From the Canyon Edge -- :-Dustin
Showing posts with label SxSW. Show all posts

Monday, March 16, 2015

SXSW 2015 Slides and Audio from Fingerprints are Usernames, Not Passwords



This morning, I led a "core conversation" session in the Security and Privacy track at SXSW Interactive festival.  With 60 seats in the room, it was standing room only, and unfortunately, some people were turned away from the session due to a lack of space.  Amazingly, that was a packed house at 9:30am on a Sunday morning, merely stumbling distance from the late night party that is 6th Street in Austin, Texas!

I'm pleased to share with you both the slides, as well as a rudimentary audio recording from the mic on my laptop.  The format of a "core conversation" at SXSW is not your typical conference lecture.  Rather, it's an interactive, dynamic, social exchange of ideas and thoughts.  I hope you enjoy!

Slides:


Audio:


Have a great South-by!
Dustin

Wednesday, January 28, 2015

Security and Biometrics: SXSW Preview Q&A


Rebecca: Can you give me a brief overview of why you see it as a problem that our personal biometrics, at this point mostly fingerprints, are being used to authenticate our actions rather than identify us?

Dustin: How many emails have you received, to date, from some online service or another saying, "We're sorry, but our site was attacked, and while we don't think your password was compromised, we think you should change it anyway, for good measure"?

Surely you've seen this once or twice, right?  And if you're like me, you kind of take a deep breath, and think, "Oh man, that's inconvenient..."

Now, what if that site used some form of biometrics, instead?  Let's say your fingerprint.  Or your eyeball.  How would that email read? You want me to change my fingerprints!?!  My eyeballs!?!

That's ridiculous, of course, but it perfectly shows the problem. Biometrics are not changeable.  You couldn't alter them if you tried. Being able to change, rotate, and strengthen passwords is one of the most fundamental properties of authentication tokens -- and completely missing from all forms of biometrics!

That's just one of a number of problems with biometrics.  I'll cover more in my talk ;-)

Rebecca: Is biometrics something you've worked with professionally or what has piqued your interest in the area?  What made you want to do a panel on the issue?

Dustin: Sort of.  I've long maintained and developed an encrypted filesystem for Linux, called eCryptfs.  In 2008, I was asked to add eCryptfs support for Thinkpad's fingerprint reader.  After thinking about it for a while, I refused to do so, with the core arguments being much of what I described above.  With that refusal to support fingerprint readers in 2009, I seemed to have picked a few fights and arguments with various users.

All was pretty quiet on the home front, until Apple released an iPhone with a built-in fingerprint reader in late 2013, and I blogged this piece that criticized the idea accordingly: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html

That blog post in October 2013 sort of did the viral thing on social media, I guess, seeing almost a million unique views in about a month.

Rebecca: I feel embarrassed to admit that I had simply never thought of this issue until seeing your panel synopsis.  Then, it seemed incredibly obvious and I found myself looking at my phone's fingerprint scanner suspiciously.  Why do you think the public has had so little response to biometrics in technology, other than seeing it as a neat feature of a particular gadget?

Dustin: On the surface, it seems like such a good idea.  We've all seen Mission Impossible or 007 or countless other spy movies where Hollywood portrays biometrics as the authentication mechanism of the future.  But it's just that...  Bad pulp fiction.

There are plenty of ideas that probably seemed like a good idea at first, right?  Examples: Clippy, The Hindenburg, New Coke, Tanning beds, The Shake Weight, Subprime Mortgages, Leaded Gasoline.  Think about it for just a minute, though.  A passenger blimp filled with Hydrogen?  An annoying cartoon character that always knows more than you?  Massive scale lending to high-risk individuals packed into mortgage-backed securities?  Dig a little deeper and these were actually misapplications from the beginning.  We'll be in the same place with Biometrics, I have no doubt.

Rebecca: Have there been any instances that you're aware of where the technology has been compromised?

Dustin: The Chaos Computer Club have demonstrated compromising Apple TouchID: http://arstechnica.com/apple/2013/09/chaos-computer-club-hackers-trick-apples-touchid-security-feature/

TouchID is actually pretty high resolution.  The Thinkpad fingerprint readers, until recently, could be fooled with a piece of scotch tape: https://pacsec.jp/psj06/psj06krissler-e.pdf

Rebecca: In the future, if we continue down the current path do you see identity theft including the hacking of our fingerprints and voice patterns in addition to our credit card info?

Dustin: I certainly hope we can curtail this doomed path of technology before we get to that point...

But if we don't, then yes, absolutely.  All of your biometrics are easily collected in public places, with your knowledge.


  • Your fingerprints are on your coffee mug and every beer bottle you've ever picked up with your bare hands.
  • Your hair, dandruff, and dead skin contain your DNA.
  • High resolution digital cameras can pick up your iris in incredible detail (less so for the retina currently)
  • Facial recognition -- seriously, unless you've taken exorbitant steps, your face is all over Facebook, Google, LinkedIn, etc., and everywhere you go in public today, there are security monitors.
  • The same goes for vocal recognition.  Surely you've heard, "This call may be recorded for training purposes".  Sure, that's fine.  But do you go spilling your master password to all of your accounts to that phone support?  Well, if you use voice recognition for your authentication, then that's exactly what you've done.

Rebecca: Beyond crime, what are the civil liberties issues you see being entwined with biometrics technology?  Could the government theoretically access this information in much the same way they have our email and phone records in the past?

Dustin: Theoretically, yes.  That "theoretically, yes" is enough for me to be very concerned.

Is Apple colluding with the NSA/FBI/CIA/etc?  I am most certainly NOT making that accusation.

Could they, or anyone else in this biometrics?  Most certainly.  They could even be coerced or forced to do so.  And they could do so unknowingly.  And it might not even be "the good guys".  Anyone of this magnitude is a target for attacks, by less than savory governments or crime organizations.

Moreover, I strongly recommend that everyone consider their biometrics compromised.  As I said above, you leave a trail of your fingerprints, DNA, face, voice, etc. everywhere you go.  Just accept that they're not secret, and don't pretend that they are :-)

Rebecca: What are some places where you see biometrics as appropriate and useful?

Dustin: Back to the title of the presentation, I think biometrics are decent as a "username", just not as a "password".

Is your name secret?  No, not really.  Is your email address secret? No, not really, either.

That's what biometrics are -- they're another expression of your "identity".  They can be used to replace, or rather, look up your name, username, or email address from a list, as they're just another expression of that information.

Now, a password is something entirely different.  A password is how you "prove" your identity.  This is something entirely different.  It must be long, and very hard to guess.  You have to be able to change it.  And you have to keep your passwords separate from different accounts, so that no one account could share that with another account and compromise you.

Rebecca: What are your thoughts on SXSW Interactive as a venue for such discussion?

Dustin: I think it's a fantastic venue!  I attended SXSW Interactive in 2014, and was very impressed with the quality of speakers and discussion around security, privacy, identity, and civil liberties.  I immediately regretted that I didn't submit this talk for the 2014 conference, and resolved to definitely do so for 2015.  Unfortunately, this subject is still important and topical in 2015 :-(  Which means we still have some work to do!

Rebecca: Finally, are there any other panels you're especially looking forward to?

Dustin: All of the Open Source ones (of which there are a lot!), as that's really my passion.  If I have to pick three right now I'm definitely attending, it would be:


Cheers,
Dustin

Wednesday, March 12, 2014

My SxSW Interactive 2014 Recap

Overview: a Mega Conference

SxSW is basically 3 enormous, loosely related, overlapping conferences -- Interactive, Film, Music -- drawing 250,000+ people to downtown Austin, Texas, over the course of 2 weeks.  Literally thousands of events, both official and unofficial, run 20 hours per day, from 7am until 3am the next morning.  The event draws the earliest adopting techies, geeks, film buffs, music aficionados, angel investors, venture capitalists, musicians, recording studios, actors, agents, celebrities, and vendors of every imaginable kind.  With a keen eye, I also spotted one or two hipsters.  And throngs of Glassholes.



The largest keynote venues (plural) hold several thousand people, and fill to capacity, with both closed circuit and Internet streamed broadcasts on display in multiple overflow ballrooms.  Technical sessions, presentations, and panels are spread across 30 different venues around downtown Austin (e.g. The Austin Convention Center, The Hilton, The Marriott, The Driskill, City Hall, The Chamber of Commerce, Palmer Event Center, the Omni, the Intercontinental, etc.).  Tracks are roughly contained in a given venue.  While shuttles are available for moving between venues, the weather in Austin in March is gorgeous and everything is roughly walkable.

While massive corporate "super sponsors" drive the overall event (Miller, Chevrolet, AT&T, Deloitte, American Express), a huge portion of the interactive side of the house is focused on start ups and smaller businesses.  This was a very familiar crowd, savvy and familiar with free software and open standards.  These are thousands of the hackers that are building the next 40 new apps you're going to install on your phone or for which you'll soon have to generate a new web login password.

SxSW has been used to launch or spread countless social media platforms, including: Wordpress, Twitter, Foursquare, etc.  Early adopters now flock to SxSW in droves, to learn about new hardware and software gadgets before their Silicon Valley friends do.  Or, depending on your means, perhaps invest in said opportunities.

Expo Floor 

The tradeshow does require an expo badge, but in my experience, it's pretty easy to come by an expo badge freely.  The expo floor includes 300+ booths, wide and varied, covering technology, gadgets, startups, film, music, and more.  Nearly 75,000 unique badges entered the tradeshow floor.


I saw at least 4 different public cloud vendors (Rackspace, SoftLayer, DigitalOcean, and Codero) with sizable displays.  I spent a good bit of time with Codero.  They're a new(ish) public cloud offering, built on Ubuntu and CloudStack, based in Austin and Kansas City.  I also spoke with a couple of data analytics start ups, and talked a bit about Ubuntu and Juju.

I was surprised to see Ghostery on exhibit (I'm a big fan, actually, use it everywhere!). NASA had a spectacular booth.  I saw a few booths displaying their wares on Unity desktops (woot).


There were several RaspberryPi demos too.  The most amusing start up was from Japan, called LogLog, "When it comes to #2, we're #1".  Seriously.


I wore an Ubuntu t-shirt each day, and several people stopped to ask me where the Ubuntu booth was.  It's probably worth considering a booth next year.  I can see where both a Juju GUI and a few Ubuntu Touch devices would generate some great traffic and press at SxSW.  This is definitely the crowd of next generation app developers and back end social media developers building the new web.  It would behoove us to help ensure they're doing all of that on Ubuntu!

Session Highlights

I missed Friday and Saturday, but I did attend sessions Sunday, Monday, and Tuesday.

There was a very strong, pervasive theme throughout much of the conference, across many, many tracks about security, privacy of individual data, openness of critical systems and infrastructure, and generally speaking, freedom.  I don't suppose I was expecting this. There were numerous mentions of open source, Linux, and even Ubuntu in various capacities as being better options than the status quo, for many of the social and technical issues under discussion.  Perhaps I gravitated toward those sessions (okay, yeah, I did).  Still, it was quite reassuring that there were so many people, unknown to many of us, touting our beloved free and open standards and software as "the answer".

The other theme I picked up on is how "connected" our media and entertainment devices and mechanisms are becoming.  Netflix is designing TV series (House of Cards) based on empirical data that they collect, about what people like to watch.  Smart TVs will soon deliver richer experiences about the sports and programming we watch, with real-time, selectable feeds and layers of additional content.  Your handheld devices are becoming part of the entertainment experience.

Here are a few highlights, mostly from names that you might recognize.

Edward Snowden

[Note that I am not passing judgement here, just reporting what was said during that session.]

Perhaps the most anticipated (and reported upon) keynote was the remotely delivered panel session with infamous NSA leaker Edward Snowden, via Google Hangout.  The largest part of the conference center was packed to capacity, and local feeds broadcast the session to much of the rest of the conference.  I suppose some of you saw the coverage on Slashdot.  Snowden's choppy, Google+ hangout picture featured the US Constitution displayed behind him.



He said that the NSA collected so much information that they didn't even know what to do with it, how to process it.  Collecting it proved to be the easy part.  Processing it was orders of magnitude more difficult.  He suggests that developers need to think security and encryption first, and protect user data from the start (and the SxSW tech savvy crowd are the ones to do it).  He said that encryption is not fundamentally broken, and it generally works very well.  That the NSA spent far less time trying to break systems, than to just monitor all of the easy targets.  He said that he felt like he did his job, by blowing the whistle, in that "he took an oath to defend and uphold the constitution, and what he observed was abuse and violation of it on a massive scale."

Adam Savage


Adam Savage (co-host of Mythbusters) delivered the best canned presentation of the entire event (for me).  He discussed Art and Science, how they're fundamentally the same thing, but we as a society, lately, haven't been treating them as such, and they're tending to drift apart.  He talked about code as art, as well.


Shaquille O'Neal

Believe it or not, Shaq delivered a hilarious panel session, talking about wearable technology.  He described himself as the "world's biggest geek" -- literally.  He said that he used to be afraid of technology (in high school), until he was tutored by one of the geekiest kids in school.  He then fell in love with technology (at 17), and has been an early adopter ever since.  He says he has both Android and iPhone devices, talked extensively about the Fitbit (the co-host was from Qualcomm), and other wearable technologies, particularly as they relate to sports, health, and fitness.


George Takei

George Takei is 76 years old, but has the technical aptitude of a 24 year old computer whiz.  He bridges at least 3 generations, and is on a quest to bring technology, and especially social media, to older people.  I've been a subscriber to his feeds on Facebook/Twitter/G+, and he's really sharp-witted, funny, and topical.  He discussed his tough life growing up (in an American concentration camp for Japanese Americans during WWII), coming to terms with his sexuality, entering showbiz, Star Trek, his (brief) political career, and now his icon status in social media.  Brilliant, brilliant man.  Entertaining and enlightening session.


Daniel Suarez

Daniel Suarez is an author of (now) four cyberpunk technical thrillers.  I reviewed his first book (Daemon) back in 2008 on my blog (and a few more).  His publicist reached out to me, put us in touch, and we've been in communication ever since.  He sat on a panel with Bruce Sterling and Warren Ellis, hosted by Joi Ito (MIT Media lab, early investor in Twitter, Flickr, Kickstarter).  Daniel invited me out for dinner and drinks afterward with him and his wife, and we had a great time.  He's a huge fan of Ubuntu.  He says that he wrote all of his last book (Influx) on an Ubuntu laptop (woot).  In his previous book (Kill Decision), Ubuntu made a brief cameo on the main character's computer (albeit compromised by a zero-day attack).


The Darknet


I did attend a few sessions by lesser known individuals.  Not much remarkable, but there was one "interesting" presentation, introducing people to "the dark net".  The presenter covered a bunch of technologies that (probably) you and I use every day, but framed it as "the dark net", and explained how anyone from malicious people to Wikileaks use IRC, PGP, tor, proxies, stunnels, bitcoin, wikis, sftp, ssh, and so forth to conduct shady business.  He only had a very small time slot, and had to tear through a lot of material quickly, but I found it sad that so many of these fundamental technologies were conflated and in some people's minds, I'm sure made synonymous with human trafficking, drugs, corporate espionage, and stolen credit card numbers :-(

Aaron Swartz documentary


I did manage to catch one documentary while at SxSW...  The Internet's Own Boy: The Aaron Swartz documentary.  Aaron's story clearly resonates with the aforementioned themes of freedom and openness on the Internet.  While I didn't know Aaron personally, I was of course very much aware of his work on RSS, Reddit, SOPA/PIPA, etc.  I feel like I've known many, many people like him -- brilliant programmers, freedom fighters -- especially around free software.  His suicide (and this documentary) hits pretty hard.  There are hundreds of clips of him, from 3 years old until his death at 26, showing his aptitude for technology, sheer brilliance and limitless potential.  He did set up a laptop in a closet at MIT and downloaded hundreds of gigabytes of copyrighted JSTOR documents, and was about to stand trial on over a dozen felony counts.  The documentary argues that he was to be "made an example of".  Heartfelt interviews with Lawrence Lessig, Cory Doctorow, Sir Tim Berners-Lee, as well as Aaron's friends and family paint extremely powerful portraits of a brilliant, conflicted genius.  The film was extremely well done.  I had a pit in my stomach the rest of the day.



Cheers,
:-Dustin

Thursday, February 16, 2012

Gazzang Bang and the SXSW Startup Pub Crawl


The Gazzang office at 502 Baylor Street in Austin, Texas is one of the destinations of the 2012 SXSW Startup Pub Crawl, on Thursday, March 8th.

Join us between 4 and 10 pm for an open house, drum circle, and some awesome live music from the Lost Pines bluegrass band!  Please RSVP here.  Come talk to us over free beer and food about Cloud security, data privacy, encryption, eCryptfs, key management, Linux, and Ubuntu.  Meet the entire cast of the Sh*t IT Security Guys Say short film.  And tap into the vibrant tech start-up culture that's rocking downtown Austin by day, juxtaposed against the awesome live music culture that rocks downtown Austin by night.





Come get your bang on!

:-Dustin
