Linked by Adam S on Fri 5th Jun 2015 15:26 UTC
Android In June of last year, I finally decided to commit to an Android device. I had carried every flagship iPhone up through that point from the original iPhone to the 5S. To the world around me, I heaped the praise into a life transforming device, but in my tech circles, and on my blog, I frequently posted about my frustration, mostly with shackles and intentional limitations imposed. So last year, why I decided to make the jump to Android. I outlined 10 reasons why I was finally ready to make the jump to Android’s 4.4 release, KitKat. A year has passed. It's time to revisit my original assertions and complaints with some follow up and see where I stand one year later.
Bill Shooter of Bul Member since:
2006-07-14

Biometrics are very democratic in that they offer the same level of security to any human user regardless of any special skill they have.

Passwords are dependent on the user to derive good ones, and to keep them safe. There is a good deal of human error here.

If you wanted a system that provided a greatest common denominator of security, you'd probably pick Biometrics.

If you wanted a system with the highest possible theoretical security, you'd devise a multi factor auth system that relied on more than just a password.

Reply Parent Score: 2

Alfman Member since:
2011-01-28

Bill Shooter of Bul,

"If you wanted a system that provided a greatest common denominator of security, you'd probably pick Biometrics."

I disagree, I predict this kind of "identity theft" will become more and more prevalent as biometrics becomes more common and the technology for replicating our biometrics advances too. Biometrics can be replicated without your knowledge. Biometrics can even be copied from a database.

While passwords share some of these problems, at least you have the benefit of choosing a unique password for different services, and you can always change the password. With biometrics...your security is gone for life.

"If you wanted a system with the highest possible theoretical security, you'd devise a multi factor auth system that relied on more than just a password."

Agreed.

Reply Parent Score: 4

Lennie Member since:
2007-09-22

"If you wanted a system that provided a greatest common denominator of security, you'd probably pick Biometrics."

First of all biometrics is not secure, at all. Just like passwords suck most of the time.

I've been following the debate around biometrics for years and seen what the results of studies are. These studies are usually from governments that try to create a biometric passport of some kind.

And when you see those results then as an identity tool it clearly is not a common denominator, because for one it is basically age discrimination:

Take a good look at somebody past 65 years of age.

The iris sucks for doing biometrics because of things like cataracts.

The fingerprints have less fat and other 'juices' which give you the 'prints' and have basically worn down a lot so the grooves are much less deep.

Facial recognition sucks because your skin doesn't fit tightly around your bones any more, so a camera can't see the structure of your face.

I'm sure I'm forgetting other examples.

And the ease with which biometrics can be copied is just ridiculous.

The Chaos Computer Club proves this again and again.

I'm sorry that the video doesn't have English subtitles though.

In the latest presentation from the end of last year they prove a whole bunch of things. I'm going to list them in chronological order:
- you think you control your own finger? The photo is funny, but in the US passwords are under the first amendment, but by law you don't control your own fingerprints, the police do:
https://www.youtube.com/watch?v=vVivA0eoNGM#t=1m33s

- there are lots of ways to get fingerprints, for example here are fingerprints from paper:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=7m41s

For example, modern cameras in, for example, mobile phones are ridiculously good at taking pictures.

- you can use the camera in your smartphone to see from the reflections in the subject's eyes how they are typing the unlock code of their phone:

for a 13 megapixel camera you get 6 pixels wide per virtual keyboard button:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=11m31s

It also works with passwords on a virtual keyboard, but obviously that keyboard has more keys so that makes it more difficult.

Researchers at another conference so far were able to reliably get passwords from up to 3 pixels per keyboard key with special software:
https://www.youtube.com/watch?v=vVivA0eoNGM#t=14m01s

Reflections in sunglasses also work really well:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=14m55s

Iris recognition: it's ridiculously easy to fool, you take a picture of someone's face and just print it out on paper.

Here they are testing with a system which is about 1000 euros apiece and is used by organizations like for example banks:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=15m41s

Now if you take not your smartphone camera but a photo camera like from Canon, you can take usable photos from up to 10 meters:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=17m53s

They couldn't get this to work for people with dark eyes before, but if you take an infrared-camera (or dismantle your camera and remove the infrared filter) it will work just fine:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=18m06s

The picture you see there is from 6.5 meters, it gives you 75 pixels which is enough to fool any recognition software.

But those were lab conditions, so let's try this for real.

This is a picture from a press conference made by a professional photographer at 5 meters which gives us 110 pixels so 10 meters should be easily doable:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=20m53s

How about pictures from a political campaign: you get large signs next to the road, like 8+ meters wide, and you get 175 pixels wide:

https://www.google.nl/search?q=wahlplakat&tbm=isch&tbo=u

https://www.youtube.com/watch?v=vVivA0eoNGM#t=21m22s

Face recognition is really easy:

You have face recognition at the borders, but they get easily fooled even by a photo on a smartphone.

The only somewhat interesting barrier for fooling those systems is the 'liveliness recognition', but it turns out all that adds is they check if you blink your eyes.

But that can be easily fooled with the use of a pen:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=22m53s

The next thing they tried to do is take pictures of fingers; this is a picture from 7 meters and 3 meters, the 3 meters picture works a lot better:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=25m11s

Infrared at 6 meters works:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=27m14s

How about from outside of the lab, yep that will work too:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=27m36s

But these newer cameras where you can afterwards change the focus of the photo (I believe later in the talk someone from the audience mentioned that on many modern cameras you can replace the non-vendor supplied firmware and you can probably use a normal camera for that too):

https://www.youtube.com/watch?v=vVivA0eoNGM#t=29m28s

So now we know why Merkel always stands like so:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=30m35s

This is the older video on how to make fake fingerprints you can use to break into an iPhone with pretty cheap stuff you might already have at home, and some of the things used might look somewhat more professional but you can do this process in your kitchen:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=30m40s

Because they've done this before, when the newer iPhones became available at the time they were able to break the iPhone 'security' within 2 days.

There are also scanners which check for veins; they did have a look at it and with the infrared camera they got some interesting results, but they didn't have time to do some proper research yet:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=37m30s

A question from the audience was about how to fight facial recognition in public places:

https://www.youtube.com/watch?v=vVivA0eoNGM#t=44m00s

Basically, just do an online search; lots of people have figured out ways to deal with this:
- beards work
- drawing a 3rd eye on your forehead works

I'm going to stop 'live blogging' the video now. :-)

___

basically, it's easy.

Edited 2015-06-06 10:43 UTC

Reply Parent Score: 5

Bill Shooter of Bul Member since:
2006-07-14

If you think security is a Boolean value, you need to relearn security.

Reply Parent Score: 2