[59955] in North American Network Operators' Group
Re: User negligence?
daemon@ATHENA.MIT.EDU (Stephen Sprunk)
Sun Jul 27 23:51:23 2003
From: "Stephen Sprunk" <stephen@sprunk.org>
To: "Jamie Reid" <Jamie.Reid@mbs.gov.on.ca>
Cc: <wb8foz@nrk.com>, <chris@UU.NET>,
"North American Noise and Off-topic Gripes" <nanog@merit.edu>
Date: Sun, 27 Jul 2003 22:38:20 -0500
Errors-To: owner-nanog-outgoing@merit.edu
Thus spake "Jamie Reid" <Jamie.Reid@mbs.gov.on.ca>
> All that user end security devices do is put more non-repudiable
> onus on the user, so that when it fails, the service provider is
> protected, and the user is cryptographically guaranteed to be SOL.
> ... and when the database gets compromised, nobody will believe that
> the user isn't responsible, because "The System is Perfect".
I hope this was in jest... All it will take is one expert witness to show
the system is not perfect and there are hundreds of ways the bank (or even a
smart criminal) could defraud the user.
> Biometrics are an excellent example of this. They are a single factor
> authentication technology, maybe two factor if there is a PIN,
There are now techniques to copy latent fingerprints off surfaces and
produce counterfeits that have been shown to fool _all_ commercially
available fingerprint gear -- and it costs less than $2 per use.
Biometrics is a failure because there is no shared secret; once a user
submits to a test (either knowingly or not), the validator has all the
information necessary to spoof that person _for the rest of their life_.
S

Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking