Suramya's Blog : Welcome to my crazy life…

September 24, 2022

Keep your disk temperatures below 40 Deg C to increase their life

Filed under: My Thoughts,Tech Related — Suramya @ 12:18 PM

Over the past few decades since I got my first computer, Hard Drive failures have been a problem for me till recently as my disks would last about a max of 2 years before I started seeing errors & disk failure on them. I tried all the brands including Segate, WD and a couple of others but still had the same issue. It had gotten bad enough that I was looking at buying enterprise hard disks instead of the Desktop versions even though the enterprise versions are a lot more expensive.

Then one day I was randomly looking at the temperature sensors for the system, I noticed that the hard drive temperature for 2 of the disks was at 41 Deg C. Plus the logs on the disk showed that this was a common occurrence for the disks. Then a quick Google search told me that the drives should be kept below 40 Deg to avoid disk failures. So I opened up the case and added a couple of more fans in the casing so that I had a constant flow of air over the disks. Took me about 20 mins and I already had the extra fans lying around. With the new fans the disk temperatures dropped to an between of 33-35 Deg C and I left it as is.

This was about 5 years ago. Today I was running my quarterly SMART scan of all my disks and noticed that the disks have been running for an average of 50k hours now (one of the disks is at 2k, but all others have been running constantly for a while). The max value of lifetime hours for my system is currently at: 52381 hours -> 2182.5 days -> 5.97 hours. That is a massive improvement over the previous average of <2 years. I am sure the same would be true for laptops as well but it is difficult to add another fan to a laptop so haven’t tested it. Plus my laptop doesn’t get used as often as my desktop since I mainly only use it while traveling whereas the desktop has been running pretty much 24×7 since I got it.

This shows that having your CPU/devices at the recommended temperature is essential for a longer life of the components. This is one of the reasons that all data-centers are cooled to the degree they are and any increase in the temperature maintained needs to be carefully tested before implementation.

– Suramya

September 22, 2022

Do kids make the world better? (A: Of course they do…)

Filed under: My Thoughts — Suramya @ 12:22 AM

There is this quote floating around from a person who should know better, asking “What has any 5th grader done to make the world better because he or she is in it?” in response to a message at a school telling kids that they are loved and the world is better because they are in it. The question has stuck in my head and made me think a lot. There are so many ways kids make things better by being in it and though I never want to have kids even I can see how they make the world a better place when they are in it. Only selfish fools that measure value by what you own and what your bank balance can’t see this and I feel sorry for them as they don’t know what it is like to be loved.

It also made me think about all the times a kid has made things better for me so am sharing some random thoughts and examples from my life where a kid definitely made things better:

  • Kids will show unconditional love to those who love them, will come and cuddle with you and tell you stories about their day and what they learned that will make you forget your troubles for a bit
  • The hug you get when they see you after a while will make you forget a bad day at work…
  • Make you laugh so hard that your sides hurt with their explanations on why & how things work or why they did a certain thing.
  • Give you that look that tells you that you are the most important person in their world right now
  • Come up with really corny nicknames for you that you grow to love, Mine is ‘shu mama’ or shoe-mama as per my niece and nephew…
  • Watching kids play will show that not everything in the world is about money or being selfish. A little while ago I was playing with Vir and I jokingly told him that I was going to eat his nose. He told me no so I responded saying that I was really hungry. He looked at me for a few seconds and then looked at his hands; thought for a bit and then told me that I only have one nose but you can eat a finger as I have 10 of them.

There are so many examples but I don’t think any of them will make this person change their mind because they only look at the world with a mindset that values people only based on their bank balance, things they have accumulated and how useful the person is going to be for them personally. There is more to the world than how it can be used and how to make money from it. If you can’t see that then I feel sorry for you.

Well this is all for now. More later.

– Suramya

September 15, 2022

Thoughts on the Bangalore flood and how its citizens banded together to help each other

Filed under: My Life,My Thoughts — Suramya @ 8:51 PM

The past few weeks have been pretty bad publicity for Bangalore with the flooding and the ineptitude of the BBMP and other govt services on full display, however I am going to talk about another aspect of the situation that I feel didn’t get enough coverage: The human factor and how people from various aspects of life banded together to deal with the situation together.

I was traveling during the floods so I managed to miss the major part of the flooding, but last year I wasn’t that lucky. I was visiting a friend back in Dec 2021 and didn’t realize that the water in the underpass was rising quickly and my car stalled as soon as I was half way through. I tried a few times to restart and with the water rising quickly I immediately got out of the car and tried pushing it out of the water. I wasn’t very successful because the car was heavy and not moving much. While I was trying this 3 guys passed by on scooters/bikes and they saw that I was struggling so they immediately parked their bikes and waded into the hip deep water with sewage mixed in it without me even asking them for help. They pushed the car out of the water and up to the main road through the water and the torrential rain. They only spoke Kannada and we both (Jani and me) don’t speak it so we just communicated with gestures and sign language. But none of that mattered these folks didn’t stop to ask if I was a northie or a proper kannadiga before they helped me in the middle of the night. Once the car was out and they were certain that we were ok they started to walk away and when I tried to give them some money but they refused. I insisted and forced them to take it because I wanted to show my gratitude and it was the least I could do. I wish I had asked for their names so that I could thank them and name them but I was a bit too frazzled to think of that at the time and by the time I remembered they were long gone.

This is what I will remember when people talk about Bangaloreans or people from the south being rude. It is just not true these guys didn’t have to help us, but they did it without us even asking for it. All they saw was that someone was in trouble and immediately helped.

The same scene played out in the recent floods as well where random people helped to push stranded vehicles to safety, farmers in tractors were helping people get to safety and boats rescued people from flooded areas etc etc. This was not the government coming in to help but people helping their neighbors and even random people who just needed help. There are so many stories that played out during this time that should have been captured but most people who helped were just being good humans and that is what we need more of in these times; people helping each other. This does help shore up my faith in humanity. After the floods folks in Diamond District have been donating money and essential supplies to help the people in slums (and other impacted areas) and the same is the scene at a few other apartment complexes as well. Companies are also looking at using their CSR budgets to help.

We need to celebrate these small acts of kindness and humanity. Trust me that these will be remembered for longer than random idiots on Twitter calling for all ‘northies’ to get out. I commented on a tweet by a friend whose apartment complex was flooded and even I had an idiot telling me to get out of Bangalore, but they are a vocal minority. Most people want to help and were/are helping as much as they can and I was happy to see the city where I have been living for over 2 decades come together to face this disaster together.

That all being said, the government and the agencies that allowed the situation to deteriorate this badly should be held accountable and action must be taken against them. This didn’t need to happen and the loss of life and property damage is their fault.

Well this is all for now. Will write more later.

– Suramya

August 31, 2022

Thoughts around Coding with help and why that is not a bad thing

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 11:40 PM

It is fairly common for the people who have been in the industry to complain about how the youngsters don’t know what they are doing and without all the fancy helpful gadgets/IDE’s they wouldn’t be able to do anything and how things were better the way the person doing the complaining does it because that is how they learnt how to do things! The rant below was posted to Hacker News a little while ago in response to an question about coPilot and I wanted to share some of my thoughts around it. But first, lets read the rant:

After decades of professional software development, it should be clear that code is a liability. The more you have, the worse things get. A tool that makes it easy to crank out a ton of it, is exactly the opposite of what we need.

If a coworker uses it, I will consider it an admission of incompetence. Simple as that.

I don’t use autoformat, because it gets things wrong constantly. E.g. taking two similar lines and wrapping one but not the other, because of 1 character length difference. Instead I explicitly line my code out by hand to emphasize structure.

I also hate 90% of default linter rules because they are pointless busywork designed to catch noob mistakes.

These tools keep devs stuck in local maxima of mediocrity. It’s like writing prose with a thesaurus on, and accepting every single suggestion blindly.

I coded for 20 years without them, why would I need them now? If you can’t even fathom coding without these crutches, and think this is somehow equivalent to coding in a bare notepad, you are proving my point.

Let’s break this gem down and take it line by line.

After decades of professional software development, it should be clear that code is a liability. The more you have, the worse things get. A tool that makes it easy to crank out a ton of it, is exactly the opposite of what we need.

If a coworker uses it, I will consider it an admission of incompetence. Simple as that.

This is a false premise. There are times where extra code is a liability but most of times the boiler-plate and error-checking etc is required. The languages today are more complex than what was there 20 years ago. I know because I have been coding for over 25 years now. It is easy to write Basic/C/C++ code in a notepad and run it, in fact even for C++ I used TurboC++ IDE to write code over 25 years ago… We didn’t have distributed micro-services 20 years ago and most applications were a simple server-client model. Now we have applications connecting in peer-to-peer model etc. Why would I spend time retyping code that a decent IDE would auto-populate when I could use that time to actually solve more interesting problems.

This is the kind of developer who would spend days reformating the code manually to look just right instead of coding the application to perform as per specifications.

I don’t use autoformat, because it gets things wrong constantly. E.g. taking two similar lines and wrapping one but not the other, because of 1 character length difference. Instead I explicitly line my code out by hand to emphasize structure.

This is a waste of time that could have been spent working on other projects. I honestly don’t care how the structure is as long as it is consistent and reasonably logical. I personally wouldn’t brag about spending time formatting each line just so but that is just me.

I also hate 90% of default linter rules because they are pointless busywork designed to catch noob mistakes.These tools keep devs stuck in local maxima of mediocrity. It’s like writing prose with a thesaurus on, and accepting every single suggestion blindly.

I am not a huge fan of linter but it is a good practice use this to catch basic mistakes. Why would I spend manual effort to find basic issues when a system can do it for me automatically?

I coded for 20 years without them, why would I need them now? If you can’t even fathom coding without these crutches, and think this is somehow equivalent to coding in a bare notepad, you are proving my point.

20 years ago we used dialup modem and didn’t have giga-bit network connections. We didn’t have mobile-phone/internet coverage all over the world. Things are changing. We need to change with them.

Why stop at coding with notepad/vi/emacs? You should move back to assembly because it allows you full control over the code and write it more elegantly without any ‘fluff’ or extra wasted code. Or even better start coding directly in binary. That will ensure really elegant and tight code. (/s)

I had to work with someone who felt similarly and it was a painful experience. They were used to of writing commands/code in Hex to make changes to the system which worked for the most part but wasn’t scalable because they didn’t have others who could do it as well as him and he didn’t want to teach others in too much detail because I guess it gave them job security. I was asked to come in and create a system that allowed users to make the same changes using a WebUI that was translated to Hex in the backend. It saved a ton of hours for the users because it was a lot faster and intutive. But this person fought it tooth and nail and did their best to get the project cancelled.

I am really tired of all these folks complaining about the new way of doing things, just because that is not how they did things. If things didn’t change and evolve over the years and new things didn’t come in then we would still be using punch cards or abacus for computing. 22 years ago, we had a T3 connection at my university and that was considered state of the art and gave us a blazing speed of up to 44.736 Mbps that was shared with the entire dorm. Right now, I have a 400Mbps dedicated connection that is just for my personal home use. Things improve over the years and we need to keep up-skilling ourselves as well. There are so many examples I can give about things that are possible now which weren’t possible back then… This sort of gatekeeping doesn’t serve any productive purpose and is just a way for people to control access to the ‘elite’ group and make them feel better about themselves even though they are not as skilled as the newer folks.

The caveat is that not all new things are good, we need to evaluate and decide. There are a bunch of things that I don’t like about the new systems because I prefer the old ways of doing things. It doesn’t mean that anyone using the new tools is not a good developer. For example, I still prefer using SVN instead of GIT because that is what I am comfortable with, GIT has its advantages and SVN has its advantages. It doesn’t mean that I get to tell people who are using GIT that they are not ‘worthy’ of being called a good developer.

I dare this person to write a chat-bot without any external library/IDE or create a peer-to-peer protocol to share data amongst multiple nodes simultaneously or any of the new protocols/applications in use today that didn’t exist 20 years ago

Just because you can’t learn new things doesn’t mean that others are inferior. That is your problem, not ours.

– Suramya

August 26, 2022

Using MultiNerf for AI based Image noise reduction

Filed under: Computer Software,Emerging Tech,My Thoughts,Tech Related — Suramya @ 2:58 PM

Proponents of AI constantly come up with claims that frequently don’t hold up to extensive testing, however the new release from Google Research called MultiNerf which runs on RAW image data to generate what the photos would have looked like without the video noise generated by imaging sensors seems to be the exception. Looking at the video it almost looks like magic, and appears to work great. Best of all, the code is open source and already released on GIT Hub under the Apache License. The repository contains the code release for three CVPR 2022 papers: Mip-NeRF 360, Ref-NeRF, and RawNeRF.

TechCrunch has a great writeup on the process. DIYPhotography has created a video demo of the process (embedded below) that showcases the process:


Video Credits: DIYPhotography

I like the new tools to make the photographs come out better, but I still prefer to take unaltered photos whenever I can. The most alteration/post-processing that I do on the photos is cropping and resizing. That also is something I do infrequently. But this would be of great use to professional photographers in conditions that are less than optimal.

– Suramya

August 16, 2022

Debian: My Favorite Linux Distro turns 29!

Filed under: Linux/Unix Related,My Thoughts — Suramya @ 9:23 PM

Debian, one of the most popular Linux Distributions that has served as the base for over 100 derivative distributions (See here for the partial list) is celebrating it’s 29th Birthday! I have been using it since 2003, so it’s been 19 years since I started using it and I have to say the OS has been improving constantly over the years while keeping the core values/stability.

I have tried other distro’s in the middle: Ubuntu, Mint, Knoppix but keep coming back to Debian because of the stability and functionality. I do use Kali as the primary OS on my laptop as I use that for my security research/testing but all other systems run Debian. I even managed to get it to work on my Tablet. 🙂

One note of caution/advice is to always look at the packages being changed/removed when you are upgrading esp if you are on the Unstable branch as things can break in that branch. Usually if I see that packages are being removed that I want to keep I just have to wait for a few days and the issue gets resolved. It is not the best distribution if you are looking for ‘newbie friendly’ but is one that will let you learn Linux the fastest. (Linux from Scratch will get you to learn more about Linux internals than you ever wanted if you can manage to get it to work and have the time required to install/configure it. For me the effort spent for the gain wasn’t worth it, but your mileage may vary.

In any case, I think I will be sticking with Debian for the foreseeable future. Here’s to another 30 years!

– Suramya

August 15, 2022

Wishing everyone a Happy 75th Independence Day!

Filed under: My Thoughts — Suramya @ 8:37 PM

Today marks the 75th anniversary since India freed itself from the British rule. Things have not been perfect (and they can never be) but we have achieved so much in the past 75 years that it is awe inspiring. Looking at my memories over the past 40+ years below are some of the things that have improved/changed in that time:

  • It used to take ~2-3 years to get a new car (maruti 800) in the early 80’s, now you can get one within a couple of days if they have it in stock and they have hundreds of brands/models to choose from
  • Up until 1975, only seven Indian cities had television services with a single TV channel. Now every city in India has TV and as of 2021, over 900 permitted television channels
  • The first mobile phone call was made in 1995 and cost over 8 rs a min, now we have the cheapest calls in the world
  • We have gone from people having to move to US for good Tech jobs to a thriving Tech industry where we are ranked 19th in the world’s startup ecosystems globally
  • The inter-city and inter-state highways are getting better and better all the time. In my last road trip, I was consistently over 120-140 and in fact had to remind myself not to cross 160. (Yes there is a lot of scope for improvement)
  • ISRO has gone from a local joke to a powerhouse that is launching the majority of the world’s satellites into orbit. We also had the world record for max satellites launched in one launch (104) that was broken earlier this year (143). Efforts are underway to take back the title

The list can go on and on. There is a lot of effort put in by folks to make India a success and there is a lot more effort needed to ensure that we keep improving. The mindset of ‘but this is India, nothing can be done’ needs to be changed/eradicated from the thought process.

The top people in India are living a life of luxury that was not feasible/imaginable 75 years ago and we need to ensure that the bottom percentage of our population is uplifted as well. This requires effort not just from the government but from us as a people as well. We need to work with the government and each other to help and uplift people. I see a lot of efforts around us to achieve this, folks in Diamond District (where I stay) are sponsoring the education for multiple kids, other are working with NGO’s to teach them basic skills. Some of my friends volunteer in various organizations to help the poor, and not just by giving them money but helping them learn skills so that they can uplift themselves.

We need to improve the Tourism Industry in India and make people aware that India has more than Delhi, Agra and Jaipur to offer for tourists. We have temples, archeological sites, palaces and other locations etc going back thousands of years. In my travels across India I have seen some of the most beautiful sights that take your breath away but not many know about them so hardly anyone visits. We have to advertise these sites/locations more. We need to make it easier for tourists to come to India and safely see the sights. I love the new ASI mandated tour guides for the major historical places in India, they are cheap and highly knowledgeable plus they are registered and have identification. You should hire them when visiting any of the sites as they give a wholesome overview of the location and any notable highlights. There are so many things that you miss when just walking around on your own that it is worth it to hire these folks. They speak multiple languages including international languages.

We need to clamp down on the corruption and improve the infrastructure more. This includes reducing the bureaucracy and eliminating the Babu rule, where the government officials think it’s their right to demand money to do their job (which they are getting paid for).

Things are improving and have improved a lot but we have a long way to go. As Robert Frost put it ” The woods are lovely, dark and deep, But I have promises to keep, And miles to go before I sleep”. The following poem by हिमांशु (Himanshu) captures the sentiment quite beautifully as well:

जाना है अभी तो बहुत दूर,
सूरज चढ़ा क्षितिज पर,
चारों ओर रेत का ढेर,
तपन घोर, तपस घनघोर,
मृगतृष्णा पसरी चहुंओर,

चलते चलो, बढ़ते चलो,
कहानियां बुनते चलो,
खुद से खेलते चलो,
चलते चलो, चलते चलो।

लंबे बहुत हैं रास्ते,
आयेंगे बहुत से दो-रास्ते,
सही चुनना, नहीं गिनना,
आकाश को ही देखना,
अवकाश को हर भूलना,

गिर गए तो उठते चलो,
मौका पड़े तो उड़ते चलो,
चलते चलो, चलते चलो।

मत ढूंढना बरगद,
ना चाहना लंबा खजूर,

छांव दृश्य नहीं,
साथ सिर्फ छाया है,
सिकुड़ती, जलती, ढलती,
काया ही, अब सरमाया है,
जो देखा, जिया, आजमाया,
वही सच है, अशेष है,
बाकी सब माया है,

बस, बरबस,
अतृप्त, असंतृप्त,
अविदित, अविरल,
चलते चलो,
हर मील का
हर मील पर,
जश्न मनाते चलो,

शाम अभी दूर है,
चांद कुछ और दूर है,
चलते चलो, चलते चलो।।

~~~
~इति
~~~

हिमांशु “चहुंओर”

I was planning to post poems in other Indian languages as well but couldn’t decide on one as I can’t do justice to them (as I can’t read them). Planning on asking Jani for help to get some good collections to share here. Will update the post once I find a good one.

Map of India outlined by trees with an Indian flag in the center
जय हिन्द! জয় হিন্দ ജയ്_ഹിന്ദ് જય_હિંદ ಜೈ_ಹಿಂದ್ ਜੈ ਹਿੰਦ జై హింద్ ஜெய்_ஹிந்த்

Will post more later.

– Suramya

August 8, 2022

Using Behavioral Biometrics for User Authentication as added security measures – Advantages and Disadvantages

Filed under: Article Releases,Computer Security,My Thoughts — Suramya @ 11:59 PM

In this paper we explore how users can be uniquely identified using biometrics other than fingerprints, facial recognition, iris recognition etc on a continuous basis. We explore the use to techniques such as typing style, computer use style to see if we can create a model to uniquely identify a user based on the way they type and use the computer. As this method allows a system to constantly reauthenticate a user based on characteristics that are almost impossible to fake we look at the complexity of how this can be integrated as a security measure for secure systems. We also look at the pros and cons of implementing this authentication mechanism and explore potential problems this system generates for the user and administrators. Specifically, we look at how the system would deal with users who are sick, under medication or stress that could change their usage patterns and is it worth the expense and privacy issues to implement such a system.

Introduction and background

User authentication is the process of verifying the identify of a user or process trying to access a system, online service, connected device, infrastructure resources etc. Traditionally authentication is done by having the user provide one or more of the following:

  • Something they know
  • Something they have
  • Something they are

Let’s look at each of these one by one. The oldest way of authentication to computer systems is using usernames and passwords. The first password protection system was implemented in 1961 by Fernando J. Corbató at MIT (Workos, 2020). This allowed the system to identify users based on a secret password that only they knew. The first set of passwords were stored in plain text, but then password encryption was implemented so that users could not read the passwords for other users.

However, passwords can be leaked or guessed. In the past few years there have been major leaks of authentication data which have been decrypted and sophisticated password crackers have been created that can crack passwords based on dictionary attacks and brute force attacks. To safeguard against this attack vector another authentication mechanism was created that authenticates users based on something they have with them. This can include hardware keys, smartcards etc and these hardware devices would contain an embedded certificate that can be used to uniquely identify the holder.

The final method of authentication is something you are, which is provided by Biometric authentication. Some of the biometric methods that can be used are fingerprints, hand geometry, retinal or iris scans, face scans, and voice analysis. Fingerprints, Face Scans and iris scans are the most widely used biometric method in use today.

Multifactor Authentication
When a system uses a combination of one or more of the authentication methods described in the previous section the system is said to be using Multi-factor Authentication (MFA). The key point to remember is that a system is only considered to be using MFA if the authentication factors are in at least two of the categories. So if the authentication mechanism uses a password and a second pin to authenticate, it won’t count as MFA because both are things that you know.

Weaknesses in the current User Authentication methods

The current user authentication methods have several weaknesses that make it easy for attackers to compromise and bypass the checks. Complex passwords are harder to crack or guess than simple passwords, but they are harder for users to remember. So, users tend to use the same passwords across multiple sites or use passwords that are simple to remember. Unfortunately, passwords that are simple to remember are also easy to guess.
Another risk is that an attacker can compromise a site or server using vulnerabilities in the OS, services or applications running on it. Once they have access, they can gain access to the stored passwords for all users and depending on the encryption scheme used the passwords for user accounts can be guessed quickly. This is an attack vector that has been seen frequently over the past few years with password lists for major sites such as LinkedIn (Morris, 2021) and Yahoo (Goel & Perlroth, 2016) etc being compromised and leaked.

Hardware tokens or smart cards can be cloned, copied or stolen. If the card is not deactivated when it is lost or stolen an attacker can use it to gain access to restricted resources. Tools to create copies of smartcards are available easily in the market (Benchoff, 2016) using which an attacker can clone the cards quickly.

Biometrics was touted as an authentication mechanism that is almost impossible to bypass but unfortunately the hype didn’t match reality. Fingerprint authentication systems have been compromised using copies of fingerprints lifted from glasses, door knobs etc transferred to jello, Glycerin and gelatin. (Barral & Tria, 2009)

Facial recognition systems have been fooled by photographs and cosmetics. Researchers have also used the StyleGAN Generative Adversarial Network (GAN) to create master faces that can be used to impersonate 40% of the population. (Shmelkin et al., 2021)

Voice authentication systems have been bypassed using voice recordings and AI based ‘deep fake’ technologies. Amazon recently showcased technology that allows Alexa to impersonate the voices of people based on a few minutes long voice recording of the person being impersonated.

Similar bypasses have been found for all authentication mechanisms in use currently and thus researchers have been exploring new authentication mechanisms which would be harder to bypass and fool. One such field being explored in behavioral biometrics and we will explore the field, it’s implications, the pros and cons of the tech in this paper.

Introduction to Behavioral Biometrics

Behavioral biometrics is the study and use of uniquely identifying and measurable patterns in human activities that can include keystroke dynamics, gait analysis, mouse use characteristics, signature analysis etc. The field postulates that a user can be identified based on these characteristics just as uniquely as they can be using physical biometrics.

Another advantage of using Behavioral Biometrics over physical biometrics is that it doesn’t require specialized equipment to collect the data. Data can be collected using existing hardware and only requires software analysis and processing which makes it cheaper to implement to a certain extent and we will look at this in more detail later in the paper.

Behavioral Biometrics can include the following:

Keystroke Dynamics:

According to the studies, if a group of users is asked to type the paragraph of text, each of them will type the text slightly differently with different delays between each character being typed, and different rhythms for the text. This allows a system to identify the user based on how they type including criteria such as:

  • The user’s typing speed
  • Time elapsed between each consecutive keystroke
  • The time that each key is held down
  • The frequency with which the number pad keys are used
  • The timing and sequence of the keys used to type a capital letter
  • The Error Rate in typing, such as using the Backspace keys and words repeatedly mistyped by the user.

As each person would type the password slightly differently the system can use it to identify the authorized user and block attackers who might have gained the password for a given user.

Cursor Movement:

This uses the tracking speed, clicks and path taken by the mouse cursor movement during use to create a profile for the active user. This would be useful if the user uses the same set of applications frequently, if they are using a varied set of applications that keep changing then this would not be accurate.

Finger pressure on keypad:

This analyses the pressure on the keyboard to create a user profile. This is a lot more relevant for mobile devices and other devices with a touchscreen interface as the allow us to capture pressure details easily without extra hardware.

Posture:
Every person has a different way of standing and a sufficiently trained system can look for differences in how the person sits in front of the computer and their posture while using the system.

Gait:

Gait analysis attempts to identify a person based on their walking style, which includes movements such as stride length, posture, and speed of travel etc.

Each of the methods we listed above can potentially be used to continuously re-validate a logged in user.

Historical use of Behavioral Biometrics for authentication

Historically, behavioral biometrics have been in use since the 1860s when experienced telegraph operators were able to identify individual operators by the way they would send the signals. In World war II allied officers used it to validate the authenticity of messages they received based on how they were sent. (Das, 2020) Similarly, other organizations used this ability as well as an extra validation layer when communicating instructions over telegraph.

The Military has also used gait recognition to identify imposters in their base who are trying to impersonate authorized personnel to gain access to sensitive information.

Current state & the Future for Behavioral Biometrics

The behavioral biometrics market revenue totaled ~US$ 1.1 Bn in 2020, according to Future Market Insights (FMI). The overall market is expected to reach ~US$ 11.2 Bn by 2031, growing at a CAGR of 23.6% for 2021 – 31. (Future Market Insights, 2021)

As we can see, an increasing number of institutes, financial companies, website owners are using behavioral biometrics in their systems to detect fraudulent usage. The Royal Bank of Scotland uses it to monitor visitors to their websites and apps, others use it in their applications to monitor and authenticate users as an extra verification layer. (PYMNTS.com, 2018)

With the increase in processing capacity, sensor sensitivity and processing algorithms systems can make more accurate identifications of individual users. This allows systems to detect bots, password sharing/compromise.

Ecommerce sites have increasingly started incorporating this technology into their setup to prevent fraud. It can also potentially allow systems to make an educated judgment about the visitor’s gender and age to show appropriate products.

Considering the advantages and minimal hardware investment we will only see an increase in the use of Behavioral Biometrics for authentication in the future.

Advantages of using Behavioral Biometrics for authentication

Behavioral Biometrics have the following advantages that make them attractive for companies and institutes to implement:

  • Flexibility: The data being analyzed is not limited to currently identified sets that we have discussed so far. Since most of the processing being done is on the software side the organization can easily add additional behavioral data to be analyzed and processed.
  • Convenience: This a major plus point for the technology is that it is a passive layer of security. This allows it to work without interfering with the user workflows. This removes a major obstacle in incorporating security into the system as the traditional security setups decrease the usability of the system.
  • Efficiency: They can be applied in real-time to detect fraudulent use and the system can be run against historic data as well to detect improper use after fact.
  • Security: Behavioral characteristics are hard to replicate and thus incorporating this additional layer of security improves the security of the system.

Disadvantages of using Behavioral Biometrics for authentication

As with all systems there are some disadvantages of using a Behavioral Biometric system for authentication as well. If we are using the Keystroke analysis then the text being entered has to be long enough for the system to generate a profile and match it so if we are only using it as an additional validation step during password entry and the user’s password is too short, then the system might not be able to create and match a profile.

Another problem is that a user’s behavior can change drastically due to various valid reasons and that can cause access issues when the algorithm is unable to account for the changes. Some of the reasons can include:

  • Illness or Injury: If a person is injured or unwell then their usage patternswill change
  • Stress
  • Pregnancy
  • Sleep deficiency
  • Caffeine deficiency or overindulgence
  • Tiredness: If a user logs back in after a session in the gym their usage patterns are going to differ from the pattern before their gym session
  • Time of day: Some people are more active during certain times of day so their usage patterns will vary based on the time of the day.
  • Distractions: If the user is distracted while working , or example, if they are on a call and working at the same time. Their behavior patterns will be different.
  • Location: If the person logs in from a different location and are working with a different setup their metrics are going to be different. For example the profile when using an egronomic keyboard in office vs using a laptop keyboard while working remotely will be drasticly different and the system will have a hard time creating a consolidated profile for such users.

Another major issue with this technology is the Privacy implications. If we are implementing a system that monitors every keystroke and mouse movement and logs it for analysis then that has a serious privacy implication as sensitive data that shouldn’t be logged such as medical information, personal account passwords, other sensitive information etc can get logged as well. Once the data is logged there is a possibility of data leaks or a breach of the security system which would expose the collected information to an attacker.

Depending on the user’s location collection of this kind of data can be illegal due to rules such as the GDPR (Krausová, 2018), the California Consumer Privacy Act (CCPA) and other such rules. They will also limit the information that can be transmitted across state & country boundaries which can be a concern for multinational companies.

Finally incorporating the processing required for behavior analysis on the local system can be resource intensive which might make the setup infeasible for older machines. If the processing of the data is consolidated at a central location then the usage data would need to be transmitted to the location over the network that can potentially max out the bandwidth and depending on network congestion cause unacceptable delays in the processing and access.

Results and Recommendations

Based on our review of the current state of Behavioral Biometrics in the industry and the technological state of the system/algorithms we find that the technology does help increase the security of the system by adding an additional layer of security to the system. However, it is not yet mature enough to deploy for general commercial implementation and should only be used for securing highly sensitive systems and infrastructure where the security considerations outweigh the limitations identified earlier in the paper.
Once the technology is more mature and the issues identified earlier have been mitigated it can slowly be incorporated in the general computing world as an optional additional layer of security. At no point should this be used as the only layer of security for any system.

Conclusion

Behavioral Biometrics as a security measure is a technology still in its early stages of use and implementation and while it does add an additional layer of security the current limitations do not justify a general release and implementation in general use computing. The system should only be implemented in systems such as classified military systems, critical corporate servers containing highly sensitive information etc where the benefits or security concerns outweigh the disadvantages of using a technology that still needs to mature more.

References

Alzubaidi, A., & Kalita, J. (2016). Authentication of smartphone users using behavioral biometrics. IEEE Communications Surveys & Tutorials, 18(3), 1998–2026. https://doi.org/10.1109/comst.2016.2537748

Araujo, L. C. F., Sucupira, L. H. R., Lizarraga, M. G., Ling, L. L., & Yabu-Uti, J. B. T. (2005). User authentication through typing biometrics features. IEEE Transactions on Signal Processing, 53(2), 851–855. https://doi.org/10.1109/tsp.2004.839903

Banerjee, S. P., & Woodard, D. (2012). Biometric authentication and identification using Keystroke Dynamics: A survey. Journal of Pattern Recognition Research, 7(1), 116–139. https://doi.org/10.13176/11.427

Barral, C., & Tria, A. (2009). Fake fingers in fingerprint recognition: Glycerin supersedes gelatin. Formal to Practical Security, 57–69. https://doi.org/10.1007/978-3-642-02002-5_4

Benchoff, B. (2016, January 18). Emulating and cloning smart cards. Hackaday. Retrieved June 27, 2022, from https://hackaday.com/2016/01/18/emulating-and-cloning-smart-cards/

Bo, C., Zhang, L., Li, X.-Y., Huang, Q., & Wang, Y. (2013). Silentsense. Proceedings of the 19th Annual International Conference on Mobile Computing & Networking – MobiCom ’13. https://doi.org/10.1145/2500423.2504572

Das, R. (2020, October 14). A behavioral biometric – keystroke recognition. A Behavioral Biometric – Keystroke Recognition. https://resources.infosecinstitute.com/topic/a-behavioral-biometric-keystroke-recognition/
Future Market Insights. (2021, October). Behavioral biometrics market. Future Market Insights. https://www.futuremarketinsights.com/reports/behavioral-biometrics-market

Goel, V., & Perlroth, N. (2016, December 14). Yahoo says 1 billion user accounts were hacked. The New York Times. https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html

Krausová, A. (2018). Online behavior recognition: Can we consider it biometric data under GDPR? Masaryk University Journal of Law and Technology, 12(2), 161–178. https://doi.org/10.5817/mujlt2018-2-3

Morris, C. (2021, June 30). LinkedIn data theft exposes personal information of 700 million people. Fortune. https://fortune.com/2021/06/30/linkedin-data-theft-700-million-users-personal-information-cybersecurity/

PYMNTS.com. (2018, August 15). What’s behind the rise of behavioral biometrics? PYMNTS.com. Retrieved June 27, 2022, from https://www.pymnts.com/fraud-prevention/2018/behavioral-biometrics-uk-banks-authentication-security-privacy/

Shmelkin, R., Friedlander, T., & Wolf, L. (2021). Generating master faces for dictionary attacks with a network-assisted Latent Space evolution. 2021 16th IEEE International Conference on Automatic Face and Gesture Recognition (FG 2021). https://doi.org/10.1109/fg52635.2021.9666968

Workos. (2020, September 5). A developer’s history of authentication – WorkOS. A Developer’s History of Authentication. https://workos.com/blog/a-developers-history-of-authentication


Note: This was originally written as a paper for one of my classes at EC-Council University in Q2 2022.

– Suramya

August 7, 2022

Winamp is back in action (!) after 9 years of no releases

Filed under: Computer Software,My Thoughts — Suramya @ 11:59 PM

Anyone who was using computers in the late 90’s and 2000’s knows that the best MP3 player of all time was Winamp, it really whips the llama’s ass. First released back in 1997, it spread like wildfire. I used it as my primary music player till I switched to Linux and even then I used a player that was skinned to look and work like Winamp.

Development for the player was paused back in 2013 and then resumed in 2018. It took 4 years of hard work and the Winamp 5.9 Release Candidate 1 is now available for download. Most of the changes in this version as in the backend as the code was migrated from Visual Studio 2008 to Visual Studio 2019. This modernizes the whole setup and the next release will focus on new features.

The only downside of this is that it is not available for Linux so I still have to use some other software rather than the original. I wonder if it would work over Wine/Crossover? If so then that would be awesome. Let me go try that out and see if that works (I will update this post if it actually works).

Well this is all for now. Will post more later.

Update (8/8/2022): It Works on Linux! I downloaded and installed the latest RC on Linux using Crossover and it works flawlessly. (Although the preset names are in Chinese for some reason)

– Suramya

August 4, 2022

Microsoft needs to fix their Windows registration/Activation system as it doesn’t work

Filed under: My Thoughts,Tech Related — Suramya @ 11:59 PM

A lot of people claim that Windows is easier to use than Linux and I think that is because they never had to install windows on their system as it is almost always preinstalled. Based on my experience it feels like Microsoft is almost trying to make sure that people pirate their software because their systems suck, especially their license activation process. Over the past few months I have spent almost 48+ hours trying to get my installation of Windows to accept my Windows Pro license key that is part of my MS account and yesterday I spent 6.3 hours on call with their support with absolutely nothing to show for it.

Some background, I purchased a license for Windows 10 Pro back in 2020 so that I have a fully functional windows system that I can use for my Testing and research. This was the second license key that I purchased for Windows 10 because the previous one I had that I got from Amazon was locked to my old computer and as per the support there was no way to migrate to a new system as it was not purchased from MS directly (Which is very strange and doesn’t make sense at all). So, they told me that I needed to get the license from their online store so that it would be associated with my MS account and that way it could be moved to a new computer without issues. (Yeah right!)

I got the license, used it on my old system for a bit and then switched to a new laptop. I unregistered the key from the old laptop and tried registering it on the new laptop. It absolutely refused to work. Even though it was connected to my MS Account and the license was being validated using the digital license it was still working as a Windows Home Single user.

Spoke to the support and while they were super nice they couldn’t solve the issue. We tried reinstalling, upgrading, other license keys but nothing worked. Got escalated to senior folks but same issue. I had just about given up and was actually considering just downloading a pirated copy as that would be easier to install when I thought I should give it one last try. So I reinstalled Windows again and then didn’t connect it to my online account, instead I tried changing the product key using the key given to me by the support team to upgrade and that finally worked. My copy of Windows finally was upgraded to Windows Pro. After that the system upgraded to the latest version that took forever and a ton of reboots.

The same issue is there in their other software, MS Teams refuses to open when you click on a meeting link in Firefox on your mobile, but when I copy the same like to Chrome it works. Why do I have to use Chrome when all it is doing is launching a native application when I click on the link. Other applications like Zoom, GotoMeeting etc manage to do this without issues, but MS with their super smart team of people have hard coded it to work only with Chrome/Edge. LinkedIn is another major mess and I will post about it in a different post as that is a long story as well.

You need to make it easy for users to install/register licensed software else if using pirated software is easier/faster then people will just use that. I mostly use open source products along with a few Linux licensed software but they are so much easier to use/register.

In any case I now have a licensed version of Windows Pro running after wasting days of my life trying to get it to work. Ask any end use to do registration and then they will feel differently about how easy Windows is to use.

Well this is all for now. Will post more later.

– Suramya

« Newer PostsOlder Posts »

Powered by WordPress