User Submitted Blog Post: Future Compliant, April 10 2008

So lets talk threats to your security. The last few posts have all been cool new gadgets and robots and weird web sites. A loyal reader might somehow forget that we're all in fact doomed! Well, maybe not 100% for sure doomed all the way, but at least doomed to be forced to endure misguided, wrong headed government policies passed without proper thinking in the name of our security from terrorists or some other boogey man. All of which brings me to the subject of biometric security.

Biometrics mean using some measurement of your body, like your fingerprint, as the security key to unlock a door or a computer or whatever else. Since each fingerprint is unique, then only you could ever open the lock, right? Right? Well, no. If you've seen any cop show ever you know we leave fingerprints all over the place, fingerprints which can be copied and cast to make duplicates of your fingerprints which have proven time and again capable of fooling the biometric locks currently on the market. So when the German government announced a plan to try and incorporate fingerprints into passport security, the fine folks at the Chaos Computer Club got a hold of the official in charge's fingerprints and published them in their magazine. Brilliant!

Here's the thing. Even if it wasn't possible right now to copy someone's fingerprint and use it to unlock a biometric seal, someday it probably will be. From what I've read, it's much harder to fake a retinal scan. But we've seen time and again that technology out innovates security and what seemed insuperable in the past is now easy as pie to overcome. The problem with biometrics is that, unlike a password or a particular kind of lock, you can't ever change your fingerprints. Or your retina. Or your DNA. Once those things get copied and cracked, they're not useful to you anymore as a security function. Moreover, unlike a password or even a key that you can hide somewhere, you're always carrying your biometrics around with you, offering thousands of opportunities each day for someone to swipe your information. It may seem all cool and James Bond and whatever, but really, in my opinion, it's sheer idiocy. OK, maybe not sheer, but certainly idiocy.

Disney World uses biometric fingerprint readers to control access to their parks. They claim that they only measure the length of the fingers and don't actually take fingerprints, but I'm not sure I believe it. But let's assume it is true. I'd love to see someone hack that system. How would you go about faking fingerlengths? I'm not sure, but it seems like there should be a way. Getting a hold of one of the Disney readers might be more difficult, but I don't imagine it's beyond the capabilities of some inventive hackers out there. Anyone want to give it a try?

Then there's this story, which I can't vouch for in any way but seems like it might be legit, about the NSA having backdoors into all the major label personal firewalls out there. I've seen enough demos at hacker cons to be less than trustworthy of these things in the first place, although I'm probably just being paranoid. Still, it wouldn't surprise me at all to find out that this story is true and that the firewalls do have back doors in them. That's why I tend to prefer open source applications for security (and most everything else) since they're theoretically not beholden to any corporate overlords who are in turn subject to government sanction. Plus the code's all out there in the open right, which theoretically would mean that you couldn't really hide a backdoor in it. That's assuming people are actually diligent about looking through such open source code for backdoors. I for one don't have any of he skills needed to do that and are just as much at the mercy of the open source community as I am to Symantec or Zone Alarm or Microsoft - except I trust the open source community a lot more. But it's still trust, and mostly blind trust at that. Which leads back to my original point that we are all in fact probably doomed.

On a lighter note, here's a link to what I think is the greatest Rickroll I've seen yet. With muppets.