Pretty frickin stupid...
I can trust the government-funded research to come up with a joke of a solution like this. (DISCLAIMER: I live in Japan.)
Japanese boffins have demonstrated a rather nifty way of preventing online password theft by screen capture and shoulder surfing – flood the screen with a barrage of dummy cursors. Researchers at the government backed Japan Science and Technology (JST) Agency showed off the rather unusual approach to preventing fraud to local …
Since they HAVE to know when the actual click takes place, and since click events can be recorded (macro recorders use this function), I suspect screen reader malware will just wait for actual clicks and then attach EXIF data to the pictures that happens to contain the coordinates of the actual mouse cursor at the point of the click. As for the over-the-shoulder observer, a little training should enable someone to distinguish the random motion of the fake cursors from the more-directed motion of the real one.
I don't know whether he knows what he's talking about or not in general, but for what it's worth this bit of his post makes perfect sense to me:
"a little training should enable someone to distinguish the random motion of the fake cursors from the more-directed motion of the real one."
I haven't seen the system in action to be fair, but even if they've programmed it to hesitate, move at varying speeds and make occasional "mistakes", I think it's likely that an observant watcher could figure out which was the human-controlled cursor. But only because it's so difficult to convincingly simulate randomness.
Doing that runs the risk of a false negative because convincing-enough fake cursors will start to fool the user and result in mistakes. Put it this way: since the user has to be able to distinguish the real cursor from the fakes, anything the user does can be observed by a suitably-trained over-the-shoulder observer. They can observe different motions of the cursors, catch the user's mouse movements out of the corner of the eye, and so on.
"a little training should enable someone to distinguish the random motion of the fake cursors from the more-directed motion of the real one"
1) Read not-too-well explained stuff with no accompanying pics on El Reg
2) Run to the pulpit
3) Declare to world and dog that it won't work, make peremptory statements and a clown of yourself
FAIL icon doesn't begin to describe the situation
>Doing that runs the risk of a false negative because convincing-enough fake cursors will start to fool the user and result in mistakes. Put it this way: since the user has to be able to distinguish the real cursor from the fakes.
The user distinguishes the real cursor through feedback from their mouse movements. In other words, the user knows which cursor is theirs because they can directly see the result of a mouse movement. The over-the-shoulder observer does not have the benefit of being able to observe both the mouse movement and the cursor movement, since your eyes and cognitive processes cannot focus on both areas at the same time.
Only the centre bit of the eye (called the fovea) has a high enough resolution to see enough detail. Move as little as 20 degrees from this sight line and your visual acuity has dropped by 90%.
I don't know whether he knows what he's talking about or not in general, but for what it's worth this bit of his post makes perfect sense to me:
"a little training should enable someone to distinguish the random motion of the fake cursors from the more-directed motion of the real one."
I think that is pure speculation rather than anything else... unless the poster is an expert in a relevant field (in which case their more detailed input would actually be appreciated).
I haven't seen the system in action to be fair, but even if they've programmed it to hesitate, move at varying speeds and make occasional "mistakes", I think it's likely that an observant watcher could figure out which was the human-controlled cursor. But only because it's so difficult to convincingly simulate randomness.
Why don't you go and look at the video and listen to what the guy says... it's not detailed, but you'll probably get a better idea of what they're talking about than just using your imagination.
Stay with me on this...
The Adler Planetarium had this thing where the audience had a button on each armrest, so the audience could "steer" some of the presentation (it was less dumb than it sounded). Before the show, they had a display up that had a little square for each seat (arranged in a grid instead of the circular setup of the room, so it wasn't immediately apparent which was your square). When you pushed the left button, the square turned red, and green for the right.
It took a few minutes, but even with a packed house and a bunch of overcaffeinated kids pushing the buttons constantly, you could figure out which one was yours, by just watching the screen and watching for your button pattern.
Since you have even more control over the cursor, I think this will work. If the other cursors are doing apparently purposeful stuff (say, by recording previous paths to clicked buttons), it should be hard for a shoulder surfer to do the same thing, since watching the screen and tracking the mouse is easy for the user (since the mouse is in their hand), but hard for them.
I watched the demonstration video. I could easily tell which of the cursors was under human control. (It moved less smoothly.) This could be overcome by making the fake cursor movements exact copies of the real cursor movements, but with displaced coordinates and different directions. Unfortunately, it would then be almost impossible for the user to tell which was the real cursor. A better solution would be to artificially smooth the movements of the real cursor so that it better matched the movements of the fake cursor.
Needs more work.
But [in Cryptonomicon] the whole screen was noised up, right?
Right. The point of the exercise in Cryptonomicon was to make it difficult for an OTS observer to track the real work being done by filling the screen with unrelated activity. The user has expectations about the results of his or her actions - pressing this key will cause this letter to appear in this window - which provide the additional information needed to distinguish noise from signal.
Oculis Labs offers software - which I've never tried - that implements another variation on this theme. It uses a laptop's webcam to track the user's gaze (using standard eye-tracking techniques). Any text the user isn't currently looking at is garbled. According to some stories I've seen on this technique - and again I've never tried it myself, or looked into the actual research - it's very successful at preventing OTS reading and the like.
My online bank presents me with a software screen in which I need to input my password using the mouse.
What's even better is that the location of the keys on the soft keyboard is always randomly generated when it is displayed so my hand/mouse motion to enter the password changes every time.
"Might work great in Hollywood, but in reality, it sux, use keypass instead. ;)"
I think you've actually managed to completely miss the point of this again - this is not being touted for use when you can copy a password/phrase into a text field or similar widget, is it? How can you use Keypass with a 3rd party on-screen keyboard? Keypass is very nice, don't get me wrong, but it is not suitable where on-screen interaction with some random 3rd party on-screen verification scheme is required - something you may not have any option to avoid (whether the 3rd party should allow alternative verification procedures is another debate).
As for 'it sux' - why don't you explain why you think it does.
Also, on one specific note, last time I looked, Keypass required a GDI+, .Net 2.0 or Mono compatible environment; not sure if that is still the case though. Of course that doesn't preclude using similar software, for similar needs, in deployments where that environment is not available - but worth a thought.
The mouse pointer is called a cursor in many GUI APIs. In CSS, a pointer is a specific style of cursor, as in "cursor: pointer" (alternatives are things like "wait" and "crosshair").
Actually, of course, a cursor is the see-through thing on a slide-rule.