Entries Tagged "false positives"


Another Biometric: Vein Patterns

Interesting:

In fact, vein recognition technology has one fundamental advantage over finger print systems: vein patterns in fingers and palms are biometric characteristics that are not left behind unintentionally in every-day activities. In tests conducted by heise, even extreme close-ups of a palm taken with a digital camera, whose RAW format can be filtered systematically to emphasize the near-infrared range, were unable to deliver a clear reproduction of the line pattern. With the transluminance method used by Hitachi it is practically impossible to read out the pattern unnoticed with today’s technology. Another side effect of near-infrared imaging also has relevance to security: vein patterns of inanimate bodily parts become useless after few minutes, due to the increasing deoxidisation of the tissue.

Even if someone manages to obtain a person’s vein pattern, there is no known method for creating a functioning dummy, as is the case for finger prints, where this can be achieved even with home-made tools, as demonstrated by the German computer magazine c’t. As in the case with vendors of finger print systems, Hitachi and Fujitsu do not disclose information on liveness detection methods used in their products.

Besides the considerably improved forgery protection, the vendors of vein recognition technology claim further advantages. Compared to finger print sensors, vein recognition systems are said to deliver false rejection rates (FRR) two orders below that of finger print systems when operating at a comparable false acceptance rate (FAR). This can be ascribed to the basic structure of vein patterns having a much higher degree of variability than finger prints.

This is all interesting. I don’t know about the details of the technology, but the discussions of false positives, false negatives, and forgeability are the right ones to have. Remember, though, that while biometrics are an effective security technology, they’re not a panacea.

Posted on August 8, 2007 at 7:02 AM

Terrorist Watch List: 20,000 False Alarms

Why does anyone think this makes security sense?

The Justice Department’s proposed budget for 2008 reveals for the first time how often names match against the database, reporting that there were 19,967 “positive matches” in 2006. The TSC had expected to match a far fewer number, 14,780. The watch list matched people 5,396 and 15,730 times in 2004 and 2005 respectively.

The report defines a positive match as “one in which an encountered individual is positively matched with an identity in the Terrorist Screening Data Base, or TSDB.”

It’s not clear from the report whether those numbers include individuals whose names only coincidently match one of those on list, such as when Sen. Ted Kennedy was confused with a former IRA terrorist also named Kennedy.

The watch list has been hounded by these mismatches, which have included small children, former presidential candidates, and Americans with common names such as David Nelson.

How do I know they’re all false alarms? Because this administration makes a press splash with every arrest, no matter how scant the evidence is. Do you really think they would pass up a chance to tout how good the watch list is?

EDITED TO ADD (8/28): The Washington Post just got around to writing an article on the topic, and Dan Solove has some good commentary.

Posted on July 23, 2007 at 1:39 PM

Canadians Are Allowed to Say "Bomb" in Airports

Some sense from Canada:

The Canadian Air Transport Safety Authority, trying to clamp down on screeners who alert police every time they hear alarming words, has issued a bulletin urging staff to show more discretion.

A person who announces “You better look through my suitcase carefully, because there’s a bomb in there”, “I am going to set fire to this airplane with this blowtorch” or “The man in seat 32F has a machine gun” will still be arrested.

But someone who remarks “Your hockey team is going to get bombed (badly beaten) tonight”, “Hi Jack!” or “You don’t need to frisk me, I’m not carrying a weapon” will first be warned about their behavior.

Posted on July 17, 2007 at 6:42 AM

Bioterrorism Detection Systems and False Alarms

Interesting.

It took several days for New Jersey officials to establish that the alert wasn’t the beginning of a deadly bioterror attack, but had been triggered by someone’s allergic reaction to a smallpox vaccine at a local military facility. This false alert came from the government-funded computer program, Biosense. The complex program, which culls electronic health data from 350 of the nation’s urban hospitals as well as veterans’ hospitals and defense department facilities, comes after a string of costly, and never fully realized computer ventures before it. But three years into its development, with a price tag of around $230 million (on top of millions more spent on unsuccessful systems before it), it is unclear as to exactly what the program can accomplish.

EDITED TO ADD (7/2): The article is in Google’s cache.

Posted on July 2, 2007 at 7:54 AM

Risks of Data Reuse

We learned the news in March: Contrary to decades of denials, the U.S. Census Bureau used individual records to round up Japanese-Americans during World War II.

The Census Bureau normally is prohibited by law from revealing data that could be linked to specific individuals; the law exists to encourage people to answer census questions accurately and without fear. And while the Second War Powers Act of 1942 temporarily suspended that protection in order to locate Japanese-Americans, the Census Bureau had maintained that it only provided general information about neighborhoods.

New research proves they were lying.

The whole incident serves as a poignant illustration of one of the thorniest problems of the information age: data collected for one purpose and then used for another, or “data reuse.”

When we think about our personal data, what bothers us most is generally not the initial collection and use, but the secondary uses. I personally appreciate it when Amazon.com suggests books that might interest me, based on books I have already bought. I like it that my airline knows what type of seat and meal I prefer, and my hotel chain keeps records of my room preferences. I don’t mind that my automatic road-toll collection tag is tied to my credit card, and that I get billed automatically. I even like the detailed summary of my purchases that my credit card company sends me at the end of every year. What I don’t want, though, is any of these companies selling that data to brokers, or for law enforcement to be allowed to paw through those records without a warrant.

There are two bothersome issues about data reuse. First, we lose control of our data. In all of the examples above, there is an implied agreement between the data collector and me: It gets the data in order to provide me with some sort of service. Once the data collector sells it to a broker, though, it’s out of my hands. It might show up on some telemarketer’s screen, or in a detailed report to a potential employer, or as part of a data-mining system to evaluate my personal terrorism risk. It becomes part of my data shadow, which always follows me around but I can never see.

This, of course, affects our willingness to give up personal data in the first place. The reason U.S. census data was declared off-limits for other uses was to placate Americans’ fears and assure them that they could answer questions truthfully. How accurate would you be in filling out your census forms if you knew the FBI would be mining the data, looking for terrorists? How would it affect your supermarket purchases if you knew people were examining them and making judgments about your lifestyle? I know many people who engage in data poisoning: deliberately lying on forms in order to propagate erroneous data. I’m sure many of them would stop that practice if they could be sure that the data was only used for the purpose for which it was collected.

The second issue about data reuse is error rates. All data has errors, and different uses can tolerate different amounts of error. The sorts of marketing databases you can buy on the web, for example, are notoriously error-filled. That’s OK; if the database of ultra-affluent Americans of a particular ethnicity you just bought has a 10 percent error rate, you can factor that cost into your marketing campaign. But that same database, with that same error rate, might be useless for law enforcement purposes.

Understanding error rates and how they propagate is vital when evaluating any system that reuses data, especially for law enforcement purposes. A few years ago, the Transportation Security Administration’s follow-on watch list system, Secure Flight, was going to use commercial data to give people a terrorism risk score and determine how much they were going to be questioned or searched at the airport. People rightly rebelled against the thought of being judged in secret, but there was much less discussion about whether the commercial data from credit bureaus was accurate enough for this application.

An even more egregious example of error-rate problems occurred in 2000, when the Florida Division of Elections contracted with Database Technologies (since merged with ChoicePoint) to remove convicted felons from the voting rolls. The databases used were filled with errors and the matching procedures were sloppy, which resulted in thousands of disenfranchised voters—mostly black—and almost certainly changed a presidential election result.

Of course, there are beneficial uses of secondary data. Take, for example, personal medical data. It’s personal and intimate, yet valuable to society in aggregate. Think of what we could do with a database of everyone’s health information: massive studies examining the long-term effects of different drugs and treatment options, different environmental factors, different lifestyle choices. There’s an enormous amount of important research potential hidden in that data, and it’s worth figuring out how to get at it without compromising individual privacy.

This is largely a matter of legislation. Technology alone can never protect our rights. There are just too many reasons not to trust it, and too many ways to subvert it. Data privacy ultimately stems from our laws, and strong legal protections are fundamental to protecting our information against abuse. But at the same time, technology is still vital.

Both the Japanese internment and the Florida voting-roll purge demonstrate that laws can change … and sometimes change quickly. We need to build systems with privacy-enhancing technologies that limit data collection wherever possible. Data that is never collected cannot be reused. Data that is collected anonymously, or deleted immediately after it is used, is much harder to reuse. It’s easy to build systems that collect data on everything—it’s what computers naturally do—but it’s far better to take the time to understand what data is needed and why, and only collect that.

History will record what we, here in the early decades of the information age, did to foster freedom, liberty and democracy. Did we build information technologies that protected people’s freedoms even during times when society tried to subvert them? Or did we build technologies that could easily be modified to watch and control? It’s bad civic hygiene to build an infrastructure that can be used to facilitate a police state.

This article originally appeared on Wired.com

Posted on June 28, 2007 at 8:34 AM

Silly Home Security

Fogshield:

Ask anybody who’s made money robbing houses, and they’ll tell you straight up: you can get away with a lot of loot in the 10 minutes before the cops come.

But the crooks won’t find their way out of the foyer if you hit ’em with the FogSHIELD—an add-on to your home security system that releases a blinding blanket of fog to stop thieves in their tracks. When an intruder triggers the alarm, water mixes in the FogSHIELD’s glycol canister to generate enough dry, non-toxic fog to cover 2,000 square feet in less than 15 seconds. It dissipates 45 minutes later, leaving your furniture unsullied and your electronics intact.

The website appears not to be a joke.

EDITED TO ADD (6/23): In the comments, a lot of people have taken me to task for calling this security silly. I stand by my statement: not because it’s not effective, but because it’s not a good trade-off. I can certainly imagine scenarios where filling your house with vision-impairing fog is just the thing to foil a would-be burglar, but it seems awfully specific a countermeasure to me.

Home security—like all security, really—is a combination of protection, detection, and response. Locks and bars are the protection system, and the alarm is the detection/response system. Fogshield is a protection system: after the locks and bars have failed, Fogshield 1) makes it harder for the burglar to navigate around the house, and 2) potentially delays him until the response system (police or whomever) arrives.

But it has problems as a protection system. For one, false alarms are way worse than before. It’s one thing to have a loud bell annoy the neighbors until you turn it off, it’s another to fill your house with fog in less than 15 seconds (plus the cost to replace the canister).

This whole thing feels real “movie-plot threat” to me: great special effect in a movie, but not really a good security trade-off for home use. An alarm system is going to make an average burglar go to the house next door instead, and a dedicated burglar isn’t going to be deterred by this.

Posted on June 21, 2007 at 6:55 AM

Nonsecurity Considerations in Security Decisions

Security decisions are generally made for nonsecurity reasons. For security professionals and technologists, this can be a hard lesson. We like to think that security is vitally important. But anyone who has tried to convince the sales VP to give up her department’s Blackberries or the CFO to stop sharing his password with his secretary knows security is often viewed as a minor consideration in a larger decision. This issue’s articles on managing organizational security make this point clear.

Below is a diagram of a security decision. At its core are assets, which a security system protects. Security can fail in two ways: either attackers can successfully bypass it, or it can mistakenly block legitimate users. There are, of course, more users than attackers, so the second kind of failure is often more important. There’s also a feedback mechanism with respect to security countermeasures: both users and attackers learn about the security and its failings. Sometimes they learn how to bypass security, and sometimes they learn not to bother with the asset at all.

Threats are complicated: attackers have certain goals, and they implement specific attacks to achieve them. Attackers can be legitimate users of assets, as well (imagine a terrorist who needs to travel by air, but eventually wants to blow up a plane). And a perfectly reasonable outcome of defense is attack diversion: the attacker goes after someone else’s asset instead.

Asset owners control the security system, but not directly. They implement security through some sort of policy—either formal or informal—that some combination of trusted people and trusted systems carries out. Owners are affected by risks … but really, only by perceived risks. They’re also affected by a host of other considerations, including those legitimate users mentioned previously, and the trusted people needed to implement the security policy.

Looking over the diagram, it’s obvious that the effectiveness of security is only a minor consideration in an asset owner’s security decision. And that’s how it should be.

Whether a security countermeasure repels or allows attacks (green and red arrows, respectively) is just a small consideration when making a security trade-off.

This essay originally appeared in IEEE Security and Privacy.

Posted on June 7, 2007 at 11:25 AM

Attackers Exploiting Security Procedures

In East Belfast, burglars called in a bomb threat. Residents evacuated their homes, and then the burglars proceeded to rob eight empty houses on the block.

I’ve written about this sort of thing before: sometimes security procedures themselves can be exploited by attackers. It was Step 4 of my “five-step process” from Beyond Fear (pages 14-15). A national ID card makes identity theft more lucrative; forcing people to remove their laptops at airport security checkpoints makes laptop theft more common.

Moral: you can’t just focus on one threat. You need to look at the broad spectrum of threats, and pay attention to how security against one affects the others.

Posted on April 30, 2007 at 12:27 PM

Keystroke Biometrics

This sounds like a good idea. From a news article:

The technology, which measures the time for which keys are held down, as well as the length between strokes, takes advantage of the fact that most computer users evolve a method of typing which is both consistent and idiosyncratic, especially for words used frequently such as a user name and password.

When registering, the user types his or her details nine times so that the software can generate a profile. Future login attempts are measured against the profile which, the company claims, can recognise the same user’s keystrokes with 99 per cent accuracy, using what is known as a “behavioural biometric.”

I wouldn’t want to automatically block users unless they get this right, and the false-positive/false-negative ratio would have to be jiggered properly, but if they can get it working right, it’s an extra layer of authentication for “free.”

Another news article. Slashdot thread.
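To make the false-positive/false-negative trade-off concrete, here is an added sketch (not the vendor's algorithm and not code from the article) that enrolls nine typing samples, scores later attempts against the profile, and reports both error rates at several thresholds. The scoring method (mean absolute z-score over hold and between-key times) and all timing values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def features(events):
    """(key, down_ms, up_ms) events -> dwell times followed by flight times."""
    dwell = [up - down for _, down, up in events]
    flight = [nxt[1] - cur[2] for cur, nxt in zip(events, events[1:])]
    return dwell + flight

def enroll(samples):
    """Profile = (mean, std) per feature over the enrollment samples."""
    cols = zip(*(features(s) for s in samples))
    return [(mean(c), max(stdev(c), 1.0)) for c in cols]  # floor std: no /0

def score(profile, events):
    """Mean absolute z-score; 0 matches the profile, larger is less similar."""
    return mean(abs(x - m) / s for x, (m, s) in zip(features(events), profile))

def rates(profile, genuine, impostor, threshold):
    """Return (false-accept rate, false-reject rate) at this threshold."""
    far = sum(score(profile, e) <= threshold for e in impostor) / len(impostor)
    frr = sum(score(profile, e) > threshold for e in genuine) / len(genuine)
    return far, frr

# --- constructed sample data (milliseconds), not measurements ---
BASE_DWELL, BASE_FLIGHT = [90, 110, 80, 100], [60, 140, 70]

def typed(dd, df):
    """Events for the word 'pass' with dwell/flight shifted by dd/df ms."""
    events, t = [], 0
    for i, key in enumerate("pass"):
        dwell = BASE_DWELL[i] + dd
        events.append((key, t, t + dwell))
        t += dwell + (BASE_FLIGHT[i] + df if i < 3 else 0)
    return events

ENROLLMENT = [typed(j, -j) for j in range(-8, 9, 2)]  # nine samples
GENUINE = [typed(3, -3), typed(12, 12)]      # a good day and a sloppy day
IMPOSTOR = [typed(30, -40), typed(-9, 9)]    # different rhythm, near rhythm
PROFILE = enroll(ENROLLMENT)

if __name__ == "__main__":
    for thr in (1.0, 2.0, 2.5):
        far, frr = rates(PROFILE, GENUINE, IMPOSTOR, thr)
        print(f"threshold={thr}: FAR={far:.0%} FRR={frr:.0%}")
```

On this data no threshold gives zero for both rates, which is why the score works better as one signal feeding a step-up decision than as an automatic block.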

Posted on April 23, 2007 at 6:49 AM

Citizen-Counterterrorist Training Video

From the Michigan State Police. The seven signs, according to the video:

Surveillance

Elicitation

Tests of security

Acquiring supplies

Suspicious people who “don’t belong”

Dry runs/trial runs

Deploying assets or getting into position

I especially like the scenes of concerned citizens calling the police. Anyone care to guess what the false alarm rate would be if everyone started making phone calls like this?

Posted on April 19, 2007 at 2:15 PM
