Identification By Typing

crazy_speeder writes: "Musicrypt.com is developing a biometric identification system that captures user keystrokes to verify the user's purchase of specific copyrighted materials (i.e. downloaded music), and only that user can use it." I'm really skeptical about them getting something like this to work, I mean, I make typos in my 12 charachter password, but to be expected to type a sentence with the same rhythm? I still want retina scanners.

This actually makes sense

[dbarclay10]

I learned how to touch-type when I was very young. I'm even hesitant to say "learned." I learned how to touch type like I learned how to speak. I just grew into it. After 16 years, a friend of mine said something to me as I was working on the computer(this is about 4 years ago, now). I was writing a letter for her(she was dictating), and then she stopped, and looked a bit mad. She said "are you actually typing anything?" I was sort of dumbfounded, and said "Yes, of course, look." Anyways, the gist of it was that I apparently don't type in a usual way - I guess all the keypresses are more evenly spaced, and I use different fingers for different keys(but not like you're supposed to). So, if you could track, for a while, how a user types, you'll find interesting relationships, ie: 90% of a time, there's a 0.35 second pause in between hitting the "r" key and hitting the "t" key. This particular user often puts a space in "often", like "of ten", and doesn't notice until the word is written, at which point the user goes back and corrects it, hitting the backspace key approx. 2.4 times a second.

I imaging these things are extremely individual. It really does make sense, you know.

Dave

P.S.: It'd be moderatly hard to reproduce someone's typing style, but it'd still be harder than re-producing their password :)

Re:This actually makes sense

[bwalling]

I don't think that this could be properly implemented. I have four computers at my house. Each has a different keyboard. The keyboards are different enough that I type differently on each. As well, each keyboard is in a different place, which also affects my typing. Sometimes I lean back and prop my feet up, which affects the angle at which I access the keyboard. This also affects my typing.

Each of those things affects my typing so much that I notice each different position/keyboard. So, I would have different settings on each computer? I would have to sit upright to use 'protected' software?

How inconvenienced do software manufacturers think they can make consumers before we will scream? Forcing me to have the CD in the drive is enough of a pain. Forcing me to register on the internet before the software will run is a bigger pain (I travel and don't always have access to the internet). Telling me that since I am on an airplane, or in a hotel with a different desk height and my typing has been affected, I can't run my software or listen to my music will make me hunt you down and kill you.

Intoxication

[Municipa]

Though I don't drink, a good number of my online friend do, and I've personally watched their typing skills degrade as the night grew darker and their empty bottles accumulated. How is this supposed to help them?
Also, I know my own typing varies from keyboard to keyboard dramatically, as I expect is the case for many others. I bet my mood alters it slightly too.
Not that this thread needed more people downing the idea, but hey, it really is stupid.

Uhmm.. NO

[koa]

I really do not think this will work. Because what happens if someone is a (newby)? y'know; the guy who types 1 word an hour with 2 fingers for the first 3 months that they start using their computer, once a little practice kicks in, their typing faster. Plus, what about factors like lack-of-sleep?! (c'mon, don't aim to tell me that you type the same from when your perfectly awake, and sober, and when the average 2AM hacker doodt has been sitting at the terminal for 36 hours straight. Typing styles ARE gonna change, and I for one think that it would be a royal pain-in-the-ass to TRY and CALCULATE a specific typing style whenever you want to validate for a download. Blech. My 2cents.

Re:What if you own cats?

[dr_eaerth]

CAT LIKE TYPING DETECTED!

Dammit! This happens every type I'm cybering the Hanson fans.

Gestural Passkeys

[Psychogizmonator]

I know that credit card companies are trying to do this with those electronic pads you see in electronics stores, the idea is that any merchant can fake themselves as you, but they can't emulate your 'fist' so to speak. It uses some amthematical analysis stuff to see if you are moving the pen the same way with relation to time. My real question, probably completely off topic here, is has anyone read 'Holy Fire', by Bruce Sterling? His descriptions of a gestural passkey system sounds really cool to me, like a sort of pictogram combined with the above technology.

Re:Still flawed though...

[penguinboy]

that little file that is the representation of your retina.

Not really. The key in a file that represents your retina scan is not necessarily anything more than useless. Let me explain: Take, for example, the way passwords (non-shadow) work in Linux (probably other systems as well, but I only know this for sure). When a user first sets their password, the string is run through crypt() (note that this is a one-way function - the original password cannot be derived from the cyrpt()ed text) and save in a file. Then, when the user logs in, the login program runs the supplied string through crypt() and compares the result to see if it matches what's stored in the file. If it matches, that means the user entered the same string as was used to set the password.

Now, to apply this to retina scanning, the scans would probably be converted to some sort of identifying number (or possibly just a bitmap image), which would then be one-way encrypted. The same procedure outlined before would be used to see if the same retina was being scanned.

You can see, then, that it is possible to store a representation of the password that is not compromising if stolen (it can make brute-forcing easier, but it does not give away the actual password).

It is trie that the signals from the scanner to the computer could be caputured, but remember that this would be the same as capturing the signals from a keyboard to a computer.

Re:Sperm Scanners

[georgeha]

Umm, that would immediately prevent more than 50% of the population from being able to "log into something".

Au contraire, ~50% of the population would be able to crack a sperm scanner with ease, as long as they could get to it within a few hours of the deed, and they had non-porous panties.

Exactly why this isn't going to work in a home...

[drinkypoo]

...environment: Drugs, Alcohol, and other fun modifiers to your typing -- Not to mention, you're websurfing. How much typing are you doing?

When I'm sober, I type fairly efficiently, with a minimum of backspacing, and I'm pretty speedy -- Something on the order of 75wpm. Hardly the fastest typist anywhere on the planet, but me and my IBM keyboard manage to band together and kick some a** for truth and justice! Er, whatever.

After a couple Sapphire and Tonics, though, my typing goes to crap for short periods, and then I manage to get a few paragraphs out at like 90 wpm, perfectly clean, zero errors, just flow through it... right before my typing goes into the toilet.

Now, there WILL be some common elements between my typing sober and drunk, but I think there's going to be more dissimilarities than anything else - Your brain just gets busy doing other things and it steals cycles from what you were supposed to be doing, like typing for example -- And this is going to introduce semi-random latencies, which is exactly the kind of thing which will break a system like this.

Granted, it could probably learn your typing in those conditions as well, but it's going to think you're someone else until it's trained. It would be terribly amusing if the computer decided that you were your child when you were high -- It would certainly tell you something about your habits.

In any case, the only way to really get around the lack of typing input which one will experience while websurfing is to make you type something when you sit down at the computer. Running you through some text that you would ordinarily type, and some that you wouldn't as well would be the optimal situation, though eventually the text you wouldn't ordinarily type is going to become familiar... Also, what happens when your keyboard dies and you get a different one? Suddenly, nobody is who they used to be.

Re:There's a reason they're called GPS receivers..

[rdmiller3]

Something which tells where you are?

It's called, "wireless phone".

Law enforcement in the UK has already used cell phone system logs (which track roughly where you are in relation to their towers) to disprove falsified alibis.

"You say you were still in London that day?"
"Yes."
"...and you received a call from so-n-so?"
"Yes."
"That call, as logged, was answered by a cell phone operating through a wireless station in Edinburgh!"

Security-Token of the Week fads

[Old+Man+Kensey]

Seems like security methods are second only to management as the subject of quick changes in "fashion". First it was plain old passwords, followed by access cards. Then fingerprint scanners. Then it was voice-printing. Lately we're seeing retinal scanners and stuff like this, and few people are paying attention to actually designing systems and facilities to be secure.

Part of this is expense. The most secure building that's still useful is one with one door and no windows. But that's an emergency-evacuation and traffic-control disaster waiting to happen, as well as a workplace-standards tragedy, so you add a freight dock, a rear entrance, a bunch of windows in the Managers' offices, a skylight with louvers that close automatically at sunset (oops, pardon me, too much MI:2...)

Now you have to secure all these potential access points (windows count too, unless they're built like arrow-slits) and sheer numbers work against you -- the first time somebody leaves a window unlatched when the room is empty the probability wave of an undetected intrusion starts to spike.

(You can think of intrusions in a quantum fashion -- given how long that access point was left unguarded, and the configuration of the facilities, and the traffic patterns, what is the probability that someone had access to various points and no one's noticed yet? Los Alamos take note...)

The rules for system security much resemble those for facility security in many ways:

1. Don't have open access points you don't need. (closing off access to ports with ipfilter/ipchains and other such tools)
2. Keep the ones you do have under close surveillance (logwatch, iptraf and such)
3. Don't assume your perimeter is unbreachable. (keeping up with what binaries are setuid, who has which sudo permissions, etc.)

Anyway, that's just rambling on a bit. The dominant paradigm of strong security is "something you have, something you know, and something you are". Any security system where one of these is sufficient to grant access is inherently insecure. Any system where all three are required in a specific form is probably very secure, but probably also very annoying to its users.

A system where you have to satisfy, say, two of the three in one of various ways is probably going to be OK for most purposes. Say you can use a voice-print, retinal scan or fingerprint scan plus your electronic access card, or you can show another form of ID to the guard (there better be a guard) and he can optionally clear you in manually if the other check is passed. Filling out your I-9 form for Immigration (to prove you are allowed to work in the US) works sort of like this. Note also that by this method ordinary shell password authorization is very insecure, (right, we knew that) while the SSH model of key + password is relatively secure (unless you set your ssh up to authenticate solely off the key, in which case you should now go back to grinding out code for IIS you sick little monkey!)

But real security takes real thinking and real money, and most companies don't want to expend either if they can help it. They'd rather have something that looks cool so they can brag about it. In this case they're not only using a single fallible authentication method, they're using one that, as pointed out before, has so much inherent noise in it that it's easy to defeat and thus nearly useless.

The article doesn't say whether you're typing a set sample text or a user-selected passphrase. The "right" (well, not right, but at least better) way to do this is to have the software try to verify the user through both a passphrase (something you know) and the typing biometric (something you are). If they both match, fine. If either one matches perfectly and the other is close, that should by default allow use, not restrict it (which is to say, the system should "fail open" like an emergency door).

But what are the odds of that happening?

Re:Security-Token of the Week fads

[Psychogizmonator]

Just throwing this out there, but if you got the typing biometric somehow, wouldn't you also be able to find the password easily? I mean, if you use some sort of computer-based strategy to grab the biometric, would it really be that much harder to grab the substance of the keystrokes, as well as the pattern?

Re:Security-Token of the Week fads

[Erataikasu]

My usual security paradigm is 'Something you lost, something you forgot, something you used to be'

Do you know how many freakin' passwords I have?

I'm getting the wrinkles out!

[SaintAlex]

http://www.plif.com/archive/wc207.gif

Cat haters will understand.



Observe, reason, and experiment.

Broken Hand = No Music

[Groundskeepr]

The real issue is not whether this will work; it is whether such an idea could ever work for this specific application. What if I break/burn or otherwise injure my hand and want to listen to the soothing sounds of my favorite record while I recover? What about quadriplegics or those otherwise unable to type? In the cases where this technology has been used, for instance, the security of a workstation, it can be assumed that persons unable to type will not be at work. For the public sale of music, the technology is just not a good fit. Really, there is no way to apply this to recorded music. Let the idiots who don't know any better blow their time and money working on this. It will never gain acceptance.

Re:Still flawed though...

[bluGill]

I think what he is saying as to get through a retnal scan he only needs to get a scan of your eye, and then do someplace and replace the scanner with something that inputs your retnal scan.

A retnal scanner is hardware that produces electrical signals. Those signals can be faked if you know what they are.

While passwords are not very good, I generally know if I reveal one, and there is no way someone can build a machine to get my password from a distancce. (Baring brainwave scanners which currently we don't even think are possibal) Someone could build a retnal scanner that works from 20 feet, put it in a room where you are likley to be, and store your scan. There is no way to change your retnal scan, so once I build a device to impersonate you I can fool any machine.

Re:Usually I don't respond...

[carlos_benj]

Usually I don't respond to idiots, but in your case I'll make an exception.

Doh! So, if I make all kinds of typos like Rob you'll respond, but if my brain shifts a bit out of phase and I misread something you type I become an idiot?

Yep. My post was plain stupid when I read the original (I even quoted it for cryin' out loud). That doesn't make the one who posted it stupid. By your reasoning I'd have to judge you abusive and would urge you to get professional help.

Thanks for finding me exceptional though!

carlos

All in vain

[MisterDruid]

These guys are kidding themselves. I'm sure that by the time they release the software or soon after there will be available a program to bypass it.

Exactly.

[The+Queen]

I do not type consistantly from moment to moment.
Right! When I'm coding, I type pretty fast; when I'm writing an email or a piece of literature, I type REALLY fast, and when I'm filling out order forms for online purchases, I type SLOW to make sure I'm not making any errors.
Not only is the premise flawed, but the original idea is pretty silly, too. Now give me a good Wacom tablet and some handwriting recognition software...no, no, somebody could trace my sig. Retina scan, CmdrTaco? Sure...now is that pre- or post-LASEC? :-)

The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk

Re:Why Keystrokes and not Digital Certificates

[PigleT]

1) Digital IDs do not prove personal identity, they make it blydi unlikely that a link between particular identities is fake. ("I" is one identity of mine; I might own two keys, I have records with assorted authorities in the UK, there is a "me" who ordered from Apple computers, you name it. I can have *different* signatures for each of the above mails, as well.)

2) Digital certificates are issuable by people for anyone for free. Try GPG for size.

3) See part (1), but you can't *guarantee* anything. You need to double-check fingerprints of keys, but even then if they used telnet to access their mail remotely and somebody sniffed the private key password then all you'd know is that they are one of the people on the planet who can unlock that key (not the best example but the point holds. It's no *guarantee*.)

4) DCs don't cost money. You accept my GPG key, you can talk to me. Nice, Free, free, open-souce, you name it.
~Tim
--
.|` Clouds cross the black moonlight,

Various whines about legality aside,the tech works

[Derek+Pomery]

I agree, if you worked at it, you could probably confuse the system. But for the majority of users, it will work!
One of our instructors has on a couple of occasions related his experiments with similar password software (Don you reading? Fill in the details...) He stated that with the software on its most setting forgiving setting, and with him deliberately trying to vary his typing speed, it still recognized him most of the time, and foiled the majority of attempts by others in the lab to duplicate his keyrate (he had given them the password). On it's strictest setting, he, still trying to vary his keystrokes, got in about half the time, but no one else succeeded in doing the same.

I think this could easily catch on. People will not go out of their way to foil it, and our typing patterns can be almost as individual as a retina scan.

Re:This Won't Work

[orpheus]

Damn, I got a nasty papercut on my index finger. Now I won't be able to listen to my music for a week.

...burns, jammed fingers, scraped knuckles, fingers caught in doors, arthritis flareups, changed keyboards, same keyboard but dirty, having a few beers -- even hand lotion can make me type a little different.

There's no shortage of reasons why this won't fly.

Bad idea! Bad! Bad!

[Galahad]

I'm skeptical as well. I use the keyboard all day long, but I know I don't always type with the same rhythm. Perhaps for password entry since it's burned into my brain, but even then it varies when I'm jazzed on caffiene or if I'm on the phone and typing with one hand or if my son is in my lap.

What about when typing on a laptop, or one of those ergonomic (not!) keyboards?

Of course, this must be doomed to failure. I hope.

Key capture anyone?

[Rastralcaz]

Great. Now we'll all have to load up a keystroke sniffer so we can record our rythim. After all, if my hand's in a cast, I'm still going to want to listen to music.

They're really desperate, aren't they...

[Leghorn]

I can't imagine anyone actually paying good money for music with these kinds of restrictions.

May their business die a slow and painful death.

From the makers of "Net Nanny"

[CountZer0]

Not only is this a blatently bad idea, but it comes from the same great minds that brought us Net Nanny.

I do not type consistantly from moment to moment. Heck, I don't even "type" I hunt and peck really fast... Sometimes I type one handed... sometimes two... This software has NO chance of correctly identifying me.

Add that to the great "hit rate" that is consistant with Net Nanny, and you will find that this software will more often than not block legitimate users from accessing the music.

Besides, as another user mentioned, this whole idea is based on a flawed premise. Music purchases are not tied to a single user. I may be buying this music as a gift. I may be buying this music to transfer to my car mp3 player (which has no keyboard) Or my Lyra (also no keyboard)

When I buy music, I get FAIR USE RIGHTS ... BY LAW... Technology such as this is taking away my rights. I will never purchase any music that I can no longer exercise my fair use rights. If I can not copy the music to multiple media forms/playback devices, then I do not buy it. It's that simple. Until the music industry understands this (or is FORCED to acknowledge this) they will continue to throw good money after bad attempting to develop technologies that infringe on customers LEGAL rights.

Copying music is NOT a crime. This is the reality. The RIAA is the fiction...

-Count Zero

Re:From the makers of "Net Nanny"

[Mike1024]

Hey!

This program sounds stupid to me. They claim it's 98% accurate. That doesn't sound very good to me. Are 2% of thier customers going to be denied access to what they pay for?

What's more, I think that 98% accuracy is a bit optomistic. In a test with lots of nice, fresh suit-and-tie computer programmers first thing in the morning at a work terminal it may be very accurate, but I type differently when I'm at home. Sometimes I turn sideways to watch TV and put my feet up. My typing style changes completely because my body is at a 90-degree angle to the keyboard. What if the user talkes a typing course? I bet they havn't tested things like this.

My other thought on the subject is how anazingly easy this coul be to break... VERY simple scripting/programming language Visual DialogScript has the command:

WINDOW SEND, ,

WINDOW SEND sends the contents of to the specified window as simulated keystrokes. Text can be entered as ordinary text.

People will write programs using a system like this to simulate typing. Feed that in as the initial input instead of your 'real' typing and you'd be past the security in no time. I think.

Who knows? maybe I'm totally wrong.

Michael Tandy

Re:From the makers of "Net Nanny"

[Sebastopol]

This software has NO chance of correctly identifying me.

Hmmm. That's a bold statement.

Suppose the software made you type a passage, like "The quick brown fox...". I think it is very plausible that within a reasonable margin of error everyone would have a distinct way of typing this phrase.

From years of using an Apple //e I still can type the words "catalog" and "pr#3" and "brun fid" with lightning accuracy. And I bet no one types them with the same delays and speed that my musculature tends toward.

I wouldn't dismiss the idea that quickly.
---

Re:From the makers of "Net Nanny"

[CountZer0]

"From years of using an Apple //e I still can type the words "catalog" and "pr#3" and "brun fid" with lightning accuracy."

And I also type load"*",8 fast as shit, on a Commodore 64 keyboard. I had to pause and re-train myself to type it on the IBM keyboard. In fact, when I use VICE, I automagically revert to C=64 keyboard mode and type just fine even though the keys are not marked ... (Just so you know, "shift"-2 is the " on the Commodore Keyboard, and the * has its own key, roughly in the same place as the ] key on the IBM.)

But ya know what? I don't type that phrase the same way on a C=64 keyboard as I do on a IBM keyboard, or even on my C=128 keyboard (which has the same layout as the 64, but uses more IBM'ish keys)

And when I am eating, I type one handed. When I am on the phone I also type one handed, hell, sometimes one fingered... All of these things change my typing style. DRAMATICALLY.

Of course, you also chose to ignore the second half of my post which is simply, "They have NO RIGHT to limit my fair use of music" ...

Even IF (and its a big IF) their magic typing decoder ring accurately identified me 100% of the time, I PAYED for the music. This gives me unlimited right (under US law) to USE the music in any manner which I see fit, as long as it is for personal use. This is called FAIR USE, and has been upheld by the US courts as long as there have been audio cassettes and VCR's, and perhaps even earlier. This "technology" attempts to circumvent the LAW. It attempts to hinder my usage of music that I have PAYED for. I suspect that this is illegal, and if not, it is definately something that the market will not stand for. If I purchase a song, either via CD, Cassette, Record, or file transfer, I have unlimited free use of that song on any equipment I wish to use it. I can make unlimited copies of that song, as long as said copies are for my personal use. Trust me, I have many LEGITIMATE fair use reasons to do so. I personally own an RCA Lyra mp3 player. (Copy One) I listen to music in mp3 format on my computer at work (Copy Two) I listen to music in mp3 format, stored on my notebook, in my car (Copy Three) I listen to music in mp3 format on my home computer (Copy Four) and finally I listen to music via standard Audio CD on my roommate's stereo system in our living room (Copy five) Do any of these violate fair use? NO. Are any of these copies illegal? NO. Does the keyboard copy protection prevent me from doing any of these things? YES!

Any Questions?

-CZ

Re:From the makers of "Net Nanny"

[Sebastopol]

And when I am eating, I type one handed. When I am on the phone I also type one handed, hell, sometimes one fingered...

And when I'm chatting, I type one-handed... ;-)

Of course, you also chose to ignore the second half of my post which is simply, "They have NO RIGHT to limit my fair use of music" ...
:
:

I completely agree with everything you said in both posts about fair use, despite you the fact that my ears are still ringing from your reply. ;-) I only commented on the 1st 1/2 because I'm more interested in the uniqueness of peoples' typing styles and being able to differentiate them via statistical/frequency analaysis.


---

I'm against it

[RMS]

In case you don't know: I'm against such identification.

downloadable music

[room100]

This is a loosing battle Recording a persons keystroke pattern and inserting it into a downloaded music file will only increase the popularity of MP3. On top of this - how long will it take for 'Keystroke Pattern Eliminator' software to spread like wildfire through Gnutella? Most multimedia formats that impose listening and/or viewing restrictions end up failing (DivX).. You can block a stream .. dam a river .. but what do you do with an ocean? - Jump In.

I'll bet it doesn't work.

[DeadSea]

I'm thinking about all the factors that cause me to become a different typist. The first of course is keyboard layout. I usually use dvorak and can type about 90 wpm but I can use qwerty and can type about 50. When I use one, I make totally different errors than on the other and type with different patterns and speed. The music would have to be tailored for one, keeping me from listening to my music. When I'm not at one of my computers I usually don't have the option of switching to dvorak easily.

I also hunt and peck for passwords most of the time so that I can keep my hand on the mouse. Or how about network lag between keystrokes over a slow network connection when using telnet, WinVN, or other remote access? Or how about as your typing changes over time as you get better, or as you develop carpal tunnel syndrom and it gets worse?

I don't think I'll be buying music with this security. Sounds a bit too easy for me to lose it or not be able to listen to it.

What about...

[LightningTH]

What about someone like me that constantly (pause, thinking) either pauses in sentences randomly to think or do something else or someone that keeps getting better at typing? i rarely make a mistake in typing now but i use to all the time. Of couse i have to type on certain keyboard types to not mess up :)

98% Reliability?!

[Maryck]

So what do you do when it fails to detect that it's you 2% of the time? Unless they can achieve 100% reliability on this, I can't imagine it ever flying. Plus, what happens if you injure one or both of your hands, or, god forbid, you take a professional typing course. Presumably this will affect your typing rhythm, which means that suddenly, you can't access your own legally purchased music.

Re:Charlatans selling magic boxes

[Skinny+Rob]

They do seem to be going to ever-greater lengths to stop people from copying music and videos, with more and more protective layers being wrapped around the media on the customer's machine. I wonder how long it would take from the launch of a system like this for a workaround to appear? Cue a repeat of DeCSS. There's a nice little article in the Cryptogram about how this sort of trusted client-side software always seems to come unstuck.

Here's a quick extract which pretty much sums it up... "Against all of these systems -- disappearing e-mail, rights management for music and videos, fair game playing -- there are two types of attackers: the average user and the skilled attacker. Against the average user anything works; there's no need for complex security software. Against the skilled attacker nothing works. And even worse, most systems need to be secure against the smartest attacker. If one person hacks Quake (or Intertrust or DisappearingInc), he can write a point-and-click software tool that anyone can use. Suddenly a security system that is secure against almost everyone can now be compromised by everyone."
An extract from the Crypto-Gram Newsletter, ladies and gentlemen. A fine publication.

Re:Where do I start?

[in8]

That's why the only good solution is an onboard urinanalysis machine, bolted to your computer's case. This will indisputably verify your identity, and will also help prevent you from buying products on Ebay while drunk. Of course, you will need a six-pack on hand by your computer if you want to listen to a long playlist, but then again, who doesn't have that already?

Then we could hook that urinanalysis machine to the cpu heatsink and OC this baby! Be the first on your block to have a liquid cooled 1.8Ghz dual celeron system! Weeh! umm, no I meant - wee-wee! (btw - OC=over clocked)

Re:What if you own cats?

[Andrew+Cady]

PawSense[tm] detects whether cat or human is typing, and disables the keyboard if the former.

Not all that new

[borud]

The first time I heard about identifying individuals by the way they type was 7 or 8 years ago. The system was supposed to monitor workstations in order to detect if an unauthorized user was using the workstation and apparently they had a very high success rate.

A more recent paper by Fabian Monrose and Aviel Rubin with the title Authentication via Keystroke Dynamics might enlighten those interested in this, and I am sure that you'll find some interesting references on the above web page.

Scepticism is often healthy, but when it comes to new ideas, "new" being used in a very relative sense here since the idea is apparently "new" to Slashdot staff, one should be more keen to understand them before writing them off.

-Bjørn

Re:Not all that new

[streetlawyer]

Actually, the ability to recognise Morse Code operators by their "fist" has been around for literally ages, and, IIRC, was described in a James Bond book ("Diamonds Are Forever")

Re:This Won't Work

[orpheus]

Speak'o'the devil. This is the second most recent article on CmdrTaco's page: TacoHell

I'm baking this kellogs pastry thingee in a toaster oven. Now I'm a veteren of many a pop-tar, but this is a variation on the theme that I'm unfamiliar with... the little bell goes off and I excitedly whip the glas door open. I rish inside to grab the tasty treat, only to overshoot, and plunge my fingers into the surface.

Now poptart frosting is made of some bizarre substance that nobody has ever quite reverse engineered. Scientists have heated it to thousands of degrees, yet it never leaves its solid form... I assumed that this pastry would behave similiar, but I erred with painful results. This frosting melted. I stuck my finger into it. It was hot. Real hot.

I yelp and begin sucking my fingers and making hurt noises as loud as can be expected considering my mouth is full of crisped fingers. The frosting tastes good, but my hands hurt. CowboyNeal laughs at me and I stick my fingers under the tap and run cool water over the pain.

Now I have burn blisters on 2 fingers. Damn pastry.


Bad Taco! On behalf of the RIAA I hereby suspend your music privilages.

Some things you never forget...

[sstorkel]

It's pretty interesting to hear that somebody is actually working on this seriously. I first heard about it back in the 80's. Believe it or not, it was a Michael Crichton story that mentioned the concept. Here's the link:

Mousetrap

I seem to recall that the article I read included this story as well as some sample code, probably in Applesoft BASIC, which attempted to implement the mousetrap technique. It was certainly crude, but it worked better than I might have expected...

NO BENFITS TO CONSUMERS + RESTRICTIONS = BAD SALES

[FireReaper]

Wow, this sounds like another company who's going to take a big hit when their product comes out.

I mean.. seriously, when it comes to music transport over the net, it can very likely be said that mp3 is the currently favoured format. Introducing another format which only plays on a restricted system requiring an odd and at best, sometimes workable password/locking mechanism is doomed to failure.

Given the differences in keyboards, styles, alternating hands, sometimes single handed or single finger typing, or for those of us too lazy to move the chair over a foot or two, typing with a stick. Or typing when exhausted or half asleep or loaded on coffee.

It would be like: You entered the original pass phrase while you were standing up. But when you're in need of listening to the music, you're sitting down. Oops. What do you know, now you have just doomed yourself to having to enter the code in while standing up while using a particular keyboard.

I mean seriously, is it REALLY that hard to figure out what will not work in the public? Privacey is an issue. Free transport/playback is an issue. A biometric scan of someone's keystrokes which can identify them is something that would be a privacy issue. Making it a requirement to play music is a free transport/playback issue. {free as in freedom, not beer}.

Simply slapping on restrictions onto a custom player which offers NO BENFITS OR ENHANCEMENTS TO THE CUSTOMER is not going to work. Divx offered nothing benficial and actually resulted in lower quality because of all the encoding required. Sony's mp3 stick/wand/thing is like that as well. No real new benefits to the consumer but adding on a truckload of restrictions.

Do companies think this sells a product? It's like selling a computer case that's made of cast iron with a lock that only the company can open and you need to make an appointment to do so. And to boot, they charge you a whopping extra for the case with nothing in it.

Seriously, this is the kind of thing that makes me think that while the collective IQ of these companies may be formiddable, their collective understanding and common sense is sorely lacking.

NO BENEFITS TO CONSUMER + RESTRICTIONS = BAD PRODUCT & NO SALES.

I think the music industry is where that Sprint Representative in the black trenchcoat should go to offer those nice clearing up phone services. Maybe then, things will be clearer and better. But then again, that would be abuse to the poor representative.

- Wing
- Reap the fires of the soul.
- Harvest the passion of life.

Identification by Typo

[Anomalous+Canard]

It must be Rob, look at all the typos!

Anomalous: inconsistent with or deviating from what is usual, normal, or expected

Re:Yeah, right

[phil+reed]

2. This one is blatently obvious... run your sound output back into your input and make a perfect digital copy without the copy protection.

Then they will probably try to hang you out to dry via the DMCA provisions about defeating a copyright control mechanism.


...phil

Some Manger went to Comdex and .....

[mlfallon]

Why do I get the impression that some manager went to Comdex saw the bells and whistles presentation, the people at Net Nanny put on, heard all the usual buzzwords and said "That is for us".
There is more details about this system at BioPassword. There entire presentation looks like a smoke screen with a brief mention of Statistics and a frequently mentioned but no explaination of their pateneted method.

The only advantage I see of this over say hand writing verification is that it does not require any special hardware, but what happens in all of these cases:
1) I'm tired so I type slower.
2) I have hurt my hand or I am suffering from repetitive strain injuries.
3) I change my keyboard.
4) I spill coffee on my keyboard and the keys are a little sticky.
5) I have been working at my keyboard for months and my typing speed goes up (I have advanced from two fingers to four).
6) Since this is only available for windows at the moment and windows has crashed on me again and I am mad, so I hammer the keys home when typing the password.

I am sure others could add many more scenarios to this list.

Every biometric system has its faults, the more accurate the system the more expensive, but this has to be the cheapest and least accurate.

What if you own cats?

[imac.usr]

One day, I'd probably come home to find I'd bought 337 copies of "Gilligan's Island Collector's Edition DVD Box Set" or something like that.

Cat owners will understand.

Re:What if you own cats?

[arivanov]

Quite often it is better to disable the keyboard if the latter.

Re:What if you own cats?

[GregWebb]

OK, but how much is this a problem? I've _never_ had to get our cat off the desk while I was typing.

There's two machines I regularly use in the same house as the cat. Both are in rooms where the door is normally shut, while the cat has been shoo'd off on many, many occasions.

I can see that this is cool tech but there are better things to spend our time on...

Re:Fatal flaw

[PigleT]

Another fatal flaw, probably quite literally:

"MIS! They copied my authentication! I need a new set of hands!"

Oops.

Oh yeah, by the way:

"Slashdot requires you to wait 1 minute between each submission of /comments.pl in order to allow everyone to have a fair chance to post.

It's been 60 seconds since your last submission!"

Yes, I *do* type that fast.......
~Tim
--
.|` Clouds cross the black moonlight,

Ummm

[Duke+of+URL]

So I have to type in a magic sentance now to listen to my music if its on my computer.

What if a family memeber wants to listen to my music and I'm not at home? They can't listen to it because they don't type the same as me? Do they have to buy their own copy? Or does the music industry really expect each individual to buy their own copy even if they're family?

In the future, am I going to have to speak my password out loud to listen to music on my walkman?

I don't like this.

Re:Ummm

[Ma�djeurtam]

Dear Mr. Moderator,

May I know why this guy's posting was moderated as Flamebait ? He posted his idea on the subject and it seems to me that it's a valid point.

I'd like to add that I don't like the idea of an identification system to listen downloaded music : it's a move in the wrong direction.

The present system of audio CDs, which you buy once and on which you have property rights (usus, fructus, abusus) is far better than those fuzzy rights. For me it's OK to buy music I like, but please, don't turn my music experience in a techno-nightmare.

Stéphane

Have you checked out Badtech The daily online cartoon?
Have you checked out Badtech The daily online cartoon?

Re:Ummm

[ogre2112]

He's overreacting just a _little_ bit. Is he gullible enough to believe that even with the slightest remote chance of the recording industry actually adopting this stupid technology, that that would be the -only- way to listen to your own bought-and-paid-for music? (Long sentence whew..)
So in a nutshell, it took him 3 paragraphs when saying, "No, that sucks" would've done the same job.
Moderators, moderate this sideways please.

12 Character Password

[22984]

Excellent, now my extended efforts in cracking Malda's password will take one hundredth of the time thanks to that useful little tidbit...

This sounds like...

[Decklin+Foster]

Hm, biometric identification to ``protect'' intellectual property. Is anyone reminded of The Right To Read?

Don't Forget

[twjordan]

That this wonderful invention is also produced by NetNanny! Better hope your passphrase isn't "profane"!

I can't type and I rarely do things the same way twice, I wonder if this would still work for me.

This Won't Work

[tealover]

I worked for a company that was trying to implement the exact same technology. They found that differences in keyboards and ergonomics made a world of difference. I don't know if this other company has overcome these obstacles.

Re:This Won't Work

[unny]

Right. We've performed experiments on this in our CS class (University of Karlsruhe, Germany). They showed that you can imitate a typing pattern of another person within reasonable tolerance. And you need this tolerance to allow for the "noise" in your own typing.

Tough luck.

Re:This Won't Work

[LoonXTall]

They won't be willing to implement it on too many platforms, either. Then we can have a DeMCS lawsuit (de MP3 Cryptography Scheme) because Linux users want to be able to use their computers.

Wait a sec... what stops me from writing a program (in assembly) to fill the keybuffer at a particular rhythm? I'm not sure about Linux or Win32, but I know it's possible under DOS...

-- LoonXTall

Re:This Won't Work

[C.Lee]

How will this silly technology deal with hunt-and-peck typists?

Re:This Won't Work

[DonkPunch]

even hand lotion can make me type a little different

No kidding!

Oh wait, we're not talking about the same thing are we?

Re:This Won't Work

[chialea]

and since Win is just a nice little DOS wrapper...

and I'll bet that it's more than possible to do this in Linux... after all, we have the Power of the Source! :)

Lea

Re:evil thoughts

[seanmeister]

I thinnk ya missed one there:

4.5: If you attempt to type your password into a non-free, closed-source biometric identification system, you have to listen the god-awful free software song.

;-)
seanmeister

Retna Scan

[Ron+Harwood]

"Identification please: Insert Retna in slot below..." - eww.

Another Brilliant Idea.....

[Crypt0pimP]

Defeated by a "wiley hacker"..... if your rythm is recorded, use a steady rythm, say, one keystroke every other second. Suddenly their "ingenious protection technology" is about as useful as the old X-wing method.

Re:Another Brilliant Idea.....

[alenp]

Her e's a little webpage that lets you see how easy and accurate (or not) keystroke biometrics can be.

This was a project for a machine-learning course, and it uses a really simple k-nearest neighbor approach, so it could be improved quite a bit. Keystroke biometrics are nothing new. They are rather cool -- but not when you apply them to locking down content.

Now, using this biometric to "protect" music seems insanely lame, not because it can't be accurate, but because keystroke biometrics, like all other biometrics, *can* be rather easily compromised when used as access tokens. Recording my own keystroke pattern, providing a "re-player", and then distributing it on the net with all my mp3s would be fairly simple.

Retinal scans? Same problem. It's optical. It doesn't take long to figure out how to produce a copied image of someone's retina that would trick a scanner. Even if the scanner uses some of it's own tricks (measuring refraction, etc), it all ultimately becomes a stream of bits, and it just isn't that hard to replicate a stream of bits to an application... So it all boils down to how hard the case is glued together between the scanner's input and its encryption encoder.

The only thing any of these biometrics does is *increase* the difficulty, which *is* a deterent. Of course, adding this crap to music downloads is even more of a deterent from adopting it at all, so don't worry -- market forces will doom it anyway.

Re:Where do I start?

[carlos_benj]

Of course, knowing the software industry, the first product to include a license management scheme that locks you out if your keyboard skills change will be "Mavis Beacon Teaches Typing"...

It would do it by default. By lesson 5 or so your typing style just might possibly change!

"I'm sorry. You're not the same 'hunt-and-peck' typist that registered this product. Access Denied."

carlos

I'll believe it when I see it.

[diabloii]

I can see this being possible, but not for the application they are looking to target it for. I can't say anything about the accuracy, but I would guess that the analysis has to be rather complicated. If they get out an actual product that works I'll be impressed.

Different keyboard types

[ParticleGirl]

I know what you mean in terms of certian words just "spitting" themselves out; however, different keyboard types make for different patterns. What if you're one of those people who likes to switch between different key layouts? (QWERTY vs more ergonomic layouts) Or someone who has a funky split-vertical keyboard at home and a standard bad-for-your-wrists one at work? Your patterns would be different. Switching keyboards could mean not accessing your accounts.

Re:Different keyboard types

[friskyotter]

Good point. Another possibility is having the keyboard configured differently, i.e. a different country's keyboard layout. When I was in Switzerland last fall this problem was tripping me up. My friends kept getting emails with lots of "z"s in inappropriate places! Thought about trying to change the configuration (the little web cafe ran linux), but my memory on how to do it was a bit fuzzy, and I didn't want to be "that dumbass American who mangled our box's setup".

Re:spelling

[Tigger's+Pet]

Call me stupid (well why not - my wife does all the time), but surely the point was that he was trying to show how easily he could mis-spel relitavely simpel wurds.

Will they never stop trying?

[Bob+Ince]

Sigh.

Time for another /. round of "spot the holes in the crap copy protection system".

The type-speed thing works on a specific pass-phrase rather than a computer-generated one-time "type this please" string, so typing speed should be easily duplicatable. Or one could set the input keypresses to a constant rate, to make it easy to fake.

And I presume this system is just as vulnerable to the likes of unfuck as anything else. Not much use being resistant to distribution schemes "like Napster and Gnutella" if you can turn them into MP3s or OGGs at the flick on an audio capture.

This is a particularly worrying part of musicrypt's 'technology' spiel (black text on a black background in my browser - nice):

When a connection to the Net does become available, the Client software transparently issues a 56-bit secure "back-channel" communication to our central Server module in order to give and receive updates on new and existing licenses.

Read: the publisher can at any time revoke your right to listen to the music you have purchased. And knows about every bit of music you listen to, but that's kind of obvious and expected these days, isn't it.

Once again, musicrypt, you lose. Once again, legitimate customers, you lose. Pirates? Well you're kind of unaffected. Hey ho.

--
This comment was brought to you by And Clover.

Re:Will they never stop trying?

[orangecat]

If the software was really intelligent, it would take change over time into account. I wouldn't think that it would be all that difficult to implement something that allowed for gradual change - especially gradual change in an expected manner (such as an increase in typing speed/accuracy).

In fact, expecting some amount of deviation from the baseline would improve the security of the system, as you wouldn't be able to simply record the keystrokes and play them back at a later time.

Re:Will they never stop trying?

[mikpos]

Indeed. There are so many things wrong with this.

First off, there's the obvious "what if I'm an amputee/don't use a keyboard" scenario, which is very valid. And it leads to the second point.

Secondly, any operating system worth using (yes, that includes Windows) will allow you replace input devices either with other input devices or with virtual devices. Some OSes will need more hackery than others, but I can't think of an OS where this would not be possible. So just set up a keystroke logger, pass around the log of you typing to all your friends, and get them to install a keyboard log player-backer.

Finally, they didn't go into the technology side of things, but it sounds a bit iffy. Presumably the data would be encrypted, and your keystroke rhythm would be hashed in some manner in order to get the key to decrypt it? If so, it should (a) not take long for someone to crack the binary (in a similar fashion to the crackers of olde who would modify entry-points, etc. to get past copy protection in Stunts and 4D Boxing and whatnot); and (b) not take long (unless the technology were *REALLY* well thought-out. Considering this is from the NetNanny people, I'd be surprised if their "design" stage consisted of more than a drunken bachelor party) for someone to figure out techniques to "fudge" keystrokes into getting the right hash (me thinks the hashing algorithm would have to be really fuzzy).

Re:Will they never stop trying?

[Anomie-ous+Cow-ard]

The type-speed thing works on a specific pass-phrase rather than a computer-generated one-time "type this please" string, so typing speed should be easily duplicatable.

Quick poll: How many of you use rather random passwords like "U{.Z!Li}"? How many of you type them slowly at first, but can type these very quickly after using them for a week or so? I though so.

Yet another hole in this scheme, if it's a constant passphrase then you'll naturally become faster with practice, and then lose your access because your typing style has changed.

-----

Sniffing

[hidden]

It is very simple to write programs that record and playback keystrokes, it is even possible for them to write directly into the keyboard buffer... it seems to me that a spoofing program for this would be exceptionally simple it would just simplify piracy...you wouldn't even have to download the whole song from those slow servers any more... you could just download a key from some guys warez server, and the song from the music company's multiple fiber line...

Something like this at the Rand Corporation

[aschlemm]

It was some 8 years ago when I was taking a pattern recognition class and my professor mentioned that he worked on a system that monitored the time between keystrokes when users where logging in. This simple scheme worked pretty well since it was difficult for any other user to enter the same password with the exact same time between keystokes since each individual types a bit differently.

My instructor was invoked in this work back when he was working at the Rand Corporation. I'm sorry I don't know the exact timeframe of this work. Maybe late 60s early 70s. I would guess that today's biometrics may use much more exotic means for this that are more robust against forgery.

Re:Something like this at the Rand Corporation

[Mr.+Protocol]

See my post below about R. Stockton Gaines's work at RAND around 1978-1980. You don't happen to remember your instructor's name, do you?

Consistency? Dvorak?

[blackwizard]

Okay.

What happens in the case where you haven't listened to the music in two years, and your typing skills have dramatically improved or changed?

I can see how something like the authentication system you are talking about might work, but that is something that is used on an ongoing basis. If I change the way I type I can't access my music any more?

Besides, what if I decide to switch to the DVORAK layout?

security by blinders

[sallen]

This isn't obscurity, they've got blinders on. I can't believe this is a well thought out process. First, I agree that intellectual property does exist, things shouldn't be for free. But others have already mentioned that when one purchases, for example a CD, all members of the family or guests can listen to it at will. The purchaser doesn't have to be present, just give permission (access). This has nothing to do with the original holder of the copyright (unlike a couple comments made.) But even if I buy into this, what are the problems. I buy it when I've had a few beers, so what happens now, they say I can only listen to it if I'm drunk? I'm an old guy, but I still workout. What happens on those days my arms are so damn sore I can hardly move them. Sorry, out of luck. You can't listen to your music after a workout. And if I break a finger or wrist? Hmm, guess one isn't allowed to listen to music after an injury (how do they put THAT in their EULA). And EULA or not, disclaimers or not, it seems there'd be enough problems the courts would be a tad crowded. (Not really, there are enough bottom feeder firms to take on class actions which in this instance, wouldn't be so bad.) And if I'm running some heavy crunching software that intterupts the responsiveness of the keystrokes in the buffer? Oh, that's right. Can't listen to music and multi-task. On the flip-side (for those old timers who remember 45's), how secure is this anyway. Who'll be the first to capture keystrokes and stuff them into the buffers at the appropriate time? The sellers are going to wonder how one person can be in 2 million places at a time. Or the first to capture output to the sound drivers? hmm, then maybe all I have to do is punch up 'song title, audio driver format' and we've got a new distribution method. Finally, since DIVX was mentioned in the article, what happens to the company that distributes this from a site and you've paid for it. They go belly-up? I guess you're right to use it has just terminated. That seemed to be a bad perception to the original DIVX, and then you even had the 'source', just needed the access to the site for authorization. With the net-ignorant (sorry, meant netnanny plan), I'm guessing there's a good chance one may not even have that. And finally, If I buy a new computer and keyboard and it acts even the slightest bit differently, I have to go out and buy all new music? (forget about the key that might stick in your keyboard and interrupt your normal flow of typing.. diry keyboard = no music? hmm) I'm surprised this is a 'music' thing. It sounds more like something a Jack Valenti type from MPAA would think up first. And one more finally, the old parties where everyone would bring some music. I guess that disappears, though quite legal today. In the future, I guess everybody has to buy a copy for their party. Hmm, this sounds more like a Microsoft plan than Valenti. I do think there has to be a way to protect both the originator of the intellectual property AS WELL AS the purchaser. This seems inept, not thought out, and basically something a 3 year old might think up (maybe the kids instead of the nanny has taken over the company).

Death of Free Enterprise

[EEE]

Apparently if Microsoft goes down it wants to take down free industry with it. This is ridiculous. Almost as ridiculous as Intel PIII that sends out a digital signal of id on the web. My feeling is free enterprise will live forever.

Internet Hackers Strike Again

[unclei]

In recent news, internet hackers have broken the secret codes which protect music online. The software, created by a company called Musicrypt.com, uses powerful security techniques to make it safe for musicians to place their music online. The software created by Musicrypt uses a complicated security technique (called random guessing). It works by verifying that the listener is actually the legal owner of the song in question, by being so innacurate as to force the listener to purchase a new copy every time they wish to listen to the music.

An RIAA spokesperson was quoted as saying, "These internet pirates are stealing the food from our mouths! We hardly have enough money to light the pilots on our gas stoves. The government needs to step in and once again make the world safe for music, puppies, and the American Dream." The RIAA has issued an injunction against anyone using the internet pirate hacker technique (called "typing slowly" in hacker jargon). All users of the MP3 software are required to type in a normal way, as defined in the Musicrypt EULA.

Retina Scanners & Reference

[kspett]

Retina scanners may sound great for biometric identification, but they have a pretty big flaw. Pregnant women develop new veins in their retinas, so that the pattern changes.
Iris scans work fine though. British telecom has a device that will capture an iris pattern through a car windshield at 50mph.
For some good reading on biometrics, check out _Database Nation_ by Simson Garfinkel... published by ORA, no less.


Kspett

Secure hardware

[jovlinger]

The thing about biometrics is that they rely on secure hardware/software. Ie, it's a great idea for ATMs because the bank has incentives to make it tamperproof.

But for home computers in a hostile setting ("cmon, Johnny, help mom get rid of this annoying password scheme on my Bette Midler collection") it is completely unworkable. It is relatively easy to figure out where the biometric input is collected and collated (ie, after the NN has had a chance to guess on whether the variances in typing speed / retina patterns are pass/fail).

It can't stand up to more than five minutes of reverse enginnering.

This isn't a "new" idea ...

[diatribe]

A BeOS application, BHand, was released last year in August at BeBits. Here is the basic description:

"BHand (Bastard Hand) is a new type of user authentication software. BHand doesn't use a password, it "learns" to recognize the users' keyboard typing style. Unlike the use of a password, it should be very difficult to forget (or to lose) your typing style... BHand uses one component of the Think Factory : Braininabox."

I haven't used the application, so I can't comment on its accuracy, but the concept has been around for a while.

Re:Where do I start?

[Wellspring]

That's why the only good solution is an onboard urinanalysis machine, bolted to your computer's case. This will indisputably verify your identity, and will also help prevent you from buying products on Ebay while drunk. Of course, you will need a six-pack on hand by your computer if you want to listen to a long playlist, but then again, who doesn't have that already?

This is an end-run around first-sale

[jms]

This has very little to do with anti-piracy and a lot to do with the intense, ongoing effort of the recording industry to do away with all of the "details" of copyright law that they don't like.

The DMCA is designed to outlaw fair use. They don't like that you can legally use excerpts from copyrighted works, so they purchased a law that effectively allows them to "opt out" of fair use by simply encrypting their material.

Now they are out to do away with the first sale doctrine. First sale means that once you buy a copyrighted work, you have the right to turn around and resell your copy. That's why used record stores are legal. That's why you can go to a used record store and buy an old record that is out of print.

If the recording industry is successful in adopting biometrics (which I don't think they have a chance in hell of), then old music will, by design, wither away and die after it goes out of print. Think about it ... Right now if you want an album that is out of print, you can buy it on the used market. This new system will eliminate that. Once an album goes out of print, no one will be able to buy that album anymore. That album will in effect cease to exist when the last person passes away who purchased that album.

The industry is well aware that their biggest competitor is their own body of old work. If people spend their time purchasing and listening to old music, that is less money and time they are spending listening to the brand new music that the industry wants us to pay attention to.

That's what this is about ... it has nothing to do with "piracy."

Re:Ridiculous.

[Tower]

The only time I've ever had anyone take any exception with my signature was when I closed my old checking account (after moving 1200 miles away). I had signed the signature card ~8 years earlier (at the age of 14), and my signature had undergone several evolutions since then... so I showed them my license with my photo and new signature, and they let me go.

Heck, most restaurants just bring back the slip, tell you to sign it and leave it on the table... pay-at-the-pump doesn't offer much in the way of sig checking either...

And even if they did, I'm barely consistent enough to be sure it's really me 8^)

Re:Still flawed though...

[ncc74656]

So what your saying is, to brute force passwords, people are gonna be stealing other peoples eye-balls?

It worked for Wesley Snipes' character in Demolition Man... :-)

_/_
/ v \
(IIGS( Scott Alfter (remove Voyager's hull # to send mail)
\_^_/

Re:This worries me..

[Tower]

or if you are drinking Dew/coffee/jolt with one hand, or eating a snack, or are just feeling lazy... half the time for short bursts I just type with my left hand, since the right one is on the trackball or helping with food/drink...

this is just a bad idea...

oh, not just that

[MenTaLguY]

If someone gets into the backend and gets your retinal hash (or whatever stored representation they used), that could the could conceivably use it as a "password-eqivalent" later to impersonate you.

Can't change that shared secret once it's compromised, no sir. (well, maybe you could switch eyes, once)

And then, even though more recent systems depend on the eye being alive to work, there are still the stupid uninformed goons who would go around gouging people's eyeballs out.

Not to mention you're SOL if you have an accident or something.

Biometrics are BAD.

[angst_ridden_hipster]

This is a bit long winded, but bear with me here. I actually have a point, not only about technology but also about privacy.

I used to work at a government related thing. One of the places had a very secure computing center.

They discontinued using retinal scanners when it turned out that an identical twin had a better than 10% possibility of fooling the system. That was just as well. No-one wanted to have access to the "retina room." The thinking was that if the Russians or Libyans wanted in, they'd just borrow what they needed to open the door. Obviously, borrowing just your eye wouldn't work very well (it would damage a lot of delicate blood vessels), so we figured they'd borrow your whole head if they really wanted in. Well, that probably wouldn't work either, but we wanted to avoid the risk just in case they'd try it.

So after the retina scanner went away, they put in a palm scanner. Evidently, early environment effects fingerprints sufficiently that a palm scanner (which gets prints from four fingers, and several different areas on the palm itself) has a higher discrimination, and can much more reliably detect tricks like identical twins. Of course, using the same logic we all used before, we tried to avoid having access. If we had to get signed up for that room, we'd ask if we could get our left hand keyed (at least those of us who are right handed).

Of course, the actual risk was probably infinitesimal. But just the same, why should we have taken those risks? If the "enemy" wants your password enough, they'll get it, whether it's a phrase, body-part, typing pattern, DNA sample, or whatever. They may have to kill you for it, or threaten someone you love. But if they want it enough, and they have the means to access you, they'll be able to get your password.

If we extrapolate out to music, it's a bit ridiculous. No-one's gonna cut your hand off so they can listen to your MP3s. But it's the wrong direction to be taking this. By emphasizing biometrics, we not only give credence to the idea that they're secure (which they're not), but we also start irrevocably linking our security to our selves.

Think about it. The Evil entity snags your computer: if the data is protected by a password, there's no way that they can prove that the data is *yours*. You might know how to decrypt it, but the ownership is not provable by that fact. You could plausibly argue that the file was placed on the server by someone else. Now, if that same file was encrypted by your palm-print, that defense is gone. Suddenly, they KNOW that they're your DeCSS sources, or Metalica MP3s, or $cientology documents...
-
bukra fil mish mish
-
Monitor the Web, or Track your site!

Re:Biometrics are BAD.

[JimBobJoe]

I wanted to add just a bit to this...I agree with you wholeheartedly, and I point out that criminals will do whatever it takes depending on the thing to be gained.

For instance, drivers licenses weren't protected by social security numbers, photographs and fingerprints, and yet, they were almost never used in fraudulent situations. Why? Because the license was a piece of paper that could only allow you to drive. Once a photo was added, then it became an age verification document, and then making a forgery was justified for some purposes. So they increased the security of the document...which also led to the increase of the usefullness of the document. Now, despite all the security measures, there are significantly more fake licenses out, because now you can get credit and open bank accounts with a good fake license. So now people are willing to spend hundreds or thousands of dollars for a fake license...a bribe at your local DMV can go quite a long way....

This idea can be extended to biometrics...nothing is 100% secure. And if your fingerprint or your retina can only turn on your computer, no criminal may find it worth their while to fool the system. But if your fingerprint turns on your computer, allows entry into your home and office, gets access to your bank account and investments and starts your car, well, maybe the cost of faking the systems will be high, but the payout will be high.

The point is, biometrics is doomed, and the only people who can make money off them are people who sell biometrics crap, who make a more secure system every year to unwise institutions.

Re:Chicken or Egg

[koa]

Wow, I thaught I was the only one, I'm a percussionist. Thus I type in-time. whenever conveneint. heh.

I need this

[Lozzer]

... for my email system, I'd love to not be able to get in and send random abuse when I'm drunk IQ_4Beer Why dont my
tags work properly in preview? (cue for them to work in submit...)

Re:I need this

[Lozzer]

And of course the tag did suddenly work... and then I got this message Slashdot requires you to wait 1 minute between each submission of /comments.pl in order to allow everyone to have a fair chance to post.

It's been 1 minute since your last submission!

The real problem...

[Amphigory]

The real problem with this is that, undoubtedly, it's functionality will be a patented, closed source, trade secret. As such, it is unlikely to be available for anything but Windows and Mac anytime in the near future.

--

Re:The real problem...

[slickwillie]

Here comes DeKSS - De-Keyboard Scanning System, available soon for Linux (or is that Linux BSD?).

Re:The real problem...

[BeBoxer]

Undoubtedly, it will. Why? It absolutely has to. All of these schemes such as typing rhythm, retina scan, fingerprint, are all nothing but disguised password schemes. It doesn't matter if your password is the word "secret", your credit card number, your SSN, a vector of your typing speed, or a GIF of your finger. In ALL cases, a program on the client gets the "password" and sends it to the server. In ALL cases, the client software has to be "trusted" by the server. In other words, any kind of open source is completely out of the question. Otherwise, the server can't stop someone from putting together a version of the program that reads it's input from a file instead of from the "legit" source. And how are you going to know whether or not the client is saving your ID to a file? Actually, you can't stop them even with a binary-only solution. It's just security thru obscurity.

What's worse, is that all of these schemes rely on you giving the server all the information the server needs to impersonate you every time you sign in. What if your bank and your favorite pr0n site both use a fingerprint scan to ID you? Congratulations, the only thing keeping your pr0n dealer out of your bank account is their skill with a debugger! It's just like the crappy security on credit cards. Every single vendor you do business with has all the information they need to impersonate you. It's a testament to how honest the majority of people are that the entire industry hasn't gone belly up.

But the biometrics are the absolute worst, since you can't change your password. At least you can close a credit card account and get a new one. I don't know where to buy new fingers or retina's, however. The only long term solution will be based on some sort of public-key algorithm. Anything else is just a scam. Actually, the one place where a fingerprint scanner might be handy is to authenticate you to a hardware smart-card that does your public key for you. Since the whole thing is built by a single vendor in hardware, it could be made pretty secure. At a minimum, a crook would have to steal the card and have a fair amount of hardware skill to get anything useful out of it. But this whole idea of using biometrics over the internet is just a bunch of snake oil. And poisonous snake oil at that. You're better off sticking with what you have now, at least then you can be concious of that fact that your security sucks.

Re:The real problem...

[disenfranchised]

Amazon isn't going to start impersonating me and using my limited credit. The greasy looking kid working the counter at hollywood video, however, might use my card to fill in the gaps in his gf's hello kitty collection.

If he's got my fingerprint now instead of my card number, he's got my purchasing power for life.

Re:The real problem...

[ethereal]

It's a testament to how honest the majority of people are that the entire industry hasn't gone belly up.

Maybe I'm more cynical, but I imagine it has more to do with the combination of giant credit card companies that want their money back and laws that make credit card frauds over $50 the responsibility of the card company, not the cardholder (assuming adequate notification, reasonable security on the part of the cardholder, etc.). I don't think a business that starts impersonating its customers through their credit cards is going to be filling credit card orders for much longer.

There's a reason they're called GPS receivers...

[JatTDB]

They RECEIVE. They do not transmit.

You know where you are, but they do not know where you are. The receiver figures out where you are by the signal coming from the nearest few satellites.

Typical password sequence ...

[Forager]

Input Password:
***** - sorry, you missed a beat
Input Password:
***** - ::zzzt:: your timing was a bit off
Input Password:
***** - nope, i got at least a 5 ms discrepancy there
Input Password:
***** - maybe it's just lag, but that one was WAY off
Input Password:
***** - you just don't get it, do you
Input Password:
***** - Keystoke rythm confirmed; password incorrect.

At this point the user will be forced to find a new monitor after he puts his keyboard through the one he's using now.

--Forager.

Deja-vu

[Pig+Hogger]

Doesn't anybody else recall a story published some 15-20 years ago, probably in OMNI, where some kid sold trade secrets to a japanese competitor, only to be busted by a honeypot trap?

The story emphasized the geek's contempt of older users and human-engineering issues; the kid was caught by an older engineer who identified his fake logins by his typing pattern.

As soon as he was identified, he was switched to a honeypot where the trade secrets were replaced by porn files. His "customers" were pissed enough to leave the kid have a very intimate explanation with a sumo wrestler...

--
Here's my mirror

If Quake can...

[yerricde]

They can get the sequence of the characters you type, but can they get the time between the characters?

If Quake can read the time (to within 15 ms) when you pressed a key, then this biometric software can.

No thanks! But a positive outlook...

[Tom7]

If the idea is to allow you to download and use your purchased material on different computers than I really doubt this is going to work. I type very differently on different keyboards (not many places have a split one like I use at home)...

Anyway, it bothers me that technology like this is being developed, but it's easy for the consumer to stop. Consumers caught onto the ridiculous DivX scheme. I don't expect we'll be very keen on digitally-protected music (SDMI). We fell for DVD, but that's OK, since there's DeCSS. Just keep on the lookout, and if something abuses your consumer "rights", exercise your best defense and don't buy it!

Easy work around

[saider]

Just adjust your keyboard driver to buffer the keyboard inputs and feed the keystrokes to the system at a certian rate. Then distribute this modification to all of your friends. Everybody does a quick recompile of the kernel, and now everybody types the same ( at least as far as the software is concerned. )

Re:What About Keyboard ID's

[QuMa]

try:

ifconfig whatever whatever whatever hw ether any:mac:adresss

You can have whatever mac you want, see man ifconfig.

Re:why not?

[acidrain]

The thing to understand here is that if you are making use of someone else's property, you should expect to abide by the conditions imposed on its use.

The whole point is that the music is your property, and they are depriving you of your rights. You should be able to treat electronic property in the same way you can a book. Sell, lend but not copy.

This technology should be made illegal as it steals these rights from you.

Never mind securing music

[mOdQuArK!]

This might be more useful to help someone log in w/o having to memorize long, obscure passwords.

The login screen can just display a sentence or two, the user types those sentences (mistakes and all), and the biometric algorithm will allow them in or not.

If you want to combine this with a normal password-type situation, then just don't display the sentences - expect the user to remember them. If you combine the entropy of the words in the sentence with the entropy of the biometric authentication, then you might have entropy for a decent password (even if you build in a little error correction for discrepancies in the biometric or typing the sentence).

Yeah, right

[dsplat]

I guess I am the only person in the world who uses several different computers with several different keyboards. Oh, and my typing patterns is absolutely identical across all of them. Not! Has anyone else had the misfortune of trying to play Rogue/Hack/Angband/etc. on an ergo keyboard that was clearly split by someone who doesn't understand that programmers type differently?

How about ID by playing music?

[ecloud]

From Willy Wonka and the Chocolate Factory...

people scare me sometimes

[MenTaLguY]

It's not like this is food or anything: you don't need, say, Metallica's Black Album to keep breathing for another week.

Some would argue that point.

You're right, and quite frankly that scares me.

security software..

[eldios]

wasn't there a link here a while back, maybe it was elsewhere, concerning gait recognition. overlapping camera fields in an airport and this mystical software allowing you to single out people and record bizarre behavior.. (such as a person leaving a piece of baggage alone for an inordinate amount of time?) and letting you to track a person's movements throughout the monitored area.

RIAA backs DVORAK in 2010

[Sloppy]

Hmm.. so if you get a new keyboard (with either a new feel or a new layout), you need to buy all new keyboards.

If this takes off, I expect there to be an explosion of new types of keyboards on the market. A return of the IBM hard clicking keyboard (god I love these), "chicklet" keyboards (remember Atari 400 and ZX81?), ergonomic and "split" keyboards, and DVORAK layouts, etc. All secretly backed by RIAA's slush fund. :-)

---

Re:why not?

[generic-man]

The thing to understand here is that if you are making use of someone else's property, you should expect to abide by the conditions imposed on its use.

That's true. However, if I play music in my house, chances are that my family will be able to hear it. If I turn up the volume REALLY loud, my neighbors will probably be able to hear it. However, they haven't paid for the rights to listen to the music; I have. Can I call the cops on them for breaking the copyright -- before they call the cops on me for disturbing the peace? ;)

Two different keyboards

[Lizard_King]

I have two different keyboards that have drastically different characteristics. My typing style is much different depending on the hardware that I am using. The problem here is obvious.

Yeah, right

[KilobyteKnight]

This software has no chance of working as the developers expect. In the course of reading the article I came up with two ways to defeat it as a copy protection scheme.

1. A program that monitors the keyboard and records a "profile". This profile can be distributed along with the file and there goes the copy protection.

2. This one is blatently obvious... run your sound output back into your input and make a perfect digital copy without the copy protection.

What do these morons think they are going to accomplish?

*burp*

[soulflakes]

What if I get half-lit on 40 of OE and want to order some ICP? I don't know about you, but I can't type when I've been hittin' the sauce...

Retina Scan is bad.

[jmv]

From what I heard, people are backing away from retina scan. Though it is a very good identification method, it has an evil side effect: Your retina can tell a lot about your health. The problem is thus not reliability, but privary issues. You don't want retina scan as an identification when signing up for a life insurance!

Re:Retina Scan is bad.

[dublin]

The biggest problem with retinal scans is public acceptance.

In addition to the fact you mentioned that it's possible to sureptitiously determine a great deal about the user's health and habits (alcohol, drugs, late night web binges, etc.) there's the more formidable problem that most people view the process as unsanitary. I read a paper about this some time back. (In The Lancet??) Bottom line, they noted these perceptions were the primary impediment to retinal IDs, and that people would not accept retinal scans as routine.

Too Late!

[cybertad]

I already patented this along with fecal, rectal and, nostral scans.

As I am sure you can imagine, scanning the nostral after the first two really sucks.

Hopefully this will be implemented for root passwd

[bitwize!]

Who knows what I'd do with root access when I come home drunk. You'll have to drink more to make your box as secure as possible.

"Come onn, i knoe im drubnk, but i need to upgraade my kerrnel"

Can this be used for tracking web users?

[MrShiny]

Is it possible to use JavaScript to collect timing information when someone is typing into a text field? You could then embed that information in a hidden field and send it back to the server. This could be used to identify users who mistakenly believe they are typing anonymous information into a form.

Even if it only works 2/3 of the time, it would still be useful to banner ad companies.

Uh oh.. they know!

[Hynman]

Now everyone will know I type one handed
#include <evil.grin>

Oh, can't I just use copy and paste and statistically bump my typing rate to like 100cps to confuse it?

Even better yet, have a filter that makes you keystrokes fit a pattern.... find someone's pattern and you have thier identity... no need to practice at all.

this is too variable to be good...

[bigmaddog]

I think the way you type can be affected by too many things for it to be reliable as identification. So I fell down the stairs this morning and smashed myself up real good - now what, I can't log in? Or I have allergies and I drugged myself up to the point where I can barely see... Or it's early in the morning, or late at night... Or my developing RSI becomes particularily bothersome... Or I'm using a keyboard with a layout I'm not used to... Just about anything affect the speed whit which I type, or whetehr I use two hands or one. Then there is the fact that the guy in the cubicle next to me types the same way I do, or fairly close. To make sure that he can't pretend to be me, you have to crank up the sensitivity of the system, but that in turn means that the system becomes more sensitive to all the factors that affect the way you type as well. I say we just go with DNA identification - that way only my evil twin will be able to pretend to be me, disease will spread through the testing mechanisms and insurance companies will be able to buy my DNA from my employer and find out how succeptible I am to cancer. Perfect!

Re:spelling

[phawley]

I doubt it's intentional...it's just Cmdr Taco.

His spelling is notoriously bad - his handle is Cmdr because he didn't know how to spell Commander! ;)

Re:What About Keyboard ID's

[Phroggy]

IS there anyway to extrapolate a Unique ID from the Keyboard like a mac address for an ethernet card? If so use that Your Key Board can be the Key. Much better than having to worry about weather or not you can type approximately with the same rythm

...until you buy a new keyboard, or you've got several computers (each with a different keyboard).

Many cable modem ISPs use your MAC address to filter IP addresses, so your service won't work if you swap NICs or computers. The problem with this is, some of them will refuse to set up your service unless you have a Windows box (or an iMac, but no other Mac model), and once they set it up you can't just swap computers. If you're smart, you'll just call them and give them your new MAC address, lying to them and claiming it's in the same computer - but if you ever need a technician to come out and fix something, you're screwed.

Hmm, I seem to have drifted off topic. Sorry.

--

Re:And they probably want us to pay for it too...

[BilldaCat]

I'm not sure how we made the jump from retina scanners to Metallica and Napster, but this has to be a sign that Slashdot is saturated with this stuff. :(

I guess I can see the jump in a "If I listen to Metallica on Napster, I will want to prod my retinas with a hot poker" sort of way..

Cryptonomicon again; morse-code styles

[Sebastopol]

Sounds like Cryptonomicon's theory of identifying morse code messengers by their "wrist" (is that the term he used?). Apparantly the individuals could be identified based on their morse-code styles.

I suspect the same would be true if we were all disciplined typists, like the stereotypical 1940's-era business offices crammed with female typists pounding on keyboards round-the-clock.

I think this method would require that the person to be identified has been typing for some time. A newbie typist would require several months (years?) to develop a distinct style.

But I can see where they got the idea.


---

Re:Cryptonomicon again; morse-code styles

[wowbagger]

Actually, the term is "fist": the way in which a Morse code sender composes his dots and dashes. An operator with a good "fist" is easier to copy than a some "ham-fisted" operator.

None of this applies to me, as I am a dirty stinkin' no-coder.

Re:moneky

[LoonXTall]

Eye scanners would be cool, cause to crack though, you would have to cut out the users eye, remove your glass eye, insert their's into the empty socket and crack that puppy open like a nice cold beer.

Or just hijack the scan data... it has to be stored somewhere to make a comparison, and it has to be sent there to be stored.

-- LoonXTall

Hack already published

[zTTTz]

That will be the headline when this ridiculous technology is released. A person, masquerading as a non-existant person using a stolen credit card number downloads 10's of thousands of songs. As he types in his password into a third party program, it records his typing to the T. Using the appropriate API (i.e. VB SendKeys), the third party programmer passes it to the Biometric validater and the user listens away. All this assuming someone didn't put a few "jmp" and "nop" commands in the Biometric validator to begin with!

Re:There's a reason they're called GPS receivers..

[JatTDB]

Hmm...my guess would be a separate transmitter...I've seen plenty of Everest climb specials on PBS and the like, I've only ever seen them use radios for communication back to the base station.

Speaking of the whole "toy" aspect, you CAN be tracked down by your mobile phone's signals...and a lot of people do use those as toys. Of course, when this became widely known, the companies said, "We'll just use it to locate you when you call 911 for an emergency!" Yeah. Right. And JoeSchmoeInternetCo just wants my email address to send me the rare special offer...

Does anyone remember that "viavoice" by IBM?

[Mr.roboto]

It was supposed to be the greatest thing, supposed to "know" you. It really turned out to be trash, cause tons of errors, and not eve un-install right. I imagine there'll be many ppl who can't get access to their data because the "digital fingerprint" isn't right, then I'll laugh because someone has found an ingienous way to exploit the security.

evil thoughts

[geekpress]

I can think of a number of delightfully mean things to do with such software.

1. If you type your Smashing Pumpkins passphrase in too perkily, the program forces you to listen to Brittney Spears instead.

2. If you make a spelling error in your passphrase, you have to listen to Hason's "Mmm-bop" at least 4 times.

3. If you type too slowly, you have to listen to Leonard Nimoy's redition of Proud Mary -- but only once.

4. If your passphrase isn't politically correct, you have to listen to a Tracy Chapman song before your perferred choice.

5. All other errors require the playing of Motley Crue at the highest possible volume.

-- Diana Hsieh

why is it your property?

[MenTaLguY]

You paid and own a laser-engraved piece of metal and plastic, but how does that make you the owner of its semantic content (at the very least, legally, it doesn't)?

Strictly speaking, these sorts of "protection" schemes don't take that plastic disc away from you, they only limit the manner in which you may interact with certain aspects of its symbolic content.

They aren't stopping you from playing frisbee with it, using it to resurface your roof along with your AOL CDs, or cleaning the toilet with it.

Fingerprint Identification

[frotter]

I looked into this company a while back:
http://www.digitalpersona.com
They have a fingerprint ID system (USB based). I think this is more to scare the users than to actually provide security.

let me try that again...

[MenTaLguY]

You're basically just worried about the right of first sale, aren't you?

That's not specifically addressed or infringed by these technologies.

It seems to me that the state of affairs that the record companies have brought about is this:

When you buy a CD, you buy that round piece of laser-engraved metal and plastic, and you also buy a license to use its information content. (The latter accounts for most of the price of the CD)

The piece of plastic is your property. The information content is just licenced to you.

That's just how it works now.

In this context, right of first sale just means that the license must be transferred with the CD, and nobody is allowed to prevent that.

Where there IS no spoon .. er ... CD, and the licensed information is transmitted digitally, then the aforementioned "right of first sale" really doesn't have much meaning anymore. There's no physical media to tie the license to.

Sorry.

I'd also like to note that it's not really possible (semiotically or practically) to impose restrictions on the copying of information while simultaneously allowing its use in any way.

(just try to come up with a 100% consistent definition of a practical "no copying" rule -- keep cacheing and related techniques in mind)

It is relatively more practical to achieve some semblance of control over use directly, however, hence the sort of draconian things that the industry is suggesting.

Well, the general idea, at least, could have merit

[esjewett]

Though I think that we've all agreed that copy-protection is pretty generally a dumb idea, the biometric identification via typing habits could concievably be a good idea. We do all have pretty unique typing styles, at least those of us who use a keyboard much, and, if correctly analyzed, these styles could identify a person. This is especially attractive because everyone has a keyboard so no other hardware is really necessary.

Ethan Jewett
E-mail: Now what spa I mean e-mail site does Microsoft run again?

This idea is more than 20 years old

[Mr.+Protocol]

There's an existence proof for this. R. Stockton Gaines developed a system called "Keyprint" at The RAND Corporation over fifteen years ago, in the days when RAND invented the MH mail system and other cool stuff (they've now assassinated all their high-tech efforts and gone in for policy analysis).

We researchers had our reservations about that one, based on many of the same concerns shown here. Imagine our surprise when the blamed thing actually worked. There were enough degrees of freedom that the aggregate of the correlations it used was immune to "off days" and other such variations. This is described in Rand Report R-2526-NSF.

A Missed Point

[NReitzel]

Musicrypt has missed the point. If music can be copied and shared, it will be copied and shared. Huge charges for prerecorded music came about when recording and duplication called for million-dollar physical plants - and like it or not, those days are over.

It's not that people will steal things just because they can - though of course some will - it's simply that a whole lot of people look at a performing group that has made tens of millions off of a song or a CD, and simply figure (rightly or wrongly) that a few million dollars ought to be enough, and that the five cents they potentially deny an artist by downloading a copy of one of their songs isn't materially going to affect their lifestyle.

Of course, the lifestyle that will be affected most in the near future will be that of RIAA executives - their free ride is coming to an end and they are in the unenvyable position of stable managers trying to outlaw the horseless carriage a hundred years ago. Their cause is lost; they just don't yet know it.

Artists, on the other hand, can still make a decent living on prerecorded music. In a recent visit to Phoenix, I came across a slew of CD's published by relatively unknown artists under handwritten labels, all selling well at five dollars per disk. One wonders if these lesser names know something that their famous bretheren do not... They know that most people will pay a nominal fee for prerecorded music, especially if, like many of the CD's I examined, the material is already in MP3 format, ready to compute. Since the actual cost of producing a real CD (not a CD-W) is around five cents, one would think that current performing artists could easily be competative with the price of hard disk space needed to store their wares.

Let us not lose perspective on who is stealing from whom. When a user copies an MP3, even against copyrights, they are costing that artist a nickel. Every time an artist sells a CD under RIAA auspices, the RIAA is raking about ten bucks. Back in the days when it took tens of millions of dollars to cut an album, this might have made sense. These days, any geek with a computer can handle the technical end of the business.

Copyrights as we know them, expecially on works of art, are as dead as buggy whip manufacturers.

Identification by typo

[Imhmo]

It must be Emmet, look at all the typos!

Moderation stupidity

[DonkPunch]

What moron moderated that post "Flamebait" when it was CLEARLY "Offtopic"?

Get it right!

Re:why not?

[Duke+of+URL]

Well the reason I used a family member as an example rather than say a friend or something is there are laws in the US which allow families to share property and money and such and not be penalized. I'm thinking about how you can work for a family business and be taxed differently or how you can gift a certain amount of money to a family memeber and not be taxed, etc. So there's this idea that a family can legally share property . So a father can buy a Disney video for their kids, but its ok if the wife watched Sleeping Beauty too. If they make you ID youself eachtime you listen to a song or a video, then your family can't share the property anymore. Thats the question I was trying to ask, is are we going to end up that way? No more sharing of family property amoung family memebers? I certainly wasen't trying throw out flame-bait. That's the first time one of my posts have been labeled flame-bait that I can remember. Odd.

Re:This could be robust if done properly

[ore]

I would tend to agree with you on this. But the "if done properly" caveat needs to be explored a bit more.

For details of this "new" biometric savior check out the following:

http://www.netnanny.com/Downloa ds/PDF/BioPassword.pdf

The authorized user develops an "electronic signature" by typing his ID and/or Password on the keyboard several times. When the user subsequently enters his ID and/or Password to access the computer, BioPassword compares the typing dynamics to the "electronic signature" on record. If the pattern matches, the user is accepted. If someone other than the authorized user attempts to access the computer using the authorized user's ID and password, he will be rejected, as his typing pattern does not match the "electronic signature" of the authorized user.

Although they do not delve into the intricacies of their recognition algorithm, I would bet you have to go through a more extensive traning to finely tune this system. If it is only to be trained with a 6 to 12 character password, can you imagine how many false positives this security scheme would create? If would almost have to be a pass phrase rather than password, because the timing of your average touch typist differs greatly from typing a random password, and "In Xanadu did Kubla Kahn a stately pleasure dome decree." Another issue, when I first change to a new randomly generated password, I can't type it worth shit, but after a few days, it rolls off my fingers as fast (or faster) than regular text. This simple truism would wreak havoc on this system.

As already mentioned, this system is crackable. Whether through X11 or BO sniffing, keystrokes and timing can be recorded, stored remotely and played back ad infinitum. They might have some fancy keystroke velocity juxtipostion ratio involved that allows them to deal with lag in the net traffic, but this will only insure that cracked keystroke files played back from various locations would still work.

While reading Cryptonomicon references are made to the "fist" attributed to a given morse code operator sending encrypted messages out. At one point in the book, this "fist" is accurately forged by a musician IIRC to send false messages to the Germans after the Allies had cracked Enigma.

More disconcerting to me is the investent that NetNanny has in this technology...

In 1989, NNS acquired all rights, patents, trademarks, and copyrights associated with BioPassword ® , an access system utilizing the biometrics of "keystroke dynamics" - the manner and rhythm in which each individual types. The technology was originally developed by SRI International (formerly Stanford Research Institute) between 1979 and 1985 in an effort to create a computer-based security access and identification procedure that would present greater protection than keys, cards, passwords or codes. From 1985 through 1988, SRI and a privately funded company jointly continued development of a prototype utilizing the technology called BioPassword ® . An estimated $US 6 million had been invested through 1989 to develop this keystroke dynamics technology when NNS acquired it.

And the FUD they will spread attempting to ensure their system is adopted...

In recent years, media reports about data-wrecking viruses like SATAN have certainly raised the profile of computer security and data losses from both outside and within organizations. Sales of firewalls - combinations of hardware and software that act as a barrier between companies' internal network and the Internet - have increased. These can provide a measure of protection against outside intruders but not from within, by companies' employees for example.

Sounds like business as usual to me.

Re:What About Keyboard ID's

[generic-man]

I guess what we really need to do is make a device that anylizes urine. Would'nt that be perfect at the office...

I'm sure my cubicle-neighbors would just love that.

"DEAR LORD, JASON WHY ARE YOU PEEING INTO THE COMPUTER?"

"Relax. I just want to hear some music. I'm also signing in to post things on Slashdot."

(confused employee runs away terrified, notifies security)

smells fishy to me

[James+McKay]

since everyone has already decided that this typing pattern recognition thing is just not going to work, has anyone looked at the possibility that maybe it's just an excuse to develop applications to memorize your keystrokes. For example what if this is all just an attempt to make a type of cookie mainstream, which just sits there and eats up all of your keystrokes in the name of copyrights and then conveniently sends it all back to the creator of the cookie...just a thought anyways.

What about lag?

[Life+Blood]

Last time I checked, IP was not really a time sensitive protocol. It makes sure the packets get there but not when, hence the trouble with webphones and streaming media in the early days. So to use this they're either going to have to record the whole string in a trusted client, a bad idea when security is an issue, or they are going to send the sentence letter-by-letter across the internet, where noise is going to cause serious problems with their time-based metrics. I sense possible implementation problems coming in the future...

Still it might be an interesting way to encrypt stuff on your computer. Not only would you have to know the password phrase to type, but you would also have to be able to type it properly to get access to the data. It makes passwords lots harder to crack and the extra security is almost transparent to the user.

the inevitable Cryptonomicon mention

[georgeha]

every thread must have one.

In 'Between Silk and Cyanide' the writer talks about the 'signature' of a wireless operator - a pattern of the rythem of their keystrokes that was kept on file, to compare suspicious messages.

They call this the fist in Cryptonicon, and use it in a counter intelligence operation to save our heroes.

I'm not sure if this is true, though.

George

Re:the inevitable Cryptonomicon mention

[davebooth]

Yes, its true.. Ask any of the still-surviving telegraph operators if they could tell who was sending by the style of his keying - even if they were sending a stock test phrase like "best bent wire" (-... . ... - -... . -. - .-- .. .-. . picked for its distinctive rythym) They'll tell you they could. Fist recognition was even used in allied intelligence ops in WW2 where a common practice on capturing a resistance member along with their codes was for german counterintelligence to impersonate the resistance operator and send fake transmissions. Many of these attempts were detected by experienced operators in England realising that the fist was wrong for the person they expected to be sending.

# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking

Typing Lessons

[giminy]

Will we start to see Doogie Howser typing lessons now?

The one true answer...

[little+alfalfa]

Buttcheek scanners!

Re:Still flawed though...

[xianzombie]

So what your saying is, to brute force passwords, people are gonna be stealing other peoples eye-balls?

Creeeeepiieeeee

XZ

What happens...

[siokaos]

What happens if you are drunk?

ACCESS DENIED!!
User: _siokaos_
does not type 1 wpm

This is just plain stupid

[SurfsUp]

Speaking as a musician I know that:

Repeating the exact same rhythm accurately is a skill that takes years to master. It sure doesn't happen by accident.

Memory of rhythm fades rapidly. Unlike the patterns that grow on the ends of your fingers.

Supposing that people did have characteristic patterns - by ear, a trained musician can easily copy and conterfeit them.

On top of that, *nobody* is going to be happy about getting a retinal scan or anything remotely resembling that before they can play a piece of music they bought and paid for. This idea is so far out in left field that I can't see it as anything other than grasping at a straw - an act of desperation.

I was reading a fine piece today that sums up exactly my thoughts, better than I could. The problem is defined perfectly, and the reasons why recorded music is *never* going to be expensive and restricted again, like it has for much of the 20th century. (The solutions he proposes for compensating musicians in that piece are too utopian, IMHO, but other solutions *will* work.)

The RIAA and their toadies are on the run. They may be able to attack dotcom's and bring them to heel, but they can't successfully overwhelm the entire net.

Disclaimer: I would *never* encourage anyone to violate a copyright, even to hasten the demise of an evil cartel like the RIAA - instead, listen to the music of musician's that *want* you to, and don't unfairly restrict you.
--

Cut Copy Paste

[heliocentric]

So, what if we all just tpye our sentances in vi, then cut copy paste them to the input field?? Wouldn't it be the same pattern for all of us??

Not that nutty.

[KahunaBurger]

I dunno, I make a lot of typo's too, but I still think this would work. Even though I don't touch-type, certain words just "spit" themselves out when I'm writing something. The rhythm of those words is probably tied to my particular brand of hunting and pecking, and there's no good reason that couldn't be analysed.

Saying it wouldn't work because people make typos might be like saying that gait analysis won't be able to identify people who stumble sometimes.

My question would be, does it work better or worse on people who actually learned to touchtype "properly"?

-Kahuna Burger

Old-School Neuro-Chips

[ZahrGnosis]

I remember the University of Louisville messing with this technology almost 10 years ago... they were using chips that were suppossed to better simulate Neural Nets so that they could "learn" how an authenticated person typed and then later recognize them by that typing. Glad to hear someone finally got this stuff to work.

Dvorak

[chris.bitmead]

Mostly I use dvorak keyboards. Sometimes I don't. My speed and everything is completely different on each. I would be swearing like hell if I can't login because I have the wrong keyboard.

Not interested in retinal scanners

[thaigan]

While I think retinal scanning is an interesting idea, I don't want to be that identifyable(sp?).
If ten years ago, the US govt. asked the public to carry something that uniquely identified them and let them know where we are at all times, like GPS, we would've screamed NO! But now, we beg for it and would even pay big bucks to have it before our neighbors.

Who says...

[Joe_NoOne]

you can't get venture capital for any crazy idea...

Re:What About Keyboard ID's

[Phroggy]

Umm, I thought the MAC address was determined entirely by hardware, not software? And MAC addresses are centrally registered, to be sure that each one is unique. Definition at everything2.com.

--

So much criticism of a proven method?

[.havoc]

Gee, I don't see the problem in using a preven method of identification that was used with terrific success all the way back in Worl War II.

The underground radio operators that transmitted info to the British listening stations by moris code (that dash-dot-dash stuff for you kiddies that don't even remember it). Each operator had an identifiable characteristic to the way they operated the key. I can't remember the term they used, but if the operators were captured by occupying forces, they were instructed to change their "hand" (we'll call it) to show distress without having to send a "I'm in trouble, and there's a very nice German officer with a Mauser pointed at the back of my head, making sure I don't tell you this," message to the listening post. At that point, the listening post would know to disreguard that operator's info as false inteligence.

Don't be too quick to write off proven technology, after all, it's been around and working well longer than the semiconductor.

Where do I start?

[FascDot+Killed+My+Pr]

What if I become handicapped (blind, lose arm/hand/finger)? Suddenly I can't use my software because I don't type the same?

What about other people in the same house? What if I sell the software? What if what if what if?

This is just dumb. Of course, knowing the software industry, the first product to include a license management scheme that locks you out if your keyboard skills change will be "Mavis Beacon Teaches Typing"...
--
Compaq dropping MAILWorks?

Another flaw...

[SvnLyrBrto]

Anyone else use multiple keyboards?

Anyone else type differently on each?

Lessee...

At work I have one of those nifty ergonomic jobs on the pc, and a generic extended board on the Linux rack.

At home, one of those little iMac boards on my G3 tower, and an IBM 101key (better tactile/audio feedback than other brands) on the Linux box.

Plus, I have an old beater of a Thinkpad, with keyboard oddities of its own, I use for email on the road.

And by the end of the summer, I plan to have a new Powerbook.

Five keyboards (now... six in a couple months), all with different feel and feedback, and almost certianly, all with different typing habits.

I don't think it'll work.

john
Resistance is NOT futile!!!

Haiku:
I am not a drone.
Remove the collective if

This could be robust if done properly

[zyqqh]

I'm really skeptical about them getting something like this to work, I mean, I make typos in my 12 charachter password, but to be expected to type a sentence with the same rhythm? I still want retina scanners.

I would hope that the system they're developing does NOT expect the user to put conscious effort into typing with the "same rhythm." The process of typing a full sentence, with timing data, has much higher dimensionality than any human observer could possibly take advantage of. Whether or not there are relevant parameters to be extracted from this remains to be seen, but I would stay clear of making statements such as the above until a good learning algorithm spends some quality time with the data. The only way this will work is if a learning algorithm manages to extract parameters which uniquely identify the user no matter what the user "tries" to do.

nope.

[MenTaLguY]

You're the one distributing (performing?) the music without a license, not them.

Why this is a bad idea

[twjordan]

When I worked on tech support people forgot their passwords in under 60 seconds! I used to say that if we used retinal scanners, people would go on vacation and lose their eyeballs!

I can see this now, "I jsut went away for a few days and now I can't remmember how to type!"

What is the answer to that? "Ok let me reset your cadence."?

spelling

[YoJ]

charachter doesn't have any character

Re:Still flawed though...

[scrod]

Also, don't forget that these retinal scanners won't be looking for EXACT pictures; people could never, ever look at the scanner exactly the same way. These scanners would only be looking at patterns in one's retina, not at a picture of the retinal itself. Thus, it is safe for the retinal scanner to assume that pictures identical in every single way to the original retinal print are invalid.

Signature biometrics

[Anal+Surprise]

Last night at Circuit City (yeah, I know...) I was asked to sign my credit card slip on one of those damned pen tablets. I refused, claiming that it was against my religion (Western Sect Freedonianism). She just made a photocopy instead, but it was a nuisance.

I couldn't figure out why I was so annoyed then, but now I understand better. A system like this could ensure that my signature looks the same *and* is produced with some kind of similar beat/regularity.

I notice that banks have little fingerprint pads now, too, like you're a criminal or something. Woo! I really do hope that more atheists "get religion", specifically one that says little more than "leave me the fuck alone and stop trying to measure my dick size".

Expect

[Urmane]

Should be fairly simple to defeat with Expect. ;-)

Lame, lame idea.

[Bowie+J.+Poag]

I'd give it... oh, I dunno..5 minutes before someone comes up with a Perl script to replicate someone's typing style?

I remember doing this when I was like 12. Dialing into local Commodore 64 warez BBS'es acting like I had a terrible grasp of English, and typing terribly slow to convince the Sysop I was dialing in from l33t-land, Europe. A whole big charade to give me an unlimited ratio. Worked nearly every time.

There are so many holes in a technology like this that i'd shitcan it before it even got off the ground. If you're going to identify someone, there are far, far better ways of going about it than this, i'm afraid.



Bowie J. Poag

Re:What About Keyboard ID's

[JatTDB]

You gonna carry your keyboard to the office, to you're friend's house, to wherever besides its normal location?

Didn't think so. I wouldn't either.

Since such a system would only be practical for single-system use anyway, why not just use...hrm...the mac address?

Re:Sperm Scanners

[slickwillie]

Umm, that would immediately prevent more than 50% of the population from being able to "log into something".

Telegrapher's "signature" rhythm...

[Paul+Neubauer]

is indeed referred to as his (or her) 'fist'.

And decoding/copying someone with a 'bad fist' is very difficult, while a 'good fist' is much much easier.

Being told, while using a straight key (the kind most most people think of) that one has a good fist is quite a compliment.

Can't you capture keystrokes and play them back?

[gelfling]

It seems a simple matter to capture not only keystrokes but the time/interval relationships among them and play them back with a macro. Hell it sounds like the next mail macro virus in the making - - send someone the capture prog, have it snag keystroke signatures and send them back out again....

Typos Included

[Chasuk]

_I'm really skeptical about them getting something like this to work, I mean, I make typos in my 12 charachter password, but to be expected to type a sentence with the same rhythm?_

The typos are part of that rhythm.

If this were speech recognition, then every slur, drawl and lisp would be part of that rhythm. That's how biometric identification works: it doesn't measure and record EXACT patterns, it is looking for _rhythmic_ approximations that are typical, or representative, of user X. Further, it is amazingly effective. Think how often, when proofreading, that you discover exactly the same errors - teh instead of the - again and again and again. And that is just a trivial example. I'm sure there are many others.

Are you kidding me?

[StoryMan]

The point that everyone seems to be missing here -- the RIAA especially -- is that we're talking about taking draconian measures to control access to art. Or, to put it another way: no one here is actually talking about "art"; instead everyone is talking about controlling the access to the art.

And it's utterly absurd.

Think about it: do we really need retinal scans and fingerprint scanners or biometric typing tutors to ... er ... listen to MP3s? Or even to watch "Big Daddy?"

All of these "copy control measures" are in place solely to *guarantee* the flow of profits not to the artists but to the corporations that contract the artist.

I mentioned this in today's Napster story, but -- and come on, where is Katz when we need him? -- no one is talking about what's really going on here: the fact that 'intellectual property' as the studios would have us believe it is dying a slow, expensive death.

And, if that wasn't enough, all this should start people thinking about the notions of 'intellectual property' in the first place.

Come on, Katz, for chrissake: write one of your grand editorials about this -- about how technology is (finally) questioning the very notions of "property" -- and what it is that makes this a so-called "property" in the first place.

What we're witnessing with all this biometric nonsense and CSS absurdity is the very loud gasps of corporations attempting to stay afload on yesterday's notions of 'property' and 'profit.'

This, finally, may be the single most important contribution of the internet: the paradigm shifting notion that yesterday's 'intellectual property' cannot survive in an age where 'democracy' plays itself out not in parchment 'constitutions' or 'declarations' but across fiber optic cables and digital switches.

'Property' has always depended as much on the presence of an object as much as its absence. Property has value when, say, you have a Lexus and you know that not everyone else does. This makes your Lexus valuable in the marketplace. Everyone *could* have a Lexus, sure, but not every one does. Everyone *could* own a house, but not everyone does.

But what happens when you realize that your highly prized commodity (as determined by an artificially designed marketplace) suddenly loses its intrinsic value?

Short of the specific things we need for survival -- food, shelter, sex -- the value of everything else is artificially assigned by the culture in which it is commodified.

You go ape shit and attempt to preserve its value. But the question is this: for whom is this value being preserved for? And, more importantly, why? Are you preserving its value because without value the object will disappear? Well, this is what Jack Valenti will have us believe. If there is no copy protection for the next Brad Pitt movie, there will be no Brad Pitt movies. (Now, if this means that there will be no more absurd films like 'Fight Club', I'd be delighted. But Valenti would have us believe that even another 'Seven' -- a brilliant film -- would never get made, which would, indeed, be a shame.)

Of course, this is bullshit. Art won't stop if suddenly there are no more corporations to exploit it. All that will happen is that a lot of the dead weight will be jettisoned.

My point is that the link between 'art' and its earning potential for corporations is an artificial link. Art will always exist -- and art will continue to exist, even when it loses its status a 'property' by the corporations that use it to make money.

Re:There's a reason they're called GPS receivers..

[thaigan]

Ahh, thanks. I didn't know they were only receivers. I'd only heard of them as Global Positioning SYSTEMS. I still think most people would gladly welcome a device that does broadcast where they are as long as it was marketed as a "toy". Also, I once heard of a hiker that was climbing Everest and using GPS to report his health status(blood pressure, temp, etc.) Any idea what that was all about if they're only receivers?

keyboard wedges

[dublin]

Somewhere in a junk box in my garage is an old AT-style keyboard adapter box commonly called a "keyboard wedge". These are still used sometimes to do things like provide input from barcode scanners and the like.

The one I've got has a small 8-bit micro in it that also has the ability to capture and replay keystroke sequences delimited by truly odd and awkward command key sequences. Heck, IIRC, someone even posted something here a while back about a keyboard with a built-in capture and playback buffer. One thing I noticed about the way mine works is that it preserves the timing of the input in order to make sure it doesn't get ahead of the applicaiton. Any such gadget would defeat this scheme.

Demolition Man

[mxu]

Retina scanners? No Way. I don't wanna be the one that gets eyeball sticked in the top of a pencil.

Re:Ridiculous.

[bluGill]

Huh? Where did you find a saleperson who even checks the signature. I signed my credit card with my right hand, and typically sign all the slips with my left. The signature is very different. Most clerks don't even look at what is on the card. Of those that do (5% maybe look at it) only one has accually noticed that there was a difference. (He then looked at my license, saw my picture and noted the signature on the license was the same as the card and the names matched)

One-handed typing?

[Mignon]

There could be trouble if they encrypt porn files this way, unless you always type with one hand...

Fatal flaw

[Signal+11]

The fatal flaw is that if it records, it can be played back. Sorry guys, no dice.. digital protection is flawed for exactly one reason - you can't obscure whether the bit is there or not. Solve that and I have a quantum physicist that wants to talk to you.

why not?

[MenTaLguY]

[ begin devil's advocate mode ]

What if a family memeber wants to listen to my music and I'm not at home?

Then they should pay to hear it, the same as you.

The thing to understand here is that if you are making use of someone else's property, you should expect to abide by the conditions imposed on its use.

If you don't like the conditions, don't use it. It's not like this is food or anything: you don't need, say, Metallica's Black Album to keep breathing for another week.

The music is the property of its owner. If someone wants to, they may let you or your family members use it for free if they want, but they shouldn't be forced to do so.

It's only now that technologies like this are giving the owners an option in these matters. Forcing them to let people use their property for free is morally wrong and it's only now that we're beginning to see technology that can rectify the situation.

[ end devil's advocate mode ]

In my own opinion, while I believe that private property rights are a consequence of natural law (woo, look at the cute widdle 18th century philosophy), they are such only because of exclusivity. Two people physically can't posess or control a physical object.

I don't think the notion of "property" should be perverted to include things that aren't naturally, in enconomic parlance, excludable, and I don't think scarcity should be imposed where there is naturally none soley for the sake of making a profit.

If people get mad when someone creates artificial scarcity even in a naturally scarce good (e.g. OPEC with oil), why is making a naturally non-scare good scarce just for the sake of making money suddenly okay with everyone?

Now, making sure artists eat is a different matter, but the record companies aren't generally doing any better -- the majority of musicians would be living in cardboard boxes on the street (and not eating) if they relied on revenue from the record companies for their livelihood.

Personally, I think we need to start thinking more about artists as people who actually do WORK (they do, you know, composing ain't easy) for which they should be paid (they generally aren't now, except when they're paid for performing), rather than thinking of them as people who need to be subsidized by someone playing tollkeeper to their ideas.

The new technology is also enabling schemes like the Street Performer Protocol area which are I think a good start in the right direction. I only hope more people pursue them, instead of strangling ourselves like we are now.

We have real world scare resources that have economic value: scare creative talent (labor). There is no real need to make "pretend" scarcity in information-space to subsidize that labor, unless you expect <sarcasm>the lazy artists to do their thing for free (they're not really DOING anything, after all)</sarcasm>.

Impared users?

[heliocentric]

What about impared users of computers (Steven Hawkings for examples) that don't ever type, but use another system to generate text for them?

Ridiculous.

[Colol]

This is as stupid as when a newbie salesperson scrutinizes the differences between your credit card signature and the signature on the sales slip, and calls a manager over because you didn't dot your i.
This is easily the most moronic approach to security I've ever seen... Most humans don't type anything consistently -- well, now there's an idea. Since the chances of you never typing closely enough to pass the security check are rather low, more money for the vendor, since you'll have to re-buy it for each additional use. Brilliant!
This is almost as good as Microsoft conveniently finding drivers to be "incompatible" with Windows Millennium so you have to buy new hardware.

Standard passwords

[Kanasta]

I propose that from now on, files which need to be shared will be locked with the password 'asdfg', typed in 1 second intervals.


---

This worries me..

[Stskeeps]

Does it mean that if I break my wrist - so that I cannot write at same speed, that I cannot buy music/things online? Worries me if people make a unix login with authentication like that - I mean, lower WPM will cause incorrect password, what if im tired? --Stskeeps

will be very poor if ever used.

[bwalling]

this won't ever work, and the people working on it should realize this. do you type the same way when the keyboard is in your lap as you do when it is on a desk? how about when you are leaning back? or using your laptop?

this is absolutely stupid. i wouldn't be surprised to find out it was a hoax.

What a horrifically stupid idea

[Sick+Boy]

"Rythm" is hardly a biometric. Ask anyone who's been in a freaking band. It will take about 40 seconds for there to be a "standard" typing rythm for *everything*. I recommend that old "shave and a haircut" thing that everyone already knows.

<rant>

And another thing. Copy protection is REALLY starting to piss me off. I wanted to play a game yesterday, that's all, just play a game. And I had to track down the fscking CD. It takes an additional minute to jump into a game. Not a lot in the long run, but since I only wanted to jump in, frag a few people, and get out, we're looking at an additional 10% of the time I'd spend playing.

HEY! "Intellectual property" owners! I'm only going to say this once:

The only people you're slowing down are the legitimate consumers. And they're getting pretty pissed about it.
Now I'm off to find a crack for my game, so I can play without the CD.

</rant>
--

Re:I know what you meant, really...

[rifter]

Campfire singalongs do not violate copyright, neither does playing another person's song (as many bands will attest, most do play "covers" which are songs they did not write).

The reason it does not violate copyright is that the song you sing is your rendering of the song. It is not an exact copy. If you were to play a tape of Metallica and lip synch at a concert, that would be copyright infringement. Playing "Kumbaya" or even "Enter Sandman" yourself and singing with others, all singing themselves, is not infringement because that is your work.

New product idea, defeats security

[lbrlove]

"Mavis Beacon Teaches Identity Change"

-L

Limerick

[575]

There once was a company hyping
A program that knew you by typing
They miswrote the checkers
It hunted the peckers
And left all the touch-typists griping

Big Brother is MegaCorp

[vcc]

Does it alarm anyone else the ease with which identification schemes come through here with nothing more than joking? One day, one of these will work along with all the smaller solutions that already do. I really don't care to be identified by anyone other than another human being.

What do you think?

Re:Big Brother is MegaCorp

[Ageless]

Wow, really?
You are tired of crazy schemes like pay at the pump, ATMs, using a credit card for groceries, phone numbers, keys to get into your house and car?
Perhaps we should each have a person that walks around with us that will tell other people that you are really who you are.
But then, why the hell should they believe him?
Unfortunatly, human beings are a lot less trustworthy than a deadbolt and a key.

Did I work with these people?

[shippo]

I sounds like the stupid idea of someone who used to work for the same company as myself. A typical clueless suit.

He was supposedly leading our solutions's provider into new directions, but had zero technical skills. The company wasted 1000s of pounds sterling promoting ideas like this. One was signature recognition software which just didn't work. When I mentioned digital signatures he just looked at me blankly!

Still flawed though...

[Crypt0pimP]

Retinal scans are a nice whizz-bang toy, but consider... what is that scan of your retina.. it's your password. Your password has to be converted to a key of some sort and stored for authentication. Well, what's the preferred method of entering a system? Not by brute forcing the passwords, but by getting a hold of current user's passwords... that little file that is the representation of your retina. (probably offtopic, but still something to consider.)

Re:Still flawed though...

[xianzombie]

Yes, I undestand all that, however the problem with building a retnal scanner to work at a distance that far has several flaws in itself.

Primarily, getting the person your scanning to remain stationary long enough to get the scan (i dunno how long those scans take) and also getting them to look at the scanner to begin with.

I'm not even going to begin to question how much it would cost to get something like that either....

XZ

And they probably want us to pay for it too...

[Anders+H�ckersten]

In the end, they're gonna want retina scans or something similar anyway, and every user is gonna need a retina scanner. Who's gonna pay for this "secure technology"? I know who:
We are.

Why don't they lower prices on CDs instead? That would probably help solve their problems. The bottom line is: If I'm not ready to pay for the latest Metallica CD or whatever, I'm not going to. I'm going to find a way to get it for free, no matter how hard it becomes. Most people don't use Napster since they don't want to support the artists, they use it since they want that one good song by that otherwise crappy artist, and aren't willing to pay lots of $$$ to the greedy record industry.

moneky

[jbarnett]

I will just get a monkey to randomly mash and bash the keyboard with it's hairy paws, now that is security.

But, say you wanted to crack this, couldn'y you just get a realtime video cam and record the rate system admin mashes the keyboard with his fat hands? Get the rhytem from the tape and then make a robtic device to mimic system admin bob's keystroke rate.

Eye scanners would be cool, cause to crack though, you would have to cut out the users eye, remove your glass eye, insert their's into the empty socket and crack that puppy open like a nice cold beer.

On thing I seriously though about doing is a IR interface that is embedded into the body and can send the signal automatic when a correct password is typed into the machine.

Seriously though, the above is just bs. Let's thinkg about this, what if you are drunk or stoned and want to check email? do you think your type rate will be the same? What if you are intoxicated on large amounts of caffeine when you "insert" the password rythems, then when you wake up slow in the morning and try to see what is on slashdot, you type rate is differant. What if you finally get one of those big ass old sytle IBM "click" keyboards that slows down your type rated compared to your sleek space age "fluffy" keyboard?

And most of all, what if you a typing class?

I know what you meant, really...

[MenTaLguY]

...but apparently some people don't.

I suspect the goober will probably get smacked down in metamoderation, anyway.

Family situations aside, though, there are a lot of things that we do now (e.g. campfire singalongs) that violate copyright, it's just that there isn't (currently) a good mechanism to enforce it in those circumstances. (except some ASCAP sabre-rattling now and then)

People ignore the inequities in the law because it's not consistently enforced. Technology is changing that.

Really, my only reservation is that I'd like to make sure there are other ways artists can get equitably paid for their work BEFORE the copyright system falls apart.

Re:What About Keyboard ID's

[JourneymanMereel]

It's burned into the hardware and passed on by the software. All you have to do is modify the passing on routine. Because this is so commonly done, it can normally be done with a config file.

Linux module

[zCyl]

What I want is a Linux module that monitors the typing of whoever is logged in as root, and sends an email to a remote address of mine when a violation is detected. That would be extremely useful.

Forget this music crap. If I can route it to my speakers, I can burn it to cd, make an mp3, or record it to tape and take it to my car. Let them develop the technology, then eventually we'll put it to good use.

morse fist

[gcoates]

During WWII army intelligence were able to identify individual enemy radio operators from intercepted morse signals, due to the fact that each opererator had a distinctive style, known as a fist.

Given that this was possible in 1940 with no computing power, biometrics based on keyboard style is probably not so stupid...

Type In Rhythm

[eGabriel]

Typing to the rhythm of "shave and a haircut" or something will become the equivalent of "cypherpunks/cypherpunks"

the difference

[cara]

There are two issues that come into play here. I would bet that a password is more secure than the typing rhythm identifier. However, the music companies are not worried about the same type of security that individuals are worried about, so passwords are not as good of a solution for them. They are worried about users knowingly compromising their security by giving out the password to friends so that they can listen to the music too. There is no way a user can "give out" the way they type a sentence.

As to the typing rhythm method of security, it is probably not as secure because the technology is imprecise. It has to allow for variations in a single users typing patterns so it will be at least a little fuzzy. Most likely, there are other people who have similar typing patterns and could "break in" to some users account. The thing is that it is coincidental as to what human beings would happen to have similar typing rhythms. It is not something someone can give out to their friends, so the music companies are safe.

I know where I'd like to see this technology used

[YASD]

Computer: Welcome to Microsoft Windows 2005! Please enter your password using your normal rhythm.

User: i-a-m-a-l-u-s-e-r [enter]

Computer: I'm sorry, that rhythm did not match. Please try again.

User: i-a-m-a-l-u-s-e-r [enter]

(Three tries later...)

Computer: I'm sorry, you have failed login too many times. Your account has been locked. Please call Microsoft Tech Support at 1-900-SCREWME for assistance. Only $5 a minute!

------

What about lending music to friends

[SIGFPE]

It used to be fun to share CDs with friends so that you could discover new types of music (I don't mean to rip them, I mean to *listen* to them). Now you're going to have to have a biometric scan before playing your music. Is the lending of music (and an important part of our culture) going to come to an end?
--

Why Keystrokes and not Digital Certificates

[Xrkun]

Why do companies keep trying to come up with new ways to identify people on the net? The best way to my knowledge is via digital certificate. Perhaps digital certificates should be issued to everyone for free. That way, vendors could guarantee that the person that they are exchanging data with is in fact the person who paid for this particular service. I'm sure a company that wants to offer Music etc... over the net can do this if they implement a DC strategy. The only reason that DC's are not being used is because they cost money. Why doesn't the US government take control of this and issue DC's to people who want them. (Hell maybe we could even vote on-line if something like this was available.)

Re:I know where I'd like to see this technology us

[KilobyteKnight]

Computer: I'm sorry, you have failed login too many times. Your account has been locked. Please call Microsoft Tech Support at 1-900-SCREWME for assistance. Only $5 a minute!

MS Tech Support: Hi may I help you?

User: Yes, my system locked up when I tried to enter my password.

MS Tech Support: Please hold.

... 45 minutes later ...

MS Tech Support: Just click the cancel button, it'll let you right in. The charge of $225.00 will be double billed to your credit card.

But I don't always type at the same speed!

[Dust+Puppy]

If I'm eating my lunch, I might be typing with one hand whilst holding a cheese sandwich in the other - substantially changing my typing speed characteristics. If I'm drunk I make many more typos, which I expect would also confound this system.

Fortune says:

[Yarn]

... an anecdote from IBM's Yorktown Heights Research Center. When a
programmer used his new computer terminal, all was fine when he was sitting
down, but he couldn't log in to the system when he was standing up. That
behavior was 100 percent repeatable: he could always log in when sitting and
never when standing.

Most of us just sit back and marvel at such a story; how could that terminal
know whether the poor guy was sitting or standing? Good debuggers, though,
know that there has to be a reason. Electrical theories are the easiest to
hypothesize: was there a loose with under the carpet, or problems with static
electricity? But electrical problems are rarely consistently reproducible.
An alert IBMer finally noticed that the problem was in the terminal's keyboard:
the tops of two keys were switched. When the programmer was seated he was a
touch typist and the problem went unnoticed, but when he stood he was led
astray by hunting and pecking.
-- "Programming Pearls" column, by Jon Bentley in CACM February 1985

Re:What About Keyboard ID's

[JourneymanMereel]

I seem to remember not too long ago, Intel treid to put a unique serial number into every processor they made so it could be used to identify a machine to software. Well, I'm sure you remember how well that turn out (see below if you don't). Do you really think that a unique keyboard will go over any better? And of course that still leaves us with all the other aformentioned problems (my keyboard broke, I'm at the office, I own 5 different PC's, etc.).

I guess what we really need to do is make a device that anylizes urine. Would'nt that be perfect at the office... network authentication and drug test all in one!

Below:
Intel did infact put the serial numbers into their processesors, but by default, that functionality is turned off.

Thinking outside the box

You know, instead of biometric security features that rely on what your retina looks like, what your finger print is, or how you type a sentence, why not have a system that analyzes what you DON'T type. A system that could read between the lines, as it were.

For example, if you wanted to log into ./ with this system you would type something that DIDN'T contain the string

"gosh this article is topical and makes sense"

or perhaps

"slashdot amazed me again with yet another post that wasn't a troll, flamebait, redundant, off-topic, or just plain stupid"

I think a system like this would be great, because everyone knows that the things we don't say are the universal truths. Plus, women would be instantly acclimated to this system, since they never say what they mean anyway. :-)

what if you change computers?

[myc]

I own two desktop machines and a laptop, not to mention I use at least 3 different computers at work. Each one has a different keyboard. I'm sure that on each machine I have slightly different timings in typing the same passwords or sentences. Is this to say that I can only listen to an mp3 that I buy online on one computer? Nuts to that. Even if I only own one computer, what happens when my keyboard dies and I have to get a new one?

The quick brown fox....

[heliocentric]

Download file....

Type in:

The quick brown fox jumped over the lazy dog.

Enjoy music.

Type in:

The quick brown fox jumped over the lazy dog.
(hey, I typed it quicker and more accurately this time around since I just got practice a few seconds ago)

Don't enjoy music... I didn't match...

The quick brown fox...

Still no music... become totally frustrated and decided to download napster instead.

Its already been done!! :)

[alwyns]

Hi

While I was doing my final year Electronic Engineering project at University in 1995, one
of my fellow students was implementing this using neural nets as his final year project. The system was used for user verification on a unix system. I don't know about the end of the project, but someone was definitively doing it.

What About Keyboard ID's

[SirStanley]

IS there anyway to extrapolate a Unique ID from the Keyboard like a mac address for an ethernet card? If so use that Your Key Board can be the Key. Much better than having to worry about weather or not you can type approximately with the same rythm

Discrimination!

[(void*)]

So if you lose your fingers in some accident, not only will you lose a lot of money, you suddenly can't listen to your own, legally bought, collection of music anymore.

And to people like Stephen Hawking, they can forget about listening to music this way.

And if I want to play a huge collection of songs, legally bought by myself, I must authenticate each and every time the song advances.

Do the companies that think of this "innovative" stuff even bother to think about what they are doing? Are these people morons for thinking that such a thing would work?