
Behavioral Profiling: The password you can't change - walterbell
https://paul.reviews/behavioral-profiling-the-password-you-cant-change/
======
Htsthbjig
Well, yes you can change your behavior, and no, this is not a good idea.

We worked in biometrics like 4 years ago or so. It is trivial to defeat this
"security mechanism".

We had snake oil people trying to convince us to invest in this (we are a
software company), so we made a bet: if we could defeat their marvelous thing
on a test, they would pay our whole tester team a dinner (and go away and not
bother us again).

It was as easy as creating a prototype trainer. You record a person typing
with a webcam. You make some statistics and then in 10 minutes you could train
ANYBODY to copy the same behavior signature.

It took us like 2 hours to create the prototype trainer. After testing it we
realized the webcam WAS NOT EVEN NEEDED, the microphone is enough.

So we used a single hidden microphone to record the people chosen by the snake
oil team and ALL OF US (10 people) were able to defeat the system. Really fun
for us, extremely humiliating for the snake oil people.

BTW: This man is proposing a complete keylogger of all your actions on the
computer, what could go wrong?

~~~
ThomPete
Although you are of course right, there is something fundamentally interesting
about what could be done to track us in order to build a unique "ghost" of us
that can be used for many purposes beyond logging in.

But given I am not an expert in this field I would like to turn around and
perhaps ask you, what is the bigger vision?

Surely biometrics in all sorts of shapes and forms come with their own issues
and shortcomings.

Isn't the idea to make it good enough, not necessarily 100% airtight (although
I do understand that the scalability of technology makes the requirements
many times higher than between people)?

~~~
logfromblammo
This concept was used in __The Dosadi Experiment__, by Frank Herbert. The
Dosadis would input all available information on an adversary into a computer,
and build a personality model of them. They would then run game scenarios
against the model to find the optimal strategies to achieve some desired goal.

If you can assemble an AI copy of someone, you have an almost unbeatable
weapon against him. You can make him do things that he thinks are his own
ideas, just by adjusting the input parameters.

If you want someone to walk on one side of the street, and you know he avoids
panhandlers, you put a fake panhandler on the other side. If you want him to
slow down or stop at a certain point on that side of the street, and you know
he likes motorcycles, you park a custom chopper there. And while he's gawking,
you pick his pocket, or bag his head and shove him into a van, or stab him
with a drugged needle, or whatever other spy movie crap you might have in
mind.

If you have a detailed enough model to authenticate someone, you may also have
a good enough model to impersonate them, or to influence their behavior for
your own ends.

~~~
ThomPete
Agree, the question I guess is if there is any research into finding a way to
make the ghost "part of your dna" in some way so that it's tied to you and you
to it?

I know this is probably naive sci-fi but I have heard crazier things. I guess
at the end of the day it requires that the interfacing is not just digital but
also somehow biological/genetic.

------
Udo
What a huge nightmare waiting to happen. Sites already give me shit for
changing my location, making me jump through additional hoops because my
browser signature changed, refusing to let me purchase something because I
don't access them from my home country. The last thing I need is a behavioral
profiler that insists it has determined I'm not me and there is nothing I can
do to prove it wrong.

~~~
blowski
True - I was thinking "what happens if I burn my finger while cooking?" It
does seem like a solution looking for a problem.

~~~
pandler
Or, what if I've had a few beers and my typing is getting sloppier.

~~~
outworlder
If it's trying to prevent you from doing bank transfers while inebriated, I'd
say it's working as intended.

~~~
bobmagoo
I think there's a whole industry being ignored here - "Are you _sure_ you want
to post this to Facebook? Your typing is all over the place." or "Maybe we'll
just delay sending that text message for a few hours to make sure future you
really thinks it's a good idea."

------
arihant
I hope these services have an opt-out. I know, I know, this will get
infinitely more accurate at an arbitrary point in the future, and that I won't
have complaints then.

But I get screwed constantly while travelling to other countries, getting
repeatedly locked out of Gmail. Again, most users won't face these issues. But
I don't want to live in a world where if you're not a nominal case, you're
screwed.

The people who think passwords are hard will keep getting older and will be
washed away. The generation coming in thinks paper is a broken iPad. So
exactly why do we need to solve the problem of passwords, when even slightly
savvy users can handle it? Is it so hard to figure out that not too long in
the future, you can expect all your users to be comfortably savvy?

Also, passwords are deterministic and are a better UI. Android Lollipop's
on-body smart lock, for example, is a pure non-deterministic headache. Haven't
we gone through this with automatic sliding doors already?

~~~
theseatoms
> The people who think passwords are hard will keep getting older and will be
> washed away.

I wonder if younger generations use more secure passwords. I'd guess that the
typical user does not.

~~~
Vexs
Nope. Passwords used by them young folk just fit the requirements, and nothing
else. Now, geeky XKCD readers probably use a variant of
correcthorsebatterystaple, so we've got that going for us.

------
bbrazil
[http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...](http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html)
bears repeating. If you can't change it then it doesn't make for a
good password, as there's no revocation.

This sort of thing is useful as a signal when deciding if a user is who they
say they are, but it's not sufficient on its own.

~~~
ixwt
After reading about this post, I was theorizing about using this kind of
system in an enterprise system to help with intruder detection.

It would be another thing an intruder would have to bypass, and it could be
constructed loosely enough to not interfere with a normal work day.
Essentially just a flag, rather than a lock-out if it detects a failure.

I imagine a suite of behavior heuristics would be something of interest to a
big enterprise company.

------
coob
Isn't Google's recaptcha already doing this?

[http://www.wired.com/2014/12/google-one-click-recaptcha/](http://www.wired.com/2014/12/google-one-click-recaptcha/)

~~~
Aoyagi
Yes. It's annoying, because it taunts me with an effortless click once or twice a
day while it wastes my time with the annoying image matching for the rest of
the day.

~~~
typis7
I blocked the domain. If the site presents me with a re-captcha, I don't even
have to think whether to use that site.

~~~
artursapek
That's a pretty dismissive attitude. We recently added reCAPTCHA to our sign
up flow at Codecademy and it helped combat spam a lot. The site was harder to
manage and moderate before we took that little step.

Assuming all websites using reCAPTCHA are not worth using seems ridiculous to
me.

~~~
typis7
Captchas are dismissive towards users.

You throw humans and robots in the same basket and tell all of them to solve a
puzzle or you won't talk to them.

~~~
coldpie
I understand your point, but do you have a better suggestion to solve the spam
problem? It's a really hard problem, and CAPTCHAs do a reasonable job of
solving it at low cost to the end user.

------
liw
If you can't change it, it's a username, not a password.

~~~
tom-lord
There are plenty of sites that allow you to change your username!

~~~
jessaustin
The observation that some usernames are changeable doesn't contradict the
claim that passwords must be changeable, nor does it contradict the claim that
usernames need not be changeable.

~~~
tom-lord
> the claim that [...]

What are you talking about? The comment I replied to didn't make any such
claims!

> passwords must be changeable

Not necessarily. What about fingerprints?

> usernames need not be changeable

Not necessarily. What about National Insurance / Social Security numbers?

~~~
liw
Fingerprints are usernames, not passwords, even if some people use them as
passwords.

What's the point of a password you can't change? Once it leaks, you're screwed
forever.

In the authentication realm, there are three main things used: a) who you are
("username"), b) what you know ("password") and c) what you have (smartcard,
various kinds of dongles). Biometrics of any kind only fit in the first
category. The other two must be changeable, or there's no point to them, since
they become aliases for the username. Any authentication system needs to
assume the password or the what-you-have thingy leaks or is stolen. If they
can't be changed, it becomes rather difficult to lock out an attacker while
still allowing the legitimate user access.

~~~
tom-lord
> Fingerprints are usernames, not passwords, even if some people use them as
> passwords.

This doesn't make sense. You cannot "use a username as a password".

Fingerprints, retina scans, DNA samples, etc are biometric passwords. They are
unique identifiers to your identification, and cannot be changed for obvious
reasons.

~~~
jessaustin
Please reread this thread. The reason 'liw and I are on the same page, and you
literally denied that 'liw said what we can all read 'liw saying three inches
above, is that you simply haven't thought deeply enough about this topic.

The entire concept of "biometric passwords" is flawed, because as you see,
they "cannot be changed for obvious reasons". One of the _most_ important
things about passwords (and passphrases!) is that they may be changed at any
time. Every time there is an unauthorized data dump, we get lists of thousands
of passwords or hashes thereof. Therefore, anyone who protects important
assets with passwords should change them regularly. Anyone whose biometric
data is stored in a database will eventually have that dumped as well.

The day is quickly approaching when none of these biometric measures will be
private anyway. With that in mind, they could perhaps be used as public
identifiers, "usernames" if you will. In that sense they might be similar to
the SSN, another datum that is clearly unsuitable as a password, even though
hundreds of stupid organizations have used it as such.

------
Taek
I wonder if it makes sense to disable some of that information in JavaScript.
You couldn't disable it for js videogames, but I see no reason for most
websites to be able to track your behavioral profile.

The problem is that behavioral profiling will get better. How long you stay on
a page, which links you prefer, and potentially a lot of the metrics that
companies routinely use to A/B test their page would also reveal your
behavioral profile.

It's a similar problem to rhetorical analysis. It's difficult to publish a
paper anonymously if you have other publications because the rhetoric is
likely to have your fingerprint plastered all over it.

Privacy is rapidly eroding and it's not clear the trend can be reversed.

~~~
InclinedPlane
These sorts of techniques have widespread applicability. Who needs facial
recognition when you have kinematic behavioral analysis? Just imagine the
trove of data you could pull from existing information sources if you had
unlimited analytical time and computational power? As computing power becomes
even cheaper and various analytical techniques become better our "effective
privacy" window in our partially-anonymous society will grow ever smaller.

~~~
TeMPOraL
That's why I'm still entertaining the thought that we may be in a "privacy vs.
progress of mankind, choose one" type of situation. "These sorts of techniques"
are the first scratches on the Great Web of Causality. I don't see a way to
prevent it short of banning general-purpose computation. But are we going to
deny ourselves all the advances in medicine, disaster relief, energy
efficiency, etc. to protect ourselves from some future governments that may
get funny in their heads? Maybe it's time to embrace that our "effective
privacy" was only a temporary state of affairs, a historical aberration of the
industrial age. I don't know if this is a good idea or not, but I suspect
we'll learn to live with it and proper social customs will develop around
snooping on your neighbours.

By the way, it's funny how often the discussions turn into "we need to stop
technology X because evil advertisers will use it to do their evil things".
It's not technology X that is the problem, it's evil advertisers that are
assholes, and we need to find the way to get rid of the latter, not the
former.

~~~
pjc50
_progress of mankind_

At this point we have to drag out the heavy philosophical tools and ask: what
do we mean by progress? The "Whig view of history" is one of incremental
improvement towards better states, but it's reasonable to ask what we mean by
"better" and how the progress itself affects our view on what is better.

We also need to bear in mind that it's not just future governments but present
governments in various parts of the world that will weaponise technology for
control purposes. Behavioural analysis as part of the Great Firewall of China?

------
Flammy
I'm curious how much the ergonomics of your computer play into this...

Log in from your laptop vs desktop and you're (presumably) going to have to
have 1 profile for each.

~~~
amelius
Also, when logging into my bank account and I'm anxious to see if that big
deposit has been made, my behavior might be different than when checking at
the end of the month if there's anything left.

------
golergka
Would that work if the user changed keyboards? I used Apple keyboards of
various types for the last five years, and recently bought myself a new gaming
pc with a gaming keyboard — and while WASD feel is great, typing is a
nightmare, and I feel that my WPM count is three times smaller than on
keyboards I'm used to.

------
interfixus
We already know that places like Facebook monitor our every keystroke and
store them for posterity. Yes, they hang on, also to the text you regretted,
backspaced, and never published. It would seem utterly unprofessional, and
potentially detrimental to shareholder interest, for them to not also keep
track of timings and typing rhythms. Which makes me wonder how much mood
analysis, lie detection, and other psychometrics they really have collected on
us all over the years, given the right kinds of algorithms to run the lot
through.

~~~
bluefinity
That would be... disturbing. Fortunately it's not true, as you can see for
yourself with the chrome developer tools.

~~~
interfixus
It was true at one stage, according to official acknowledgement from Facebook.
There's a discussion somewhere here on Hacker News. Can't find the link right
now.

~~~
davidgerard
Not quite. Here's a blog post from someone who read the study, and quotes from
it:

[http://www.dailykos.com/story/2013/12/16/1263165/--Facebook-...](http://www.dailykos.com/story/2013/12/16/1263165/--Facebook-tracks-what-I-don-t-even-publish-No-No-it-doesn-t)

~~~
interfixus
I stand corrected. Thanks.

~~~
davidgerard
I didn't realise either until I read that, fwiw :-)

------
746F7475
If this doesn't get implemented into browsers as a default option, or usage of
the extension doesn't get popular, people using this are going to be easy to
identify. It's like someone using just normal http and suddenly using https
and Tor. You are going to stick out.

~~~
typis7
I wonder how popular NoScript/AdBlock are, percentage-wise, these days?

~~~
why-el
I tried NoScript for a bit. Obviously most social networks stopped working,
but I liked how NYT became free again (since they track you by a cookie) and
obviously HN remained solid. Essentially NoScript just means no online
socializing, which I think I might grow to become ok with.

~~~
typis7
Don't forget that you can whitelist domains, or disable/enable them per
session.

~~~
why-el
Yep, I actually just learned that a minute ago. Thanks for the tip. :)

------
wtbob
Yet another reason not to enable JavaScript in the browser…

And then there's Rowhammer
([http://googleprojectzero.blogspot.com/2015/03/exploiting-dra...](http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html)).

------
annnnd
> Most (if not all) behavioral profiling systems check your mouse movements
> too. However in my experience, mouse movements do not provide sufficient
> metadata to accurately identify a user

I would love to know more about this. Online ad networks have access to mouse
movement patterns on web pages, but users (usually) don't enter data through
keyboard on such pages. And I would expect they already use this mouse
movement data to catch fraud... I wonder if it can be used to identify users?

------
mpatachi
I might not get everything right, but aren't they proposing "kind of" a
keylogger as a security solution? Even the idea of using a technology for
which others build products to fight against seems a bit strange.

Now, admitting that everyone will use it in good faith, I'd like the fact
that, by itself, it does not add another thing you need to do as a user to
authenticate. But, as Paul said in his article, I only see it used as a
trigger for other security measures.

~~~
rjaco31
I don't see why you find the idea that strange, an anti-virus is already
running on your computer, hooking all your programs, and sniffing on your
connections. Offense & defense have always used virtually the same techniques.

------
Lawtonfogle
Imagine the behavior profiler learning enough to notice trends and even
changes in groups. Imagine if it could identify enough to determine people who
had previously been sexually victimized. I wonder how much that type of data
could sell for.

My problem with all of this profiling/biometrics is an extension of the
problem with retinal scanning. It isn't a question of whether it works or not, but
of what information other than identity it leaks.

------
JohnyLy
It sounds great and much more protective than passwords. You can't
copy/imitate behaviors. However, I am wondering if the system still works if
you are tired or sick. Your behavior might change in this case and therefore
the system would not recognise you.

~~~
typis7
I think you misunderstood the intention of this feature. The goal is to
identify and/or profile users that themselves use just a regular log-in. This
can be then used to improve targeted marketing, selling that information to
third-parties for example.

Note how the article mentions that the gender can be determined after a few
keystrokes, even though the user never entered that specific information. This
is certainly not the only metric that can be identified. The point of the
article is to develop a solution to prevent leakage of private/personal
information.

~~~
learnstats2
> Note how the article mentions that the gender can be determined after a few
> keystrokes, even though the user never entered that specific information.

Research got median 88% accuracy testing subsets of 98 males and 35 females.

Note that I got 74% accuracy on that data set by guessing male, male, male,
male, male...

~~~
typis7
By knowing in advance what the ratio is. Such a great system will do really
well in the real world.

( You have a very ironic username given the circumstances. )

~~~
learnstats2
The original researcher knows in advance what the ratio is, yes, that's my
point. I'm illustrating that the research is not very good. They couldn't even
identify women to take part in the study. Given the numbers involved, it
certainly isn't Facebook-ready.

In general, I don't believe it is possible to distinguish male and female
typing patterns.

What you might be recognising is how people learned to type combined with the
size of their hands - that might partly but not exactly break along gender
lines. Bucketing people on that basis is just a recipe for awkwardness.

~~~
typis7
Fabricating facts and using ad-hominem is not a very good way of backing up
your arguments.

Quote from the paper: _We use the public GREYC keystroke benchmark database
for this work. It is one of the largest databases (in term of number of users
and sessions) in keystroke dynamics. To our knowledge, no existing database
contains more individuals. In order to reduce the bias due to this high
quantity of male information, we only kept the first n male samples (where n
is the number of female samples)._

( Don't bother with your response, I won't be reading it. )

~~~
learnstats2
>We use the public GREYC keystroke benchmark database

Yes. That's their own database which they're talking up, the one that they
made to do this research. That's what I was talking about.

> In order to reduce the bias due to this high quantity of male information, we
> only kept the first n male samples (where n is the number of female samples).

It happens that I didn't read this part.

On reflection, what I understand now is far worse than what I originally
understood:

- They have 35 females and 98 males, they take many handwriting samples from
each.

- Since the participants provided many samples, these samples appear both in
the training set data and in the test set data.

- I use the training set data to figure out if I can recognise the
handwriting of the 35 female participants.

- Then I look through the test data to see if I can identify those
participants again.

Basically what you've shown is you can identify the handwriting of 35 people
if you've already seen it - 88% of the time.

Splitting groups into 'female' and 'male' is a red herring. This method would
presumably work, even if I split them into two random groups.

If I'm right, this is not even state-of-the-art. In 2006 they could have been
scoring 96%:
[http://abcnews.go.com/Technology/story?id=97978&page=2](http://abcnews.go.com/Technology/story?id=97978&page=2)
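
Added example (not part of the thread): a small constructed Python simulation of the evaluation flaw learnstats2 describes above. Every "typist" gets a stable timing signature, the 0/1 label is shuffled across subjects at the 98:35 ratio quoted in the thread (so it carries no information about typing, i.e. the "two random groups" case), and a nearest-neighbour classifier is scored once with the same subjects' samples in both splits and once with held-out subjects; the feature count, jitter, classifier and split sizes are assumptions, not the paper's setup.

```python
import math
import random

# Constructed simulation, not the study's data. Subject counts are the ones
# quoted in the thread: 98 male and 35 female participants, many samples each.
N_MALE, N_FEMALE = 98, 35
SAMPLES_PER_SUBJECT = 10
N_FEATURES = 8  # assumed stand-in for per-key dwell/flight timing features


def majority_baseline(n_majority: int, n_minority: int) -> float:
    """Accuracy of always guessing the larger class ("male, male, male...")."""
    return n_majority / (n_majority + n_minority)


def make_dataset(rng: random.Random):
    """Return rows of (subject_id, label, features).

    Each subject has a stable personal timing signature (wide spread between
    subjects, small jitter within a subject). The 0/1 label is shuffled across
    subjects at the 98:35 ratio, so it carries NO information about typing.
    """
    labels = [1] * N_MALE + [0] * N_FEMALE
    rng.shuffle(labels)
    rows = []
    for sid, label in enumerate(labels):
        signature = [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
        for _ in range(SAMPLES_PER_SUBJECT):
            rows.append((sid, label, [v + rng.gauss(0.0, 0.1) for v in signature]))
    return rows


def nearest_neighbour_accuracy(train, test) -> float:
    """1-NN on Euclidean distance: predict the label of the closest training row."""
    correct = 0
    for _, label, x in test:
        nearest = min(train, key=lambda r: math.dist(r[2], x))
        correct += nearest[1] == label
    return correct / len(test)


def sample_level_split(rows, rng: random.Random, test_frac: float = 0.3):
    """Flawed split: shuffle individual samples, so each subject lands in both halves."""
    rows = rows[:]
    rng.shuffle(rows)
    k = int(len(rows) * test_frac)
    return rows[k:], rows[:k]


def subject_level_split(rows, rng: random.Random, test_frac: float = 0.3):
    """Sound split: hold out whole subjects, so test typists were never seen in training."""
    subjects = sorted({r[0] for r in rows})
    rng.shuffle(subjects)
    held_out = set(subjects[: int(len(subjects) * test_frac)])
    train = [r for r in rows if r[0] not in held_out]
    test = [r for r in rows if r[0] in held_out]
    return train, test


def compare(seed: int = 7) -> dict:
    """Accuracy under both splits, plus the guess-the-majority baseline."""
    rng = random.Random(seed)
    rows = make_dataset(rng)
    leaky = nearest_neighbour_accuracy(*sample_level_split(rows, rng))
    sound = nearest_neighbour_accuracy(*subject_level_split(rows, rng))
    return {"majority_baseline": majority_baseline(N_MALE, N_FEMALE),
            "leaky_sample_split": leaky,
            "subject_disjoint_split": sound}


if __name__ == "__main__":
    for name, acc in compare().items():
        print(f"{name:24s} {acc:.3f}")
```

With subjects shared between splits the classifier scores near 100% on a label that was assigned at random, because it is recognising the person; with held-out subjects it falls back to roughly what label frequencies alone predict.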

------
kriro
How is the profiling data supposed to be used theoretically? I hope not as a
full login. I'd count it as a "what you are" type of item like a fingerprint
and would just only want to use it as a username. I think session expiration
could actually be an interesting use case. Instead of/in addition to "session
expires after X minutes" you could expire the session after the behavioral
delta is big enough. But I'd assume a different login mechanism. Could be good
session hijacking protection, especially for applications that require regular
interaction anyway.

Love that there's countermeasures already. Well written article, too :)

~~~
typis7
Practically speaking, you will get advertisements that have a measurably
larger chance of you following up on them, i.e. targeted ads.

------
cosmolev
Will it really work on a large user base?

There are a lot of approaches around (big data, profiling, machine learning,
...) based on the assumption that people usually behave in the same way. And
they really do.

This thing is quite the contrary.

------
vjvj
Cool tool but kinda ironic that someone built a privacy tool for Chrome only

------
coldcode
I wonder how effective this would be on a mobile keyboard. I can type fairly
well on a desktop keyboard, but on mobile it's more complex since you can have
plugin keyboard enhancers.

------
bitbandit
This means that if I break a finger playing volleyball, I will need to go
through extra verification steps to access an app.

------
vinceguidry
It'll only last until web APIs take over and the new hotness is third-party
clients for everything.

------
kasparsklavins
My typing speed varies from 70 to 120 words per minute. Can't imagine this
working.

------
cmkrnl
Walk without rhythm/and it won't attract the worm...

------
fjdhrjxjcjfdb
Please stop. You're getting your panopticon all mixed up in my internet.

