Marcus J. Ranum wrote:

>In the case where you have a human guard in the system,
>the human guard will generally (assuming it's not a
>$7/hr idiot) so dramatically out-perform a computer system
>that you may as well omit the computer system entirely.

I roll to disbelieve. This study shows 71% of people will give up their
password for a candy bar
Kevin Mitnick was most successful with exploits that involved social
engineering. I don't actually believe that "Private Bob" is
significantly resistant to a social engineering attack.

* Scientist: Bob, this here is my girlfriend, and I don't want my
wife to find out, so could you look the other way?
* Bob: Why, sure ...

Like other multi-factor authentication systems, I suspect that
biometrics + human guard works much better than either in isolation.


Crispin Cowan, Ph.D.
CTO, Immunix

firewall-wizards mailing list