Verifying a User By Following the Movements of Their Mouse
Harperdog writes "Tom Jacobs has a very cool little story about an Israeli research team introducing a novel way of verifying a computer is being operated by its rightful user. Its method, described in the journal Information Sciences, 'continuously verifies users according to characteristics of their interaction with the mouse.'"
Index/Evidence (Score:5, Insightful)
Is it indexical? Yes. Is it evidential? No.
Translation: unreliable.
Re:Index/Evidence (Score:5, Interesting)
If it is unique enough to identify (not verify) you, then it could be used to prove user XXX did the fraudulent things on PC Y, instead of the logged on user YYY.
Re:Index/Evidence (Score:5, Insightful)
Pro tip:
Before you do something illegal on your computer, switch to your non-dominant hand to maintain deniability.
Re: (Score:2)
But ... but my dominant hand keeps taking the mouse back again!
Re: (Score:1)
So if I collect enough data on your mouse movements, I can write a program that moves the mouse in order to prove you used my machine?
Re:Index/Evidence (Score:4, Insightful)
Lots of false positives and negatives make the system constantly alerting and having to be manually checked .... i.e. annoying and people get used to just accepting that it is always warning ...
A system that is constantly flagging alerts is next to useless ... it is only marginally better than alerting all the time ....
Re: (Score:3)
Just because this iteration of it isn't that useful does NOT mean it's a bad idea that will never be useful. Technology is often incremental, and while the beginning steps are unreliable, they are still very important ones.
Re: (Score:1)
If the system gets better and has less false negatives and false positives. And integrates with other systems, as another level of check.
Fixed that for you.
The problem is that there is no proof that the premise that mouse movements are sufficient to identify a user, is actually true. If it's not, then this technology is fundamentally flawed.
And perhaps this technology can be used to either prove or disprove that.
Re: (Score:3)
Translation: you're not getting the point. Lots of false negatives and false positives is still a lot better than random guessing. Also, this is just the beginning.
On the contrary: Equally large amounts of false negatives and false positives is exactly the same as random guessing. [Shannon, 1948]
Re: (Score:2)
Not true in general. For example, a system that yields 1% false negatives and 1% false positives is still 98% reliable, and much better than random guessing.
Re: (Score:2)
Not true in general. For example, a system that yields 1% false negatives and 1% false positives is still 98% reliable, and much better than random guessing.
Granted, but we are talking about this specific article and not "in general". Since mouse movements are sometimes used as an entropy source for RNG seed material (http://www.freepatentsonline.com/5799088.html, for example) indicates that the uncertainty could be closer to random chance. I.e. <<2-sigma
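An added worked example, not part of the thread or of the paper it discusses: the false-positive/false-negative argument above, carried through for a continuous verifier that makes one decision per time window. The 30-second window, the 8-hour day, the independence of windows, the non-overlapping "k of n" blocks and the function names are all assumptions made for illustration.

```python
from math import comb

def p_at_least(k, n, p):
    """P(at least k of n independent windows are flagged), each flagged with prob p."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def evaluate(frr, far, k, n, windows_per_day):
    """Rule: challenge (e.g. ask for the password) when >= k of n windows look anomalous.

    frr: per-window probability that the rightful user's window is flagged
    far: per-window probability that an impostor's window is NOT flagged
    Blocks of n windows are treated as non-overlapping (assumption).
    """
    p_false_challenge = p_at_least(k, n, frr)   # rightful user, per block
    p_detect = p_at_least(k, n, 1 - far)        # impostor, per block
    blocks_per_day = windows_per_day / n
    return {
        "false_challenges_per_day": blocks_per_day * p_false_challenge,
        "impostor_detect_prob_per_block": p_detect,
    }

# Constructed parameters: one decision every 30 s over an 8-hour day.
WINDOWS_PER_DAY = 8 * 60 * 60 // 30   # 960

if __name__ == "__main__":
    cases = [
        ("1%/1%, act on every window", 0.01, 0.01, 1, 1),
        ("1%/1%, act on 2 of 3 windows", 0.01, 0.01, 2, 3),
        ("50%/50%, act on 2 of 3 windows", 0.50, 0.50, 2, 3),
    ]
    for label, frr, far, k, n in cases:
        r = evaluate(frr, far, k, n, WINDOWS_PER_DAY)
        print(f"{label}: "
              f"{r['false_challenges_per_day']:.3f} false challenges/day, "
              f"impostor caught per block with p={r['impostor_detect_prob_per_block']:.6f}")
```

With 1% error rates and a decision on every window, the rightful user still sees about ten spurious challenges a day, which is the alert-fatigue problem; aggregating over a few windows cuts that sharply, and only at 50%/50% do the rightful user and an impostor become indistinguishable.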
Trackball (Score:4, Interesting)
Re:Trackball (Score:5, Insightful)
but really telegraph operators could tell who was sending in the 1800's. it took us long enough.
Remember this for when someone starts trolling a patent
Re:Trackball (Score:5, Interesting)
I don't think they're trying to use this like fingerprints or retina. I gather (from not reading the article) that they just want to know if the person who usually uses this computer is the guy who is now using this computer. And I'm guessing that all the little ticks and taps that go on when you're reading something and just have your hand (left or right) resting on your ball (left or right) is pretty distinctive.
It made me notice just now that I do a little rhythmic dance with my pointer while I'm reading. Like a nervous tic. I never realized that until just now.
Re: (Score:2)
It made me notice just now that I do a little rhythmic dance with my pointer while I'm reading. Like a nervous tic. I never realized that until just now.
Oh, that must be you just making the sign of the cross over each of us slashdot sinners.
By the way, whenever I see your 'nym "PopeRatzo" I always picture in my head SNL's Father Guido Sarducci reading your posts out loud, complete with hat and cigarette waved around for emphasis.
Makes my day a little brighter.
Re: (Score:2)
You have no idea how close that is to the truth.
Re: (Score:1)
You have no idea how close that is to the truth.
Scary, huh? :)
Re: (Score:2)
I use a pretty odd arrangement at work & it makes my work 'mouse behavior' very different. I use a trackball i bought myself at work and I've always been aware that having to move my arm less to use it seems to have increased the 'nervous tic' like mousing behaviors.
Best example of which is that if I'm working my way through a page of boring documentation, it's quite likely (>25% probability) that I will be highlighting & un-highlighting bits of the paragraph as I read it for no reason at all. Thi
Re: (Score:2)
That's interesting. Now that I think about it, my reading behavior (tics) is significantly different than my mouse behavior when I'm working in ProTools or Reaper. Very often, the tics are rhythmic, in time to some music in my head or on the speakers.
Still, I doubt that it's random, and if it's like most things human beings do, there are distinctive patterns.
for now.. (Score:1)
But just like everything else, they'll come up with some sort of automation that replicates the somewhat erratic mouse gestures a human does to get around this "security".
Re:for now.. (Score:5, Insightful)
If you can sneak into someone's office and use their computer at all, then detecting people by mouse movements is the least of your worries
Your staff leaving their computer unlocked, their door unlocked, and their office unattended, and no-one noticing are much worse security issues ...
Re: (Score:2)
Your staff leaving their computer unlocked, their door unlocked, and their office unattended, and no-one noticing are much worse security issues ...
Yeah, the secretary might have her handbag in the office, in which case you could find cool stuff like used handkerchiefs or even a spare panty or somesuch!
*pauses* *coughs* I'm merely pointing this out as a purely hypothetical case, of course. I don't condone, nor have ever engaged in any such activities. *looks down* *hurries away*
Re: (Score:2)
If you can sneak into someone's office and use their computer at all, then detecting people by mouse movements is the least of your worries
Your staff leaving their computer unlocked, their door unlocked, and their office unattended, and no-one noticing are much worse security issues ...
Sure, but this mouse thingy might still be a useful extra security feature after those basic things are taken care of.
And then get locked out... (Score:5, Insightful)
And then get locked out if you come from cold weather outside and cold hands somehow make you move differently...
Re:And then get locked out... (Score:5, Interesting)
True, while this system is too unreliable to work on its own, I can imagine a hybrid solution where it pops up a traditional password authentication if you move your mouse differently than usual. It could be of some use in high-security places in case an employee leaves the machine on and forgets to log out, but then if you have enemies gaining physical access to your security-sensitive stuff you have already failed.
Re: (Score:2)
if you have to change your password every 30 days, then users will often change their password, and then forget it by the next time they have to type it in. I like how windows warns me up to 2 weeks in advance that My password requires changing. When I see this, I start thinking about what my next password will be, and I always change it on a Monday. Much less chance of forgetting it over night than over a weekend.
Are you saying that your password is actually not ?
These "change your password every X" systems are extremely stupid and create passwords which are weaker than the original password (e.g. append a 1 every time). So in my example, I always change the password every month, and append the current month + year to my base password. This fools the security check but does not introduce any additional security. E.g.
base pass= abcd ...
Pass in January 2012: abcd012012
Pass in February 2012: abcd022012
Re: (Score:2)
The problem with this is that people will forget the password, or it will be really weak so they don't have trouble remembering it the 3 times a year they need it.
They can use their normal account password to get back. The mouse-movement-thing is just something extra that stops the action if someone else starts screwing with an unlocked, logged-in workstation.
...until regular business hours (Score:2)
Then you would get a screen which requires some additional authentication to solve the situation
If it were deployed on a site available to the public, the screen would likely say "Please call this telephone number during regular business hours." On a Friday evening before a bank holiday Monday. Or worse yet, "Please visit the nearest branch during regular business hours."
Re: (Score:1)
Or if you had a few drinks, smoked some pot, or are just simply a bit tired or excited or...
Re:And then get locked out... (Score:5, Funny)
If it detects you're excited, it logs you in, but defaults the browser to private mode.
Re: (Score:2)
All good reasons not to be allowed near a machine that has access to email, IM or Facebook. (With Twitter users you can't really tell the difference between drunk and sober anyway.)
Re: (Score:2)
And then get locked out if you come from cold weather
I believe that would be "frozen out" not "locked out".
Not persistent enough. (Score:5, Insightful)
I see several potential problems with this kind of identification. One of the biggies is switching hardware and the other - potential hand injuries.
Changing mice is the biggest issue, I think. Every mouse has a different shape and ergonomy, so it is being used differently by the same user, especially during the adjustment period. This also doesn't take into account the potential precision differences of the mouse. Plus, switching to an entirely different control scheme, like a tablet or trackball, screws up any tracking attempts.
The other problem is hand injuries - from a simple finger cut to advanced problems with nerve or bone structure. In addition to slowing down the usage, tracking movement will show entirely different schemes of usage. This one hits especially close to home for me, since having recently developed numbness and coordination problems in my dominant hand due to a relapse of Multiple Sclerosis, I now struggle to use a mouse at all and have almost completely switched to a thumb-operated trackball.
This identification method might be useful in highly integrated/high-security environments, where employees seldom change, or for protecting single-user terminals, but the hand injury problem trumps these uses, too.
Re:Not persistent enough. (Score:5, Insightful)
"potential problems" can mean different things. Who needs permanent identity verification? This could be a niche product, so scenarios where you get locked out each time you start gaming could be irrelevant. In that case dramatic mouse changes requiring retraining wouldn't happen frequently either.
Re:Not persistent enough. (Score:5, Informative)
The article specifically mentions "continuous verification", implying a workplace/business environment, where motions of the pointer are probably repetitive enough for the software to pick up on. This, of course, also implies not having to switch mouses every so often, but every time there IS a global company-wide switch of hardware, the ID software will go completely bananas, locking out every worker there. Without a method of purging already generated schemes for every user, this is just begging for a catastrophic company lockdown.
Re: (Score:2)
The article specifically mentions "continuous verification", implying a workplace/business environment, where motions of the pointer are probably repetitive enough for the software to pick up on.
The article also implies a country where the workers can't sue their employers for giving them the carpal tunnel syndrome.
After all if Pavlov were alive today, he'd argue that the seemingly insignificant penalty of getting a login screen requiring a password every time a small variation in behavior occurred would eventually condition the behavior of the computer operator and perhaps would probably cause even more employees than usual that get repetitive strain injuries as a result of their work.
Re: (Score:2)
Basically, when someone plugs a new mouse in, it'll have to reset itself, which completely negates the security of the technique anyway. If you're using the computer you've likely got hardware access to at least plug in a new mouse.
In a high security area there are much better ways of tracking who's using what, and this just seems like it'll be too easy to a) fake and b) work around and c) gain false negatives
Re: (Score:2)
Yes, most people working in an office use at least four or five different mice and switch between them several times a day. Therefore, the system is totally useless. It could only possibly work for the kind of people who barely even know where to plug in a mouse, which is... oh, wait.
I used four mice. Squeak. (Score:2)
Re: (Score:1)
Yes, but they're all attached to different devices, so that would not matter in this case as each device would create its own profile of your mouse usage on that device.
Re: (Score:3)
Yes, in this case the method would work. The only remaining problem to address is whether it is sensitive enough to not give false-positives with random hand-related problems due to, for instance, weather conditions, and how will it impact workflow around a potential office - in a typical setup, even if workers are limited to their own cubicle, they often help each other out by going over to someone else's computer and doing something there. This, of course, depends on company policy, but having the compute
Re: (Score:2)
I'm pretty sure their system works nicely for data input role workers - and not at all for anyone doing anything more complex with variety.
for just about anything else.. the profiling can't be very good. basically they can detect if you change your mouse, screen resolution, if you change where you "rest" your mouse between clicks and such. big deal.
Re: (Score:2)
Changing mice is the biggest issue, I think.
That's far from being the biggest issue. The tough part is tuning the system so that it offers real protection, but at the same time does not get in the way of the authorized user of the computer.
Elsevier... (Score:1)
Seriously? Why does anyone even bother to publish computer science papers there, other than because the work is too poor to be accepted by a good IEEE or ACM conference or journal?
Re: (Score:1)
Bank of America modal dialog: "Your session has been destroyed for security purposes. Either you had two or more drinks, or your session has been hijacked (our IT guys say this happens from not upgrading your browser). Please login again and answer at least 3 security questions."
Eh, it wouldn't be that bad though. It would probably be more like the Wii Motion Plus...wanting to recalibrate every 3 minutes...
Re: (Score:1)
Exactly. They pissed off too many serious researchers with all their restrictions and paywalls, are getting boycotted as a result, and now this is the only kind of stuff they can still get their hands on.
Hmmm (Score:2)
This is an interesting direction for collecting metrics, and could obviously be used to evil(tm)
Depending on how they collect the data there are multiple potential sources for data collection.
DPI/Sensitivity of the mouse (which users generally do not change)
Algorithm/mouse smoothing (with enough data resolution can even narrow this down the sensor and processor used or even brand and model of mouse)
speed of click/double click user inputs.
degree and pitch of side to side or top to bottom of screen mouse trac
Re: (Score:2)
I'm pretty sure that just the overall appearance of said appendage is enough to positively ID someone.
Re: (Score:1)
But then how will women get money when they're having their period? Surely their characteristics will change a bit? Not saying it would be impossible, I'd love to see someone implement it, but I'm not sure it would be cost-effective.
Re: (Score:2)
I guess it's just that time of the month, you just can't operate heavy machinery. Nature, what are you gonna do?
vi code.cpp (Score:3)
ZZ
vi more_code.cpp *tap* *tap* *tap* *tap* *tap*
ZZ
vi extra_code.cpp *tap* *tap* *tap* *tap* *tap*
ZZ
firefox http://www.slashdot.org/
INTRUDER ALERT! INTRUDER ALERT! AUTOMATIC LOGOUT AND SHUTDOWN IN PROGRESS!
So... (Score:1)
Basically if any conditions change in user's personality or physiology, or computer's configuration, or your routine daily tasks, security app would be useless.
If it was used as part of hybrid solution it's still useless, why just not get timed user promp
Re: (Score:2)
Basically if any conditions change in user's personality or physiology, or computer's configuration, or your routine daily tasks, security app would be useless.
That does not immediately make the software completely useless. It still works when you are functioning in your mainline. During days which your behavior is deviant enough, you might just disable the feature for a while, or something.
And even if it would still get too much in your way, you could make it so that instead of completely locking the session, it would simply log the spurious events so you could check them if necessary.
Aimbot (Score:3)
Finally, using an aimbot will get you banned from your own PC.
About time.
Rich Little / Marcel Marceau Trojan discovered (Score:2)
Different pointing devices? (Score:1)
All in all, this is a cool idea but I can't see
Have my doubts on its effectiveness (Score:1)
A few things make me doubt this.
People who are familiar with playing games that have a lot of hot keys (like mainstream MMOs), and take the time to look up the hot keys built into their OS tend to use those hot keys because it is easier than moving the pointer across the screen to hit a 1 to 3 key combination. Same would likely hold true for modelers, coders, and people who use Linux often, or any other scenario where learning the hot keys of a program simplifies usage a lot.
Then there are mice like Razer's,
Pointer device vs touchpad vs mouse (Score:2)
These types of solutions are problematic.
My mouse use varies quite a bit from my mouse in my office, to my use of the Pointer Device on my ibm laptop to my home laptop with a touchpad. All yield very different mouse actions.
I also don't like these solutions that there are times when you want someone else to access your acct. For example, my brother's bank uses a validation system that measures how you type your password for an additional layer of security. My brother was in a situation where I needed to a
3 profiles for me please (Score:2)
If you pick up the mouse and speak into it (Score:2)
You must be Scotty.
passwords (Score:1)