I think the best way to think about any biometric is as a very cheap, moderately hard to copy identification token. Think of it like a good ID card that just happens to be very hard to misplace or lend to your friends.
Well, if I was smuggling capacitors into Iraq I certainly wouldn't use a thumbdrive! But the above is pretty much the way I see it: 'reglar' folks can't 'figure out' my thumbprint, and couldn't use binoculars or whatever to see my password.
More importantly, I don't have a lot of time to try to come up with some soft/hard gadget on my own these days. I pretty much need to be able to BUY something and come up to speed pretty quickly on how to use it. I need it like sex: cheap/dirty/fast. I can't really spend a lot of time worrying about some hyper-evil, hyper-powerful fed (just yet).
Aside from the deniability aspect, another "upgrade" would be for me to be able to use my thumbprint as a PGP password. Then this thumbdrive wouldn't be readable via some off-the-shelf pin reader that any helpdesk knucklehead could buy.
SO both of these upgrades might be available by fairly simple hacks, or by pestering Trek for them. I wouldn't have to spend a few weeks down in Dexter's laboratory coming up with a completely new, God-proof device.
And then as further easy upgrades become available, I'll grab 'em. And who knows? With enough little hacks, some gadgets may eventually morph into inexpensive but quite fierce little black boxes. (As guitarist Robert Fripp has said: "Incremental changes are transformative.")
-TD
Cheap, fast, easy, and MASSIVELY scalable: that's the real end-run.
From: John Kelsey <kelsey.j@ix.netcom.com>
To: Eugen Leitl <eugen@leitl.org>, Thomas Shaddack <shaddack@ns.arachne.cz>
CC: Ben Laurie <ben@algroup.co.uk>, Tyler Durden <camera_lumina@hotmail.com>, <cypherpunks@minder.net>
Subject: Re: Deniable Thumbdrive?
Date: Sun, 26 Jan 2003 22:16:52 -0500
At 10:06 PM 1/24/03 +0100, Eugen Leitl wrote: ...
Frankly, the fingerprint is a lousy secret: you leak it all over the place. You can't help it, unless you're wearing gloves all the time. Ditto DNA.
That's generally true of biometrics. Unless taking the measurement is so intrusive it's obvious when it's taken (e.g., maybe the geometry of your sinus cavities or some such thing that requires a CAT scan to measure properly), there's no secret. People constantly seem to get themselves in trouble trying to use biometrics in a system as though they were secret.
The best you can usually do is to make it moderately expensive and difficult to actually copy the biometric in a way that will fool the reader. But this is really hard. In fact, making special-purpose devices that are hard to copy or imitate is pretty difficult. It seems enormously harder to find a hard-to-copy, easy-to-use "token" that just happens to come free with a normal human body.
I think the best way to think about any biometric is as a very cheap, moderately hard to copy identification token. Think of it like a good ID card that just happens to be very hard to misplace or lend to your friends.
--John Kelsey, kelsey.j@ix.netcom.com