His actions are moral because he pays for what he uses.
No. He only pays for what he uses and then decides he likes enough to purchase.
The artists, record companies, retail outlets and all the others involved in the process make the profit that they are not only legitimately entitled to but would not otherwise have made; I can't see him paying for an album without any idea what is on it.
Likewise myself and other people wouldn't pay for any RIAA album regardless of what is on it. So the artists, record companies, retail outlets, and all the others involved in the process make the profit that they are not only legitimately entitled to but would not otherwise have made.
And don't tell me I'm full of it. I haven't bought a CD from an RIAA-affiliated artist in 7 years, and I haven't used a P2P filesharing network in 2 years.
Finally, there is absolutely no moral requirement that one pay for what he uses. You've read my comments here on Slashdot. You've found them interesting enough to respond to. But I don't see you sending me money, and I don't see anyone saying that you have a moral obligation to do so.
I don't see how they are trivial to copy. I want to copy my fingerprint. How can I do this?
I posted the link earlier, but here it is again from the cryptogram.
I don't see a description. All I see is an assertion.
The bad part is that now you have more to protect, and the potential damages of a security breach are higher --
This is the part I don't understand. Why do you have to worry about your irreplaceable biometric ID, if your biometric ID isn't good for anything in the first place? And as for anything else that might be protected by that ID, you just don't protect lots of things by solely that ID.
besides a few hundred bucks in a checking account, now you also have to worry about your irreplaceable biometric ID and anything else that might be protected by that ID.
If an ATM used this, and your fingerprints were stolen, there's no way you could be personally held responsible unless you were somehow negligent. This protection is being used by the bank, not by the person, so there isn't "anything else that might be protected by that ID," as far as the victim is concerned.
The way I think about biometric IDs is more like passwords that you cannot change.
The way I think about them is like a public/private key system that you cannot change. Biometrics are easy to recognize, but hard to reproduce. That's the key to their security.
What if you were forced to use that same password on random websites, vending machines, other email accounts, other online bank accounts, etc?
No one is forcing people to use biometrics on anything. Right now we're not using them on anything at all, so you're not making a good argument.
You are forgetting that fingerprints are already used for identification, and in rather serious contexts. It makes perfect sense not to get them mixed up in trivial day to day matters that increase my risk for no good reason.
And you are forgetting that I already stated that fingerprints were a bad example. For fingerprints, fine, they're already being used, and they're easy to copy. So let's not use them for anything else. But that's a strawman argument against a single implementation of biometrics.
Do you carry your passport, birth certificate, social security card, and similar ids on you? Would you feel comfortable if they were required day to day, if you'd have to submit copies of them to your grocery store knowing they would be sufficient to steal your identity?
If they were required day to day, they wouldn't be sufficient to "steal my identity." Actually, the whole concept of "stealing someone's identity" is rather ridiculous. For instance, this article talks about stealing people's identities, but what actually happened is people stole a bunch of cash from an ATM.
Agreed, but with biometrics the systems are no longer isolated because the key (you) is necessarily shared between them.
The private key is "me," perhaps. But the public key, which I give out is not me. It's the parts of me that are recorded in those particular conditions at that particular time. And that's not going to be the same among different systems.
If your vending machine shared the biometric info with another system, then you could no longer think that it was only protecting a can of soda.
Nonsense. Knowing the information does not allow you to copy the information. I can show you a picture of me, but that doesn't help you very much in trying to recreate me.
My problem is with imperfect biometrics -- and I fear that all systems are imperfect, even if their designers believe or claim otherwise.
At least you recognize that everything is imperfect. Like I said, your girlfriend might mistake me for you, and therefore let me have the keys to your apartment.
Take fingerprints for example. They are trivial to copy, and they can be recreated from digital scans or photos.
I don't see how they are trivial to copy. I want to copy my fingerprint. How can I do this?
There is no practical reason why anyone should want to copy or fake my fingerprints today, so I'm OK if it is used in some limited context like INS or FBI records.
Umm, what if they wanted to commit a crime and frame you for it?
On the other hand, if fingerprint based identification became popular (and in case of ATMs, if it led to cash out of my account), then there would be great incentive for criminals to capture it from a compromised scanner somewhere. The stolen fingerprint would be good on _all_ systems that used fingerprints for identification, today and in the future, not just the one it was stolen from.
No, it would only be good on all systems which do not have greater accuracy than the one used to capture your fingerprint. In other words, it would work today, not in the future.
I'd have no recourse to get back my previous level of security (or a system's trust in my identity), except to wait until all affected systems were replaced (even legal systems) or sufficiently improved.
Any system which relied solely on fingerprints is a bad system, clearly. But that doesn't mean that fingerprints don't add security to a system which already has other checks.
Besides, you've picked pretty much the least secure biometric system out there.
Some of my concerns would be addressed by different biometric systems in combination with more conventional security measures. I even think they would be more secure than current conventional systems... But I think the risks I would be exposed to would be greater, and the potential damage from a compromise would be greater, and I don't think that would be worth the added security.
I fail to see the risk. You're saying that a system which uses a biometric identification in addition to the current identification schemes is risky, because that biometric identification might fail. That makes absolutely no sense to me. If it's an additional check, it can only enhance security. Depending on the details of the scheme, it might not provide enough additional security to be worth the price and/or hassle, but that's a completely different story altogether.
Basically, you're afraid to use your fingerprint for identification, because then people will find out your fingerprint, and then you can't use it for identification. I don't get it.
As you've said yourself, no security system is perfectly secure. The goal of a security system should be to make defeating the system much more expensive than the value of whatever the system is securing. If all you're doing is buying a soda from a vending machine, fingerprint identification alone might be enough. If you're trying to stop people from stealing many thousands of dollars from an ATM, you're going to have to rely on more layers of security.
The transition is already being made, but the hold up is getting the machines upgraded/replaced.
Not to mention the $5/card. Is it really worth the additional expense? I doubt this type of ATM fraud is costing the industry $5 per ATM card.
The best thing you can do right now is go through the hassle of transferring money between accounts (only have an ATM card for one account on you at a time) and transfer money between them. That is unless you want to use a credit card, and just pay it via check every month instead... I don't think you can be held liable for fraud on CCs, or at least you won't if you get the right contract.
You're not liable for fraud on ATM cards either. I transfer money between accounts, but only because my account with the ATM card doesn't let me buy stock. If I could get an ATM card for my Ameritrade account, you better believe I would.
If ATMs recognized people like their significant others do, or if the attacker actually had to masquerade in front of another person, then I'd agree with you.
So your problem isn't with biometrics, you just feel that the current state of biometrics isn't up to the task, yet. I agree with you on that point. Other than the most expensive systems, I wouldn't trust a current biometrics system either. But the part about getting new eyeballs or fingerprints is not a good point. The reading technology will always be a step ahead of the copying technology.
An exact replica of a person is not required to fool one or two biometric scans.
My point is that since everyone has a phone anyway
Not everyone has a cell phone.
the cost of such a system is very small (per customer).
The cost in terms of time spent is small, but the cost (per customer) of fraud is even smaller.
So if it reduces fraud it would be profitable for the banks.
If people won't switch to it, because they either don't have a cell phone or don't feel like messing with their cell phone every time they use the ATM machine, then it will cost more than it's worth, and that's why the banks won't do it.
Sure, people would prefer to just type in a PIN, but they'd also prefer to have a real branch where a real person can hand out cash.
The cost to have a real person handing out cash is tremendously more than the cost of ATM fraud.
The normal problem of ignoring security and doing whatever is most convenient doesn't apply so much when people feel their own money is directly involved.
Security is not being ignored. We just aren't using the absolute most secure system possible.
You may find it difficult to explain why running the dancing elephants screensaver is a bad idea, but if people have it explained to them that keying in a PIN means more potential for their money to be stolen (even if this is a simplification of the real issues) they may be happy to switch to a more secure method.
Credit card companies have tried this, with one-time credit card numbers. For the most part, consumers haven't been fooled. They understand that they're protected against credit card fraud, and the extra hassle of generating a one-time number is rarely worth it.
Voiceprints, fingerprints, face recognition have been proven to be insecure.
Everything has been proven to be insecure. The secure/insecure dichotomy is meaningless.
Do you want to give criminals the incentive and the means to capture any information about you that cannot be changed?
I don't want to, but I'm willing to. It's not that big of a deal.
Do you think that the police, FBI, courts and everyone else will stop using these biometrics if one such system is compromised?
I think once the system is "compromised" it will be useless in a court of law.
Knowing someone's biometric information is much different from being able to copy someone's biometric information. I might know your voiceprint, fingerprints, facial structure, height, weight, positions of all birthmarks, etc., but creating an exact replica of you is much harder. I might as well just print counterfeit money, at that point. Or go to your girlfriend and tell her I lost my keys. After all, she wouldn't be able to tell the difference, right?
Can't you dispute the withdrawal? Whenever I get a bank statement there is a form on the back to dispute any ATM withdrawal. The bank was probably in the right for confiscating your counterfeit $20 and not replacing it. However, they were not right for deducting your account $100 (or whatever) and only giving you $80 (or whatever) and a counterfeit $20. I would think you could handle that the same way as if the machine had given you $80 and no counterfeit $20.
Thanks for the suggestion, but there are only 6 files in my Windows temp directory. So that's not it. The frustrating thing is I've even tried uninstalling and then reinstalling Acrobat. Nothing seems to work. Right now I'm using xpdf over vnc to view pdf files. It's quite frustrating, but so is reinstalling Windows. I'm not even sure where my Windows CD is.
The bank is waiting for f(x). Only the key can compute f, so the only way the bank is going to receive f(x) is if x was sent to the key without modification and f(x) was returned to the bank without modification.
Sure, but x doesn't encapsulate the recipient of the transfer. So if I get an x at one ATM, then I can use it at another fake-ATM, and learn the f(x).
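An added illustration of the objection above, not code from the thread: when the response covers only x, the bank cannot tell which transfer the customer approved, and covering the recipient and amount as well closes that gap. HMAC-SHA256 standing in for f, the `Bank` class, the demo key and the account names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In the scheme discussed above it would live only in
# the customer's key device and at the bank.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def f(key: bytes, message: bytes) -> bytes:
    """The thread's keyed function f, modelled as HMAC-SHA256 (an assumption)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def encode_transaction(x: bytes, recipient: str, amount_cents: int) -> bytes:
    """Length-prefix each field so field boundaries cannot be shifted."""
    fields = [x, recipient.encode(), str(amount_cents).encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in fields)


class Bank:
    """Hypothetical verifier that remembers which transfer each challenge belongs to."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # challenge x -> (recipient, amount_cents)

    def issue_challenge(self, recipient: str, amount_cents: int) -> bytes:
        x = secrets.token_bytes(16)
        self.pending[x] = (recipient, amount_cents)
        return x

    def accept_bare(self, x: bytes, response: bytes) -> bool:
        """Checks f(x) only: proves the key saw x, says nothing about the transfer."""
        if self.pending.pop(x, None) is None:  # unknown or already used challenge
            return False
        return hmac.compare_digest(response, f(self.key, x))

    def accept_bound(self, x: bytes, response: bytes) -> bool:
        """Checks f(x, recipient, amount) against the transfer the bank will execute."""
        transfer = self.pending.pop(x, None)  # each challenge is single use
        if transfer is None:
            return False
        expected = f(self.key, encode_transaction(x, *transfer))
        return hmac.compare_digest(response, expected)


def device_bare(x: bytes) -> bytes:
    """Key device in the original scheme: answers the challenge alone."""
    return f(DEVICE_KEY, x)


def device_bound(x: bytes, recipient: str, amount_cents: int) -> bytes:
    """Key device that also covers what the customer entered on the device."""
    return f(DEVICE_KEY, encode_transaction(x, recipient, amount_cents))


def run_demo():
    bank = Bank(DEVICE_KEY)
    intended = ("landlord-account", 50_000)   # what the customer means to approve
    submitted = ("other-account", 50_000)     # what an untrusted terminal sent to the bank

    # Bare f(x): the response verifies even though the transfer differs.
    x1 = bank.issue_challenge(*submitted)
    bare_accepted = bank.accept_bare(x1, device_bare(x1))

    # Bound response: the device covered the intended transfer, so the
    # bank's check against the submitted one fails.
    x2 = bank.issue_challenge(*submitted)
    mismatch_accepted = bank.accept_bound(x2, device_bound(x2, *intended))

    # Honest terminal: intended and submitted transfers agree.
    x3 = bank.issue_challenge(*intended)
    response = device_bound(x3, *intended)
    match_accepted = bank.accept_bound(x3, response)

    # Replaying the same response for the same challenge is refused.
    replay_accepted = bank.accept_bound(x3, response)
    return bare_accepted, mismatch_accepted, match_accepted, replay_accepted


if __name__ == "__main__":
    print(run_demo())
```
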
Sure, you could do all of that, but it's much easier to just use your ATM card, and type in your pin. With the minuscule percentage of transactions which are fraudulent, the extra hassle of your solution outweighs its worth. We will have smart cards, once the cost of building them comes down, but they're not going to require you to copy authentication codes and other nonsense like that. Hell, a simpler version of your solution has been available for many years, now. But the banks aren't interested in it. The system they have now is more profitable, even with the small cost in fraud.
Re:Be careful! ATM/MAC/Debit is *NOT* Insured! on Fake ATM Fraud Expose · Score: 1
If you lose money through the ATM/Debit network you will never see it!
Riiight. That's why the article says that "consumers are nearly always compensated by their banks."
I can't get Acrobat 6.0 to work at all, even with IE. Actually, I can't get any Acrobat to work. Something is seriously messed up with my computer, and I haven't had the time to reformat everything to fix it.
the spam filter is hopeless. I tagged well over 1000 spams, and it still was getting about 50% false negatives, and even worse, about 20% false positives.
Your data file probably got corrupted. That's what happened to mine. When I looked at the file it said I only tagged a few hundred spams, while I actually tagged many thousand. Maybe they're using a 4 byte integer and not checking for overflow? I guess if that's the case it's not the problem you're seeing, but it's possible I had marked over 65,000 spams (I do have a whole folder full of em).
Unfortunately, I've had Thunderbird corrupt some of my mail. I think the problem was that I was running filters and sending the filtered messages to an IMAP server. In any case, I lost about 10 messages. I turned filters off, and I'm thinking of going back to Outlook Express, at least until 1.0.
Re:I DON'T CARE -- I BUY MUSIC LATELY on Kazaa-lite Shut Down · Score: 3, Interesting
So when I get a recommendation from my friends, I find the song. If I like it, I buy the album. If not, I delete the song. Others may not be as moral, but like most things in life, it's how you use something, not the item itself that really determines its value.
Right... And what if the artist doesn't want you to sample the song on Kazaa? You're amazing. You're more moral than I am because you only do it a little? Nonsense. Either copying without permission of the copyright holder is moral, or it's immoral. Personally I say it's moral. Actually, personally I say it's immoral to pay those bastards at the RIAA money when you could be donating it to charity or using it to make this world better. But hey, that's just me.
No, copyright law demands permission to create derivative works. Not everything based on something else is a derivative work.
Wow, you rock. 65,718 objects. For a second I thought Explorer was going to crash. Thanks a lot.
Took 4 days for word to get to Slashdot, maybe. Mathpuzzle.com reported this 3 days ago.
An exact replica of a person is not required to fool one or two biometric scans.
Nor did I ever say it was.
Can't Kazaa now just change the protocol for the initial handshaking, thereby breaking the old versions of kazaa lite?
Yeah, you're right... 2-byte integers... Hmm, that seems less likely to be what happened.
PINs are entered into the ATM through the keypad and they are checked against a hash downloaded into the machine twice a day.
So you claim that every single ATM machine in the world has the PIN number of every single ATM cardholder in the world? I don't believe you.
If the entire machine is stolen, there are still no PINs in it...only the hash.
There are only 10,000 possible pin numbers. It would be easy to brute force the pin number given a "hash." I don't believe you.
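An added example, not code from the thread, of the arithmetic behind the reply above: with only 10,000 candidates, a salted or stretched hash of a PIN can be reversed by trying every PIN, so any protection has to come from a secret key rather than from the hash function. The card number, keys, verifier formats and function names are constructed for the example and do not describe any real ATM network.

```python
import hashlib
import hmac

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every 4-digit PIN
CARD = "0000111122223333"                        # constructed card number, used as salt
STRETCH_ITERATIONS = 100                         # kept small so the demo runs quickly


def unkeyed_verifier(pin: str, card: str = CARD) -> bytes:
    """Salted but unkeyed: SHA-256 over card number and PIN."""
    return hashlib.sha256(f"{card}:{pin}".encode()).digest()


def stretched_verifier(pin: str, card: str = CARD) -> bytes:
    """Same idea with PBKDF2; stretching multiplies the cost by a constant only."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), card.encode(), STRETCH_ITERATIONS)


def keyed_verifier(key: bytes, pin: str, card: str = CARD) -> bytes:
    """HMAC under a secret key: useless to anyone who does not hold the key."""
    return hmac.new(key, f"{card}:{pin}".encode(), hashlib.sha256).digest()


def recover_pin(target: bytes, verifier):
    """Try every PIN against a stored verifier; return (pin, guesses_made)."""
    for guesses, pin in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(verifier(pin), target):
            return pin, guesses
    return None, len(PIN_SPACE)


def run_comparison(pin: str = "2580"):
    # Constructed keys: secret_key stands for a key that is never stored
    # alongside the verifier; guessed_key is what someone without it would try.
    secret_key = bytes(range(32))
    guessed_key = bytes(32)
    stored_keyed = keyed_verifier(secret_key, pin)
    return {
        # Salt alone does not help: the whole PIN space is searched in one pass.
        "unkeyed": recover_pin(unkeyed_verifier(pin), unkeyed_verifier),
        # Stretching costs at most 10,000 * STRETCH_ITERATIONS hash iterations.
        "stretched": recover_pin(stretched_verifier(pin), stretched_verifier),
        # Without the key, no candidate PIN matches the stored value.
        "keyed_without_key": recover_pin(
            stored_keyed, lambda p: keyed_verifier(guessed_key, p)
        ),
        # If the key sits next to the verifier, the keyed form falls the same way.
        "keyed_with_key": recover_pin(
            stored_keyed, lambda p: keyed_verifier(secret_key, p)
        ),
    }


if __name__ == "__main__":
    for scheme, (found, guesses) in run_comparison().items():
        print(f"{scheme:18} pin={found} guesses={guesses}")
```
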
it doesn't matter if the artist doesn't want it.
I agree. That's why I said I don't have a moral problem with copyright infringement.
you have the RIGHT to be an informed consumer.
Only as much as you have the RIGHT to copy music.
Data leaving the ATM does NOT include a customer's PIN.
Then data going into the ATM must include a customer's PIN. Otherwise, how could the PIN be checked?
modify? Then the bank won't accept the current transaction.
Why not?