To get Jennifer into her home, the police take her to the front door of her home. They place her thumb on a small circular reader by the door. Radial LEDs circle underneath her thumb for a moment as it reads. Then a red light above the reader turns off and a green light turns on. The door unlocks and a synthesized voice says, Welcome home, Jennifer!
Similarly to the Thumbdentity, a multifactor authentication would be much more secure. The McFly family is struggling, so you might expect them to have substandard technology, but that the police are using something similar casts that in doubt.
When officers Foley and Reese find the sleeping Jennifer, they thumbprint her on a wireless handheld device, and Officer Foley looks up the young girls information. Looking at the screen she retrieves Jennifer(2015)’s address and age.
Thumbprint is a fine unimodal authenticator, but much better is multimodal biometric or multifactor authenticator to be certain of identity.
Time traveling in the DeLorean is accomplished in three steps. In the first, he traveler turns on the “time circuits” using a rocking switch in the central console. Its use is detailed in the original Back to the Future, as below.
In the second, the traveler sets the target month, day, year, hour, and minute using a telephone keypad mounted vertically on the dashboard to the left, and pressing a button below stoplight-colored LEDs on the left, and then with an extra white status indicator below that before some kind of commit button at the bottom.
In the third, you get the DeLorean up to 88 miles per hour and flood the flux capacitor with 1.21 gigawatts of power.
Seems simple.
It’s not…
Rocker switch?
Note that the rocker switch angles down to a nearly 45 degree angle in the on position. One of the worst thing that could happen is for that thing to get accidentally turned off at the wrong time, I imagine. (Back to the Future 4: Lost in Somewhen?) The 45 degree angle makes an accidental activation unlikely, but the T-shaped handle means it could catch on a sleeve or bag handle or something. There are more secure safety switches, but I also wonder if it would be smarter to use the Fake Off mode that most electronics run in today, where they’re never really off, but look off, just waiting for user interaction to spring to life. With a Mr. Fusion on board, I presume powering it isn’t that much of a problem.
Good disambiguation
Note that the pad only has numbers. But Doc uses the military and European standard date format
[day of month] [month] [year]
which might confuse another user, i.e. Marty, entering the stupid USA standard
[month] [day of month] [year]
Though preventing errors is preferable, at least Doc helps Marty recognize errors by displaying the month in 3-character text format, which would help Marty realize if he’d accidentally put in 10 September instead of 09 October.
Bad disambiguation
Note that doc is traveling to 4:29 in the afternoon, and the display has a tiny LED A.M./P.M. indicator. Better is the less ambiguous military time. Sure, audiences might have been confused, but using a 24-hour clock would have been less ambiguous for diegetic users, you could eliminate the AM/PM indicator, and Doc could use the existing number pad for entry without having to either add an “AM” and “PM” button (missing from the console), or doing some annoying “press 1 for AM or 2 for PM now” IVR thing.
While we’re on time disambiguation, what, uh, time zone is this? Did doc only ever plan to fly in and around Hill Valley? It might have been keyed to the Prime Meridian, or to Pacific Time, but if so it would have been very useful to have it marked as such. If not, it should display the current time zone and provide a means to change it. Somehow. With that number pad. (Or more controls.)
Bad input constraint and recovery
It’s wholly possible to enter a day-of-month or month of “99,” which is nonsensical given the Gregorian calendar that we use today. How does the system handle this? A mod function? There’s no clue, but the unconstrained inputs would allow it.
Farther travel?
As the Long Now Foundation reminds us, a four-digit date is really short-sighted. So Doc didn’t want to travel to 10,000 C.E. and see if Zager & Evans were right? And what if he wanted to go meet Amenhotep? How does he specify 1526 B.C.E.? It seems unduly constrained.
Misleading mapping
I don’t know what those LEDs to the left of the input panel do, but I can tell they’re poorly mapped. The colors go, from top to bottom: red, yellow, and green, like a stoplight. Then there’s the extra white LED below that maps to nothing. But the LED colors on the display go from top to bottom red for destination, green for present, yellow for last time departed. Better mapping would have these two agree, or distinct color schemes.
Missing controls
In 1985 dialing a telephone number worked much like the dial-a-date seen here. Punch a sequence of numbers and the system runs with the input. But instant-input systems need a way to correct errors; either the ability to review and correct the input, or to abort the input altogether and start over.
Phone users from back then will recall it was entirely possible to mistype a digit and dial a wrong number. You’d be connected to a stranger who had no idea who this “Marty” you wanted was. This is more serious in the DeLorean than on a phone, as it drops the user into circumstances potentially much more dire, from which there might be no recovery. What would happen if they had accidentally wound up in 21 October 1015? Wholly different story. Is Biff distantly related to Cnut the Great?
Doc might be able to review the input on the display before getting up to speed, but there’s no obvious control for aborting input so far and starting over. (What if he has skipped a digit instead of mistyping one?) A simple delete button would help him correct mistyped digits. Even if he mistyped the first one and only realized it at the end, it wouldn’t be too burdensome to press delete the handful of times.
Rich preview
How does the system confirm for Doc that he’s entered the right date he intended to? On one level, sure, the 7-segment LED output is clear and unambiguous. It’s a nice discrete number. But of course 7-segment 1989 isn’t that easy to distinguish from 1898 when you’re distracted. Better would be to give a preview of the meaning of the choices entered (but not yet enacted) by the user. If there was a video screen in the car, then maybe it could show scenes from old Westerns with the label “Headed to 1898: The Old West.” You could even do it with the cars’ speakers and an audio soundscape if a screen wouldn’t work for space or distraction reasons.
Security
As noted in the overview, Biff(2015) gets into the car to make off for 1955 early in the film. I can’t quite figure out how he was able to figure out turning on the time circuit and that the 88MPH was a target speed, but he did. (Seriously, looking for fan theories here.) Of course Doc might have designed everything to be perfectly understandable for Marty, but that’s no excuse to avoid authenticating the user, since Doc is so panicked about the consequences of the time travel that he’s doing all the times. [sic]
The Barbasol can is a camouflaged container that Nedry uses to smuggle genetic information, i.e. dinosaur embryos, off the island to an unnamed group that is willing to pay him a lot of money for this act of industrial espionage.
The exterior case looks identical to an off-the-shelf can of Barbasol shaving cream, and hides a metal cradle for the DNA vials. With a twist, the cradle pops up. When twisted back, the cradle locks into place. Dennis uses this under tight time constraints to steal the DNA samples and carry them.
Near the end of the movie, he falls and loses the can. It rolls away into a pile of silting mud where it will be impossible to find (though Nedry doesn’t live long enough to look for it). Greed gets its comeuppance.
Would you want one of these today?
This device would prove really problematic today. First, it would never make it past modern security at an airport. It’s too big. Given the acceptable travel-sized can, that’s like five crummy embryos at the most. That eliminates a big backup plan for Nedry and the MysteryCo if the getaway plan involves anything other than privately chartered transportation. Which, given the need for secrecy, we can presume.
Second, the large, round shape is too big to comfortably grip and its cylindrical shape basically guarantees that it’s going to get lost if it gets dropped. You know, which is exactly what ends up happening. What was the original plan, a moistened bar of soap?
Third, anyone can open the can. There is no key. Given that Barbasol cans are actually a commonly-available diversion safe, you might want to lock that thing down with a magnetic key that’s still undetectable, but won’t let the baggage handler walk off with your millions.
Admittedly, this might be a real world thing because of the movie. It’s hard to say.
Finally, since to the casual observer it has to look and function identically to a Barbasol can, it runs the grave risk of being swapped for one, accidentally or in some gritty-reboot Spy Vs. Spy fan fiction. Including a passive RFID call-and-response API would enable identification, status indication, and triangulation for, say, if the thing ever gets lost in the silt of a tropical island in the Caribbean Sea.
So, if there’s going to be any dinosaur embryo smuggling in the future, and I’m looking at you, Dodgson, it should pass modern security. So maybe a travel sized can of Barbasol and I don’t know, mousse? Does anyone still use mousse? This size will be easier to zip into a pocket. Make sure Nedry has zipping pockets. Give the can a hidden lock to deter casual unscrewers, and be able to wirelessly query for identification or loss. And maybe someone as bumbling as Nedry can fetch you the goods without getting himself turned into raptor chow.
The Drones’ primary task is to patrol the surface for threats, then eliminate those threats. The drones are always on guard, responding swiftly and violently against anything they do perceive as a threat.
During his day-to-day maintenance, Jack often encounters active drones. Initially, the drones always regard him as a threat, and offer him a brief window of time speak his name and tech number (for example, “Jack, Tech 49”) to authenticate. The drone then compares this speech against some database, shown on their HUD as a zoomed-in image of Jack’s mouth and a vocal frequency.
Occasionally, we see that Jack’s identification doesn’t immediately work. In those cases, he’s given a second chance by the drone to confirm his identity.
Although never shown, it is almost certain that failing to properly identify himself would get Jack immediately killed. We never see any backup mechanism, and when Jack’s response doesn’t immediately work, we see him get very worried. He knows what happens when the drone detects a threat.
Zero Error Tolerance
This pattern is deadly because it offers very little tolerance for error. The Drone does show some desire to give Jack a second chance on his vocal pattern, but it is unclear how many total chances he gets.
On a website, if I enter my password wrong too many times it will lock me out. With this system, the wrong password too many times will get Jack killed.
There are many situations where Jack may not be able to immediately respond:
Falling off his bike and knocking himself out
Focus on repairing a drone, when a second drone swoops in to check the situation out
Severe shock after breaking a limb
etc…
As we see in the crashed shuttle scene, the Drones have no hesitation in killing unconscious targets. This means that Jack has a strong chance of being killed by his Drone protector in some of the situations where he needs help the most.
A more effective method could be a passive recognition system. We already know that the drone can remotely detect Jack’s biosignature, and that the Tet has full access to the Drone’s HUD feed.
The Drone then could be automatically set to not attack Jack unless the Tet gives a very specific override. Or, alternatively, the Drone could be hard-wired to never attack Jack at all (though this would complicate the movie’s plot). In any situation where it looks like the Drone might attack anyways, the remote software Vika uses could act as a secondary switch, providing a backup confirmation message.
That said, we must acknowledge that this system excels at is keeping Jack nervous and afraid of active drones. While they help him, he knows that they can turn on him at any moment. This serves the TET by keeping Jack cowed, obedient, and always looking over his shoulder.
Ethical Ramifications
The Drones are built as autonomous sentries, able to protect extraordinarily expensive infrastructure against attack. They need to be able to eliminate that threat, quickly and efficiently. Current militaries are facing the exact same issues. Even though they have pledged (for now) to not build autonomous kill systems, modern military planners may find value in having a robot perform a drudging, dangerous task like patrolling remote infrastructure.
The question asked best in Oblivion is “What should constitute a threat?”
Drones fire mercilessly on unarmed civilians and armed enemy militia, but do not attack armed friendly soldiers (Jack). This already implies some level of advanced threat analysis, even if we abhor the choices the Drone makes.
The Future
Military Planners will need to answer the same question: How does the algorithm determine a threat? With human labor becoming more and more expensive both monetarily and emotionally, the push for autonomous drone systems will become even stronger for future conflicts.
There is still enough time to research and test potential concepts before we have to make a decision on autonomous drones.
Interaction Design Lessons:
Don’t threaten civilians and non-combatants.
Give clear feedback of limits and consequences if a deadly pattern is about to be activated.
As far as Carmen is concerned, the shuttle is small fries. Her real interest is in piloting a big ship, like the Rodger Young.
On her first time at the helm as Pilot Trainee, she enters the bridge, reports for duty, and takes the number 2 chair. As she does, she reaches out to one of two panels and flips two green toggle switches simultaneously down, and immediately says, “Identify.”
In response her display screen (a cathode ray tube, guys, complete with bowed-glass surface!)—which had been reading STATION STANDBY in alternating red and yellow capitals—very quickly flashes the legend VOICE IDENTITY CONFIRMED in white letters before displaying a waveform with the label ANALYZING VOICEPRINT, ostensibly of her voice input. Then, having confirmed her identiy, it displays her IDENTIFICATION RECORD, including her name, portrait, mission status, current assignment, and a shouty all-caps red-letter welcome message at the bottom: WELCOME ABOARD ENSIGN. There are tables of tubles along the bottom and top of these screens but they’re unreadable in my copy.
She then reaches to the panel of physical controls again, and flips a red toggle switch before pressing two out of a 4×4 grid of yellow-orange momentary buttons. She sits back in her seat, and turns to see the ridiculously-quaffed Zander in the adjacent chair. Plot ensues.
Some challenges with this setup.
Input
It looks like those vertical panels of unlabeled switches and buttons are all she’s got for input. Not the most ergonomic, if she’s expected to be entering data for any length of time or under any duress.
Output
Having the display in front of her makes a great deal of sense, since most of the things she’s dealing with as either a pilot or navigator are not just out the front viewport.
Workflow
The workflow for authentication is a little strange, and mismatched for the screens we see.
A toggle switch might make sense if it’s meaning was “I am present.” But we can imagine lots of other ways the system might sense that she is present passively, and not require her to flip the switch manually.
Why would it analyze the voiceprint after the voice identity was confirmed? It would have made more sense to have the first screen prompt her to provide a voice print, like “Provide voiceprint” with some visual confirmation that it’s currently recording and sensitive to her voice. Then when she finishes speaking the sample, then the next can say Analyzing voiceprint with the recorded waveform, and the final screen can read Voice identity confirmed, before moving on. I can’t readily apologize for the way it’s structured now. Fortunately it zips by so that most folks will just get it.
The waveform
That waveform, by the way, is not for the word “identify.”. I opened the screen cap, isolated the “waveform”, tweaked it in Photoshop for levels, and expanded it.
I ran this image through the demo of a program called PhotoSounder. What played from my speakers was more like astronomy recordings than a voice. Admittedly, it’s audio interpreted from a very low-rez version of the waveform, but seriously, more data is not going to help resolve that audio spookiness into human language.
Props to the interface designers for NOT showing the waveform of sounds in the Rodger Young’s database. It would be explanatory, of course, to immediately see the freshly recorded one being compared against the one in the database. But it would not be very secure. A malefactor would just be able to screen cap or photograph the database version, interpret the waveform like I did for the sound above, and play it back for the system for a perfect match.
Multifactor authentication
Additional props to whoever specced the password button presses after the login. She might be setting a view she wants to see, but I prefer it to mean the system is using multifactor authentication. She’s providing a password. Sure, it’s a weak one—2 hexadecimal characters—but it’s better than nothing, and would even help with the hacking I described in the above section.
The welcome message
Finally, the welcome message feels a little out of place. Is this the only place she encounters the computer system? The literal sense of “welcome aboard” is to welcome someone aboard, which would be most appropriate only when they, you know, come aboard, which surely was some time ago. Carmen at least had to drop her stuff off in quarters. It’s also used by individuals who have been aboard welcoming newcomers the first time they greet them. But that anthropomorphizes this interface, which through this interaction and the several we’ll see next, would be dangerously overpromising.
I have a special interest in sci-fi doors, so, for completeness in the database, I’m going to document what’s we see with the security doors of the Rodger Young, which is not much.
To access the bridge, Carmen walks through a short corridor, with large, plate-metal doors at either end. As she approaches each, they slide up over the course of about a second, making a grinding sound as they rise, and a heavy puff of air when they are safely locked open. (If they’re automatic, why don’t they close behind her?) The lower half-meter of each door is emblazoned with safety stripes.
Carmen appears to do nothing special to authenticate with the doors. That either means that there is no authentication, or that it’s a sophisticated passive authentication that works as she approaches. I suggested just such a passive authentication for the Prometheus escape pod. The main difference in what I recommended there and what we see here is that both Carmen and the audience could use some sort of feedback that this is happening. A simple glowing point with projection rays towards her eyes or something, and even a soft beep upon confirmation.
The only other time we see the door in action is after Carmen’s newly plotted course "discovers" the asteroid en route to Earth. It’s a Code Red situation, and the door doesn’t seem to behave any differently, even admitting about half a dozen people in at a time, so we have to presume that this is one those "dumb" doors.
For personal security during her expeditions on Earth, Eve is equipped with a powerful energy weapon in her right arm. Her gun has a variable power setting, and is shown firing blasts between “Melt that small rock” and “Mushroom Cloud visible from several miles away”
After each shot, the weapon is shown charging up before it is ready to fire again. This status is displayed by three small yellow lights on the exterior, as well as a low-audible charging whine. Smaller blasts appear to use less energy than large blasts, since the recharge cycle is shorter or longer depending on the damage caused.
On the Axiom, Eve’s weapon is removed during her service check-up and tested separately from her other systems. It is shown recharging without firing, implying an internal safety or energy shunt in case the weapon needs to be discharged without firing.
While detached, Wall-E manages to grab the gun away from the maintenance equipment. Through an unseen switch, Wall-E then accidentally fires the charged weapon. This shot destroys the systems keeping the broken robots in the Axiom’s repair ward secured and restrained.
Awesome but Irresponsible
I am assuming here that BNL has a serious need for a weapon of Eve’s strength. Good reasons for this are:
They have no idea what possible threats may still lurk on Earth (a possible radioactive wasteland), or
They are worried about looters, or
They are protecting their investment in Eve from any residual civilization that may see a giant dropship (See the ARV) as a threat.
In any of those cases, Eve would have to defend herself until more Eve units or the ARV could arrive as backup.
Given that the need exists, the weapon should protect Eve and the Axiom. It fails to do this because of its flawed activation (firing when it wasn’t intended). The accidental firing scheme is an anti-pattern that shouldn’t be allowed into the design.
The only lucky part about Wall-E’s mistake is that he doesn’t manage to completely destroy the entire repair ward. Eve’s gun is shown having the power to do just that, but Wall-E fires the weapon on a lower power setting than full blast. Whatever the reason for the accidental shot, Wall-E should never have been able to fire the weapon in that situation.
First, Wall-E was holding the gun awkwardly. It was designed to be attached at Eve’s shoulder and float via a technology we haven’t invented yet. From other screens shown, there were no physical buttons or connection points. This means that the button Wall-E hits to fire the gun is either pressure sensitive or location sensitive. Either way, Wall-E was handling the weapon unsafely, and it should not have fired.
Second, the gun is nowhere near (relatively speaking) Eve when Wall-E fires. She had no control over it, shown by her very cautious approach and “wait a minute” gestures to Wall-E. Since it was not connected to her or the Axiom, the weapon should not be active.
Third, they were in the “repair ward”, which implies that the ship knows that anything inside that area may be broken and do something wildly unpredictable. We see broken styling machines going haywire, tennis ball servers firing non-stop, and an umbrella that opens involuntarily. Any robot that could be dangerous to the Axiom was locked in a space where they couldn’t do harm. Everything was safely locked down except Eve’s gun. The repair ward was too sensitive an area to allow the weapon to be active.
In short:
Unsafe handling
Unauthorized user
Extremely sensitive area
Any one of those three should have kept Eve’s gun from firing.
Automatic Safeties
Eve’s gun should have been locked down the moment she arrived on the Axiom through the gun’s location aware internal safeties, and exterior signals broadcast by the Axiom. Barring that, the gun should have locked itself down and discharged safely the moment it was disconnected from either Eve or the maintenance equipment.
A Possible Backup?
There is a rationale for having a free-form weapon like this: as a backup system for human crew accompanying an Eve probe during an expedition. In a situation where the Eve pod was damaged, or when humans had to take control, the gun would be detachable and wielded by a senior officer.
Still, given that it can create mushroom clouds, it feels grossly irresponsible.
In a “fallback” mode, a simple digital totem (such as biometrics or an RFID chip) could tie the human wielder to the weapon, and make sure that the gun was used only by authorized personnel. (Notably Wall-E is not an authorized wielder.) By tying the safety trigger to the person using the weapon, or to a specific action like the physical safeties on today’s firearms, the gun would prevent someone who is untrained in its operation from using it.
If something this powerful is required for exploration and protection, it should protect its user in all reasonable situations. While we can expect Eve to understand the danger and capabilities of her weapon, we cannot assume the same of anyone else who might come into contact with it. Physical safeties, removal of easy to press external buttons, and proper handling would protect everyone involved in the Axiom exploration team.
Sandmen surrender any physical objects recovered from the bodies of runners to the Übercomputer for evaluation via a strange device I’m calling The Evidence Tray.
As a Sandman enters the large interrogation chamber, a transparent cylinder lowers from the ceiling. At the top of this cylinder an arm continuously rotates bearing four pin lights. A chrome cone sits in the center of the base. The Sandman can access the interior of the cylinder through a large oblong opening in the side the top of which is just taller than Sandmen (who seem to be a near-uniform height).
The Sandman puts any evidence he has found into the bottom of this cylinder. (What if the evidence was too large to fit? What if the critical evidence is not physical, or ephemeral? But I digress.) In response to his placing the objects, lights on the rotating arm illuminate, scanning them. The voice of the Übercomputer prompts the Sandman to “identify,” a request that is repeated on a large screen mounted on the wall in view through the transparent backing of the Evidence Tray.
The Sandman identifies himself by placing his palm on a cone in the cylinder’s center, positioning his lifeclock in the small indention in its tip. The base section of the cylinder illuminates, and after a pause, the voice and screen confirm that his identity has been “affirmed.” Logan removes his hand, and in a flash of blue light the objects in the tray disappear. The film gives no clue as to whether the objects are teleported somewhere or disintegrated into thin air.
Objections
There are of course the usual objections to the authentication. The lifeclock check is really a biometric check, something that Logan “is” (since he can’t remove the lifeclock) and—per the principles of multifactor authentication—should need to provide an additional factor, such as something he has (like a key) and something he knows (like a password).
There’s another objection there to the fact that the authentication requires that his hand be put into a teleport/distingration chamber. Perhaps narratively this shows the audence the insane levels of trust citizens have in their Nanny Program, but for the real world let’s just say it’s best that you don’t require police to submit to a Flash Gordon Wood Beast just to hand over exhibit A.
There’s a nice touch to the transparent walls allowing him to see the computer screen through it, to get the visual confirmation of what he’s hearing. But I suspect the curved surface also adds a bit of distortion to his view that doesn’t help readability. So the industrial design aspects of the interface sort of even out. Unless I’m missing something. Any industrial designers want to weigh in?
A final objection is the unnecessarily vast architecture that is part of the workflow. Why this giant room with a thin cylinder in the middle of it? Sure there are narrative reasons for it (welcome to this digital heart of darkness) but it seems like something that Sandmen would be doing routinely, and this giant ritual just makes a creepy, big deal about it.
Better
Better might be a wide, waist-high cubby off to the side of their offices, whatever those are, with a wide tray and computer screen. Sandmen could drop the evidence into the tray and place their hands into an authenticator outside the tray, initiating the scan. This would save them the awkward time of waiting for the computer to order them to authenticate, and tightly couple the objects with their identity. The improved semiotics say, “I, Logan, found these and am surrendering them to you.” Then if the computer needed to speak more about it, it could summon them to an interlocution room, or something with a similarly awkward 70s name.
The multipass is the all-purpose card of 2263. It’s a driver’s license, work authorization record, proof of identity, emergency medical information, phone card, plus all your credit cards in one. There is a white rectangle and yellowish, rounded-bevel shape on the lower left, each of which may be a button, but that we don’t see in use.
Often just showing it is enough for a human’s satisfaction, but sometimes it must be read by a machine. To do this, the holder inserts it into a slot, where the machine verifies its authenticity and registers the user locally. In Korben’s taxi, he has to leave it in as he operates the vehicle. At the Fhloston Paradise check-in booth, travelers dip it in and out of the reader.
The act of inserting the card to authenticate may seem a bit old-fashioned in the days of RFID and read-at-a-distance technology, but it’s also nice to see that whatever agency was able to get the various corporations and government agencies to cooperate has also got privacy in mind. If it needs to be dipped to be read, maybe it can’t be read at a distance. That means the holder has more control over when and how it’s accessed.
As far as convenience, hot damn. It’s practically a wallet in and of itself. But there are security concerns to having all of this in one place. There are many cards that work like this in the world. Bus passes, skeeball tickets, gift cards. They’re generally low-cost. If you steal or forge Korben Dallas’ multipass, though, do you suddenly have his charge accounts, his taxi, and his phone card all at once? Seems high-cost, especially since the one forgery we see in the movie actually works.
This returns us, as so many things do, to multifactor authentication. This security philosophy requires that the user presents three factors: something they have, something they are, and something they know. The multipass covers only the first two.
The multipass itself is the thing they have.
The picture is something they are, i.e., what they look like.
It could be improved by requiring something they know, like a PIN or a password.
We don’t know what kind of power Cornelius’ order wielded in the world, but since it wasn’t enough to sway the president or purchase tickets to Paradise, let’s presume it wouldn’t have been enough to uncover Korben’s password, and in that case, the PIN would have foiled the attempted forgery.
