Websites that ID you by how you type: Great when someone's swiped your password, but...

Debate is raging over the discovery that simple web browser extensions can defeat behavior-based biometric technologies. (In this case, behavior-based biometric technologies is a fancy way of saying JavaScript that profiles how people type so that they can be identified the next time they get behind the keyboard.) Passive …

  1. Graham Cobb

    Surely the main issue is informed consent

    The EU data protection regulators must make sure that any site that is recording any sort of biometrics, including behavioural ones, must make that absolutely clear and get informed consent.

    Users need to know that:

    i) they can be tracked and identified even if they delete cookies and even if they do not log in. Obviously that is little problem for banks -- if you don't log in you don't get service (although I might choose to look through their loan offers while not logged in so I don't get bombarded with sales calls for their loans). But if the technology works then it will be used for advertising tracking as well.

    ii) all biometrics are simply passwords you can't change. So, if someone works out how to reverse the analysis and generate an apparent biometric match for you (like people have already done with fingerprint readers) then your security is lost and cannot be recovered. There is a reason why the US Secret Service destroy glasses the President has handled (for example when Obama had a pint of Guinness on his trip to Ireland).

    1. Anonymous Coward

      Re: Surely the main issue is informed consent

      Biometrics are not passwords. Passwords change, biometrics don't.

      1. Mark 85

        Re: Surely the main issue is informed consent

        In this case, they do. Whack one of your fingers with a hammer and see if you type the same way. Have a drink or two, etc. This particular biometric is very subjective.

      2. Steve Knox

        Re: Surely the main issue is informed consent

        Biometrics are not passwords. Passwords change, biometrics don't.

        Be honest: when was the last time you changed your password for El Reg?

        Passwords MAY OR MAY NOT CHANGE. Should they? Probably, in most cases. But that doesn't make it a defining feature.

      3. P. Lee

        Re: Surely the main issue is informed consent

        >Biometrics are not passwords. Passwords change, biometrics don't.

        Biometrics are user IDs.

        Not all logins are equal. Most of my web-logins are inconsequential. If my ElReg account is taken over, I don't care that much. All those websites which require an account before you can download some free (beer) software, probably don't rate a complex password - they simply don't matter.

        Banking & finance applications are a different issue.

    2. Trigonoceps occipitalis

      Re: Surely the main issue is informed consent

      "The EU data protection regulators must make sure ... "

      Like cookies then.

      This site implements user behavioural profiling, agree or piss off.

  2. Khaptain

    And what of the secretary/assistant who is typing for the boss/someone else? Will their biometrics then become associated with the boss's? That could make for some very uncomfortable situations.

  3. Mage

    This stinks

    1) Biometrics of ANY kind are stupid as a password replacement, as they're easily stolen and can't easily be changed.

    2) It's being done secretly, which is probably illegal.

    3) Invasion of privacy, ought to be illegal if it isn't

    1. Anonymous Coward

      Re: This stinks

      >It's being done secretly

      Unlikely, it's being done openly, and people click on "I agree" to requirements to accept cookies and confirm T&C acceptance. The T&C of any self-respecting website will have been drawn up (like a software licence) to be as all-encompassing as possible for the company, and as disempowering as possible for the customer. How often do people have the time, willingness to read, or ability to understand the T&Cs?

      The Reg's privacy policy is over 1,000 words, and that's a model of brevity and clarity, and it references only three adservers. But in addition to the Reg's policy, you need the adserver privacy policies: the Doubleclick (Google) policy is 3,800 words long, the Mediamind (Sizmek) policy is 3,100 words (and the Reg link is broken as well), and the Atlas DMT adserver appears to be widely considered spyware and is blocked by my enterprise security settings, so whilst I'd guess at another 3,000 words of freshly shovelled legalese shite, I can't even see it. How often does anybody read through around 10,000 words of turgid claptrap, just so they can read a f***ing website?

      I'm sure these crummy "agreements" are legally enforceable, but you and I won't be initiating proceedings against adservers, malvertisers and other bottom-feeding corporations any time soon. The ICO can't even stop simple UK-specific abuses like spam texts for PPI, or nuisance phone calls, so what's the chance of them forcing big US corporations to write short, clear, fair policies in plain English?

      Sadly the cognoscenti use a range of ad, cookie and script blockers in an endless arms race, but to assume that (in a legal sense) consent has not been granted is a bit naive, surely?

  4. Sebastian A

    Requesting an addon.

    Anyone able to make an open source addon that randomly varies the timing between characters being entered so as to make this biometric profiling impossible?
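What the request above is up against, as an added example that is not part of the thread and not anyone's actual product or add-on: a minimal keystroke-dynamics profiler of the kind the article describes (dwell time per key, flight time between keys, a per-user mean profile, mean absolute deviation as the match score) and the random-timing countermeasure Sebastian A asks for. All timings, the "password" template, the 25 ms threshold and the 40 to 120 ms jitter range are constructed for illustration. The code models only the effect on the timings the page's script sees; how a browser extension would actually delay the events before the page's keydown/keyup handlers run is not shown.

```javascript
// Added example: a toy keystroke-dynamics profiler and a timing-jitter
// countermeasure. Not code from the article or any vendor; all data constructed.

// Deterministic PRNG (mulberry32) so the example is reproducible offline.
function mulberry32(seed) {
  return function () {
    seed = (seed + 0x6d2b79f5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Assumed "typical" timings for one user typing "password", in ms:
// dwell = how long each key is held; flight = gap between releasing one
// key and pressing the next. Hypothetical values, not measured data.
const KEYS = ["p", "a", "s", "s", "w", "o", "r", "d"];
const BASE_DWELL = [95, 110, 80, 85, 120, 100, 90, 105];
const BASE_FLIGHT = [140, 90, 60, 180, 120, 75, 110];

// Build the [key, keydownMs, keyupMs] triples a page's keydown/keyup
// handlers would record, with up to +/- wobble ms of noise per feature.
function synthesiseSession(rng, wobble) {
  const events = [];
  let t = 0;
  for (let i = 0; i < KEYS.length; i++) {
    if (i > 0) t += BASE_FLIGHT[i - 1] + (rng() - 0.5) * 2 * wobble;
    const down = t;
    const up = down + BASE_DWELL[i] + (rng() - 0.5) * 2 * wobble;
    events.push([KEYS[i], down, up]);
    t = up;
  }
  return events;
}

// Feature vector: dwell for each key, then flight for each adjacent pair.
function extractFeatures(events) {
  const dwell = events.map(([, down, up]) => up - down);
  const flight = [];
  for (let i = 1; i < events.length; i++) {
    flight.push(events[i][1] - events[i - 1][2]);
  }
  return dwell.concat(flight);
}

// Enrolment: the profile is the per-feature mean over several sessions.
function buildProfile(sessions) {
  const vectors = sessions.map(extractFeatures);
  return vectors[0].map((_, i) =>
    vectors.reduce((sum, v) => sum + v[i], 0) / vectors.length);
}

// Verification: mean absolute deviation from the profile, in ms.
function score(profile, events) {
  const v = extractFeatures(events);
  return v.reduce((sum, x, i) => sum + Math.abs(x - profile[i]), 0) / v.length;
}

const THRESHOLD_MS = 25; // assumed accept/reject threshold

// Countermeasure: delay every keydown and keyup by a fresh random amount in
// [minMs, maxMs] before the page sees it. Delays accumulate, so event order
// is preserved and every dwell and flight grows by at least minMs.
function jitterTimings(events, rng, minMs, maxMs) {
  const delay = () => minMs + rng() * (maxMs - minMs);
  let shift = 0;
  return events.map(([key, down, up]) => {
    shift += delay();
    const d = down + shift;
    shift += delay();
    return [key, d, up + shift];
  });
}

// Enrol on five sessions, then score one genuine session and one
// genuine session passed through the jitter. Returns both scores.
function demo() {
  const rng = mulberry32(42);
  const enrolment = [1, 2, 3, 4, 5].map(() => synthesiseSession(rng, 5));
  const profile = buildProfile(enrolment);
  const genuine = synthesiseSession(rng, 5);
  const jittered = jitterTimings(synthesiseSession(rng, 5), rng, 40, 120);
  return { genuine: score(profile, genuine), jittered: score(profile, jittered) };
}

console.log(demo());
```

Because the jitter is drawn fresh for every keystroke, the same typist never produces the same profile twice, so the site cannot build a stable template either; that is the point of randomising rather than simply slowing everything down. The cost is that it also defeats the check for the legitimate user, which matters if a bank uses typing behaviour as an additional factor rather than only as a tracking signal.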

  5. Rusty 1

    This is why

    I have monkeys to type for me.

    Bob the baboon is currently at the keyboard, but he has a sneaky look about him, and I think an encounter with the physics delivery package of a crossbow is in his immediate future. George the gibbon is looking strong in reserve, so I'm happy.

    R.

  6. Graham Marsden

    Providing they have JavaScript enabled...

    Hello NoScript, my old friend

    You've helped me stay safe once again

    Because a website softly sneaking,

    Watched my fingers while I was keying,

    And the Javascript that was planted in the pages

    Still outrages

    Within the sound of typing.

    1. Steven Roper

      Re: Providing they have JavaScript enabled...

      The problem with NoScript however is that increasing numbers of websites simply don't work without Javascript. At all. At best you simply see a little note at the top left that says something like "This site used Javascript. Either enable Javascript or upgrade your browser." or words to that effect.

      My usual response when I hit such a site is simply to close it and move on. But when every single site on the first 3 pages of search results is Javascript-only, what do you do? I can't boycott every single site on the internet, and that's where it's fast going - enable Javascript or fuck off.

      Yes, it shits me to tears when a site demands Javascript when its content is perfectly displayable using simply HTML+CSS. The only reason they hide the content with Javascript is because they want to do nefarious shit like tracking, profiling or exploiting you.

      Then there's the increasing obnoxious tendency to scatter Javascript over fifty fucking domains ranging from image servers to CDNs to streaming servers to ad servers, so going "Allow mainsite.com" doesn't show or change anything. So then you go "Allow msitecdn.com" and half the article becomes visible, but with no pictures. So then you go "Allow mainsite-imgsrv.com" and some of the pictures appear, but the video box is still empty. So then you go "Allow msvidstream.com"... You get the idea.

      And I wish websites would STOP FUCKING DOING THIS SHIT. Fetch your fucking data from one domain FFS. You CAN load-balance without needing a nation's worth of fucking domain names to do it in. I do it all the time on my websites, and I also display enough content without Javascript on my sites that do require it, to give the viewer a reason to enable it over and above that mere "You must enable Javascript" bullshit.

      But in the end, these sites still get enough traffic from all the sheeple that don't give a shit about Javascript control that guys like me boycotting them doesn't make any difference.

      1. Anonymous Coward

        Re: Providing they have JavaScript enabled...

        Sad I know, but I have actually become accustomed to reading THE SOURCE HTML of some pages now. Some add-ons also let you edit the underlying code and run your own client side version of the page, which can bypass some of this bullshit.

        But it's not the internet I wanted...

    2. Captain Badmouth

      Re: Providing they have JavaScript enabled...

      If you ever type the keyboard

      I make sure we know you man

      J'script log and make you mine

      Guarantee you good fine time

      Drinkin' rum and Coca-Cola

      I can see what's in your buffer

      Both motherboard and usb port

      Searchin' for the inkey$

      'Tis a rudimentary tune.

  7. Charles Manning

    Everyone misses the whole point of this...

    The basic idea isn't that novel. It has been tried and rejected for crapness before. It's also very similar to identifying a person by their gait - also shown to be crap.

    However, the whole purpose of this is to try and put an idea in front of VCs and hope they think the idea has some merit and pay out a fortune to the start-up, as well as create a few buckets of gravy for all the security bods.

    1. auburnman

      Re: Everyone misses the whole point of this...

      Identifying a person by their gait? Does that mean the Ministry of Silly Walks was actually an MI5 school that taught how to disguise your stroll?

  8. VinceH

    "If a biometric behavioral profile is either shared or stolen, it can't be changed like a password."

    I beg to differ. Firstly, as Mark 85 says above, either accidents or alcohol can change the way you type. And secondly, the device/keyboard you are using, or even the way you are using it, can affect things. Keyboards differ: I'm typing this on a decent, raised keyboard that is quite the opposite of the annoying pancake keyboards you get in most modern laptops, and I type differently on this one than I do if I'm using the laptop keyboard.

    And as for the laptop keyboard itself, I type differently on it when it's sat on a desk compared with when it's sat on my lap.

    This whole idea is just nonsense when it comes to the proffered use - IDs and security - which only really leaves the invasion of privacy.

  9. Jin

    Bypass it if it is difficult to defeat

    Criminals can attack the password as well.

    Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when operated together with another factor by AND/conjunction (we need to go through both of the two), not when operated with another factor by OR/disjunction (we need only to go through either one of the two), as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increases convenience by bringing down security.

    In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

    http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802
