Identification by fingerprint is a bad idea for security, but a great idea for Security Theater and for wasting money. If your goal is to waste as much money as possible or to give an illusion of security then you might as well stop reading now.

Using biometrics such as fingerprints for identification is good for security theater because it is easy to understand, is physical, and can be dramatic. It is used often in movies and television to add drama and visual flair. It is common to watch a crime drama where investigators use special tools and expert skill to carefully lift fingerprints from a crime scene. Often the drama has a scene where the found fingerprint is matched to a print on file with a computer.

“We have a match! We found our perp!”

Another place where biometrics are used in dramatic fiction is where the protagonist is shown entering a super-secret, highly secure facility. Our hero presents his or her eye to a laser for a retina scan[1] or a hand for a hand scan. In the movie The Bourne Identity, Jason Bourne gets a full hand scan to capture his fingerprints to identify him before he is granted access to his assets in a numbered bank box. That is a fun scene and shows how Bourne can access his assets without a memory for pass-phrases, etc. It is easy for us to recall these scenes from movies and television and associate biometric authentication factors with strong security. This association makes biometrics great for security theater but, of course, does not make biometrics good for actual security.



A part of a song comes to mind. The lyrics go something like “Money Money Money Money!”. Great theater can mean great potential for making money. The Transportation Security Administration (TSA) has used all kinds of expensive new equipment in their security efforts. The effectiveness and safety of said equipment and procedures are actively debated. It is, however, important that the TSA appear to be doing something new and different or the traveling public might start asking uncomfortable questions. It is easy to accept biometrics as useful security since it is reinforced so often in popular media fiction. The security theater used by the TSA is a whole different subject that deserves, at least, its own article. Security expert Bruce Schneier has spoken volumes on this issue. If the subject interests you, check what Bruce has written.

Well, that is the theater aspect; let's get back to biometrics. If you work as a licensed professional, that is to say, you work in some profession that is controlled by a government entity such that you are required to obtain permission, in the form of a license (see Licensure), then you may be required to provide this entity with your fingerprints. This concept of licensure smells like a scam to me, but then I admit that I do not understand it. It seems to me like its whole purpose is to make government seem important, or perhaps to control competition in profitable professions, or both. I suppose it is like getting knighted by your servants, in this case public servants, in order that you may prove that in addition to knowing how to practice medicine, or wash hair or whatever, you also know how to please the State. How grand it is to be knighted…


So why not capture biometric data for licensing? If you want to work as a licensed professional you will need to comply with whatever hare-brained requirement is asked of you. I understand that to renew a nursing license in Texas, at the time of my writing this article, one must provide a full set of fingerprints from both hands! What great security theater! Why not a retina scan and a stool sample too? Perhaps those will be implemented in the future. What is especially nice is the money that can be made from getting these fingerprints. I applaud MorphoTrust for being so well connected to the State(s) and opportunistic enough to profit from State fingerprinting requirements. Make an appointment online, pay your money and then they will handle the intensely difficult job of putting your hands in ink then pressing them to paper. Is a ceremony involved? I hope at least that they have a cha-ching sound every time they press your hand to paper. I wonder if these people are licensed?

Fingerprints are good for security theater and have potential for extracting money from licensed professionals, but what about their use as an authentication factor[2]? There are many smart folks who have devoted significant time and money to determine just how unique different biometric authentication factors are, and if you want the details you can find them proudly displayed all over the web. To simplify this, let's just assume that something like your fingerprint is unique.

How do you expect that a fingerprint would be used? In the case of a professional license, do you think that perhaps the fingerprint would be digitized and stored in a database? Perhaps this print would then be compared with prints already stored in the database? This means that your very unique information is stored someplace outside of your physical control. Who has access to this information? How safe is this from unauthorized access, say from an identity thief? How long is this information stored? How do you know that your digitized fingerprint is correctly associated with your data? What do you think could happen to you if somehow your information got associated with a different set of prints? What happens to your information after it is no longer needed for authentication?

The most important problems with using biometric factors for authentication are the following.

Problem of Scope
Typically one would not want to use an authentication factor in one place that is identical to one used in another place because if the factor becomes compromised, then all places employing the factor will be compromised. An authentication factor’s use should be confined to one place so that it is targeted to the specific need. Some uses require better or different quality factors than others.
Problem of Longevity
A biometric factor such as a fingerprint should be persistent for one’s entire life. This expands the time during which such a factor can be compromised well beyond the period of the authentication need. Imagine if your fingerprint was used to authenticate you for entrance to your place of employment. Most people do not stay employed with the same employer for their entire lifetime. If all employers authenticate employees using fingerprints then with each new employer, one would leave one’s fingerprint history with a prior employer for which authentication is no longer required. How well would one expect an employer to protect the biometric data of former employees? Another example would be the fingerprint scanner on a company laptop. What happens to the stored representation of one’s fingerprint when the laptop is returned to the employer? The fingerprints may not be stored in the same place as the user’s files. Would every employer know or care to properly destroy this information on receipt of such a laptop?
Problem of Compromise
This is related to the Problem of Longevity, but deserves its own explanation. When a traditional authentication factor, such as a pass-phrase, is compromised, one may simply take steps to invalidate the compromised factor and replace it with a fresh one. This is not feasible with a biometric factor such as a fingerprint. Getting new fingers when one’s fingerprints are compromised is simply not realistic. One might think that a biometric factor like a fingerprint cannot be compromised. This is incorrect. Biometric factors can be and are compromised just like any other factor. Recall that to check the fingerprint pressed on a scanner, there must be a digitized version to compare against. So to compromise a biometric factor one need not have any physical contact with an actual finger. All that would be needed would be a copy of the digitized version and a way to trick the scanner into reading a match. There are other ways to defeat biometrics, but that is not in the scope of this article.

Biometric identification such as use of a fingerprint scan is great for creating the illusion of security without actually providing true security. Because its use is dramatic, simple and reinforced in popular media, it is widely accepted and thus has good profit potential. What you can do to protect yourself is to avoid services that rely on biometrics for authentication. If you need a fingerprint to rent a car, perhaps you can find different transportation. Let's focus on actual security and leave the illusions to magicians.
 

  1. There seems to be no interest in what damage a laser would do to one’s eye for such a scan, but hey lasers look great on film. 
  2. An authentication factor is a measurable piece of information used to verify one’s identity. 
 
 
 

I believe that at least a small amount of organization is empowering. It is frustrating to spend time and effort finding or creating a document only to have to do it again next time it is needed because it gets lost or is otherwise unavailable.

I have many files that I like to have readily available on whatever computer I am using. These items are manuals, technical references, web links, notes, audio files and other things.

What they have in common is that they are:

  • Small, typically less than 10MB
  • Do not contain sensitive data
  • Useful for quick retrieval
  • Things that I, at times, need to share with one or more people
  • Revised over time, such as a notes and other personal documents
  • The result of an investment to create or otherwise obtain

I have experimented with various ways of managing the types of files described above and have found a free tool that works well for me. It is called Wuala[1]. It is both a piece of software and a service. It permits one to use cloud storage to safely manage files. One can interact with Wuala using the Wuala web portal and/or the Java based Wuala client application. There are many alternatives to Wuala such as iDisk, Dropbox, GoogleDrive, even a USB thumb drive.

The following are the features that I find most useful. More information about Wuala can be found on the www.wuala.com web site.

Privacy/Security
I do not store sensitive documents using Wuala, or any other service that employs cloud storage. It is my belief that one must maintain physical control, or fully understand and accept the physical stewardship of the data. These criteria cannot be achieved with cloud storage. That being said, the most attractive feature of Wuala is the way it implements privacy and security. My files, even though they are not sensitive, are my property to share as I see fit. Files stored with Wuala are broken into fragments and stored using strong encryption. The details of how this is done can be found here. The pass-phrase is not kept with the managed files and the encryption/decryption process is performed on one’s local computer. This means that the file fragments are secure both during transmission to and from remote storage as well as on the remote servers/cloud storage. The data are thus protected even from Wuala employees.
Revision management
Wuala manages revisions of files. It seems reliable and is extremely simple to use. This is perfect for files that do not need a more elaborate revision control system like git.
Synchronization across multiple computers
It is useful to be able to have a folder of files synchronized across multiple computers. This way one may access files locally without network connectivity, then have revisions shared across participating computers when connectivity is restored. This is one of those features that is surprisingly nice.
Sharing
It is possible to define access controls for folders such that one may make some content public, some private and some shared with particular Wuala users. It is also possible to provide a non-Wuala user a private[2] URL link to content. This private link feature is great for one-off sharing.
Value
All of these features are available for a free account. A free account makes 5GB of storage available. More storage can be purchased for a reasonable price. You would be surprised how many small files can be stored in 5GB. If you need to back up an entire disk or store large files then a different solution may be better suited to your needs.

I know this article sounds a bit like an advertisement, but I am not an affiliate for Wuala, though based on my experience with the product, I would surely consider it if such a program existed. I have tried so many solutions, it is exciting to finally find one that works so well!

  1. Likely a play on the French word Voilà. 
  2. It is not exactly private but so long as you control access to the URL fewer people will find the content than one would expect for a public folder. This is not security but rather a handy way to make the content more difficult to find for anybody but the intended recipient. It may not be a secure solution, but it is often all that is needed. 
 
 
 

I love books, but find it can be difficult to read more than one at a time. This means that there are many books that I make a mental note to read; a kind of book interest queue. I work the queue when I next get a chance. One challenge is that my mental book queue often exceeds my capacity for good recall. There are also many books that I have read that have made some positive contribution to my life. These special books drive me to share the experience with others. Please see the following prior article: “Three things you can do today to change the world”. This just means that I need another book queue, a “wow that was a really great read” queue. As you might guess, this creates an additional strain on the mental queue capacity.

I have tried many ways to track my books, movies and more with varying success. If you do the same, you have likely encountered some of the same challenges with each method. Paper, for example, can become quite large, onerous to update and slow to search. I have experimented with various software solutions and databases, each sporting its pros and cons.

The solution that has worked best for me is Data Crow. Among other reasons, I like it because it is simple to use, works on various computing platforms and is free. I find it easy to insert new content, search and edit. The following is an example screen for browsing books in a category of read[1].


Scale conversation

When you see a book, movie or other media described on this site, chances are high that I have details about it stored in my Data Crow library. Most will also have a page of their own[2] on this site (as I get the pages added). You should be able to find them listed at the reviews page linked at the top of the site. I will include a simple export of the Data Crow catalog card on the page as well, for those items defined in my own library.

The export will be in the form of a zip archive. One can download the archive, expand the zip file[3] and import it into one’s own Data Crow library using the import wizard. I am adding new cards all the time for media that I “want to have”. Once I experience the item I update the entry while my reactions are still fresh.

I find it quite nice that Data Crow can produce reports. I find a “want to have” report to be handy when shopping or browsing the local library. Does anybody use mobile phones for making phone calls anymore?

I hope you will try Data Crow and share your thoughts about the experience, or share your experience with an alternate method. Read any good books lately?

  1. Why not some fun books for the example. :-) 
  2. Here is an example for a book about inflation. 
  3. Even though this archive does not contain any executable code, you should scan it for viruses just like you scan all content you download from the Internet. You do scan your downloads don’t you?