Swallowing Your Password 118
HughPickens.com writes: Amir Mizroch reports at the WSJ that a PayPal executive who works with engineers and developers to find and test new technologies, says that embeddable, injectable, and ingestible devices are the next wave in identification for mobile payments and other sensitive online interactions. Jonathon Leblanc says that identification of people will shift from "antiquated" external body methods like fingerprints, toward internal body functions like heartbeat and vein recognition, where embedded and ingestible devices will allow "natural body identification." Ingestible devices could be powered by stomach acid, which will run their batteries and could detect glucose levels and other unique internal features can use a person's body as a way to identify them and beam that data out. Leblanc made his remarks during a presentation called Kill all Passwords that he's recently started giving at various tech conferences in the U.S. and Europe, arguing that technology has taken a huge leap forward to "true integration with the human body." But the idea has its skeptics. What could possibly go wrong with a little implanted device that reads your vein patterns or your heart's unique activity or blood glucose levels writes AJ Vicens? "Wouldn't an insurance company love to use that information to decide that you had one too many donuts—so it won't be covering that bypass surgery after all?"
Re:Probably not the approach I'd have taken (Score:5, Funny)
When I shit the thing out, do I have to eat it again?
Re: (Score:2)
I believe the idea is that they are 'single-use' devices, so...you get to keep buying new ones for the rest of your life, otherwise you are locked out of everything.
Now there's incentive...do you buy groceries and eat outside, or buy a new password and go hungry. Or dig through your shit and be disgusted.
And they'll make sure it corrodes from acid in your digestive tract so you can't fully 'reuse' it...
Re: (Score:2)
Is that considered a "password leak"?
Re: (Score:2)
I'm guessing that ten minutes after this is possible, it will be mandatory.
You might not get a choice. Especially if you get arrested.
Silly (Score:5, Insightful)
The problem with this, and biometrics in general, is that there is only one you.
You can't revoke your "vein pattern" any more than you can revoke your fingerprint. Using your same biometric information for everything has the same pitfalls as using the same password for everything, and you are just one sketchy gas station away from someone getting a copy.
If you are going to implant something, why not implant a challenge/response system with a public/private key and strong cryptography, like you know, we've been doing on the internet with a good amount of success. A random very large number is just as good as any biometric information, and at least you can change it.
Re:Silly (Score:5, Informative)
great till the algorithm is cracked and everyone on earth needs a new implant in the next hour
Re: (Score:2)
Assuming it was based on current public key encryption, even if broken an attacker would still need to harvest private keys from users to make use of it. That's gonna require special equipment (portable reader of some kind) and time.
Sure, damage would be done, but it wouldn't be the apocalypse. I suspect you'd see less impact than you do with current CC theft. AES being broken would be a far bigger deal on the internet where it would be much easier to apply the attack in a wide spread manner.
Re: (Score:2)
or back to the original idea:
great until a biometric database is hacked and everyone on earth needs new veins/heart/some other internal organ in the next hour
Re: (Score:2)
How about instead of an implant, just put it into something the size of a credit card. And as a bonus, make it digestible too so it can be disposed of quickly when necessary. And then, for ease of use (to prevent key loggers and such), make it so that the only way to add new passwords is to physically input it into the device.
Oh wait...
Re: (Score:2)
I feel like this is a reference I should recognize but I don't. Anyone care to enlighten me?
Re: (Score:3)
But in that case, what's the advantage of implanting it? I mean, other than thieves now wanting to cut out my spleen instead of just taking my wallet.
Re: (Score:2)
I can kinda see the appeal of an implanted device, but yeah, there's no reason such a system couldn't be a fob you carry around with you (or somewhat unfortunately more likely, baked into your phone).
Re: (Score:2)
It gives the powerful yet another way to assert their dominance over the less so. And because the powerful are only so because of a system that backs their baseless claims of superiority, and can only continue as long as the powerless keep buying the lie, new ways to propagandize are always needed. All the little ritualistic humiliations society is so fond of, from drug tests to getting groped by the TSA, ultimately come down to the same message: "you
Re:Silly (Score:5, Insightful)
Bigger issues (Score:2, Insightful)
The biggest issue is that people taut these implanted devices as "safer" than any other alternative. Most of us here can see through the gag, but when they market to the masses will your great aunt have the same ability to know? Perhaps not.
Most here know that "Strong" authentication requires at least 2 of 3 (something you know, something you are, something you have) and not just one of them. Security experts prefer the something you have over something you are, because we can control and monitor that th
Re: (Score:3)
... people taut these implanted devices ...
Taut means under tension. Tout means to attempt to sell.
Re: (Score:1)
Re: (Score:1)
I think the idea here is that the system would be two-part: challenge/response key, but with extra biodata, meaning it has to be activated by your particular stomach in order for the challenge to be accepted in the first place.
However, there are all sorts of problems with that:
1) Our bodies change over time.
2) The information must be broadcast, at which point any receiver can grab that info (unless it's protected by ANOTHER c/r system)
3) Spoofing this would be relatively easy with a replay attack.
Re: (Score:2)
meaning it has to be activated by your particular stomach in order for the challenge to be accepted in the first place
As with DRM, if the thing that decides if you are valid can be in your hands (so to speak), you may as well assume it will be compromised.
There's no way I can think of to pass on a piece of information describing yourself to another party without that party having to know that information already to validate it, and if they do, it can be stolen and replayed.
Re: (Score:1)
meaning it has to be activated by your particular stomach in order for the challenge to be accepted in the first place
As with DRM, if the thing that decides if you are valid can be in your hands (so to speak), you may as well assume it will be compromised.
There's no way I can think of to pass on a piece of information describing yourself to another party without that party having to know that information already to validate it, and if they do, it can be stolen and replayed.
Precisely.
Re: (Score:2)
PKI means Person A can confirm Person B is confirmed without knowing Person B's secret.
Re: (Score:2)
Right, but there has to be a public key involved at some point.
Re: (Score:2)
So?
In this scenario, you have a public key and a private key embedded, you identify yourself with the public key and the validating system encrypts something with that public key, then passes you the result which you can then decrypt only by using your private key.
Ergo: "pass on a piece of information describing yourself to another party without that party having to know that information already to validate it" and also prohibiting the possibility of a replay.
The key to PKI is that you can encrypt something
Re: (Score:2)
Yes, but how do you validate that the public key I send you is actually my public key? You have to already have it or it has to be stores somewhere that the other party trusts, bringing us right back to our original problem.
PKI lets two parties communicate securely without having ever spoken, and it lets one party validate that something was actually sent by another party _if they have the other parties public key and can trust it_.
Biometrics doesn't add anything useful to this equation that I see. Sure you
Re: (Score:2)
And I'll add, if it's your idea to create an anonymous but secure connection using PKI to send your biometric identity, that's no better than a password. Infact, it's worse than a password, because (as was the original point), all it takes is your super secret biometric identity to be compromised once, at which point your screwed.
Re: (Score:2)
Sure, but how do they apply to confirming an identity and not a capability.
Maybe I'm too thick to get it, but I can't see how say, a bank, can validate that you are who you say you are without at least knowing _something_ about you that you can than verify through whatever means.
Re: (Score:2)
Identity is a capability. What do you ask someone to do? Identify themselves. How do they do it? By providing a piece of information you know to be known to them, either by fact of being born attached to it, or by fact of regurgitating it somehow.
All the bank needs is assurance that you're the only one likely to possess it, short of dedicated efforts to illicitly acquire it. Assurance is not a black and white thing, settled once and for all; it's a bar you have to jump over. That's the whole idea of securit
Re: (Score:2)
If someone wants to steal my heartbeat, they will want my actual heart, which unfortunately I need to live.
Re: (Score:2)
Re: (Score:3)
Or someone gets out a tape recorder and records your heartbeat.
Gives new meaning (Score:5, Funny)
Gives new meaning to "I can't find my password in all this shit"
Re: (Score:3, Funny)
This password scheme is hard to swallow, I think they should stick it up their asses.
20% discount on your insurance (Score:2)
Not allowed under the ACA smokeing is the only (Score:2)
Not allowed under the ACA smokeing is the only thing they can bill you more for.
Re: (Score:2)
I'd double check this. Under the ACA, premiums are set based upon your age and your "zone" [effectively, your zip code].
Re: (Score:2)
by just swallowing this free, little pill.
As my Canadian acquaintance Stu once said..."Fuck off, please."
same problem as with any biometrics (Score:4, Insightful)
This has the same problem as any exclusively biometric technique -- the user can be compelled to give up their "password" merely by being physically present. "Something you have" can be taken, even if it's your still-living (for now) carcass. "Something you have" should always be supplemented with "something you know".
The summary rightly brings up privacy concerns but I'd also be concerned about the security of the transmitted data. Like RFID, the information can easily be snooped, and would have to be appropriately encrypted to be useful as credentials.
Re: (Score:2)
That "Something you know"-part can be extracted quite easily. How much do you like having all your teeth, fingers & toes attached?
Well yes, I think I would like to keep all my appendages. (Cue OB XKCD, where a $7 crowbar is more effective than a $100M password cracking array.) I have thought about this, and I think it can be solved by having two accounts -- your "real" account, and a "hostage" account, which looks a lot like your "real" account (kinda like keeping two sets of books) and takes the same biometrics, but upon providing a slightly different "something you know", raises (silent) alarms everywhere it would be appropriate t
Re: (Score:2)
That's it. It's been awhile, but I think I got the gist right, even though the details were off.
oh dear, we're going to the dogs (Score:1)
Uh oh (Score:2)
Badguy 1: "We need his fingerprint to break in"
Badguy 2: "Cut off his finger then!"
Badguy 1: "We need his heartbeat to break in"
Badguy 2: "Cut out his heart then! We've got a machine to keep it beating after removal."
Biometric honesty (Score:4, Interesting)
Biometrics are only good so long as the device that reads your pattern is "honest." If you have to inject a device to read your biometric patterns, you could just as easily inject a device that pretends to read your biometrics, but actually copies someone else's.
Re: (Score:2)
Anything can be faked especially in the digital world. So before anybody does anything with secure access methods, first they need to assess the risk for the particular kind of access and the security required for it.
Logically there are two greatest risk points and neither one has anything to do with internet access or money. False imprisonment, being identified as someone else or not yourself and being imprisoned for it, that access risk is handled in a full public court of review because the risk is ex
Re: (Score:3, Insightful)
Biometrics are only good so long as the device that reads your pattern is "honest." If you have to inject a device to read your biometric patterns, you could just as easily inject a device that pretends to read your biometrics, but actually copies someone else's.
Or vice versa: you could ingest a device that pretends to use your biometrics for security validation, but actually copies your biometrics and broadcasts for someone else to spoof or collect for various purposes not approved by you.
"biometrics" are only metric at the point they're being read -- the resulting hashes etc. are by no means biometric, and are instead a static constant to be used/abused by whomever.
Re: (Score:2)
you could ingest a device that pretends to use your biometrics for security validation
Be sure to check your pill to see if there's a skimmer taped to it!
Re: (Score:2)
Better open it up. They might have used a Russian nesting skimmer.
Have we learned nothing (Score:3)
from demolition man???
https://youtu.be/CbM--4-z0cs?t... [youtu.be]
Re: (Score:1)
Or Saw...
Acid is not a power source. (Score:2)
At best stomach acid is the electrolyte.
grumble grumble.
Re: (Score:1)
on the other hand, your stomach could be a good power source -- kinetic energy, electrolyte source, AND it keeps a steady temperature. I think your colon would be even better though :)
Re: (Score:2)
on the other hand, your stomach could be a good power source -- kinetic energy, electrolyte source, AND it keeps a steady temperature. I think your colon would be even better though :)
YES! The colon produces methane which is a fuel and could be used in some kind of fuel cell, perhaps. It's a win-win: you'd fart less and not have to remember passwords!
Re: (Score:2)
on the other hand, your stomach could be a good power source -- kinetic energy, electrolyte source, AND it keeps a steady temperature. I think your colon would be even better though :)
YES! The colon produces methane which is a fuel and could be used in some kind of fuel cell, perhaps. It's a win-win: you'd fart less and not have to remember passwords!
...and any time you needed a password for something, you could go with your gut!
Re: (Score:2)
...and any time you needed a password for something, you could go with your gut!
I tried putting in "yourgut!" for my most recent password, and it failed the security check for not having a capital letter or a number. What kind of lousy password suggestions are you peddling?!
Instead, I went with "Yourgut1!" and now it tells me that it's Highly Secure.
Re: (Score:1)
Your mistake was in leaving out the " " :)
I find that the more spaces you use, the more secure you feel. Increase your password security feelings with "Your        gut!"
Why is it always about health insurance? (Score:2)
"Wouldn't an insurance company love to use that information to decide that you had one too many donuts—so it won't be covering that bypass surgery after all?"
Wouldn't that have to be spelled out in the policy wordings when the policy is taken out or renewed?
Re: (Score:2)
Not if there's a clause saying "We may vary these terms at any time we want".
And usually there is.
Re: (Score:2)
That's not how insurance works, It's a contract signed by two parties. You can't change the content of a contract without agreement from both parties.
They can cancel the policy, but not after a claim has been made without first completing the claim.
bypass operation must be covered under ACA (Score:4, Insightful)
The heart bypass operation must be covered under the ACA (aka Obamacare). Insurance companies can no longer discriminate based on pre-existing conditions and can no longer impose a lifetime coverage cap.
That is not to say that the implant idea is a good one for a number of other reasons.
Re: (Score:2)
Re: (Score:2)
Re: Nixon. Remember the bumper sticker "Don't blame me--I'm from Massachusetts"? I'm still screaming bloody murder about current state surveillance. Some may be necessary, but the amount being done far exceeds what is needed.
Also, 50 years ago, people were screaming about Medicare [with the same arguments about gov't takeover of healthcare]. Now, we recognize the comfort and safety net it has given our senior citizens to have good health care in their declining years when they need it the most.
Re: (Score:2)
Take a dump of your password (Score:2)
And put it into a pipe. Unless it's really big and nasty, then the garbage collector has to dispose of it.
Nope.. Hand or Forehead .. (Score:3)
I know you young kids don't read the bible anymore, so let me quote something from Revelation for you.
"Also it causes all, both small and great, both rich and poor, both free and slave, to be marked on the right hand or the forehead, so that no one can buy or sell unless he has the mark, that is, the name of the beast or the number of its name. This calls for wisdom: let the one who has understanding calculate the number of the beast, for it is the number of a man, and his number is 666."
Re: (Score:2, Informative)
Some of us do, wiseass, and some of us, like me, know about a little thing called "gematria." In gematria, each letter of the alphabet (and this works for Hebrew AND Greek) has a certain numerical value. It JUST SO HAPPENS that 666 is, roughly, "Neron Qaisar," or Emperor Nero. Revelation is coded anti-Roman polemic.
A better rendering of that is "Let him who hath wisdom reckon [that is, "count" or "sum"] the number of the Beast, for it is the number of a man, and his number is six-hundred-threescore-and-six.
Re: (Score:2)
The invevitable problem with this... (Score:2)
How do you plan to make it secure? What would stop anyone from just reading the information off it? Can you even CHANGE the information on it? If yes, how do you prevent people from hacking it? How do you ensure it's not going to get lodged somewhere and become impossible to remove? Who will get to dictate the standards for how these things communicate? How do you revoke these things - that is, what happens if your internal information becomes public? Why are you measuring things that change with exercise
It Will Never Happen (Score:1)
Inevitable compromise (Score:2)
So, how exactly do they propose to recover from a compromise of these kinds of systems where it's impossible to change the authentication data? And these systems will be compromised, history has taught us that. At least with a password or a certificate carried in a two-factor dongle I can change/reissue it and what the crooks have is no longer valid. I don't like systems whose failure mode in the event of a compromise is catastrophic.
Re: (Score:2)
But they are so coooool. And that super secure lab that professor had in that science fiction movie I saw, had this tooo.
What the author needs... (Score:1)
Is the NHS. Universal heathcare is far from perfect, but it's also just the right thing to have in a first-world economy. Then you stay healthy for the right reasons, not because your insurer will abuse information about you.
When my daughter wants to get into my iPhone... (Score:5, Interesting)
The value of a password is that it is locked away in MY BRAIN until I choose to use it. These are not passwords, and neither is the button on an iPhone.
Re: (Score:2)
Good thing for the ACA that band insurance compan (Score:2)
Good thing for the ACA that bands insurance company from doing stuff like. But guess what GOP letting the ER or even the jail / prison take up the slack when you get rid of the ACA will cost more then medicare / medicaid for all.
I see a few lawsutes if some where to force this? (Score:2)
* If there is some allergic reactions workers comp may have to fit the bill to deal with it. Also the injury lawyers may also sue on half of the victim as well.
* religious rights lawsuits over this Mark of the beast / Shabbat? / others
* ownership issues?
* Who pays the costs
Re: (Score:1)
The old biometrics caveat still applies... (Score:2)
Re: (Score:2)
What if I left my body at home?
I would probably mean that the "device" you swallowed is full of ketamine or something.
Keyless Ignition (Score:2)
"I'm sorry, ossifer. But my car's transponder is powered by ethanol."
Identification, not password (Score:2)
Biometrics are the username NOT the password (Score:2)
For authentication, you need a password or passphrase. Something that can be independently chosen, changed, and rotated.
Wheee (Score:1)
with the mark of the Antichrist needed to buy or sell.
Now I ask you, in this day of surveillance, digital money and computerized oppression does that really seem all that far fetched?
Re: (Score:2)
Not particularly. It's been tried throughout history; I don't see why they couldn't do it, again. Question is, who gets the short stick this time?
Re: (Score:1)
Everyone but the robots.
Just Great (Score:2)
Now determined hackers will literally spill your guts to get what they want.
IP Address Person... so... (Score:2)
I feel a song coming on (Score:2)
E, you're embeddable
I, you're injectable
M, you're a meatbag full of tech
Health insurance, what's that? (Score:1)
and on another note (Score:1)