoot them. Scientists:
    this is Private Bob. He's a US Marine and he'll shoot
    anyone he doesn't recognize. So I suggest that if you
    are planning on changing your hair style or anything, it's
    in your best interest to discuss it with Bob beforehand.
    Carry on."

    As in so many other places we want to over-rely on technology
    when we really have no justification to do so. Several people
    have used the words "cost, benefit, analysis" in this thread
    but we as an industry really don't understand how to think
    clearly about where technology is valuable and where it isn't.


    firewall-wizards mailing list
