Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Portables Hardware

Researchers Hack Biometric Faces 244

yahoi sends in news from a week or so back: "Vietnamese researchers have cracked the facial recognition technology used for authentication in Lenovo, Asus, and Toshiba laptops in lieu of the standard logon/password. The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user, as well as by presenting multiple phony facial images in brute-force attacks. One of the researchers will demonstrate the hack at Black Hat DC this week. He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed."
This discussion has been archived. No new comments can be posted.

Researchers Hack Biometric Faces

Comments Filter:
  • hacking? (Score:5, Funny)

    by Anonymous Coward on Tuesday February 17, 2009 @08:38PM (#26896877)
    Shouldn't they get charged with hacking the researchers faces off? That is kind of brutal no?
    • Re:hacking? Huh? (Score:2, Interesting)

      by davidsyes ( 765062 )

      Not for that. But they should be careful because they probably just pissed off a load of laptop and biometrics software manufacturers who will likely lobby for their being arrested if they land in the US, or if they commence their presentation.

      Haven't they heard of Russian and other national's programmers being arrested or threatened with arrest if they land here?

      But, if they are REALLY good, they've come up with a solution (for however long decent solutions can be expected to last...), and boost Vietnam's

    • Re:hacking? (Score:5, Funny)

      by Anonymous Coward on Tuesday February 17, 2009 @10:09PM (#26897739)
      Being an average, white American, I reckon an Asian having a biometric face-secure laptop is just plain stupid. 9 billion Chinese probably all can get into each other's raptops, no shit, G.I. They all sure do look alike, don't they? My Pa sure thinks so. So does his wife, my sister. Man, she's hot.
    • Shouldn't they get charged with hacking the researchers faces off? That is kind of brutal no?

      Hey, hacking off someone's face and wearing it as a grotesque mask to access their laptop is ghoulish, but it works!
      You gotta do watcha gotta do :-\

  • Ok then... (Score:5, Interesting)

    by going_the_2Rpi_way ( 818355 ) on Tuesday February 17, 2009 @08:39PM (#26896881) Homepage
    He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed.

    If that's the standard, all security features should be removed. Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.

    If you get your laptop lifted at the coffee shop, they better lift your wallet too I guess.
    • by Sir Groane ( 1226610 ) on Tuesday February 17, 2009 @08:46PM (#26896955) Homepage

      Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in.

      The point is facial recognition alone is so vulnerable! All you need is a cameraphone and a photo printer - and you can't revoke your face as your password either. At least with fingerprints you can get hacked nearly 10 times (on average) before it becomes a problem.

    • Re:Ok then... (Score:5, Insightful)

      by GrenDel Fuego ( 2558 ) on Tuesday February 17, 2009 @08:48PM (#26896967)

      I definitely disagree here. While passwords can be brute forced given enough time, your face is almost certainly available to someone who has access to get at your computer.

      There is a difference between identification and authentication (your claim of who you are, and your proof of that claim). What you look like is identification.

      • Re:Ok then... (Score:4, Insightful)

        by Panzor ( 1372841 ) on Tuesday February 17, 2009 @09:39PM (#26897475)

        While passwords can be brute forced given enough time, your face is almost certainly available to someone who has access to get at your computer.

        Also, you could say that face recognition is just as secure as writing a reasonably long password on your forehead. Someone takes a picture and boom. Access.

        Personally, I refrain from writing my passwords on my forehead - regardless if I can see a suspicious-looking character taking a picture of me square-enough in the face to capture all the digits. And, I also refrain of using or buying face recognition devices...

    • There is no need to take your wallet, most mobile phones have cameras in them that could be used to get a photo of your face.

      1. Walk into cafe looking for a target
      2. Photograph the target's face
      3. Steal the targets laptop
      4. Profit

      • It was a bit of a joke. But I don't think your scenario would work anyways given their need to adjust lighting conditions as they mentioned.

        More to the point, you could use something like an Iphone with a DB of randomly generated photos until it cracked. This is what the researchers here did. This is the real vulnerability. But it's brute force attack, and on any proper 'secured' system it would have to be one of several.
        • Re:Ok then... (Score:5, Insightful)

          by Herby Sagues ( 925683 ) on Tuesday February 17, 2009 @09:50PM (#26897579)
          What puzzles me is the comment in the article: > This form of authentication is considered more convenient than fingerprint scans and more secure than traditional passwords Considered by whom? Their dog? No one that has three working neurons can think that how your face looks is a stronger secret than some word you have in your mind. When they announced this "security mechanism" every security specialist I know said it was worse than nothing, it didn't even qualify as weak security, and it would be abandoned within months. It is sad when security features of computers are designed in the marketing department.
    • Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.

      With the ubiquity of digital cameras, "determined intruder with infinite resource" no longer includes "scumbag with camera".

      As such, this security feature seems particularly useless.

    • Re:Ok then... (Score:5, Insightful)

      by Jurily ( 900488 ) <jurily AT gmail DOT com> on Tuesday February 17, 2009 @08:50PM (#26897005)

      If that's the standard, all security features should be removed. Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.

      Not quite. Biometrics are horrible for security, because 1. they're not secret, 2. they're not easily replaceable. Once they have a picture of you, facial recognition is broken. Once they have your fingerprint, that's broken as well.

      Once they have your password, you choose another one and that's it. I'd like to see you do that with your face.

      • Once they have your password, you choose another one and that's it. I'd like to see you do that with your face.

        I take your point, but I don't understand the either/or philosophy of security. Besides, in most cases that matter, once they have your 'password', they have you. Period.

        To me, security is all about layering anyways. Adding a biometric layer that works well for the user (i.e. effortless) and typically involves a brute force attack to defeat? Why not?
        • Re:Ok then... (Score:5, Insightful)

          by fuzzyfuzzyfungus ( 1223518 ) on Tuesday February 17, 2009 @09:32PM (#26897413) Journal
          In single-system scenarios, you are correct. Once the password or biometric ID is cracked, the system is cracked, game over, etc. In that sense, they are equivalent. The problem is that your life, which is ultimately the use case you care about, isn't a single-system scenario, it is a long series of systems and accounts and whatnot over your entire life. If a password is broken, and your email account or whatever is compromised, that sucks; but you can generate a new one for future rounds. If a biometric ID is cracked, you can't generate a new one, so any and all systems, for the rest of your life, that are "secured" by biometrics aren't secure. That is where biometrics really falls flat.
          • by Jurily ( 900488 )

            If a password is broken, and your email account or whatever is compromised, that sucks; but you can generate a new one for future rounds. If a biometric ID is cracked, you can't generate a new one, so any and all systems, for the rest of your life, that are "secured" by biometrics aren't secure.

            Which reminds me. What do you do with an iris scan if you lose your eyes? Fingerprint if you lose that finger? Facial recognition after a fight with the neighbor...

            • A Responsible Citizen would have safeguarded his identity, and would never have engaged in physical conflict. I'm afraid that, in addition to your re-authentication penalty charge, that will be going on your permanent record...
              • by Jurily ( 900488 )

                A Responsible Citizen would have safeguarded his identity, and would never have engaged in physical conflict. I'm afraid that, in addition to your re-authentication penalty charge, that will be going on your permanent record...

                Heh. Now it's even illegal if you didn't cause that car crash :)

            • by ITEric ( 1392795 )

              ...Facial recognition after a fight with the neighbor...

              I had been thinking about this aspect - and although I believe the facial recognition systems aren't yet ready for prime-time, at least if you're subjected to this hack, [xkcd.com] it could save your face!

          • That is where biometrics really falls flat.

            Are you saying that we should remove the photos from our IDs?
            Card + Code + fingerprint = a very hard nut to crack. Biometrics can be faked, but so can every other singular security precaution. That's why you couple them with other security features and never rely on one aspect alone.

            Besides, which fingerprint did you plan on using?

            • > Are you saying that we should remove the photos from our IDs?

              You probably can't convince a security guard that you are me by pasting a photo of me to your forhead.

            • Re: (Score:3, Insightful)

              You leave your fingerprints everywhere, so it's pretty much public information. Now the only thing you're relying on is the attacker's inability, or choosing not waste time, to reproduce your fingerprint - but that's security by obscurity, isn't it?

              So based on this argument, card + code is just as secure as card + code + fingerprint. The fingerprint step is there to make you feel safe rather than really make you safe.
      • Re: (Score:3, Insightful)

        by ratnerstar ( 609443 )

        Biometrics are one part of a good authentication system. But there are always trade-offs: to lower FRR (False Reject Rate, or rate of false negatives) you have to raise FAR (False Accept Rate, or rate of false positives). Iris and fingerprint recognition are mature technologies; they can deliver low false negatives with virtually no false positives. There are well-defined and effective ways of preventing spoofing. But yes, they are only a single component, and should be combined with password and/or phys

        • Re:Ok then... (Score:5, Insightful)

          by Jurily ( 900488 ) <jurily AT gmail DOT com> on Tuesday February 17, 2009 @09:29PM (#26897377)

          Iris and fingerprint recognition are mature technologies; they can deliver low false negatives with virtually no false positives.

          Passwords deliver 0% false negatives and 0% false positives. If it rejects you, just type it again.

          There are well-defined and effective ways of preventing spoofing.

          Like what? A hash of my whole eyeball?

          Anyway, nice job twisting my point. Let me repeat:
          1. Not secret. Unique, but not secret. Which means, if someone gets the technology to spoof one, they can spoof all. What, fingerprints? They use them to catch criminals because we leave them all over the place.
          2. Not replaceable. If you find out someone can spoof your iris, what do you do? Grow new ones?

          Just because the technology isn't available yet, don't assume it never will be.

          There is only one thing that biometrics add to security: noone has to tell the Big Boss he can't juse his initials as password anymore. Apparently it's worth it.

      • Here's how you do it with a face: instead of using your own face, you a photo of Brad Pitt on your Iphone or related device. When they brute force that, you switch to a picture of Jennifer Anniston. You can change your 'biometric-based' password just as easily as they can brute force it. Just don't limit yourself to your own biometrics.
      • Once they have your password, you choose another one and that's it. I'd like to see you do that with your face

        Hell, I would too, just for the heck of it...

    • Instead of thinking about this in the sense of some random hacker trying to get into your computer, think about the more probable situation of your office. Do you have, or could you easily get a good face shot of the CEO of your organization?

      Now do you see how this could be a real problem? And yes, C-level's love biometric stuff because they don't have to remember passwords.
      • Instead of thinking about this in the sense of some random hacker trying to get into your computer, think about the more probable situation of your office. Do you have, or could you easily get a good face shot of the CEO of your organization?

        A picture of the CEO? Like the picture of the CEO that's on just about any company's website?

        Nearly impossible to get at is my guess.

      • Do you have, or could you easily get a good face shot of the CEO of your organization?

        Of course. Its right there on page one of the newsletter.

      • Re: (Score:3, Funny)

        by SEE ( 7681 )

        And yes, C-level's love biometric stuff because they don't have to remember passwords.

        They should just all get Ident-i-Eeze cards.

    • Re:Ok then... (Score:5, Interesting)

      by spleen_blender ( 949762 ) on Tuesday February 17, 2009 @08:55PM (#26897057)
      I don't comment that often but does anyone have any idea on the viability of stereoscopic facial recognition? Wouldn't that make a 3d model required to be presented to the input instead just a 2d one? Or two 2d images offset at the right angle for the distance from the cameras?
      • by spud603 ( 832173 )
        I like the idea. Like the other poster said, you'd need two cameras, but that could be built into laptops.
        However it may not be a huge hurdle, it just means that an attacker would need to get two photos of you instead of one. I'd guess that the angles wouldn't even need to be perfect, as different angles would just approximate different distances from the computer.
        What else... i guess identical lighting would be necessary...
    • You see kids, this is just another reason why you need *layered* security. Biometrics, PKI, keyfobs, enryption, uids/passwords, alone they all suck. When you start using them in combination, *then* you start putting up reasonable barriers to would be adversaries.

    • Thing is, in this case, that the vulnerability is difficult to control for, even under the practical limits of a low skill attacker. Passwords, say, are vulnerable if you use ones that are short, weak, obvious, or written on a post-it note on your monitor. All problems; but well understood, and easy to mitigate by doing the right thing. Facial recognition, by contrast, has multiple vulnerabilities, as TFA describes; but it is also hard to get right. Barring horrible accident, you are always carrying your fa
    • by dbIII ( 701233 )
      However in this case the facial biometrics sre not much more than silicon snake oil while other methods are less vunerable.

      For example the BBC series "the face" has John Cleese showing very clearly the difference between machines trying to identify people by the best algorithms of the time (probably better than in the commercial products even now) and human beings doing the same thing. We have a situation where the best researchers in the world are still getting poor results since it isn't known yet how to

  • Ummm... (Score:4, Insightful)

    by Darkness404 ( 1287218 ) on Tuesday February 17, 2009 @08:41PM (#26896903)
    Any security measure other than a (secure) password for computers are not going to provide much security. Fingerprint scanners can be bypassed, physical dongles can be duplicated, and other things are trivial to remove. A secure password with encryption is the only way that you can really make sure a computer is 100% secure. But most people don't need 100% security. There are very few robbers who would steal a laptop then proceed to attempt to remove data on it via fingerprints or other biometrics. So for the average user, it isn't a security risk. Its like saying that locking your door at night isn't good enough because a determined person can break through the glass.
    • Re:Ummm... (Score:4, Funny)

      by QuantumG ( 50515 ) * <qg@biodome.org> on Tuesday February 17, 2009 @08:43PM (#26896925) Homepage Journal

      Heh, if you have physical access the game is over. "Lock your terminal" is merely a poor defense against bored pranksters (beating their head in if they touch your machine is the only effective deterrent).

      • Heh, if you have physical access the game is over. "Lock your terminal" is merely a poor defense against bored pranksters (beating their head in if they touch your machine is the only effective deterrent).

        Lets say that the terminal only gives you a remote desktop on a secure remote system, and your credentials are required to authenticate.

        • Re: (Score:3, Insightful)

          by TheDugong ( 701481 )
          Then you do not have physical access.
        • by tepples ( 727027 )

          Lets say that the terminal only gives you a remote desktop on a secure remote system

          For one thing, the cost of access to the secure remote system would then include $40[1] per month for mobile Internet access, which is $40 more than a system running on a laptop or other computer without a continuous Internet connection would require. Take this into account in your cost/benefit analysis. For another, the attacker could still install a keylogger on the terminal to capture your credentials.

          [1] Price of T-Mobile's cheapest plan for a USB mobile broadband dongle. AT&T charges even more.

        • by Z34107 ( 925136 )

          Heh, if you have physical access the game is over. "Lock your terminal" is merely a poor defense against bored pranksters (beating their head in if they touch your machine is the only effective deterrent).

          Lets say that the terminal only gives you a remote desktop on a secure remote system, and your credentials are required to authenticate.

          Let's say I steal your terminal and sell it.

    • Re: (Score:2, Interesting)

      by xwizbt ( 513040 )

      My iPhone locks itself after a minute and demands a four digit passcode.

      It's not the perfect solution, I know, but I don't mind tapping a four digit key out on my keypad after a minute's inactivity on my Mac. Maybe 5. Maybe 10.

      That's enough - once you've stolen my Mac, you need to be with it every ten minutes... forever.

      • I don't mind tapping a four digit key out on my keypad after a minute's inactivity on my Mac. Maybe 5. Maybe 10.

        That's enough - once you've stolen my Mac, you need to be with it every ten minutes... forever.

        Or the thief can just change the PIN to 1337 and have access whenever he wants.

        • Doesn't he have to know the original pin for this?

          • by tepples ( 727027 )

            Doesn't he have to know the original pin for this?

            Not if he steals the laptop while it is already logged in. And not if he just backs up the home folder and any already-mounted TrueCrypt volume to external USB storage, unplugs it, and then reformats.

  • ... Wow. (Score:4, Interesting)

    by Valdrax ( 32670 ) on Tuesday February 17, 2009 @08:41PM (#26896905)

    The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user [...]

    Tragically, sadly obvious. Not even a hack, really.

    • one small problem (Score:2, Interesting)

      by westlake ( 615356 )
      Tragically, sadly obvious. Not even a hack, really.

      if it is not an inside job - how does the thief get his photograph of the "authorized user?"

      when the sensor is a webcam - why not include motion or depth perception in the authentication process?

      if the camera is sensitive to infrared why not confirm that the heat signature of a live body is present as well?

  • by HomerJ ( 11142 ) on Tuesday February 17, 2009 @08:44PM (#26896941)

    Even made a point of saying "facial recognition systems aren't all that secure. They can't tell the difference between a person and a photo of the person". Then he proceeded to break into the room by holding up a picture of someone that had access.

    • by ari_j ( 90255 ) on Tuesday February 17, 2009 @09:35PM (#26897437)
      And Mythbusters has fingerprint scanners covered. As others have pointed out, use your faceprint or fingerprint for identification and a password or the like for authentication. Hell, even in Star Trek you have to say "Authorization Picard Alpha Two" in Picard's voice to blow up the ship.
    • Re: (Score:2, Informative)

      by citizenr ( 871508 )
      yes, and in last episode they showed how you can defeat cellphone jammer using Ethernet patchcord connected into mainframe as an antena .. this show is full of GARBAGE Science
    • Are you actually quoting a TELEVISION SHOW as being realistic in any way? Are you serious? And who the hell modded you up? TV shows do whatever they want, they are works of FICTION.
  • by Coder4Life ( 1396697 ) on Tuesday February 17, 2009 @08:57PM (#26897091)
    ...your average joe-6-pack criminal isn't going to have the brain cells for black hat cracking stuff like this. If they can't get into the laptop, they are probably going to part it out and sell it for any money they can get. On the other hand, if they have full access and can get wifi somewhere, then having Adeona (http://adeona.cs.washington.edu/) installed might pay off. A chance of getting your laptop back is probably better than none at all... If you're really concerned about security, true crypt + usb key would probably be a better choice imo. I guess it all comes down to how_secure you want your laptop to be...
  • by Anonymous Coward on Tuesday February 17, 2009 @09:06PM (#26897167)

    Wonder if, when you 'enrolled' your face in the recognition software, you held your hand(s) up in the image forming a symbol -- peace sign, one finger salute, whatever. Then someone would have to capture your image at the instant you authenticated.

    It would be customizeable and and changeable, unlike your face, and hard to duplicate blindly.

    • Still pretty easy to spoof.

    • by Burning1 ( 204959 ) on Tuesday February 17, 2009 @11:30PM (#26898341) Homepage

      ...and carries the same level of security as speaking your password every time you type it.

      Seriously, biometrics are a bad idea, unless also combined with other methods of authentication.

    • by Eil ( 82413 )

      From what little I know of facial recognition software, it takes measurements of facial features and uses those as the "key". They almost certainly won't accept something that doesn't that doesn't resemble a face. I'll bet it never occurred to the developers that ripping out all those fancy algorithms would actually make the system somewhat more secure.

  • From my point of view, it seems this could be combatted by using two cameras and depth perception, movement detection. The same way we are able to judge these things. Then the cameras would be able to tell of it was a picture or not. Also, if the cameras could move on a track, and look up, down, left or right, this would make it even more accurate.
    • for two cameras, just use two photos (taken with a stereo camera). Depth perception is already reliant on this, so adds nothing. But it seems unlikely laptop manufacturers would add a second camera just for this purpose. Unless they also do cool 3D video stuff. But if that's the case then you could just plonk a similar laptop (which has previously recorded a 3d video grab of the subject) in front of the stereo cameras. It's the same thing, just a little more complex

  • by thethibs ( 882667 ) on Tuesday February 17, 2009 @09:10PM (#26897197) Homepage

    Of course they broke it. "Biometric Authentication" is an oxymoron. The correct phrase is "Biometric Identification". A face or a finger are a claim of identity that still needs authentication with some form of secure credential, e.g. a password.

    No Id and no authentication is "public". Id but no authentication is "public, but stupid about it".

    • A face or a finger are a claim of identity that still needs authentication with some form of secure credential, e.g. a password.

      Yup, it's Lenovo et al.'s mistake, for using face recognition for both identification and authentication, The two functions are different, and should remain separate. Via Schneier's Cryptogram, here [microsoft.com]'s a good article explaining why merging them is a bad idea

  • by mattack2 ( 1165421 ) on Tuesday February 17, 2009 @09:18PM (#26897279)

    Well, Mythbusters got past fingerprint recognition systems with a Xerox and a Sharpie (after getting the fingerprint off of a can or glass, IIRC). My comment at the time to the group I was watching it with was approximately "I hope their stocks drop hugely tomorrow".

    • Re: (Score:2, Informative)

      by Cobra Spaz ( 1480491 )
      Fingerprint readers are very easy to crack if you have someones finger print. The last company I worked for they had to types of fingerprint readers. You could crack them both by placing a scanned image of the fingerprint on the reader. The only difference between the two was that one of them only scanned if it sensed enough heat and the of scan plate was grounded by being touched. So it was slightly more difficult to crack. It took awhile to find the right paper that allowed enough heat to come through and
      • by 0123456 ( 636235 )

        "I still think that facial recognition and/or a fingerprint scanner is a great addition to a strong password, but it should never be used by itself to begin with."

        Yeah, rather than the bad guys just beating your password out of you, now they get to cut off your fingers and your face too.

  • well sure (Score:3, Insightful)

    by Drumforyourlife ( 1421647 ) on Tuesday February 17, 2009 @09:22PM (#26897311)
    but wouldn't those hackers be pissed if they go through all the trouble to get a good face pic of the user only to find out that there's a password screen immediately after that. i'd say it's a great addition to a layered security system.
  • In a recent posting [slashdot.org] I pointed out how fingerprint and retinal scanners could be fooled.

    An AC followed up claiming that "devices designed for actual security" also checked "biological signatures" to avoid being fooled by static images, fake fingerprints, and the like.

    I responded that security vendors have a long history of claiming their stuff is testing for much more than it actually is, counting on this to deter attempts to actually break it. I expected that, as past behavior is a good predictor of future

  • I'm pretty sure we demonstrated this technique back in Space Quest III...

    Oh come on, I'm not the only one who remembers that game!

    • take portrait
      place portrait on photocopier
      press button
      take copy
      take portrait
      replace portrait
  • If you're in a coffee shop, then the best type of authentication is dance recognition. You place the laptop on a table, push the chair to one side and dance like you're selling nails. As most people are terrible dancers it should be a fairly unique identifier. Especially for Apple owners, who will have to dance like Leonard Cohen because they all wear polo neck sweaters.

  • If it can be defeated with a 2D picture, why not up the ante and ensure that the target is 3d by scanning it with a cheap laser? Sure this could be defeated too, by people fabricating mannequins. If this is within your threat model, then you could require the subject to speak a phrase, then scan the series of facial movements for recognition. The black hats would then have to build an android replicant, requiring the white hats to counter with.... um... typed passwords?

    • Re: (Score:3, Insightful)

      by John Hasler ( 414242 )

      > If it can be defeated with a 2D picture, why not up the ante and ensure that the target
      > is 3d by scanning it with a cheap laser?

      Because the whole point was to offer biometric identification without spending any money on hardware. The camera was already there.

  • I've been to a few places that use biometric security. They are nothing but a toy to impress the rich dummy customers. I've had to deal with thumbprint scanners on entry doors. You have to scan your thumb AND enter a code. Why? Because it can't readily enough tell the difference between your thumb and someone else's but if you provide a security code as well, then it is reasonably satisfied that it is really you. Of course, if you just entered the code by itself, that would have been just as good. What was
    • I have had the same password for over 15 years and never had any trouble because ... I don't tell it to anyone. The problem with passwords is when people do dumb things like share them with someone else, or worse, write them down.

      Or when a server you used it on 12 years ago got its HDDs stolen/dumped w/o being wiped. Or if an unscrupulous sysadmin has modified ssh to store unencrypted username-password pairs (and you're not using keys). Changing every now and then makes sense, but you're completely correct about the "every 60 days, never any repeats, must use all 255 characters in the ASCII table, and be a minimum of 4096 characters". Security policy by committee is what that is.

  • We need facial recognition CAPTCHA's. Something like three physical tasks you need to perform to gain access, eg 'Please place your left index finger on your nose. Accepted. Now please poke out your tongue. Accepted.' etc.

    But even that wouldn't be impossible to defeat.

    Still... I wonder how a 'Now show us your boobs' instruction would go down :)

  • believing they did something so stupid. I mean... I believe it, but it's way out there. You'd have thought they would have learned their lesson when Mythbusters faked out an expensive fingerprint reader about 4 different ways a couple of years ago. Or when it was reported elsewhere last year that facial recognition could be fooled with simple pictures.

    They blew it, big time. They should be held liable.

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson

Working...