False workplace with my hand

Buried under a huge pile of PDF files to read (for a civil expertise), we did not write any article, but that did not stop the news from reaching us…

Virtual Workplaces. A first wave of false terrorism alerts had already overrun the schools' virtual workplaces and, as we prophesied at the time, a new wave rose up 6 months later. Except that this time, the smart-asses added some trash videos…

  1. https://www.lefigaro.fr/conjoncture/ent-suspendues-combien-de-temps-faudra-t-il-pour-ameliorer-la-securite-des-plateformes-scolaires-20240329
  2. https://www.marianne.net/societe/terrorisme/messageries-suspendues-pourquoi-les-plateformes-ent-sont-si-vulnerables-aux-attaques-de-pirates
  3. https://www.liberation.fr/societe/education/menaces-terroristes-dans-les-etablissements-scolaires-comment-expliquer-le-piratage-des-ent-20240328_FRPS2XQZY5G3NIWF6P37T6BWA4/
  4. https://www.nouvelobs.com/societe/20240328.OBS86377/menaces-d-attentat-dans-les-lycees-ce-n-est-pas-tant-les-ent-que-ses-utilisateurs-qui-sont-vulnerables.html

There is almost nothing to say about the "hacking side" (phishing… if only they had made some polymorphic shellcode to exploit some zero day). We are proud of the ministry's decision to disable the messaging part of those workplaces. Another proof that our [marvellous] website's influence reaches as far as those higher circles; our last article [5] stated that:

  5. https://www.arsouyes.org/articles/2024/2024-03-11_useless_IT/

[…] When we tell them that school teachers need to communicate with parents, they will lose points if they propose a virtual workplace and will pass the test by proposing a simple mailing list (bonus for those who remember that a contact book already exists and, unlike computers, teaches children to be more responsible).

We hope the ministry goes to the next step and disables the whole virtual workplace (including Pronote); that would only bring good vibes to all children and officials.

False rating. This technique is as old as commerce: if you want to sell any product, ask a friend to speak for you. Morris made an album about that in 1955, "Doc Doxey's elixir". But this time, with social networks and marketplaces, it has reached industrial production.

  6. https://www.ouest-france.fr/faits-divers/arnaques/e-commerce-quand-les-avis-positifs-laisses-en-echange-de-cadeaux-faussent-la-donne-7ddd0e8c-e5e3-11ee-866f-a23d1e28d709
  7. https://www.tf1.fr/tf1/jt-20h/videos/abus-ils-ont-vendu-leur-avis-sur-internet-92331570.html

Auth with hands. Among all authentication factors, biometrics seems to have better rates but higher costs (any sci-fi film will use, at minimum, a retinal laser scan). Ingenico (a credit card payment device manufacturer) said to itself: instead of a credit card, let's use the owner's hand. Or more precisely, the map of the veins in that hand.

  8. https://www.tf1.fr/tf1/jt-13h/videos/je-paye-avec-ma-main-37989940.html

Technically, authentication by the shape of one's hand was cracked a while ago (but the technique is still relevant where cracking it isn't worth the effort, such as a school canteen). The shape of the veins was already cracked by the CCC in 2019. As we understood it, they now check that the hand is alive (read: belongs to a living human being).

This system, like any other biometric recognition system, has false negative rates (you are not recognized) and false positive rates (someone else is authenticated as you). Techniques involving your face are subject to the NIST evaluation protocol [9], and when one fixes the false positives at 1 out of 1,000,000, we get false negative rates around 1 out of 1000. Nothing has been published for hands, but we should compare with the rates of PIN codes (1/10000) or contactless payment (1/1). So, even if the hand is not as good as you would expect, if it's better than a PIN code, at least that's something.

  9. https://pages.nist.gov/frvt/html/frvt11.html
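
To make the false positive / false negative trade-off above concrete, here is an added example (not from the original post, and not NIST's or any vendor's code): it fixes the false positive rate on a set of impostor scores, then measures the false negative rate that threshold costs. The similarity scores are constructed from two Gaussians chosen only for illustration, and all function names are hypothetical.

```python
import random

def threshold_for_fmr(impostor_scores, target_fmr):
    """Score threshold such that at most target_fmr of impostor comparisons
    score strictly above it (a comparison is accepted when score > threshold)."""
    ranked = sorted(impostor_scores, reverse=True)
    allowed = int(target_fmr * len(ranked))   # impostor accepts we tolerate
    if allowed >= len(ranked):
        return float("-inf")                  # target_fmr >= 1: accept everything
    return ranked[allowed]

def error_rates(genuine_scores, impostor_scores, threshold):
    """Return (false positive rate, false negative rate) at this threshold."""
    fmr = sum(s > threshold for s in impostor_scores) / len(impostor_scores)
    fnmr = sum(s <= threshold for s in genuine_scores) / len(genuine_scores)
    return fmr, fnmr

def sweep(genuine_scores, impostor_scores, targets):
    """For each target false positive rate, fix the threshold and report
    the false negative rate it costs."""
    rows = []
    for target in targets:
        t = threshold_for_fmr(impostor_scores, target)
        fmr, fnmr = error_rates(genuine_scores, impostor_scores, t)
        rows.append((target, t, fmr, fnmr))
    return rows

def synthetic_scores(n_genuine, n_impostor, seed=1):
    """Constructed similarity scores: two Gaussians, an assumption made for
    illustration only, not measurements of any real hand or face system."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.75, 0.10) for _ in range(n_genuine)]
    impostor = [rng.gauss(0.30, 0.08) for _ in range(n_impostor)]
    return genuine, impostor

if __name__ == "__main__":
    genuine, impostor = synthetic_scores(20_000, 200_000)
    # 1e-4 is the PIN rate (1/10000) quoted in the text; the others bracket it.
    for target, t, fmr, fnmr in sweep(genuine, impostor, [1e-3, 1e-4, 1e-5]):
        print(f"target FP {target:.0e}  threshold {t:.3f}  "
              f"measured FP {fmr:.1e}  FN {fnmr:.1e}")
```

Tightening the false positive target can only raise the threshold, so the false negative rate never goes down: that is the price paid for each extra zero.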

But the true problem with those methods, the one we never speak about, is when a database has leaked and the authentication data is cracked and reused. Because it's quite easy to change one's password or even some cryptographic keys. But how do you change your body if a hospital database leaks? (Someone is telling me that the veins are rearranged when a bruise heals, so a good blow with a big hammer may solve the problem.)

Keeping our hands in our pockets may end up being a sign of resistance to oppression…