Faulty fingertips
SC's “Biometric Tools” product review is the first such article I have seen that urges multiple authentication methods [SC Magazine, Oct. 2007]. Most computer/security magazines tout a single technology — fingerprint readers — as the magical solution. Problematic? Definitely! How?
Fingerprint readers are useless for missing fingertips, environmentally damaged ridges and cut fingertips. Examples?

Environmental damage results from abrasion due to decades of rough handwork, corrosion due to chemical contamination by strong acids/bases, and today from exploded limbs due to Middle East warfare. Even the prosthetic hands prove useless for fingerprint readers. Try rolling an artificial finger 180 degrees for the required rolled fingerprint. Even if that could be done, the artificial skin is still smooth and ridgeless.

Without the telltale arches, deltas, loops and whorls, your fingerprints are as unreadable as smooth beach sand. Lesson learned from our hospital processing over 14,000 fingerprint impressions yearly.

Chief Donald E. White,
director of safety and security,
Northern Virginia Mental Health Institute,
Falls Church, Va.

Dr. Stephenson replies: I couldn't agree more. When we did this Group Test review, we heard the same things from vendors of other biometric approaches and, in fact, in the November issue we addressed one of the more innovative approaches, vascular scanning. This approach counters many, if not all, of the objections to fingerprint scanning.

We feel that there is a place for fingerprint scanning. Fingerprint scanning, like any authentication mechanism, must be matched to its appropriate application.

For access to high-security areas it is not likely to be appropriate. By reviewing a variety of products in the biometric space, we hope that we have reflected that.

However, the biometric space is evolving rapidly and we expect to have new things to review in the coming year when we do our biometric group again. Thanks for your letter – I always appreciate hearing from our readers.



MySpace fallout
I just wanted to comment on your article [“Justin Timberlake, Hilary Duff, Tila Tequila MySpace profiles...,” Dec. 6, 2007, www.scmagazineus.com] about Hilary Duff and the other MySpace pages that were exploited. I am one of many who moderate the bulletin board. It's frustrating that kids would do something like this and, sadly, this shows the true disconnect between executives, administrators, project management and developers. While Tesla has slowed our board down, what is truly frustrating is the fact that MySpace won't even comment. Quality expectations for software are appalling. I do not want to attack MySpace because they are not the root cause of the problem. Exploits are the results of lowered expectations and software development companies' commitment to quality. Software design is not being thought out at the expense of security.

The articulation of an exploit's root to the executives demanding deadlines and benchmarks of improvement is absolutely necessary. I am working on a source code analysis project for a custom-built ERP system I designed and implemented and every response was at a 10 percent source code review. That is the unacceptable standard with which source code is reviewed. So, with 10 percent reviewed and 500k lines of code, the likelihood of more bugs and exploitable code is tremendous. I would like to see a follow-up article on the many exploits you've written about, including this one, hopefully keeping this email in mind.

A.J. Rembert,
Samscreen, Inc.

The opinions expressed in these letters are not necessarily those of SC Magazine.