Cheap face recognition

I just read about KeyLemon, a company that offers face-recognition-based login to Windows XP for less than $40. They have a trial version. For fun, I decided to try it.

The installation was straightforward. It used my webcam. Registering for the first time was touchy: the software wants you to be in a given, relatively precise position.

Instead of your typical login screen, you have a screen that displays what the webcam sees, and a field where you can still enter your password. Once it recognized me (after a few seconds), it logged me on without any problem. Now, the funny part: let’s push the limit slightly. I registered with my glasses, because I work without them in front of my screen. When I tried with the glasses, it did not recognize me. OK, let’s do it without the glasses.

Of course, you all already thought about it. I took a picture of myself with the webcam and printed it on the color printer. YES!!!! It recognized my picture! That’s really bad: an easy way to impersonate someone.

Then, I decided to comb my hair (those who know me will understand :Wink: ). It did not recognize me. Phew, my picture works.

Then, I decided to train the tool better (after 20 cumulative training sessions, with glasses or not, combed or not), and it performed worse. Fortunately, there was still the field to type the password in.

KeyLemon is a funny tool but not a secure tool. Don’t trust it. Interestingly, the announced advantages are:

Stop wasting time entering your password

I’m not sure who would win the race.

Stop remembering your password

No!!! What if it does not work correctly?

The only interesting feature is that it locks the computer once it no longer sees you in front of the screen.

Retrieving lost passwords through social interaction

What happens when you forget your password? Often there is an automatic backup procedure to recover it. Sometimes it is just authentication through an e-mail address, i.e. the password, or a new one, is sent to the address you registered. More often, it uses secret questions that are supposed to authenticate you: for instance, the name of your pet, your birth town… Obviously, these secret questions have two problems:

  • They are easy to guess because they are too simple. You may harden them by giving a false answer, but then you need to remember that false answer.
  • If they are too complex, you may have forgotten the answer.

In other words, they are inadequate, although widely deployed.

SCHECHTER S., EGELMAN S. and REEDER R. from Microsoft describe an interesting solution to this problem in “It’s not what you know, but who you know”. Each user defines a list of trustees. Each trustee will receive a recovery code. To retrieve the password, the user must obtain from his/her trustees their recovery codes.

The experiment highlighted two issues:

  • After a while, the user often forgets who his/her trustees are. Thus, you need a procedure to retrieve the trustees’ identities.
  • Many trustees would provide the recovery code to someone close to the user.

I would add a major one: it takes a lot of time. One subject took 5 days to get three recovery codes. Often, you want immediate access.

Nevertheless, it is an interesting paper to read. I recommend the section that describes how the trustee hands over the recovery code. It was designed to highlight many risks of social engineering. Nice work.
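To make the trustee mechanism concrete, here is an added example (my own illustration, not the paper’s code): a hypothetical k-of-n recovery class where each trustee receives a distinct one-time code, the server stores only HMAC digests bound to the trustee’s name, codes expire after a window (the post notes recovery can take days), and a successful recovery consumes the codes. It does nothing against the paper’s second issue, a trustee handing the code to someone close to the user; that is a human problem, not a protocol one.

```python
import hmac
import secrets
from hashlib import sha256


class TrusteeRecovery:
    """k-of-n trustee recovery: every trustee gets a distinct one-time code,
    and the user must collect at least `required` of them.  Hypothetical
    implementation; the server keeps only HMAC digests of the codes."""

    def __init__(self, trustees, required, code_ttl_s=7 * 24 * 3600):
        if not 0 < required <= len(trustees):
            raise ValueError("required must be between 1 and the number of trustees")
        self.trustees = list(trustees)
        self.required = required
        self.code_ttl_s = code_ttl_s
        self.pepper = secrets.token_bytes(32)  # server-side secret, kept apart from the table
        self.issued = {}  # trustee -> (digest, expiry); cleared once recovery succeeds

    def _digest(self, trustee, code):
        # Bind the code to the trustee name so a code cannot be replayed in another slot.
        return hmac.new(self.pepper, f"{trustee}:{code}".encode(), sha256).digest()

    def start(self, now):
        """Begin a recovery attempt: mint a fresh code per trustee.
        Returns the plaintext codes, each delivered out of band to its trustee only."""
        codes = {t: secrets.token_hex(8) for t in self.trustees}
        self.issued = {t: (self._digest(t, c), now + self.code_ttl_s)
                       for t, c in codes.items()}
        return codes

    def recover(self, presented, now):
        """`presented` maps trustee -> code the user collected from that trustee.
        Returns True when at least `required` distinct, unexpired, valid codes are given."""
        valid = set()
        for trustee, code in presented.items():
            record = self.issued.get(trustee)
            if record is None:
                continue  # not a trustee, or no recovery in progress
            digest, expiry = record
            if now > expiry:
                continue  # stale code: collecting codes can take days, so a window is needed
            if hmac.compare_digest(digest, self._digest(trustee, code)):
                valid.add(trustee)
        if len(valid) >= self.required:
            self.issued = {}  # single use: the same codes cannot unlock the account twice
            return True
        return False
```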

Is French HADOPI law dead? (7)

The French law “Création et Internet” has been approved by both chambers. On Tuesday, the French deputies voted on the law for the second time. This time it passed easily. The right-wing deputies turned out in force to vote yes (compared to the previous presentation).
Yesterday, the senators approved the law. The French government can now launch the HADOPI. The HADOPI is the body that will manage the graduated response.

Is the story finished? Not sure. Last week, the European Parliament approved amendment 138, which requires a court decision to cut off an Internet connection. It is not yet certain that HADOPI’s modus operandi will comply with it. No doubt the anti-HADOPI camp will try to use this threat.

The story continues…

Wolverine is a success… (2)

This time it is a real financial success. Despite the leak, Wolverine is a blockbuster. Last week, it was number 1 at the US box office. This week it is number 2 (displaced by the new Star Trek). In 2 weeks, for the US market alone, the cumulative gross is about 130M$. By comparison, Slumdog Millionaire is at 141M$ after 26 weeks.
My predictions were not bad :Happy: .

Is the Wolverine leak a real tragedy?

As reported earlier, the expected blockbuster “Wolverine” leaked out about one month before theatrical release. The official release is next week.

The movie is still a success on P2P but no longer in the top-10 chart. Why? Probably because many people heard about the real quality of the leak. Following are some representative snapshots.
– The picture still has special effects to be added

– The picture still has details to be removed

– The picture is quite empty due to missing special effects (almost the whole end of the movie)

– or my favourite: annotated pictures

Conclusion: you have the plot of the story but not the pictures. All the fans will go to the theater to see the final movie even if they downloaded this version. We will not see much impact.

This version is interesting because it gives a very good overview of how a modern movie is created. You have all the different stages of a movie. In fact, it is a super attractive trailer.

We will see whether a GOOD movie that leaks too early is really such a disaster. For a bad movie, it may be another story.

Next week we will see the first figures.

The Pirate Bay sentenced

On Friday, the Swedish court issued its verdict against The Pirate Bay. Peter Sunde (brokep), Fredrik Neij (TiAMO), Gottfrid Svartholm (Anakata) and Carl Lundström have each been sentenced to one year of jail and 900K$. They have already appealed.

The judge held that the primary offenders were The Pirate Bay’s users, but that the four defendants assisted the users in the infringements. The verdict leaked out of the court several hours before its official announcement. The police are investigating this breach of confidentiality.

Nevertheless, The Pirate Bay is still online. There is not even a visible sign or clue about the verdict. That is not the case for some other tracker sites, such as Nordicbits, Powerbits, Piratebits, MP3nerds and Wolfbits, which went offline. They feared prosecution.

Some Pirate Bay supporters have organized a DDoS attack against the IFPI site as retaliation. We may expect other such actions in the coming days.

Is French HADOPI law dead? (6)

The story continues. Last week, it seemed that the law was in good shape, but the adventure goes on.

Meanwhile, the “Commission Mixte Paritaire”, made up of deputies and senators, rejected some amendments that annoyed the government. For instance, this commission decided that the customer should keep paying the full Internet subscription during the suspension.

Yesterday, the French National Assembly voted on this new version of the law. About 40 députés were present (this lower house of the French parliament has 577 députés!). The result was 21 against the law and 15 for the law.

Is the law dead? No. The government can request a second reading of the law. It is already scheduled for the 28th of April. No doubt the government will lobby its députés to avoid the same fiasco.