Marcus J. Ranum wrote:

>In the case where you have a human guard in the system,
>the human guard will generally (assuming it's not a
>$7/hr idiot) so dramatically out-perform a computer system
>that you may as well omit the computer system entirely.
>
>

I roll to disbelieve. This study shows 71% of people will give up their
password for a candy bar
http://www.enterpriseitplanet.com/se...le.php/3342871
Kevin Mitnick was most successful with exploits that involved social
engineering. I don't actually believe that "Private Bob" is
significantly resistant to a social engineering attack.

* Scientist: Bob, this here is my girlfriend, and I don't want my
wife to find out, so could you look the other way?
* Bob: Why, sure ...

Like other multi-factor authentication systems, I suspect that
biometrics + human guard works much better than either in isolation.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards