
Researchers Hack Biometric Faces

kdawson posted more than 5 years ago | from the face-off dept.

Security 244

yahoi sends in news from a week or so back: "Vietnamese researchers have cracked the facial recognition technology used for authentication in Lenovo, Asus, and Toshiba laptops in lieu of the standard logon/password. The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user, as well as by presenting multiple phony facial images in brute-force attacks. One of the researchers will demonstrate the hack at Black Hat DC this week. He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed."


244 comments

hacking? (5, Funny)

Anonymous Coward | more than 5 years ago | (#26896877)

Shouldn't they get charged with hacking the researchers' faces off? That is kind of brutal, no?

Terrible News! Please read! (-1, Troll)

Who Is The Drizzle (1470385) | more than 5 years ago | (#26897045)

At 10:28pm EST Rob Malda was rushed to the emergency room and was found to have a microscopic penis. Yes, folks, Rob "CmdrTaco" Malda, hero to many millions of slashdot nerds around the world, is hung like a 3 year old Asian boy.

Insolence! (0)

Anonymous Coward | more than 5 years ago | (#26897291)

Hey, how dare you insult the 3 years old asian boy!

Re:Terrible News! Please read! (4, Insightful)

Anonymous Coward | more than 5 years ago | (#26897595)

I can't understand the mindset that people must have to actually post trollish crap like this under their username.

It boggles the mind that we as a society are producing a generation of kids that actually takes pride in being anti-social and disruptive. Yet we have the arrogance to wage wars in an effort to make other nations emulate our social paradigm.

Perhaps it's not them that needs liberating from dictatorial governments, it's us that needs liberating from a downward spiral into social implosion.

Yes, yes I'm ready for the off topic mods now.

Re:hacking? Huh? (2, Interesting)

davidsyes (765062) | more than 5 years ago | (#26897155)

Not for that. But they should be careful because they probably just pissed off a load of laptop and biometrics software manufacturers who will likely lobby for their being arrested if they land in the US, or if they commence their presentation.

Haven't they heard of Russian and other national's programmers being arrested or threatened with arrest if they land here?

But, if they are REALLY good, they've come up with a solution (for however long decent solutions can be expected to last...), and boost Vietnam's programmer prominence. They're doing not too shabby in the shipbuilding industry

Vinashin:

http://www.vinashin.com.vn/english/Capacity.asp [vinashin.com.vn]

Hyundai-Vinashin:

http://www.hyundai-vinashin.com/ [hyundai-vinashin.com]

Maybe they can help out with the US TSA/TWIC/Port Security algorithms?

But, if they get arrested, I don't think Vietnam will take this lightly. The US better go light on this one because if the biometric software touted as good enough for consumers is a fraud, or shoddy at best, then these programmers are nothing less and probably a little bit more than responsible whistleblowers in my book. Why stand by and watch vapor/failure/crapware enter the market if it can be headed off?

Re:hacking? Huh? (1)

interkin3tic (1469267) | more than 5 years ago | (#26897297)

Haven't they heard of Russian and other national's programmers being arrested or threatened with arrest if they land here?

I don't know about them, but I sure haven't. Is this something that's supposed to be common knowledge or do you have a link?

Anyway, what could they be arrested for? They don't appear to have done much besides hold up pictures of other people's faces and notice that the computers were unlocked. Don't tell me companies have made it illegal to notice the huge flaws in their products. I'm cynical, but not paranoid-delusional.

Re:hacking? Huh? (2, Informative)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26897365)

I assume that grandparent is alluding to the Dmitry Sklyarov case. Some years back; but fairly big news, in geek circles, at the time.

Re:hacking? Huh? (1)

MadnessASAP (1052274) | more than 5 years ago | (#26897865)

That's about it, hell I did this to my own laptop a few months ago. I took a shitty photo of my face with my shitty cameraphone and held the image up to the camera and it accepted it. The first thing I did after that was disable the facial recognition.

Re:hacking? (5, Funny)

Anonymous Coward | more than 5 years ago | (#26897739)

Being an average, white American, I reckon an Asian having a biometric face-secure laptop is just plain stupid. 9 billion Chinese probably all can get into each other's raptops, no shit, G.I. They all sure do look alike, don't they? My Pa sure thinks so. So does his wife, my sister. Man, she's hot.

Ok then... (4, Interesting)

going_the_2Rpi_way (818355) | more than 5 years ago | (#26896881)

He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed.

If that's the standard, all security features should be removed. Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.

If you get your laptop lifted at the coffee shop, they better lift your wallet too I guess.

Re:Ok then... (5, Funny)

Sir Groane (1226610) | more than 5 years ago | (#26896955)

Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in.

The point is facial recognition alone is so vulnerable! All you need is a cameraphone and a photo printer - and you can't revoke your face as your password either. At least with fingerprints you can get hacked nearly 10 times (on average) before it becomes a problem.

Re:Ok then... (0, Flamebait)

macraig (621737) | more than 5 years ago | (#26897367)

Exactly how is someone going to get a photo of you of sufficient quality to fool the recognition system without you knowing about it? You'll see the person taking the photo, and thus be able to deal with the potential breach before it ever happens.

As far as friends/wives trying to snap shots of you for later misuse, I'd suggest you wear a bakclava all the time, or a burlap sack if you're ugly enough. Or find yourself friends/wife you can actually trust not to screw you over.

Re:Ok then... (2, Funny)

macraig (621737) | more than 5 years ago | (#26897393)

Ummm... balaclava the headwear, not baklava the tasty Greek pastry! I guess you can still wear bakclava for your wife, if that will help, but maybe not in public.

Re:Ok then... (1)

princessproton (1362559) | more than 5 years ago | (#26897487)

Thank god for facebook and other social networking sites where anyone can post your picture...not all thefts are by strangers. Or maybe we'll just see a sudden increase in missing family photos after home invasions...

In other news, mmmmmm baklava.... /Homer

Re:Ok then... (1)

macraig (621737) | more than 5 years ago | (#26897665)

We just all need to re-learn how to be camera-shy?

Hey, I wear baklava all the time. It's a great way to make friends.

Re:Ok then... (2, Informative)

Rog-Mahal (1164607) | more than 5 years ago | (#26897517)

"One special point we found out when studying those algorithms is that all of them work with images that have already been digitalized and gone through image processing. Consequently, we think that this is the weakest security spot in face recognition systems, generally, and access control system of the three vendors, particularly." (From the article) Doesn't sound like you need an amazing quality photo.

Re:Ok then... (2, Insightful)

Anonymous Coward | more than 5 years ago | (#26897639)

Exactly how is someone going to get a photo of you of sufficient quality to fool the recognition system without you knowing about it? You'll see the person taking the photo, and thus be able to deal with the potential breach before it ever happens.

Apparently you've never seen a telephoto lens in action.

Re:Ok then... (1)

Afforess (1310263) | more than 5 years ago | (#26897433)

Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in.

The point is facial recognition alone is so vulnerable! All you need is a cameraphone and a photo printer - and you can't revoke your face as your password either. At least with fingerprints you can get hacked nearly 10 times (on average) before it becomes a problem.

Regular locks are SO vulnerable too. Why do we use them? Because it deters petty thieves. If I see $10 on the ground, I grab it. If I see it behind a locked locker door, I keep walking.

Re:Ok then... (5, Insightful)

GrenDel Fuego (2558) | more than 5 years ago | (#26896967)

I definitely disagree here. While passwords can be brute forced given enough time, your face is almost certainly available to someone who has access to get at your computer.

There is a difference between identification and authentication (your claim of who you are, and your proof of that claim). What you look like is identification.

Re:Ok then... (4, Insightful)

Panzor (1372841) | more than 5 years ago | (#26897475)

While passwords can be brute forced given enough time, your face is almost certainly available to someone who has access to get at your computer.

Also, you could say that face recognition is just as secure as writing a reasonably long password on your forehead. Someone takes a picture and boom. Access.

Personally, I refrain from writing my passwords on my forehead - regardless of whether I can see a suspicious-looking character taking a picture of me square-enough in the face to capture all the digits. And, I also refrain from using or buying face recognition devices...

Re:Ok then... (1)

Wild Wizard (309461) | more than 5 years ago | (#26896971)

There is no need to take your wallet, most mobile phones have cameras in them that could be used to get a photo of your face.

1. Walk into cafe looking for a target
2. Photograph the target's face
3. Steal the target's laptop
4. Profit

Re:Ok then... (1)

going_the_2Rpi_way (818355) | more than 5 years ago | (#26897059)

It was a bit of a joke. But I don't think your scenario would work anyways given their need to adjust lighting conditions as they mentioned.

More to the point, you could use something like an iPhone with a DB of randomly generated photos until it cracked. This is what the researchers here did. This is the real vulnerability. But it's a brute force attack, and on any proper 'secured' system it would have to be one of several.

Re:Ok then... (4, Insightful)

Herby Sagues (925683) | more than 5 years ago | (#26897579)

What puzzles me is the comment in the article:

> This form of authentication is considered more convenient than fingerprint scans and more secure than traditional passwords

Considered by whom? Their dog? No one that has three working neurons can think that how your face looks is a stronger secret than some word you have in your mind. When they announced this "security mechanism" every security specialist I know said it was worse than nothing, it didn't even qualify as weak security, and it would be abandoned within months. It is sad when security features of computers are designed in the marketing department.

Re:Ok then... (1)

PeanutButterBreath (1224570) | more than 5 years ago | (#26896991)

Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.

With the ubiquity of digital cameras, "determined intruder with infinite resource" no longer includes "scumbag with camera".

As such, this security feature seems particularly useless.

Re:Ok then... (4, Insightful)

Jurily (900488) | more than 5 years ago | (#26897005)

If that's the standard, all security features should be removed. Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.

Not quite. Biometrics are horrible for security, because 1. they're not secret, 2. they're not easily replaceable. Once they have a picture of you, facial recognition is broken. Once they have your fingerprint, that's broken as well.

Once they have your password, you choose another one and that's it. I'd like to see you do that with your face.

Re:Ok then... (1)

going_the_2Rpi_way (818355) | more than 5 years ago | (#26897133)

Once they have your password, you choose another one and that's it. I'd like to see you do that with your face.

I take your point, but I don't understand the either/or philosophy of security. Besides, in most cases that matter, once they have your 'password', they have you. Period.

To me, security is all about layering anyways. Adding a biometric layer that works well for the user (i.e. effortless) and typically involves a brute force attack to defeat? Why not?

Re:Ok then... (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26897413)

In single-system scenarios, you are correct. Once the password or biometric ID is cracked, the system is cracked, game over, etc. In that sense, they are equivalent. The problem is that your life, which is ultimately the use case you care about, isn't a single-system scenario, it is a long series of systems and accounts and whatnot over your entire life. If a password is broken, and your email account or whatever is compromised, that sucks; but you can generate a new one for future rounds. If a biometric ID is cracked, you can't generate a new one, so any and all systems, for the rest of your life, that are "secured" by biometrics aren't secure. That is where biometrics really falls flat.

Re:Ok then... (1)

Jurily (900488) | more than 5 years ago | (#26897491)

If a password is broken, and your email account or whatever is compromised, that sucks; but you can generate a new one for future rounds. If a biometric ID is cracked, you can't generate a new one, so any and all systems, for the rest of your life, that are "secured" by biometrics aren't secure.

Which reminds me. What do you do with an iris scan if you lose your eyes? Fingerprint if you lose that finger? Facial recognition after a fight with the neighbor...

Re:Ok then... (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26897583)

A Responsible Citizen would have safeguarded his identity, and would never have engaged in physical conflict. I'm afraid that, in addition to your re-authentication penalty charge, that will be going on your permanent record...

Re:Ok then... (1)

Jurily (900488) | more than 5 years ago | (#26897601)

A Responsible Citizen would have safeguarded his identity, and would never have engaged in physical conflict. I'm afraid that, in addition to your re-authentication penalty charge, that will be going on your permanent record...

Heh. Now it's even illegal if you didn't cause that car crash :)

Re:Ok then... (2)

ITEric (1392795) | more than 5 years ago | (#26897789)

...Facial recognition after a fight with the neighbor...

I had been thinking about this aspect - and although I believe the facial recognition systems aren't yet ready for prime-time, at least if you're subjected to this hack, [xkcd.com] it could save your face!

Re:Ok then... (1)

IndustrialComplex (975015) | more than 5 years ago | (#26897707)

That is where biometrics really falls flat.

Are you saying that we should remove the photos from our IDs?
Card + Code + fingerprint = a very hard nut to crack. Biometrics can be faked, but so can every other singular security precaution. That's why you couple them with other security features and never rely on one aspect alone.

Besides, which fingerprint did you plan on using?

Re:Ok then... (1)

John Hasler (414242) | more than 5 years ago | (#26897887)

> Are you saying that we should remove the photos from our IDs?

You probably can't convince a security guard that you are me by pasting a photo of me to your forehead.

Re:Ok then... (3, Insightful)

ratnerstar (609443) | more than 5 years ago | (#26897153)

Biometrics are one part of a good authentication system. But there are always trade-offs: to lower FRR (False Reject Rate, or rate of false negatives) you have to raise FAR (False Accept Rate, or rate of false positives). Iris and fingerprint recognition are mature technologies; they can deliver low false negatives with virtually no false positives. There are well-defined and effective ways of preventing spoofing. But yes, they are only a single component, and should be combined with password and/or physical tokens.

On the other hand, facial recognition is much, much less developed. Using it for your sole authentication modality is absurd. In order to prevent an extremely high level of false negatives, you'd have to accept an unacceptably high level of false positives. This makes spoofing easy.
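The FAR/FRR trade-off described in the comment above, worked through as an added example (not part of the original thread). The similarity scores are constructed sample data from a hypothetical threshold-based face matcher, and all function names are illustrative.

```python
"""FAR/FRR trade-off for a threshold-based face matcher (constructed data)."""

# Constructed similarity scores in [0, 1]; higher means "looks more like the owner".
GENUINE = [0.91, 0.84, 0.78, 0.88, 0.62, 0.95, 0.71, 0.83, 0.57, 0.90]   # owner, varied light/pose
IMPOSTOR = [0.22, 0.35, 0.48, 0.51, 0.30, 0.66, 0.41, 0.59, 0.27, 0.73]  # other people, live
PHOTO_OF_OWNER = [0.86, 0.79, 0.92, 0.74, 0.81]                          # photo held up to the camera

THRESHOLDS = [0.50, 0.60, 0.70, 0.80, 0.90]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when scores >= threshold are accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # false accepts
    frr = sum(s < threshold for s in genuine) / len(genuine)     # false rejects
    return far, frr


def spoof_accept_rate(threshold, spoof=PHOTO_OF_OWNER):
    """Fraction of photo presentations accepted at this threshold."""
    return sum(s >= threshold for s in spoof) / len(spoof)


def strictest_usable_threshold(max_frr, thresholds=THRESHOLDS):
    """Highest threshold that still keeps FRR within what users will tolerate."""
    usable = [t for t in thresholds if rates(t)[1] <= max_frr]
    return max(usable) if usable else None


def report():
    """One row per threshold: (threshold, FAR, FRR, photo accept rate)."""
    return [(t, *rates(t), spoof_accept_rate(t)) for t in THRESHOLDS]


if __name__ == "__main__":
    print("thresh   FAR   FRR   photo-accepted")
    for t, far, frr, spoof in report():
        print(f"{t:6.2f}  {far:4.0%}  {frr:4.0%}  {spoof:6.0%}")
    t = strictest_usable_threshold(max_frr=0.20)
    print(f"strictest threshold with FRR <= 20%: {t:.2f}, "
          f"photo accepted {spoof_accept_rate(t):.0%} of the time")
```

With these constructed scores, a photo of the owner scores like the owner, so every threshold that keeps false rejects tolerable accepts the photo; raising the threshold far enough to reject it locks the owner out most of the time.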

Re:Ok then... (4, Insightful)

Jurily (900488) | more than 5 years ago | (#26897377)

Iris and fingerprint recognition are mature technologies; they can deliver low false negatives with virtually no false positives.

Passwords deliver 0% false negatives and 0% false positives. If it rejects you, just type it again.

There are well-defined and effective ways of preventing spoofing.

Like what? A hash of my whole eyeball?

Anyway, nice job twisting my point. Let me repeat:
1. Not secret. Unique, but not secret. Which means, if someone gets the technology to spoof one, they can spoof all. What, fingerprints? They use them to catch criminals because we leave them all over the place.
2. Not replaceable. If you find out someone can spoof your iris, what do you do? Grow new ones?

Just because the technology isn't available yet, don't assume it never will be.

There is only one thing that biometrics add to security: no one has to tell the Big Boss he can't use his initials as password anymore. Apparently it's worth it.

Re:Ok then... (0)

Anonymous Coward | more than 5 years ago | (#26897419)

Once they have your password, you choose another one and that's it. I'd like to see you do that with your face.

Maybe it's time I got in touch with that bully I knew in kindergarten. He seemed to have a natural gift in that area.

Re:Ok then... (3, Funny)

Jurily (900488) | more than 5 years ago | (#26897445)

Maybe it's time I got in touch with that bully I knew in kindergarten. He seemed to have a natural gift in that area.

He had two faces?

Re:Ok then... (1)

princessproton (1362559) | more than 5 years ago | (#26897549)

Once they have your password, you choose another one and that's it. I'd like to see you do that with your face.

We're getting there [cnn.com] ...

Re:Ok then... (0)

Anonymous Coward | more than 5 years ago | (#26897857)

There's a reason you don't usually see photographs of any of these face transplant patients. It sounds good until you realize the surgery takes these people from needing feeding and breathing apparatus to "merely horribly disfigured."

Re:Ok then... (1)

going_the_2Rpi_way (818355) | more than 5 years ago | (#26897615)

Here's how you do it with a face: instead of using your own face, you use a photo of Brad Pitt on your iPhone or related device. When they brute force that, you switch to a picture of Jennifer Aniston. You can change your 'biometric-based' password just as easily as they can brute force it. Just don't limit yourself to your own biometrics.

Re:Ok then... (0)

Anonymous Coward | more than 5 years ago | (#26897761)

Just don't limit yourself to your own biometrics.

Funny you should mention Brad Pitt. I use single frames of pornography for my biometrics.
What an amazing coincidence.

Re:Ok then... (0)

Anonymous Coward | more than 5 years ago | (#26897765)

I'm John Travolta, you insensitive clod!

Re:Ok then... (1)

CityZen (464761) | more than 5 years ago | (#26897021)

I think the laptop makers shouldn't have the security software depend upon this single metric.

But it would still be good to have a system whereby this is just one metric among many to help keep something secure.

Having more hurdles, even "easy to bypass" ones, helps increase the overall security, by making it just that much harder to get through. As long as it doesn't make it that much harder to use for the legitimate user (and thus make it more likely to not be used), it's good to have the option of using this.

Of course, if someone *really* wants to get your data, that will be difficult to prevent.

Re:Ok then... (1)

iamhigh (1252742) | more than 5 years ago | (#26897053)

Instead of thinking about this in the sense of some random hacker trying to get into your computer, think about the more probable situation of your office. Do you have, or could you easily get a good face shot of the CEO of your organization?

Now do you see how this could be a real problem? And yes, C-levels love biometric stuff because they don't have to remember passwords.

Re:Ok then... (1)

Beardo the Bearded (321478) | more than 5 years ago | (#26897199)

Instead of thinking about this in the sense of some random hacker trying to get into your computer, think about the more probable situation of your office. Do you have, or could you easily get a good face shot of the CEO of your organization?

A picture of the CEO? Like the picture of the CEO that's on just about any company's website?

Nearly impossible to get at is my guess.

Re:Ok then... (1)

MichaelSmith (789609) | more than 5 years ago | (#26897213)

Do you have, or could you easily get a good face shot of the CEO of your organization?

Of course. It's right there on page one of the newsletter.

Re:Ok then... (5, Interesting)

spleen_blender (949762) | more than 5 years ago | (#26897057)

I don't comment that often but does anyone have any idea on the viability of stereoscopic facial recognition? Wouldn't that make a 3d model required to be presented to the input instead of just a 2d one? Or two 2d images offset at the right angle for the distance from the cameras?

Re:Ok then... (0)

Anonymous Coward | more than 5 years ago | (#26897351)

Not much use for current laptops which just have the one camera above the screen, but it could be done easily enough with a single camera if the user looks from side to side.

Re:Ok then... (1)

Chabil Ha' (875116) | more than 5 years ago | (#26897115)

You see kids, this is just another reason why you need *layered* security. Biometrics, PKI, keyfobs, encryption, uids/passwords, alone they all suck. When you start using them in combination, *then* you start putting up reasonable barriers to would-be adversaries.

Re:Ok then... (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26897329)

Thing is, in this case, that the vulnerability is difficult to control for, even under the practical limits of a low skill attacker. Passwords, say, are vulnerable if you use ones that are short, weak, obvious, or written on a post-it note on your monitor. All problems; but well understood, and easy to mitigate by doing the right thing. Facial recognition, by contrast, has multiple vulnerabilities, as TFA describes; but it is also hard to get right. Barring horrible accident, you are always carrying your face around, attached to your skull, in public. Never mind facebook et al.

If it is unreasonably hard to make a security tech unreasonably hard, it is broken.

Finally (1, Funny)

Anonymous Coward | more than 5 years ago | (#26896897)

A use for this life-sized photo of Sarah Palin's face.

Re:Finally (1)

Mr. Conrad (1461097) | more than 5 years ago | (#26897277)

Your friends/family must give out horrible Christmas presents. This year, you may want to ask for socks, coal, a sweater, or some other apolitical gift.

Ummm... (3, Insightful)

Darkness404 (1287218) | more than 5 years ago | (#26896903)

Any security measure other than a (secure) password for computers is not going to provide much security. Fingerprint scanners can be bypassed, physical dongles can be duplicated, and other things are trivial to remove. A secure password with encryption is the only way that you can really make sure a computer is 100% secure. But most people don't need 100% security. There are very few robbers who would steal a laptop then proceed to attempt to remove data on it via fingerprints or other biometrics. So for the average user, it isn't a security risk. It's like saying that locking your door at night isn't good enough because a determined person can break through the glass.

Re:Ummm... (3, Funny)

QuantumG (50515) | more than 5 years ago | (#26896925)

Heh, if you have physical access the game is over. "Lock your terminal" is merely a poor defense against bored pranksters (beating their head in if they touch your machine is the only effective deterrent).

Re:Ummm... (1)

MichaelSmith (789609) | more than 5 years ago | (#26897051)

Heh, if you have physical access the game is over. "Lock your terminal" is merely a poor defense against bored pranksters (beating their head in if they touch your machine is the only effective deterrent).

Let's say that the terminal only gives you a remote desktop on a secure remote system, and your credentials are required to authenticate.

Re:Ummm... (1)

mysidia (191772) | more than 5 years ago | (#26897455)

Presumably, there is still the risk someone could find a bug in your terminal in order to allow them to unlock it and resume your remote desktop session.

Or more likely: modify your terminal to record all keystrokes (could be a trap or snooping device they install on your PS/2 port, a hidden camera above KB, or a decoy keyboard), and later come to collect the log and reconstruct all your credentials at their convenience.

Re:Ummm... (1)

tepples (727027) | more than 5 years ago | (#26897757)

Let's say that the terminal only gives you a remote desktop on a secure remote system

For one thing, the cost of access to the secure remote system would then include $40[1] per month for mobile Internet access, which is $40 more than a system running on a laptop or other computer without a continuous Internet connection would require. Take this into account in your cost/benefit analysis. For another, the attacker could still install a keylogger on the terminal to capture your credentials.

[1] Price of T-Mobile's cheapest plan for a USB mobile broadband dongle. AT&T charges even more.

Re:Ummm... (1)

Quest4RelativeTruth (1473873) | more than 5 years ago | (#26897325)

High level encryption (with a short out password) could force you to erase the data on the hard disk, or make it unusable, if the computer is stolen, but that would also wipe the data if the user forgot their password. Without high level encryption, just plug in a live disk and you have access to all the data. If you want to secure data, make sure your disk is secure, and don't leave it on the table at your favourite cafe. The concept that software can protect hardware is nonsense. Once someone has access to your hardware they can wipe your software security programs.

Re:Ummm... (1)

mysidia (191772) | more than 5 years ago | (#26897501)

A skilled enough attacker can halt your running system and make a perfect image of system memory, CPU, and hard drive on another system.

Also, once they have multiple block-level image copies of your HD, no software trick can erase all data, because the attacker has multiple copies of the data (some of them on read-only media).

Re:Ummm... (2, Interesting)

xwizbt (513040) | more than 5 years ago | (#26897111)

My iPhone locks itself after a minute and demands a four digit passcode.

It's not the perfect solution, I know, but I don't mind tapping a four digit key out on my keypad after a minute's inactivity on my Mac. Maybe 5. Maybe 10.

That's enough - once you've stolen my Mac, you need to be with it every ten minutes... forever.

Re:Ummm... (0)

Anonymous Coward | more than 5 years ago | (#26897261)

Mine also erases itself after entering the wrong password 10 times.

Re:Ummm... (1)

mysidia (191772) | more than 5 years ago | (#26897539)

Because thieves+hackers (thackers) have no clue how to copy your precious data to WORM media, reset your password, and change your screensaver timeout duration?

Changing the password (1)

tepples (727027) | more than 5 years ago | (#26897771)

I don't mind tapping a four digit key out on my keypad after a minute's inactivity on my Mac. Maybe 5. Maybe 10.

That's enough - once you've stolen my Mac, you need to be with it every ten minutes... forever.

Or the thief can just change the PIN to 1337 and have access whenever he wants.

Re:Ummm... (1)

mysidia (191772) | more than 5 years ago | (#26897431)

Passwords can be cracked, once the hash has been found. Anything shorter than 10 characters can be very easily cracked.

So if by 'secure password', you mean password so secure it's essentially 'impossible for a human to remember' or discover, then yes.

Oh, and once the attacker has physical access to the running machine, all is lost, the exceptional cases are full-hard-drive encryption, machine powered off. And even then, passwords as secure as you can make them, but within normal human ability to generate and remember, can be cracked.

(Anything written down is insecure: attacker can steal the paper)

... Wow. (3, Interesting)

Valdrax (32670) | more than 5 years ago | (#26896905)

The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user [...]

Tragically, sadly obvious. Not even a hack, really.

one small problem (1, Interesting)

westlake (615356) | more than 5 years ago | (#26897673)

Tragically, sadly obvious. Not even a hack, really.

if it is not an inside job - how does the thief get his photograph of the "authorized user?"

when the sensor is a webcam - why not include motion or depth perception in the authentication process?

if the camera is sensitive to infrared why not confirm that the heat signature of a live body is present as well?

Do not look... (0)

Anonymous Coward | more than 5 years ago | (#26896915)

... into laptop authentication device with remaining eye.

Hmmm, maybe I should change my password... (1)

InsertWittyNameHere (1438813) | more than 5 years ago | (#26896917)

My password is 'penis'. If you know what I mean.

Re:Hmmm, maybe I should change my password... (1, Funny)

Anonymous Coward | more than 5 years ago | (#26897077)

So many choices...

1. Hi there! Normally I have to chop off a user's right index finger to successfully pass authentication. I'm sorry to tell you that it seems your finger won't be enough...

2. I hope your laptop's biometric device comes with a built-in microscope. If not, will you be able to sue for being told it was one-size-fits-all?

3. So rather than hold up a photo of your face to authenticate myself to your laptop, I should instead hold up a sewing needle?

4. My password is 'castrate'. If you know what I mean.

captcha: heckle (ha!)

Neither can... (1)

Puffy Director Pants (1242492) | more than 5 years ago | (#26896921)

the vulnerability of any Password system, if you have sufficient time and access.

Well, I suppose you could set up a system to self-destruct after a number of failed attempts, but really, how many of us need that?

Last season in Burn Notice (3, Interesting)

HomerJ (11142) | more than 5 years ago | (#26896941)

Even made a point of saying "facial recognition systems aren't all that secure. They can't tell the difference between a person and a photo of the person". Then he proceeded to break into the room by holding up a picture of someone that had access.

Re:Last season in Burn Notice (3, Insightful)

ari_j (90255) | more than 5 years ago | (#26897437)

And Mythbusters has fingerprint scanners covered. As others have pointed out, use your faceprint or fingerprint for identification and a password or the like for authentication. Hell, even in Star Trek you have to say "Authorization Picard Alpha Two" in Picard's voice to blow up the ship.

Re:Last season in Burn Notice (2, Informative)

citizenr (871508) | more than 5 years ago | (#26897521)

yes, and in last episode they showed how you can defeat cellphone jammer using Ethernet patchcord connected into mainframe as an antenna .. this show is full of GARBAGE Science

good security (0)

Anonymous Coward | more than 5 years ago | (#26897031)

Good security includes at least two methods of authentication: 1) something you have (smart card), 2) something you know (password/passphrase), and/or 3) something you are (biological property of you). Facial biometrics would be classified as something you are. Combining this technology with a sufficiently complex password in a 2-stage authentication process would be plenty strong for home/consumer use. Of course security is vulnerable when you only use one method. Password crackers have been available for decades.

I'm against facial recognition because... (3, Insightful)

Coder4Life (1396697) | more than 5 years ago | (#26897091)

...your average joe-6-pack criminal isn't going to have the brain cells for black hat cracking stuff like this. If they can't get into the laptop, they are probably going to part it out and sell it for any money they can get. On the other hand, if they have full access and can get wifi somewhere, then having Adeona (http://adeona.cs.washington.edu/) installed might pay off. A chance of getting your laptop back is probably better than none at all... If you're really concerned about security, TrueCrypt + usb key would probably be a better choice imo. I guess it all comes down to how secure you want your laptop to be...

Gesture + facial recognition (4, Interesting)

Anonymous Coward | more than 5 years ago | (#26897167)

Wonder if, when you 'enrolled' your face in the recognition software, you held your hand(s) up in the image forming a symbol -- peace sign, one finger salute, whatever. Then someone would have to capture your image at the instant you authenticated.

It would be customizable and changeable, unlike your face, and hard to duplicate blindly.

Stereo cameras and multiple pictures (1)

ModernGeek (601932) | more than 5 years ago | (#26897173)

From my point of view, it seems this could be combatted by using two cameras and depth perception, movement detection. The same way we are able to judge these things. Then the cameras would be able to tell if it was a picture or not. Also, if the cameras could move on a track, and look up, down, left or right, this would make it even more accurate.

Re:Stereo cameras and multiple pictures (1)

squidinkcalligraphy (558677) | more than 5 years ago | (#26897503)

for two cameras, just use two photos (taken with a stereo camera). Depth perception is already reliant on this, so adds nothing. But it seems unlikely laptop manufacturers would add a second camera just for this purpose. Unless they also do cool 3D video stuff. But if that's the case then you could just plonk a similar laptop (which has previously recorded a 3d video grab of the subject) in front of the stereo cameras. It's the same thing, just a little more complex

You expect us to be surprised? (2, Interesting)

thethibs (882667) | more than 5 years ago | (#26897197)

Of course they broke it. "Biometric Authentication" is an oxymoron. The correct phrase is "Biometric Identification". A face or a finger are a claim of identity that still needs authentication with some form of secure credential, e.g. a password.

No Id and no authentication is "public". Id but no authentication is "public, but stupid about it".

Re:You expect us to be surprised? (1)

ChatHuant (801522) | more than 5 years ago | (#26897571)

A face or a finger are a claim of identity that still needs authentication with some form of secure credential, e.g. a password.

Yup, it's Lenovo et al.'s mistake, for using face recognition for both identification and authentication. The two functions are different, and should remain separate. Via Schneier's Cryptogram, here [microsoft.com]'s a good article explaining why merging them is a bad idea.

So this is the reason (0)

Anonymous Coward | more than 5 years ago | (#26897237)

A sentry won't shoot a spy wearing a paper mask.

Mythbusters & fingerprint recognition (2, Insightful)

mattack2 (1165421) | more than 5 years ago | (#26897279)

Well, Mythbusters got past fingerprint recognition systems with a Xerox and a Sharpie (after getting the fingerprint off of a can or glass, IIRC). My comment at the time to the group I was watching it with was approximately "I hope their stocks drop hugely tomorrow".

Re:Mythbusters & fingerprint recognition (2, Informative)

Cobra Spaz (1480491) | more than 5 years ago | (#26897447)

Fingerprint readers are very easy to crack if you have someone's fingerprint. The last company I worked for they had two types of fingerprint readers. You could crack them both by placing a scanned image of the fingerprint on the reader. The only difference between the two was that one of them only scanned if it sensed enough heat and the scan plate was grounded by being touched. So it was slightly more difficult to crack. It took awhile to find the right paper that allowed enough heat to come through and then we pass the grounding check by barely touching the edge of the scanner with one of our fingers. Biometric protection is great when it is part of a multi-layered scheme however by itself it is too easy to bypass. I still think that facial recognition and/or a fingerprint scanner is a great addition to a strong password, but it should never be used by itself to begin with.

Re:Mythbusters & fingerprint recognition (1)

0123456 (636235) | more than 5 years ago | (#26897567)

"I still think that facial recognition and/or a fingerprint scanner is a great addition to a strong password, but it should never be used by itself to begin with."

Yeah, rather than the bad guys just beating your password out of you, now they get to cut off your fingers and your face too.

Re:Mythbusters & fingerprint recognition (0)

Anonymous Coward | more than 5 years ago | (#26897785)

There are also vein-reading biometric systems which are a bit more difficult to crack.

well sure (3, Insightful)

Drumforyourlife (1421647) | more than 5 years ago | (#26897311)

but wouldn't those hackers be pissed if they go through all the trouble to get a good face pic of the user only to find out that there's a password screen immediately after that. i'd say it's a great addition to a layered security system.

So much for "biological signatures". (1)

Ungrounded Lightning (62228) | more than 5 years ago | (#26897313)

In a recent posting [slashdot.org] I pointed out how fingerprint and retinal scanners could be fooled.

An AC followed up claiming that "devices designed for actual security" also checked "biological signatures" to avoid being fooled by static images, fake fingerprints, and the like.

I responded that security vendors have a long history of claiming their stuff is testing for much more than it actually is, counting on this to deter attempts to actually break it. I expected that, as past behavior is a good predictor of future behavior, it would be reasonable to expect that this is also true of the "biometric" security measures currently sold to both the public and the government.

I'd say this puts the lie to any "biological signature" claim for at least this face recognition product, doesn't it?

And for dinner... (0)

Anonymous Coward | more than 5 years ago | (#26897345)

...they have a nice biometric chianti with some biometric fava beans.

Prior "art"? (1)

Amarok.Org (514102) | more than 5 years ago | (#26897411)

I'm pretty sure we demonstrated this technique back in Space Quest III...

Oh come on, I'm not the only one who remembers that game!

why is this new (0)

Anonymous Coward | more than 5 years ago | (#26897553)

this has been done what over a million times before back in what 2000 or so I remember doing this to another program that we had setup in our high school class room

Motion detection and/or eye tracking? (1)

marciot (598356) | more than 5 years ago | (#26897735)

I guess this can't be perfect, but there might be ways to improve it. For instance, one could combine it with motion detection and refuse to authenticate if the source image was perfectly steady. This would force the attacker to use video. Or, they could use eye-tracking and move a dot around the screen in some pattern, only authenticating if the user was fixating on the dot. This would prevent the attacker from using a video recording.
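The motion check and moving-dot gaze challenge suggested in the comment above, sketched as an added example (not part of the original comment or of any vendor's code). Face-centre and gaze coordinates are assumed to come from a hypothetical tracker, the thresholds are assumptions, and all sample values are constructed.

```python
import math
import secrets

def make_challenge(steps=6):
    """Fresh random dot positions (normalised 0..1 screen coords) per attempt."""
    rng = secrets.SystemRandom()
    return [(rng.random(), rng.random()) for _ in range(steps)]

def has_motion(face_centres, min_delta=0.002):
    """A held-up photo gives a (near) perfectly steady face position."""
    return any(math.dist(a, b) > min_delta
               for a, b in zip(face_centres, face_centres[1:]))

def gaze_follows(challenge, gaze, tolerance=0.08):
    """Every gaze sample must land near the dot shown at that step."""
    if len(gaze) != len(challenge):
        return False
    return all(math.dist(dot, g) <= tolerance for dot, g in zip(challenge, gaze))

def liveness_check(face_centres, challenge, gaze):
    """Run both checks in order and report the first one that fails."""
    if not has_motion(face_centres):
        return "reject: static image"
    if not gaze_follows(challenge, gaze):
        return "reject: gaze does not follow challenge"
    return "pass"

# Constructed sample data (hypothetical tracker output, not real captures).
# Fixed challenges are used here for reproducibility; a real attempt would
# call make_challenge() so the pattern cannot be known in advance.
PHOTO_FACE = [(0.50, 0.50)] * 4
LIVE_FACE = [(0.50, 0.50), (0.51, 0.50), (0.50, 0.49), (0.52, 0.50)]
OLD_CHALLENGE = [(0.1, 0.1), (0.9, 0.1), (0.5, 0.9)]  # pattern from an earlier login
NEW_CHALLENGE = [(0.9, 0.9), (0.1, 0.5), (0.5, 0.1)]  # pattern for this login
REPLAYED_GAZE = list(OLD_CHALLENGE)                    # recording of the earlier login
LIVE_GAZE = [(x + 0.02, y - 0.02) for x, y in NEW_CHALLENGE]

if __name__ == "__main__":
    print(liveness_check(PHOTO_FACE, NEW_CHALLENGE, LIVE_GAZE))
    print(liveness_check(LIVE_FACE, NEW_CHALLENGE, REPLAYED_GAZE))
    print(liveness_check(LIVE_FACE, NEW_CHALLENGE, LIVE_GAZE))
```

The recording fails only because the dot pattern differs on every attempt; a fixed or predictable pattern would let the same recording pass again.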