Tue Jun 12 16:09:47 2007

Input Validation Done Wrong

When reading about software security, one of the most often repeated mantras is strict validation of user input. Lack of input validation and quoting has been the root cause of countless security vulnerabilities. But there are times when you want your input data to be exactly as it was provided, especially when you collect sample data that you want to use in detection mechanisms later.

Last week, I needed a new passport, and quickly at that. Since this involves German government institutions, the process gets more complicated the quicker you need something done. To make a very long story short, I ended up at a governmental office with my two hour old passport pictures and was told that the pictures would not work. What happened?

Germany is now rolling out the e-pass. The political smoke screen with terrorist decoration aside, it was the only way to sell large amounts of otherwise totally useless and probably unreliable biometric detection software to customers who cannot effectively refuse to buy - the citizens. If you need to travel, you have to buy the new passport, which supports the German industry, well, some of it.

One of the core features of the new passport is a frontal picture, as opposed to the slightly sideways one used before. The frontal picture can be read and interpreted by a piece of software in the government office to calculate biometric data about your face, so that all the fancy Fraunhofer anti-terror cameras at airports, train stations, in taxis, hotels and the cabins in the city sex shop may be able to identify you.

For this to work, photographers were told how to take an exact frontal picture of you. They usually charge more for the biometrics-ready picture than for a regular one, too. So I went to a photographer's shop and got my biometrics-ready pictures taken. Before the picture is scanned into the computer at the government office, a transparent sticker with an outline and some orientation points is placed on top of the photograph to tell the software where to look for the face.

The software at the government office kept complaining that my picture did not show a head in frontal perspective, although it was painfully obvious that it did. The surprisingly helpful lady re-placed and re-adjusted the transparent sticker several times to make the software understand that this is, in fact, a frontal picture of someone who just happens to have a real egg head - but to no avail. Finally, she sent me on my way again to another photographer's shop around the corner that supposedly produced acceptable pictures for the software with a 100% success rate. So I went to get new pictures taken.

The photographer at the second shop was a young and obviously street-smart German citizen of Turkish descent. After the second round of pictures was taken, he loaded them into Photoshop and copied one into a template file he had at hand. The template file was composed of rulers and grid lines for Photoshop, which seemed to mirror the requirements of our governmental biometrics software at the passport office. Once it again became obvious that my egg head would not fit into the boundaries, he scaled it on the X axis only to make it fit. Kiss your aspect ratio goodbye.

Input Validated and reshaped

Now, I don't understand much about the biometric matching algorithms used by our government's software. But the little that I do know about face recognition involves head geometry information, including the distance between the eyes in relation to other distances, like the one between the base of your nose and your mouth. Well, if you scale an image without preserving the aspect ratio, this information changes: a horizontal distance shrinks while a vertical one stays the same, so every ratio of the two moves.
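To make the effect concrete, here is an added example (my own toy model, not code from the original post and not the passport office's software). It assumes that a face is represented by four landmarks in pixel coordinates, that the transparent sticker with its orientation points is a set of target positions per landmark with a tolerance, and that the biometric feature is the ratio of inter-ocular distance to nose-base-to-mouth distance; the "egg head" landmark coordinates and the template are constructed for illustration. It reproduces the story: the sample fails the template, an X-axis-only squeeze makes it pass while changing the geometry ratio, and a uniform scale keeps the ratio but fails the template.

```python
"""Toy model of a fixed-template face check versus anisotropic scaling.

Added example, not from the original post. Assumptions (all mine):
  - a face is four 2-D landmarks in pixels;
  - the sticker's "orientation points" are target positions per landmark,
    accepted within TOLERANCE pixels;
  - the biometric feature is inter-ocular distance / nose-base-to-mouth
    distance. Real matchers use many more measurements, but every ratio of
    a horizontal to a vertical distance behaves the same under an X-only scale.
"""
import math
from dataclasses import dataclass

Point = tuple[float, float]


@dataclass(frozen=True)
class Face:
    left_eye: Point
    right_eye: Point
    nose_base: Point
    mouth: Point

    def landmarks(self) -> dict[str, Point]:
        return {"left_eye": self.left_eye, "right_eye": self.right_eye,
                "nose_base": self.nose_base, "mouth": self.mouth}

    def scaled(self, sx: float, sy: float) -> "Face":
        """Scale every landmark about the midpoint between the eyes,
        the way a transform handle in an image editor would."""
        cx = (self.left_eye[0] + self.right_eye[0]) / 2
        cy = (self.left_eye[1] + self.right_eye[1]) / 2

        def s(p: Point) -> Point:
            return (cx + (p[0] - cx) * sx, cy + (p[1] - cy) * sy)

        return Face(s(self.left_eye), s(self.right_eye),
                    s(self.nose_base), s(self.mouth))


def dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def geometry_ratio(face: Face) -> float:
    """The (assumed) biometric feature: eye spacing relative to nose-mouth spacing."""
    return dist(face.left_eye, face.right_eye) / dist(face.nose_base, face.mouth)


# Constructed template: where the sticker expects each landmark to sit.
TEMPLATE: dict[str, Point] = {"left_eye": (150, 150), "right_eye": (250, 150),
                              "nose_base": (200, 230), "mouth": (200, 270)}
TOLERANCE = 15.0


def fits_template(face: Face, template=TEMPLATE, tol=TOLERANCE) -> bool:
    """What the office software is modelled to check: every landmark near its mark."""
    return all(dist(p, template[name]) <= tol for name, p in face.landmarks().items())


# Constructed sample: eyes set wider than the template allows, everything else on target.
EGG_HEAD = Face(left_eye=(128, 150), right_eye=(272, 150),
                nose_base=(200, 232), mouth=(200, 280))


def squeeze_to_template(face: Face, template=TEMPLATE) -> Face:
    """The photographer's fix: scale the X axis only until the eyes hit their marks."""
    wanted = dist(template["left_eye"], template["right_eye"])
    have = dist(face.left_eye, face.right_eye)
    return face.scaled(wanted / have, 1.0)


def shrink_uniformly(face: Face, template=TEMPLATE) -> Face:
    """The aspect-ratio-preserving alternative: same factor on both axes."""
    wanted = dist(template["left_eye"], template["right_eye"])
    have = dist(face.left_eye, face.right_eye)
    s = wanted / have
    return face.scaled(s, s)


def assess(face: Face) -> dict:
    return {"accepted": fits_template(face), "ratio": round(geometry_ratio(face), 3)}


if __name__ == "__main__":
    for label, f in [("original", EGG_HEAD),
                     ("x-squeezed", squeeze_to_template(EGG_HEAD)),
                     ("uniform", shrink_uniformly(EGG_HEAD))]:
        print(f"{label:11s} {assess(f)}")
```

The template check and the biometric feature are independent: the check only asks whether landmarks sit where the sticker says, so any image that satisfies it passes, including one whose geometry no longer belongs to the person in it.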

What came out was a head shot that was happily accepted by the passport office software as a perfectly valid frontal shot and is accordingly printed in my passport as well as stored digitally on the RFID chip. The only issue is: that's not me, or to be more precise, it is not my head geometry. Maybe I should be happy about this, since it will make life a bit harder for the government officials should my profession become entirely illegal in the future and cause them to search train stations and public places for me.

The story somehow reminded me of NASA's input validation for their satellite ozone measurements over Antarctica. The data processing treated the very low readings over the ozone hole as errors, since the measurements were so far out of the expected range that they were considered false. The same can probably be said about my head geometry compared to the average German citizen.

When you collect sample data that you want to use in detection mechanisms, it's probably not wise to neglect data just because it is different from what you expected. This leads to the detection only detecting things you did expect, which renders the detection slightly useless. On the other hand, the story underlines the fact that overly drastic security measures, governmental or otherwise, will increase the likelihood of people circumventing them, knowingly or not. If you bother people enough, they will start cheating. If you bother them even more, you lose them.

Some people posting in forums suggested the root issue is actually that the person photographed is ugly. While this is obviously not a false statement per se, it would suggest that the biometrics software exhibits automatic taste - an interesting thought ;)

Posted by FX | Permanent link