It is the presentation day of your career-boosting idea:
The most ingenious-super-whao authorization system featuring special StarTrek
fingerprint recognition technology. Undefeatable. You are, of course, proud
of it.
The CEO of your company comes first to try the new system. Smiling, he touches
the fancy scanner screen, some LEDs blink and a pleasant female Hollywood
voice says "ACCESS GRANTED. Good day Mr. President. Welcome to Biotronics".
And then the heavy steel doors open, letting the President go in. Then,
just for fun, a not-yet-authorized member of the company tries to use
the system. Touching the scanner, the LEDs blink red and the voice announces
proudly "ACCESS DENIED". Oh, yes, it works! Then you, the mind behind
this beauty, put your finger on the screen, the lights go green, and the
steel doors open while the voice goes "ACCESS GRANTED. Good day Mr.
Dogganos. Welcome to Biotronics". What a presentation! You are now getting
this promotion you always wanted! Very-very-very satisfied, the President
uses the system once more (he's a sucker for gadgets). You really glow!
As everybody comes to congratulate you, and, yes, the
President also (your company will make big money with this gadget), somebody
you see for the first time approaches the fingerprint recognition screen.
You look very excited, not only because the President is watching, but because
your precious little angel is getting the attention it deserves, with people
trying to... deceive (heh, if ever possible) your creation.
What the hell??! The unknown man, instead of putting
his finger on the touch screen, bends over, and... breathes, very close to
it.
Sheer horror. The steel doors open as the pleasant voice announces happily
"ACCESS GRANTED. Good day Mr. President. Welcome to Biotronics". Oh,
that horrible contemptuous smile of the unknown man...
Real life is neither mathematics nor Hollywood. In mathematics,
if you find a solid proof for some conjecture then it's over, it's a theorem.
Whatever advances in mathematics may arise, no one, ever, will be able to
"hack" your theorem and say that it does not apply. But in real life, you
come up with the most ingenious security system and you see it breaking
in a matter of hours. That is because your idea, however ingenious, can never
deal with all of its unknown Points Of Failure and the
possible flaws that hide either in the original idea, or in the implementation.
Security systems have many Points-Of-Failure. They can fail because
of (among others):
1. Human error/stupidity (bad administration of the system)
2. Human ingenuity (clever ways found to defeat your system)
3. Insiders (bad guys *inside* your system)
4. Inadequate technology (just because it's fancy doesn't mean it works)
5. Bad implementation (OK, the idea is fine. What about those buffer overflows?)
Examples.
- Human error/stupidity. The administrator of your system goes
to the W.C., leaving the terminal in his office with a root shell open. Somebody
notices, and creates a new company account in order for the *bad guys* to
sneak in, while the happy administrator relieves himself. And don't forget
what they say: "never underestimate the ingenuity of human
stupidity".
- Human ingenuity. As in our story, someone comes up with the
thought that the print of the previous man who used the fingerprint recognition
screen is still there, and the only thing that is needed, is to make the
screen think that there is a finger on it. So he breathes on the screen,
the heat and moisture in combination with the print left on the screen
(actually, human oil/grease) does the job, et voila!
- Insiders. You bribe the administrator and, if he does not accept,
you threaten his family. No more need be said.
- Inadequate technology. Technology never stays still.
Whatever you may come up with, something better will be able to defeat it.
- Bad implementation. History has a lot to teach us. So many wonderful
security systems failed because "a buffer overflow was found in the
code controlling the entrance card, such that when a blank or invalid card
(i.e. rub a strong magnet on the magnetic stripe) was inserted, the system
would jump to the 'access granted' routine..."
The key issue in security is NEVER, sing it along with me, NEVER
ASSUME YOUR SYSTEM IS UNDEFEATABLE.
I had an IOMEGA ZIP drive once (those with the 95 MB
diskettes, and not 100 MB as they claimed...) that had a feature to lock
the disk so that without the password "nobody could ever read the disk,
not even us (i.e. the IOMEGA company) in case you lost the password".
Yeah right. Some smart guy came up with this: Set the sleep timer of the
drive to, let's say, 3 minutes. Insert an unlocked diskette in the drive,
lock it with a password and wait 3 minutes until the drive spins down. Take
the disk out, not using the eject button, but using a pin
in the emergency hole (same as the one every CD-ROM has) that the
drive has. Insert the really locked diskette and here's what happens:
The drive does not notice the disk change, so it still thinks that it
has the locked diskette inside, the one you just locked and whose password,
of course, you know. But, instead of that, it has the "unreadable" diskette
with the unknown password. So, just go to the menu, give the command to unlock
the disk, use the password you locked the other disk with, et voila!
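The stale-state flaw behind the disk-swap trick above, modelled as an added example (not code from the original writeup or from the drive's vendor). The drive classes, the cached verifier and the SHA-256 check are assumptions made for illustration; the second class shows the fix of re-reading the lock state from the disk actually in the drive.

```python
import hashlib
import hmac
from dataclasses import dataclass

def digest(password: str) -> bytes:
    # Assumed stand-in for however the real medium stores its password check.
    return hashlib.sha256(password.encode()).digest()

@dataclass
class Disk:
    label: str
    verifier: bytes = b""  # empty means the disk is not locked

class CachingDrive:
    """Keeps the lock state in drive memory and trusts it until told otherwise."""
    def __init__(self) -> None:
        self.disk = None
        self.cached = b""

    def insert(self, disk: Disk) -> None:
        # Normal load: the media change is seen, so the cache is refreshed.
        self.disk, self.cached = disk, disk.verifier

    def swap_while_asleep(self, disk: Disk) -> None:
        # Spun down + emergency-hole eject: no media-change event reaches the drive.
        self.disk = disk

    def lock(self, password: str) -> None:
        self.disk.verifier = self.cached = digest(password)

    def unlock(self, password: str) -> bool:
        if not self.cached or not hmac.compare_digest(self.cached, digest(password)):
            return False
        self.disk.verifier = self.cached = b""  # clears whatever disk is physically present
        return True

class RevalidatingDrive(CachingDrive):
    """Re-reads the verifier from the medium in the drive before every check."""
    def unlock(self, password: str) -> bool:
        self.cached = self.disk.verifier  # never trust state from before spin-up
        return super().unlock(password)

def victim_unlocked_after_swap(drive: CachingDrive) -> bool:
    # Replays the steps from the text with constructed disks and passwords.
    own, victim = Disk("own"), Disk("victim", digest("constructed-unknown-password"))
    drive.insert(own)
    drive.lock("known-password")
    drive.swap_while_asleep(victim)
    drive.unlock("known-password")
    return victim.verifier == b""
```

The password check itself is sound in both classes; the difference is only which disk the drive believes it is checking against.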
There are innumerable facts to prove that everything
that can be locked can be unlocked. What should I say first? The hardware
copy protection that I broke myself at the age of 13, of my mama's first
(DOS based) word processor? (It used an intentionally damaged 3.5" diskette,
and probably a software routine to try and read that sector, so I diskcopied
the diskette to another diskette, ignoring the errors reported, and then
using a pin, I damaged the copy at the same place where I found the damage
in the original, and yes, it worked!) Should I mention the new SP1 copy protection
of Windows XP? Broken in less than a week...
Even security systems related only to mathematics can be broken. For example,
a few days ago, a paper was published which exhibited a serious flaw in
the AES encryption algorithm. Cryptosystems base their security on the
fact that we cannot compute in reasonable time the prime factors of
vast numbers. But some weeks ago, a paper published by some Indian mathematicians
introduced a really novel way to decide on the primality of big numbers in polynomial time.
We can never be sure of anything.
And of course, never forget that "if you can't jump over an obstacle,
just pass by". A bad guy was using PGP to encrypt all the bad stuff
he kept on his laptop. The FBI, the IRS and the National Guard knew
they simply could not decrypt the files. So, they just installed a keylogger
on the bad guy's laptop (details found in every Hollywood movie), took the
password, and once again... voila!
Biometrics, when first invented, were said to securely replace
everything: special magnetic entrance cards, passwords, etc.
But then fingerprint recognition was defeated. The story at the beginning
of the writeup is real (not the details, of course :-), but the method
works...). Voice recognition systems, even the ones that print a random
sentence that you must read aloud, were defeated using voice synthesizers.
Face scan systems were defeated by... high-resolution photographs. And
never forget that if someone is really determined, your eye can be in front
of the iris scan camera... without necessarily being in your head. Ooops! Don't you prefer a password?