Specially prepared photos shown bypassing Windows Hello facial recognition


SySS demonstrates using the printout of the IR photo to trick Windows Hello on a Surface Pro 4.

Security researchers at a German security firm, SySS, have shown that the Windows Hello facial recognition can be tricked by using specially prepared printouts of photographs. Microsoft added an “enhanced anti-spoofing” mode in the Windows 10 Creators Update earlier this year that properly defeats the attack, but it’s neither enabled by default nor compatible with all Windows Hello hardware.

The obvious question with any kind of facial recognition-based biometric authentication system is, how easily can it be tricked with a photograph? Since it’s easy to take a picture of someone’s face, often without them even knowing, a facial recognition system that can be fooled by a photo isn’t much use. The Windows Hello system has two main parts: there’s the physical hardware, which for Hello is a webcam with infrared illumination and detection, and the software algorithms, which are part of Microsoft’s Biometric Framework. With this design, Microsoft can refine and improve the algorithms, and the improvements should work for any compatible hardware.

Windows Hello’s infrared requirement should protect it from being spoofed by regular photos. So what the researchers from SySS did was use a photo taken with an infrared camera. This photo was then adjusted to change its contrast and brightness and printed at a low resolution on a laser printer. The resulting picture was successful at authenticating a user with Hello on two separate devices: a Surface Pro 4, using its integrated camera, and a laptop, using a discrete LilBit USB camera.

While the picture produced this way would not fool an RGB camera, it looks sufficiently close to what the infrared camera expects to see to allow the attacker to log on.

The Windows 10 Creators Update, version 1703, included a little-documented feature called “enhanced anti-spoofing.” It is enabled by changing a registry key or Group Policy setting, but its exact purpose or effect isn’t entirely clear. It appears that it integrates infrared and RGB data, making the infrared-only photo distinguishable from a real human. With this setting enabled, the picture was no longer effective.

However, this setting isn’t a panacea. As well as the awkwardness of enabling it—there’s no user interface for it, so modifying the registry is the only way to go—it’s not available for all Hello hardware, and there’s no obvious way of knowing if it will work or not. The cameras integrated into Microsoft’s Surface devices support enhanced anti-spoofing, but the LilBit that was tested doesn’t. We also haven’t seen compatibility with this feature disclosed on spec sheets, either for laptops or for standalone cameras. Additionally, even if compatible with your hardware, the setting isn’t enabled by default, at least for systems that were upgraded to Windows 10 1703.

Taken together, all this means that a security option that every Windows Hello user should want to enable probably isn’t turned on and may not even work.

Listing image by SySS

Google fights fragmentation: New Android features to be forced on apps in 2018

The Google Play Developer Console will stop accepting old apps in 2018.

While Apple’s app store is heavily regulated, the Google Play Store has mostly lived its life under Google’s laissez-faire attitude. As long as you didn’t get caught by Google’s malware scanning, your app was free to do just about anything.

But lately, Google’s hands-off approach seems to be changing. The company tried to restrict Android’s powerful accessibility APIs only to accessibility apps, but after a power user revolt, Google is currently rethinking that plan.

The Play Store’s biggest change is coming in 2018, though. Recently Google announced it will start setting a minimum API level that new and updated apps will be required to use. This is a technical change but a massive one. Basically, Google will stop accepting old app code from developers. The move won’t harm support for devices running old versions of Android, but it will require developers to adopt new Android features and restrictions as they come out.

Every new version of Android comes with a new API level, which changes how the app framework functions, adding new features, new restrictions, and new security measures. Currently, developers can opt out of these changes by just using an old API level, but soon they will be forced to target recent API levels. This will accelerate Google’s Android changes throughout the app ecosystem, rather than having to wait years and years for it to happen naturally through Android’s incredibly ineffective OS update program.

All Android apps must set two API levels internally: first is the “minimum” API level, which determines the oldest Android version the app will run on, and then there’s the “target” API level, which is the highest version of Android that the app is aware of. Every new version of Android bumps the API level up one version, and currently Android 8.1 is on API level 27. When Google changes the way the Android app framework works, it doesn’t want to break old apps, so it locks this functionality behind a new target API level.

For instance, in API level 26 (Android 8.0), Google changed the way background tasks worked by turning off many power-hogging background processing features for apps and requiring them to use a more restrictive API. In API level 23 (Android 6.0), Google added à la carte permissions, allowing users to block apps from accessing certain device functions. These changes are good for users but more restrictive for app developers, and they require work to implement. If a developer wanted to be a greedy device hog, they could just decide to not target the latest API level, and these restrictions would not apply to them. The ability to use an older API level is meant to be a backward-compatibility consideration, but developers can abuse the feature if they are greedy, lazy, or malicious.
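The opt-out described above can be checked mechanically. The following is an added example, not code from the article or from Google: it reads a decoded, plain-text AndroidManifest.xml, resolves the minimum and target API levels (applying Android's defaults when attributes are missing), and reports which of the two behaviour changes named above the app avoids. The function names, package names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviour changes named in the article, keyed by the target API level
# an app must declare before the change applies to it.
GATED_CHANGES = {
    23: "runtime (a la carte) permissions",
    26: "background processing limits",
}
PLAY_FLOOR = 26  # target level the article gives for new apps from August 2018

# Constructed sample manifests (hypothetical packages, not real apps).
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.legacy">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

IMPLICIT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.implicit">
  <uses-sdk android:minSdkVersion="19"/>
</manifest>"""

CURRENT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.current">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def _api_level(elem, attr, default):
    """Read an integer android:<attr> from <uses-sdk>, or return the default."""
    raw = None if elem is None else elem.get(ANDROID_NS + attr)
    if raw is None:
        return default
    if not raw.isdigit():
        # Preview builds may carry a codename instead of a number.
        raise ValueError(f"non-numeric {attr}: {raw!r}")
    return int(raw)


def audit_manifest(xml_text, floor=PLAY_FLOOR):
    """Report the API levels an app declares and the changes it opts out of."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    # Android defaults: a missing minSdkVersion means 1, and a missing
    # targetSdkVersion means "same as minSdkVersion".
    min_sdk = _api_level(uses_sdk, "minSdkVersion", 1)
    target_sdk = _api_level(uses_sdk, "targetSdkVersion", min_sdk)
    permissions = [p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")]
    return {
        "package": root.get("package"),
        "min_sdk": min_sdk,
        "target_sdk": target_sdk,
        "meets_floor": target_sdk >= floor,
        # Changes whose gate is above the declared target do not apply.
        "avoided": [name for level, name in sorted(GATED_CHANGES.items())
                    if target_sdk < level],
        # Below target 23 every requested permission is approved at install.
        "install_time_permissions": permissions if target_sdk < 23 else [],
    }


if __name__ == "__main__":
    for manifest in (LEGACY_MANIFEST, IMPLICIT_MANIFEST, CURRENT_MANIFEST):
        result = audit_manifest(manifest)
        status = "ok" if result["meets_floor"] else "BELOW FLOOR"
        print(f'{result["package"]}: target {result["target_sdk"]} ({status})')
        for change in result["avoided"]:
            print(f"  avoids: {change}")
        for perm in result["install_time_permissions"]:
            print(f"  approved at install: {perm}")
```

The second sample shows why the default matters: an app that declares only a minimum level is treated as targeting that same old level.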

Previously, Google used a “carrot” approach to getting developers to target the latest API levels. If you want access to that sweet new fingerprint API in Android 6.0 or the Vulkan Graphics API, you’ll need to target the latest version! Newer versions also come with a host of requirements and restrictions to make your app a better smartphone citizen, though. New API levels haven’t had much in the way of enticing developer features, though—they’ve mostly been things that are good for users, like less background processing, stricter permissions, controllable notifications, and design conformancy features like adaptive icons. These are work for developers to implement, and while they benefit the user, they don’t help developers. The carrot approach looks like it’s going away and being replaced with a stick. Google says “Update to a newer API or never update your app again.”

Speeding up ecosystem adoption

An API Survey of ours from 2015. Twenty-four percent of apps would not meet Google's new update requirements.


Google has published a timeline for mandatory API level adoption. Generally, API levels that are a year old will become mandatory for new and updated apps. This will begin in August 2018, when targeting API level 26 (Android 8.0, released August 2017) will be mandatory for new apps. A month later, the requirement kicks in for all app updates.

Requiring all new and updated apps to use an API level that is a year old will speed up API adoption across the Android app ecosystem. We last took a survey of the top 200 non-game apps in late 2015, so we actually know what natural API adoption speeds look like. Shortly after the release of Android 6.0 (and a lengthy developer preview period), only five percent of the top 200 apps targeted the latest API version. Forty-one percent targeted the previous API level, which was seven months old at the time of our survey.

If we look at the top 200 apps that target an API level that was a year old or newer, which will be the new minimum requirement in 2018, it was only 78 percent. If we assume the top 200 apps are regularly updated (and they are), Google’s new requirements would bump this to about 100 percent.

Keep in mind, these are just the top 200 apps, which are all made by competent developers that (I guess) represent the best Android has to offer. The other 2.5 billion apps are probably less well-maintained. Today, there are some notable exceptions in the top 200. Facebook still targets Marshmallow, API level 23. This is two years old and allows the company to dodge Android’s new background processing requirements, meaning the Facebook app can run in the background all the time, if it wants. Snapchat uses API level 22, which is almost three years old and allows the company to skip Android’s à la carte permissions. This means, just to install the app, you have to approve a ghastly brick of permissions, giving Snapchat your identity, contacts, location, photos, microphone access, device ID, and more. Why would these companies want to upgrade and give up this access?

Security benefits and faster API deprecation

Setting a minimum floor on the API level should help with security, too. As we’ve written about time and again, Google’s malware scanning isn’t perfect, and sometimes malicious apps end up in the Play Store. Sometimes they even get millions of downloads! If you were going to write a malicious app that aimed to defeat Google’s built-in malware scanning, you certainly wouldn’t target the newest API level. You’d use an older version with fewer restrictions on the app, allowing you to wreak more havoc and steal more information. Now, malware writers will be limited to APIs that are a year old or will have to trick users into installing the app off the Play Store.

Perhaps the best news in this blog post is that “Future Android versions will also restrict apps that don’t target a recent API level and adversely impact performance or security.” Hopefully this means Google is going to actually retire API Levels faster, allowing Android to become more streamlined. Letting apps pick their API level means maintaining a ton of old systems for old apps to plug into. Sometimes, a new system comes along and replaces an old one, but Google still has to keep the old system around, in case an old app wants to use it.

If Google requires all new and updated apps to use a later API, it’s possible that Google could opt to streamline newer versions of Android and remove these old components. Today, Google’s cutoff point seems to be API level 14, which is the minimum API level for Google Play Services. API Level 14 corresponds to Android 4.0, Ice Cream Sandwich, which is six years old! Android 8.1 Oreo still contains all the components needed to make these six-year-old apps work.

The one thing that isn’t happening is a purge of old apps on the Play Store. In late 2018, developers won’t be able to update old apps without fixing the API level, but these apps will still be free to rot on the Play Store forever. This change also won’t affect developers’ ability to make apps for older devices; it will just require that they support new OS features one year from release.

August 2018 is a long way away, and this is probably on purpose. Google is giving developers plenty of notice, so there shouldn’t be any room for excuses once the restrictions kick in.

LG teases a monstrous 34-inch, 5K, 21:9 monitor ahead of CES

Brace yourself: the deluge of product announcements for next month’s Consumer Electronics Show has begun.

LG took its turn in the spotlight on Thursday, announcing a trio of new monitors that’ll be showcased in full at the upcoming trade show. The star of the bunch is likely the 34WK95U, a 34-inch ultrawide monitor with a (roughly) 21:9 aspect ratio and a 5K resolution. Well, sort of 5K—that resolution is technically 5,120 x 2,160, meaning it has the same number of vertical pixels as a 4K monitor but adds pixels horizontally.

The device will include a Thunderbolt 3 port and what appear to be fairly slim bezels, too. The idea here is to court professionals who need to have several windows open at once, edit images and videos with precision, and so on. Here’s hoping it doesn’t suffer from any technical issues like its last high-profile 5K monitor.

There’s a new 32-inch 4K monitor, too. The 32UK950 will also carry a Thunderbolt 3 port, which LG says will allow it to chain two 4K monitors at once—a detail not specified for the 5K model—and “provide enough charge to power a 60W notebook.” The company says it’ll cover 98 percent of the DCI-P3 color gamut and, like the 5K panel above, utilize its “Nano IPS” color boosting tech, which it rolled out in select TVs earlier in the year. We’ll have to see the panels in action before saying if that’s anything more than jargon, though.

LG says that both panels will also support “HDR 600,” but it’s not clear if the company is referring to VESA’s DisplayHDR 600 spec or its own thing. The former was announced last week by the computer display standards body; it sits in the middle of three new high-dynamic range standards and requires at least 600 nits of peak brightness (plus 10-bit color, among other specs). Samsung announced that its massive 49-inch CHG90 monitor was compliant with the DisplayHDR 600 spec earlier this week.

Whatever the case, it’ll be hard to say either monitor will be capable of true HDR the way TV-based standards like HDR10 and Dolby Vision are. Both of those specs reach at least 1,000 nits and are thus capable of facilitating the higher contrast ratios needed to take advantage of HDR content more fully. That said, sitting a foot away from a screen that bright probably wouldn’t be much fun for your eyes.

LG briefly mentioned a new QHD gaming monitor that will support Nvidia G-Sync in its press release, too. In general, there’s still plenty we don’t know about all three monitors—namely, when they’re coming and how much they’ll cost. The company didn’t immediately respond to a request for comment, but we’ll likely get more details once CES kicks off next month.

Geekbench and Reddit think they’ve cracked why iPhones get slower over time [Updated]

Samuel Axon

Update: Apple has shared the following statement with TechCrunch confirming the functionality and its reasoning:

Our goal is to deliver the best experience for customers, which includes overall performance and prolonging the life of their devices. Lithium-ion batteries become less capable of supplying peak current demands when in cold conditions, have a low battery charge or as they age over time, which can result in the device unexpectedly shutting down to protect its electronic components.

Last year we released a feature for iPhone 6, iPhone 6s and iPhone SE to smooth out the instantaneous peaks only when needed to prevent the device from unexpectedly shutting down during these conditions. We’ve now extended that feature to iPhone 7 with iOS 11.2, and plan to add support for other products in the future.

Original story: Based on anecdotal observation, many iPhone users have long believed that older iPhones get slower over time. Generally, people have assumed that this is because of new features and additions in new versions of iOS that are better optimized for the latest phones.

But Reddit users, and Geekbench developer John Poole, have a compelling new theory, backed up by benchmarks: the iPhone may throttle performance to preserve battery life or avoid unexpected shutdowns as the battery degrades.

Several days ago, Reddit user TeckFire posted a report to the iPhone subreddit stating that, after experiencing slowdown on their iPhone 6S, they replaced the battery with a new one and saw significant improvements in benchmarks—seen below, via their imgur post:

Commenters shared theories and benchmarks in response to TeckFire’s findings. But the theory picked up even more steam when Geekbench founder and developer John Poole posted a blog post exploring the issue with his own benchmarks, this time comparing across versions of iOS to control for that.

Here’s how he said he established the test:

I’ve plotted the kernel density of Geekbench 4 single-core scores for the iPhone 6s and the iPhone 7 running different versions of iOS. Scores obtained in low-power mode are not included in the distribution.

On iOS 10.2.0, the iPhone 6S did not significantly exhibit this throttling behavior. However, it is detected in iOS 10.2.1, as well as iOS 11.2.0.

The introduction of this behavior in iOS 10.2.1 might have been a coincidence, though nothing is currently certain. Before January of 2017, iPhone 6 and 6S owners (myself included, earlier in 2016) reported that their phones would shut down unexpectedly as the battery reduced. Apple’s iOS 10.2.1 addressed the issue. Apple explained its approach in the following update, shared with TechCrunch in February:

With iOS 10.2.1, Apple made improvements to reduce occurrences of unexpected shutdowns that a small number of users were experiencing with their iPhone. iOS 10.2.1 already has over 50% of active iOS devices upgraded, and the diagnostic data we’ve received from upgraders shows that, for this small percentage of users experiencing the issue, we’re seeing a more than 80% reduction in iPhone 6s and over 70% reduction on iPhone 6 of devices unexpectedly shutting down.

Reports at the time suggested that the iPhone 7 was not affected by the shutdown issue. However, Poole did find similar distributions in Geekbench scores on the iPhone 7 to those he found in the iPhone 6S—but with one key difference. Here are his results, again courtesy of his blog post.

In this case, the result did not emerge until the phone was updated to iOS 11.2.0.

We tested on a year-old iPhone 7 (running iOS 11.1.1) that has seen daily battery drain and recharge. We found that its CPU frequency was 2,333MHz, close to the expected 2.35GHz. We also ran Geekbench’s CPU test on the phone and got average results of 3,503 for single-core and 5,973 for multi-core—almost the same as the 3,506 and 6,073 we got when we first tested the iPhone 7.

In iOS 11.2.1, we didn’t see substantially different results. The frequency read at 2,345MHz, and our average Geekbench results were 3,491 and 5,860 for single and multi-core, respectively. Obviously, the nature of the test is different from those run by Poole. But while we weren’t able to replicate any slowdown in this very limited test, several Reddit users were.

Amazon Music removes ability to upload MP3s, will shutter storage service

Getty Images

One feature of Amazon Music allows users to upload their own MP3 files from other sources, but that service is shutting down over the next year or so. According to a help page on Amazon’s website, the company will end its Amazon Music Storage subscription service in January 2019. An official date hasn’t been released, but once the storage service ends, users won’t be able to play or download MP3s they previously uploaded.

Amazon already removed the ability to upload personal MP3s to Amazon Music through its PC and Mac apps earlier this week. The company’s dedicated music importer software shuttered even earlier, back in 2015.

Both free and paid customers of Amazon Music Storage will be affected by this recent decision: free users, who were able to upload up to 250 files, can play and download any of that music until January 2019. Free users should download their previously uploaded tracks before January 2019, because those will become inaccessible through Amazon Music at that time.

Paid users, who paid $25 annually to store up to 250,000 files, can also play and download any of that music until their subscription expires. Those who let their subscription expire won’t have the option to renew it, and all songs over 250 will be removed. Those remaining 250 songs will be available for one year after the subscription expires before they’re removed as well.

Those who stand to lose the most in this situation are paid Music Storage subscribers. Those customers should re-download any and all tracks they originally uploaded before their subscription expires to avoid the service erasing part of their library and leaving them with just 250 songs.

Amazon notes that this change only affects music imported to Amazon Music from other sources. Any music you’ve purchased from Amazon or uploaded using Amazon’s AutoRip service won’t be affected. Amazon released AutoRip in 2013 as a way for users to sync CD tracks through MP3 matching, so at least the music that you paid for a long time ago won’t be affected by Amazon’s move.

Uploading personal MP3s isn’t as popular as it used to be thanks to the rise of music streaming services. But at the beginning of the transition, some companies offered ways for customers to listen to their personal MP3 files along with music provided from the new service—Apple has iTunes Match and Google Music has scan-and-match as well. At the time, it was a convenient way for companies to encourage new users to sign on without abandoning the huge music libraries they may have already built up over the years. With more of the music industry moving to paid streaming, it makes more sense for Amazon to focus on its Music and Music Unlimited services.

Body Fat Scale,FlightingLive High Accuracy Digital Body Weight Bathroom Scale,Accurate Health Metrics, Toughened Glass Top for Body Weight, Body Fat, Water, Muscle Mass, BMI, Bone Mass etc – CNET

All of the smart home stuff we expect to see at CES 2018

CES 2018 kicks off in early January and CNET will be there in force, scouring Las Vegas convention halls and pop-up casino demo rooms for the latest product innovations. 

Not only is CES one of the largest tech shows in the world, smart home devices and large appliances have had an increasing presence at the annual event in recent years. 

At CES 2017, so many companies announced integrations with voice assistants that we compiled a “scoreboard” to keep track. Amazon’s Alexa dominated with 33 new partnerships, followed by 18 from Apple’s Siri-powered HomeKit platform. Google Assistant trailed behind with 10. We also saw a lot of robots. Yes, robots. Some were kind of creepy, others were downright adorable — but all of them were supposed to help make your home smarter.

So, what does the upcoming CES have in store for the smart home? We don’t know for sure, but it’s going to be big if last year’s show was any indication. Here’s a look at smart home and appliance trends we think we might see at CES 2018. 


The Google Home Mini, Google Home Max and Google Home speakers.


Chris Monroe/CNET

Voice assistants

By “voice assistants,” I don’t mean new AI platforms to compete with Alexa, HomeKit and the Google Assistant (although that’s entirely possible too). I instead expect to see something of a repeat from CES 2017 — announcements of new and existing smart home products adding Alexa, HomeKit and Google Assistant voice functionality. 

Where last year was heavily weighted toward Alexa integrations, I expect to see more HomeKit and Google Assistant announcements in 2018. Apple’s HomePod smart speaker might have missed the holiday season for this year, but that won’t stop third-party device makers from extending support for Siri.


Simplehuman’s Wide-View Sensor Mirror.


Chris Monroe/CNET

Beauty and fashion products

We’ve also seen an uptick in smart beauty and fashion devices lately. Simplehuman sells a couple of different smart mirrors, designed to help you optimize your look whether you’re spending the day in natural or fluorescent light. 

A smart hairbrush called the Kerastase Hair Coach was on display at CES 2017. Its proposed goal? To collect data as you brush your hair via integrated sensors and give you related care recommendations. MAC makeup stores are getting AR mirrors so you can “try on” different products without, you know, actually having to try them on. And what about Amazon’s quirky Echo Look camera? It judges your outfits and tells you what to wear. A new Echo Look update even lets you ask strangers for fashion advice.

I’d be surprised if we didn’t see a few new products in these categories at CES 2018.  


Jibo.


Tyler Lizenby/CNET

Robots

We saw robots in droves at CES 2017 and the fascination will likely continue into 2018. But the smart home bots we’ve seen so far have been pretty hit-or-miss. Jibo (pictured above) is kind of cute, but it doesn’t do much — including move, beyond panning and tilting its head and an admittedly endearing, but stationary wiggle-dance. It also costs a whopping $899. Panasonic showcased a mobile mini fridge-bot at IFA 2017 that will bring you chilled sake, no effort required. 

Others, like Kuri by Mayfield Robotics, can actually move around and claim to recognize faces, but we haven’t had the chance to test them out just yet. It would be exciting to see if there are any new assistant robots at the show in January. 



Facial recognition

Face-scanning technology isn’t new; we’ve seen it on the Netatmo Welcome security camera, the Microsoft Kinect (which Microsoft no longer makes) and plenty of other consumer products. But recent advances in machine learning have helped bring facial recognition to even more devices, from the iPhone X to Nest’s IQ cameras and its Hello doorbell.

We’re also seeing an increase in home security cameras supporting “person alerts.” Person alerts can’t tell you who they see, but they should be able to distinguish between a person and your neighbor’s cat — and send you a notification about it. At CES 2018, I expect to see even more manufacturers introduce facial recognition (or person alerts) as a feature. 


The GE GTW750CSLWS washing machine works with Amazon’s Echo Show speaker. 


Chris Monroe/CNET

Smart appliances

Fridges, dishwashers and other large appliances with integrated smarts have been around for a while, too. Only a few have managed to offer any real convenience, though. I’m not convinced we’ll see much movement in this space at CES beyond some additional voice assistant integrations. But the Kitchen and Bath Industry Show is happening the same week as CES 2018, so expect to see appliance coverage from both shows. And, who knows, maybe we’ll see a smart appliance or two.

Want to see if these predictions come true at CES 2018? Bookmark this page, where you’ll find all of the latest news straight from the show floor starting in early January.

Sengled Element BR30 Smart LED Bulb Zigbee Dimmable 60W Equivalent Soft White, Compatible with Samsung SmartThings and Wink Hub, Requires Hub for Alexa – CNET

KeeWifi Easy BBQ Bluetooth Device

Take the Guesswork out of Barbecuing — Love to barbecue, but hate keeping a constant eye on your food? KeeWifi has a solution for you. Compatible with both iOS and Android, these Bluetooth 4.0 thermometers allow you to monitor the temperature of your meat from up to 100 feet away. Loaded with a wide range of doneness settings for different types of meats–like beef, chicken, lamb, and fish–they make it easy to keep tabs on your favorite grilled meats without sacrificing time with friends and family.

TP-Link Kasa Cam Indoor WiFi Security Camera for $100 + free shipping

Best Buy offers the TP-Link Kasa Cam Indoor Full HD WiFi Security Camera for $99.99 with free shipping. That’s the lowest price we could find by $30. It features a 1920×1080 resolution at up to 30 fps, a 130° field of view, two-way talk, and night vision out to 25 feet. A TP-Link LB-Series WiFi Smart LED bulb is included.
