Identification By Typing
crazy_speeder writes: "Musicrypt.com is developing a biometric identification system that captures user keystrokes to verify the user's purchase of specific copyrighted materials (i.e. downloaded music), and only that user can use it."
I'm really skeptical about them getting something like this to work,
I mean, I make typos in my 12 character password, but to be expected to type a sentence with the same rhythm? I still want retina scanners.
This actually makes sense (Score:2)
I imagine these things are extremely individual. It really does make sense, you know.
Dave
P.S.: It'd be moderately hard to reproduce someone's typing style, but it'd still be harder than re-producing their password
Intoxication (Score:1)
Also, I know my own typing varies from keyboard to keyboard dramatically, as I expect is the case for many others. I bet my mood alters it slightly too.
Not that this thread needed more people downing the idea, but hey, it really is stupid.
Uhmm.. NO (Score:1)
Re:What if you own cats? (Score:1)
Dammit! This happens every type I'm cybering the Hanson fans.
Gestural Passkeys (Score:1)
Re:Still flawed though... (Score:1)
Not really. The key in a file that represents your retina scan is not necessarily anything more than useless. Let me explain: Take, for example, the way passwords (non-shadow) work in Linux (probably other systems as well, but I only know this for sure). When a user first sets their password, the string is run through crypt() (note that this is a one-way function - the original password cannot be derived from the crypt()ed text) and saved in a file. Then, when the user logs in, the login program runs the supplied string through crypt() and compares the result to see if it matches what's stored in the file. If it matches, that means the user entered the same string as was used to set the password.
Now, to apply this to retina scanning, the scans would probably be converted to some sort of identifying number (or possibly just a bitmap image), which would then be one-way encrypted. The same procedure outlined before would be used to see if the same retina was being scanned.
You can see, then, that it is possible to store a representation of the password that is not compromising if stolen (it can make brute-forcing easier, but it does not give away the actual password).
It is true that the signals from the scanner to the computer could be captured, but remember that this would be the same as capturing the signals from a keyboard to a computer.
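The store-and-compare login procedure described in the comment above, as an added example that is not part of the original post. PBKDF2 from Python's hashlib stands in for crypt(), and the passwords and the 32-byte "scan" are constructed values; the last case shows that the comparison only succeeds when a second reading is bit-for-bit identical to the enrolled one.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for this example


def enroll(secret: bytes) -> tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values go into the credential file."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return salt, digest


def verify(candidate: bytes, salt: bytes, digest: bytes) -> bool:
    """Re-run the one-way function on the supplied input and compare the results."""
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate, salt, ITERATIONS)
    return hmac.compare_digest(recomputed, digest)


def bits_different(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length readings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo() -> dict:
    results = {}

    # Case 1: a typed password. The same string always yields the same bytes.
    salt, digest = enroll(b"correct horse")
    results["password_same"] = verify(b"correct horse", salt, digest)
    results["password_wrong"] = verify(b"correct h0rse", salt, digest)

    # Case 2: a scanner reading reduced to a fixed-length value.
    # Both readings are constructed; the second differs in a single bit,
    # standing in for ordinary sensor noise between two scans of the same eye.
    scan_enrolled = bytes(range(32))
    scan_again = bytearray(scan_enrolled)
    scan_again[5] ^= 0x01

    salt, digest = enroll(scan_enrolled)
    results["scan_identical"] = verify(scan_enrolled, salt, digest)
    results["scan_one_bit_off"] = verify(bytes(scan_again), salt, digest)
    results["bits_different"] = bits_different(scan_enrolled, bytes(scan_again))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A one-way function gives no notion of "close", so a stored digest of a raw reading can only confirm an exact repeat of that reading.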
Re:Sperm Scanners (Score:1)
Au contraire, ~50% of the population would be able to crack a sperm scanner with ease, as long as they could get to it within a few hours of the deed, and they had non-porous panties.
Exactly why this isn't going to work in a home... (Score:1)
When I'm sober, I type fairly efficiently, with a minimum of backspacing, and I'm pretty speedy -- Something on the order of 75wpm. Hardly the fastest typist anywhere on the planet, but me and my IBM keyboard manage to band together and kick some a** for truth and justice! Er, whatever.
After a couple Sapphire and Tonics, though, my typing goes to crap for short periods, and then I manage to get a few paragraphs out at like 90 wpm, perfectly clean, zero errors, just flow through it... right before my typing goes into the toilet.
Now, there WILL be some common elements between my typing sober and drunk, but I think there's going to be more dissimilarities than anything else - Your brain just gets busy doing other things and it steals cycles from what you were supposed to be doing, like typing for example -- And this is going to introduce semi-random latencies, which is exactly the kind of thing which will break a system like this.
Granted, it could probably learn your typing in those conditions as well, but it's going to think you're someone else until it's trained. It would be terribly amusing if the computer decided that you were your child when you were high -- It would certainly tell you something about your habits.
In any case, the only way to really get around the lack of typing input which one will experience while websurfing is to make you type something when you sit down at the computer. Running you through some text that you would ordinarily type, and some that you wouldn't as well would be the optimal situation, though eventually the text you wouldn't ordinarily type is going to become familiar... Also, what happens when your keyboard dies and you get a different one? Suddenly, nobody is who they used to be.
Re:There's a reason they're called GPS receivers.. (Score:1)
It's called, "wireless phone".
Law enforcement in the UK has already used cell phone system logs (which track roughly where you are in relation to their towers) to disprove falsified alibis.
"You say you were still in London that day?"
"Yes."
"...and you received a call from so-n-so?"
"Yes."
"That call, as logged, was answered by a cell phone operating through a wireless station in Edinburgh!"
Security-Token of the Week fads (Score:3)
Part of this is expense. The most secure building that's still useful is one with one door and no windows. But that's an emergency-evacuation and traffic-control disaster waiting to happen, as well as a workplace-standards tragedy, so you add a freight dock, a rear entrance, a bunch of windows in the Managers' offices, a skylight with louvers that close automatically at sunset (oops, pardon me, too much MI:2...)
Now you have to secure all these potential access points (windows count too, unless they're built like arrow-slits) and sheer numbers work against you -- the first time somebody leaves a window unlatched when the room is empty the probability wave of an undetected intrusion starts to spike.
(You can think of intrusions in a quantum fashion -- given how long that access point was left unguarded, and the configuration of the facilities, and the traffic patterns, what is the probability that someone had access to various points and no one's noticed yet? Los Alamos take note...)
The rules for system security much resemble those for facility security in many ways:
Anyway, that's just rambling on a bit. The dominant paradigm of strong security is "something you have, something you know, and something you are". Any security system where one of these is sufficient to grant access is inherently insecure. Any system where all three are required in a specific form is probably very secure, but probably also very annoying to its users.
A system where you have to satisfy, say, two of the three in one of various ways is probably going to be OK for most purposes. Say you can use a voice-print, retinal scan or fingerprint scan plus your electronic access card, or you can show another form of ID to the guard (there better be a guard) and he can optionally clear you in manually if the other check is passed. Filling out your I-9 form for Immigration (to prove you are allowed to work in the US) works sort of like this. Note also that by this method ordinary shell password authorization is very insecure, (right, we knew that) while the SSH model of key + password is relatively secure (unless you set your ssh up to authenticate solely off the key, in which case you should now go back to grinding out code for IIS you sick little monkey!)
But real security takes real thinking and real money, and most companies don't want to expend either if they can help it. They'd rather have something that looks cool so they can brag about it. In this case they're not only using a single fallible authentication method, they're using one that, as pointed out before, has so much inherent noise in it that it's easy to defeat and thus nearly useless.
The article doesn't say whether you're typing a set sample text or a user-selected passphrase. The "right" (well, not right, but at least better) way to do this is to have the software try to verify the user through both a passphrase (something you know) and the typing biometric (something you are). If they both match, fine. If either one matches perfectly and the other is close, that should by default allow use, not restrict it (which is to say, the system should "fail open" like an emergency door).
But what are the odds of that happening?
I'm getting the wrinkles out! (Score:1)
Cat haters will understand.
Observe, reason, and experiment.
Broken Hand = No Music (Score:1)
Re:Still flawed though... (Score:1)
I think what he is saying is that to get through a retinal scan he only needs to get a scan of your eye, and then go someplace and replace the scanner with something that inputs your retinal scan.
A retinal scanner is hardware that produces electrical signals. Those signals can be faked if you know what they are.
While passwords are not very good, I generally know if I reveal one, and there is no way someone can build a machine to get my password from a distance. (Barring brainwave scanners which currently we don't even think are possible) Someone could build a retinal scanner that works from 20 feet, put it in a room where you are likely to be, and store your scan. There is no way to change your retinal scan, so once I build a device to impersonate you I can fool any machine.
Re:Usually I don't respond... (Score:2)
Doh! So, if I make all kinds of typos like Rob you'll respond, but if my brain shifts a bit out of phase and I misread something you type I become an idiot?
Yep. My post was plain stupid when I read the original (I even quoted it for cryin' out loud). That doesn't make the one who posted it stupid. By your reasoning I'd have to judge you abusive and would urge you to get professional help.
Thanks for finding me exceptional though!
carlos
All in vain (Score:1)
Exactly. (Score:1)
Right! When I'm coding, I type pretty fast; when I'm writing an email or a piece of literature, I type REALLY fast, and when I'm filling out order forms for online purchases, I type SLOW to make sure I'm not making any errors.
Not only is the premise flawed, but the original idea is pretty silly, too. Now give me a good Wacom tablet and some handwriting recognition software...no, no, somebody could trace my sig. Retina scan, CmdrTaco? Sure...now is that pre- or post-LASEC?
The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk
Re:Why Keystrokes and not Digital Certificates (Score:2)
2) Digital certificates are issuable by people for anyone for free. Try GPG for size.
3) See part (1), but you can't *guarantee* anything. You need to double-check fingerprints of keys, but even then if they used telnet to access their mail remotely and somebody sniffed the private key password then all you'd know is that they are one of the people on the planet who can unlock that key (not the best example but the point holds. It's no *guarantee*.)
4) DCs don't cost money. You accept my GPG key, you can talk to me. Nice, Free, free, open-source, you name it.
~Tim
--
Various whines about legality aside,the tech works (Score:1)
One of our instructors has on a couple of occasions related his experiments with similar password software (Don you reading? Fill in the details...) He stated that with the software on its most forgiving setting, and with him deliberately trying to vary his typing speed, it still recognized him most of the time, and foiled the majority of attempts by others in the lab to duplicate his keyrate (he had given them the password). On its strictest setting, he, still trying to vary his keystrokes, got in about half the time, but no one else succeeded in doing the same.
I think this could easily catch on. People will not go out of their way to foil it, and our typing patterns can be almost as individual as a retina scan.
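An added example (not the software the instructor tested, and not Musicrypt's or BioPassword's method) of the forgiving/strict trade-off the comment above describes: a template of per-key latencies, scored by scaled distance against a threshold. All timing samples, the two threshold values and the function names are constructed for illustration.

```python
from statistics import fmean

MIN_SPREAD_MS = 5.0   # assumed floor so a very steady typist never divides by ~0
FORGIVING = 3.0       # hypothetical "most forgiving" threshold
STRICT = 1.5          # hypothetical "strictest" threshold

# Constructed data: milliseconds between consecutive key presses of one
# six-character passphrase (five gaps per attempt).
ENROLLMENT = [
    [120, 200, 150, 300, 180],
    [140, 220, 130, 320, 160],
    [100, 180, 170, 280, 200],
    [120, 200, 150, 300, 180],
]
OWNER_VARYING = [            # the owner deliberately changing pace
    [125, 195, 155, 310, 175],
    [140, 220, 170, 320, 200],
    [105, 190, 145, 285, 175],
    [150, 230, 180, 330, 200],
    [170, 260, 190, 350, 230],
    [115, 205, 150, 295, 190],
]
OTHERS_WITH_PASSWORD = [     # colleagues who were told the passphrase
    [90, 150, 220, 240, 120],
    [200, 280, 230, 380, 260],
    [135, 215, 170, 325, 200],
    [60, 100, 80, 150, 90],
    [145, 230, 125, 330, 150],
    [160, 250, 200, 260, 240],
]


def enroll(samples):
    """Build a template: per-gap mean and mean absolute deviation."""
    if len(samples) < 2:
        raise ValueError("need at least two enrollment samples")
    width = len(samples[0])
    if any(len(s) != width for s in samples):
        raise ValueError("enrollment samples must have equal length")
    columns = list(zip(*samples))
    means = [fmean(col) for col in columns]
    spreads = [
        max(fmean([abs(x - m) for x in col]), MIN_SPREAD_MS)
        for col, m in zip(columns, means)
    ]
    return means, spreads


def score(template, attempt):
    """Average deviation from the template, in units of the owner's own spread."""
    means, spreads = template
    if len(attempt) != len(means):
        return float("inf")   # wrong number of keystrokes never matches
    return fmean([abs(x - m) / s for x, m, s in zip(attempt, means, spreads)])


def accepted(template, attempts, threshold):
    """Count how many attempts score at or below the threshold."""
    return sum(1 for a in attempts if score(template, a) <= threshold)


def trade_off():
    """False rejects (owner locked out) against false accepts (others let in)."""
    template = enroll(ENROLLMENT)
    table = {}
    for name, threshold in (("forgiving", FORGIVING), ("strict", STRICT)):
        table[name] = {
            "owner_accepted": accepted(template, OWNER_VARYING, threshold),
            "others_accepted": accepted(template, OTHERS_WITH_PASSWORD, threshold),
        }
    return table


if __name__ == "__main__":
    for setting, counts in trade_off().items():
        print(setting, counts)
```

Lowering the threshold removes the false accepts only by locking the owner out more often, which is the pattern the instructor reported.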
Re:This Won't Work (Score:3)
...burns, jammed fingers, scraped knuckles, fingers caught in doors, arthritis flareups, changed keyboards, same keyboard but dirty, having a few beers -- even hand lotion can make me type a little different.
There's no shortage of reasons why this won't fly.
Bad idea! Bad! Bad! (Score:1)
What about when typing on a laptop, or one of those ergonomic (not!) keyboards?
Of course, this must be doomed to failure. I hope.
Re:Security-Token of the Week fads (Score:1)
Key capture anyone? (Score:1)
They're really desperate, aren't they... (Score:1)
May their business die a slow and painful death.
From the makers of "Net Nanny" (Score:5)
I do not type consistently from moment to moment. Heck, I don't even "type" I hunt and peck really fast... Sometimes I type one handed... sometimes two... This software has NO chance of correctly identifying me.
Add that to the great "hit rate" that is consistent with Net Nanny, and you will find that this software will more often than not block legitimate users from accessing the music.
Besides, as another user mentioned, this whole idea is based on a flawed premise. Music purchases are not tied to a single user. I may be buying this music as a gift. I may be buying this music to transfer to my car mp3 player (which has no keyboard) Or my Lyra (also no keyboard)
When I buy music, I get FAIR USE RIGHTS
Copying music is NOT a crime. This is the reality. The RIAA is the fiction...
-Count Zero
I'm against it (Score:1)
downloadable music (Score:1)
I'll bet it doesn't work. (Score:2)
I also hunt and peck for passwords most of the time so that I can keep my hand on the mouse. Or how about network lag between keystrokes over a slow network connection when using telnet, WinVN, or other remote access? Or how about as your typing changes over time as you get better, or as you develop carpal tunnel syndrome and it gets worse?
I don't think I'll be buying music with this security. Sounds a bit too easy for me to lose it or not be able to listen to it.
What about... (Score:1)
98% Reliability?! (Score:1)
Re:Charlatans selling magic boxes (Score:1)
Here's a quick extract which pretty much sums it up... "Against all of these systems -- disappearing e-mail, rights management for music and videos, fair game playing -- there are two types of attackers: the average user and the skilled attacker. Against the average user anything works; there's no need for complex security software. Against the skilled attacker nothing works. And even worse, most systems need to be secure against the smartest attacker. If one person hacks Quake (or Intertrust or DisappearingInc), he can write a point-and-click software tool that anyone can use. Suddenly a security system that is secure against almost everyone can now be compromised by everyone."
An extract from the Crypto-Gram Newsletter [counterpane.com], ladies and gentlemen. A fine publication.
Re:Where do I start? (Score:1)
Then we could hook that urinalysis machine to the cpu heatsink and OC this baby! Be the first on your block to have a liquid cooled 1.8Ghz dual celeron system! Weeh! umm, no I meant - wee-wee! (btw - OC=over clocked)
Re:What if you own cats? (Score:2)
Not all that new (Score:4)
A more recent paper by Fabian Monrose and Aviel Rubin with the title Authentication via Keystroke Dynamics [nec.com] might enlighten those interested in this, and I am sure that you'll find some interesting references on the above web page.
Scepticism is often healthy, but when it comes to new ideas, "new" being used in a very relative sense here since the idea is apparently "new" to Slashdot staff, one should be more keen to understand them before writing them off.
-Bjørn
Re:This Won't Work (Score:1)
I'm baking this kellogs pastry thingee in a toaster oven. Now I'm a veteren of many a pop-tar, but this is a variation on the theme that I'm unfamiliar with... the little bell goes off and I excitedly whip the glas door open. I rish inside to grab the tasty treat, only to overshoot, and plunge my fingers into the surface.
Now poptart frosting is made of some bizarre substance that nobody has ever quite reverse engineered. Scientists have heated it to thousands of degrees, yet it never leaves its solid form... I assumed that this pastry would behave similiar, but I erred with painful results. This frosting melted. I stuck my finger into it. It was hot. Real hot.
I yelp and begin sucking my fingers and making hurt noises as loud as can be expected considering my mouth is full of crisped fingers. The frosting tastes good, but my hands hurt. CowboyNeal laughs at me and I stick my fingers under the tap and run cool water over the pain.
Now I have burn blisters on 2 fingers. Damn pastry.
Bad Taco! On behalf of the RIAA I hereby suspend your music privileges.
Some things you never forget... (Score:1)
It's pretty interesting to hear that somebody is actually working on this seriously. I first heard about it back in the 80's. Believe it or not, it was a Michael Crichton story that mentioned the concept. Here's the link:
Mousetrap [simplenet.com]
I seem to recall that the article I read included this story as well as some sample code, probably in Applesoft BASIC, which attempted to implement the mousetrap technique. It was certainly crude, but it worked better than I might have expected...
NO BENEFITS TO CONSUMERS + RESTRICTIONS = BAD SALES (Score:1)
Wow, this sounds like another company who's going to take a big hit when their product comes out.
I mean.. seriously, when it comes to music transport over the net, it can very likely be said that mp3 is the currently favoured format. Introducing another format which only plays on a restricted system requiring an odd and at best, sometimes workable password/locking mechanism is doomed to failure.
Given the differences in keyboards, styles, alternating hands, sometimes single handed or single finger typing, or for those of us too lazy to move the chair over a foot or two, typing with a stick. Or typing when exhausted or half asleep or loaded on coffee.
It would be like: You entered the original pass phrase while you were standing up. But when you're in need of listening to the music, you're sitting down. Oops. What do you know, now you have just doomed yourself to having to enter the code in while standing up while using a particular keyboard.
I mean seriously, is it REALLY that hard to figure out what will not work in the public? Privacy is an issue. Free transport/playback is an issue. A biometric scan of someone's keystrokes which can identify them is something that would be a privacy issue. Making it a requirement to play music is a free transport/playback issue. {free as in freedom, not beer}.
Simply slapping on restrictions onto a custom player which offers NO BENEFITS OR ENHANCEMENTS TO THE CUSTOMER is not going to work. Divx offered nothing beneficial and actually resulted in lower quality because of all the encoding required. Sony's mp3 stick/wand/thing is like that as well. No real new benefits to the consumer but adding on a truckload of restrictions.
Do companies think this sells a product? It's like selling a computer case that's made of cast iron with a lock that only the company can open and you need to make an appointment to do so. And to boot, they charge you a whopping extra for the case with nothing in it.
Seriously, this is the kind of thing that makes me think that while the collective IQ of these companies may be formidable, their collective understanding and common sense is sorely lacking.
NO BENEFITS TO CONSUMER + RESTRICTIONS = BAD PRODUCT & NO SALES.
I think the music industry is where that Sprint Representative in the black trenchcoat should go to offer those nice clearing up phone services. Maybe then, things will be clearer and better. But then again, that would be abuse to the poor representative.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
Identification by Typo (Score:4)
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Re:Yeah, right (Score:2)
Then they will probably try to hang you out to dry via the DMCA provisions about defeating a copyright control mechanism.
...phil
Some Manager went to Comdex and ..... (Score:1)
There are more details about this system at BioPassword [http]. Their entire presentation looks like a smoke screen with a brief mention of Statistics and a frequently mentioned but no explanation of their patented method.
The only advantage I see of this over say hand writing verification is that it does not require any special hardware, but what happens in all of these cases:
1) I'm tired so I type slower.
2) I have hurt my hand or I am suffering from repetitive strain injuries.
3) I change my keyboard.
4) I spill coffee on my keyboard and the keys are a little sticky.
5) I have been working at my keyboard for months and my typing speed goes up (I have advanced from two fingers to four).
6) Since this is only available for windows at the moment and windows has crashed on me again and I am mad, so I hammer the keys home when typing the password.
I am sure others could add many more scenarios to this list.
Every biometric system has its faults, the more accurate the system the more expensive, but this has to be the cheapest and least accurate.
What if you own cats? (Score:5)
Cat owners will understand.
Re:Fatal flaw (Score:1)
"MIS! They copied my authentication! I need a new set of hands!"
Oops.
Oh yeah, by the way:
"Slashdot requires you to wait 1 minute between each submission of
It's been 60 seconds since your last submission!"
Yes, I *do* type that fast.......
~Tim
--
Don't Forget (Score:2)
I can't type and I rarely do things the same way twice, I wonder if this would still work for me.
This Won't Work (Score:4)
Retina Scan (Score:2)
Re:Where do I start? (Score:2)
It would do it by default. By lesson 5 or so your typing style just might possibly change!
"I'm sorry. You're not the same 'hunt-and-peck' typist that registered this product. Access Denied."
carlos
Different keyboard types (Score:2)
Will they never stop trying? (Score:3)
Sigh.
Time for another /. round of "spot the holes in the crap copy protection system".
The type-speed thing works on a specific pass-phrase rather than a computer-generated one-time "type this please" string, so typing speed should be easily duplicatable. Or one could set the input keypresses to a constant rate, to make it easy to fake.
And I presume this system is just as vulnerable to the likes of unfuck as anything else. Not much use being resistant to distribution schemes "like Napster and Gnutella" if you can turn them into MP3s or OGGs at the flick on an audio capture.
This is a particularly worrying part of musicrypt's 'technology' spiel (black text on a black background in my browser - nice):
Read: the publisher can at any time revoke your right to listen to the music you have purchased. And knows about every bit of music you listen to, but that's kind of obvious and expected these days, isn't it.
Once again, musicrypt, you lose. Once again, legitimate customers, you lose. Pirates? Well you're kind of unaffected. Hey ho.
--
This comment was brought to you by And Clover.
Consistency? Dvorak? (Score:2)
What happens in the case where you haven't listened to the music in two years, and your typing skills have dramatically improved or changed?
I can see how something like the authentication system you are talking about might work, but that is something that is used on an ongoing basis. If I change the way I type I can't access my music any more?
Besides, what if I decide to switch to the DVORAK layout?
Re:From the makers of "Net Nanny" (Score:2)
This program sounds stupid to me. They claim it's 98% accurate. That doesn't sound very good to me. Are 2% of their customers going to be denied access to what they pay for?
What's more, I think that 98% accuracy is a bit optimistic. In a test with lots of nice, fresh suit-and-tie computer programmers first thing in the morning at a work terminal it may be very accurate, but I type differently when I'm at home. Sometimes I turn sideways to watch TV and put my feet up. My typing style changes completely because my body is at a 90-degree angle to the keyboard. What if the user takes a typing course? I bet they haven't tested things like this.
My other thought on the subject is how amazingly easy this could be to break... VERY simple scripting/programming language Visual DialogScript has the command:
WINDOW SEND, ,
WINDOW SEND sends the contents of to the specified window as simulated keystrokes. Text can be entered as ordinary text.
People will write programs using a system like this to simulate typing. Feed that in as the initial input instead of your 'real' typing and you'd be past the security in no time. I think.
Who knows? maybe I'm totally wrong.
Michael Tandy
Secure hardware (Score:2)
But for home computers in a hostile setting ("cmon, Johnny, help mom get rid of this annoying password scheme on my Bette Midler collection") it is completely unworkable. It is relatively easy to figure out where the biometric input is collected and collated (ie, after the NN has had a chance to guess on whether the variances in typing speed / retina patterns are pass/fail).
It can't stand up to more than five minutes of reverse engineering.
Re:This Won't Work (Score:2)
Tough luck.
Re:Where do I start? (Score:5)
That's why the only good solution is an onboard urinalysis machine, bolted to your computer's case. This will indisputably verify your identity, and will also help prevent you from buying products on Ebay while drunk. Of course, you will need a six-pack on hand by your computer if you want to listen to a long playlist, but then again, who doesn't have that already?
This is an end-run around first-sale (Score:2)
The DMCA is designed to outlaw fair use. They don't like that you can legally use excerpts from copyrighted works, so they purchased a law that effectively allows them to "opt out" of fair use by simply encrypting their material.
Now they are out to do away with the first sale doctrine. First sale means that once you buy a copyrighted work, you have the right to turn around and resell your copy. That's why used record stores are legal. That's why you can go to a used record store and buy an old record that is out of print.
If the recording industry is successful in adopting biometrics (which I don't think they have a chance in hell of), then old music will, by design, wither away and die after it goes out of print. Think about it
The industry is well aware that their biggest competitor is their own body of old work. If people spend their time purchasing and listening to old music, that is less money and time they are spending listening to the brand new music that the industry wants us to pay attention to.
That's what this is about
oh, not just that (Score:2)
Can't change that shared secret once it's compromised, no sir. (well, maybe you could switch eyes, once)
And then, even though more recent systems depend on the eye being alive to work, there are still the stupid uninformed goons who would go around gouging people's eyeballs out.
Not to mention you're SOL if you have an accident or something.
Biometrics are BAD. (Score:2)
I used to work at a government related thing. One of the places had a very secure computing center.
They discontinued using retinal scanners when it turned out that an identical twin had a better than 10% possibility of fooling the system. That was just as well. No-one wanted to have access to the "retina room." The thinking was that if the Russians or Libyans wanted in, they'd just borrow what they needed to open the door. Obviously, borrowing just your eye wouldn't work very well (it would damage a lot of delicate blood vessels), so we figured they'd borrow your whole head if they really wanted in. Well, that probably wouldn't work either, but we wanted to avoid the risk just in case they'd try it.
So after the retina scanner went away, they put in a palm scanner. Evidently, early environment affects fingerprints sufficiently that a palm scanner (which gets prints from four fingers, and several different areas on the palm itself) has a higher discrimination, and can much more reliably detect tricks like identical twins. Of course, using the same logic we all used before, we tried to avoid having access. If we had to get signed up for that room, we'd ask if we could get our left hand keyed (at least those of us who are right handed).
Of course, the actual risk was probably infinitesimal. But just the same, why should we have taken those risks? If the "enemy" wants your password enough, they'll get it, whether it's a phrase, body-part, typing pattern, DNA sample, or whatever. They may have to kill you for it, or threaten someone you love. But if they want it enough, and they have the means to access you, they'll be able to get your password.
If we extrapolate out to music, it's a bit ridiculous. No-one's gonna cut your hand off so they can listen to your MP3s. But it's the wrong direction to be taking this. By emphasizing biometrics, we not only give credence to the idea that they're secure (which they're not), but we also start irrevocably linking our security to our selves.
Think about it. The Evil entity snags your computer: if the data is protected by a password, there's no way that they can prove that the data is *yours*. You might know how to decrypt it, but the ownership is not provable by that fact. You could plausibly argue that the file was placed on the server by someone else. Now, if that same file was encrypted by your palm-print, that defense is gone. Suddenly, they KNOW that they're your DeCSS sources, or Metallica MP3s, or $cientology documents...
-
bukra fil mish mish
-
Monitor the Web, or Track your site!
Typical password sequence ... (Score:2)
Input Password:
***** - sorry, you missed a beat
Input Password:
***** -
Input Password:
***** - nope, i got at least a 5 ms discrepancy there
Input Password:
***** - maybe it's just lag, but that one was WAY off
Input Password:
***** - you just don't get it, do you
Input Password:
***** - Keystroke rhythm confirmed; password incorrect.
At this point the user will be forced to find a new monitor after he puts his keyboard through the one he's using now.
--Forager.
Deja-vu (Score:3)
The story emphasized the geek's contempt of older users and human-engineering issues; the kid was caught by an older engineer who identified his fake logins by his typing pattern.
As soon as he was identified, he was switched to a honeypot where the trade secrets were replaced by porn files. His "customers" were pissed enough to let the kid have a very intimate explanation with a sumo wrestler...
--
Here's my mirror [respublica.fr]
If Quake can... (Score:2)
They can get the sequence of the characters you type, but can they get the time between the characters?
If Quake can read the time (to within 15 ms) when you pressed a key, then this biometric software can.
Re:What About Keyboard ID's (Score:2)
ifconfig whatever whatever whatever hw ether any:mac:adresss
You can have whatever mac you want, see man ifconfig.
Never mind securing music (Score:2)
The login screen can just display a sentence or two, the user types those sentences (mistakes and all), and the biometric algorithm will allow them in or not.
If you want to combine this with a normal password-type situation, then just don't display the sentences - expect the user to remember them. If you combine the entropy of the words in the sentence with the entropy of the biometric authentication, then you might have entropy for a decent password (even if you build in a little error correction for discrepancies in the biometric or typing the sentence).
Yeah, right (Score:2)
How about ID by playing music? (Score:2)
RIAA backs DVORAK in 2010 (Score:2)
Hmm.. so if you get a new keyboard (with either a new feel or a new layout), you need to buy all new keyboards.
If this takes off, I expect there to be an explosion of new types of keyboards on the market. A return of the IBM hard clicking keyboard (god I love these), "chicklet" keyboards (remember Atari 400 and ZX81?), ergonomic and "split" keyboards, and DVORAK layouts, etc. All secretly backed by RIAA's slush fund. :-)
---
Re:why not? (Score:2)
That's true. However, if I play music in my house, chances are that my family will be able to hear it. If I turn up the volume REALLY loud, my neighbors will probably be able to hear it. However, they haven't paid for the rights to listen to the music; I have. Can I call the cops on them for breaking the copyright -- before they call the cops on me for disturbing the peace?
Retina Scan is bad. (Score:2)
Cryptonomicon again; morse-code styles (Score:2)
I suspect the same would be true if we were all disciplined typists, like the stereotypical 1940's-era business offices crammed with female typists pounding on keyboards round-the-clock.
I think this method would require that the person to be identified has been typing for some time. A newbie typist would require several months (years?) to develop a distinct style.
But I can see where they got the idea.
---
evil thoughts (Score:2)
I can think of a number of delightfully mean things to do with such software.
1. If you type your Smashing Pumpkins passphrase in too perkily, the program forces you to listen to Britney Spears instead.
2. If you make a spelling error in your passphrase, you have to listen to Hanson's "Mmm-bop" at least 4 times.
3. If you type too slowly, you have to listen to Leonard Nimoy's rendition of Proud Mary -- but only once.
4. If your passphrase isn't politically correct, you have to listen to a Tracy Chapman song before your preferred choice.
5. All other errors require the playing of Motley Crue at the highest possible volume.
-- Diana Hsieh
why is it your property? (Score:2)
Strictly speaking, these sorts of "protection" schemes don't take that plastic disc away from you, they only limit the manner in which you may interact with certain aspects of its symbolic content.
They aren't stopping you from playing frisbee with it, using it to resurface your roof along with your AOL CDs, or cleaning the toilet with it.
let me try that again... (Score:2)
That's not specifically addressed or infringed by these technologies.
It seems to me that the state of affairs that the record companies have brought about is this:
When you buy a CD, you buy that round piece of laser-engraved metal and plastic, and you also buy a license to use its information content. (The latter accounts for most of the price of the CD)
The piece of plastic is your property. The information content is just licenced to you.
That's just how it works now.
In this context, right of first sale just means that the license must be transferred with the CD, and nobody is allowed to prevent that.
Where there IS no spoon
Sorry.
I'd also like to note that it's not really possible (semiotically or practically) to impose restrictions on the copying of information while simultaneously allowing its use in any way.
(just try to come up with a 100% consistent definition of a practical "no copying" rule -- keep caching and related techniques in mind)
It is relatively more practical to achieve some semblance of control over use directly, however, hence the sort of draconian things that the industry is suggesting.
This idea is more than 20 years old (Score:2)
We researchers had our reservations about that one, based on many of the same concerns shown here. Imagine our surprise when the blamed thing actually worked. There were enough degrees of freedom that the aggregate of the correlations it used was immune to "off days" and other such variations. This is described in Rand Report R-2526-NSF. [rand.org]
Re:What About Keyboard ID's (Score:2)
I'm sure my cubicle-neighbors would just love that.
"DEAR LORD, JASON WHY ARE YOU PEEING INTO THE COMPUTER?"
"Relax. I just want to hear some music. I'm also signing in to post things on Slashdot."
(confused employee runs away terrified, notifies security)
What about lag? (Score:2)
Last time I checked, IP was not really a time sensitive protocol. It makes sure the packets get there but not when, hence the trouble with webphones and streaming media in the early days. So to use this they're either going to have to record the whole string in a trusted client, a bad idea when security is an issue, or they are going to send the sentence letter-by-letter across the internet, where noise is going to cause serious problems with their time-based metrics. I sense possible implementation problems coming in the future...
Still it might be an interesting way to encrypt stuff on your computer. Not only would you have to know the password phrase to type, but you would also have to be able to type it properly to get access to the data. It makes passwords lots harder to crack and the extra security is almost transparent to the user.
Re:The real problem... (Score:4)
What's worse, is that all of these schemes rely on you giving the server all the information the server needs to impersonate you every time you sign in. What if your bank and your favorite pr0n site both use a fingerprint scan to ID you? Congratulations, the only thing keeping your pr0n dealer out of your bank account is their skill with a debugger! It's just like the crappy security on credit cards. Every single vendor you do business with has all the information they need to impersonate you. It's a testament to how honest the majority of people are that the entire industry hasn't gone belly up.
But the biometrics are the absolute worst, since you can't change your password. At least you can close a credit card account and get a new one. I don't know where to buy new fingers or retinas, however. The only long term solution will be based on some sort of public-key algorithm. Anything else is just a scam. Actually, the one place where a fingerprint scanner might be handy is to authenticate you to a hardware smart-card that does your public key for you. Since the whole thing is built by a single vendor in hardware, it could be made pretty secure. At a minimum, a crook would have to steal the card and have a fair amount of hardware skill to get anything useful out of it. But this whole idea of using biometrics over the internet is just a bunch of snake oil. And poisonous snake oil at that. You're better off sticking with what you have now, at least then you can be conscious of the fact that your security sucks.
Re:Ummm (Score:2)
May I know why this guy's posting was moderated as Flamebait? He posted his idea on the subject and it seems to me that it's a valid point.
I'd like to add that I don't like the idea of an identification system to listen to downloaded music: it's a move in the wrong direction.
The present system of audio CDs, which you buy once and on which you have property rights (usus, fructus, abusus) is far better than those fuzzy rights. For me it's OK to buy music I like, but please, don't turn my music experience into a techno-nightmare.
Stéphane
Have you checked out Badtech [badtech.com] The daily online cartoon?
Re:Retina Scan is bad. (Score:2)
In addition to the fact you mentioned that it's possible to surreptitiously determine a great deal about the user's health and habits (alcohol, drugs, late night web binges, etc.) there's the more formidable problem that most people view the process as unsanitary. I read a paper about this some time back. (In The Lancet??) Bottom line, they noted these perceptions were the primary impediment to retinal IDs, and that people would not accept retinal scans as routine.
This is just plain stupid (Score:2)
Repeating the exact same rhythm accurately is a skill that takes years to master. It sure doesn't happen by accident.
Memory of rhythm fades rapidly. Unlike the patterns that grow on the ends of your fingers.
Supposing that people did have characteristic patterns - by ear, a trained musician can easily copy and counterfeit them.
On top of that, *nobody* is going to be happy about getting a retinal scan or anything remotely resembling that before they can play a piece of music they bought and paid for. This idea is so far out in left field that I can't see it as anything other than grasping at a straw - an act of desperation.
I was reading a fine piece [osopinion.com] today that sums up exactly my thoughts, better than I could. The problem is defined perfectly, and the reasons why recorded music is *never* going to be expensive and restricted again, like it has for much of the 20th century. (The solutions he proposes for compensating musicians in that piece are too utopian, IMHO, but other solutions *will* work.)
The RIAA and their toadies are on the run. They may be able to attack dotcoms and bring them to heel, but they can't successfully overwhelm the entire net.
Disclaimer: I would *never* encourage anyone to violate a copyright, even to hasten the demise of an evil cartel like the RIAA - instead, listen to the music of musicians that *want* you to, and don't unfairly restrict you.
--
Not that nutty. (Score:2)
Saying it wouldn't work because people make typos might be like saying that gait analysis won't be able to identify people who stumble sometimes.
My question would be, does it work better or worse on people who actually learned to touchtype "properly"?
-Kahuna Burger
Old-School Neuro-Chips (Score:2)
Where do I start? (Score:3)
What about other people in the same house? What if I sell the software? What if what if what if?
This is just dumb. Of course, knowing the software industry, the first product to include a license management scheme that locks you out if your keyboard skills change will be "Mavis Beacon Teaches Typing"...
--
Compaq dropping MAILWorks?
Another flaw... (Score:2)
Anyone else type differently on each?
Lessee...
At work I have one of those nifty ergonomic jobs on the pc, and a generic extended board on the Linux rack.
At home, one of those little iMac boards on my G3 tower, and an IBM 101key (better tactile/audio feedback than other brands) on the Linux box.
Plus, I have an old beater of a Thinkpad, with keyboard oddities of its own, I use for email on the road.
And by the end of the summer, I plan to have a new Powerbook.
Five keyboards (now... six in a couple months), all with different feel and feedback, and almost certainly, all with different typing habits.
I don't think it'll work.
john
Resistance is NOT futile!!!
Haiku:
I am not a drone.
Remove the collective if
Re:Cryptonomicon again; morse-code styles (Score:2)
None of this applies to me, as I am a dirty stinkin' no-coder.
This could be robust if done properly (Score:3)
I would hope that the system they're developing does NOT expect the user to put conscious effort into typing with the "same rhythm." The process of typing a full sentence, with timing data, has much higher dimensionality than any human observer could possibly take advantage of. Whether or not there are relevant parameters to be extracted from this remains to be seen, but I would stay clear of making statements such as the above until a good learning algorithm spends some quality time with the data. The only way this will work is if a learning algorithm manages to extract parameters which uniquely identify the user no matter what the user "tries" to do.
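The timing-feature idea in the comment above, together with the network-lag concern from the earlier "What about lag?" comment, as an added example (not part of any post and not Musicrypt's method). It uses a scaled Manhattan distance over digraph latencies, a technique chosen here for illustration; the phrase, typists, latencies, delays and threshold are all constructed.

```python
from statistics import fmean

PHRASE = "the cat"   # constructed passphrase: 7 key-downs, 6 digraph latencies
THRESHOLD = 3.0      # constructed accept/reject cut-off (lower score = closer)

def events_from(latencies, delays=None):
    """(char, t_ms) key-down events as the verifier sees them.
    `delays` is an optional per-keystroke network delay added to each timestamp."""
    t, out = 0, []
    for i, ch in enumerate(PHRASE):
        if i:
            t += latencies[i - 1]
        out.append((ch, t + (delays[i] if delays else 0)))
    return out

def digraph_latencies(events):
    """Time between consecutive key-downs, keyed by the two characters."""
    return [(a + b, tb - ta) for (a, ta), (b, tb) in zip(events, events[1:])]

def enroll(samples):
    """Per-digraph (mean, mean absolute deviation) over several typings."""
    seen = {}
    for events in samples:
        for dg, lat in digraph_latencies(events):
            seen.setdefault(dg, []).append(lat)
    profile = {}
    for dg, lats in seen.items():
        mean = fmean(lats)
        mad = fmean([abs(x - mean) for x in lats])
        profile[dg] = (mean, max(mad, 1.0))   # floor avoids divide-by-zero
    return profile

def score(profile, events):
    """Scaled Manhattan distance, averaged over digraphs known to the profile."""
    d = [abs(lat - profile[dg][0]) / profile[dg][1]
         for dg, lat in digraph_latencies(events) if dg in profile]
    return sum(d) / len(d) if d else float("inf")

# Constructed data: mean latency (ms) per digraph for two typists.
ALICE = [90, 110, 180, 140, 95, 120]
BOB = [160, 70, 120, 220, 150, 80]
# Constructed session-to-session variation for Alice's four enrollment typings.
OFFSETS = [[-10, -5, 5, 10, -10, -5], [-5, 5, 10, -10, -5, 5],
           [5, 10, -10, -5, 5, 10], [10, -10, -5, 5, 10, -10]]
ALICE_LOGIN = [96, 106, 188, 133, 98, 115]   # a later genuine attempt
DELAYS = [40, 95, 30, 120, 60, 35, 110]      # constructed per-packet delay, ms

def demo():
    profile = enroll([events_from([b + o for b, o in zip(ALICE, row)])
                      for row in OFFSETS])
    return {
        "alice_local": score(profile, events_from(ALICE_LOGIN)),
        "bob_local": score(profile, events_from(BOB)),
        # Same genuine typing, but timestamped on arrival at a remote server.
        "alice_remote": score(profile, events_from(ALICE_LOGIN, DELAYS)),
    }

if __name__ == "__main__":
    for name, s in demo().items():
        print(f"{name:13s} score={s:5.2f} accept={s <= THRESHOLD}")
```

With this data the genuine typist is accepted when timestamps are taken locally, but the same typing timestamped after variable network delay scores worse than the other typist does.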
Re:Will they never stop trying? (Score:2)
Quick poll: How many of you use rather random passwords like "U{.Z!Li}"? How many of you type them slowly at first, but can type these very quickly after using them for a week or so? I thought so.
Yet another hole in this scheme, if it's a constant passphrase then you'll naturally become faster with practice, and then lose your access because your typing style has changed.
-----
Lame, lame idea. (Score:3)
I remember doing this when I was like 12. Dialing into local Commodore 64 warez BBS'es acting like I had a terrible grasp of English, and typing terribly slow to convince the Sysop I was dialing in from l33t-land, Europe. A whole big charade to give me an unlimited ratio. Worked nearly every time.
There are so many holes in a technology like this that I'd shitcan it before it even got off the ground. If you're going to identify someone, there are far, far better ways of going about it than this, I'm afraid.
Bowie J. Poag
Typos Included (Score:2)
The typos are part of that rhythm.
If this were speech recognition, then every slur, drawl and lisp would be part of that rhythm. That's how biometric identification works: it doesn't measure and record EXACT patterns, it is looking for _rhythmic_ approximations that are typical, or representative, of user X. Further, it is amazingly effective. Think how often, when proofreading, that you discover exactly the same errors - teh instead of the - again and again and again. And that is just a trivial example. I'm sure there are many others.
Are you kidding me? (Score:2)
And it's utterly absurd.
Think about it: do we really need retinal scans and fingerprint scanners or biometric typing tutors to
All of these "copy control measures" are in place solely to *guarantee* the flow of profits not to the artists but to the corporations that contract the artist.
I mentioned this in today's Napster story, but -- and come on, where is Katz when we need him? -- no one is talking about what's really going on here: the fact that 'intellectual property' as the studios would have us believe it is dying a slow, expensive death.
And, if that wasn't enough, all this should start people thinking about the notions of 'intellectual property' in the first place.
Come on, Katz, for chrissake: write one of your grand editorials about this -- about how technology is (finally) questioning the very notions of "property" -- and what it is that makes this a so-called "property" in the first place.
What we're witnessing with all this biometric nonsense and CSS absurdity is the very loud gasps of corporations attempting to stay afloat on yesterday's notions of 'property' and 'profit.'
This, finally, may be the single most important contribution of the internet: the paradigm shifting notion that yesterday's 'intellectual property' cannot survive in an age where 'democracy' plays itself out not in parchment 'constitutions' or 'declarations' but across fiber optic cables and digital switches.
'Property' has always depended as much on the presence of an object as much as its absence. Property has value when, say, you have a Lexus and you know that not everyone else does. This makes your Lexus valuable in the marketplace. Everyone *could* have a Lexus, sure, but not every one does. Everyone *could* own a house, but not everyone does.
But what happens when you realize that your highly prized commodity (as determined by an artificially designed marketplace) suddenly loses its intrinsic value?
Short of the specific things we need for survival -- food, shelter, sex -- the value of everything else is artificially assigned by the culture in which it is commodified.
You go ape shit and attempt to preserve its value. But the question is this: for whom is this value being preserved for? And, more importantly, why? Are you preserving its value because without value the object will disappear? Well, this is what Jack Valenti will have us believe. If there is no copy protection for the next Brad Pitt movie, there will be no Brad Pitt movies. (Now, if this means that there will be no more absurd films like 'Fight Club', I'd be delighted. But Valenti would have us believe that even another 'Seven' -- a brilliant film -- would never get made, which would, indeed, be a shame.)
Of course, this is bullshit. Art won't stop if suddenly there are no more corporations to exploit it. All that will happen is that a lot of the dead weight will be jettisoned.
My point is that the link between 'art' and its earning potential for corporations is an artificial link. Art will always exist -- and art will continue to exist, even when it loses its status as 'property' by the corporations that use it to make money.
keyboard wedges (Score:2)
The one I've got has a small 8-bit micro in it that also has the ability to capture and replay keystroke sequences delimited by truly odd and awkward command key sequences. Heck, IIRC, someone even posted something here a while back about a keyboard with a built-in capture and playback buffer. One thing I noticed about the way mine works is that it preserves the timing of the input in order to make sure it doesn't get ahead of the application. Any such gadget would defeat this scheme.
Re:This Won't Work (Score:2)
No kidding!
Oh wait, we're not talking about the same thing are we?
One-handed typing? (Score:2)
Fatal flaw (Score:2)
why not? (Score:3)
[ begin devil's advocate mode ]
Then they should pay to hear it, the same as you.
The thing to understand here is that if you are making use of someone else's property, you should expect to abide by the conditions imposed on its use.
If you don't like the conditions, don't use it. It's not like this is food or anything: you don't need, say, Metallica's Black Album to keep breathing for another week.
The music is the property of its owner. If someone wants to, they may let you or your family members use it for free if they want, but they shouldn't be forced to do so.
It's only now that technologies like this are giving the owners an option in these matters. Forcing them to let people use their property for free is morally wrong and it's only now that we're beginning to see technology that can rectify the situation.
[ end devil's advocate mode ]
In my own opinion, while I believe that private property rights are a consequence of natural law (woo, look at the cute widdle 18th century philosophy), they are such only because of exclusivity. Two people physically can't possess or control a physical object.
I don't think the notion of "property" should be perverted to include things that aren't naturally, in economic parlance, excludable, and I don't think scarcity should be imposed where there is naturally none solely for the sake of making a profit.
If people get mad when someone creates artificial scarcity even in a naturally scarce good (e.g. OPEC with oil), why is making a naturally non-scarce good scarce just for the sake of making money suddenly okay with everyone?
Now, making sure artists eat is a different matter, but the record companies aren't generally doing any better -- the majority of musicians would be living in cardboard boxes on the street (and not eating) if they relied on revenue from the record companies for their livelihood.
Personally, I think we need to start thinking more about artists as people who actually do WORK (they do, you know, composing ain't easy) for which they should be paid (they generally aren't now, except when they're paid for performing), rather than thinking of them as people who need to be subsidized by someone playing tollkeeper to their ideas.
The new technology is also enabling schemes like the Street Performer Protocol area which are I think a good start in the right direction. I only hope more people pursue them, instead of strangling ourselves like we are now.
We have real world scarce resources that have economic value: scarce creative talent (labor). There is no real need to make "pretend" scarcity in information-space to subsidize that labor, unless you expect <sarcasm>the lazy artists to do their thing for free (they're not really DOING anything, after all)</sarcasm>.
Re:Not all that new (Score:2)
moneky (Score:2)
I will just get a monkey to randomly mash and bash the keyboard with its hairy paws, now that is security.
But, say you wanted to crack this, couldn't you just get a realtime video cam and record the rate system admin mashes the keyboard with his fat hands? Get the rhythm from the tape and then make a robotic device to mimic system admin bob's keystroke rate.
Eye scanners would be cool, cause to crack though, you would have to cut out the user's eye, remove your glass eye, insert theirs into the empty socket and crack that puppy open like a nice cold beer.
One thing I seriously thought about doing is an IR interface that is embedded into the body and can send the signal automatic when a correct password is typed into the machine.
Seriously though, the above is just bs. Let's think about this, what if you are drunk or stoned and want to check email? Do you think your type rate will be the same? What if you are intoxicated on large amounts of caffeine when you "insert" the password rhythms, then when you wake up slow in the morning and try to see what is on slashdot, your type rate is different. What if you finally get one of those big ass old style IBM "click" keyboards that slows down your type rate compared to your sleek space age "fluffy" keyboard?
And most of all, what if you take a typing class?
Re:What if you own cats? (Score:2)
I know what you meant, really... (Score:2)
I suspect the goober will probably get smacked down in metamoderation, anyway.
Family situations aside, though, there are a lot of things that we do now (e.g. campfire singalongs) that violate copyright, it's just that there isn't (currently) a good mechanism to enforce it in those circumstances. (except some ASCAP sabre-rattling now and then)
People ignore the inequities in the law because it's not consistently enforced. Technology is changing that.
Really, my only reservation is that I'd like to make sure there are other ways artists can get equitably paid for their work BEFORE the copyright system falls apart.
Linux module (Score:2)
Forget this music crap. If I can route it to my speakers, I can burn it to cd, make an mp3, or record it to tape and take it to my car. Let them develop the technology, then eventually we'll put it to good use.
morse fist (Score:3)
Given that this was possible in 1940 with no computing power, biometrics based on keyboard style is probably not so stupid...
Fortune says: (Score:2)
programmer used his new computer terminal, all was fine when he was sitting
down, but he couldn't log in to the system when he was standing up. That
behavior was 100 percent repeatable: he could always log in when sitting and
never when standing.
Most of us just sit back and marvel at such a story; how could that terminal
know whether the poor guy was sitting or standing? Good debuggers, though,
know that there has to be a reason. Electrical theories are the easiest to
hypothesize: was there a loose wire under the carpet, or problems with static
electricity? But electrical problems are rarely consistently reproducible.
An alert IBMer finally noticed that the problem was in the terminal's keyboard:
the tops of two keys were switched. When the programmer was seated he was a
touch typist and the problem went unnoticed, but when he stood he was led
astray by hunting and pecking.
-- "Programming Pearls" column, by Jon Bentley in CACM February 1985
Discrimination! (Score:2)
And to people like Stephen Hawking, they can forget about listening to music this way.
And if I want to play a huge collection of songs, legally bought by myself, I must authenticate each and every time the song advances.
Do the companies that think of this "innovative" stuff even bother to think about what they are doing? Are these people morons for thinking that such a thing would work?
Re:Something like this at the Rand Corporation (Score:2)