60 comments

[ 0.08 ms ] story [ 167 ms ] thread
This reminds me of the one from a few years back about copying house keys from photos.
Also reminded me of an article (I'm having trouble finding it) about a master key for an apartment complex that had been stolen. The article published a picture of the master key itself and then more people were able to copy the master key...
I played with this when I got my first 3D printer about 5 years ago -- I took a photo of my house key and replicated it in about a half hour. The photo was (intentionally) not a great one.

It was at that time that I started keeping all of my keys in a sleeve. Do I now need to start wearing gloves?

Locks are trivial to pick. Typically easier than recreating keys through a photo. This does not dimish their value.
Not all locks are trivial to pick, but the common consumer ones are (speaking from experience -- I've been a recreational lockpicker for years).

But recreating through a photo counts as a low-skill attack. Not as low-skill as raking a lock or using bump keys, but it does make low-skill attacks viable on moderately-or-better secure locks.

I mean, yes it does diminish their value. If you had an unpickable lock, that would be more valuable.
I've said it many times before. Biometrics should be used as usernames and not as passwords. You should be able to change a password.
> I've said it many times before. Biometrics should be used as usernames and not as passwords. You should be able to change a password.

This guidance isn't unique, though it is certainly accurate. Case in point sourced from 1999 when the differences between identification v. authentication in a biometric context were being hammered out: https://web.archive.org/web/19990508102505/http://biometrics...

You could use a gut biome sample for a password. It changes slowly over time, so you’ve got rolling built in. And you can do a reset with antibiotics.
I like that if you eat a healthier and more varied diet you end up with a more complex password.
Is this sarcasm?

I have accounts I haven't logged into for years, but still need access to. Losing access over time is not a good feature. And a 'reset' with antibiotics doesn't make sense for a bunch of reasons.

Also, password diversity is a good thing. I don't want $COMPANY_A's data breach to expose my password to $COMPANY_B

Gut biome actually changes pretty rapidly. IIRC some grad student did some kind of sequencing on his stool for a year, the the populations of different strains of bacteria would completely flip when he ate a salad one day and a cheeseburger the next.

His name was Lawrence David, but I can't quickly find the writeup that illustrates the point I'm making.

It's going to be difficult to keep the sensor completely clean for the next person to use.
I already use it as my signature.
Or, we can develop solutions based on existing [proven] cryptographic primitives, with a focus of abstracting authentication / signing / encipherment functionality to an external key or secure-device.

Example: iPhone (and Andorid) both have "secure enclaves" where cryptographic keys are stored. However when you step into the basic PC/Linux realm the concept of a secure-device for key storage (TPM) is pretty non-existent outside of corporate players. We can do better, without totally going pie in the sky.

And you can share your password with the rest of your family with a fecal microbiota transplant.
Why? If you can reliably determine that a fingerprint actually belongs to a person... it's not as if I can make my fingerprint mimic yours if I happen to come across a photo of your fingerprint... Of course, simple sensors such as phone fingerprint readers can easily be tricked, but that's an issue with that specific implementation (similarly to how you can sometimes see greasy traces of unlock pattern on phone screens), not of the general idea...
People keep forgetting that there are two parts that ought to be (as) secret (as possible) in authentication.

This is why major organisations don't allow usernames to be name_surname or nsurname. They pick random usernames. I remember when I was a student my username was a random string with characters and numbers.

This makes it more difficult to hack my account (without prior knowledge, shoulder surfing, etc.) since it was highly unlikely you could guess my username and my password.

Is this any more secure than just making the password longer?
> This is why major organisations don't allow usernames to be name_surname or nsurname. They pick random usernames. I remember when I was a student my username was a random string with characters and numbers.

sounds more like an artifact of early garbagey email systems than any sound security policy. certainly i've seen nothing of the sort from any organization since a VM/CMS system in the early 90's.

> This makes it more difficult to hack my account (without prior knowledge, shoulder surfing, etc.) since it was highly unlikely you could guess my username and my password.

this doesn't make any sense.

if i generate my passwords by a perfectly reasonable, robust procedure, and then prepend them with the string "password", and disclose this fact publicly, they become no less secure.

the username is just like a publicly announced string prepended onto your (hopefully) securely generated password.

Authentication includes both username and password. In a bank I used to work my username was a random 10 digit number. Very annoying to type all the time. The good thing is, if you want to use my account, good luck guessing both my username and my password.

Does that make sense? I do not imply that password should not be complex etc. I am merely pointing out the benefits of having a difficult to guess username.

> Does that make sense?

no, it does not. just add more bits of entropy to your password if you want more "unguessability". there's no benefit to putting it into the username.

the username and password fields can be imagined as a single field; whether the entropy is at the start or end of the field makes no difference. we just split them up for database efficiency reasons. (and because the username ends up displayed some places.)

> I do not imply that password should not be complex etc.

I do understand that's not your implication

> I am merely pointing out the benefits of having a difficult to guess username.

i'm saying that if your password is good enough, it doesn't matter what your username is.

the same way that if the last 50% of your password is "good enough", it doesn't matter if you plaster the first 50% of it onto billboards.

At least in the iPhone implementation, the finger print is neither user name nor password, it is more like a session key. You have to authenticate with username and password, then you can use your fingerprint (or faceID) to access that session for a multi-day period after which you have to reauthenticate with your password.
Good explanation of a good implementation. Thanks for bringing my attention to something that's been right in front of me for years but I didn't know about.
Absolutely 100% this. Been saying the same for a long time.
V... sign...
I guess the peace sign wasn't as universal like we thought...
It's also used for "victory". I'd argue in millennials and younger, this is probably the more familiar use because of Pokemon.
> I'd argue in millennials and younger, this is probably the more familiar use because of Pokemon.

Sorry but this is not the case at all. Most millenials know it as a peace sign, none of them would think of pokemon.

The "victory" meaning comes from WWII, not Pokemon.

The hippie counter-culture movement in the 1960s co-opted it as the "peace" sign, but nowadays I'd argue it doesn't have much of a meaning, it's just "something people do for photos" (especially in East Asia).

The V sign with palm facing the signer in British English means something like 'Fuck off'. All sorts of quite likely spurious history about archers insulting the French at Agincourt is used as a kind of etymology.

With the palm facing the viewer it means peace now but it's rare to see it referred to as a V sign in the UK with this meaning.

In WW II Churchill used it to mean Victory not peace but apparently started out used the insulting version and had to have the difference explained to him. Not sure if that is true or just apocryphal.

I never even knew that it appears to be a peace sign in the US. In my (central European) country it is the victory sign for everyone I have talked to about it.
Combine that with physical keys copied from photos, audio surveillance by recording vibrations with a standard Web cam, movement detection through WiFi signals, first steps towards mind reading, and other creepy tech breakthroughs, it is certainly an interesting time to be alive.
Hitchhikers guide to galaxy : (I remembered something along this lines)

https://scifi.stackexchange.com/questions/92738/what-is-the-...

    [Ford] slowly drew out from the wallet a single and insanely exciting piece of plastic that was nestling amongst a bunch of receipts.

    It wasn’t insanely exciting to look at. It was rather dull in fact. It was smaller and a little thicker than a credit card and semi-transparent. If you held it up to the light you could see a lot of holographically encoded information and images buried pseudo-inches deep beneath its surface.

    It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant - a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn’t even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.

    Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology’s greatest triumph to date over both itself and plain common sense.
Please don't use code blocks for quoting large chunks of text - makes it impossoble to read.
Is there a better way to blockquote? HN doesn't have anything like Markdown's '>' for quotes/blockquotes.
No formatting at all is better than 100s of characters in a preformatted block.
> Is there a better way to blockquote?

Personally, I just stick the > in front even though HN doesn't apply special formatting to it. Most people are familiar with that convention, either from Markdown or from stuff like emails.

you can also do "asterisk greater-than text asterisk"

> like this

Same here. If quoting from more than one source, I've sometimes put an identifier in front of the >, like this:

knuth:> blah blah blah

wirth:> bläh bläh bläh

The point of pretty quote formatting is to highlight distinction between your own and borrowed text. But in this case the quote is the main content of the message, so there is no need to format it.

The modern convention for such quotations is called "copypasta": you put your quote in the beginning of your message without additional formatting, and attribute it to the author in the end of your message or in the reply to yourself, or ever in the username of account you created to post the quote (such account would be called "novelty account" because THGTTG is in fact a novel).

Attribution after the quote has additional benefit of giving people the pleasure to recognize the source of the quote themself while they read it.

Your keyboard has quotation marks on it. Why not use them?
(comment deleted)
(comment deleted)
(comment deleted)
Repost with readable formatting:

> [Ford] slowly drew out from the wallet a single and insanely exciting piece of plastic that was nestling amongst a bunch of receipts.

> It wasn’t insanely exciting to look at. It was rather dull in fact. It was smaller and a little thicker than a credit card and semi-transparent. If you held it up to the light you could see a lot of holographically encoded information and images buried pseudo-inches deep beneath its surface.

> It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant - a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn’t even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.

> Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology’s greatest triumph to date over both itself and plain common sense.

I actually did this for a previous employer to demonstrate that we shouldn't switch to fingerprint auth-- took a photo of the big boss holding a clear glass, which nicely highlights your fingerprint.
It's not "stolen", it's "copied". Biometric identifiers are a conceptually ass-backwards thing.
I am not getting this the V sign is normally given with the back of the hand facing forward ie "F&^K you"
Heh, must be a cultural difference. The V sign they're talking about here is most common in East Asia I guess, though I see it often enough in the US. It's not a vulgar thing, and the usual position is with the palm facing the camera.

The same thing was often used as the "peace sign" in the mid/late 1900s, though these days it's not as mainstream as it used to be.

Its roots go back farther than that, and I think your interpretation (with the palm facing one's body) is older than the more modern interpretation.

Well there some argument that the inverted V (V for victory) was used in ww2 by Churchill avoid the negative connotations but in fact was trolling the Nazis.