Slashdot Mirror
Fingerprint Scanners Fooled By Play-Doh
* * Beatles-Beatles writes to tell us YubaNet is reporting that in recent tests by Stephanie C Schuckers, an associate professor of electrical and computer engineering at Clarkston University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds. From the article: "Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense. She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF."
I'm not fat, just big boned...
Something funny is going on - two stories in a row? That's not chance, that's not coincidence, that's paid for. The only question is whether slashdot is paying **Beatles-Beatles, or **Beatles-Beatles is paying slashdot.
Either way guys (and I'm talking to you, editors) it would be nice to be told. Just so we know, y'know? We're mostly intelligent, curious people here, and that sort hates being kept in the dark when there's so obviously something going on.
It's official. Most of you are morons.
1. Something you have, like badge or actual key.
2. Something you know, like a password or pass phrase.
3. Something you are, like a General, Doctor, or American citizen.
This gets interesting in the overlaps that refute the categoricals. What you know and what you have both define what you are. For example what makes you a General or a Doctor other than the correct uniform? A detailed knowledge of military or medical matters. So let's take two twins, one a doctor and one a general and get them to spend a month teaching each other everything they know about each others subject. The doctor twin puts on his brothers uniform and walks right into the base. Now, can he spend an entire day bluffing his way through a tactical conference, while his brother does a bit of impromptu brain surgery? Unlikely but not impossible. So is it what we know that defines us as who we are? Not with 100% certainty. Is it what we have that defines what we are? No, not definitely. Keys, passwords, biometric features, money, any facet of physical acuality can be forged, stolen or substituted. So where does that leave us? It leaves us with the uncomfortable philosophical annoyance that identity does not exist. We have to step back and look at the question again. What are we trying to achieve through assigning identity? We are trying to map INTENTION. The guy getting on the plane may look like, smell like, sound like, walk like... the person the computer says is good ole regular Joe Citizen 101, but what if his _intention_ is to blow up the plane and not ride peacefully? Joe could have been brainwashed/blackmailed/replaced by an android. Identity isn't the thing that governments and identity researchers _want_ it to be and so we have to start tackling the more difficult issue of stopping people needing or wanting to steal money or blow up planes.
Quoted from FP:
University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds.
Quoted from TFA:
Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They also assembled a collection of cadaver fingers. In the laboratory, the researchers then systematically tested more than 60 of the faked samples. The results were a 90 percent false verification rate.
The crucial piece of missing information: The need for dental materials; the same stuff used to make casting for denture, false teeth, etc. To do what the researchers did, one needs more than play-doh. But of course ignoring this makes the FP much more dramatic becuase it implies that a preschool toy is sufficent for fooling biometric scanners.
For the record the quote from the FP is the part written by the editors, not by the submitter (unitalicized portion of FP), so the error (or omission) was made by a /. editor, not by the submitter.
I find it frustrating that what I once thought was a useful and interesting source of infomation and lively discussion seems to have become what it once seemed to differentiate itself from. Slashdot editors seems to be adopting the playbook of big media and skewed news to drive up user posts.
I find this sad because I thought that Slashdot was a site with an alternative playbook, that treated its readers as more saavy. Now it seems to be on the slippery slope to USA Today style reporting. I can only assume that this change is an attempt to drive up ad revenue. But I am afraid it will alienate many of the readers.
Yes, that's what I was trying to get to in my last sentence, i.e. that that won't work either. As the guard will have a tendency to become complacent given that the e.g. fingerprint scanner is "foolproof" and not even bother to look at it as the person scans his finger. Compare if you will the absymal successrates of photo id:s when put to the test. The guard there is actually required to look at it as a part of the procedure (i.e. it's not incidental to the procedure as it is here), but anything usually goes. Even cartoon pictures (I know of one instance of Donald Duck) have gotten people into military bases. If I was a betting man, I'd bet that just holding the severed finger between the thumb and forefinger on the hand (in effect presenting a six fingered hand) would let you in more often than not, even with a fairly "vigilant" guard.
A guard beside a finger print scanner will probably prevent someone walking up carrying a dead body, or taking a crowbar to the gate, but beyond that I wouldn't bet my life on it. People without technological support just aren't that good at routine surveillance (at a reasonable cost that is).
Stefan Axelsson