It is the presentation day of your career-boosting idea: The most ingenious-super-whao authorization system featuring special StarTrek fingerprint recognition technology. Undefeatable. You are, of course, proud of it.

The CEO of your company comes first to try the new system. Smiling, he touches the fancy scanner screen, some LEDs blink and a pleasant woman Hollywood voice says "ACCESS GRANTED. Good day Mr. President. Welcome to Biotronics". And then the heavy steel doors open, letting the President go in. Then, just for the fun, a non-yet-authorized member of the company tries to use the system. Touching the scanner, the LEDs blink red and the voice announces proudly "ACCESS DENIED". Oh, yes, it works! Then you, the mind behind this beauty, puts the finger on the screen, the lights go green, and the steel doors open while the voice goes "ACCESS GRANTED. Good day Mr. Dogganos. Welcome to Biotronics". What a presentation! You are now getting this promotion you always wanted! Very-very-very satisfied, the President uses the system once more (he's a sucker for gadgets). You really glow!

As everybody comes to congratulate you, and, yes, the President also (your company will make big money with this gadget), somebody you see for the first time approaches the fingerprint recognition screen. You look very excited, not only because the President is watching, but because your precious little angel is getting the attention it deserves, with people trying to... deceive (heh, if ever possible) your creation.

What the hell??! The unknown man, instead of putting his finger on the touch screen, bends over, and... breaths, very close to it.

Sheer horror. The steel doors open as the pleasant voice announces happily "ACCESS GRANTED. Good day Mr. President. Welcome to Biotronics". Oh, that horrible contemptuous smile of the unknown man...

Real life is neither mathematics nor Hollywood. In mathematics, if you find a solid proof for some conjecture then it's over, it's a theorem. Whatever advances in mathematics may arise, no one, ever, will be able to "hack" your theorem and say that it does not apply. But in real life, you come up with the most ingenious security system and you see it breaking in a matter of hours. It is because, your idea, however ingenious, can never deal with all of its unknown Points Of Failure and the possible flaws that hide either in the original idea, or in the implementation.

Security systems have many Points-Of-Failure. They can fail because of (among others):

   1. Human error/stupidity  (bad administration of the system)
   2. Human ingenuity        (clever ways found to defeat your system)
   3. Insiders               (bad guys *inside* your system)
   4. Inadequate technology  (because it's fancy, it doesn't mean it works)
   5. Bad implementation     (OK, the idea is fine. What about those buffer overflows?)  
  1. Human error/stupidity. The administrator of your system, goes to the W.C., leaving the terminal on his office with a root shell. Somebody notices, and creates a new company account in order for the *bad guys* to sneak in, while the happy administrator relieves himself. And don't forget what they say: "never underestimate the ingenuity of human stupidity".
  2. Human ingenuity. As in our story, someone comes up with the thought that the print of the previous man who used the fingerprint recognition screen is still there, and the only thing that is needed, is to make the screen think that there is a finger on it. So he breathes on the screen, the heat and moisture in combination with the print left on the screen (actually, human oil/grease) does the job, et voila!
  3. Insiders. You bribe the administrator and if he does not accept, you threaten his family, no more needed to say.
  4. Inadequate technology. Technology never stays still. Whatever may you come up with, something better will be able to defeat it.
  5. Bad implementation. History has a lot to teach us. So many wonderful security systems failed because "there was found a buffer overflow in the code controlling the entrance-card, such that when a blank or invalid card (i.e. rub a strong magnet on the magnetic stripe) was inserted, the system would jump to the "access granted" routine..."

The key issue in security is NEVER, sing it along with me, NEVER ASSUME YOUR SYSTEM IS UNDEFEATABLE.

I had an IOMEGA ZIP drive once (those with the 95 MB diskettes, and not 100 MB as they claimed...) that had a feature to lock the disk so that without the password "nobody could ever read the disk, not even us (i.e. the IOMEGA company) in case you lost the password". Yeah right. Some smart guy came up with this: Set the sleep timer of the drive at, let's say, 3 minutes. Insert an unlocked diskette in the drive, lock it with a password and wait 3 minutes until the drive spins down. Take the disk out, not using the eject button, but using a pin in the emergency hole (same as the one every cd-rom has) that the drive has. Insert the really locked diskette and here's what happened: The drive did not understand the disk change, so it still thinks that it has the locked diskette inside, the one you just locked and, of course, you know the password. But, instead of that, it has the "unreadable" diskette with the unknown password. So, just go to the menu, give a command to unlock the disk, use the password you locked the other disk with, et voila!

There are innumerable facts to prove that everything that can be locked, can be unlocked. What should I say first? The hardware copy protection that I broke myself at the age of 13, of my mama's first (DOS based) word processor? (It used an intentionally damaged 3.5" diskette, and probably a software routine to try and read that sector, so I diskcopied the diskette to another diskette, ignoring the errors reported, and then using a pin, I damaged the copy at the same place where I found the damage in the original, and yes, it worked!) Should I say about the new SP1 copy-protection of the Windows XP? Broken in less than a week...

Even security systems related only to mathematics can be broken. For example, some days before, a paper was published which exhibited a serious flaw in the AES encryption algorithm. Cryptosystems base their security on the fact that we cannot compute in reasonable time the prime factors of vast numbers. But some weeks ago, a paper published by some Indian mathematicians introduced a really novel way to decide on the primality of big numbers in polynomial time. We can never be sure of anything.

And of course, never forget that "if you can't jump over an obstacle, just pass-by". A bad guy was using PGP to encrypt all the bad stuff he kept in his laptop. The FBI, the IRS and the National Guard knew they could just not decrypt the files. So, they just installed a keylogger on the bad guy's laptop (details found in every Hollywood movie), took the password, and once again... voila!

Biometrics, when first invented, were said to replace securely everything, special magnetic entrance cards, passwords etc. But then fingerprint recognition was defeated. The story at the beginning of the writeup is real (not the details of course :-) , but the method is working...). Voice recognition systems, even the ones that print a random sentence that you must read loudly, were defeated using voice synthesizers. Face scan systems were defeated by... high-resolution photographs. And never forget that if someone is really determined, your eye can be in front of the iris scan camera... without necessarily being in your head. Ooops! Don't you prefer a password?