Slashdot Mirror


Fingerprint Scanners Fooled By Play-Doh

Beatles-Beatles writes to tell us YubaNet is reporting that in recent tests by Stephanie C Schuckers, an associate professor of electrical and computer engineering at Clarkston University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds. From the article: "Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense. She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF."

22 of 302 comments

  1. Wow by antikarma · · Score: 3, Insightful

    Wow, two in a row for Beatles. This is getting ridiculous...

    1. Re:Wow by ObsessiveMathsFreak · · Score: 3, Insightful

      Today's submissions that were rejected include a new digital imaging chip from the folks at Univ of Rochester and the Gnope.Org release (PHP GTK Toolkit).

      Are the editors trying to bury the site?! I'm a geek. I want to read about stuff like this? Those writeups had better have been awful.

      --
      May the Maths Be with you!
  2. Redundancy... by Cherita+Chen · · Score: 5, Insightful
    Which is exactly why Biometrics, i.e., "Fingerprint readers", should only be one small part of a much more robust security infrastructure. Redundancy is key...

    --
    I'm not fat, just big boned...
  3. Re:Is i just me by Tim+C · · Score: 4, Insightful

    Something funny is going on - two stories in a row? That's not chance, that's not coincidence, that's paid for. The only question is whether slashdot is paying Beatles-Beatles, or Beatles-Beatles is paying slashdot.

    Either way guys (and I'm talking to you, editors) it would be nice to be told. Just so we know, y'know? We're mostly intelligent, curious people here, and that sort hates being kept in the dark when there's so obviously something going on.

  4. Boycott by arthur5005 · · Score: 3, Insightful

    Wow, two in a row for Beatles. This is getting ridiculous...

    I think as a collective we've got to get around to doing something about this. Criticisms that Slashdot content, and the overall quality of the website are merited. I think a boycott is in order here.

    Let's make it clear to the editors that these kind of submissions shouldn't be tolerated, and will receive no attention. These kind of posts should receive no replies regardless of importance. After which we should all carry out the task of resubmitting the article for discussions on the topic to resume.

    After this post I intend to disregard any submission by 'Beatles-Beatles' and refuse to contribute or mod any of this Sponsorship Scandal (for those who don't live in Canada) like material. (Not a perfect analogy, but someone's getting a payoff it seems)

    ending transmission....

  5. Re:Good security by mwvdlee · · Score: 2, Insightful

    And now you have to trust the Marine guard.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  6. Re:Redundancy... (is not the key) by Anonymous Coward · · Score: 1, Insightful

    Redundancy is impractical after certain level, how'd you like that you have to login tens of times to a system every day, and that this takes, eye scan, finger scan, face scan, answering distorted CAPTCHA, entering user, password, ordering a set of pictures in right order and what not.

    At the end it'll be so "redundant" no one will want to use it.

  7. Re:And? by Anonymous Coward · · Score: 5, Insightful

    1. Something you have, like badge or actual key.
    2. Something you know, like a password or pass phrase.
    3. Something you are, like a General, Doctor, or American citizen.

    This gets interesting in the overlaps that refute the categoricals. What you know and what you have both define what you are. For example what makes you a General or a Doctor other than the correct uniform? A detailed knowledge of military or medical matters. So let's take two twins, one a doctor and one a general and get them to spend a month teaching each other everything they know about each other's subject. The doctor twin puts on his brother's uniform and walks right into the base. Now, can he spend an entire day bluffing his way through a tactical conference, while his brother does a bit of impromptu brain surgery? Unlikely but not impossible. So is it what we know that defines us as who we are? Not with 100% certainty. Is it what we have that defines what we are? No, not definitely. Keys, passwords, biometric features, money, any facet of physical actuality can be forged, stolen or substituted. So where does that leave us? It leaves us with the uncomfortable philosophical annoyance that identity does not exist. We have to step back and look at the question again. What are we trying to achieve through assigning identity? We are trying to map INTENTION. The guy getting on the plane may look like, smell like, sound like, walk like... the person the computer says is good ole regular Joe Citizen 101, but what if his _intention_ is to blow up the plane and not ride peacefully? Joe could have been brainwashed/blackmailed/replaced by an android. Identity isn't the thing that governments and identity researchers _want_ it to be and so we have to start tackling the more difficult issue of stopping people needing or wanting to steal money or blow up planes.

  8. The thing is... by 91degrees · · Score: 3, Insightful

    Fingerprint scanners are rubbish. They're simply not that reliable. Even if they sound reliable - if you have a scanner that's 99.9% accurate, that means that one person in 1000 has a close enough fingerprint to pretend to be you. Or to put it another way, 10000 Belgians share your fingerprint.

    And the best scanners are nowhere near that accurate.

  9. Omission in the FP by StateOfTheUnion · · Score: 4, Insightful
    As is typical, the editors leave out crucial information in their first post so as to make the article more interesting and attempt to gain more posts (Which I assume is used as a metric for advertisement pricing).

    Quoted from FP:

    University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds.

    Quoted from TFA:

    Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They also assembled a collection of cadaver fingers. In the laboratory, the researchers then systematically tested more than 60 of the faked samples. The results were a 90 percent false verification rate.

    The crucial piece of missing information: The need for dental materials; the same stuff used to make casting for denture, false teeth, etc. To do what the researchers did, one needs more than play-doh. But of course ignoring this makes the FP much more dramatic because it implies that a preschool toy is sufficient for fooling biometric scanners.

    For the record the quote from the FP is the part written by the editors, not by the submitter (unitalicized portion of FP), so the error (or omission) was made by a /. editor, not by the submitter.

    I find it frustrating that what I once thought was a useful and interesting source of information and lively discussion seems to have become what it once seemed to differentiate itself from. Slashdot editors seem to be adopting the playbook of big media and skewed news to drive up user posts.

    I find this sad because I thought that Slashdot was a site with an alternative playbook, that treated its readers as more savvy. Now it seems to be on the slippery slope to USA Today style reporting. I can only assume that this change is an attempt to drive up ad revenue. But I am afraid it will alienate many of the readers.

  10. Re:Is i just me by ObsessiveMathsFreak · · Score: 3, Insightful

    On the other hand, they're certainly not telling us, despite numerous comments asking what's going on attached to every BB story.

    What? When have the Slashdot eds ever told us ANYTHING?!

    --
    May the Maths Be with you!
  11. Re:This is unacceptable. by ScentCone · · Score: 2, Insightful

    The people being picked up are patriots

    Categorically saying they are patriots is just as silly as saying, categorically, that they are not.

    --
    Don't disappoint your bird dog. Go to the range.
  12. Re:And? by 16K+Ram+Pack · · Score: 2, Insightful
    I think that biometrics are dangerous because they give people the false belief in a perfect security system, an extension of when I've heard people in a company tell me that "the computer says so".

    People will trust these systems to the point that they will disengage their critical faculties, because they have been told how reliable they are.

    When biometric ID cards come in to the UK, I believe we will see more fraud because of this. Once someone works out how to break it (by gummi bear, play-doh) or whatever, they will pass and be able to pull off bigger frauds.

  13. Re:I Don't Know About You Guys But... by identity0 · · Score: 2, Insightful

    The sad thing is, that would be an improvement, as I've yet to notice BB or SM make a dupe post or obvious grammar error.

  14. Re:Is i just me by BarryNorton · · Score: 2, Insightful
    I suddenly stopped getting mod points too, and I can't figure out why.
    Me too, it had better be nothing to do with pointing out what wastes of space BB and CZ are...

    Still, I don't know why I should care - this place has really just descended into noise, and I honestly can't think of anything new I've learned here all year.

  15. Re:Is i just me by TheRaven64 · · Score: 2, Insightful

    Looking at your posting history, you seem to post fairly regularly. I have found that the moderation system seems to avoid giving mod points to people who post in most of the articles they read. I tend to only get mod points after the general standard of /. stories has been low for a week or two and I've not felt the need to post. When I go back to posting, they stop coming for a bit.

    --
    I am TheRaven on Soylent News
  16. Keep The Robust Stuff, Then by Lagged2Death · · Score: 3, Insightful

    Supposing there exists a "much more robust security infrastructure" - how is it going to be improved by the addition of a Play-Doh, uh, I mean a fingerprint scanner? Why not just stick with the robust stuff, and forget the shiny newfangled contraptions?

    This isn't the first demonstration that fingerprint scanners are useless. A few years ago, a Japanese university professor showed that it was possible to make a gelatin mold from a latent print (i.e., without direct access to the authorized finger in question) that would fool the readers most of the time! What is a fingerprint scanner adding but a false sense of security?

  17. Re:Good security by lars_stefan_axelsson · · Score: 4, Insightful
    While you are correct, the main purpose of guards next to biometrics devices is to ensure that users can not tamper with the devices.

    Yes, that's what I was trying to get to in my last sentence, i.e. that that won't work either. As the guard will have a tendency to become complacent given that the e.g. fingerprint scanner is "foolproof" and not even bother to look at it as the person scans his finger. Compare if you will the abysmal success rates of photo id:s when put to the test. The guard there is actually required to look at it as a part of the procedure (i.e. it's not incidental to the procedure as it is here), but anything usually goes. Even cartoon pictures (I know of one instance of Donald Duck) have gotten people into military bases. If I was a betting man, I'd bet that just holding the severed finger between the thumb and forefinger on the hand (in effect presenting a six fingered hand) would let you in more often than not, even with a fairly "vigilant" guard.

    A guard beside a finger print scanner will probably prevent someone walking up carrying a dead body, or taking a crowbar to the gate, but beyond that I wouldn't bet my life on it. People without technological support just aren't that good at routine surveillance (at a reasonable cost that is).

    --
    Stefan Axelsson
  18. Re:The fickle ways of moderation by welsh+git · · Score: 2, Insightful

    > (google doesn't AFAIK have the option to non-googlify a link, if it did and /. used it, how many stories would beatles post?)

    >rel=nofollow

    --
    Sig out of date
  19. The downside of biometrics by markdj · · Score: 2, Insightful

    I've said this before on slashdot: the biggest problem with biometrics is that once compromised they cannot be easily changed. You can always change your password if someone discovers it, but you can't easily change your retinal pattern. So if someone has a fake eyeball with your pattern you can't keep them from using it by using another pattern. The naive have assumed that biometrics are much harder to steal than passwords and would be too closely tied to the person to whom they belong to be compromised. For every type of authentication, there is a surprisingly easy and clever way to compromise it.

  20. Re:Is i just me by That's+Unpossible! · · Score: 2, Insightful

    This BS is precisely why I stopped subscribing. The editors don't give a shit about the abuse and stupidity in the (a) "editing" and (b) moderation system.

    If they clean house, I'll start subscribing again. Until then, there's no incentive.

    --
    Ironically, the word ironically is often used incorrectly.
  21. Re:Is i just me by jamie · · Score: 2, Insightful
    Most of the replies to my comment are saying largely the same thing. I'm not sure which to reply to so I'll reply here. I'm probably not going to continue the conversation after this unless someone brings up a really good point, and this is all offtopic anyway, but... here's my commentary for what it's worth...

    I guess if somebody wants to not believe me, that's fine. Everybody has the right to an opinion. But I'm trying to share the facts. Slashdot doesn't take money for posting stories to our front page, and if we did, we would make it obvious that we had. I work with these guys and I know.

    Heck, if Slashdot ever does get to the point where we think it's OK to take money for secretly biasing editorial content, I'll quit. One of the things I like about working for Slashdot is the editorial integrity. That hasn't changed in the six years I've been here. I find the scenario of Slashdot's front page going pay-for-coverage to be highly implausible, but if it does, I have better things to do. And I doubt I'm the only one here who feels that way.

    Plus, if we ever got to the point where we sold that integrity to some random guy who just wants us to link to his George Harrison site... uh, at that point we are obviously so hard up for cash that I probably wouldn't have a job for long anyway ;)

    As for rel=nofollow, yes, we do consider ways to make the submission process less gameable, like we constantly do for almost every part of the site. The policy has been for years that your reward for telling us about a story worth posting is 3 karma and a link to your homepage, and we don't want to change that without careful consideration.

    Oh, and a number of people have pointed out (and I haven't checked this) that ScuttleMonkey has posted most of the Beatles-Beatles stories. Do y'all realize that this works against your theory? If we were getting paid wouldn't every editor be doing it? Just asking :)