Frequently, scientists who know nothing about security come up with ingenious ways to solve non-existent problems. Take this, for example:
http://www.sciam.com/article.cfm?chanID=sa003&articleID=00049DB6-ED96-12E7-AD9683414B7F0000

Basically, some clever folks have found a way to "fingerprint" the fiber pattern in a particular piece of paper so that they know they have a particular piece of paper on hand. It is claimed that this could help stop forged passports.

Unfortunately, the invention is wholly useless for the stated purpose. If the information is put onto the passport itself, nothing would stop someone from taking a new, forged passport and adding the fingerprint information onto the passport. If the information was protected by a public key, that could prevent such forgeries, except that if you already have a public key, you can protect the information printed on the passport with said public key already, bypassing any care about whether the paper in the passport is "original". You could, of course, put the fingerprint information on-line, but if you have an online database good enough to verify that the passport is real, why have a passport? Why not just store identifying information about the person far away from the ability to tamper with it?

Anyway, I have a larger point. I read about such stuff every day -- wacky new ways of building "tamper proof tokens", "quantum cryptography", and other mechanisms invented by smart people who don't understand threat models at all. We already have the term "snake oil" for a very different type of bad security idea, and the term has proven valuable for quashing such things. We need a term for this sort of thing -- the steel tamper resistant lock added to the tissue paper door on the wrong vault entirely, at great expense, by a brilliant mind that does not understand the underlying threat model at all.

Anyone have a good phrase in mind that has the right sort of flavor for describing this sort of thing?
Perry
