Wednesday, February 25, 2009

eBay and Reputation

Stories like this demonstrate how broken the eBay/Paypal system is. I've been trying to think of a practical solution to fully fix the business model to no avail. Escrow services seem to be the only way to be reasonably protected but that scales poorly, is costly, and is difficult for high-tech or esoteric transactions.

eBay is one of the first and most successful examples of a reputation-based identity system, yet is still remarkably flawed. Is it because people are naive to the concept of reputation, greed/ignorance leading them to carry out deals with people with no/poor feedback, or reputations simply not being relevant to peer-to-peer commerce? Such systems will never fully defend against someone willing to throw away their identity to score a quick buck, but the anecdotal evidence is everywhere and eBay's reputation as a scammer's haven is becoming solidified.

The above story doesn't detail buyer's feedback, but it is definitely relevant.

Wednesday, February 18, 2009

Facial Recognition and Biometrics

Slashdot points to an article describing the "cracking" of facial recognition software used as an alternative login for some laptops. It may be a liberal use of the term "cracking," but it's yet another reason why biometrics should be used sparingly (if at all) and as a single factor in a multi-factor authentication system. It's just too easy to capture and reproduce human qualities that most biometric readers will believe. Try revoking those credentials.

Someone in the identity movement should contact Hollywood and tell them to knock off the sci-fi authentication schemes. I'm convinced that is where much of this biometric craze originates. Isn't it painful to watch a show where biometrics provide the "strong" security (which actually offer trivial protection), and the next scene has a ciphertext or firewall being cracked in seconds? I'm talking to you, 24.

Sunday, February 15, 2009

Face Detection and iPhone Video Streaming

I recently purchased a Linksys WVC54GCA WiFi camera. It's a wonderful little camera, but my primary reason for purchasing it was to be able to stream video to my iPhone; it uses Motion JPEG which is the only video option available in Mobile Safari. It actually works very well, though my intention is to eventually attach it to my iRobot Create to give it "vision." More on that later.

Anyway, despite the camera's strengths, there are a few limitations. First, the camera can only support 4 simultaneous clients and the performance degrades linearly with each additional client (from my anecdotal experience). Second, the only access control the camera offers is HTTP Basic Authentication backed with a 4-user list configurable from its web interface that doesn't integrate well with any other application or security system. I figured that the best and most direct way of fixing the problems was to proxy the feed through my MacPro to manage the connection and user access there instead of on the camera.

As I was imagineering this system, I also got the bright idea to go ahead and do facial detection (not recognition -yet-) on the stream. After doing some research on the technology, I decided to use the OpenCV libraries developed by Intel and subsequently open sourced. My initial prototypes were extremely slow (1-2 FPS) since the Java libraries depended on JNI calls to a non-thread-safe C library. I did more research and found the Faint (Face Annotation Interface) library which did Haar in pure, multithread-able Java. (I had to take the beta code from the SVN since it wasn't released yet.) That finally got me a much more acceptable 10+ FPS.

Now I have the camera stream being cached within a custom-built Tomcat webapp that does the detection and also provides security for the stream. It can support much more than the 4 users available from the camera and without a FPS hit. It's pretty cool. Right now it just draws a red rectangle around the detected face, but obviously more triggers and actions are possible and desirable. It should definitely be noted that the stream (with facial detection) is viewable from the iPhone! Now- to just get the damned thing attached to my iRobot and my little mobile sentry will be complete. :)
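
The proxy arrangement described above, as an added example in Python (not the Tomcat/Java webapp from this post): one reader parses the camera's Motion JPEG multipart body, a cache hands the newest frame to any number of viewers, and Basic credentials are checked against the proxy's own user table instead of the camera's 4-user list. All names here (`read_frames`, `FrameCache`, `enroll`, `authorized`, `MAX_FRAME`), the frame-size cap and the PBKDF2 iteration count are assumptions made for illustration.

```python
import base64, hashlib, hmac, threading

MAX_FRAME = 2 * 1024 * 1024  # assumed cap so a bad Content-Length cannot exhaust memory

def read_frames(stream, boundary):
    """Yield JPEG payloads from a multipart/x-mixed-replace (Motion JPEG) body."""
    marker = b"--" + boundary
    for line in iter(stream.readline, b""):      # loop ends when the camera closes
        if line.strip() != marker:
            continue                             # blank line between parts
        length = None
        while (header := stream.readline().strip()):
            name, _, value = header.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        if length is None or not 0 < length <= MAX_FRAME:
            raise ValueError("missing or oversized Content-Length")
        frame = stream.read(length)
        if len(frame) == length:                 # drop a truncated final part
            yield frame

class FrameCache:
    """Keeps only the newest frame: one camera connection, any number of viewers."""
    def __init__(self):
        self._cond = threading.Condition()
        self._frame, self._seq = None, 0

    def publish(self, frame):
        with self._cond:
            self._frame, self._seq = frame, self._seq + 1
            self._cond.notify_all()

    def wait_newer(self, seen, timeout=5.0):
        with self._cond:                         # returns (seq, frame), stale on timeout
            self._cond.wait_for(lambda: self._seq > seen, timeout)
            return self._seq, self._frame

def enroll(password, salt):                      # user table entry: (salt, derived key)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def authorized(header, users):
    """Validate an HTTP Basic header against the proxy's own salted user table."""
    try:
        scheme, _, blob = header.partition(" ")
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:                           # bad base64 or non-UTF-8 credentials
        return False
    salt, stored = users.get(user, (b"-", b""))  # unknown users still cost one PBKDF2
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return scheme.lower() == "basic" and hmac.compare_digest(derived, stored)
```

A viewer thread loops on `wait_newer(last_seq)` and writes each frame out as its own multipart part, so slow viewers skip frames rather than adding load on the camera.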

Friday, February 6, 2009

dscacheutil -flushcache

I've been needing to flush the DNS cache on my Mac a lot lately (possibly due to VPN hackery). Anyway, the nice little utility for OSX to flush the DNS cache (dscacheutil) is okay, but I'm pretty sure that it also flushes out any Safari cookies/sessions too. Isn't there a less destructive command for clearing the DNS cache?

Monday, February 2, 2009

The weakest link

Sad but true. Probably could have had countless other punchlines, like "let's have a hot-sounding girl call him up and ask him" or any other socially-engineered password harvesting technique.

Sunday, February 1, 2009

Zoombak Dissection

I've had a lot of fun with the Zoombak GPS device. Ever wonder what's inside one of those little guys? I did, but couldn't find any images on the internet to satisfy my curiosity. So I dissected mine.

It uses a 3.7V 890mAh battery, a Siemens 133851-V02 cellular chipset, and a Cirocomm 574B GPS module. As suspected, you can clearly see the holder for the T-Mobile SIM card (which I've already removed).