There are pros and cons to biometric access control. On the one hand (no pun intended), such controls offer a high degree of assurance, especially systems that use fingerprint data. However, there are practical obstacles to instituting a wholly biometric approach.
First, when you expand biometric controls beyond the scope of your own workstation, you can face privacy issues. For example, suppose that you run a small ISP and you decide to institute biometric access controls systemwide. Even if your employees sign a release, they can later sue for invasion of privacy—and perhaps prevail.
Physical Security CHAPTER2 49
NOTE: Privacy concerns with biometric access control systems are very real, although they arise from arcane sources. It’s been argued, for example, that retinal scans contain personal medical information. Signs of drug abuse, hereditary disease, and even AIDS can be detected in retinal patterns. Hence, maintaining a retinal pattern database could conceivably leave you open to litigation. Similarly, fingerprints can reveal criminal convictions, which also constitute sensitive data.
Beyond legal issues, biometric access control systems have social implications. Your employees could resent such controls and perceive them as a privacy violation, whether or not they say so. This could foster a hostile work environment, even if it is not overt.
Without a doubt, new and less-offensive biometric techniques will be developed to address these issues. In late 2000, Net Nanny Software announced a new biometric system that identifies a user based on his typing style, including rate and key pressure. Assuredly, systems like this will calm some users who are upset by the potential invasion of privacy caused by some biometric devices.
Perhaps the strangest drawback of biometric access control systems lies in their effectiveness. Such systems perform at least rudimentary logging, and therefore they create an incontrovertible record of exactly who performed which duties and when they were performed. This deprives your personnel of plausible deniability. In certain lawsuits, records from your biometric access control system could be used against you.
Finally, biometric access controls are unsuitable in environments that extend beyond your local network. For example, you can’t force remote users to use biometric devices, even if you’d like to.
These problems aside, biometric access controls are excellent when used in-house, in close quarters, among trusted coworkers. I certainly recommend employing them in your inner office on the machines used to control and administer your network.
Unfortunately, there aren’t many Linux-compatible biometric access control tools. Table 2.4 lists a few of them, what they do, and where to learn more about them.
TABLE 2.4 Linux-Compatible Biometric Access Tools

| Product or Service | Description |
|---|---|
| BERGDATA | BERGDATA is a fingerprint system that embraces the Linux software model and is written for easy use on multiple operating systems. For more information, look at http://www.bergdata.com/english/evalkit.php3. |
| Biomouse | This is a mouse from American Biometric that reads your fingerprints. It works well with Linux 2.0 or greater. Check it out at http://www.biomouse.com/. |
| IrisScan | This is a networked biometric authentication system that supports 256 workstations per LAN segment. Users are authenticated by random iris patterns, which are purportedly even more accurate and reliable than retina scans. Although IrisScan requires Windows NT on the server, it can be used to secure heterogeneous environments. Check out IrisScan at http://www.iriscan.com. |
| VeriFinger | Yet another fingerprint identification system for Linux 2.0+ systems. Demo software is available from http://www.neurotechnologija.com/. |
| Verivoice | This system, available for Linux 2.0+, verifies your identity using voice recognition. Check it out at http://www.verivoice.com/. |
Linux Security Basics
PARTI
CAUTION: I hope that you’re not using your computers for illegal activity. But if you are, you should probably pass on biometric access controls or at least disable their logging facilities. Nothing spoils an otherwise clean hack like incontrovertible logs.
To learn more about biometric identification, check out these sites:
• A View From Europe. An interview with Simon Davies that focuses on biometric privacy issues. It’s at http://www.dss.state.ct.us/digital/news11/bhsug11.htm.
• Biometrics Explained. A fine document by Gary Roethenbaugh, an industry analyst at the International Computer Security Association (ICSA). It’s at http://www.ipc.on.ca/english/pubpres/sum_pap/papers/biometric.pdf.
• Fight the Fingerprint. These folks see a biometric future, and they don’t like it. As their opening page explains, “We Stand Firmly Opposed to All Government Sanctioned Biometrics and Social Security Number Identification Schemes!” It’s at http://www.networkusa.org/fingerprint.shtml.
• The Association for Biometrics (AfB) and International Computer Security Association (ICSA) Glossary of Biometric Terms. It’s at http://www.afb.org.uk/public/glossuk1.html.
• The BioAPI Consortium. This group was established to help developers integrate biometric identification into existing standards and APIs. It’s at http://www.bioapi.org/.
• The Biometric Consortium. “…the U.S. Government’s focal point for research, development, test, evaluation, and application of biometric-based personal identification/verification technology.” Hmmm. It’s at http://www.biometrics.org/.
• The Biometric Digest. The Biometric Digest contains the latest news releases related to biometrics. This is an excellent site to learn about the available technologies and where to find them. Take a look at http://webusers.anet-stl.com/~wrogers/biometrics/.
• Infosyssec. The Infosyssec security portal has an excellent biometrics area that includes links to hundreds of biometrics vendors and white papers. Check it out at http://www.infosyssec.com/infosyssec/biomet1.htm.