Adam Shostack wrote:
>Generally, that's true, but as a layer in a well thought out system,
>they may be helpful. (Eg, the guard watches you put your head up to
>the retina scanner before he lets you in to maintain the shiny
>weapons.)


If you have actual guards, make the guard's job to verify
identities and know who they are dealing with. I.e.: a book
of names and photos is sufficient. If you want extra credit
and are worried about "mission impossible" style masks,
have the guard tug each person's nose and ears really
hard.

In the case where you have a human guard in the system,
the human guard will generally (assuming it's not a
$7/hr idiot) so dramatically out-perform a computer system
that you may as well omit the computer system entirely.

"Private Bob: these are the scientists that have access
to this lab. Get to know them well. If you see anyone
in the lab who doesn't belong, shoot them. Scientists:
this is Private Bob. He's a US Marine and he'll shoot
anyone he doesn't recognize. So I suggest that if you
are planning on changing your hair style or anything, it's
in your best interest to discuss it with Bob beforehand.
Carry on."

As in so many other places we want to over-rely on technology
when we really have no justification to do so. Several people
have used the words "cost, benefit, analysis" in this thread
but we as an industry really don't understand how to think
clearly about where technology is valuable and where it isn't.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards