Schneier on Security

Clive Robinson • January 11, 2019 12:15 PM

@ Olaf, ImpossiblyStupid,

As one of the researchers Jan Krissler notes,

Biometrics is always an arm race

As I’ve mentioned before getting on for half a century ago when I was quite young not even a teenager, I worked out how to make what were 3D finger prints using the red wax from outside of Edam cheese, light oil as a mould release and rubber solution glue to make the fake skin.

And when some time after as an engineer I worked for a company that made early finger print readers. My boss and others were not ammused when I demonstrated to them their new “high security” sensor was not secure in the slightest to a very low tech attack. And surprise surprise I ended up in having to find a new job fairly quickly. As there were not “hacker” events back then I had no real way to get the message out, and they sold product they knew to be “not upto claims” for eye watering prices.

So the obvious next step for these researchers or other researchers is to make a “glove” that can be worn by someone with a smaller hand (unless scaling makes no difference to the scanner which is quite likely).

With the next step for the manufactures of these vein readers is “signs of life” it’s not that difficult to read not just pulse but oxygen saturation using IR light.

Thus having designed a glove getting it to apparently have blood flow with “oxygen” would be a response. However I suspect first time around they won’t need to have actual fluid flowing through veins just a layer under the veins image layer.

At the end of the day bio-metrics are a bit of a joke. Even DNA testing can be fritzed in one way or another. The last time I looked and that’s quite a while ago only a certain type of eye scan had not yet shown signs of being easily attackable.

Clive Robinson • January 12, 2019 11:54 PM

@ Wael,

I have yet to hear: trust the physics 😉

That is because as has been noted on the past,

In physics you get taught a succession of lies, each more acurate then the previous one…

What many people forget is “maths is not reality, reality is way more messy. Maths is a tool by which we try to describe the world in terms of sets and logic. We of course fail in this endeavor, but it is the journey not the destination from which we learn the most.

Clive Robinson • January 13, 2019 12:50 PM

@ Wael, Impossibly Stupid,

You have a fingerprint (but you are not the fingerprint,) you have DNA, (but you are not the DNA.) These are partial representations of some supposedly unique characteristics of a carbon unit, not “what you are”, per se.

As Dame Stella Rimington DCB noted when she was the Director of MI5, and I’ll put in your wording,

You have a paper with an identity on it, but you are not the paper or the identity.

And as I’ve pointed out a few times here,

You have a role(s) but you are not the role(s).

It’s this last point that brings up the absurdity of “identification” if not “perversion” by bureaucracies, that are both lazy and inept, they want you to be what you clearly are not. That is they want you to be –as the old TV series[1] had it– a “number” not a “person”.

People are even when very young multifaceted, infact they have as many facets as they do activities and have acquaintances. It is a form of “Social armour” to protect the inner person, generaly the more guarded a person is or the more compartmentalized they organise their life the more likely they are to have had reason to be. The trick being to appear open whilst actually being extreamly guarded, to the point of having in effect facets that are more like entirely seperate personalities or lives. Thus an extention on the “work life”, “home life”, “friend life” etc roles but with stronger segregation.

Unfortunatly this “you are a number” perversion is not just consigned to bueracrats. We are now having it forced on us by non-neurotypical types who are found in the high tec industry. Who have because of their view-point made it considerably easier for other non-neurotypical types in the marketing and similar industries to make us “numbers to profit from” thus push hard against any attempts to be “individuals with multiple roles/faceted.

For instance take most peoples primary interface to the Internet, the web browser, you can kind of set it up for multiple users if you want to go through the pain and complications which can mean having entirely segregated users to the point two or more cheap tablets might be easier.

Likewise on OS’s that have some sense of individuality –*nix etc– where “multi-user” is considered the norm at the OS level it can still be quite hard seting browsers up for “roles” in browsers without getting undesired leakage. But other systems –such as MS OS’s– where the underlying OS is not multi-user orientated leakage across users is almost a given at various levels.

What some of us want and every one needs is computers that can provide clean seperation at all levels including the desktop, so that the user remains in the driving seat with regards their multiple identities (life roles) and the segregation (or overlap) they desire or don’t desire to have between the identities.

Look at it this way, if you have multiple financial accounts such as current, savings and credit accounts you may not want financial institution A that has an account your salary geys paid into being aware that you have another account at institution B where “another” of your income streams from online trading or property rental come into.

If you make the mistake of using MS OS’s, and browsers in modes most users can change them too from the standard interface, then the chances are your online banking accounts will become known to all the financial institutions. Likewise those of any other family member etc who uses the computer.

The designers and developers could change this behaviour, but for various reasons including financial they are unlikely to do so.

Humans unless they have certain issues are not monofaceted / monoroled, anyone beleving that they are or worse should be is trying to destroy the cohesiveness of society even though they might not have that intention or be aware of what damage they are causing. Whilst others think “society will adapt” I’m very far from certain it can, and still be a society we would recognise as such or wish to live in.

But getting back more on target the issue with bio-metrics is their “singular use” that is let us say less than stellar, in fact it’s pretty abysmal in many cases. Where it gets strong though is where you use multiple bio-metrics all at the same time. Currently few people do this prefering to go for one bio-metric that they thay have been told is strong… Where as going for three or four biometrics at the same time would probably[2] be better than any single bio-metric.

Like many “marketing led” product marketplaces bio-metrics tend to be well lubricated in snake oil.

[1] The late 1960’s television series “The Prisoner” staring Patrick McGoohan, who also co-created it. On the surface it might now be considerd SiFi for it’s –still– futuristic themes. It appears as a quaint idilic village with the residents leading a collectivised utopian yet almost entirely pointless existence. However nobody uses their name just a number which hides much about them including if they are too prisoners or guards or worse. It quickly becomes clear that “No 6” is being held a prisoner in what might be a “guilded cage”. He is being in effect tourtured psychologicaly to get information out of him. Brcause he was some kind of intelligence officer who having resigned in anger gets gassed in his flat and wakes up in the village. His intent is not to give out information and escape, he comes up with all sorts of plans and involves others in the village quickly causing disruption. So it has many interlaced themes and is often quite dark for adults. At it’s base it is about the fight between individualism and collectivism, where the collectivism has behind it evil intent and few if any morals, whilst maintaining a vener of urbanity and sophistication that is suave in it’s reality. It’s famous tag line is “I’m a name not a number”, which half a century on is still in “common parlance”.

https://en.m.wikipedia.org/wiki/The_Prisoner

[2] It’s actually not that easy to say what the real false positives and negatives are on “identity” because of all the extra crap like “signs of life” being used to distort the figures on both false positives and suprisingly false negatives. Put simply the manufacturers include the “signs of life” successes in with the actual bio-metric when it makes things look better but treat them seperatly when they fail… Thus if you present your hand and the system says you are not alive that gets put down to a “signs of life” fail not the bio-metric… You actually have to get hold of “academic study” results, but there are two issues. Firstly the studies are few and very far between. Secondly they are rarely on “new bio-metric systems” due to costs and often availability (same as it is with the mechanical “unpickable locks” that lock companies push, that later turn out to be fairly easy to pick like nearly all mechanical locks and more than a few electronic locks).