Slashdot Mirror


Windows 10 Facial Recognition Feature Can Be Bypassed with a Photo (bleepingcomputer.com)

Windows Hello, the face scanning security feature in Windows 10, has been defeated with the use of a printed out picture. From a report: In a report published yesterday, German pen-testing company SySS GmbH says it discovered that Windows Hello is vulnerable to the simplest and most common attack against facial recognition biometrics software -- the doomsday scenario of using a printed photo of the device's owner. Researchers say that by using a laser color printout of a low-resolution (340x340 pixels) photo of the device owner's face, modified to the near IR spectrum, they were able to unlock several Windows devices where Windows Hello had been previously activated. The attack worked even if the "enhanced anti-spoofing" feature had been enabled in the Windows Hello settings panel, albeit for these attacks SySS researchers said they needed a photo of a higher resolution of 480x480 pixels (which in reality is still a low-resolution photo). [...] Microsoft released updates earlier this month to patch the vulnerability.

95 comments

  1. Color me surprised by Anonymous Coward · · Score: 0

    Color me surprised!

    1. Re: Color me surprised by Anonymous Coward · · Score: 0

      Whoever is using winblowd deserves that

    2. Re: Color me surprised by Anonymous Coward · · Score: 0

      Microsoft is a joke these days sigh...

    3. Re: Color me surprised by Anonymous Coward · · Score: 0

      > Microsoft is a joke these days sigh...

      These days? What are you - newborn?

    4. Re:Color me surprised by OneHundredAndTen · · Score: 1

      I'll say! Who would have thought that MS would do something stupid.

  2. A photo of anyone? by Anonymous Coward · · Score: 0

    That's not good. That's not good at all.

  3. You need a 3d scanner by aglider · · Score: 2, Insightful

    To start scratching real facial recognition

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:You need a 3d scanner by Anonymous Coward · · Score: 0

      I think a bandaid to put over the camera might be a better idea.

    2. Re:You need a 3d scanner by Anonymous Coward · · Score: 0

      So in future a picture on one side, and some conductive heat patches that might be 3D printed on the other side, so you will need a photo and a small battery to modulate the IR warmer spots. Maybe some black metal-based paint and an IR lamp to warm the paper, and as it cools it lets you in. If necessary, a laser scanner to warm the back of the photo correctly.

    3. Re:You need a 3d scanner by AvitarX · · Score: 1

      Shouldn't a video be able to interpret enough 3d with a little motion?

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:You need a 3d scanner by Anonymous Coward · · Score: 0

      A bust would bust it.

  4. waiting for DNA sequencing authentication by Anonymous Coward · · Score: 1

    spit into this tube to log into your computer

    you just know someone will try to jack off into it

    1. Re:waiting for DNA sequencing authentication by Anonymous Coward · · Score: 0

      You are sick

    2. Re:waiting for DNA sequencing authentication by Anonymous Coward · · Score: 3, Funny

      > spit into this tube to log into your computer
      > you just know someone will try jack off into it

      (oldie but goodie):

      One day Bill complained to his friend that his elbow really hurt. His friend suggested that he go to a computer at the drug store that can diagnose anything quicker and cheaper than a doctor.

      "Simply put in a sample of your urine and the computer will diagnose your problem and tell you what you can do about it. It only costs $10." Bill figured he had nothing to lose, so he filled a jar with a urine sample and went to the drug store. Finding the computer, he poured in the sample and deposited the $10. The computer started making some noise and various lights started flashing. After a brief pause out popped a small slip of paper on which was printed: "You have tennis elbow. Soak your arm in warm water. Avoid heavy lifting. It will be better in two weeks."

      Later that evening while thinking how amazing this new technology was and how it would change medical science forever, he began to wonder if this machine could be fooled. He mixed together some tap water, a stool sample from his dog and urine samples from his wife and daughter. To top it off, he masturbated into the concoction. He went back to the drug store, located the machine, poured in the sample and deposited the $10. The computer again made the usual noise and printed out the following message:

      "Your tap water is too hard. Get a water softener. Your dog has worms. Get him vitamins. Your daughter is using cocaine. Put her in a rehabilitation clinic. Your wife is pregnant with twin girls. They aren't yours. Get a lawyer. And if you don't stop jerking off, your tennis elbow will never get better."

  5. TFA says by Anonymous Coward · · Score: 0

    "a printed photo of the device's owner."

    1. Re:TFA says by Anonymous Coward · · Score: 0

      > "a printed photo of the device's owner."

      That could be anyone.. the manufacturer.. the phone company.. the NSA.. the malware author running down your bulging battery.. All you own is a license to pay its bills.

    2. Re:TFA says by Anonymous Coward · · Score: 0

      Hurr hurr hurr...

  6. Poor management or deliberately bad? by Anonymous Coward · · Score: 0
  7. Missing step by Anonymous Coward · · Score: 4, Interesting

    What does "modified to the near infrared spectrum" mean?

    My printer can't print "near infrared" or radio waves. It can't even print gamma rays.

    1. Re:Missing step by Oswald+McWeany · · Score: 1

      > What does "modified to the near infrared spectrum" mean?

      > My printer can't print "near infrared" or radio waves. It can't even print gamma rays.

      Infrared ink could come in handy in cold climates. I think Newspapers should start printing papers in infrared ink to help the homeless people keep warm.

      --
      "That's the way to do it" - Punch
    2. Re:Missing step by Anonymous Coward · · Score: 0

      Give a man fire and he's warm for a day. Set a man on fire and he's warm for the rest of his life.

    3. Re:Missing step by omnichad · · Score: 1

      You know how printing red works, right? It prints a pigment or dye that reflects red light. Your printer does not print red light wavelength radio waves.

      This is the same thing, except the ink is reflective in the near infrared range.

    4. Re:Missing step by Anonymous Coward · · Score: 0

      You either take a picture with a camera that is sensitive to near IR, or you look at reference images of a human face taken by such a camera, and then modify an ordinary visible light image to correspond. The implication is that the matching is sloppy enough that an approximation of what it would look like in near IR is good enough.

    5. Re:Missing step by drew_kime · · Score: 1

      Someone give that man some mod points.

      --
      Nope, no sig
  8. Such a dumb idea! by 140Mandak262Jamuna · · Score: 3, Insightful

    Who comes up with such stupid ideas like using the camera and face detection as authentication method?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Such a dumb idea! by The+Rizz · · Score: 2

      60's scifi writers?

    2. Re:Such a dumb idea! by Anubis+IV · · Score: 5, Insightful

      How about everyone? After all, when was the last time you started a conversation with someone you know by asking someone to authenticate their identity, rather than recognizing who they were and talking to them like normal? These companies are attempting to mimic the way things work in reality, which, generally speaking, is a good thing...when it’s done right.

    3. Re:Such a dumb idea! by Anonymous Coward · · Score: 0

      >when was the last time you started a conversation with someone you know by asking someone to authenticate their identity, rather than recognizing who they were and talking to them like normal?

      Nonsense, it's all contextual. We authenticate by voice for phone calls, by phone number for texts, etc. The key point is that the authentication method must match the context. Computers are not yet good enough at this to rely on it for security. Let it bake another 5-10 years, maybe then it'll be good enough to thwart today's tech; but by then there will be new spoofing methods. Moving target.

      Key point: don't release a security feature that's not mature enough to be secure.

    4. Re:Such a dumb idea! by Rhipf · · Score: 1

      > Key point: don't release a security feature that's not mature enough to be secure.

      To be fair, if security features weren't released until they were truly secure then we would have no security features. It is almost impossible for a small group of people in some software development space to think of all the various ways that the general population will come up with to defeat your security feature.

    5. Re:Such a dumb idea! by cascadingstylesheet · · Score: 1

      > How about everyone? After all, when was the last time you started a conversation with someone you know by asking someone to authenticate their identity, rather than recognizing who they were and talking to them like normal? These companies are attempting to mimic the way things work in reality, which, generally speaking, is a good thing...when it’s done right.

      You beat me to it. We all use visual and auditory recognition all the time and thereby assume we know the identity of the people we talk to.

    6. Re:Such a dumb idea! by holophrastic · · Score: 3, Interesting

      Actually, in-person, we may use facial-recognition to *identify* a person, but never to authenticate their request. For that, we use a signature -- because no one can accidentally give their signature, and we all understand that my signature means you can act, everything else is merely conversation.

      The problem here is that the digital facial recognition isn't being used to populate "Hello Jonathan". It's being used to accept commands like "reveal private information", "spend money", "install software", "delete everything".

      In the digital world, we like to put the major security up-front (the login credentials), and then the brief security last-minute (the are you sure confirmation). In the real world, we use brief security (you're here to close your account?) at the start of the conversation, and the major security (sign this waiver) at the last minute.

      That's because in the real world, getting past the front door gives you physical access, but doesn't really grant you control over anybody. Sure you can steal trinkets, but you can't command someone to do something.

      The signature has two benefits. The first is as mentioned above -- we know it means "go". The second is that it is VERY illegal to forge someone else's signature. There are real consequences to that. So it's not something to worry about.

      The awesome thing about a password (in theory, of course) is that no one can get it from you without your willingness to give it to them. It's not written anywhere, except in your head, and we've yet to figure a way to read someone's brain memory. Pick the right password, protect it properly, and you needn't worry.

      My face, my fingerprints, my DNA, my iris, are all scattered around the world, every time I touch something, go somewhere, or look at something. That's why those things are so great for forensics -- it's very difficult to avoid leaving them as evidence.

      Passwords (in theory) are far better. Come up with a type/method/system of password generation/management/transmission, and they'll be infinitely better than anything else imaginable.

    7. Re:Such a dumb idea! by tirnacopu · · Score: 1

      Actually that's only true if you assume none of the people involved are competent enough to create a provably safe solution - see EAL levels 5-7 https://en.wikipedia.org/wiki/...

    8. Re:Such a dumb idea! by Anonymous Coward · · Score: 0

      Bad 60's scifi writers, please.

    9. Re:Such a dumb idea! by Anonymous Coward · · Score: 0

      The only conversation I'd start with anyone wearing a 480x480 picture of someone I know would start: "who are you and what the fuck are you doing?"

      Humans employ considerably more bandwidth to recognize others than this. Not just what they look like, but also characteristic gestures, sound of their voice, etc.

    10. Re:Such a dumb idea! by SCVonSteroids · · Score: 2

      Worse, how does something like this get past QA?

      They're either too dim to consider using an image of the person as a test against the functionality, or literally had someone with decision making powers shrug off the fact that you could do this.

      Both cases equally make me scratch my head in wonder.

      --
      I tend to rant.
    11. Re:Such a dumb idea! by thegarbz · · Score: 1

      Why not? Hell I use it on my laptop. Not everyone needs to secure their device. Hell the pin-code on my mobile is 000000 and that's just to conform with a generic company policy.

      It's one of the areas where good enough wins the day.

    12. Re:Such a dumb idea! by omnichad · · Score: 1

      It's just fine if it's used for your user ID (which is part of authentication).

    13. Re:Such a dumb idea! by Anubis+IV · · Score: 1

      You make some really great points, especially regarding the flipped security prompts between the real and digital worlds, as well as the benefits that passwords provide. And I agree as well that I glossed right over the distinction between identification and authentication, so thank you for calling attention to that. That said, while I heartily agree with most of your overarching points, let me quibble with some of the specifics of what you said.

      For instance, you seem to be suggesting that signatures are good because they're an explicit action, with the implication being that facial recognition is bad because there's nothing explicit about providing a facial scan. The problem with that analysis, however, is that it's conflating authentication (i.e. establishing one's identity) and authorization (i.e. giving permission). While my signature serves as both authentication (because I'm ostensibly the only one that can provide my signature) and authorization (because the act of providing it grants permission for the requested activity), a facial scan merely provides authentication. Authorization is given via a separate set of explicit steps, such as—in the case of an iPhone X at a cash register—double-tapping the power button and then holding the phone near the reader.

      Really, this drives at something important that I think you were trying to get at: authorization should be an active, explicit step. But there's nothing saying authentication needs to be too. It can be (in which case, like with signatures, it can serve as authorization as well), but it doesn't need to be. In fact, I'd suggest that authentication is better when it's passive, since it means the user isn't being needlessly interrupted.

      But on the topic of using facial recognition for authorizing activities, I don't think that's a valid concern, since so far as I know we're not actually doing that today. Certainly, none of the examples you gave do so, since we authorize "install software" and "delete everything" by clicking buttons or swiping in UIs, with facial recognition merely being used as a means for authenticating our identities as a prerequisite to authorization. Even with "reveal private information" there is an authorization happening: the act of trying to access your private information on your device is itself a confirmation of your intent to reveal that private information to yourself. Again, facial recognition isn't being used for authorization.

      Even so, I have no desire to see passwords go away. There are different situations we deal with, different concerns at play, and, frankly, different preferences and tolerances between different users. To me, a facial scan in the hands of a government that may use it for all sorts of nefarious purposes is very different from a facial scan being securely stored on-device by a device I trust. Likewise, if I deal with highly-sensitive information, a facial scan may never cross my/my organization's threshold for being "good enough" at establishing one's identity, whereas a password does. And for those sorts of situations, a password will almost certainly continue to be better (until we come up with the hypothetical replacement that you talked about).

      But, setting aside the very real, very valid concerns about the accuracy of the current implementations we have for facial recognition, I'd assert that in a few years' time facial recognition will actually be better than passwords in the vast majority of everyday situations, since they'll be providing "good enough" authentication without any form of interruption to the user, making for a better design.

      And really, that's what we should be striving for, since it more closely mimics reality. I don't authorize requests from coworkers before I initiate face-to-face discussions, nor would I make them go through a separate step to authenticate their identity before our discussions. Our continued presence in the conversation acts as an authorization to share information with each other, and our faces serve as "good enough" forms of authentication. An ideal device design is one that's able to achieve something comparable.

      Right now, that design comes with a long list of trade-offs, but I'm hopeful that in a few years that won't be the case.

    14. Re:Such a dumb idea! by holophrastic · · Score: 1

      I do conflate, almost for a living. But I do so in much the same way that when I circle a word, the circle is made big to be obvious, even though it winds up encompassing other words as a result. Similarly, indicating an angle with a short line is not as obvious as using a long line, and it must be understood that the magnitude of my line is not to scale.

      So please allow me to delve into the specifics that you quibbled so well!

      You mentioned my desire for an "active" authorization. You and I very much disagree about what constitutes "active". When my touch-screen phone rings, and I reach into my pocket to pull it out, sometimes I wind up answering the call, merely by reaching for the phone in my dark pocket, behind my keys, under my wallet, past the dog poo bags. My reaching was an action, and meets your definition of active. It doesn't come close to mine.

      My definition of active includes a few sides. It must be your definition of active, that's side one. It must also be intentional. That basically requires that it cannot be (reasonably) done by accident. Touching a part of an object while handling the object as a whole can be done accidentally. Swiping in a straight line isn't much harder. Entering a pattern or a code would be intent, but I've seen no phone that requires anything like that to answer a ringing call.

      And that hurts me. If I'm james bond, or ethan hunt, or a homeowner, or a business owner, and someone calls me, and I've left my phone on my desk as I go to the bathroom, or just face the other way, and someone calls me, my LOCKED-with-a-password phone allows any passer-by to answer that call.

      So now a random person walking by my desk, even while I'm there, can grab the ringing phone and talk to the person, short of me tackling them to the ground. Maybe it's my wife, maybe it's my child. Maybe it's an automated message from my child's school saying something private. I'll never know what got divulged.

      So that's intent to act in the active manner.

      The third side is comprehension. I need to know both what my action is, and the consequence of my action. A big prompt that says: "click here" isn't valid. "click here to agree" is required. Otherwise "click here" could mean deny, read more, or just for fun. But, obviously, it's really not enough. click here to agree to what? The sentence before? after? the title of the document?

      A long time ago, we had shareware games. And a few of them started with a screen of text explaining what shareware is, and how it's a trial in the hopes that you'll buy the full game. It didn't say "click here to agree", it said: "type the following phrase: 'I support the shareware concept' ". I'll never forget that. It becomes highly explicit, and there's no denying to what I agree.

      So that's active intent with comprehension. There's one more facet. Ability -- to comprehend.

      I type for a living. I type fast. I program. Lots of letters, lots of clicks, lots of tab, space, enter. Guess how many times windows throws up a dialog box a split second before I hit enter, space, or tab-enter. I have no idea what the dialog said. I just effectively approved or denied something. I'll never know. That's not true. Because moments later, my computer reboots. I approved a reboot, mid-work-flow.

      I'm sure you've seen contracts that say things like "I've consulted my own counsel/attorney or choose not to do so". You'll also find contracts that require a time period to elapse to consider the ramifications of agreeing -- because instant agreement is suspect and possibly coerced. I don't know why windows lets me click the OK/CANCEL button on a dialog box that's been open for a tenth of a second, when it knows that I couldn't possibly have read it that fast, nor even diverted my eyes from the other monitor in which I was typing. Humans have a maximum speed. It knows. It doesn't care.

      So, active, with intent, comprehension, and enough time/effort to justify the action.

      Back to my touchscre
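      The post above argues that a confirmation should be an intentional act (a typed phrase rather than a bare click), that the prompt must have been visible long enough to be read, and that the phrase should name what is being agreed to. The following is an added example, not code from the post or from any product it mentions, of a consent gate built on those three rules; the class name, the two-second minimum display time and the two-minute expiry are this example's own assumptions.

```python
"""Explicit-consent gate for a sensitive action (added example, not from the post).

A confirmation is accepted only if (1) it arrives after the prompt has been
on screen for a minimum reading time, (2) the prompt has not gone stale, and
(3) the user typed a phrase that names the action being approved.  Time is
passed in explicitly so the gate can be exercised deterministically.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import time


@dataclass
class ConsentPrompt:
    action: str                          # what the user is being asked to approve
    min_display_seconds: float = 2.0     # assumed lower bound on time needed to read it
    max_validity_seconds: float = 120.0  # after this the prompt must be shown again
    opened_at: float = field(default_factory=time.monotonic)

    @property
    def required_phrase(self) -> str:
        # The phrase states the action, so "click here" can never mean "agree".
        return f"I approve: {self.action}"

    def confirm(self, typed: str, now: Optional[float] = None) -> str:
        """Return one of: 'too_fast', 'expired', 'mismatch', 'approved'."""
        now = time.monotonic() if now is None else now
        elapsed = now - self.opened_at
        if elapsed < self.min_display_seconds:
            # An Enter key that was already in flight when the dialog appeared
            # lands here and is ignored rather than treated as agreement.
            return "too_fast"
        if elapsed > self.max_validity_seconds:
            return "expired"
        if typed.strip() != self.required_phrase:
            # A bare "OK", or the phrase for a different action, does not count.
            return "mismatch"
        return "approved"


def demo() -> Dict[str, str]:
    """Exercise the gate with constructed inputs; the timestamps are made up."""
    prompt = ConsentPrompt(action="delete all files in /home/alice", opened_at=0.0)
    phrase = prompt.required_phrase
    return {
        "instant_enter": prompt.confirm(phrase, now=0.1),                  # hit before it could be read
        "bare_ok": prompt.confirm("OK", now=5.0),                           # a click, not a statement of intent
        "wrong_action": prompt.confirm("I approve: install update", now=5.0),
        "approved": prompt.confirm(phrase, now=5.0),
        "stale": prompt.confirm(phrase, now=600.0),                         # left open too long
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>14}: {outcome}")
```

The gate treats the minimum display time as a lower bound on human reading speed, exactly the check the post says the dialog box never makes; the typed phrase plays the role of the shareware "I support the shareware concept" prompt, binding the agreement to a named action.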

    15. Re:Such a dumb idea! by The+Rizz · · Score: 1

      No, good ones used it, too. Typically, they used it with advanced AI that can tell real people from paper, though.

    16. Re:Such a dumb idea! by Anonymous Coward · · Score: 0

      > Who comes up with such stupid ideas like using the camera and face detection as authentication method?

      Cops.

  9. Re:BREAKING NEWS by Anonymous Coward · · Score: 0

    Seems this was fake news. SAD

  10. Is this really a surprise? by evolutionary · · Score: 2

    Okay, it's not the first time simple ways have been found to circumvent so-called "biometrics", especially the poor man's version of these tools. The Windows 10 version is most likely a low-end version with very limited pixel resolution recognition on the camera (to be compatible with the low-end cameras that come in most laptops and cameras), plus a routine to distinguish a live face (with facial movements/tics as opposed to a 100% static picture) was probably never even considered because it would add to cost and time to development. So when you think about it, it's really a TERRIBLE idea. Even with that taken into account, a camera with a high enough resolution to recognize a video would add costs too.

    We tried finger print recognition which is also terrible because it is too easy to lift a fingerprint from a victim (or even bypass the finger print scanner in many cases). Anything that is easy to lift/take from the user is inherently insecure: Finger prints (scotch tape/talcum powder will get that from any surface including keyboards and coffee cups), facial recognition (just lift a picture from facebook or any social media site where people often publish high resolution photos, even easier than getting a finger print). Voice print is a LITTLE better but voice patterns have been successfully simulated/recorded from everyday conversation or even YouTube lectures. (techies often love to give these).

    There is absolutely NO substitute for good old-fashioned typed passwords (even better, in combination with typing sampling for speed/patterns). Even voice passwords are potentially easy to copy with a long or even short range microphone. The password is proven most secure because it requires you to look into someone's memory or stand over them and watch them type it, unless of course they use the same password across, but that requires more time/research than getting a facial picture or even a fingerprint if you know or work with the victim. Perhaps these could be used IN ADDITION to a password, but should NEVER be a substitute. The key to security is to remember this old axiom: Security comes at the price of convenience. Without exception. Of course common sense rules like password rotation on a regular basis are essential. It is possible to lift a password, I imagine, using the amount of body oil on each key or even thermal patterns on a keyboard, but look at all the effort/equipment required to do that. It feels like every new biometric security toy is less secure than the last.

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re: Is this really a surprise? by Anonymous Coward · · Score: 0

      Bullshit. Passwords are terrible and have been proven so over and over again. The current truly best option is a smart card or one time password (token based, not SMS or otherwise), but biometrics aren't far behind.

    2. Re:Is this really a surprise? by phayes · · Score: 4, Interesting

      Simple means have been shown to be useful for simple biometrics. Simple means are of much less use when some thought is put into the sensors and how to use them.

      The claim that FaceID is easily/cheaply bypassed can be laid to rest after a month where no-one other than the people from Bkav were able to duplicate it without resorting to using the passcode to train FaceID to recognize the 3D model.

      As for fingerprints, I've talked with some police force lab techs who look for and scan crime scene fingerprints. The vast majority of liftable prints are from the balls of your fingers, so don't use them for TouchID.

      As anyone who has had their fingerprints taken for whatever reason knows, they only ask for the balls of your fingers though they often roll your fingers to get the sides too. What they rarely take is the ends of your fingers -- because with the exception of your dominant hand index, it is much less common that people leave them as usable prints.

      By using just the tip of a non-index finger for TouchID, it makes it much harder to gain that liftable print but still works fine with TouchID.

      Even with people generally using the balls of their fingers with TouchID there have been zero reports of a lifted and duplicated print being used to bypass device security. If it were such a danger, one would expect there to have been at least one story, but no.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    3. Re:Is this really a surprise? by Anonymous Coward · · Score: 0

      Facial recognition, fingerprints, iris scans, social security number ... any of that stuff ... should at best be used as a username, never as a password.

    4. Re:Is this really a surprise? by Skuld-Chan · · Score: 1

      Windows 10 is a bit more complex than the first versions of Android or iPhone face recognition - it actually requires infrared capable cameras (it won't work with just any webcam). The theory behind requiring an IR photo was that it was less susceptible to photograph attacks.

      One of the cool demos they do is unlock the machine while wearing glasses, sun glasses or no glasses, or with and without hats. It's really up to the enterprise to configure this fully - you can require multiple authentication methods on windows for example - like windows hello/password or windows password/smartcard or password/otp etc. Out of the box I think it's fine for most end users.

      That said - it's still a difficult attack to carry out because you'd still need a portrait photo taken with enough data to print out a near IR photo (which I didn't know was possible) - most jpeg's I would think strip out that information during compression - there's not enough details sadly on the article linked and of course physical access to the PC.

    5. Re: Is this really a surprise? by evolutionary · · Score: 1

      Passwords are terrible if they are used badly, like most things. Passwords are bad if one has, say, a 5-letter password out of the dictionary (all too easy), passwords without rotation, or ones less than, say, 12 characters, using at least 1 upper case, 1 lower case, 1 number and one special character. Smart cards can be copied, stolen or hacked (perhaps bypassed). Much harder to hack someone's memory, and login limits, especially with 2-factor authentication, are harder to break.

      --
      "Imagination is more important than knowledge" - Einstein
    6. Re:Is this really a surprise? by Anonymous Coward · · Score: 0

      Can't this attack be carried out on the X's FID? They're the same technology. Perhaps those people didn't think of carrying out this attack: project a bunch of invisible light (infrared), and use a combination of infrared/normal cameras to analyze and find facial geometry and features.

      I was kind of wondering why they were making 3d models and such, when a specially crafted printer could absorb and reflect infrared selectively.

      Side note: Windows Hello distinguishes between twins ( http://www.businessinsider.com/windows-hello-twins-wins-recognition-2015-8 ), so it's still better after this is patched =P

    7. Re: Is this really a surprise? by Anonymous Coward · · Score: 0

      "Windows 10 is a bit more complex than the first versions of Android or iPhone face recognition"

      What? The first version of facial recognition for iPhone was released this year on the iPhone X. And you needed more than a low res photo to defeat it. From what I can remember you needed to craft a 3D head and superimpose the picture over top of it to make it look 3D.

      Microsoft and android only required you take a picture of the person. That's it.

    8. Re: Is this really a surprise? by Anonymous Coward · · Score: 1

      apparently you didn't read what he said. Requires a near IR photo. Apple fanboy inability to read

    9. Re: Is this really a surprise? by Anonymous Coward · · Score: 0

      Passwords are terrible, yes; they are however the least terrible single factor. Their only real issue is that it's difficult to remember good ones, and used correctly you need to remember many of them. This leads to people using bad passwords because they aren't able or willing to exert the effort to use strong ones. Passwords can be the strongest factor, and on average are pretty solid.

      Physical tokens can be lost, stolen or imitated, and if you use them for anything electronic they reduce to passwords. However, they can be revoked if needed, and they aren't constrained in their complexity by human memory/creativity. They make a good second factor, and a passable only factor.

      Biometrics are the worst. You can't easily revoke them, you can't rely on them remaining unchanged either. And they can generally be recreated from observation of the subject. They are only useful when you would seriously consider having no security as a viable alternative or if you are already using a password and physical token and want additional security.

    10. Re:Is this really a surprise? by phayes · · Score: 1

      They're not the same tech. FaceID uses active scanning to construct a 3D map. Windows Hello matches flat pictures - mostly in IR but can add regular camera info to make it harder to spoof. The problem is that it fails back to the easily spoofable IR if the other camera is blocked. I've also read that Windows hello can use 3D cameras but other than for fewer and fewer Xbox-1s people don't have them on their Windows Hello devices.

      As for the claim that Windows Hello is able to distinguish between identical twins (subtext FaceID doesn't), six samples do not a rule make. FaceID distinguishes between identical twins even better but exceptions _have_ been found (also with children of registered adults). Until someone takes the time to test FaceID and Windows Hello on a _Large_ sample size all we have is conjecture.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    11. Re: Is this really a surprise? by Anonymous Coward · · Score: 0

      You're the one with the reading comprehension failure.

      Microsoft's face recognition doesn't require a near IR photo, but an IR camera, the photo used to fool it was a normal photo modified to the IR spectrum.

      Apple's iPhone face recognition requires you to build a 3D model of their head.

      The implementation of face recognition included with the iPhone X was the first implementation Apple released for the iPhone. Now can you explain how Microsoft's face recognition is superior to Apple's?

  11. Re:Christopher Reimer, dead at 48 by Anonymous Coward · · Score: 0

    I'm confused. Is this supposed to be amusing?

  12. Gimmicks have no place in security by Anonymous Coward · · Score: 0

    Not like Microsoft has ever shown any acumen in security matters but this face unlock stuff really needs to die.

  13. Re: Christopher Reimer, dead at 48 by Anonymous Coward · · Score: 0

    Yes it is. The mods have been targeting him for some time now... for good reason.... but maybe not to this extreme. He sort of deserves it.... like no one deserves it including him, but out of everyone he deserves it more than anyone else... so he kinda deserves it but not really.

  14. Two words by SuperKendall · · Score: 1

    Shouldn't a video be able to interpret enough 3d with a little motion?

    Live Photo.

    Or any other brief video clip of the person can be played back to easily bypass a system that relies on motion in a camera.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Two words by Anonymous Coward · · Score: 1

      So add a captcha-like feature: the authenticator asks the user to perform certain actions in randomized order, e.g. lean forward, look up, pause, look left, look forward, wink left eye, smile, stick tongue out, raise eyebrow like The Rock.

    2. Re:Two words by gnick · · Score: 1

      Or any other brief video clip of the person can be played back to easily bypass a system that relies on motion in a camera.

      That sounds much more difficult than printing the person's picture.

      --
      He's getting rather old, but he's a good mouse.
    3. Re:Two words by SuperKendall · · Score: 1

      That sounds much more difficult than printing the person's picture.

      Printing a person's picture is actually much more difficult these days than taking a brief video or picture from your phone, then re-playing it for the login camera. All iPhone photos by default are short video clips too, so...

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    4. Re: Two words by Anonymous Coward · · Score: 0

      That sounds a lot more convenient than typing asdf1234.

  15. So Commercial Facial Recognition Is Crap by Chas · · Score: 1

    Basically, at this point, it's a giant gimmick.

    --
    Chas - The one, the only.
    THANK GOD!!!
    1. Re:So Commercial Facial Recognition Is Crap by vux984 · · Score: 2

      It's good enough to use for targeted ads. It's good enough to use to guess who is in photos to suggest tags, if you are into that.

      It's not good enough to be secure. And on some level, it can't be. For logging in it should be used to pre-populate your user name... that's it. It shouldn't log in based on that alone, it shouldn't give you full admin access to everything on your PC... that's idiotic.

  16. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  17. I'm certainly no expert... by Anonymous Coward · · Score: 0

    but isn't stuff like this just an inherently bad idea? It seems like assigning the task of authentication to the device (instead of the human user) is always going to be flawed. Of course humans are flawed too, but humans have the ability to trick machines, not the other way around.

  18. Testing? by Anonymous Coward · · Score: 0

    Don't these idiots do any testing of these "security" measures?

    You mean at a multi-billion dollar enterprise like MS, no one thinks to try some pictures to fake the recognition?

    Almost makes one think it was intentional.

  19. Re:Christopher Reimer, dead at 48 by Anonymous Coward · · Score: 0

    There you are faking your own death with yet another fake account, you revenue stream hogging disgusting fat sexist tube of lard, Christopher Dale Reimer!

    You can be sure I will be watching this fake account too. I know this is you because you told me you were working on your freepass 11 file server and you are so dumb that you can't even masquerade yourself properly.

    Now, I told you I was out of meds last week and you didn't even care to contact me you lazy fucker.

    How many times do I have to express the emergency of the situation??????

    The python click script you wrote for my pheromone revenue stream web site suddenly stopped working!!!!!!

    You fucking incompetent python script writer!!!

    When it works, I get 4000+ clicks a day on my pheromone revenue stream web site but only 5 or 6 without it!!!!

    Now, it seems like you don't care and that you have abandoned me you heartless fucking pig!

    Bonus:
    Here is a story that creimer told me when convincing me what a hard life he had:

    The tree was him and the tree knot was his butt hole!

    So, his uncle packed his fat ass with lard and with his cock! Not that it makes much of a difference but anyway, there it is!

    Signed:
    The girl that used to love you and now hates you, burn in hell where you belong you sexist pig!

  20. Re:Christopher Reimer, dead at 48 by Anonymous Coward · · Score: 0

    CREIMER' SUBMISSIONS UPDATE:
    Note also that creimer is trying to regain karma by getting his submissions published as articles on /. so make sure to go to:
    https://slashdot.org/~cdreimer
    https://slashdot.org/~Anonymou...
    https://slashdot.org/~FatCashe...
    https://slashdot.org/~ILoveFat...
    https://slashdot.org/~IHateFat...
    https://slashdot.org/~IAteFatC...
    https://slashdot.org/~ITapeFat...
    https://slashdot.org/~IApeFatC...
    https://slashdot.org/~IPrayFat...
    https://slashdot.org/~FatCashe...
    and mod down his submissions as well. The great thing is that you don't even need mod points to mod down a submission, just click on the "minus" icon!

    Yes, believe it or not, creimer owns all the above sock puppet accounts. It is a mystery why Slashdot management tolerates it!

    creimer wrote:

    I don't bother with mod points. I'm doing something much more sinister. It took ten story submissions (I'll have to double check the number) to move cdreimer's karma from neutral to excellent without ever being exposed to the capricious mods. Mmmmmwwwwahahahahahahaha!

    https://slashdot.org/comments....

    Danger, Will Robinson, Danger! Creimy is posting more than 2 posts a day. Hurry! mod down otherwise /. will go to hell again!

    Note: you can mod down even if already at -1 to lower karma and to prevent lost /. users to accidentally mod up.

    creimer wrote:

    All you need to do is find a website with a permissive TOS, say, Slashdot, create a Python script to scrape your own comments, sprinkle Amazon affiliate links in various posts, and then re-post past links whenever possible. Won't be long before you start making "coffee money" each month.

    https://slashdot.org/comments....

    C.D. Reimer is a renowned Slashdot collaborator, as he puts it himself; "Because of the quality of my posts and my article submissions, I'm a highly rated commentator and moderator."

    But has anybody ever wondered what "C.D." stands for? Well, it stands for Creimy Dumpty of course!

    Creimy Dumpty sat on the wall,
    Creimy Dumpty had a great fall.
    All the king's horses
    And all the king's men
    Couldn't put Creimy Dumpty
    Together again.

    Creimy's siblings video and theme song, very realistic, especially the pants, just like Creimy's:
    https://www.youtube.com/watch?...

    With "Vice President Pence Vowing US Astronauts Will Return To the Moon", we are sure they will need miracle workers up there, here is what it would look like. Note that Creimy takes care of bringing a lot of food to the moon as depicted below:
    https://www.youtube.com/watch?...

    Creimy's real pictures:
    Before the sex change:
    https://ibb.co/cc7Ddw
    After the sex change:
    https://ibb.co/gVad65

    Creimy's "enterprise-level" chair, he talks about it all the time on slashdot:
    http://www.keynamics.com/image...

    Creimy's head, while his supervisor was talking to him, not with him, since it is impossible to do with Creimy:

  21. Re:Christopher Reimer, dead at 48 by Anonymous Coward · · Score: 0

    Here are some posts from creimer's old accounts. I'll start with his love of child brides.

    If all my assets were liquidated, I would still have enough cash to buy a new car and head off to Mexico to find a chica to marry.
    https://slashdot.org/comments....

    You're aware that are some states in the U.S. that allow underage marriage as young as 14 years old?
    https://slashdot.org/comments....
    As for my comment, I've heard stories of engineers retiring at 50, moving to Mexico and marrying underage girls. Since I work with ex-military, the Philippines is a popular retirement spot for marrying underage girls as well. It's all about getting the most bang for your retirement dollars.
    https://slashdot.org/comments....
    That only works if you retire to Mexico, build a mansion (by local standards), marry an underage sweet thing and bequeath all your possessions to the village.
    https://slashdot.org/comments....

    You need to be more specific. I wrote 3,000+ comments this year.
    https://slashdot.org/comments....

    Nah... I just do it to piss off my trolls and make coffee money off of them.
    https://slashdot.org/comments....
    We have different priorities. You want to climb the corporate ladder. I want to own the corporate ladder.
    https://slashdot.org/comments....

    Your bitch licks your balls. Most people don't brag about practicing bestiality. Is there a reason why you married a dog and not a goat?
    https://slashdot.org/comments....

    My employers don't care about what my Slashdot trolls think. Now go off and lick your balls somewhere else.
    https://slashdot.org/comments....
    iPhone 6s and reduce my monthly bill from $80 to $50. As a phone and a video camera, the iPhone 6s isn't obsolete. As a Sprint customer for 20+ years, Sprint will always offer me a new iPhone if I decide to stop using the 6s as a phone in the next several years.
    https://slashdot.org/comments....
    Miracle workers are never afraid to ask for a second opinion. Supervisor gave me his opinion, and a mess to clean up. Lesson learned from this incident: if something isn't quite broken, break it.
    https://slashdot.org/comments....

    So you can turn around call me a liar again? People have been playing that game with me for years.
    https://slashdot.org/comments....
    Based on what I've read about Uber, he needs to tell the boys to clean up their locker room behavior, zip up their pants, and attend sensitivity training until everyone agrees that women are not sexual objects.
    https://slashdot.org/comments....

    Which doesn't violate the Slashdot TOS. If you got a problem with that, take it up with management.
    https://slashdot.org/comments....
    This year I've posted ~4,000 comments.
    https://slashdot.org/comments....

    I don't bother with mod points. I'm doing something much more sinister. It took ten story submissions (I'll have to double check the

  22. Any QA at all? by lq_x_pl · · Score: 1

    Before the usual retort of "You know this is Microsoft, right" rolls in, this question does deserve consideration.
    Was this not tested against, at all?
    Did they not attempt to circumvent this method with a photo? I write code for a living, and something that's continually running through my mind is "how can this fail or break?" I'm certain there are devs at Microsoft who are similarly afflicted.
    So I guess the real question is: Was it tested, and everyone just hoped no one in meat-space would also think to try a photo, or was there some pointy-haired manager who decided that enough dev time had been spent, and it was time to turn the profit faucet on?

    --
    An internal system operation returned the error "The operation completed successfully.".
    1. Re:Any QA at all? by Anonymous Coward · · Score: 0

      In good old /. fashion, I haven't read the article, but the summary indicates the photo they used was modified. So I assume it isn't susceptible when someone tries an unmodified photo.

  23. Now you need a photo 1280x1024 by ripvlan · · Score: 1

    MS probably patched the issue by upping the resolution required. That's the super-enhanced security feature.

    You probably don't even need a photo - rather just need one that triggers the geometry math. I'll bet a b&w photo with some edges on it would work - if you understood the underlying algorithm. Think of those "masks" (or makeup) intended to hide you from facial recognition in a crowd, it's the anti-geometry.

    This has been the fear of biometrics. Cut off a hand or pop out an eyeball. 3D printers. But the hand and eyeball scanners can (now) tell if you're dead, I think by measuring blood flow or the lack of something in the iris. Will facial scanning have to go deeper? Seems good enough for security "that might be the person", but not "that IS the person".

  24. Windows... by Anonymous Coward · · Score: 0

    Bwahahahahaha, fucking hillaryious.

  25. As used in Space Quest III by jellomizer · · Score: 3, Interesting

    I remember the 1989 game Space Quest III. One of the final puzzles before the action sequences for the end game was to wander the cubicles of a software company as a janitor, cleaning the garbage in each cube you walked by, working your way to the CEO's office and taking his ID card, and on the way back going to the photocopier, taking his portrait and making a color copy of it. Using his ID card and the portrait you gained access to the end game area, as there was a super advanced card reader with a face scanner on it.
    There were two more puzzle actions, pushing a button to extend a bridge, and using your trash vaporizer to free some software developers from their lime gelatin imprisonment. But those were rather easy.

    With this explanation it is easy to tell the game didn't take itself too seriously. And this spoof of a software company was a jab at Microsoft, calling it Scumsoft, and the CEO being a kid CEO, as Bill Gates was considered at the time.

    The Face ID Apple has, while not perfect, seems to have done it better than anyone else. Because they are a hardware company first, they took a hardware approach to the problem, by adding an IR dot projection of your face to aid in matching, vs. Microsoft and Google, who took a software approach using existing hardware to try to get a match.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:As used in Space Quest III by eneville · · Score: 1

      Just wondering, does the IR dot projection scan slow down with age?

  26. Re:BREAKING NEWS by Anonymous Coward · · Score: 0

    I can deal with 3 years of Pence as president. While not my choice and I have political issues with him, at least he will work for the American public.

  27. Alternatives by Anonymous Coward · · Score: 0

    Put a piece of scotch tape over the camera lens, so it can constantly detect movement and changes but nothing positive about you.

  28. Re:BREAKING NEWS by Anonymous Coward · · Score: 2, Insightful

    I can deal with 3 years of Pence as president. While not my choice and I have political issues with him, at least he will work for the American public.

    Ask all us Indianians about that...

  29. Re:BREAKING NEWS by Anonymous Coward · · Score: 0

    ...at least he will work for the American public.

    Yes. Keeping us safe from marijuana and abortions and all those other dangerous things.

  30. Face Captcha by Anonymous Coward · · Score: 0

    I can see this progressing to Face Captcha:
    -Blink left eye once, blink right eye twice, twitch right eyebrow up and left eyebrow down to unlock.
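
The randomized gesture challenge proposed in this comment and in the "Re:Two words" reply above is a form of challenge-response liveness check, whose point is that a pre-recorded clip cannot answer a sequence that was not known when the clip was made. The following is an added example written for this page, not code from Windows Hello, Face ID or any commenter; it assumes a hypothetical face pipeline that reports each detected gesture as a (name, timestamp) pair, and the gesture vocabulary, timeout and nonce handling are constructed for illustration. It shows the defender-side logic: one-shot challenges, an expiry window, strict ordering, and a replay guard so a captured answer cannot be reused.

```python
"""Randomised gesture challenge for camera-based liveness (added example)."""
import random
import time

# Gesture vocabulary, constructed from the challenges suggested in the thread.
GESTURES = ("lean forward", "look up", "look left", "look right",
            "wink left eye", "smile", "raise eyebrow")


class LivenessChallenger:
    """Issues one-time, time-limited gesture sequences and checks responses.

    Assumptions (not from the page): the detector reports gestures as
    (name, timestamp) pairs; a challenge must be answered within `timeout`
    seconds after it was issued and can be answered only once.
    """

    def __init__(self, length=4, timeout=10.0, seed=None):
        self.length = length
        self.timeout = timeout
        # A seeded RNG is only for reproducible tests; real use takes the OS CSPRNG.
        self._rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self._pending = {}   # nonce -> (expected sequence, issued_at)
        self._spent = set()  # nonces already answered, pass or fail (replay guard)

    def issue(self, now=None):
        """Create a fresh challenge: distinct gestures in random order plus a nonce."""
        now = time.time() if now is None else now
        sequence = tuple(self._rng.sample(GESTURES, self.length))
        nonce = f"{self._rng.getrandbits(64):016x}"
        self._pending[nonce] = (sequence, now)
        return {"nonce": nonce, "sequence": list(sequence), "issued_at": now}

    def check(self, nonce, observed, now=None):
        """Verify a response. `observed` is a list of (gesture, timestamp).

        Returns (ok, reason). Every nonce is consumed on first use, so a second
        attempt with the same nonce is rejected even if the first one passed.
        """
        now = time.time() if now is None else now
        if nonce in self._spent:
            return False, "replayed challenge"
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False, "unknown challenge"
        self._spent.add(nonce)
        expected, issued_at = entry
        if now - issued_at > self.timeout:
            return False, "challenge expired"
        if len(observed) != len(expected):
            return False, "wrong number of gestures"
        last_t = issued_at
        for (got, t), want in zip(observed, expected):
            if got != want:
                return False, f"expected {want!r}, saw {got!r}"
            # Gestures must occur after the challenge was issued, in order, and not in the future.
            if not (last_t < t <= now):
                return False, "gesture timestamp out of window"
            last_t = t
        return True, "ok"


if __name__ == "__main__":
    lc = LivenessChallenger()
    challenge = lc.issue()
    print("Perform, in order:", ", ".join(challenge["sequence"]))
    # Simulated detector output that follows the challenge exactly.
    answer = [(g, challenge["issued_at"] + i) for i, g in enumerate(challenge["sequence"], 1)]
    print(lc.check(challenge["nonce"], answer, now=challenge["issued_at"] + 6))
    print(lc.check(challenge["nonce"], answer, now=challenge["issued_at"] + 7))  # replay refused
```

The gesture sequence is the part a replayed video cannot satisfy; the nonce and timeout only matter once the detector's output can itself be captured and resubmitted, which is why both checks are kept even though the comment only mentions the gestures.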

  31. Re:BREAKING NEWS by Anonymous Coward · · Score: 0

    That means he got better?

  32. Re:Christopher Reimer, dead at 48 by Anonymous Coward · · Score: 0

    Yep. It’s hilarious in fact.

  33. Can be bypassed with a photo by Anonymous Coward · · Score: 0

    of Bill Gates.

  34. Who else read... by SurenEnfiajyan · · Score: 0

    Bypassed with a Potato?

  35. Re: BREAKING NEWS by Anonymous Coward · · Score: 0

    Lol yeah that'll fix EVERYTHING

  36. With a Picture by Anonymous Coward · · Score: 0

    The picture of Microsoft Bob works particularly well.

  37. Re: Christopher Reimer, dead at 48 by Anonymous Coward · · Score: 0

    I chuckle every time I see it. It is hilarious Chris.

  38. Do they ever think things thru? by See+Attached · · Score: 1

    Since when are all the test / usage cases reviewed? Next they will want us to change our retina layout and fingerprints every 90 days.

    --
    Time for a new political party in the US (or two!). One is off the rails, the other can't pony up a leader.