Thursday 15 December 2011

Biometric Systems

Controls based on personal characteristics are the ultimate in computer access control - when they work properly. Known as biometric systems, these devices limit access to a computer or the computer room by verifying physical attributes of a person. A biometric system may look at any one of these individual traits to verify user identity: fingerprints, voiceprint, handwritten signature, palm print, hand geometry, or retinal patterns.

Biometric systems are costly to implement, but they are not always as accurate as television would have one believe. For example, a legitimate user's voiceprint may be rejected because of a change in voice pattern or voice speed due to illness or stress, or because of interference from outside noises. One system I tested would occasionally offer responses to the noise my finger made as it scratched the microphone! Similarly, finger and palm print technology can be thrown for a loop due to cuts and scratches on the hand, dirt on the hands, bandages and blisters, or scrapes in the glass tray on which a user places his finger or palm for scanning. Signature and handwriting analysis systems sometimes fail to pick up nuances in pressure, style and velocity; people do not always write their names the same way every day. I imagine this would be especially true for someone rushing into the computer room to print out a report three hours past deadline. Hand injuries could also make a person's signature look different.

Hand geometry devices - those which measure the length and translucency of fingers - don't seem to have much going against them, although again a Band-Aid or scraped machine tray could easily cause the rejection of an otherwise legitimate system user. Finally there are retinal pattern recognition systems, which look at the pattern composed by blood vessels in the eyes. These too have been shown to be reliable in their acceptance/rejection rates when user complicity is high. I point out the flaws in these systems so you will get a feeling for what it must be like to work in a building where you're required to get your eyeballs scanned every time you want to walk through a door. Or imagine being in a place where you have to speak foolishly aloud to switch on the computer. The first few times it may be seen as a novelty, but soon these gadgets become another ho-hum part of office life. Add to that the time delays these devices cause, the frustration when they don't work properly, the feeling of subservience that comes from having to remove gloves and glasses, speak distinctly into a microphone, present a clean hand, or hold one's face immobile, and you will find a bunch of people who - even under the strictest of security conditions - are sick of the whole damn thing!

Unless there is some incentive for workers to use these biometric devices - for example if their time cards will be punched depending on the time they register in, or if their actions are being monitored by guards - unless there is a motivation to follow the rules, you know very well that everyone is going to try their hardest to break them. People like showing how friendly they are. People like to show that they are not a part of the stupid bureaucracy that runs the place - they like holding doors open for others, even for strangers. They don't mind allowing others to use their own clearance to gain access to a room. Nobody wants to look like she is so caught up in protocol that she has ceased being a human being! And after a while, people don't like that their humanness has been reduced to a digitized picture of their thumbs, or the snaky red rivers in their eyes.

So, you will sometimes find these costly machines turned off and unplugged. You'll find garbage cans placed in the doorways to prevent them from shutting anyone out. You will find helpful, smiling personnel who will open doors for you and hold doors open behind them to let you through - even when they've never seen you before in their lives. Look what has happened here, and what does happen: the most effective way of ensuring user legitimacy is overthrown by the users themselves. Well, that's good for you, the hacker. Don't abuse the access that has been offered you by being malicious in your explorations of the facilities you find laid out before you.