Identification By Typing
crazy_speeder writes: "Musicrypt.com is developing a biometric identification system that captures user keystrokes to verify the user's purchase of specific copyrighted materials (i.e. downloaded music), and only that user can use it."
I'm really skeptical about them getting something like this to work. I mean, I make typos in my 12 character password, but to be expected to type a sentence with the same rhythm? I still want retina scanners.
Part of this is expense. The most secure building that's still useful is one with one door and no windows. But that's an emergency-evacuation and traffic-control disaster waiting to happen, as well as a workplace-standards tragedy, so you add a freight dock, a rear entrance, a bunch of windows in the Managers' offices, a skylight with louvers that close automatically at sunset (oops, pardon me, too much MI:2...)
Now you have to secure all these potential access points (windows count too, unless they're built like arrow-slits) and sheer numbers work against you -- the first time somebody leaves a window unlatched when the room is empty the probability wave of an undetected intrusion starts to spike.
(You can think of intrusions in a quantum fashion -- given how long that access point was left unguarded, and the configuration of the facilities, and the traffic patterns, what is the probability that someone had access to various points and no one's noticed yet? Los Alamos take note...)
The rules for system security much resemble those for facility security in many ways:
Anyway, that's just rambling on a bit. The dominant paradigm of strong security is "something you have, something you know, and something you are". Any security system where one of these is sufficient to grant access is inherently insecure. Any system where all three are required in a specific form is probably very secure, but probably also very annoying to its users.
A system where you have to satisfy, say, two of the three in one of various ways is probably going to be OK for most purposes. Say you can use a voice-print, retinal scan or fingerprint scan plus your electronic access card, or you can show another form of ID to the guard (there better be a guard) and he can optionally clear you in manually if the other check is passed. Filling out your I-9 form for Immigration (to prove you are allowed to work in the US) works sort of like this. Note also that by this method ordinary shell password authorization is very insecure, (right, we knew that) while the SSH model of key + password is relatively secure (unless you set your ssh up to authenticate solely off the key, in which case you should now go back to grinding out code for IIS you sick little monkey!)
But real security takes real thinking and real money, and most companies don't want to expend either if they can help it. They'd rather have something that looks cool so they can brag about it. In this case they're not only using a single fallible authentication method, they're using one that, as pointed out before, has so much inherent noise in it that it's easy to defeat and thus nearly useless.
The article doesn't say whether you're typing a set sample text or a user-selected passphrase. The "right" (well, not right, but at least better) way to do this is to have the software try to verify the user through both a passphrase (something you know) and the typing biometric (something you are). If they both match, fine. If either one matches perfectly and the other is close, that should by default allow use, not restrict it (which is to say, the system should "fail open" like an emergency door).
But what are the odds of that happening?
-- Old Man Kensey
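The "passphrase plus typing rhythm" policy sketched in the comment above, written out as an added example; this is not code from the thread or from Musicrypt, and the feature set (dwell and flight times), the tolerances, the thresholds and the enrollment data are all constructed assumptions:

```python
from statistics import mean, pstdev
import hmac
# Constructed example of the "passphrase + typing rhythm" policy; not Musicrypt's code.
# A sample is a list of (key-down ms, key-up ms) per character, as a client would capture it.
def features(sample):
    """Dwell (hold time per key) followed by flight (gap from key-up to next key-down)."""
    dwell = [up - down for down, up in sample]
    flight = [sample[i + 1][0] - sample[i][1] for i in range(len(sample) - 1)]
    return dwell + flight

def enroll(samples):
    """Template: per-feature (mean, spread) over several enrollment typings; spread floored at 1 ms."""
    cols = zip(*(features(s) for s in samples))
    return [(mean(c), max(pstdev(c), 1.0)) for c in cols]

def rhythm_score(template, attempt):
    """Fraction of features within two spreads of the enrolled mean (1.0 = every feature matches)."""
    feats = features(attempt)
    if len(feats) != len(template):
        return 0.0
    return sum(abs(f - m) <= 2 * s for f, (m, s) in zip(feats, template)) / len(template)

CLOSE, STRONG = 0.6, 0.85  # hypothetical thresholds for "close" and "near-perfect" rhythm
def decide(stored_phrase, template, typed, attempt):
    """Accept when one factor is exact and the other at least close, otherwise reject."""
    pw_exact = hmac.compare_digest(stored_phrase, typed)
    pw_close = len(typed) == len(stored_phrase) and sum(a != b for a, b in zip(typed, stored_phrase)) <= 1
    r = rhythm_score(template, attempt)
    if pw_exact and r >= CLOSE:      # know it exactly, typed it at least roughly like you
        return "accept"
    if pw_close and r >= STRONG:     # one typo, but the rhythm is unmistakably yours
        return "accept"
    return "reject"

def typed_sample(dwells, flights):
    """Build (down, up) pairs from per-key hold times and the gaps between keys."""
    t, out = 0, []
    for i, d in enumerate(dwells):
        out.append((t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return out

PHRASE = "slashdot"   # constructed enrollment data for a fictitious user
TEMPLATE = enroll([typed_sample([90, 110, 100, 95, 105, 100, 98, 102], [140, 160, 150, 155, 145, 150, 148]),
                   typed_sample([95, 105, 102, 97, 103, 104, 96, 100], [145, 155, 152, 150, 148, 156, 144]),
                   typed_sample([88, 112, 99, 93, 107, 98, 101, 104], [138, 162, 149, 157, 143, 152, 150])])
GENUINE = typed_sample([92, 108, 101, 95, 104, 101, 99, 103], [142, 158, 150, 153, 146, 151, 147])
INJURED = typed_sample([92, 108, 160, 95, 104, 101, 170, 103], [142, 230, 150, 153, 146, 220, 147])  # sore finger
OTHER_USER = typed_sample([200] * 8, [300] * 7)   # someone else who knows the passphrase
```

With these thresholds the sore-finger attempt still gets in on the exact passphrase (the "fail open" case), while the correct passphrase typed in a stranger's rhythm is rejected.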
Damn, I got a nasty papercut on my index finger. Now I won't be able to listen to my music for a week.
...burns, jammed fingers, scraped knuckles, fingers caught in doors, arthritis flareups, changed keyboards, same keyboard but dirty, having a few beers -- even hand lotion can make me type a little different.
There's no shortage of reasons why this won't fly.
If you can go to bed, knowing you did a valuable thing today, you're very lucky. If you can't... it's not bedtime
Not only is this a blatantly bad idea, but it comes from the same great minds that brought us Net Nanny.
... BY LAW... Technology such as this is taking away my rights. I will never purchase any music for which I can no longer exercise my fair use rights. If I can not copy the music to multiple media forms/playback devices, then I do not buy it. It's that simple. Until the music industry understands this (or is FORCED to acknowledge this) they will continue to throw good money after bad attempting to develop technologies that infringe on customers' LEGAL rights.
I do not type consistently from moment to moment. Heck, I don't even "type", I hunt and peck really fast... Sometimes I type one handed... sometimes two... This software has NO chance of correctly identifying me.
Add that to the great "hit rate" that is consistent with Net Nanny, and you will find that this software will more often than not block legitimate users from accessing the music.
Besides, as another user mentioned, this whole idea is based on a flawed premise. Music purchases are not tied to a single user. I may be buying this music as a gift. I may be buying this music to transfer to my car mp3 player (which has no keyboard) or my Lyra (also no keyboard).
When I buy music, I get FAIR USE RIGHTS
Copying music is NOT a crime. This is the reality. The RIAA is the fiction...
-Count Zero
A more recent paper by Fabian Monrose and Aviel Rubin with the title Authentication via Keystroke Dynamics might enlighten those interested in this, and I am sure that you'll find some interesting references on the above web page.
Scepticism is often healthy, but when it comes to new ideas, "new" being used in a very relative sense here since the idea is apparently "new" to Slashdot staff, one should be more keen to understand them before writing them off.
-Bjørn
It must be Rob, look at all the typos!
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Anomalous: deviating from what is usual, normal, or expected
Canard: a false or unfounded report
One day, I'd probably come home to find I'd bought 337 copies of "Gilligan's Island Collector's Edition DVD Box Set" or something like that.
Cat owners will understand.
I use Macs for work, Linux for education, and Windows for cardplaying.
I worked for a company that was trying to implement the exact same technology. They found that differences in keyboards and ergonomics made a world of difference. I don't know if this other company has overcome these obstacles.
-- You see, there would be these conclusions that you could jump to
Sigh.
Time for another /. round of "spot the holes in the crap copy protection system".
The type-speed thing works on a specific pass-phrase rather than a computer-generated one-time "type this please" string, so typing speed should be easily duplicatable. Or one could set the input keypresses to a constant rate, to make it easy to fake.
And I presume this system is just as vulnerable to the likes of unfuck as anything else. Not much use being resistant to distribution schemes "like Napster and Gnutella" if you can turn them into MP3s or OGGs at the flick of an audio capture.
This is a particularly worrying part of musicrypt's 'technology' spiel (black text on a black background in my browser - nice):
Read: the publisher can at any time revoke your right to listen to the music you have purchased. And knows about every bit of music you listen to, but that's kind of obvious and expected these days, isn't it.
Once again, musicrypt, you lose. Once again, legitimate customers, you lose. Pirates? Well you're kind of unaffected. Hey ho.
--
This comment was brought to you by And Clover.
That's why the only good solution is an onboard urinalysis machine, bolted to your computer's case. This will indisputably verify your identity, and will also help prevent you from buying products on Ebay while drunk. Of course, you will need a six-pack on hand by your computer if you want to listen to a long playlist, but then again, who doesn't have that already?
The story emphasized the geek's contempt of older users and human-engineering issues; the kid was caught by an older engineer who identified his fake logins by his typing pattern.
As soon as he was identified, he was switched to a honeypot where the trade secrets were replaced by porn files. His "customers" were pissed enough to let the kid have a very intimate explanation with a sumo wrestler...
--
Here's my mirror
Undoubtedly, it will. Why? It absolutely has to. All of these schemes such as typing rhythm, retina scan, fingerprint, are all nothing but disguised password schemes. It doesn't matter if your password is the word "secret", your credit card number, your SSN, a vector of your typing speed, or a GIF of your finger. In ALL cases, a program on the client gets the "password" and sends it to the server. In ALL cases, the client software has to be "trusted" by the server. In other words, any kind of open source is completely out of the question. Otherwise, the server can't stop someone from putting together a version of the program that reads its input from a file instead of from the "legit" source. And how are you going to know whether or not the client is saving your ID to a file? Actually, you can't stop them even with a binary-only solution. It's just security thru obscurity.
What's worse, is that all of these schemes rely on you giving the server all the information the server needs to impersonate you every time you sign in. What if your bank and your favorite pr0n site both use a fingerprint scan to ID you? Congratulations, the only thing keeping your pr0n dealer out of your bank account is their skill with a debugger! It's just like the crappy security on credit cards. Every single vendor you do business with has all the information they need to impersonate you. It's a testament to how honest the majority of people are that the entire industry hasn't gone belly up.
But the biometrics are the absolute worst, since you can't change your password. At least you can close a credit card account and get a new one. I don't know where to buy new fingers or retinas, however. The only long term solution will be based on some sort of public-key algorithm. Anything else is just a scam. Actually, the one place where a fingerprint scanner might be handy is to authenticate you to a hardware smart-card that does your public key for you. Since the whole thing is built by a single vendor in hardware, it could be made pretty secure. At a minimum, a crook would have to steal the card and have a fair amount of hardware skill to get anything useful out of it. But this whole idea of using biometrics over the internet is just a bunch of snake oil. And poisonous snake oil at that. You're better off sticking with what you have now, at least then you can be conscious of the fact that your security sucks.
What if I become handicapped (blind, lose arm/hand/finger)? Suddenly I can't use my software because I don't type the same?
What about other people in the same house? What if I sell the software? What if what if what if?
This is just dumb. Of course, knowing the software industry, the first product to include a license management scheme that locks you out if your keyboard skills change will be "Mavis Beacon Teaches Typing"...
--
Compaq dropping MAILWorks?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
I'm really skeptical about them getting something like this to work, I mean, I make typos in my 12 character password, but to be expected to type a sentence with the same rhythm? I still want retina scanners.
I would hope that the system they're developing does NOT expect the user to put conscious effort into typing with the "same rhythm." The process of typing a full sentence, with timing data, has much higher dimensionality than any human observer could possibly take advantage of. Whether or not there are relevant parameters to be extracted from this remains to be seen, but I would stay clear of making statements such as the above until a good learning algorithm spends some quality time with the data. The only way this will work is if a learning algorithm manages to extract parameters which uniquely identify the user no matter what the user "tries" to do.
// zyqqh
I'd give it... oh, I dunno... 5 minutes before someone comes up with a Perl script to replicate someone's typing style?
I remember doing this when I was like 12. Dialing into local Commodore 64 warez BBS'es acting like I had a terrible grasp of English, and typing terribly slow to convince the Sysop I was dialing in from l33t-land, Europe. A whole big charade to give me an unlimited ratio. Worked nearly every time.
There are so many holes in a technology like this that I'd shitcan it before it even got off the ground. If you're going to identify someone, there are far, far better ways of going about it than this, I'm afraid.
Bowie J. Poag
[ begin devil's advocate mode ]
Then they should pay to hear it, the same as you.
The thing to understand here is that if you are making use of someone else's property, you should expect to abide by the conditions imposed on its use.
If you don't like the conditions, don't use it. It's not like this is food or anything: you don't need, say, Metallica's Black Album to keep breathing for another week.
The music is the property of its owner. If someone wants to, they may let you or your family members use it for free if they want, but they shouldn't be forced to do so.
It's only now that technologies like this are giving the owners an option in these matters. Forcing them to let people use their property for free is morally wrong and it's only now that we're beginning to see technology that can rectify the situation.
[ end devil's advocate mode ]
In my own opinion, while I believe that private property rights are a consequence of natural law (woo, look at the cute widdle 18th century philosophy), they are such only because of exclusivity. Two people physically can't possess or control a physical object.
I don't think the notion of "property" should be perverted to include things that aren't naturally, in economic parlance, excludable, and I don't think scarcity should be imposed where there is naturally none solely for the sake of making a profit.
If people get mad when someone creates artificial scarcity even in a naturally scarce good (e.g. OPEC with oil), why is making a naturally non-scarce good scarce just for the sake of making money suddenly okay with everyone?
Now, making sure artists eat is a different matter, but the record companies aren't generally doing any better -- the majority of musicians would be living in cardboard boxes on the street (and not eating) if they relied on revenue from the record companies for their livelihood.
Personally, I think we need to start thinking more about artists as people who actually do WORK (they do, you know, composing ain't easy) for which they should be paid (they generally aren't now, except when they're paid for performing), rather than thinking of them as people who need to be subsidized by someone playing tollkeeper to their ideas.
The new technology is also enabling schemes like the Street Performer Protocol, which I think are a good start in the right direction. I only hope more people pursue them, instead of strangling ourselves like we are now.
We have real world scarce resources that have economic value: scarce creative talent (labor). There is no real need to make "pretend" scarcity in information-space to subsidize that labor, unless you expect <sarcasm>the lazy artists to do their thing for free (they're not really DOING anything, after all)</sarcasm>.
DNA just wants to be free...
During WWII army intelligence were able to identify individual enemy radio operators from intercepted morse signals, due to the fact that each operator had a distinctive style, known as a fist.
Given that this was possible in 1940 with no computing power, biometrics based on keyboard style is probably not so stupid...