Verifying a User By Following the Movements of Their Mouse
Harperdog writes "Tom Jacobs has a very cool little story about an Israeli research team introducing a novel way of verifying a computer is being operated by its rightful user. Its method, described in the journal Information Sciences, 'continuously verifies users according to characteristics of their interaction with the mouse.'"
Is it indexical? Yes. Is it evidential? No.
Translation: unreliable.
I use a trackball and, because of carpal tunnel, switch hands often. I guess they could ID me from that alone. But really, telegraph operators could tell who was sending in the 1800s. It took us long enough.
But just like everything else, they'll come up with some sort of automation that replicates the somewhat erratic mouse gestures a human does to get around this "security".
And then get locked out if you come from cold weather outside and cold hands somehow make you move differently...
I see several potential problems with this kind of identification. One of the biggies is switching hardware and the other - potential hand injuries.
Changing mice is the biggest issue, I think. Every mouse has a different shape and ergonomy, so it is being used differently by the same user, especially during the adjustment period. This also doesn't take into account the potential precision differences of the mouse. Plus, switching to an entirely different control scheme, like a tablet or trackball, screws up any tracking attempts.
The other problem is hand injuries - from a simple finger cut to advanced problems with nerve or bone structure. In addition to slowing down the usage, tracking movement will show entirely different schemes of usage. This one hits especially close to home for me, since having recently developed numbness and coordination problems in my dominant hand due to a relapse of Multiple Sclerosis, I now struggle to use a mouse at all and have almost completely switched to a thumb-operated trackball.
This identification method might be useful in highly integrated/high-security environments, where employees seldom change, or for protecting single-user terminals, but the hand injury problem trumps these uses, too.
"We are the music makers, and we are the dreamers of dreams [...]."
Seriously? Why does anyone even bother to publish computer science papers there, other than because the work is too poor to be accepted by a good IEEE or ACM conference or journal?
This is an interesting direction for collecting metrics, and could obviously be used for evil(tm).
Depending on how they collect the data there are multiple potential sources for data collection.
DPI/Sensitivity of the mouse (which users generally do not change)
Algorithm/mouse smoothing (with enough data resolution can even narrow this down to the sensor and processor used or even brand and model of mouse)
speed of click/double click user inputs.
degree and pitch of side to side or top to bottom of screen mouse tracking.
Possibly even imperfections on the mousing surface or table.
Most people tend to use the same mouse for 1 - 5 years, so there is more than sufficient time to build up a usage patterns database. This would be a rather evil way of tracking users if it is eventually refined enough.
This is likely going to be far more useful for tracking and advertising than as a security mechanism.
If someone writes a JavaScript library that implements this algorithm, then you can decide if two users are using the same account.
Perhaps you can also use it to uncover bots in simple games in webgames.
Just place that right there, into the receptacle, while we are going to show you these images.
There are a few problems with this approach of course, first of all signing into an ATM somewhere in public will look suspiciously like fucking a box, and secondly this excludes about half of the population from the technique, so I guess it's a bit discriminatory. Of course they could have special attachments with sensors on them for the other half of the population.
You can't handle the truth.
*tap* *tap* *tap* *tap* *tap*
ZZ
vi more_code.cpp *tap* *tap* *tap* *tap* *tap*
ZZ
vi extra_code.cpp *tap* *tap* *tap* *tap* *tap*
ZZ
firefox http://www.slashdot.org/
INTRUDER ALERT! INTRUDER ALERT! AUTOMATIC LOGOUT AND SHUTDOWN IN PROGRESS!
F5 has been doing this for some time now.
A part of their Application Firewall will inject a JavaScript into HTTP requests if it suspects the access pattern is suspicious for any website it is protecting.
This JavaScript will then check for mouse movements and a few other things.
Depending on my mood, I'm likely to get locked out? God forbid I should start using a new app, that would also lock me out as mouse movements are sure to be different. Maybe I slept badly, and my arm hurts? Maybe it's just stress over a review coming up?
Basically, if any conditions change in the user's personality or physiology, or the computer's configuration, or your routine daily tasks, the security app would be useless.
If it was used as part of a hybrid solution it's still useless; why not just have a timed user prompt in high-security areas to have the user enter it every 30 minutes? That is more secure.
If it was used in some medical sense to identify changes in stress or personality, or mental issue outbursts about to occur by logging your mouse movements, then I'd say great!
Then you would get a screen which requires some additional authentication to solve the situation.
If it were deployed on a site available to the public, the screen would likely say "Please call this telephone number during regular business hours." On a Friday evening before a bank holiday Monday. Or worse yet, "Please visit the nearest branch during regular business hours."
When I worked in a warehouse, I would ordinarily use the mouse attached to the Windows workstation at the desk in my office and the mouse attached to the Linux development workstation during the day. When developing fixes or new features for the warehouse automation software, I would also use the mouse attached to the computer at which orders were packed and the mouse attached to the computer at which packages were weighed and postage labels were printed.
Finally, using an aimbot will get you banned from your own PC.
About time.
Anonymous just announced they can imitate my mouse movement. Damn that was fast, I don't even have a more current reference for it.
Gently reply
I use three different types of mice during the day. Different types means different patterns due to the way they're used. Even if I use different mice of the same type, they vary wildly in sensitivity. Plus, if I use a mouse on a different PC, I'm never seated in the same way at the same exact distance (actually, I'm usually standing, leaning over the desk) which means that a different mechanic will be used by my body to get the cursor where I want it to be.
All in all, this is a cool idea but I can't see it having any practical use unless in very specific scenarios for very specific purposes.
A few things make me doubt this.
People who are familiar with playing games that have a lot of hot keys (like mainstream MMOs), and take the time to look up the hot keys built into their OS, tend to use those hot keys because it is easier than moving the pointer across the screen to hit a 1 to 3 key combination. Same would likely hold true for modelers, coders, and people who use Linux often, or any other scenario where learning the hot keys of a program simplifies usage a lot.
Then there are mice like Razer's, with DPI adjustment buttons built onto the mouse device itself. I love my Lachesis for those buttons, on days when my hand motions are particularly good just ramp it up to max DPI and whip through mousing like there's no tomorrow; days where I'm recovering from a full night of coding a lower DPI to compensate for sluggish response.
Memory impairments will be another roadblock. I've seen my mother, who has serious problems with remembering things at times, mouse around a computer almost at random trying to find something she was looking for but not remembering where she put it. Other days she'll navigate menus with the precision of someone that's used the same computer for years on end.
Carpal tunnel and arthritis are another problem. Several people in my family suffer from these two, and I see just how detrimental it is to using a computer mouse every time I watch one of them use a computer. The shaking that comes with those isn't constant and would require a long sample period to identify a pattern, if a pattern even exists at all outside of the inaccurate mouse movements.
Then there are programs like ten key. These are programs which allow screen navigation by dividing the screen into a grid, with buttons to press to divide a cell of the grid into a smaller grid, repeating until the desired point is reached on the screen. If it wasn't for the cost of such programs or I had a disability that allowed my medical insurance to cover it, my mouse would just be there for art and gaming (seriously $300 suite of programs just to gain access to the one is stupid).
I have no doubt mouse motion can be used to determine what type of user you're dealing with, but it's far from a reliable virtual fingerprint. Even when it comes to identifying the type of user, it requires a longer sample period than most websites will be given by a user that isn't satisfying intense curiosity.
These types of solutions are problematic.
My mouse use varies quite a bit from my mouse in my office, to my use of the Pointer Device on my IBM laptop, to my home laptop with a touchpad. All yield very different mouse actions.
I also don't like these solutions in that there are times when you want someone else to access your acct. For example, my brother's bank uses a validation system that measures how you type your password for an additional layer of security. My brother was in a situation where I needed to access his acct. He gave me the username and password but the damn system would not let me in since I type his password at a different cadence/pace/whatever than he does.
These things all suck.
I'll need to train 3 modes: 1) Optical/Laser mouse 2) Trackpad for my laptops 3) Optical/Laser mouse when I'm eating Cheetos
You must be Scotty.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. Call friends at ICE and have them seize TPB but continue to operate
2. Install mouse-tracking software, build profile
3. Record clicks on magnetic links and tie to profile
4. Use conventional means to tie logged IP address(es) to profile
5. Use the judicial system to acquire subscriber data for IP address(es)
6. Send out settlement letters, detailing the identification process
7. Profit!
No ??? needed here.
Someone was doing this with keyboard bio-metrics. You may wanna take a look at that project.
http://www.reddit.com/r/netsec/comments/o9qzw/browser_securitey_using_keystroke_biometrics/
What about the times when my primary hand is umm, otherwise occupied?
Basically you have a dsp kitten chase the mouse looking for characteristic twitches. I planned to augment user experience with it.
There was a post about becoming aware of rhythmic mouse movement during reading, as revenge, I will make you aware of your breathing, manual breathing mode entered.
Back on topic: As geeks, we rarely move the mouse, I navigate with the keyboard and play with the mouse while reading (as previously mentioned). BUT: in a program or on a site where I can not use the keyboard to navigate or when playing a video game involving the mouse, my patterns change significantly. This would have to be a fairly smart and likely laggy program to determine the applications/processes running and adapt accordingly, it would also have to be aware of the application selected and the current condition of the application (which webpage, what part of a video game, etc.).
Is it worth it? I think a password is much easier, and locking more important files/data with a secondary password is just as reliable.
how do I install a mouse in a terminal
apt-get install gpm ?
will that work ?
I hereby announce and publicly disclose (for new USA patent law preemption proof) writing a mouse driver to add a little "shimmy" to all input to prevent user tracking via mouse movements (take that Google - cause we know you are already thinking if mouse tracking can replace Google Analytics)
IBM has implemented, years ago (circa 2000), a security system which was able to verify the user judging by how he or she was typing. It was successful to some extent. Source code and papers should be still available on IBM web pages.
Could be a novel way to create passwords, instead of using alphanumeric 'words' you could have the computer remember mouse gestures. Two circles a triangle and a dong later... logged in.