[Soc-coordination] Face Authentication : GSOC-2009 applicant

Erich Schubert erich at debian.org
Sun Mar 22 13:40:14 UTC 2009


Hello,
For a project to be accepted at Debian, it should bear one of the
following characteristics:

- Software that is directly applicable to Debian (e.g. package
management related software, Debtags, Aptitude, ...)
- Integration projects for existing software (e.g. automatic generation
of Debian packages for R extensions)

This is not a "written down" kind of rule, but I think the last years
(since I've been involved) all successful applications were of this
kind. Other projects often were rated as "interesting, but should be
mentored somewhere else" ...

The reasoning is that Debian usually has many more applications than
slots, and we tend to choose Applications that:
- are a "best match" to be mentored by Debian and not by other
organizations (including Google themselves and other distributions as
well as umbrella projects such as Gnome and Apache)
- have a good *mentor* at Debian

So with your application I see the following hurdles at Debian:

- I see no specific link to Debian, it applies to any Linux distribution
- The key part seems to be the development of face recognition, and I'm
not sure we have an appropriate *mentor* for that

I could imagine a project that involves *integrating existing face
recognition*, however such an integration would still not be
Debian-specific, and thus probably be better mentored by some other
organization. For example, it might involve a configuration application
for Gnome, integration with Gnome screensaver for unlocking and such.
Then Gnome would be an appropriate mentoring organization.
The distribution-specific (i.e. Debian-specific) integration points
however are minimal and do not constitute sufficient work for a SoC
project.

============================================================================

On a side note my personal opinion:
I wouldn't ever trust face recognition for authentication purposes,
because from all I've heard pretty much all of them can be fooled with a
simple *photograph* of the user.
Face recognition is appropriate for *plausible identification* but not
for *authorization* IMHO. Note that pretty much any use of face
recognition so far relies on humans to post-process the identification
information.

See also:
----
http://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Nguyen
Duc Nguyen
Your Face Is NOT Your Password 
Biometrics has nowadays been of universal interest and has been
developed and used for many purposes such as for the detection of
criminals and undesirables, identification and access control. Within
this paper, we would like to concern about Facial Cognitive Biometric
Systems and their application in User Authentication Based on Face
Recognition.

Lenovo, Asus, and Toshiba are known as the first three big computer
manufacturers to put that technology into practical use and to bring
about greater convenience for their customers. The one question to ask
is whether such technology is really safe and secure for its users to
enjoy. 

My research, which is concluded in this paper, will prove that the
mechanisms used by those three vendors haven’t met the security
requirements needed by an authentication system and that they cannot
wholly protect their users from being tampered.
----
http://www.heise.de/english/newsticker/news/133240
[...]
The researchers claim they were able to trick their way past the
recognition systems with great ease by using the photographs of
registered users, or even doctored images. Apparently all they had to do
was generate a large number of images to make what they dub a "Fake Face
Bruteforce" attack. Nguyen will be presenting the tool he and his
colleagues developed for the hack.

They are calling on laptop makers to remove biometric authentication
from their machines and to warn all users against using the facial
recognition function.
----

Given this background, I seriously doubt that Debian security experts
will actually allow a face recognition authentication system to be
added to Debian, unless it has proven to be at the same time
- still useful (i.e. accepts the valid user under various lighting
conditions and e.g. with different haircuts, glasses, ...)
- not that easy to attack using photos and "facelets".

best regards,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
                Friends are those who reach out for                 //\
                  your hand but touch your heart.                   V_/_
          Love is a serious mental illness (Plato)
