> The whole point (and why I think it's important to continue
> this thread a bit past its due date) is that in the case of biometric
> authentication, the authenticator is *probably* more important to the user
> than the thing being protected- especially when the attack is a
> denial-of-service attack (be it as a precursor to a new attack, or malice
> because the attacker decides that if it won't work for them, it won't work
> for you either.).

Paul, that's a great way to summarize it, and reminds me to mention
something else I should've said in an earlier post -- compare this to the
asymmetry of the defense sector, where some of these biometric or bio-linked
technologies originated.

Take the "nuclear football" handcuffed to the officer's wrist. This is a
case where the value of the wrist and its owner is viewed as much lower than
the country's strategic nuclear launch capability. Similarly, the biometric
technologies used for controlling access to very sensitive defense
facilities may have been deployed with full understanding of this tradeoff
between the value of the authenticator and the protected asset. When this
same technology gets commercialized for protecting cars, the tradeoff is
neither considered nor appropriate.

("Yes, General, we expect that someone may maim & kill the guard. That's
what happens to the poor guys on guard duty, but the photos of ***'s nuclear
facilities must be protected.")

("Yes, honey, I know your finger may get cut off and eye poked out, but we
have to take every measure to protect my new Mercedes SLK convertible. It's
worth it to me and to the country.")

\\ Eugene Kuznetsov, Chairman & CTO : eugene@datapower.com
\\ DataPower Technology, Inc. : Web Services security
\\ http://www.datapower.com : XML-aware networks

firewall-wizards mailing list