Fingerprint Scanners Fooled By Play-Doh
* * Beatles-Beatles writes to tell us YubaNet is reporting that in recent tests by Stephanie C Schuckers, an associate professor of electrical and computer engineering at Clarkston University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds. From the article: "Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense. She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF."
Or is it starting to look like ScuttleMonkey is getting kickbacks from **Beatles-Beatles?
Better not install it in a kindergarten then.
Wow, two in a row for Beatles. This is getting ridiculous...
I'm not fat, just big boned...
It's one thing to fool fingerprint scanners. The ones described in the article use a photo system that takes a picture of the full print and detects similarities with prints on file. It does sound pretty easy to fool. However, what about swipe-based scanners? Or retinal scanners? Surely Play-Doh isn't durable enough to drag over a fingerprint swipe-scanner and it's probably difficult to make a good replica of an eye with the stuff.
But the real security comes with a Marine standing guard. If you can get past that guy, the biggest problem is already solved.
Jesus saved me from my past. He can save you as well.
"News for financial partners of the editors, bank balances that matter."
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
A guy at work was always talking about using gummy bears to commit the perfect crime. You somehow make a mold of someone's fingerprint using that gummy bear material. Then you use it on a fingerprint scanner, which gets fooled by it, and it lets you in. Then, get this- you eat the gummy bear fingerprint mold, and permanently destroy the evidence of your intrusion.
I always thought that was a little disgusting. You mean you're just going to eat that thing right after you pressed it against a disgusting fingerprint scanner?
This is old hat, sort of.
German computer magazine c't defeated fingerprint scanners a few years ago using gummi bears. I'm sure www.heise.de should have a (German) copy of that still online somewhere.
There are three flavors of a security pass:
1. Something you have, like badge or actual key.
2. Something you know, like a password or pass phrase.
3. Something you are, like a General, Doctor, or American citizen.
Two-form authentication (where you use two of the three above forms) is quickly becoming recognized as being much more secure. Numerous security professionals were hoping biometrics would fit into the "something you are" category, but increasingly that category is being replaced by "something you have". You can have a General's uniform or forged passport... or a Play-Doh impression from an authenticated finger. All this study does is confirm that migration.
The road to tyranny has always been paved with claims of necessity.
For all of us not from the same cultural sphere as the submitter, Play-Doh is a clay-like compound used by children to form various things. http://en.wikipedia.org/wiki/Play-Doh
If you have no children and buy Play-Doh you might be added to the terrorist watch list as a security risk.
Wow, they really need to keep some play-doh around in SD-6. Next time Sloane is stuck in the torture room and they need his fingerprint they've got the solution right there!
"Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
I may be using the wrong term here, but why not have some sort of capacitance measuring device on the fingerprint scanner? Something a bit less sensitive than your iPod wheel or a normal laptop touchpad, so it has to detect a current on the person's finger before it will even begin to scan?
Not that I've tried it, but I'm pretty sure you can use Playdoh to navigate around your iPod.
Fingerprints are now part of our total security strategy and a first-line screening technique for inprocessing of mass police events. When groups are processed after WTO rallies and other such large police events, processing uses fingerprint ID. Imagine a case in which 500 were arrested and all could be terror suspects, and the terrorist, who would have been ID'd, got away because of a fingerprint error. Fingerprints are used by banks to cash out-of-state checks. It's time to verify fingerprints and begin associating them with a biometric less modifiable, such as retinal ID. Of course, concerns about the coercivity of this approach are justified, but the security benefit outweighs. If we're going to use biometrics, let's use effective ones. Of course, the merits of mass arrest are questionable, but if we are going to do it, let's do it right.
Since when has this country used intellectual elite as a pejorative term?
I for one have a problem logging on via the scanner after a longer bath. The damned thing won't recognize the fingerprint and won't let me log on until the skin dries and the wrinkles on the fingers go away.
:-)
It is not bad, as I give up on the computer in the evening; just don't wash your hands before a presentation.
"She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF."
I hope she didn't use it all on Play-Doh...
ScuttleMonkey IS ... * * Beatles-Beatles ?
-Jar.
(Who is so happy now he can join in with the Beatles-Beatles thing)
Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out
... I, for one, enjoy * * Beatles-Beatles's articles. Everything he posts is news to me and the content is stuff that matters to me. I especially love his well-designed, non-sketchy website. If Slashdot would implement his wonderful CSS styles (when you hover over text, it all becomes italicized and underlined with a box drawn around it) my experience here would be great. Is there any way we can make * * Beatles-Beatles a moderator, or better yet, an administrator on Slashdot? That would be excellent. Keep up the great work ScuttleMonkey and * * Beatles-Beatles!
Why not add a little hardware and check for a living finger? When I was in the hospital, they put a noninvasive sensor on my finger that measured my pulse and blood oxygen level. It uses two frequencies of light to measure oxygenated haemoglobin.
Mea navis aericumbens anguillis abundat
If they can boost George-Harrison's PR on Google, they can probably convince the Almighty One to bring him back from the dead. The same couldn't have been done for Elvis because he is alive and well and editing for Slashdot :)
Wow, two in a row for Beatles. This is getting ridiculous...
I think as a collective we've got to get around to doing something about this. Criticisms of Slashdot content and the overall quality of the website are merited. I think a boycott is in order here.
Let's make it clear to the editors that these kinds of submissions shouldn't be tolerated, and will receive no attention. These kinds of posts should receive no replies regardless of importance. After which we should all carry out the task of resubmitting the article for discussions on the topic to resume.
After this post I intend to disregard any submission by '**Beatles-Beatles' and refuse to contribute or mod any of this Sponsorship Scandal(for those who don't live in Canada) like material. (Not a perfect analogy, but someone's getting a payoff it seems)
ending transmission....
He's ruining Slashdot, so here's what we need to do:
1. He has a guest book that we can troll, spam, etc. Unfortunately he's shut off image posting (from what we did to him last time) but we're not going to let that stop us, are we? Show this moron spammer who's boss!
2. If you go to the very bottom of the page, there's some kind of link farming going on. I'm not sure if this is trollable, but if it is, I'm sure someone on Slashdot can figure out how to do it. The best thing would be to find a way to shut down the entire link farm somehow, or else redirect it to goatse or something. This constant beatles spamming on slashdot is getting old.
3. If you have a web page, do some creative googlebombing about stupid websites and moron spammers or whatever.
spell the name of the University correctly if he is going to spam slashdot. It's CLARKSON, there is no T in there!
Monstar L
Last summer on WTH: Spoofing fingerprints in 10 minutes, shown at WTH last summer. The guy on the video also says that he never encountered a fingerprint reader which couldn't be fooled. Also interesting to see is that he does not make a fake finger, but only a thin acrylic layer placed over one's real finger. And also on the CCC website: an image gallery with text (EN) on how to copy a fingerprint. So it's not all about the Play-Doh.
Actually, that won't do anything. The problem is that Mr Beatles does SEO and is getting more pagerank (supposedly) from being linked from slashdot's FP. The only affirmative action you could take would be to remove any link to slashdot you may have on your web site. If I had one, I'd remove it now. Too bad, because slashdot is such a wonderful time waster... But thanks for your contribution of typically ill-informed libertarian rhetoric. It's more obvious when you paste it into random situations like this just how bankrupt that argument is.
Do those sanders work? Can they really remove your fingerprints from your fingers? 'Cause I was thinking, no one is going to be able to steal my fingerprints if I have no fingerprints to steal. Then again, if I have no fingerprints, it's going to be hard to log into whatever requires it as a biometric password.
Redundancy is impractical after a certain level. How would you like having to log in to a system tens of times every day, when that takes an eye scan, finger scan, face scan, answering a distorted CAPTCHA, entering user and password, ordering a set of pictures in the right order and what not?
In the end it'll be so "redundant" no one will want to use it.
Fingerprint scanners are rubbish. They're simply not that reliable. Even if they sound reliable - if you have a scanner that's 99.9% accurate, that means that one person in 1000 has a close enough fingerprint to pretend to be you. Or to put it another way, 10000 Belgians share your fingerprint.
And the best scanners are nowhere near that accurate.
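The arithmetic in the comment above, worked through as an added example that is not part of the original thread: it reads "99.9% accurate" as a per-comparison false match rate of 0.1%, multiplies it out over a population (the 10 million implied by the comment's "10000 Belgians" figure is an assumption), and then goes one step further than the comment to show what happens when a scanner searches a whole database (1:N identification) instead of checking one claimed identity. The independence of comparisons is an assumption, not a property of any real sensor.

```python
"""Added example (not from the thread): how a per-comparison false match
rate (FMR) scales with population size and with 1:N database search.
The comment above reads '99.9% accurate' as a 0.1% chance that a stranger's
print is close enough to be accepted as yours; these helpers make that
reading explicit and extend it to identification against N enrolled users."""
import math


def expected_matching_people(fmr: float, population: int) -> float:
    """Expected number of people in `population` whose finger a verifier
    would accept in place of yours, at per-comparison false match rate `fmr`."""
    return fmr * population


def prob_any_false_match(fmr: float, enrolled: int) -> float:
    """Probability that one impostor finger matches at least one of
    `enrolled` templates in a 1:N search, treating comparisons as
    independent trials (an assumption, not a property of any real sensor)."""
    return 1.0 - (1.0 - fmr) ** enrolled


def max_enrolled_for_target(fmr: float, target: float) -> int:
    """Largest database size whose 1:N false-accept probability stays at or
    below `target`, solved from (1 - fmr)^n >= 1 - target."""
    if not 0.0 < fmr < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("fmr and target must both lie strictly between 0 and 1")
    n = math.floor(math.log(1.0 - target) / math.log(1.0 - fmr))
    # Guard against floating-point rounding pushing n one past the boundary.
    while n > 0 and prob_any_false_match(fmr, n) > target:
        n -= 1
    return n


if __name__ == "__main__":
    fmr = 0.001                # the comment's "99.9% accurate"
    belgium = 10_000_000       # population assumed from the comment's figure
    print(f"people whose print passes as yours: "
          f"{expected_matching_people(fmr, belgium):.0f}")
    for n in (1, 10, 100, 1000):
        print(f"1:{n:<5} search, chance an impostor is accepted: "
              f"{prob_any_false_match(fmr, n):.3f}")
    print(f"largest 1:N database keeping false accept <= 1%: "
          f"{max_enrolled_for_target(fmr, 0.01)}")
```

The point the 1:N figures make is that the same 0.1% rate that sounds tolerable for verifying one claimed identity becomes a coin flip once a scanner compares an unknown finger against a thousand enrolled templates.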
I announced my displeasure with the ueber google-gayness of the beatles link in these stories before - and was modded as '-6 tin foil'.
I am not 100% happy with the ghey projects like micro formats to use link voting either (google doesn't AFAIK have the option to non-googlify a link; if it did and /. used it, how many stories would beatles post?) and the fact that the first 100 million lines in the pages about link voting are hippie gay credits for the two guys who set it up makes me wary, akin to those twats scrapping over who invented music, the internet, downloading music, downloading the internet, sex, tits and beer by fighting over who 'invented' podcasting.
The problem is, if a slashdot page links to starwars dot com with the words 'solo shot first' then this will change the very nature and fabric of the universe, and may actually cause earthquakes and/or hurricanes, or at least a small butterfly flapping its wings might get struck by lightning (deserves it!).
Google is a bit dumb, and I am surprised that slashdot users viagra, cheap-prescription-drugs, auto-warranty and friends haven't been posting more stories.
humbug?
of course, this is an estimation.
please type the word in this image: ballpark
random letters - if you are visually impaired, please email us at pater@slashdot.org
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Quoted from FP:
University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds.
Quoted from TFA:
Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They also assembled a collection of cadaver fingers. In the laboratory, the researchers then systematically tested more than 60 of the faked samples. The results were a 90 percent false verification rate.
The crucial piece of missing information: the need for dental materials, the same stuff used to make castings for dentures, false teeth, etc. To do what the researchers did, one needs more than Play-Doh. But of course ignoring this makes the FP much more dramatic because it implies that a preschool toy is sufficient for fooling biometric scanners.
For the record the quote from the FP is the part written by the editors, not by the submitter (unitalicized portion of FP), so the error (or omission) was made by a /. editor, not by the submitter.
I find it frustrating that what I once thought was a useful and interesting source of information and lively discussion seems to have become what it once seemed to differentiate itself from. Slashdot editors seem to be adopting the playbook of big media and skewed news to drive up user posts.
I find this sad because I thought that Slashdot was a site with an alternative playbook, that treated its readers as more savvy. Now it seems to be on the slippery slope to USA Today style reporting. I can only assume that this change is an attempt to drive up ad revenue. But I am afraid it will alienate many of the readers.
Or is it starting to look like ScuttleMonkey is getting kickbacks from **Beatles-Beatles?
In the words of Napoleon: "Never ascribe to malice, that which can be explained by incompetence."
May the Maths Be with you!
I remember Macgyver defeating a hand print scanner using chalk dust to stick to the oils deposited by the previous person who used the scanner. I guess a swipe scanner makes much more sense if you want to try and keep Macgyver out (who are we kidding here, Macgyver can defeat any security system with nothing more than a bar of chocolate and a toothpick).
Fooling fingerprint scanners is really child's play with Play-Doh!
I think this was the same method used in Runescape to copy the Jailer's key.
But thanks for your contribution of typically ill-informed libertarian rhetoric. It's more obvious when you paste it into random situations like this just how bankrupt that argument is.
Wow. Ignoring the unnecessarily aggressive tone of your argument, I STILL fail to see the problem in my argument:
STORY POSTED BY *B-B ANNOYS EVERYONE -> IGNORE HIS STORIES, NOT CLICKING ON HIS LINKS, NOT POSTING COMMENTS -> SLASHDOT STOPS POSTING STORIES BY **B-B DUE TO LACK OF INTEREST. Where exactly does pagerank fit into my argument? I've been reading ./ for years and I've noticed an increase in the number of "articles" posted that are nothing more than poorly disguised press releases with the goal of:
1. Get some sort of funding/investment for a start-up business or a research project of some sort.
2. Generate traffic to a site to improve ad revenue or subscribers.
3. Sell a product or service of some sort.
In this article, I would guess that her new algorithm is patented and she is in the process of either licensing the technology or starting her own company eventually using the process she developed. The article isn't very useful to anyone with a technical background, like ./ readers, and gives only one real example, doesn't go into any interesting details of the vulnerabilities and is only there to announce her algorithm reduces false verifications from 90% to 10%. In other words, the primary purpose for this article is to demonstrate an industry-wide vulnerability in existing technology that can be drastically improved upon with her solution. Or, demonstrate a problem to your consumers and offer a solution you provide (Business 101). Was there any real substance in that article besides the subtle pitch about their algorithm? Any hard science details, thought-provoking questions about how the manufacturers fail to disclose how vulnerable their technology is or what is being done to address this - besides her solution? Not really.
More and more press releases are being disguised inside of tech articles or scientific articles in the hopes of making it past the editors of a site, and readers tend to believe, or trust, sales pitches more when they are hidden within an article perceived as neutral or unbiased. Sorry I don't have other examples at the moment, but it's late and I don't really want to dig around for them, but if you start analyzing your articles a little closer you can see how prevalent this is becoming.
I can't decide which is more frustrating... the fact these stories get posted on Slashdot or the fact the majority of readers are lacking in critical thinking skills and aren't able to spot them and are being influenced by them.
I got a laptop with fingerprint identification and thought it was ultra-cool to just stick my index finger on there to log in (this was to XP tablet edition).
Then I wondered if you could trick it, so I looked at my index finger, and saw that it was a loop, and then had someone else in the office try with one of their fingers that also was a loop. Nothing just by pressing down.
But, because the login software takes continuous readings (which they display!), my buddy was able to keep sliding and mashing and rotating his finger around until after 4 or 5 seconds, Bong, logged in!! We were laughing, so we tried with three other guys here, and they all logged on. Some of them had to rotate their hand all the way around, but *everyone* got on. THIS SOFTWARE DOES NOT WORK! DO NOT TRUST IT!
I reported this to the fingerprint software people (sorry, don't remember their name), but they never responded. I just turned it off completely - it's a joke.
Slashdot!. Fuck all your fuckin editors too. You ignore every legitimate fuckin story others post, and link up some link peddler. Fuck you for that. And fuck you for treating your readers like dirt. Fuck You!
Welcome digg!
www.digg.com
I recently purchased a new MS keyboard with the fingerprint scanner.
With 5 family members and Windows XP, it's working fabulously at home.
I wouldn't change my door locks to fingerprint scanners, but for a home computer used by the family it's great.
I don't mean to sound like a troll (and maybe I'm just exposing my own ignorance), but what's with these names? YubaNet? Stephanie C Schuckers? YubaNet sounds like an early 90's cheesy website designed with a lot of blink tags (with the obligatory "Best Viewed in Netscape" button), and Schuckers? Sounds like the kind of alias Amos and Andy would choose...
I know it's not nice to make fun of people's names, but this is too much...
They're on to the Play-doh trick. I think I'll just switch to Silly Putty.
*gives honourable badge of the tinfoil hat club*
Congratulations. We haven't heard THIS one yet.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
1. Get some sort of funding/investment for a start-up business or a research project of some sort.
2. Generate traffic to a site to improve ad revenue or subscribers.
3. Sell a product or service of some sort.
4. ???
5. Profit.
~ Better a freak than a sheep. ~
Now ordinarily the parent would simply be regarded as a troll, but all you have to do is look through a few Slashdot journals to see examples of quality submissions that have been rejected. The fact that a search engine spammer's articles get preference really explains this kind of frustration.
I'd like to hear some kind of explanation from the editor(s). I'd like to think that this is simply some kind of failure of process rather than something fundamentally wrong with Slashdot itself. It would be nice if the next Slashback dealt with these issues in some way.
May the Maths Be with you!
I have a portable pulse oximeter sitting right next to me. It is pricey and is about 2.5" x 1.5" x 1.5". It clamps lightly around one's finger and has a numerical LED display for oxygen level and beats per minute. It's as accurate as a bedside hospital unit from what I have read. Adding one of these though would really drive up costs. Here is a pic of the unit I am talking about. $675, ouch.
Incorporating them would also require a major redesign. They clamp around an inserted finger, and this would make them harder to clean and maintain, and also make them more prone to breakage.
The non-invasive principle of operation of these is pretty neat, and might interest Slashdotters. They work by shooting dual wavelengths of light through the finger, namely infrared and a visible red color. On the other side of the finger, a sensor relays readings to a signal processor, which distinguishes between flesh, bone, and what-not based on the absorption differential between the two wavelengths, so it can isolate out variables between different kinds of fingers. The result is incredibly precise, and the LED on the front flashes in precise sync with one's pulse. I'm guessing the signal processor is a major cost, so maybe in time these will come down in price.
Play-Doh becomes Play-D'Oh! now I guess ^_^
Is it just me, or does anyone else take this with a grain of salt? With a name like that..
And instead of mentioning and hopefully improving it by drawing attention to it, you sit on your ass and criticize someone who took time and effort to write about it, and contribute nothing of substance...Similar to what your mother contributed to this world.
and I'll say it again. Play-Doh and technology do not mix! My DVD player will not play Play-Doh discs and my PC case mod of Play-Doh gave me trouble getting it out of the power supply.
... that Wallace (of Wallace and Gromit fame) can fool any fingerprint detector?
Looks like ScuttleMoney^H^Hkey still doesn't get it. Interesting thing is, ScuttleMonkey seems to use some standard template for * *Beatles-Beatles submissions, since ALL of them start with: "* * Beatles-Beatles writes to tell us ...".
So, let me repost some earlier post of mine:
Ok, let's have a look at his george-harrison.info website. Aha, maybe the links at the bottom of the page? Yes, I see: http://george-harrison.info/reciprocal-links.html.
Sooo, what may be on that page? Quoting:
Looking at the link list (just a small excerpt):
HTH!
Windows is like decaf - it tastes like the real thing, but it won't get you through the day.
I went to a friend's house the other day. He told me he was looking through a box of important papers and he found the recipe for play-doh. It seemed a bit weird at first but now it just seems suspicious.
So does this mean that Gumby can become an uberhacker (at least when facing these biometric devices)?
More seriously... This is not new news. Previous schemes to foil the fingerprint scanners have been around for a good deal of time. One article I found is at http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci833464,00.html/.
Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
Just pick the guy who ordered to arrest 500 anti-WTO protesters.
Trust me, I work for the government.
I don't care what the source of the news is and what reason is behind their publishing it, as long as they provide useful information. If the nice lady has a patent and a startup enterprise, best of luck to her, but next time somebody suggests fingerprint-based security, I'll know how to show them what it's worth. Or bypass it, if I find it handy. So please STFU and start evaluating the actual value of the info provided by the article, instead of looking for sinister reasons behind posting it.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
I'm one more article away to flag ScuttleMonkey as an editor I don't want to read from anymore in my settings.
Assorted stuff I do sometimes: Lemuria.org
Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense.
They misspelled "suckers". After all, it can be fooled by play-doh.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
A couple of things the scanners could do to tell the difference between Play-Doh and a finger: make sure whatever is on the scanner is at average body temperature, check for the presence of natural skin oils, and check for a pulse.
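The liveness checks proposed in the comment above (temperature, pulse) and the dual-wavelength pulse oximeter principle described earlier in the thread, combined into one added example that is not code from the thread or from any sensor vendor. The sensor readings are constructed synthetic signals, the acceptance thresholds are assumptions chosen for illustration, and the vendor calibration curve that maps the red/infrared ratio to an oxygen saturation figure is deliberately left out, since the point here is only to decide "live finger or not".

```python
"""Added example (not from the thread): a liveness gate for a fingerprint
reader that checks surface temperature, the pulse ripple in a two-wavelength
optical signal (the pulse-oximeter principle), and agreement between the two
wavelengths.  All signals and thresholds below are constructed assumptions."""
import math

SAMPLE_RATE = 100            # samples per second (assumed sensor rate)
LIVE_BPM = (40.0, 180.0)     # pulse range accepted as a living person
MIN_PERFUSION = 0.002        # minimum AC/DC ripple; a mold or cadaver shows ~0
BODY_TEMP_C = (30.0, 40.0)   # surface temperature window for a living fingertip


def synth_ppg(dc, ac, bpm, seconds=5, rate=SAMPLE_RATE):
    """Constructed photoplethysmogram: steady absorption plus a pulse ripple.
    ac=0 models a static object such as a Play-Doh mold."""
    f = bpm / 60.0
    return [dc + ac * math.sin(2 * math.pi * f * i / rate)
            for i in range(seconds * rate)]


def perfusion_index(samples):
    """Ratio of pulsatile (AC) to steady (DC) absorption; ~0 for a mold."""
    dc = sum(samples) / len(samples)
    ac = (max(samples) - min(samples)) / 2.0
    return ac / dc if dc else 0.0


def estimate_bpm(samples, rate=SAMPLE_RATE):
    """Count local maxima above the mean; each one is taken as a heartbeat."""
    mean = sum(samples) / len(samples)
    peaks = sum(1 for i in range(1, len(samples) - 1)
                if samples[i] > mean
                and samples[i] > samples[i - 1]
                and samples[i] >= samples[i + 1])
    return peaks * 60.0 * rate / len(samples)


def ratio_of_ratios(red, ir):
    """R = (AC_red/DC_red) / (AC_ir/DC_ir).  An oximeter maps R to SpO2 via a
    vendor calibration curve, which is not reproduced here."""
    pi_ir = perfusion_index(ir)
    return perfusion_index(red) / pi_ir if pi_ir else float("inf")


def liveness_decision(red, ir, temp_c):
    """Accept only if every independent sign of life is present; return the
    per-check results too so an operator can see which one failed."""
    bpm_red, bpm_ir = estimate_bpm(red), estimate_bpm(ir)
    checks = {
        "temperature": BODY_TEMP_C[0] <= temp_c <= BODY_TEMP_C[1],
        "perfusion": min(perfusion_index(red), perfusion_index(ir)) >= MIN_PERFUSION,
        "pulse_rate": LIVE_BPM[0] <= bpm_ir <= LIVE_BPM[1],
        "channels_agree": abs(bpm_red - bpm_ir) <= 6.0,
    }
    return all(checks.values()), checks


if __name__ == "__main__":
    live_red = synth_ppg(1.0, 0.02, 72)   # constructed live finger, 72 bpm
    live_ir = synth_ppg(1.0, 0.03, 72)
    mold = synth_ppg(1.0, 0.0, 0)         # constructed static mold: no ripple
    print("live finger:", liveness_decision(live_red, live_ir, 34.0))
    print("warmed mold:", liveness_decision(mold, mold, 34.0))
    print("R for live finger: %.3f" % ratio_of_ratios(live_red, live_ir))
```

A warmed mold passes the temperature check alone, which is why the decision requires all four checks rather than any one of them; the per-check dictionary is what you would log when a presentation is rejected.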
Find me empirical evidence indicating that everyone's fingerprints are actually unique?
Thought not.
Whole thing's based on supposition and received wisdom, and is an utterly stupid basis for a security system. And I don't think much of the degree to which fingerprint evidence is relied on in court, either. Still, you try convincing a jury that every cop show and courtroom drama they've ever seen has misled them.
Supposing there exists a "much more robust security infrastructure" - how is it going to be improved by the addition of a Play-Doh, uh, I mean a fingerprint scanner? Why not just stick with the robust stuff, and forget the shiny newfangled contraptions?
This isn't the first demonstration that fingerprint scanners are useless. A few years ago, a Japanese university professor showed that it was possible to make a gelatin mold from a latent print (i.e., without direct access to the authorized finger in question) that would fool the readers most of the time! What is a fingerprint scanner adding but a false sense of security?
This was the first question I randomly peeked at to see how far from my opinion this certification is. I closed the book and haven't opened it again so far. A shame this is getting almost as mandatory in security jobs as Cisco certification for networking and Checkpoint/Nokia for firewalls.
I just bought and installed a biometric fingerprint security system and I must say it is really secure!
"Fingerprint Scanners Fooled By Play-Doh"
D'oh!
w00t
Bush has diverted $3.4 billion from the Department of Education to an unnamed defense contractor, explaining "what use is having educated people when this contraband threatens the safety of us all." Citing security concerns, he would not elaborate which contractor received the funds, though he did name BeatlesBeatles as the White House liaison for this project. "No one has a better handle on Al Qaeda than BeatlesBeatles," Bush explained.
Bush added: "some people think you can eat it, too."
To jcuervo: I guess if someone surgically removes their lips and removes their toeprints...
To Linker3000: Maybe fingerprints do grow back, unless you remove the fingers along with them. Then again, it would be very difficult to type.
The Screen Savers on TechTV showed how to do this with a gummy bear; that's nothing new.
While the above reply is insightful, it kinda misses the point on security. It's not enough for the twin to "know how to talk like a General". For access to most secure facilities, the process is difficult to fake.
1. Drive to the site, showing the guard at the gate an appropriate ID CARD.
2. Proceed to an inner gate, showing a separate ID BADGE (the sticker on your vehicle, as well as the license plate ## must match information on the badge).
3. Use the BADGE to gain entrance to the first door by passing badge over a card reader.
4. BADGE into another reader at the second door, and punch in a personal code.
5. Door number 3 uses another code.
6. Ummmm.....PROFIT!
This is not the method to launch the nukes, mind you--this just gets you into a relatively low-security building.
I have several biometric readers at my installation for door access. If you notice something in the article (having read it), they made replicas of fingers and then used Play-Doh on them. Bottom line, in order to spoof the device you have to have direct access to someone's finger that is in the device. Good luck! They didn't use the Play-Doh to 'lift' a finger print from the device to spoof it; they had to get the finger. So, unless your roommate or spouse is going to swipe your fingerprint in your sleep, you're pretty safe. If they do, then the suspect list doesn't have to go very far to find the culprit.
Not only do you need direct access to the finger, but most of the devices used also require a PIN of varying length to be input along with the finger print. So there's your redundancy, before someone jumps on that. It's stupid research and a dumb article.
Oh, and anyone who has done single-ops will tell you that a 12v battery can be used to open most electric latches regardless of the access system attached to it. If the wires are exposed, or in a visible conduit, you're hosed if someone knows what they are doing. Of course, they can rip the unit off the wall and get access to the wires too. Spoofing the finger would not even be considered, nor would it be necessary.
In other news, Mr. Bill was arrested Saturday for suspicion of ID Theft and Conspiracy when it was found he was unlawfully trying to enter a secure location with a fingerprint scanner.
The police said his only words after getting caught were "DOH!" and then "Ohhh noooooooo!"
He who knows best knows how little he knows. - Thomas Jefferson
You know you can make play dough as well, so they should add everyone that buys flour to the terrorist watch list as well. I guess they could just ban flour; I mean, you don't need to cook anything yourself these days, so anyone buying flour must be a terrorist.
Note: I do lots of cooking myself as I don't like the crap that is in most ready made food.
I hope the Department of Homeland Security pulled the strings to get her a DMCA exception. Although, it would be funny to see government research get nailed by this ridiculous law. Maybe then something would change.
I know you guys can't spell, but if you could you would have been able to link to the right school. Clarkson University, www.clarkson.edu.
scuttlemonkey.user.js:
I've said this before on slashdot: the biggest problem with biometrics is that once compromised they cannot be easily changed. You can always change your password if someone discovers it, but you can't easily change your retinal pattern. So if someone has a fake eyeball with your pattern you can't keep them from using it by using another pattern. The naive have assumed that biometrics are much harder to steal than passwords and would be too closely tied to the person to whom they belong to be compromised. For every type of authentication, there is a surprisingly easy and clever way to compromise it.
ClarkSON University, not ClarkSTON University.
There are three flavors of a security pass:
1. Something you have, like badge or actual key.
2. Something you know, like a password or pass phrase.
3. Something you are, like a General, Doctor, or American citizen.
Well, 2 out of 3 isn't bad.
"Something you are" is not a position you hold, such as Doctor or General. It is independent of your position or profession. That General's uniform is something you have, not something you are.
Think more along the lines of "your face" or "your fingerprints" or "your DNA" or something like that. It is inherent to your physical body.
Biometrics is trying to do "something you are"... it just isn't doing it very well right now.
A badge (can be) 2-factor authentication. It is something you have, and it has a picture of your face on it, making it something you are.
Of course, identity validation in the hands of the person requesting identification is inherently insecure, which is why all the best SciFi movies have a badge that, somehow, pulls up your picture from a central computer database, and the hero's sidekick changes the image in the database milliseconds before the guard looks at the image on his display.
This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
MacGyver + A-Team = UNSTOPPABLE.
This was common knowledge to anyone who ever watched MacGyver.
And this is why we use multi-factor authentication. Bruce Schneier has said it many times. We can't rely on one single form of authentication. Fingerprints can be stolen, RFIDs can be faked, passwords cracked...but just because one person can do one of those, doesn't mean they can do them all. The more factors you can include, the less likely that a person can steal them all. For instance, do a fingerprint scan and have the person speak a passphrase that changes daily.
Nullum magnum ingenium sine mixtura dementia (There is no great genius without a mixture of madness) - Aristotle
Yay, that's my University!
Ryan - http://www.thecosmotron.com/
Or, they get their information by bashing Microsoft.
Microsoft about a year ago released a rebadged optical fingerprint reader from Digital Persona. It is a horrible device that can easily be fooled. It also wears out quickly because the sensor relies on a coating on the glass to image fingerprints. Once the coating rubs off, the sensor is useless. Needless to say, this isn't anywhere near the state of the art.
A better technology is based on capacitive sensors. They work much better and are extremely difficult to fool. I.e., Play-Doh doesn't work. Gummi Bears do not work. However, the sensors tend to wear out and can be fooled by cadaver fingers.
Look at sensors from Authentec. That is http://www.authentec.com/. They make sensors that use RF reflection to measure the patterns beneath the first layer of skin. They also have integrated thermal sensing. Cadaver fingers do not work. Neither does Play-Doh or anything else. Fooling these sensors, which are far better than the junk referred to in the original article, is extremely difficult. So, just how much does this military-spec technology cost? $32, quantity one retail.
Can we please send a copy of this to Ms. Schuckers so she can write papers based on the current state of the art, rather than utterly outmoded Microsoft-distributed optical scanners? Please?
If your eyeball detecting device can't detect the difference between a fake eyeball and a real eyeball then you shouldn't have gone with the lowest bidder.
The school is Clarkson, not Clarkston.
Bush added: "some people think you can eat it, too."
...ducks
don't you mean
some people added: you can eat bush too
"Hey, can you stick your finger in this Play Doh for a second? Why? Oh, no reason..."
The fact that one can spoof a biometric with some ease, is not particularly novel nor should we expect that a single biometric is the solution to authenticating identity. A very simple combination of a biometric and an active input such as a password or pin, even spoken, provides a very strong solution to authentication. If the combination is used, I hardly even need strong passwords. The other factor to remember is that security, of whatever form, is only a temporary lock-out mechanism. In order to be robust to several decimal places, we have to force some regular change mechanism in password or pin as well.
"If all the American people want is security, let them live in prisons." Eisenhower
I guess Gumby and Mr. Bill are up shit creek too . . .
I'm not tense. I'm just terribly, terribly, alert.
Here's how it'll work:
1) Kill person
2) Cut off person's finger with pruning shears
3) Remove money from their account using their finger
And, if they've gone that far:
2b) Remove person's eye.
In the race to get rich quick, believe that criminals will do this.
I'm amazed that I survived - an airbag saved my life.
"Hey, I bet you can't get your fingerprint to stay on this piece of clay!"
I guess a lot of people would fall for that. If not, you could go ahead and add assault to the charges by knocking them out. Or better yet, you could just offer them a candy bar in exchange for their fingerprint.
http://www.amazon.com/gp/product/0449908577/103-0972882-3463854?v=glance&n=283155
If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest
ScuttleMonkey fooled by **Beatles-Beatles... Yet again.
One can always use the new iPod Nano for fingerprinting. You can catch any criminal with the mirror plating on the back of them.
The most perfidious way of harming a cause consists of defending it deliberately with faulty arguments. - Nietzsche
They were good, but they didn't link to george-harrison.info.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
A quick trip to the search box yields just how severely this guy is taking advantage of Slashdot. This is ridiculous.
Please get it right. The article does, it'd be nice if the summary did as well.
I know of a few ways as well.
For fingerprint scanners:
1) Crouch down and breathe hot air on the pad. (Over 80% effectiveness for fingerprint scanners on the market, and probably led to the playdough tests)
2) Put on a latex glove and press with your thumb on the pad.
3) Pour water on it till it shorts, default mechanisms are often to unlock or resort to mechanical locking mechanisms, so get a key that way. (this obviously doesn't work for computers).
4) Get a USB sniffer (this obviously doesn't work for doors).
For ID cards:
1) Get a copy of one and make a mimic'd copy, complain that it isn't working to security, get one reissued or just get in.
2) Run a credit card through, sometimes nearly anything will work.
3) Pass a magnet nearby (this worked every time on a device labeled as an RFID scanner, and the vendor marketing it didn't know why)
For eye scanners:
1) Find a picture of the person offline and blow it up to actual eye size, laminate it.
2) Put a mirror in front of the scanner. (Yes, this works on at least one of them, and no, the vendor didn't specify why)
How does the /. community respond when it's a Female EE PROFESSOR getting 3.1 mil in grants to whitehat hack the military, and doing the job 10x better than any /. dropout neanderthal sysadmin could ever do?
I think you're just complaining because she takes away the uber macho-ness of tech.
Would you feel more comfortable, little boys, if she were writing your documentation for you and getting your bleeding coffee? Go back to your stupid video games, and clean your rooms.
The name of the university at which Stephanie Schuckers works is Clarkson University, not Clarkston. It's in my hometown. Gotta represent.
... is don't give spammers a chance.
-- Lennon, from the grave.
Couldn't these scanners also have built-in heat detectors, and just check for 98.6 degrees F +/- a few degrees? Of course this still wouldn't be immune to "heated play doh attacks" but it would be one more measure of security. Of course, problems would arise on very cold days maybe, or when someone has a fever, but there could be some solution to that too. (I don't have all the answers! :)
Clarkson University does not have a t in the name.
Oh, come on! A Play-Doh mold is a reverse of the finger it was molded from. Your right-hand fingerprints are not mirror images of your left-hand fingerprints. So while you might come up with some more complex technique to cast a false finger and somewhere in that technique use Play-Doh, the implication that you can just use Play-Doh to mold a finger and use that as a finger substitute is obviously false for any system that has any sense at all.
I'm an American. I love this country and the freedoms that we used to have.
You can do the Play-Doh thing to fake retinal scanners too. But man does it hurt.
Are you trying to say that there are stupid people out there that would rather carry an entire corpse to an authentication terminal, rather than delve into the gruesome arts of exacto-knifing those certain finger digits and eyeballs; to assemble a casted mould and a facial mask articulated to correct skin tone with the eyes precisely duplicated in a holographic-depth spectre surface (holographic printer, or inexpensive homemade holography, Holography technique, or even the Amateur Holograph Society?) There are even inexpensive technical courses that improve this matter, that can be easily used to purvey an eye-scanner. There is nothing to hide; the technologies thought to provide more security and safety, other than brute-force and immediate consumption, were defeated the moment they were activated. I suppose someone can create every necessary part of a body in three-dimensional clay and it'll pass a scanner test.
I think the counter-actions that inexpensively defeat all the security measures are in good faith, whereas anyone that is coerced to waive standard good-faith handshaking rules and passkeys in their account to a more public and global access have already waived what little security and safety there was meant. I suggest people move their fortunes with them wherever they may need it. This is all the fault of a world-ready currency and central banking, then to let people carry specie in their pockets with a firearm to anyone that wants to take their demurred and stored compensation and barter representations of hard labor.
without prejudice
There is apparently a sub-industry in this country devoted to no other purpose than producing duplicates of these "keys". Congress is investigating and considering making "key duplication" technologies punishable under the DMCA.
Seriously though, why is this interesting? Ok, so you can make a mold of a finger that has fingerprints on it. Is that in some way surprising to someone? Does any method of defeating security that involves having access to the original key (finger) for an extended period of time really concern anyone?
A pulse oximeter is not a sophisticated device. A basic design requires only two LEDs, a photosensor and an op amp. I'll guess the cost is in the tens of dollars.
Of course if you want it for medical purposes you need extra certifications for reliability, that I believe can drive the cost up.
Retinal images can be faked. The only truly accurate test would involve taking a sample of your flesh and analyzing that. To meet basic security criteria, you want a multi-factor analysis: for example, blood type and nuclear DNA. You'd also want to perform multiple tests and compare the results, to make sure you're not working with a doctored sample of someone else's flesh.
To support the requisite multiple tests, flesh samples should not be smaller than about 1/4" cubed. In order to obtain the samples, it is likely that local anesthesia will be required. Since you'll be injecting the subject anyway, you may as well inject them with a general tranquilizing agent, preferably addictive, to reduce the chance that they cause you trouble in future. Oh, and you may as well use the opportunity to implant a subdermal identification chip.
The result will be a society that's at least 17.4% safer than it currently is. Clearly, the security benefits outweigh any possible extremist concerns about individual rights. This system should be welcomed by everyone, except those who have something to hide. You don't have anything to hide, do you??
is that the techniques used are continuous (his fingerprint matches our records with 94% accuracy), because they are all based on statistical techniques. A little dirt on your fingers can change things, or voice prints are slightly different every time you speak.
It's a fundamental mismatch to the problem domain, where a discrete decision is required (do I open the door or call the guys with guns?)
So, there will always be a tradeoff between false positives and false negatives depending on where you set the threshold. Lookup "ROC curves" for more info about this...
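The threshold tradeoff this comment describes, worked through in Python as an added example (not code from the thread or from any vendor); the genuine and impostor match scores are constructed sample data, not measurements from a real sensor.

```python
"""Added example: a biometric matcher returns a continuous similarity score,
but the door needs a yes/no answer, so a threshold is chosen.  Sweeping it
trades false accepts (impostors let in) against false rejects (the enrolled
user locked out); the ROC curve is exactly this sweep.  All scores below are
constructed for illustration."""


# Constructed scores in [0, 1]. Genuine attempts spread out because of dirt,
# angle and pressure; impostor attempts occasionally score high by chance.
GENUINE_SCORES = [0.97, 0.94, 0.91, 0.89, 0.88, 0.85, 0.83, 0.80, 0.76, 0.71]
IMPOSTOR_SCORES = [0.35, 0.41, 0.48, 0.52, 0.58, 0.63, 0.67, 0.72, 0.78, 0.84]


def error_rates(genuine, impostor, threshold):
    """Return (false_accept_rate, false_reject_rate) for one threshold.
    The discrete decision: a score >= threshold opens the door."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def roc_points(genuine, impostor, steps=20):
    """Sweep the threshold from 0 to 1 and collect (threshold, FAR, FRR).
    Plotting FAR against 1 - FRR gives the ROC curve the comment refers to."""
    return [(t, *error_rates(genuine, impostor, t))
            for t in (i / steps for i in range(steps + 1))]


def equal_error_threshold(genuine, impostor, steps=100):
    """Threshold at which FAR and FRR are closest (the equal error rate, EER),
    a common one-number summary of how separable the two populations are.
    Ties resolve to the lowest such threshold."""
    def gap(t):
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)
    return min((i / steps for i in range(steps + 1)), key=gap)


if __name__ == "__main__":
    for t, far, frr in roc_points(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}: FAR {far:.1f}  FRR {frr:.1f}")
    eer_t = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print("equal error threshold:", eer_t,
          error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, eer_t))
```

Raising the threshold only ever lowers FAR and raises FRR, so there is no setting that drives both to zero once the two score populations overlap, which is the mismatch the comment points out.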
I don't think the Aquabats are RIAA-affiliated but look out if they get signed.
Please don't take this seriously. Sadly, I felt it necessary to state that.
Man, you really need that seminar!
$30 thousand - hammer
$50 thousand - toilet seat
$3.1 million - play-doh.
We have reached the first step; this may be a long process.