Wednesday, April 8, 2015

Biometrics - To catch a spy

Just read this interesting article about biometrics making it hard for those in the spy agencies to go undetected and to go unnoticed. It really drove home the need for multifactor authentication in our systems and networks. In order to secure our networks and our systems, we need more information about those who require access, and we need to ensure that several forms of identification are provided that cannot be easily forged, copied, or otherwise stolen for the purposes of entry.

Of course, this does nothing if the system itself is compromised, whether through poor design, lax administration, or flaws in the software and devices themselves that allow security to be circumvented. Or worse yet, large, persistent, well-funded and connected entities have created their own back doors so that they have access. None of these really can be addressed by biometrics directly with the current control mechanisms we have today.

I thought this article made some interesting points; however, the idea that every person walking down a street, into a building, or using any kind of transportation will be scanned, identified, and monitored is really just creepy. I long for the days where there needed to be probable cause before you could rifle through people's lives and track their every move. It is one thing when a person is entering into a "controlled area", but the entire world outside of my home is NOT a "controlled area" where this level of identification, authorization, and accounting is needed... We very quickly become a prison state if we continue down this path.

I believe the internet needs to be treated the same way. If you're in a "public" area, then who you are and what you're doing is none of my business unless we have probable cause to suspect you're up to something. The bar needs to be set high before we start tracking and monitoring. However, once you log into someone else's network, either as a customer or as a user of their services, then you will have to consent to being monitored and granted access to the services or areas you are interested in. It is in the best interest of the company or service provider to ensure that their systems stay secure and that you're only given access to the things you have a need to access.

So there needs to be a differentiation between what is public and what is private, and the grounds on which someone can or should be required to identify themselves and to be monitored. I think in the case where someone is required to provide identification, biometrics makes sense... Something you have, something you know, and something you are... Ensure you know who is accessing your network and what they have access to.

Here is the article that talks about this topic...
Biometrics - To Catch a Spy
