Xref: utzoo comp.windows.misc:844 comp.sys.next:1043 comp.sys.mac:24458 comp.cog-eng:746
Path: utzoo!attcan!uunet!husc6!bu-cs!encore!gloom!cory
From: cory@gloom.UUCP (Cory Kempf)
Newsgroups: comp.windows.misc,comp.sys.next,comp.sys.mac,comp.cog-eng
Subject: Re: One Step... (long!)
Message-ID: <268@gloom.UUCP>
Date: 28 Dec 88 15:54:52 GMT
References: <263@gloom.UUCP> <4498@xenna.Encore.COM>
Reply-To: cory@gloom.UUCP (Cory Kempf)
Organization: Alloy Computer Products, Framingham Mass.
Lines: 29

In article <4498@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
>
>Fun note but why do a password challenge when a retinal scan would
>have been more secure? (please, no disgusting remarks about how to fool
>a retinal scanner.)
>

Two reasons actually... first, I wasn't too sure about retinal scans...
the only place I have seen any refs. to them has been in SF (haven't
looked much though), so I didn't (and still don't) know how practical
they are for security.

The second was that the engineer was actually doing an rlogin from his
workstation to a local mini. Since the hardware to do the scanning
would necessarily have to be attached to the workstation, it would be
trivial to subvert (ie have it record the retinal image from the
authorized user and play it back to the verification program. Login
simulators anyone?). Thus, while it could be safely used in the
example I gave, it probably wouldn't be used for user verification
over a network from an untrusted host (ie a workstation).

It does bring up a point... user verification over a network from
untrusted hosts. But that is a thread that is better suited for
comp.security.

+C
--
Cory ( "...Love is like Oxygen..." ) Kempf
UUCP: encore.com!gloom!cory
"...it's a mistake in the making." -KT
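The record-and-playback weakness described in the post above, as an added Python example that is not part of the original post. It contrasts a verifier that accepts a fixed template with one that binds each login to a fresh nonce. The class names, the HMAC scheme, the sample template and the assumption that the key is sealed inside the scanner where the workstation cannot read it are all illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not real biometric data or keys.
ENROLLED_TEMPLATE = hashlib.sha256(b"constructed retinal template").digest()
SCANNER_KEY = secrets.token_bytes(32)  # assumption: sealed inside the scanner


class StaticVerifier:
    """Mini that accepts whatever template bytes the workstation forwards."""

    def verify(self, submitted: bytes) -> bool:
        return hmac.compare_digest(submitted, ENROLLED_TEMPLATE)


class ChallengeVerifier:
    """Mini that issues a single-use nonce and expects a keyed response to it."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False          # unknown or already-used challenge
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def scanner_respond(key: bytes, nonce: bytes) -> bytes:
    """What the (assumed tamper-resistant) scanner returns for one challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    # Static scheme: bytes recorded at the workstation verify again later.
    static_replay = StaticVerifier().verify(ENROLLED_TEMPLATE)
    # Nonce scheme: a genuine login, then the recorded response is played back.
    mini = ChallengeVerifier(SCANNER_KEY)
    n1 = mini.challenge()
    r1 = scanner_respond(SCANNER_KEY, n1)
    genuine = mini.verify(n1, r1)
    replay_new_nonce = mini.verify(mini.challenge(), r1)
    replay_old_nonce = mini.verify(n1, r1)
    return static_replay, genuine, replay_new_nonce, replay_old_nonce
```

This only covers playback of a recorded exchange; a workstation that misbehaves during a live login still sees and controls that session.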