Sunday, August 05, 2007

Biometric Monkey Business

Kim Cameron has had a couple of posts recently on biometrics and some supposed flaws: the "Biometrics Dilemma" and the reversibility of biometric templates. Both posts appear to fall victim to the same fallacy, the one that affected California Secretary of State Debra Bowen when she recently released her findings on electronic voting.

You may remember it in a different guise: the Infinite Monkey Theorem. Given enough time in an unfettered environment, the electronic voting machines can be compromised, the biometric data can be reversed, and the monkeys can type out the complete works of William Shakespeare. It's probably best illustrated by the theorem that Kim promotes as the "Biometric Dilemma": "the more we use biometrics the more likely they will be compromised and hence become useless for security." We might even say this is a truism, but still note that the time necessary for the compromise to occur may be longer than the time we have left on earth!

Of course, an infinite number of monkeys with an infinite variety of paints could eventually re-create the Mona Lisa, so Kim might be on to something! :)


Guess you did not bother to follow up on the admittedly non-blogger-friendly papers cited in the blog. Neither of the issues depends on the "monkey business" you suggest.

The biometric dilemma seems to be based on a risk analysis showing that with increasing deployments it will eventually be worthwhile to hack them. Showing there is a motivation for intelligent hackers and identity thieves is quite different from monkeys just banging away. The time for the compromise might be the same as hacking into the Windows boxes of DHS or whoever has the weakest security and the most data. DHS "US VISIT" machines were already compromised by a virus. (See "The virus that ate DHS".)

The reversibility is based on a paper that shows a direct estimation of the properties and ridge flows of the fingerprint from the template. It would probably not fool a human examiner; not clear about the computer-based fingerprint systems.

Neither is about random co-occurrences that just happen to match something of interest.

That particular "risk analysis" is, essentially, worthless. It simply shows that any system with enough usage will attract people willing to try to hack it. That's not limited to biometrics or even to digital "things". It's really just a truism.

© 2003-2006 The Virtual Quill, All Rights Reserved