Schneier on Security

Clive Robinson • January 14, 2012 4:10 AM

@ Daniel,

Will eye scanning or facial recognition even be necessary. Is there a science to faking a genetic test?

The simple answer to your two questioons is yes and yes.

With regards eye iris and facial recognition they can be done now relativly reliably with a smart phone app communicating to a back end online DB that does the identification.

A current artical on facial recognition that also mentions the improvment rate given by NIST is,

http://money.cnn.com/2012/01/13/technology/face_recognition/index.htm?source=cnn_bin

The DNA system will also require a backend online DB to work so effectivly the costs of these two parts cancel out. Leaving the main cost differences being the front end hardware and the cost of the communications link. It is easy to see that the DNA system will be in addition to the cost of a mobile phone, and that economies of scale will always ensure that the cost of the camera inside the phone will be less than the DNA sampling hardware.

As for faking the results with eye iris and facial recognition there are two things masking and stimulating. That is making your identifying features unavailable and making your features appear to be somebody elses. Masking surface featurs is fairly easy to do with contact lenses, clothing and makeup prosthetics, and if you realy are crazy enough you can get your eyes tattooed.

Simulating somebody else is possible, and it breaks down into making you not you and making you somebody else. Making you not you ie disguising your feature sufficiently that you cannot be identified is easier than making your features appear to be somebody else and requires a knowledge not just of the other persons features but fairly detailed knowledge of the way the identification system works. Full Face prosthetics are known to have worked for getting through passport control and provided the materials used respond in a similar way to the cameras used by the system may well work.

As for faking DNA yes it’s possible, there are two basic ways fake the actual DNA (dificult / time consuming) and fritz the test (requires good knowledge of the testing procedure).

Firstly you need to accept that over a period of time your body effectivly compleatly replaces most of it’s self the obvious ones being skin and hair and blood. Which is why peoples DNA is known to change after having bone marrow transplants… The question then becomes one of getting the right bone marrow having the required surgery (realy not nice) and allowing sufficient time for the change to occure.

The other way is to fritz the test. All testing processes have weaknesses all you have to do is find them and know how to exploit them.

Years ago I worked out there was a flaw in the basic DNA testing proceadure that would alow you to contaminate a crime scene with duplicated fragments of another persons DNA. Predictably I was told by various “experts” it could not be done, then a couple of years later a Prof in Australia demonstrated the process and published the results, the result is that now the DNA testing process SHOULD have changed… But as it’s much more expensive to do it the new way, guess what the last time I checked many places were still doing it on the cheap (basic “free market” economics “race for the bottom”).

I’ve had an interest in breaking bio-metric systems for many many years. Over fourty years ago as an experimenting youngster I worked out how to make fake fingerprints using the red wax from Edam cheese to make a mold a commonly available spray on oil as a mold release agent and rubber solution (laytex) glue to make the fake skin. Years later when working as an electronics engineer for a company that made security devices that later included finger print scanners I pointed out that I knew how to make false finger prints. The experts predictably told me I did not know what I was talking about, I didn’t shut up or back down, demonstrated I did know what I was talking about and shortly there after found myself looking for new employment.

I’ve since gone on as a hobby to work out the defects in other bio-metric and evidence systems and how to exploit them. The one I’ve not broken to my satisfaction is retina scanning, mainly because I wouldn’t let one of those devices anywhere near my eyes as I don’t consider them to have been sufficiently tested to be safe.

Clive Robinson • January 15, 2012 6:48 AM

@ Daniel,

The article you linked too was very disingenious. It’s worth noting that despite all the so-called improvements in facial recognition technology there has yet to be a legal case in the USA where that evidence has proved decisive.

You may be right on both points, however the halving in false positive rate every two years has been quoted in the past.

I tend to look at facial recognition in the same way I do photo and security video recognition, both of which I view as using the same process as fingerprint recognition.

That is a forensic scene of crime officer collects the physical evidence of the fingerprint from the scene in a recognised and aproved way and produces a document cataloging it into the evidence chain (so far so good in most cases).

This image is then examined in some way to link it to one or more probable people who’s fingerprint records are pulled and a human then does a visual comparison between the scene of crime print and the probables records.

The human doing this comparison is the most fallible part of the system which is why there has been an investment in the likes of AFIS technology.

However in the UK fingerprints are now losing their “evidentiary value” because lawyers are beigining to question them after a number of cases which have shown the system to be badly broken. One of the most prominent was of a police officer who was found guilty of providing false testimony (she claimed she had been at all times outside the actual crime scene when her elimination prints said she had been touching items in the scene). Through various trials the fingerprint examiners only provided tiny bits of evidence. When finaly forced to reveal all the evidence it was obvious to anyone examining it they had been at best very badly inept.

The simple fact is the court systems are not interested in primary evidence just the documents that support it. Judges also get very upset when defense council cross questions “expert witnesses” because they are supposed to be “impartial officers of the court” and thus permitted to enter “opinion” which is effectivly the equivalent of “hearsay evidence”.

Thus I can easily see facial recognition getting the same faux gold standard as fingerprints and DNA had and once upon a time the now totally discredited “witness identification line up” had because in essence they all rely on the same fallible method of human interpretation that cannot be tested, and easily gamed.

And because for all the rhetoric at the end of the day modern court systems are not about justice or even the pretence of it, they are sausage machines designed to get defendents through the system as quickly and cheaply as possible. With only the theater of “justice being seen to be done” for either political or monetary reasons or both. Thus arguably many people go to jail because they are the cheapest and most conveniant to put there, the fact that it coincides with the actual criminals quite often might be more luck than judgment or stupidity on the criminals behalf.

Put bluntly the area of policing that works is “ears and eyes on the ground” criminals appear in the main incapable of staying hidden. In the UK something like 90% of lower level crime is actually solved because the criminals show off in some way, either “bigging it up” infront of their mates verbaly or going out and “buying flash gear because they’re flush”. Their mates or those on the edges see this and a name gets back to the ears and eyes and suddenly flash jonny is having his nice new shiny suit collar felt whilst facing a bunch of simple questions he cann’t answer.

It is only in the circles of noncriminals who do not have any association with law enforcment that the notion of justice and inocent untill proven guilty have any credibility any longer.

Clive Robinson • January 16, 2012 3:45 PM

OFF Topic:

ZAPPOS INFO.

It would appear that Zappos has turned of it’s phone lines (for the customers benift) and has likewise made the blog which their CEO posted to about the security incident unavailable to many.

However if you are potentialy one of the 24 millio people affected Sophos has kindly dug out the blog message info and put it up on their nakedsecurity site,

http://nakedsecurity.sophos.com/2012/01/16/zappos-data-breach/?utm_source=facebook&utm_medium=status%20message&utm_campaign=naked%20security

Clive Robinson • January 16, 2012 5:02 PM

@ Bruce (and others 🙂

Microsofts sometimes controverial researcher Cormac Herley and Carleton University’s (Ottawa Canada) Prof. Paul Van Oorschot have coauthored a paper about passwords,

Acknowledging the Persistence of Passwords

Which has been published in the IEEE Security & Privacy Magazine. Cormac has put his “author copy” up as a PDF on Microsoft’s research web server at,

http://research.microsoft.com/pubs/154077/Persistence-authorcopy.pdf

Essentialy they argue (for reasonable reasons) that passwords are here to stay for some considerable period of time, and that we should simply accept this and get on with actually improving the security involved.

Clive Robinson • January 17, 2012 7:36 AM

@ Nick P,

. However, there are other researchers showing that they can largely be replaced by technologies that may be more secure or convenient

Yes and no, anything involving an “aid memoir” is technicaly not a password but a token. That is, it’s nolonger “something you know” but “something you have”.

And as we know from long experiance tokens be they bits of paper or Secure ID tokens pocket computers or smart phones etc have their own security problems. More importantly importantly from the user perspective they represent a very very weak link in the authz/authn chain they are being used in, in that if they are not at hand when required then the chain is effectivly broken (so in theory) the user can not get access or compleate a transaction very much to the users anoyance (and being human they won’t blaim themselves but the technology in some way).

The other and possibly primary reason passwords are still in existance is “negligible direct cost” of implementation.

I and others realised before the turn of the century that the systems banks were using for online banking were compleatly and utterly hopeless from a security perspective and said as much. However we had to put up with being told that we didn’t 1, Know what we were talking about 2, Know what the real risks were 3,Understand the way banking worked… And a whole load more gumf every step of the way where 15 or more years later only some banks use 2 factor and none (that I’m aware of) fully authenticate each and every transaction in a secure way.

And to be honest they were right in one respect (3) we didn’t understand the way the banks work by laying off risk onto others rather than design sensible systems…

It’s interesting to note just how different the banks aproach to online system security is in juresdictions where they are forced to take on some or all the risk. It is a lesson the UK and US legislators realy should wake upto and act upon in a clear and non negotiable manner.

If they did then certainly the sort of tokens that you and I have talked about in the past would become a cost effective solution within an inordinatly short period of time simply due to the market forces involved. And thus the oportunity to move “passwords” out into a more secure ring, but they would still be there as a word or phrase to control access to the token.

Clive Robinson • January 18, 2012 10:18 PM

OFF Topic:

@ Bruce, Nick P, RobertT,

For those with an interest in EmSec especialy to do with “secure chips” Theador Markettos of the UK Cambridge Computer labs has in the past month put up his Phd thesis,

Active electromagnetic attacks on secure hardware

on line at,

http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-811.pdf

Even for the not technicaly inclined the first part makes an interesting read. The whole report however is very interesting as it goes into a lot of the “experimental issues” of building and using equipment to do leading edge academic EmSec research.

Clive Robinson • January 20, 2012 12:38 PM

OFF Topic:

NSA release SE_Android…

I don’t know if anybody else has noticed that the NSA has taken Google’s Android code and ported their SE Linux code to it,

http://selinuxproject.org/page/SEAndroid

Clive Robinson • January 20, 2012 2:50 PM

@ Bruce,

There is a back story to the Argentine Squid blockade and it might lead to another South Alantic war.

The current Argentine premier appears to be a woman who has significant pretentions to being a cross between the “new Evita” and Imelda Marcos, with more pairs of shoes than any gal would need during ten or twenty lifetimes. Apparently there are jokes about her having the blood of a vampire due to the amount of make up she puts on before being seen in daylight.

Whilst that is how she is seen by many (of her detractors) what is quite clear is she is determined to get sovereignty of the Falklands away from the British.

Whilst this might appear to be a bit of popularist patriotic nonsense, there is actually quite a bit of jingoistic behaviour behind it that the Argentinians buy into. Back in the early days of the last UK Tory Government and the second term of the Thatcher premiership over a quater of a century ago the then Argentinian leader was in political trouble and to buy popularist support he invaded the Falkland islands. The result was quite a few atrocities and a war.

But further behinf this is the question of natural resources in the south atlantic and south pole. Supposadly some of the largest fossil fuel reserves are down there. Currently the south pole is protected by international treaty but this is due to come to an end in the very near future which means that it might well turn into a resource grab.

In the past resources not directly in the territory of a country have been divided up on a rule based on miles of costline reduced by the distance the coast is from the resources.

So the Falklands are very likley to have significant entitlement to any resources down in the south atlantic / south pole.

Thus we may well see another attempt by Argentina to forcefully wrest the sovereignty of the Falklands from the UK very much against the wishes of the people who live there and who still live in dread of the Argentinian jackboot.

Clive Robinson • January 21, 2012 7:54 AM

OFF Topic:

There has been some noise in the press about an articale that has just been published

Experimental Demonstration of Blind Quantum Computing.

(Ref – arXiv:1110.1381v1)

Put simply the scientists concerned (Stefanie Barz, Elham Kashefi, Anne Broadbent, Joseph F. Fitzsimons, Anton Zeilinger, Philip Walther) appear to have worked out a way for you to send encrypted data to a quantum computer and for it to process the data in some way and return the results to you without the computer, it’s operator or anybody eavesdropping the communications path seeing what the real data is.

Thus as some members of the press have put it combining “the potential of cloud computing” with “the security of quantum cryptography”.

Most of the news items,

http://www.bbc.co.uk/news/mobile/science-environment-16636580

http://www.theregister.co.uk/2012/01/20/blind_quantum_computing_for_the_cloud/

either don’t link to the paper or point you to a paywall. However one of the papers authors has a link (to the Cornell University pre-print site) up on his personal web site,

http://www.qunat.org/personal.php?id=9

Or you can just grab the PDF from,

http://xxx.soton.ac.uk/pdf/1110.1381v1

And before anybody asks me any awkward questions about if I actually think it’s secure (possibly not for practical implementations as with most Quantum crypto). Please give me a little time to inwardly digest the paper so I can see if I can spot any holes in it.