by Glyn Moody


Filed Under:
fingerprints, photographs, privacy



Why Making A Peace Sign In Public Is Now A Security Risk

from the and-not-just-for-political-reasons dept

The British have a number of traditions. Some, such as drinking tea, are famous around the world. Less well-known is a habit of revealing highly-confidential information by carrying pieces of paper in public that photographers using long-focus lenses are able to snap and then magnify to read. The Guardian wrote an entire article on the subject, detailing how numerous embarrassing leaks occurred in the UK because people forgot to put the documents they were holding in some kind of opaque folder. On one occasion, an anti-terror operation had to be brought forward when Britain's most senior counterterrorism officer walked around with top secret documents on display -- a blunder that cost him his job.

This mistake is so common that there are notices by the door of the UK Prime Minister's residence at Number 10 Downing Street reminding people not to walk out with confidential material that is exposed. The fact that there is a photographer with a long-focus lens who hangs around outside No 10 in the hope that they do precisely that shows how often they ignore this warning.

Although the Brits have practically turned this activity into another weird sport alongside cricket, it's not unknown in the US. For example, the following happened at the end of November last year:

> Potential Donald Trump cabinet pick Kris Kobach accidentally leaked Department of Homeland Security plans when posing for a press photograph with the president-elect. Using photo editing tools, a zoomed-in view on the documents being carried by Kansas Secretary of State Kris Kobach reveals a plan to put Trump’s hard-line immigration platform into practice.

Aside from the carelessness of the people involved, the problem has arisen because long-focus lenses are now so powerful and commonly-deployed that it is relatively easy to capture a high-quality image of an exposed document so that its contents can be read. That's a problem that will only get worse as camera technology advances, especially combined with digital enhancement techniques. If this story on the BBC's website is to be believed, it's not just documents that are now at risk as a result:

> A Japanese researcher says doing the peace sign in a photo could lead to your fingerprints being stolen.
>
> They might be easy to recreate if your digits are "in focus with strong lighting".
>
> That claim is from Isao Echizen, from the National Institute of Informatics (NII), who says prints could then be made "widely available".

That's clearly a big problem at a time when fingerprints are increasingly being used to unlock digital devices, and to provide access to sensitive data. The British experience shows it's hard enough to shield confidential papers; keeping fingerprints out of high-resolution photos seems like an impossible task.


Reader Comments


  • pegr, 24 Jan 2017 @ 11:50am

    Biometrics

    Biometrics are usernames, not passwords.

    • Anonymous Coward, 24 Jan 2017 @ 11:57am

      Re: Biometrics

      They don't get it, and they never will!

    • Roger Strong, 24 Jan 2017 @ 12:37pm

      Re: Biometrics

      Yup. In an ideal world biometrics are unique IDs, but they're not secrets.

      • Anonymous Coward, 24 Jan 2017 @ 1:20pm

        Re: Re: Biometrics

        Biometrics are perfect, unique and very hard to completely replicate. The way they are measured is very far from perfect...

        • Anonymous Coward, 24 Jan 2017 @ 1:25pm

          Re: Re: Re: Biometrics

          > Biometrics are perfect, unique and very hard to completely replicate.

          Did you read nothing above? Or do you have an investment in a biometrics company?

          • Cdaragorn, 24 Jan 2017 @ 1:31pm

            Re: Re: Re: Re: Biometrics

            False, false, and soooooo false. It's these very wrong beliefs about them that are creating a widespread security problem.

            They are not perfect. In fact, it's common for them to even change over time.

            Even if you did have a perfect capture of whatever biometric you're using, which actually rarely happens, the idea that they are unique has never been tested or proven true. It's just always been assumed, and security is not a place we should be assuming anything.

            They are ridiculously easy to replicate. I can most likely replicate at least one of your fingerprints just testing your outside doors and car doors.

          • Anonymous Coward, 25 Jan 2017 @ 1:22am

            Re: Re: Re: Re: Biometrics

            Biometrics are perfect, unique and very hard to completely replicate. That depends on the chosen biometric, and also the precision of the measuring sensor. A fake only has to fool a sensor and not a human.

    • Lawrence D’Oliveiro, 24 Jan 2017 @ 5:37pm

      Re: Biometrics are usernames, not passwords.

      Unfortunately, no. Usernames are not confidential information, so there is no point in using biometrics for them.

      A username is who you claim to be. But anybody can make that claim. You then have to accompany that claim with some kind of authentication protocol, to prove your claim. Which is where authentication comes in.

      As Bruce Schneier has pointed out, there are three categories of ways to provide such authentication factors:

      • Something you know (a password)
      • Something you have (a physical key-type object, or other object that is easy to keep with you, such as a mobile phone)
      • Something you are (biometrics).

      What’s called “two-factor” authentication means using factors from two different categories.

      • Anonymous Coward, 24 Jan 2017 @ 7:01pm

        Re: Re: Biometrics are usernames, not passwords.

        Due to recent rulings, a fingerprint is a bad authenticator. You may be forced to give that up in court. A password and token are a lot harder to force out of me.
        http://arstechnica.com/tech-policy/2017/01/court-rules-against-man-who-was-forced-to-fingerprint-unlock-his-phone/

      • Cdaragorn, 30 Jan 2017 @ 9:03am

        Re: Re: Biometrics are usernames, not passwords.

        The fact that usernames are not confidential is irrelevant. Neither are biometrics.

        A username is meant to identify a user. That's exactly what biometrics are meant to do. Believing that a biometric is confidential is just inviting yourself to get hacked.

        The problem I have with the push for biometrics today is that too much of the information people are basing their opinions on is assumption, not proven fact. The biggest two being that biometrics are unique to a single person (never proven true), and that they cannot be easily copied (proven false).

      • Anonymous Cowherd, 30 Jan 2017 @ 9:57am

        Re: Re: Biometrics are usernames, not passwords.

        That's only true if the authenticator has physical access to the person being authenticated. To physically verify the person is actually using a key or biometrics, not just transmitting the right data to pretend to do so.

        Remotely, all authentication factors are just information. Something you know.

  • OldMugwump, 24 Jan 2017 @ 11:52am

    Time to stop using fingerprints for authentication, then

    Every technology has its day.

    If fingerprints can be read at a distance, they're no longer useful for authentication.

    So, stop using them. We have plenty of better options anyway.

    • Roger Strong, 24 Jan 2017 @ 12:15pm

      Re: Time to stop using fingerprints for authentication, then

      Yup; Nippleprints. Most people keep those covered, so they should be secure. And we can reuse the same infrastructure - readers built into laptops and phones. The icons may have to change.

      BTW, people's lips match their nipple color. Good luck trying to look anyone in the face for the rest of today.

      Ask me about two-factor authentication!

      • Anonymous Coward, 24 Jan 2017 @ 12:34pm

        Re: Re: Time to stop using fingerprints for authentication, then

        most people's lips... good to know

      • I.T. Guy, 24 Jan 2017 @ 12:38pm

        Re: Re: Time to stop using fingerprints for authentication, then

        I'll bite. What about two-factor auth?

      • Roger Strong, 24 Jan 2017 @ 12:44pm

        Re: Re: Time to stop using fingerprints for authentication, then

        Disregard. I forgot something:

        A couple years ago I was ordered to make the UI for our new online shopping cart as intuitive as possible. Quick research revealed that "the only truly intuitive user interface is the nipple."

        I'm no longer allowed to discuss innovative nipple-based technology.

        • Anonymous Coward, 24 Jan 2017 @ 1:23pm

          Re: Re: Re: Time to stop using fingerprints for authentication, then

          Sorry, but using both nipples is not "two-factor authentication".

          • Lawrence D’Oliveiro, 24 Jan 2017 @ 5:38pm

            Re: Sorry, but using both nipples is not "two-factor authentication".

            I misheard that as “tooth-factor authentication”.

            Ouch...

        • Eldakka, 24 Jan 2017 @ 6:31pm

          Re: Re: Re: Time to stop using fingerprints for authentication, then

          I don't know about 'only', I can think of one other that's pretty intuitive...

      • Eldakka, 24 Jan 2017 @ 6:34pm

        Re: Re: Time to stop using fingerprints for authentication, then

        Since most people whose nipples I'm interested in tend to wear lipstick, I don't think that helps much.

        Well, not unless they also apply it to their nipples as well!

    • Anonymous Coward, 24 Jan 2017 @ 12:16pm

      Re: Time to stop using fingerprints for authentication, then

      "We have plenty of better options anyway."

      Such as?

      • Cdaragorn, 24 Jan 2017 @ 1:35pm

        Re: Re: Time to stop using fingerprints for authentication, then

        Despite their weaknesses, passwords are much better than any biometric.

        If for no other reason the fact that I can change a password when it gets compromised or whenever I choose makes them better. Good luck finding a new biometric after someone gets all your fingerprints.

        • JoeCool, 24 Jan 2017 @ 2:15pm

          Re: Re: Re: Time to stop using fingerprints for authentication, then

          That's easy! Just use a knife to make your fingerprints unique again! ;)

        • R.H., 25 Jan 2017 @ 7:34am

          Re: Re: Re: Time to stop using fingerprints for authentication, then

          I had a shop accident a few years ago and one of my fingerprints has been permanently changed so, it does happen. Fortunately, I had more than one finger recorded for my laptop's fingerprint reader (and I still knew my password even if I lost all 10).

  • Anonymous Coward, 24 Jan 2017 @ 12:27pm

    Other ways

    Fingerprints can also be lifted and copied from objects touched. Doorknobs, beverage containers, etc. Not only that, but DNA can also be lifted and copied from various objects.

    • Roger Strong, 24 Jan 2017 @ 12:35pm

      Re: Other ways

      Years ago German Interior Minister Wolfgang Schauble was pushing for biometric identity cards. So Chaos Computer Club hackers lifted his fingerprints off a glass and published 10,000 copies of them on acetate (suitable for leaving fingerprints) as a magazine insert.

      Then in 2014 they obtained the fingerprints of German defence minister Ursula von der Leyen, this time from photographs including one gleaned from a press release issued by her own office.

  • Anonymous Coward, 24 Jan 2017 @ 12:32pm

    I was relieved to learn that the security risk described was not what I initially feared when I read the headline.

    • Anonymous Coward, 24 Jan 2017 @ 1:19pm

      Re:

      Same here. I read the article expecting to get to a block about how some enterprising surveillance company had decided to add "Makes peace sign in public" as a classifier for adding people to some secret terrorist list. Fingerprint theft is a recurring problem. This is an interesting new take on it, but it's not the instantly and broadly applicable problem that an overzealous surveillance state is.

  • Anonymous Coward, 24 Jan 2017 @ 12:39pm

    We need not worry about our prints in the US. The DMV already has them ready to be 'lifted'.

  • Christenson, 24 Jan 2017 @ 1:10pm

    White Gloves

    So *this* is why I need to wear formal white cotton gloves!

    Just like Charlie Chaplin!

  • Anonymous Coward, 24 Jan 2017 @ 1:40pm

    I read an article a few days ago that said that facial recognition is actually the safest publicly available method for authentication.
    They held it up against passwords, pass phrases, fingerprint and iris scans. Incredibly enough they found that Windows Hello was the hardest to fool when they couldn't even use an identical twin to access someone's computer.
    It does have its troubles though... gain or lose weight, grow a beard, get a too obvious piercing, or get an injury and you would be locked out. This leads back to a secondary method of gaining access which is then dependent on one of the less safe methods.
    It does provide a somewhat good security though, as faces are hard to copy when a cutout won't work. Iris and fingerprints are just too simple to be effective.

    • Anonymous Coward, 24 Jan 2017 @ 2:46pm

      Re:

      > I read an article a few days ago that said that facial recognition is actually the safest publicly available method for authentication.

      Link?

    • Eldakka, 24 Jan 2017 @ 6:47pm

      Re:

      Well, then we'll have to worry about people cutting our heads off (instead of just a finger or an eye) to be able to use to bypass security!

      What about a professionally made latex cast of a face? the sort special effects artists or wax museums make?

      • OGquaker, 25 Jan 2017 @ 12:42am

        Re: Re: diversion

        I donated my machine shop to Makeup & Effects Laboratories years ago, and got a door key for 20 years. They were making latex faces for this government back then.
        P.S. When I was giving pre-induction physicals for the Armed Forces Entrance & Examination Station, three or more nipples were seen almost every day... And, we resold your piss test for $75 a barrel.

      • Anonymous Coward, 25 Jan 2017 @ 5:55am

        Re: Re:

        > What about a professionally made latex cast of a face? the sort special effects artists or wax museums make?

        Or even just a photo.

        • R.H., 25 Jan 2017 @ 7:51am

          Re: Re: Re:

          Even Windows Hello requires cameras that also see in IR so that fake faces (non-living ones) don't work and that's in consumer level equipment now. Anything that really needs to be secured should be using even better equipment than that.

  • Anonymous Coward, 24 Jan 2017 @ 3:26pm

    I am appalled, Glyn Moody

    I am appalled at your disgusting attitude shown in

    > Although the Brits have practically turned this activity into another weird sport alongside cricket,

    Cricket is the sublime, superior sport played all over the world. In backyards, on ovals, at the beach, nothing could be finer and more civilised than playing a game of cricket.

    To denigrate this game in the way that you have, has completely diminished anything that your article might have provided.

    You need to change your attitude to this most wonderful of sports.

    • Anonymous Coward, 25 Jan 2017 @ 5:00am

      Re: I am appalled, Glyn Moody

      Test match cricket is probably the most boring of all sports.

      • Anonymous Coward, 25 Jan 2017 @ 11:46pm

        Re: Re: I am appalled, Glyn Moody

        No, the most boring sport is that American version of Rugby League called Gridiron, nothing ever happens in that. It's like watching Days of Our Lives, you see two episodes 20 years apart and you have caught up on the entire 20 years.

  • Anonymous Coward, 24 Jan 2017 @ 3:30pm

    It's not just because of the long lens

    Just to add, the long lenses are not the sole or even main reason this can be done. They have been around for decades. It is more due to the high resolution sensors we have today. The resolving power is amazing.

  • Jeffrey Nonken, 24 Jan 2017 @ 4:43pm

    Recently upgraded from my old Galaxy S4 to a Nexus 5X, and I'm pretty happy with it. It's got a cool fingerprint reader on the back. It even works, I've tested it.

    ...And immediately turned on the pattern lock. I can change the pattern, or a PIN. I can't change my fingerprints.

    • Roger Strong, 24 Jan 2017 @ 5:22pm

      Re:

      Also police and border guards can't legally compel you to hand over your password. They ARE however allowed to force your finger onto the reader.

      • Eldakka, 24 Jan 2017 @ 6:52pm

        Re: Re:

        > Also police and border guards can't legally compel you to hand over your password.

        Jurisdiction dependent. Some countries have legislation that can be used to compel providing passwords/cryptographic keys.

  • Coyne Tibbets, 24 Jan 2017 @ 5:24pm

    Upcoming government solution

    Registration for hi-res cameras and lenses; and background checks.

    Surprised no one in here thought of this. You can bet it's occurred to government bozos.

    • OGquaker, 25 Jan 2017 @ 1:17am

      Re: Upcoming government solution

      I've got a 41 megapixel camera on my 2012 cell phone,
      and a Canon Cine-35 45-200mm 1:2.8 zoom, six pounds and $20k from 1980.
      Way too late.

  • Wheee, The Peeps, 25 Jan 2017 @ 12:25am

    Take me wife. please

    There are some of us who allow anyone to use our cars, computers, etc., freely, as a matter of life style choice.

    The established paranoids cannot abide such choices and personal responsibility.

    So be it. Paranoids can choose to be crazy, as a personal life style. Just do not include your unwilling neighbors.

  • ANON, 25 Jan 2017 @ 10:07am

    Nothing New

    I think it was Popular Photography back in the mid-1970's that published an article about photographic insecurity. As a test, a press photographer took a huge (YUGE!!) telephoto into the Helsinki international summit press gallery. He got photos over Kissinger's shoulder of him reading classified briefings - which turned out to be a simple newswire roundup. (Moral- governments will stamp anything as "Secret", as if we didn't know)

    Similarly, about 20 years ago the Canadian government had to quickly rewrite parts of their budget; (budgets in Parliament are secret until the details are announced) the finance minister in a photo op the day before the release was flipping through the secret budget bill and someone realized that freeze-framing the video allowed them to read details of some new tax measures.

    One of the early programs, even before iPhones, allowed a flip-phone user to video a page and feed it into a computer program to create a full-page higher resolution picture; something especially useful in Japan with pictographic printing. People would video the article they were reading at a magazine stand.

  • Anonymous Coward, 26 Jan 2017 @ 1:35pm

    * Only if you are foolish enough to use a fingerprint as a password
