BreachExchange mailing list archives
Forward of moderated message
From: dataloss-bounces () attrition org
Date: Mon, 31 Mar 2008 16:36:49 +0000
--- Begin Message ---
From: "Jim Kerr" <james.kerr () ceelox com>
Date: Mon, 31 Mar 2008 12:26:16 -0400
Hello, I enjoy the emails I get from your organization. Unfortunately one of the bloggers has personally attacked me and now has sent my email address on multiple SPAM lists. I am not sure what I can do but it's a shame that your valuable resource has negatively affected me.

When did I ever say passwords are safer than biometrics? In every response to you, I've been saying I'm not comparing biometrics to passwords. I'm comparing passwords to secure authentication methods such as one time pads, x.509v3 certificates, etc. You may benefit from learning how to read.

On 3/31/08, Jim Kerr <james.kerr () ceelox com> wrote:

Passwords are broken every day, yet your position is that passwords are safer than biometrics. I have not seen you provide any evidence that passwords are a better methodology. Our software has never been broken. There has never been one false positive reported in the 4 years we have provided the software to hundreds of customers with thousands of users. I am sorry that's as honest as I can be.

As far as false negatives.. how come this doesn't apply to passwords? A fat fingered password is the equivalent to a false negative and resets are a major problem yet my biometric customers do not have this taxation on their help desk resources. Your passwords are 30-50% of help desk call activity. If a user occasionally swipes incorrectly, it is much more of a convenience to swipe a second time than typing that password a second time don't you think? Especially when the end user realizes it's the wrong password and now he is locked out. Something that might happy customers using biometrics never have to deal with. Advantage biometrics hands down.

"I don't believe that biometrics can have something of value." Hence you cannot be objective.
-----Original Message-----
From: Walt Williams [mailto:walt.williams () gmail com]
Sent: Friday, March 28, 2008 8:55 PM
To: Jim Kerr
Subject: Re:

On Fri, Mar 28, 2008 at 5:18 PM, Jim Kerr <james.kerr () ceelox com> wrote:

The condition is predicated on the thought that why should I bother convincing you and taking the chance that you would send my trial software back if ultimately you won't buy it? I have nothing to gain and all risk. At least this way I know when you fail to spoof it that you would have to own it. I would even refund your money if you found a way to break. How many vendors will do that?

I've evaluated tons of software and never had to pay a dime. I'm not about to start now.

How many hackers have tried?

Several

Did you go to folks who are notorious for breaking devices previously thought to be FIPS compliant?

But why do you care Walter?? You have no interest in seeing a technology contradict your belief system. You have your mind made up because in your perception all people who offer biometrics as a security solution are greedy, no good, out for themselves, hucksters who really have no interest in genuinely helping people protect their data so there is no possible way a technology company could really have something of value. It's nice to be innocent until proven guilty. I appreciate that.

You are correct in only one thing: I don't believe that biometrics can have something of value. The rest is just an emotional reaction to someone who looks at the product you've invested time, money, and effort in to make it the best you can and sees the wrong idea. Sorry, deal with it. There isn't a solution invented yet that can't be broken, and I've noticed you still haven't been upfront with your false positive and false negative rates. How can I believe you to be anything other than a huckster under such conditions?
The US government may be OK on spending a billion on a solution that gets it wrong a certain percentage of the time, but I will never see such a solution as being one that I will trust for security. If you can't deal with the reality that you are peddling software that fails a certain percentage of the time, then that is your problem, not mine. If you're comfortable with yourself knowing what you are selling will fail a certain percentage of the time well good for you. I wouldn't be. My ethics are different than yours.

--
Walt Williams, CISSP, SSCP

--
Walt Williams, CISSP, SSCP
--- End Message ---