Hey guys I just made this logo, inspired by this thread:
I also made logos for all the other unique app ideas, and you can see them on my site here!
David, the answer to the "proof of human" in my mind is very simple, and I want you to really think about it.
You use a challenge response system with the device's accelerometer.
Really, think about it.
The human supplies no real identifying information, but their human interaction with the device is clear as day.
I see it like this. It spits out initial voice commands to get a baseline: "put device on ground", "hold device above head", "hold device out" (logging arm length/height/other basic metrics).
With the initial human data the challenge starts saying commands ("shake up and down", "hold still", "move device in a figure eight", "move device in a circle"), displaying the desired motion on screen, and records from the accelerometer. (think wiimote)
This human challenge can go on for as long as is needed, continuously telling the human new commands until a decision is made.
Maybe AI is advanced, and programmers are dedicated, and physics equations are easily understood... but mother of god have fun writing the program that will render the device in 3d space with perfectly fluid motion from every command to every other without delay or hiccup.
The real secret sauce is in the commands given: "shake vigorously" can get an estimate of the person's strength, which can be compared to the "hold above head" height.
You could of course add some voice challenge (count to 10 while putting arms up).
At the very least you can verify it's human, not necessarily a unique one (although I'm sure there are commands you could give to figure that out), but this will dramatically reduce the millions of fake accounts generated by common scripts.
Desktops are an issue but smartphones and laptops all have accelerometers now.
lol "backseat" truly is a great username for you
That means Professor Hawking could not be seen as human. And anyone with such disabilities like limited arm movement.
Also it would give jobs to low paid sweatshop "employees" who respond to the bot which relays the movements back to the app trying to verify if human.
Too many ways to fool it without even hacking or programming a voice activated response system. No need for AI, and is being developed for robotic response systems.
SAFE network does this by requiring payment for account to persist
I think you gloss over the really difficult problem. It is easy to get lots of people in a room going through this process (just as with generating game currency, filling in online forms etc.). The difficult part is the "unique" bit, and so if you think you can solve that part please go on. Then you will have found something no-one here has yet. I like the idea you present, but I don't see how you can tie those responses to particular people. I'm not saying you can't, but I think it needs to be demonstrated - or a theory of how presented that is worth someone exploring.
Maybe someone will pick up on the basic idea, but if you think you can solve it, don't stop there!
David mentioned that in the 1st post:
David mentioned in this thread that he was more concerned with proving that you are human, not specifically unique.
But yes you are correct, the unique element is the golden-goose.
The reason I mention this was that the current captcha system is being bypassed now with bots sending out the images/puzzles to unsuspecting users to solve (& dedicated solvers). Thus a bot operates as a human and proof fails. Ever been to that site asking for captcha to be solved for access to the article, yet the captcha always says you failed (to get the person to solve many)? It's increasing and saves the need of AI, or other recognition systems.
The movement challenge and response reminded me of that and how easily I could rig up a mechanism to fool such a system. (engineering is my expertise) Easier than that captcha fooling system although a tad more expensive.
I also gather that the human proof for account creation has basically been replaced by paying a coin. Thus I gather it is more a quest for unique now.
Personally I feel that the need for human proof and unique human should be for things that really need it like voting and a number of other APPs that want humans and not bots. There is a lot of resistance to wanting people to prove things in order to use a system unless they feel it's necessary. The more they have to do the less likely they will do it.
Uniqueness & human proof is very difficult and mostly fooled because the input has to be converted to digital. I'd say the best would be a DNA analyzer that creates a hash of a person's DNA so personal info is kept private. Then the problem is cost, identical twins and those that actually have 2+ DNA sequences. (the case of the mother who is not the "mother" depending on where the DNA sample is extracted from.)
I just read this entire 229-post thread in one fell swoop. Disclaimer: I'm new to MaidSafe.
It certainly seems that this thread needs clarification on the "is this integrated in the network or built in apps on top of it" point. For the higher-level apps, then, the point is moot, since the apps will do whatever they want, including their own separate ways of verifying humans if they so desire, and we can't and shouldn't stop them. All of the discussion about upper-level authentication, while interesting and valid, is therefore only useful as suggestions to new app developers.
So all that really matters is if PoUH should be implemented at a network level, and if so, how?
Well... it shouldn't. Here's what the thread has taught me:
- Biometrics are fun and interesting and as discussed, plausible. Unfortunately, they're also never truly unique. Sharing a thumbprint with someone is rare, but it happens. Even less likely so for retinal scanners. Even less likely for heartbeat rhythms, and even less for DNA. Yet, all of the above, are not perfectly unique. (To test any such idea, always apply the limit as the number of living humans approaches infinity) In each method there is also accessibility issues (blind people, fingerless people, inconsistent heartbeat, etc). It was also mentioned that this would promote acceptance of biometrics in general, including the other proprietary/insecure/spying methods out there.
- Combination of Biometrics seems like the obvious answer to the above, and many people would say it's "unique enough" for our purposes. It comes in two forms:
  - Mandatory combinations, say a heartbeat, an eye, and a fingerprint, exhibit the issues discussed about being far too complex, introducing high barriers to entry; not to mention hardware cost.
  - Optional combination of biometrics, like "eye scan or voice print, whichever you want!", solves almost all of the accessibility issues but defeats the security gained. Bad actors simply go after the most exploitable method, and don't have to worry about the rest.

  In either case, biometrics are obviously circumvented by physical coercion, as usual.
- Defining "human" in an operational way for the network is also necessary - if not different than "a user who provides value", which would invalidate the need for PoUH (only bad actor elimination would be necessary), then we have no leg to stand on. For example, take the definition "rational animal". If a non-animal with rationality comes along then why not give it the same resources and opportunities? If an AI had the rationality of a normal human user (such that it were indistinguishable from one) then does it not deserve disk space and resources to use the network as another user can? Or are we really concerned with precluding value added by "animals" only for some reason? I may have just watched Bladerunner last night, but you have to admit, defining human is... completely arbitrary.
- Voting, which should never need to be done on whole-network scale anyway, is not meant for this low level. We can use higher level layers and apps, to vote, and even then, among mutually-verified subgroups of users. So let's rule that out.
- Joining the network seems to take three schools of thought:
  - Join and get paid, a.k.a. free space/resources for new users
  - Just join, and get/give nothing, all the way to
  - Pay to join, such as requiring a safecoin for an account.

  Each of the extremes leads the user incentives astray. We don't want to incentivize the mass creation of accounts, so giving away free space, while generous and easy, won't work. We can gain the benefit from this approach, though by simply making it easy to immediately earn a first safecoin (for example). This also has the desirable effects, such as psychological value, of the "pay to join" approach, except the barrier isn't actually there. What we don't want to deal with is the impossible task of charging the whole world a sensitively fair amount, not to mention that telling people they need to pay for internet 2.0 is not going to go over well.

  Charging nothing and giving nothing has the pros of both extremes, with none of the cons. We can simply value the coins, rather than the accounts - and hey, we can even use that invitation-network-effect idea - we simply pass around "invites" with coin attached!
- Separating personal lives into multiple "accounts" seems to be objected to, on the basis that it would be desirable and the PoUH would interfere with this. I'm arguing against PoUH, but this is not a good reason. First of all, we still want everyone to have only one account, or at least I think so. I was under the impression that you could deal with the separation-of-personal-life issue via something called Personas, which aren't as permanent/anonymous as your actual maidsafe account. I may have the terminology backwards, but what they're arguing for is PoUH for the account, which should suffice for all of the Personas under it. I still think everyone should have one account, and that there should be no point in having multiple (fragmentation of your stuff! multiple authentications to remember!).

This makes other processes fall into place - accounts will tend towards coinciding 1:1 with a single human because the incentives are set up that way.
Passports are used to identify unique human beings across the world. It is safe to assume that members of society have a passport. It is also safe to assume that given this form of identification, one can prove that one is not a bot.
Of course the problem is that people do not under any circumstances want to compromise their passport information.
Is it possible to generate a unique signature using a passport number as a one off without compromising the safety of said number, and still retain enough cryptographic information in the network to be able to verify this signature? Would this be illegal or impossible or just not secure enough? Since a lot of sites demand identification these days it got me curious as to why this type of solution would be infeasible.
Can't people buy fake passports on the deep web?
I don't have a passport
This is way off I'm afraid. Even in the USA, having a passport is less likely than not.
Hmm I see the problem.
Noob question - Is this actually intended to become part of the network, or is this just a conversational thread?
I can see how an identity verification service can be useful for some users and some applications. As a core concept though, someone should point out that "proof of unique human" at a network level by definition can only eliminate anonymity. This would increase risks and annoyances.
Suppose "Jay" wants to back up his private e-mail every morning 2am, whether he's at his desk or not. Jay also has a completely separate service that provides a REST interface to some unrelated weather data he's been collecting and storing on the network.
Two options. One is that each of those "bots" can have its own separate account. The other is that Jay is only allowed one account, and all his tools have to automatically authenticate as Jay.
With account separation and anonymity, people might build bots that do harmful things. You might have to counteract those bots with tools like spam filtering, and ensuring that coins are only automatically issued to systems that have done useful work.
The second scenario could be a huge problem for Jay when it turns out that his weather data interface was not as well designed as he'd hoped, and some script-kiddie used it to steal his credentials and all his coins and e-mail (instead of being limited to whatever that specific app had access to).
Or maybe Jay has the misfortune of living in a totalitarian regime, and the government, which actually printed his ID in the first place, decides to execute him for documenting their activities with a foreign human-rights group.
Of course that's all very dramatic and I just made it up. Real life problems for me would include:
- Testing development of an application that has different permission levels when you canât create multiple accounts.
- Building automated tools for an employer without giving them access to your private data (Am I really the only person with a separate private and employee e-mail address?)
- (inverse) Hiring someone to build an app without giving them the credentials for your entire business.
- Simply not wanting to provide personally identifying information to a system that's not accountable to me.
To be clear, unique identity validation can be an incredibly useful tool. I can easily see a business case for a specialized service provider doing manual ID checks and certain application writers insisting that only "EZ ID Verified" accounts will be allowed to vote in their election. But from a design perspective I don't see anything good about making this a requirement for participation at the network level.
Very good points, but not necessarily the outcome.
First, your question: no it is not planned, because it is not yet possible to achieve this. The discussion is because there are things that would make this useful, but they need not lead to de-anonymising the user, so long as you can have non-unique accounts.
So for example, if you could have POUH this might be required for certain account benefits: voting, a free initial storage allowance etc, which would avoid spamming and similar abuse. But you could still allow other accounts, just without these features or benefits.
So we could have the best of both worlds. If only we could figure out how to do POUH!
Why not combine different strategies? For instance for your average job the wiimote idea would probably work fine to validate they are human. Then combine this with personal data and you have a login. To defeat the sweatshop problem tie one's personal data to one's biometric data. That is to say if the network knows you're 6 feet tall, weigh 300lbs and shake your wiimote like a maraca and login one time then try logging in again and suddenly are 4ft tall, 90lbs and shake your wiimote like you're trying to turn cream into butter there's a difference and the system knows "Hey wait a sec this isn't the same human here!" And an alarm is tripped. In short if someone hires someone ELSE to login for them as the "human" element then it becomes a permanent position until they reset the whole process, because you know that option would be necessary because things happen just like wanting to change your password.
For the motion impaired there are options like using a passport or nymi heartbeat monitoring device. And couldn't we rig some kind of motion tracking system using the camera? Even a person in a wheelchair could follow commands to "move forward, move backward, go over to your left, move back again, move to your right, spin round, now perform a figure eight while bobbing your head" and so on. Quadriplegic issues, like many handicaps, are a greyscale. So one would need to input that into the system, which in itself would be identification data. If you know your human is handicapped and a human comes along who passes tests that they normally couldn't either a miracle has occurred or there's a security breach. Of course we'd need to account for miracles as they do on occasion happen but it's rather unlikely.
Thanks for clarifying!
I've never heard of anyone solving 100% automated POUH validation, and now that you point it out, it does seem like a valuable enough service that if someone had figured it out, they would be famous billionaires.
I don't know enough about MaidSafe yet to understand whether it could be done with the account authentication system as written or whether it'd have to be a separate tool, but treated as a customer-service rather than an automation problem and POUH looks like a simple modification of PGP: Show "EZ Validation Service" a meaningful form of identification and they sign one, and only one, of your public keys. Give the market a bit of a trial period and we'll know whether "EZ Validation Service" is more reliable than "Background Checkmaster."
Obviously a purely automated solution is beyond my skills here. To be fair though, everyone who uses an SMS text or government issued ID is also just outsourcing the work to particularly well-established vendors.
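As an added illustration (not part of any post in this thread and not MaidSafe code), here is a sketch of the validator idea above, combined with the earlier question about using a passport number without exposing it. The class, method names and sample ID numbers are hypothetical, and an HMAC tag stands in for the PGP signature a real validator would issue so that third parties could verify it.

```python
import hashlib
import hmac
import secrets


class ValidationService:
    """Hypothetical validator: endorses at most one public key per ID document."""

    def __init__(self):
        # Secrets held only by the validator, generated at start-up.
        self._index_key = secrets.token_bytes(32)    # keys the ID-number digest
        self._signing_key = secrets.token_bytes(32)  # stand-in for a PGP signing key
        self._registry = {}  # keyed ID digest -> fingerprint of the endorsed key

    def _id_digest(self, id_number: str) -> bytes:
        # Keyed digest rather than a plain hash: ID numbers are short and
        # guessable, so an unkeyed hash could be reversed by enumeration.
        normalized = id_number.strip().upper().encode()
        return hmac.new(self._index_key, normalized, hashlib.sha256).digest()

    def endorse(self, id_number: str, public_key: bytes):
        """Return an endorsement tag, or None if this ID already backs another key."""
        digest = self._id_digest(id_number)
        fingerprint = hashlib.sha256(public_key).digest()
        # Only the digest and the key fingerprint are stored, never the number.
        previous = self._registry.setdefault(digest, fingerprint)
        if not hmac.compare_digest(previous, fingerprint):
            return None  # a second key for the same document is refused
        return hmac.new(self._signing_key, fingerprint, hashlib.sha256).digest()

    def verify(self, public_key: bytes, tag: bytes) -> bool:
        fingerprint = hashlib.sha256(public_key).digest()
        expected = hmac.new(self._signing_key, fingerprint, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo():
    # Constructed sample data: made-up ID numbers and placeholder key bytes.
    svc = ValidationService()
    first = svc.endorse("X1234567", b"public-key-A")
    second = svc.endorse(" x1234567 ", b"public-key-B")  # same document, new key
    other = svc.endorse("Y7654321", b"public-key-B")     # different document
    return first is not None, second is None, other is not None


if __name__ == "__main__":
    print(demo())
```

The validator still sees the document at enrolment, so this limits what is stored and what the network learns, not what the validator learns.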
Here's my current thinking on the topic:
I don't think there's been a pressing need for POUH, prior to David's invention and hence no race to achieve it.
I wouldn't call POUH an "identification" system, as it does not identify anything. All it does is (1) prove we are human (2) prove we are unique i.e not the same as any other human on the network.
When planning this algo, we should take into consideration cloned humans also... apparently the tech is on the shelf, awaiting humanity's ethical readjustment.
When taking clones into consideration, a factor that might be important: "proof of unique experience" and since this is experience within the confines of a network that stores next to nothing about our activity, what's on there that we can verify? What activity on the network could be used to assess a user on their unique safe experience?
Youâd need a minimum amount of time/activity on the network, before you could even qualify to apply for Unique status.
So when we have 2 or more identical (DNA) humans as an accepted part of society, say 2 clones "created" at the same instant in "time"... how else are you going to accept their uniqueness, if not by their experience transacting with the network...
What about robots wanting to join up? Proof of unique machine? (MAC address)... Robots + AI with multiple accounts... not good for business.