Also, it has other practical uses - think of it as a better-than-polygraph test for questions of type "have you seen this person" or "does this account-password belong to you".
I can't wait until this technology is improved, so I can "search" my own brain to find all the stuff I seem to forget. I'm sure it's locked in my unconscious somewhere...
While correct, I think you're missing something huge.
I'm not sure how long it takes for your brain to recognize a 4-digit number as something you "know". Absolute fastest would be something around 32/second, as I believe that's about as fast as your brain can view an image (movie frame rate). However, I'm reasonably sure it's much slower than this, and we haven't even factored in how long it takes the computer hooked up to your brain to recognize a change. So for the purposes of this argument, I'm going to say about one PIN per second.
So, for a 4 digit PIN, you can spend 9999 seconds to "hack" the mark's brain, and then try all those combinations that showed a recognition pattern. Or you could just brute force all 9999 permutations, likely at a much faster than 1 per second, without needing physical access to the mark, and without all sorts of crazy hardware.
In other words: I agree about the value of the idea. I think, however, that there's a huge disconnect between the information and how it's being presented.
0-Day? I knew I shouldn't have upgraded from primate.
In what world would the victim not become suspicious?
(I appreciate things may change in the future, and if brain control headsets become common then a malware model (ad popups, for example) could provide a plausible vector for this attack.)
(from the actual paper) "The experiments are implemented and tested using a Emotiv EPOC BCI device"
(from the hyperbole article) "For $200-300, you can buy an Emotiv"
In what world would the victim not become suspicious? I think this result is framed as "if BCI-controlled gaming takes off, it doesn't take much to harvest personal data from gamers".
Also, I wonder what are the implications for interrogation methods (think CIA, not local police). They didn't test what happens if the victim is actually trying to resist, maybe even if the victim has had guidance on how to resist. I would love to know.
Resisting this sort of thing is easy: just think "loud" alternative thoughts and close your eyes so you don't see the stimulus. Sing a song in your head. Anything.
This is just image/text recognition research from 1980's and 90's neuroscience regurgitated as security publications with far shittier experimental methodology and consumer equipment.
At no point did they actually demonstrate they got access to secrets you knew, e.g. your real PIN number, and they certainly didn't demonstrate they could do so surreptitiously. There is no reason to believe you could actually do this and these experiments tell us nothing we didn't already know from actual real experiments done by real clinical researchers: you can use the p300 signal to tell if someone recognizes a specified stimulus.
This implies the possibility of "something you know" may be only just as secure as "something you have."
As people integrate and evolve to include technology, the security aspects of bio-technical interfaces are going to get really interesting and damn important.
I'd love to log my brain activities while learning, reading or playing poker :D
Edit: Seems like the Emotiv EPOC has an SDK that supports Linux and also an open source library called Emokit that was built from reverse engineering the device's communication :D
In addition, these cheaper consumer EEGs don't produce research-grade data, so while they are good for messing around and experimenting, if you want to get serious, you'll need to upgrade to a more expensive headset.
Granted, you'd have to write the unfolding algorithm and infrastructure stuff yourself (even though I'd guess someone probably has done this already).
Seems like a neat enough toy to add it to my xmas-wishlist. Time to build a light version of the "Ready Player One" cyberworld :P
I used to play poker semiprofessionally and could see this as a very useful device to identify tilt (and shut down the poker client or at least give you an alarm of sorts) or generally wear it while grinding and see what helpful info you can extract when comparing to your hands database.
But really, looks like this experiment could be totally derailed by closing your eyes, or by thinking of irrelevant topics.
Still pretty neat though.
Related, the MRI lie detector: http://www.ncbi.nlm.nih.gov/pubmed/19092066
It's cool that home BCI is so cheap now, I just wish they weren't trying to capitalize so heavily on it.
But in any case showing pins that way wouldn't work anyway - most people have a muscle memory for their pins, but would not recognize them when written down.
Having said that, I would recognise both PINs as both a string of digits and as a spatial sequence... so that would probably just be another attack vector.