Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Medicine Technology

Swallowing Your Password 118

HughPickens.com writes: Amir Mizroch reports at the WSJ that a PayPal executive who works with engineers and developers to find and test new technologies, says that embeddable, injectable, and ingestible devices are the next wave in identification for mobile payments and other sensitive online interactions. Jonathon Leblanc says that identification of people will shift from "antiquated" external body methods like fingerprints, toward internal body functions like heartbeat and vein recognition, where embedded and ingestible devices will allow "natural body identification." Ingestible devices could be powered by stomach acid, which will run their batteries and could detect glucose levels and other unique internal features can use a person's body as a way to identify them and beam that data out. Leblanc made his remarks during a presentation called Kill all Passwords that he's recently started giving at various tech conferences in the U.S. and Europe, arguing that technology has taken a huge leap forward to "true integration with the human body." But the idea has its skeptics. What could possibly go wrong with a little implanted device that reads your vein patterns or your heart's unique activity or blood glucose levels writes AJ Vicens? "Wouldn't an insurance company love to use that information to decide that you had one too many donuts—so it won't be covering that bypass surgery after all?"
This discussion has been archived. No new comments can be posted.

Swallowing Your Password

Comments Filter:
  • Silly (Score:5, Insightful)

    by Anrego ( 830717 ) * on Wednesday April 22, 2015 @05:12PM (#49532043)

    The problem with this, and biometrics in general, is that there is only one you.

    You can't revoke your "vein pattern" any more than you can revoke your fingerprint. Using your same biometric information for everything has the same pitfalls as using the same password for everything, and you are just one sketchy gas station away from someone getting a copy.

    If you are going to implant something, why not implant a challenge/response system with a public/private key and strong cryptography, like you know, we've been doing on the internet with a good amount of success. A random very large number is just as good as any biometric information, and at least you can change it.

    • Re:Silly (Score:5, Informative)

      by rubycodez ( 864176 ) on Wednesday April 22, 2015 @05:18PM (#49532097)

      great till the algorithm is cracked and everyone on earth needs a new implant in the next hour

      • by Anrego ( 830717 ) *

        Assuming it was based on current public key encryption, even if broken an attacker would still need to harvest private keys from users to make use of it. That's gonna require special equipment (portable reader of some kind) and time.

        Sure, damage would be done, but it wouldn't be the apocalypse. I suspect you'd see less impact than you do with current CC theft. AES being broken would be a far bigger deal on the internet where it would be much easier to apply the attack in a wide spread manner.

      • or back to the original idea:
        great until a biometric database is hacked and everyone on earth needs new veins/heart/some other internal organ in the next hour

      • How about instead of an implant, just put it into something the size of a credit card. And as a bonus, make it digestible too so it can be disposed of quickly when necessary. And then, for ease of use (to prevent key loggers and such), make it so that the only way to add new passwords is to physically input it into the device.

        Oh wait...

    • by ghjm ( 8918 )

      But in that case, what's the advantage of implanting it? I mean, other than thieves now wanting to cut out my spleen instead of just taking my wallet.

      • by Anrego ( 830717 ) *

        I can kinda see the appeal of an implanted device, but yeah, there's no reason such a system couldn't be a fob you carry around with you (or somewhat unfortunately more likely, baked into your phone).

      • But in that case, what's the advantage of implanting it?

        It gives the powerful yet another way to assert their dominance over the less so. And because the powerful are only so because of a system that backs their baseless claims of superiority, and can only continue as long as the powerless keep buying the lie, new ways to propagandize are always needed. All the little ritualistic humiliations society is so fond of, from drug tests to getting groped by the TSA, ultimately come down to the same message: "you

    • Re:Silly (Score:5, Insightful)

      by msauve ( 701917 ) on Wednesday April 22, 2015 @05:37PM (#49532245)
      And what happens when you die, and the executor of your estate can't get access to your records and accounts? Sure, there's legal authority, but good luck making things happen smoothly or timely.
      • Bigger issues (Score:2, Insightful)

        by s.petry ( 762400 )

        The biggest issue is that people taut these implanted devices as "safer" than any other alternative. Most of us here can see through the gag, but when they market to the masses will your great aunt have the same ability to know? Perhaps not.

        Most here know that "Strong" authentication requires at least 2 of 3 (something you know, something you are, something you have) and not just one of them. Security experts prefer the something you have over something you are, because we can control and monitor that th

    • I think the idea here is that the system would be two-part: challenge/response key, but with extra biodata, meaning it has to be activated by your particular stomach in order for the challenge to be accepted in the first place.

      However, there are all sorts of problems with that:
      1) Our bodies change over time.
      2) The information must be broadcast, at which point any receiver can grab that info (unless it's protected by ANOTHER c/r system)
      3) Spoofing this would be relatively easy with a replay attack.

      • by Anrego ( 830717 ) *

        meaning it has to be activated by your particular stomach in order for the challenge to be accepted in the first place

        As with DRM, if the thing that decides if you are valid can be in your hands (so to speak), you may as well assume it will be compromised.

        There's no way I can think of to pass on a piece of information describing yourself to another party without that party having to know that information already to validate it, and if they do, it can be stolen and replayed.

        • meaning it has to be activated by your particular stomach in order for the challenge to be accepted in the first place

          As with DRM, if the thing that decides if you are valid can be in your hands (so to speak), you may as well assume it will be compromised.

          There's no way I can think of to pass on a piece of information describing yourself to another party without that party having to know that information already to validate it, and if they do, it can be stolen and replayed.

          Precisely.

          • PKI means Person A can confirm Person B is confirmed without knowing Person B's secret.

            • by Anrego ( 830717 ) *

              Right, but there has to be a public key involved at some point.

              • So?

                In this scenario, you have a public key and a private key embedded, you identify yourself with the public key and the validating system encrypts something with that public key, then passes you the result which you can then decrypt only by using your private key.

                Ergo: "pass on a piece of information describing yourself to another party without that party having to know that information already to validate it" and also prohibiting the possibility of a replay.

                The key to PKI is that you can encrypt something

                • by Anrego ( 830717 ) *

                  Yes, but how do you validate that the public key I send you is actually my public key? You have to already have it or it has to be stores somewhere that the other party trusts, bringing us right back to our original problem.

                  PKI lets two parties communicate securely without having ever spoken, and it lets one party validate that something was actually sent by another party _if they have the other parties public key and can trust it_.

                  Biometrics doesn't add anything useful to this equation that I see. Sure you

                  • by Anrego ( 830717 ) *

                    And I'll add, if it's your idea to create an anonymous but secure connection using PKI to send your biometric identity, that's no better than a password. Infact, it's worse than a password, because (as was the original point), all it takes is your super secret biometric identity to be compromised once, at which point your screwed.

    • by Livius ( 318358 )

      If someone wants to steal my heartbeat, they will want my actual heart, which unfortunately I need to live.

  • by swamp boy ( 151038 ) on Wednesday April 22, 2015 @05:13PM (#49532051)

    Gives new meaning to "I can't find my password in all this shit"

    • Re: (Score:3, Funny)

      by Anonymous Coward

      This password scheme is hard to swallow, I think they should stick it up their asses.

  • by just swallowing this free, little pill.
  • by roc97007 ( 608802 ) on Wednesday April 22, 2015 @05:19PM (#49532107) Journal

    This has the same problem as any exclusively biometric technique -- the user can be compelled to give up their "password" merely by being physically present. "Something you have" can be taken, even if it's your still-living (for now) carcass. "Something you have" should always be supplemented with "something you know".

    The summary rightly brings up privacy concerns but I'd also be concerned about the security of the transmitted data. Like RFID, the information can easily be snooped, and would have to be appropriately encrypted to be useful as credentials.

  • or at least considering ID more like dogs. Really. I can just hear the 'mark of the beast' stuff out of the religious right heading this way. Biometrics have limits just like any other technology. I agree with what has been said in prior debates about this stuff. Perhaps the biometric data can be used as a public/private key system, with safeguards built into it, but changeable as needed to address advancements in hacking by individuals driven by greed, etc. This is the only deterrence we have left wh
  • Badguy 1: "We need his fingerprint to break in"
    Badguy 2: "Cut off his finger then!"

    Badguy 1: "We need his heartbeat to break in"
    Badguy 2: "Cut out his heart then! We've got a machine to keep it beating after removal."

  • Biometric honesty (Score:4, Interesting)

    by Tony Isaac ( 1301187 ) on Wednesday April 22, 2015 @05:25PM (#49532163) Homepage

    Biometrics are only good so long as the device that reads your pattern is "honest." If you have to inject a device to read your biometric patterns, you could just as easily inject a device that pretends to read your biometrics, but actually copies someone else's.

    • by rtb61 ( 674572 )

      Anything can be faked especially in the digital world. So before anybody does anything with secure access methods, first they need to assess the risk for the particular kind of access and the security required for it.

      Logically there are two greatest risk points and neither one has anything to do with internet access or money. False imprisonment, being identified as someone else or not yourself and being imprisoned for it, that access risk is handled in a full public court of review because the risk is ex

    • Re: (Score:3, Insightful)

      Biometrics are only good so long as the device that reads your pattern is "honest." If you have to inject a device to read your biometric patterns, you could just as easily inject a device that pretends to read your biometrics, but actually copies someone else's.

      Or vice versa: you could ingest a device that pretends to use your biometrics for security validation, but actually copies your biometrics and broadcasts for someone else to spoof or collect for various purposes not approved by you.

      "biometrics" are only metric at the point they're being read -- the resulting hashes etc. are by no means biometric, and are instead a static constant to be used/abused by whomever.

      • by Qzukk ( 229616 )

        you could ingest a device that pretends to use your biometrics for security validation

        Be sure to check your pill to see if there's a skimmer taped to it!

  • by citylivin ( 1250770 ) on Wednesday April 22, 2015 @05:25PM (#49532167)

    from demolition man???

    https://youtu.be/CbM--4-z0cs?t... [youtu.be]

  • At best stomach acid is the electrolyte.

    grumble grumble.

    • on the other hand, your stomach could be a good power source -- kinetic energy, electrolyte source, AND it keeps a steady temperature. I think your colon would be even better though :)

      • on the other hand, your stomach could be a good power source -- kinetic energy, electrolyte source, AND it keeps a steady temperature. I think your colon would be even better though :)

        YES! The colon produces methane which is a fuel and could be used in some kind of fuel cell, perhaps. It's a win-win: you'd fart less and not have to remember passwords!

        • on the other hand, your stomach could be a good power source -- kinetic energy, electrolyte source, AND it keeps a steady temperature. I think your colon would be even better though :)

          YES! The colon produces methane which is a fuel and could be used in some kind of fuel cell, perhaps. It's a win-win: you'd fart less and not have to remember passwords!

          ...and any time you needed a password for something, you could go with your gut!

          • ...and any time you needed a password for something, you could go with your gut!

            I tried putting in "yourgut!" for my most recent password, and it failed the security check for not having a capital letter or a number. What kind of lousy password suggestions are you peddling?!

            Instead, I went with "Yourgut1!" and now it tells me that it's Highly Secure.

            • Your mistake was in leaving out the " " :)

              I find that the more spaces you use, the more secure you feel. Increase your password security feelings with "Your &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp gut!"

  • "Wouldn't an insurance company love to use that information to decide that you had one too many donuts—so it won't be covering that bypass surgery after all?"

    Wouldn't that have to be spelled out in the policy wordings when the policy is taken out or renewed?

    • Not if there's a clause saying "We may vary these terms at any time we want".

      And usually there is.

      • That's not how insurance works, It's a contract signed by two parties. You can't change the content of a contract without agreement from both parties.
        They can cancel the policy, but not after a claim has been made without first completing the claim.

  • by Forever Wondering ( 2506940 ) on Wednesday April 22, 2015 @05:33PM (#49532221)

    The heart bypass operation must be covered under the ACA (aka Obamacare). Insurance companies can no longer discriminate based on pre-existing conditions and can no longer impose a lifetime coverage cap.

    That is not to say that the implant idea is a good one for a number of other reasons.

    • Often the things that are brought up are extremes, and ridiculous; but, as we start to accept that they're ridiculous, people start to creep on them. 50 years ago, people would scream bloody murder about the government tapping phone lines--they even impeached the President! Now, they shrug and talk about protecting us from terrorists with all this state surveillance, because the government would never do anything bad with all that information.
      • Re: Nixon. Remember the bumper sticker "Don't blame me--I'm from Massachusetts"? I'm still screaming bloody murder about current state surveillance. Some may be necessary, but the amount being done far exceeds what is needed.

        Also, 50 years ago, people were screaming about Medicare [with the same arguments about gov't takeover of healthcare]. Now, we recognize the comfort and safety net it has given our senior citizens to have good health care in their declining years when they need it the most.

  • And put it into a pipe. Unless it's really big and nasty, then the garbage collector has to dispose of it.

  • by labnet ( 457441 ) on Wednesday April 22, 2015 @05:42PM (#49532283)

    I know you young kids don't read the bible anymore, so let me quote something from Revelation for you.

    "Also it causes all, both small and great, both rich and poor, both free and slave, to be marked on the right hand or the forehead, so that no one can buy or sell unless he has the mark, that is, the name of the beast or the number of its name. This calls for wisdom: let the one who has understanding calculate the number of the beast, for it is the number of a man, and his number is 666."

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Some of us do, wiseass, and some of us, like me, know about a little thing called "gematria." In gematria, each letter of the alphabet (and this works for Hebrew AND Greek) has a certain numerical value. It JUST SO HAPPENS that 666 is, roughly, "Neron Qaisar," or Emperor Nero. Revelation is coded anti-Roman polemic.

      A better rendering of that is "Let him who hath wisdom reckon [that is, "count" or "sum"] the number of the Beast, for it is the number of a man, and his number is six-hundred-threescore-and-six.

    • I like the version that uses the archaic "reckon" instead of calculate.
  • How do you plan to make it secure? What would stop anyone from just reading the information off it? Can you even CHANGE the information on it? If yes, how do you prevent people from hacking it? How do you ensure it's not going to get lodged somewhere and become impossible to remove? Who will get to dictate the standards for how these things communicate? How do you revoke these things - that is, what happens if your internal information becomes public? Why are you measuring things that change with exercise

  • Many people don't have access to medical care now. What insurance company would pay for this? Their business model is to make money, not to care for patients.
  • So, how exactly do they propose to recover from a compromise of these kinds of systems where it's impossible to change the authentication data? And these systems will be compromised, history has taught us that. At least with a password or a certificate carried in a two-factor dongle I can change/reissue it and what the crooks have is no longer valid. I don't like systems whose failure mode in the event of a compromise is catastrophic.

    • But they are so coooool. And that super secure lab that professor had in that science fiction movie I saw, had this tooo.

  • Is the NHS. Universal heathcare is far from perfect, but it's also just the right thing to have in a first-world economy. Then you stay healthy for the right reasons, not because your insurer will abuse information about you.

  • by idji ( 984038 ) on Wednesday April 22, 2015 @06:01PM (#49532433)
    She just grabs it from the table and slowly creeps up behind me and pushes it gently onto my thumb, and then runs away with an unlocked phone when i notice it...
    The value of a password is that it is locked away in MY BRAIN until I choose to use it. These are not passwords, and neither is the button on an iPhone.
  • Good thing for the ACA that bands insurance company from doing stuff like. But guess what GOP letting the ER or even the jail / prison take up the slack when you get rid of the ACA will cost more then medicare / medicaid for all.

  • * If there is some allergic reactions workers comp may have to fit the bill to deal with it. Also the injury lawyers may also sue on half of the victim as well.
    * religious rights lawsuits over this Mark of the beast / Shabbat? / others
    * ownership issues?
    * Who pays the costs

  • Comment removed based on user account deletion
  • What if I left my body at home?
    • by GuB-42 ( 2483988 )

      What if I left my body at home?

      I would probably mean that the "device" you swallowed is full of ketamine or something.

  • "I'm sorry, ossifer. But my car's transponder is powered by ethanol."

  • This will result in unique identification of people. It is not for passwords, it is for identifying.
  • http://blog.dustinkirkland.com... [dustinkirkland.com]

    For authentication, you need a password or passphrase. Something that can be independently chosen, changed, and rotated.

  • by koan ( 80826 )

            with the mark of the Antichrist needed to buy or sell.

    Now I ask you, in this day of surveillance, digital money and computerized oppression does that really seem all that far fetched?

    • Not particularly. It's been tried throughout history; I don't see why they couldn't do it, again. Question is, who gets the short stick this time?

  • Now determined hackers will literally spill your guts to get what they want.

  • So let's everyone swallow a chip that constantly identifies them! That's how we can get those dirty stealing bastards!
  • E, you're embeddable
    I, you're injectable
    M, you're a meatbag full of tech

  • Better to live in a country, where you don't need health insurance to get treated.
  • the automotive related intertubes discuss a new method of auto thefts which hypothetically involves using some sort of RF amp or repeater or such to amplify the signal from your key fob in your house to make your car think you're standing waiting to get in, for those cars which are nice enough to automatically unlock when you approach without buttons to push.

Genius is ten percent inspiration and fifty percent capital gains.

Working...