×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hacker Club Publishes German Official's Fingerprint

kdawson posted about 6 years ago | from the sauce-for-the-goose dept.

Hardware Hacking 253

A number of readers let us know about the Chaos Computer Club's latest caper: they published the fingerprint of German Secretary of the Interior Wolfgang Schäuble (link is to a Google translation of the German original). The club has been active in opposition to Germany's increasing push to use biometrics in, for example, e-passports. Someone friendly to the club's aims captured Schäuble's fingerprint from a glass he drank from at a panel discussion. The club published 4,000 copies of their magazine Die Datenschleuder including a plastic foil reproducing the minister's fingerprint — ready to glue to someone else's finger to provide a false biometric reading. The CCC has a page on their site detailing how to make such a fake fingerprint. The article says a ministry spokesman alluded to possible legal action against the club.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

253 comments

Respect, respect maan! (4, Insightful)

Anonymous Coward | about 6 years ago | (#22906604)

I'd like to see this done to officials in all countries.

Reminds me of Gone in 60 seconds (the Jolie version) where one of the car-thieves glues on Elvis' fingerprints.

Re:Respect, respect maan! (4, Insightful)

dpx420 (1210902) | about 6 years ago | (#22906792)

Yeah if someone tried this with a high ranking government official in China or somewhere, they would indeed mysteriously 'disappear' in 60 seconds.

Re:Respect, respect maan! (5, Funny)

Foobar of Borg (690622) | about 6 years ago | (#22906838)

Yeah if someone tried this with a high ranking government official in America, China or somewhere, they would indeed mysteriously 'disappear' in 60 seconds.
There, fixed that for you. I guess now it's Germany, Land of the Free, Home of the Brave (WTF?)

Re:Respect, respect maan! (3, Funny)

Anonymous Coward | about 6 years ago | (#22906906)

I'm a retarded asshole
There, I fixed all your comments for you.

gag (2, Funny)

Anonymous Coward | about 6 years ago | (#22906630)

They should do that to the head of the TSA and put him on the no fly list

couldn't possibly have negative consequences (4, Interesting)

Shadowruni (929010) | about 6 years ago | (#22906636)

So.... let's see.
Oh all the people to humiliate... a senior public official who sets policy for something you directly care about.
This couldn't possibly turn out badly.

Re:couldn't possibly have negative consequences (5, Informative)

Yokaze (70883) | about 6 years ago | (#22906774)

Hardly. The CCC is a highly prolific club and is very likely keen on some legal "retaliation", as it would generate even more public attention on that matter.
Since the Home Secretary stated, that storing fingerprints is no privacy concern, he would be hard pressed to explain his stance.

Re:couldn't possibly have negative consequences (1, Interesting)

Anonymous Coward | about 6 years ago | (#22906850)

Since the Home Secretary stated, that storing fingerprints is no privacy concern, he would be hard pressed to explain his stance.

I know german law is byzantine, but surely they can find something along the lines of estoppel [wikipedia.org] in there.

Re:couldn't possibly have negative consequences (1)

Propaganda13 (312548) | about 6 years ago | (#22907004)

Since the Home Secretary stated, that storing fingerprints is no privacy concern, he would be hard pressed to explain his stance.
I know german law is byzantine, but surely they can find something along the lines of estoppel in there.

Estoppel sounds more like the defense for the CCC, not for the Home Secretary.

Re:couldn't possibly have negative consequences (1)

santiagodraco (1254708) | about 6 years ago | (#22907008)

Capturing another persons fingerprint and then distributing it to the general public ostensibly for "faking" the identity of that individual... sure seems like grounds for criminal action to me.

Re:couldn't possibly have negative consequences (5, Insightful)

Belial6 (794905) | about 6 years ago | (#22907122)

It likely is. In just the same way that sinking the Titanic before any passengers boarded would have been grounds for criminal action.

Re:couldn't possibly have negative consequences (3, Insightful)

gerardolm (1137099) | about 6 years ago | (#22907150)

Let's say you lose your ID card. Someone else could take it and fake that he/she is you. Are you guilty of anything?

Re:couldn't possibly have negative consequences (4, Insightful)

Anonymous Coward | about 6 years ago | (#22906782)

Since a senior public official still remains a public official, it could probably be defended on the same grounds that allow for political satire. It is expressly allowed in most countries to make fun of political figures, especially if you're doing it from a political standpoint yourself.

Then again, we also have a new buzzword for crime with ideological motives. It's called terrorism...

I'm reminded of a scene from Fight Club (0)

Anonymous Coward | about 6 years ago | (#22906852)

The club has been active in opposition to Germany's increasing push to use biometrics in, for example, e-passports. Someone friendly to the club's aims captured Schäuble's fingerprint from a glass he drank from at a panel discussion.

This chaos computer club reminds me of another club. [youtube.com] Go CCC!

Re:couldn't possibly have negative consequences (5, Funny)

dirtsurfer (595452) | about 6 years ago | (#22907350)

>> Oh all the people to humiliate... a senior public official who sets policy for something you directly care about. This couldn't possibly turn out badly.

I love the idea that the way to make politicians do what you want is to be nice to them.

so apparently Monica Lewinsky was probably about a week away from getting us all free national healthcare, too. Curse you, mainstream media!

In future news... (5, Funny)

Spartan Niner (1264332) | about 6 years ago | (#22906638)

We hear that Wolfgang Schäuble is convicted of committing 17 crimes. Simultaneously

Re:In future news... (5, Insightful)

metlin (258108) | about 6 years ago | (#22906718)

One can only hope.

What better way than a senior official to be convicted of crimes as a result of identity theft because officials such as him decided that privacy didn't really matter anymore?

Personally, I sincerely wish that this happens in all the countries which have fingerprinting in place. Enough already.

Re:In future news... (1)

peragrin (659227) | about 6 years ago | (#22906960)

actually it would only have to happen once or twice, People would start to realize that biometerics are useless for confirming Identity. DNA now that is good, and it is something difficult to duplicate. Now all we need is field DNA testing and database of DNA to compare to. Of course knowing the government said Database would run windows be comprised, and i get to be Brad Pit, by DNA testing.

Re:In future news... (2, Insightful)

LurkerXXX (667952) | about 6 years ago | (#22907380)

I'll be by later to snag a few hairs out of your comb. Never mind why I want them...

I make DNA all day in the lab. It's getting easier and cheaper to make every year.

DNA isn't going to turn out to be any more of a panacea than fingerprints.

Wait until the mental dinosaurs retire? (1, Interesting)

Futurepower(R) (558542) | about 6 years ago | (#22907234)

People have strong opinions about technology without bothering to understand it.

It's the same in politics. People call the U.S. government's action in Iraq a war, but killing Iraqis is only a distraction from the real purpose. The real purpose is stealing money from the U.S. taxpayer.

Obviously, at more than $1,000,000 per Iraqi killed, most of them very poor, the "war" is mostly about money, and the killing is only required to draw attention away from the real purpose.

How will the astounding ignorance of technology get resolved? Maybe we will have to wait until all the old dinosaurs retire. When I say "old dinosaurs", I am not talking about chronological age, I am talking about mental age. Some 24-year-olds are old dinosaurs mentally.

Movies come to mind... (1)

AnomaliesAndrew (908394) | about 6 years ago | (#22907274)

The Net...
Minority Report...
Demolition Man...
Judge Dread...

What makes this clownshoe Wolfgang Schäuble think it'll work any better in real life than it always has in the movies?

Re:In future news... (4, Insightful)

Naughty Bob (1004174) | about 6 years ago | (#22906760)

We hear that Wolfgang Schäuble is convicted of committing 17 crimes. Simultaneously
17 One-fingered crimes at that...

Re:In future news... (2, Funny)

Anonymous Coward | about 6 years ago | (#22906908)

17 One-fingered crimes at that...
Well if he isn't your doctor...

Re:In future news... (1)

Spartan Niner (1264332) | about 6 years ago | (#22906910)

You only need one finger to pull a trigger ;-) But yes, it would seem that our good friend Wolfgang has some fast fingers to be in 17 places simultaneously.

Re:In future news... (5, Funny)

evil_aar0n (1001515) | about 6 years ago | (#22906952)

On the other hand - no pun intended - this might actually work out in his favor, since he _could_ go out and commit a crime, and they'd have to wonder whether the fingerprint evidence was valid or not.

Good for them (5, Insightful)

Scareduck (177470) | about 6 years ago | (#22906648)

High officials often seem to think the consequences of privacy-invading legislation will only occur to other (read: little) people. It's good to remind people in those positions that they do not have absolute power, and that they need to think about second order consequences.

Re:Good for them (5, Interesting)

swright (202401) | about 6 years ago | (#22906726)

Maybe this is what you meant, but I just think this is the perfect example to illustrate to all how biometrics are just NOT the be-all and end-all. If only for the one simple fact that he cannot change his fingerprint like he could a password that got compromised!

Re:Good for them (1)

Hyppy (74366) | about 6 years ago | (#22906806)

Biometrics, to most security professionals, are far from the end-all solution. Multi-factor authentication is recommended for most.

Here's the basic triad of authentication mechanisms:
- Something you are (fingerprint, retina, etc)
- Something you have (access card, RSA key fob, etc)
- Something you know (password, PIN, etc)
Choose one for basic security. Choose two for great security. Choose three for ironclad security.

Re:Good for them (4, Insightful)

IgnoramusMaximus (692000) | about 6 years ago | (#22906842)

All three easily solved via a security by-pass incentive in a form of a pistol to the head or a kidnapped lover/child/dog etc which will "get it" if you do not cooperate or some poison with time release and the antidote delivered upon your succesful authentication, etc and so on and on and on and on.

"Ironclad security" does not exist.

Re:Good for them (4, Funny)

Morten Hustveit (722349) | about 6 years ago | (#22906904)

"Ironclad security" does not exist.

Not even when you completely cover something with iron?

Re:Good for them (4, Funny)

Plutonite (999141) | about 6 years ago | (#22907396)

Ironclad Security only exists when you have Chuck Norris on the shift. Do we really have to discuss this?

Re:Good for them (5, Interesting)

aproposofwhat (1019098) | about 6 years ago | (#22906934)

Two words.

Duress codes.

Enter one code to authenticate normally, another to flag up that you are being forced to authenticate.

Not quite ironclad, but an extra level of safety.

Re:Good for them (1)

Propaganda13 (312548) | about 6 years ago | (#22907026)

Duress codes are just a silent alarm.

The criminal still has a gun pointed at you or your family.

Re:Good for them (2, Insightful)

TheSpoom (715771) | about 6 years ago | (#22907168)

Yes, because it would be unconscionable to design a system where the duress code did not let you in. I would assume the duress code successfully authenticates you but alerts security.

Re:Good for them (0)

Anonymous Coward | about 6 years ago | (#22907266)

or lets you in to a fake system altogether...

Re:Good for them (5, Funny)

Matt Perry (793115) | about 6 years ago | (#22907096)

Enter one code to authenticate normally, another to flag up that you are being forced to authenticate.
Then they'd have to keep TWO post-it notes under their keyboard.

Re:Good for them (0)

Anonymous Coward | about 6 years ago | (#22907068)

Easily? Hardly.

Giving up my password under duress sounds like a really bad deal. Even after I authenticated for you, why would you let me go, then? I could go after you, I could sic the police on you, etc. If you're prepared to kill my self/lover/child/dog if I *don't* do it, you're probably equally willing to kill us all as soon as I *do* do it. I have no guarantee you will (or even can) let me or my family go, and I don't even think it's likely.

A gun to the head is easy: bang, I'm dead. Time-release poison is also easy. Torture might work -- if you think I'll still have presence of mind to remember the password after being tortured (of the couple dozen passwords I have right now!).

Besides, what do you want? My bank PIN? There are far easier ways to get it -- steal my ID, dress up like me, practice my signature, and go ask a bank teller to reset it. (Kidnapping and torture is just a stupid risk.) Unless you're in a Steven Seagal movie, these "gun to the head" situations are just philosophical wanking, not an effective strategy.

3rd World Countries (0, Troll)

nx6310 (1150553) | about 6 years ago | (#22906986)

thats why its so cool living in iraq, where my turban government is so clueless when it comes to technology, they probably believe Biometrics are the work of the devil, and the americans use a non-centralized database biometrics based authentication process, in other words, they both can't work em right.

Re:Good for them (0)

Anonymous Coward | about 6 years ago | (#22907142)

High officials often seem to think the consequences of privacy-invading legislation will only occur to other (read: little) people.
It will only occur to litte people. Politicians are in Germany officially not controlled nor is their telecommunications data collected. That just happens to the others...

MOB RULE!!! (0)

Anonymous Coward | about 6 years ago | (#22906650)

I love it!

Brave defenders of freedom (1)

Bromskloss (750445) | about 6 years ago | (#22906662)

I salute you, impressed by your action!

Re:Brave defenders of freedom (5, Insightful)

Anonymous Coward | about 6 years ago | (#22906758)

At least they get off their asses unlike American's who cry about the Constitution but do fuck all about it.

Bush was right, it is JUST a piece of PAPER. Why? Because American's do NOTHING about it and do not believe in it.

This is plain to see by their inactions.

Biometrics: lamest of all security protocols (4, Insightful)

DamnStupidElf (649844) | about 6 years ago | (#22906704)

At least until extreme body modification is commonplace, biometrics suck for identification. It's the only modern "security" mechanism that lacks revocation. Without revocation, a security model is eternally broken as soon as one chink is found.

A person only has 20 digits, 2 palms, 2 soles, 2 retinas, and one genome. All of the biometric properties of those can easily be duplicated with noninvasive methods (simply enrolling in a biometric system requires the same access as duplication would). When one of those 27 properties is compromised, how do you revoke its use? I guess start with the fingers and palms and as people get older they have to start using their feet for identification, and at the very last make them get pricked for each identification. When all the biometric identifiers are used up, the now useless (at least in a Secure(TM) society) people can be recycled in the soylent green program or something.

Re:Biometrics: lamest of all security protocols (1, Funny)

Anonymous Coward | about 6 years ago | (#22906738)

Soylent Green is people?

Re:Biometrics: lamest of all security protocols (5, Funny)

Fission86 (1070784) | about 6 years ago | (#22906832)

When one of those 27 properties is compromised, how do you revoke its use?
Cut it off?

Ah, the Yakuza solution. (3, Funny)

Chas (5144) | about 6 years ago | (#22906888)

Yep. The problem is, what do you do if they compromise multiple sections of your biometric profile?

Bob: DAN! What the fuck happened to you? You have no arms and not legs.
Dan: And no testicles either. They took those too.
Bob: No tes..what happened?
Dan: Somebody got a copy of my biometric profile. So we had to make changes...
Bob: But you have no arms and no legs!
Dan: They even changed my name...
Bob: They did? What's your name now?
Dan: Matt

Re:Biometrics: lamest of all security protocols (1)

w3c.org (1039484) | about 6 years ago | (#22906892)

Ok, let me explain this: I only have eight fingers (five on right hand, three on left hand, call it a deformity), and what's interesting is that one of my left hand finger has a digital print different from the other. It has a straight digital print, whereas my other fingers have a left curved one ( | instead of / ) So: am I able to be delivered a passport or some kind of identity on which this deformity appear ? If not, well, where can I apply for a serial-killer job, knowing I can offer the guarantee of never being on any list ?

Re:Biometrics: lamest of all security protocols (0)

Anonymous Coward | about 6 years ago | (#22907294)

biometrics suck for identification. It's the only modern "security" mechanism that lacks revocation

PGP keysigning doesn't count as modern? ;)

T-shirt (1, Insightful)

BlueParrot (965239) | about 6 years ago | (#22906710)

Seriously, maybe a protest with loads of people wearing his fingerprint on a T-shirt would get the message across ...

Re:T-shirt (1)

saibot834 (1061528) | about 6 years ago | (#22907072)

You can already get his picture on T-Shirts [spreadshirt.net] (The protesters call the current political course "Stasi 2.0 [wikipedia.org] ")

But the whole point of this is actually the E-Pass which contains fingerprints and is supposed to be absolutely safe. And the CCC has shown ways to make a fake fingerprint [youtube.com] with some glue in less than an hour.

No better thant he status quo? (4, Interesting)

EaglemanBSA (950534) | about 6 years ago | (#22906714)

This seems a bit over the top if you ask me, but hopefully it will expose biometrics for what it is: an unchangeable, and in many cases public, password. It's not very easy to hide your fingerprints (or even your DNA, for that matter) from people who really want to find them, and to rely on them for definite identification has the same problems as a social security number. Plus, anyone with a police record would be somewhat compromised from the get go here in the U.S.

I'd hate to see people get proficient at faking fingerprints, because that leads to all sorts of interesting results in the realm of law. If fingerprint fraud becomes widespread, for example, will fingerprints at a crime scene still be valid evidence in court?

Re:No better thant he status quo? (3, Insightful)

metlin (258108) | about 6 years ago | (#22906746)

I'd hate to see people get proficient at faking fingerprints, because that leads to all sorts of interesting results in the realm of law. If fingerprint fraud becomes widespread, for example, will fingerprints at a crime scene still be valid evidence in court?
What are you talking about?! It's fantastic.

I mean, since fingerprints cannot be conclusive anymore, I foresee our politicians with moral fibers of steel pushing for more surveillance. I mean, if we cannot really tell whose fingerprints they are, we certainly need video proof! And since we do not know where a crime may happen, the policy makers (who typically have about as much morality as a pea) have decided that the way around this is to have cameras everywhere. Public restrooms and your house included.

I mean, think of the children! /cynic

Re:No better thant he status quo? (4, Funny)

rnt (31403) | about 6 years ago | (#22906844)

I mean, since fingerprints cannot be conclusive anymore, I foresee our politicians with moral fibers of steel pushing for more surveillance.
They will also be pushing for a whole new set of copyright laws, giving governments exclusive copyrights on their citizens' fingerprints. Unauthorized copying or publishing of your own fingerprints will be severely punishable!

Major flaw of biometrics (5, Insightful)

this great guy (922511) | about 6 years ago | (#22906716)

This event highlights one of the major flaw of biometrics. This official had his fingerprint copied. There is nothing he can do. He can't change it. He can't prevent people from using it. No fingerprint reader will ever be able to determine with 100% certainty whether a particular fingerprint is real or fake. Bottom line: when one of your biometric traits gets stolen, you get screwed. For life.

I hope this convinces governments that using biometrics for anything is a bad idea (other than perhaps criminal investigations, although what if this german official's fingerprint was found on a murder scene ?).

Re:Major flaw of biometrics (1)

rolfwind (528248) | about 6 years ago | (#22906820)

I disagree. Any security model is susceptible, but people should not be surprised that biometric information is duplicable -- as we are basically just results of DNA-copying ourselves.

This is like how any lock can be picked, eventually. The value is not in a lock that can't be picked, as that is an impossibility, but one that makes the level of entry significantly high so as to ward off any amateur attempts and possibly raise the suspicions of those watching -- i.e. some guy deciding the lock is too hard and bashes in a window (it doesn't stop the intrusion but alerts me something happened).

So I think biometric data can be a good thing. It significantly raises the barrier of entry -- most will try to find an easier way and other attempts may raise suspicions. The bad thing is assuming it's the be all, end all of security and never wrong.

Re:Major flaw of biometrics (4, Insightful)

BlackCreek (1004083) | about 6 years ago | (#22907062)

AFAICT the point that the parent poster was making is that unlike other security measures (say ID card, social security number etc) you just can't get a new biometric reading for your fingers (without at least some serious medical intervention), you can't get a new iris scan for your eyes, you can't get a new DNA code etc.

Biometric data may put some entry barriers higher, so what? The problem is that you just can't get a new iris scan, like you get a new passport once your gets stolen.

The worst of the situation is that we have all these politicians deciding --without the least form public debate about the real privacy implications-- that biometric data is now to be collected, and used, and kept by the government.

Re:Major flaw of biometrics (2, Funny)

Basehart (633304) | about 6 years ago | (#22906828)

That's why they should use another part of the body as an identifier, such as the penis for example?

Senior public officials could slide their penis into the reader at checkpoints and a reading quickly and easily taken.

Females could be fitted with a custom made prosthetic of some kind.

Re:Major flaw of biometrics (1)

aproposofwhat (1019098) | about 6 years ago | (#22906964)

I'm sorry, but you have just infringed on my patent no. 7209859 - Glory Hole Mk 1.

Please see the dominatrix down the corridor for your corrective treatment.

Re:Major flaw of biometrics (1)

twenex (139462) | about 6 years ago | (#22906860)

The previous comment should have been titled "the major misunderstanding of biometrics". The biometric itself is not required to be kept private. Any biometric system worth anything utilizes a combination of the sample analysis and comparison with various "liveness checks" or other heuristics to determine that the sample given came from the appropriate person. While it is worth having a debate on the relative effectiveness of these techniques, to dismiss biometrics based on the flawed "once you've lost your fingerprint..." argument is wrong.

Example checks might be:
- Fingerprint: measuring temperature, bloodflow through the finger, resistance of finger, etc
- Voice: asking the individual to respond to questions, measuring stress, etc
- Iris: measuring dilation over time, asking the subject to look left or right, etc

Various systems have had combinations of these or many other approaches. In addition, some more secure systems use a combination of biometrics (e.g. finger for identification with voice for authentication)

Again, it's worth debating how effective these approaches may be in each particular deployment scenario, but the previous post (strangely marked "insightful") is just wrong.

official's fingerprint was found on a murder scene (1)

zmollusc (763634) | about 6 years ago | (#22906980)

What if this german official's fingerprint was found on a murder scene ?

Well, duh! The police and judicial system would treat him exactly the same as someone without any political clout or friends in high places, because there is no corruption in the ruling class.

"The" finger print? (1, Interesting)

fredrated (639554) | about 6 years ago | (#22906728)

Were the other 9 digits lost in an accident?

Re:"The" finger print? (2, Insightful)

ilikepi314 (1217898) | about 6 years ago | (#22906826)

I'm sure there were other prints, but only one was needed to prove the point -- that his fingerprints and therefore biometric security just got PWNED.

Legal action? (4, Insightful)

HalAtWork (926717) | about 6 years ago | (#22906730)

The article says a ministry spokesman alluded to possible legal action against the club.
 
To what ends? You can't deter it as it's already happened, and you can't suppress it, as even the method for tricking the security system is widely known. If the security system is broken, you can't legalize it into working again. The security system was built in order to keep things safe, and now we have to keep other things safe from the security system itself.

DMCA (2, Interesting)

RichardEasterling (1123929) | about 6 years ago | (#22906734)

With the advent of Biometric Embedded Copyright Token (BECT), If this hack had been done in America, wouldn't this fall under the DMCA?

It would by interesting to try to tell the cops that they can not have your finger prints because it violates the DMCA.

A perfect demonstration to the perfect person (4, Insightful)

smolloy (1250188) | about 6 years ago | (#22906748)

This is a perfect way to demonstrate to the perfect person why such invasions of privacy are bad, and of the unintended negative consequences of their plans. Sometimes people in power forget that the "solutions" they develop to certain problems may be worse than the problems themselves. All they see is that a certain issue will be fixed -- not that the fix raises even worse issues.

Bravo!

even worse (4, Informative)

ILuvRamen (1026668) | about 6 years ago | (#22906788)

You don't have to go to any special measures really to do this. I mean plastic and all those synthetic rubber moulds and stuff that the average person couldn't do is a bit excessive. Remember on mythbusters when they tried to beat that "unbeatable" fingerprint lock on a door and managed to do it by printing off the fingerprint with a laser printer and licking it? Yeah, biometrics is a joke. And really good biometrics like DNA aren't practical or fast and the retina scan, well you do that every day for a year and see if you don't go partically blind. I can't care hoe safe they think it is. Facial recognition is pretty useless and easy to beat too. Until they find something that's 100% unique and fast and accurate, they should forget about biometics.

Has anyone tried this on a fingerprint reader? (3, Interesting)

rduke15 (721841) | about 6 years ago | (#22906794)

I wonder if anyone has actually tried making such a fingerprint copy, and then using it on a fingerprint reader like the ones on laptops etc.

Do you really get a good enough copy? How hard is it? (After all, any security can be broken somehow. So an essential aspect is the "cost" of breaking the security)

Re:Has anyone tried this on a fingerprint reader? (1)

andreas (1964) | about 6 years ago | (#22906834)

Of course. It works. With exactly the fingerprint copy distributed in the Datenschleuder.

Re:Has anyone tried this on a fingerprint reader? (2, Informative)

mactard (1223412) | about 6 years ago | (#22906856)

There was actually a Mythbusters episode that showcased how you could take a fingerprint found on a can and use it on a DoD approved biometric fingerprint scanner. It's really a useless method of security.

Re:Has anyone tried this on a fingerprint reader? (4, Informative)

rah1420 (234198) | about 6 years ago | (#22906876)

I wonder if anyone has actually tried making such a fingerprint copy, and then using it on a fingerprint reader like the ones on laptops etc.

As a matter of fact, Yes. [slashdot.org]

Re:Has anyone tried this on a fingerprint reader? (0)

Anonymous Coward | about 6 years ago | (#22906886)

Mythbusters were able to crack several commercial readers with a photocopy of a dusted fingerprint, after they licked it or something. A correctly made gel mockup would probably break any fingerprint reader that reads fingerprints. (I believe I've heard about one that reads heat signatures of blood vessels or something, and this wouldn't beat that...)

Yes, fingerprint readers are easily screwed. (4, Informative)

Flu (16236) | about 6 years ago | (#22906962)

Yes, this was done a couple of years ago in Sweden as a Master Thesis, which was described in Swedish Engineering paper Ny Teknik http://www.nyteknik.se/efter_jobbet/kaianders/article32986.ece [nyteknik.se] (sorry, swedish only). The student Marie Sandström tested a simple yello, which was created using the same method as mentioned in the article above, on three commercial fingerprint-readers on the CeBit fair in 2004.

Re:Has anyone tried this on a fingerprint reader? (1)

KillerCow (213458) | about 6 years ago | (#22906992)

I wonder if anyone has actually tried making such a fingerprint copy, and then using it on a fingerprint reader like the ones on laptops etc.

Do you really get a good enough copy?


Yes.

How hard is it?


Very easy.

GFE: fingerprint hack [google.ca] .

Re:Has anyone tried this on a fingerprint reader? (4, Informative)

88NoSoup4U88 (721233) | about 6 years ago | (#22907022)

It doesn't seem hard at all at a 'normal' reader (see Mythbusters [youtube.com] episode.

The high-end, ridicilously expensive fingerprint readers are a lot harder to crack though; But I wouldn't say uncrackable.

Re:Has anyone tried this on a fingerprint reader? (3, Insightful)

MikeFM (12491) | about 6 years ago | (#22907090)

I think the only working model is the concept of security in layers. The more layers an attacker has to dig through to compromise a systems security the more secure that system is. Biometrics alone are pretty weak. Passwords alone are pretty weak. Use them together and they're a little less weak. The biggest obstacle is the user. Will they put up with multiple security checks? Can they remember a good password? Will they notice where they're leaving behind fingerprints or if someone is trying to record their voice?

In the end you have to be realistic with your expectations for any security system. We lock our front door when we leave our house but we all know that someone that wants to get in can still get in if they want to try hard enough. When you lay in bed at night you have no way to be sure that a stranger hasn't secretly entered your home and is waiting to cut your throat in the dark. Yet we make a bigger deal over how secure access to your bank account and other sensitive information is. At some point you just have to say enough and go on with your life.

Re:Has anyone tried this on a fingerprint reader? (0)

Anonymous Coward | about 6 years ago | (#22907114)

MythBusters did it, and it worked just fine on the laptop security systems.

Re:Has anyone tried this on a fingerprint reader? (3, Informative)

Chris Pimlott (16212) | about 6 years ago | (#22907194)

wonder if anyone has actually tried making such a fingerprint copy, and then using it on a fingerprint reader like the ones on laptops etc.

Do you really get a good enough copy? How hard is it? (After all, any security can be broken somehow. So an essential aspect is the "cost" of breaking the security)
Already been done. here's a video demonstration [youtube.com] , again courtesy of our friends at CCC. Just takes a digital camera, a bit of wood glue, a bottlecap, a transparency and a bit of skin-friendly glue to apply the fake to your finger.

Mythbusters did (0)

Anonymous Coward | about 6 years ago | (#22907272)

They managed to fool 2 different readers easily.

now if only there wer a place using biometrics.. (1)

kesuki (321456) | about 6 years ago | (#22906878)

like disneyland paris to test this thumb print out...

I can't recall if disney's biometrics use just the thumb or the whole hand.. but i know people who get the year long pass have to use biometrics to get into disneyland... this is to cut down on fraud of say a person renting or selling the pass to other people, so obviously disneyland was the first place I'd even seen biometrics in public.

very cool, using this technology people can sell their biometric fake palms along with the pass to use the year round pass with other people... (although i think disney has a photo as well as the biometrics) oh well. photos can be faked as well ;)

isn't biometric authentication a good thing? (3, Interesting)

sentientbrendan (316150) | about 6 years ago | (#22906948)

Everyone knows that biometric data can be stolen, just like every other means of identifying yourself. I thought the point of biometric data was that it added one *more* piece of data that would have to be stolen before someone could successfully impersonate you.

So in addition to needing to know a pin or password, someone also needs to have stolen my fingerprint in order to take money out of my bank account. Isn't this what is called two factor authentication? Isn't that a good thing that makes it that much more difficult to steal an identity?

According to this article Germany's new passports:
http://www.itsmig.de/best_practices/ePass_en.php [itsmig.de]

they contain both fingerprint data, and a picture of the person. Thus, to steal your identity, a person would have to steal your passport, look like you, and also steal your fingerprint. This actually seems like a pretty good system that would prevent someone from using a stolen passport to steal the rightful owners identity. Without the fingerprint data, an identity theft doesn't need to do as much work.

That said, I'm not from germany, so maybe there additional nuances about this thing that I'm missing.

Re:isn't biometric authentication a good thing? (2, Insightful)

Todd Knarr (15451) | about 6 years ago | (#22907372)

Except that with most types of biometric data (eg. fingerprints), they suffer two faults: you leave copies of them everywhere, and once compromised they can't be changed. The first makes it easy for someone to compromise the authentication, as this club demonstrated. I'll bet the minister left his fingerprints on a lot more than just a single plastic cup at a panel, and lifting a fingerprint from a hard surface is relatively easy to do. And the second means that compromises are 100% absolutely fatal for the rest of your life. With a password or a PIN, if it's compromised you can just use alternative authentication and then change it. With a physical key or combination you can just change the lock or the combination on the lock and the old key or combination becomes useless. But how do you change your fingerprint? And if you can't, how does anyone from that point on know that any use of your fingerprint is really you and not an imposter? So the fingerprint check doesn't add significant difficulty in obtaining the additional authentication item, and it makes a compromise much more annoying to recover from.

You have to evaluate any security mechanism not just in terms of it's strength (resistance to compromise), but in terms of it's resilience (the consequences of a compromise and the difficulty of correcting the compromise). Biometrics tend to vary on the first, but all of them are highly brittle: any compromise tends to be total and irreparable.

Re:isn't biometric authentication a good thing? (1)

ditoa (952847) | about 6 years ago | (#22907374)

Two problem I have with biometric authentication

1. You leave it everywhere. You leave your finger prints all over your desk at work. Just look how this guys finger print was stolen from a glass.
2. You can't change it.

Two factor auth is about something you know and something you have. I would much rather the later was a usb eToken or similar and not my fingerprint!

the eye looks both in and out (1)

1 a bee (817783) | about 6 years ago | (#22907028)

I've always thought that the only viable answer to the increasing privacy invasion we face by both government and business is to turn the camera around and look back at the innards of the one that's doing the looking. What this German hacker club has accomplished is to say, "If you're gonna look here [our fingerprints], we can look back. Any hey, people are much more interested in *your* fingerprints, than some joe shmo wanna be."

That there will be more and more eyes in the future is inescapable. If we developed technology that allowed us to see who's doing the looking, I believe, then a protocol would develop. It would be roughly like the protocol people observe in a park when eye meets eye. If you catch a stranger looking too much, or without apparent reason, then you stare them down.

Re:the eye looks both in and out (1)

BlackCreek (1004083) | about 6 years ago | (#22907268)

I disagree that that is the only viable answer. While being able to "turn the camera around" is great.
The fact is that there is a huge unbalance in the resources governments have to invade our privacy, and the resources that scattered groups of citizens would have.

There is no real way to compete with their resources.

The only real solution, IMHO, is to make the majority of the population conscious of these problems and simply kick these facists-wannabes out of their offices.

Copyright your biometrics (1)

BountyX (1227176) | about 6 years ago | (#22907066)

Quick everyone, copyright your fingerprints and retina images. Then when the government tries to get a copy of it, they have to either pay royalties, or they would be violating copyright. >=) muwhahaha

Perfect alibi (4, Interesting)

oever (233119) | about 6 years ago | (#22907078)

Mister Schauble can enjoy an easy career as burglar when he's out of office. With 4000 copies of your fingerprint circulating, it cannot be used as evidence any more.

The only thing dumb thing he could get caught with is when he leaves wheelchair tracks [wordpress.com] at the scene of the crime.

Instant winnage! (1)

billcopc (196330) | about 6 years ago | (#22907400)

Hats off to the CCC, this is brilliant! How satisfying it must be to rub the government's nose in their own mess.

True hacktivism at its finest!

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...