Hacker Club Publishes German Official's Fingerprint
A number of readers let us know about the Chaos Computer Club's latest caper: they published the fingerprint of German Secretary of the Interior Wolfgang Schäuble (link is to a Google translation of the German original). The club has been active in opposition to Germany's increasing push to use biometrics in, for example, e-passports. Someone friendly to the club's aims captured Schäuble's fingerprint from a glass he drank from at a panel discussion. The club published 4,000 copies of their magazine Die Datenschleuder including a plastic foil reproducing the minister's fingerprint — ready to glue to someone else's finger to provide a false biometric reading. The CCC has a page on their site detailing how to make such a fake fingerprint. The article says a ministry spokesman alluded to possible legal action against the club.
I'd like to see this done to officials in all countries.
Reminds me of Gone in 60 seconds (the Jolie version) where one of the car-thieves glues on Elvis' fingerprints.
They should do that to the head of the TSA and put him on the no fly list
So.... let's see.
Of all the people to humiliate... a senior public official who sets policy for something you directly care about.
This couldn't possibly turn out badly.
"Chinese Amazons, power armor, laser swords.... things just meant to be." - Shampoo, A Very Scary Bet
We hear that Wolfgang Schäuble is convicted of committing 17 crimes. Simultaneously.
High officials often seem to think the consequences of privacy-invading legislation will only occur to other (read: little) people. It's good to remind people in those positions that they do not have absolute power, and that they need to think about second order consequences.
Dog is my co-pilot.
At least until extreme body modification is commonplace, biometrics suck for identification. It's the only modern "security" mechanism that lacks revocation. Without revocation, a security model is eternally broken as soon as one chink is found.
A person only has 20 digits, 2 palms, 2 soles, 2 retinas, and one genome. All of the biometric properties of those can easily be duplicated with noninvasive methods (simply enrolling in a biometric system requires the same access as duplication would). When one of those 27 properties is compromised, how do you revoke its use? I guess start with the fingers and palms and as people get older they have to start using their feet for identification, and at the very last make them get pricked for each identification. When all the biometric identifiers are used up, the now useless (at least in a Secure(TM) society) people can be recycled in the soylent green program or something.
This seems a bit over the top if you ask me, but hopefully it will expose biometrics for what it is: an unchangeable, and in many cases public, password. It's not very easy to hide your fingerprints (or even your DNA, for that matter) from people who really want to find them, and to rely on them for definite identification has the same problems as a social security number. Plus, anyone with a police record would be somewhat compromised from the get go here in the U.S.
I'd hate to see people get proficient at faking fingerprints, because that leads to all sorts of interesting results in the realm of law. If fingerprint fraud becomes widespread, for example, will fingerprints at a crime scene still be valid evidence in court?
Quiz: True or False -- On a scale of 1 to 10, what is your middle name?
This event highlights one of the major flaws of biometrics. This official had his fingerprint copied. There is nothing he can do. He can't change it. He can't prevent people from using it. No fingerprint reader will ever be able to determine with 100% certainty whether a particular fingerprint is real or fake. Bottom line: when one of your biometric traits gets stolen, you get screwed. For life.
I hope this convinces governments that using biometrics for anything is a bad idea (other than perhaps criminal investigations, although what if this German official's fingerprint was found on a murder scene?).
The article says a ministry spokesman alluded to possible legal action against the club.
To what ends? You can't deter it as it's already happened, and you can't suppress it, as even the method for tricking the security system is widely known. If the security system is broken, you can't legalize it into working again. The security system was built in order to keep things safe, and now we have to keep other things safe from the security system itself.
Twinstiq, game news
With the advent of Biometric Embedded Copyright Token (BECT), if this hack had been done in America, wouldn't this fall under the DMCA?
It would be interesting to try to tell the cops that they cannot have your fingerprints because it violates the DMCA.
Bravo!
At least they get off their asses unlike Americans who cry about the Constitution but do fuck all about it.
Bush was right, it is JUST a piece of PAPER. Why? Because Americans do NOTHING about it and do not believe in it.
This is plain to see by their inactions.
You don't have to go to any special measures really to do this. I mean plastic and all those synthetic rubber moulds and stuff that the average person couldn't do is a bit excessive. Remember on MythBusters when they tried to beat that "unbeatable" fingerprint lock on a door and managed to do it by printing off the fingerprint with a laser printer and licking it? Yeah, biometrics is a joke. And really good biometrics like DNA aren't practical or fast and the retina scan, well you do that every day for a year and see if you don't go partially blind. I can't care how safe they think it is. Facial recognition is pretty useless and easy to beat too. Until they find something that's 100% unique and fast and accurate, they should forget about biometrics.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
I wonder if anyone has actually tried making such a fingerprint copy, and then using it on a fingerprint reader like the ones on laptops etc.
Do you really get a good enough copy? How hard is it? (After all, any security can be broken somehow. So an essential aspect is the "cost" of breaking the security)
I'm sure there were other prints, but only one was needed to prove the point -- that his fingerprints and therefore biometric security just got PWNED.
Yep. The problem is, what do you do if they compromise multiple sections of your biometric profile?
Bob: DAN! What the fuck happened to you? You have no arms and no legs.
Dan: And no testicles either. They took those too.
Bob: No tes..what happened?
Dan: Somebody got a copy of my biometric profile. So we had to make changes...
Bob: But you have no arms and no legs!
Dan: They even changed my name...
Bob: They did? What's your name now?
Dan: Matt
Chas - The one, the only.
THANK GOD!!!
Everyone knows that biometric data can be stolen, just like every other means of identifying yourself. I thought the point of biometric data was that it added one *more* piece of data that would have to be stolen before someone could successfully impersonate you.
So in addition to needing to know a pin or password, someone also needs to have stolen my fingerprint in order to take money out of my bank account. Isn't this what is called two factor authentication? Isn't that a good thing that makes it that much more difficult to steal an identity?
According to this article Germany's new passports:
http://www.itsmig.de/best_practices/ePass_en.php
they contain both fingerprint data, and a picture of the person. Thus, to steal your identity, a person would have to steal your passport, look like you, and also steal your fingerprint. This actually seems like a pretty good system that would prevent someone from using a stolen passport to steal the rightful owner's identity. Without the fingerprint data, an identity thief doesn't need to do as much work.
That said, I'm not from Germany, so maybe there are additional nuances about this thing that I'm missing.
Yes, this was done a couple of years ago in Sweden as a Master Thesis, which was described in Swedish Engineering paper Ny Teknik http://www.nyteknik.se/efter_jobbet/kaianders/article32986.ece (sorry, Swedish only). The student Marie Sandström tested a simple yello, which was created using the same method as mentioned in the article above, on three commercial fingerprint-readers at the CeBIT fair in 2004.
Mister Schäuble can enjoy an easy career as burglar when he's out of office. With 4000 copies of your fingerprint circulating, it cannot be used as evidence any more.
The only dumb thing he could get caught with is when he leaves wheelchair tracks at the scene of the crime.
DNA is the ultimate spaghetti code.
The CCC is one of the things I like about Germany. It highlights a major element of German-style citizen-culture. It's clearly opposed to uncontrolled government and any notion of a police-state. It has a taste of anarchy to it and on its fringes it has unofficial members with ties to the black-hat community. Yet it is a well organised official registered German association that speaks up on behalf of the people and democracy. With a 27-year tradition of keeping the public political debate alive on IT related rights-issues by perpetually coming up with creative ways of gaining attention. This recent 'Schäuble-Fingerprint' stunt being one of them. I don't know if they've exposed themselves to legal liability by doing this (after all it was officially published in their magazine 'Datenschleuder') but it sure is as funny, hilarious and exposing as ever. Creative nonsense at its best. Go, CCC!
We suffer more in our imagination than in reality. - Seneca
My kids were watching the Scooby-Doo 2 movie the other day. There's a scene where Daphne activates a fingerprint activated lock by dusting the scanner with blush powder (highlighting the latent fingerprint from its last use) then using a pore-strip over her own finger to provide the right body temperature/capacitance/whatever without her fingerprint confusing the sensor.
I was amused to see that the technology's weaknesses had made it to the Scooby-Doo level already. I don't know if that exact combination would work, but I've heard of similar successful attacks.
-- Alastair
To that, all I'll have to add is that the truth is stranger than fiction.
It's often rather difficult for people to make an objective assessment of the present especially since causes and facts are often incomplete "now" and often require now to be later before you can look back on now and get a more clear picture, but consider the shocks and fears generated when "1984" was published. Now look at how much farther we have gone beyond 1984's "science fiction" and how we don't even notice it, let alone are alarmed by it.
Things aren't "getting bad." They ARE bad. Things are getting worse. For all the people out there who think we need to give up privacy and crap like that, you need only look back to your teenage years for why a sense of personal space and privacy is important for people in general. I don't know that there are any studies on the subject, but I'd be willing to place a very large bet on the notion that in societies with less privacy, the suicide rates are likely to be higher. A person's sense of safety is closely tied to their sense of privacy... you only need to sit on a toilet without walls surrounding it once to understand that notion.
The answer why I am posting as an AC is left as an exercise to the reader.
Fingerprints as biometric are almost useless. The only way to make sure they work is to have a trained finger inspector look at every finger before it's used.
No sig today...
You leave your DNA everywhere you go and there are machines which can duplicate it and produce big samples - big enough to create fake DNA mouthwashes or whatever is needed to fool the scanner.
...and that's not going to be very popular.
The only way to be sure you're looking at the right DNA is to stick a needle into a person and take a sample from deep inside them...
Most biometric systems are junkware being pushed by people who are after the lucrative government contracts. The bottom line is they don't really work too well.
The only one which might work is retinal scanning but for whatever reason I don't see that on anybody's ID card agenda. Why not? I don't know...
No sig today...
Duress codes were widely implemented by the British Special Operations Executive in the Second World War.
Agents dropped behind Axis lines were taught how to use 'security codes' if they were compromised (i.e. captured by the Nazis).
The imbeciles in London who received their messages, especially from the totally infiltrated Dutch circuits, were so stupid as to message them back saying 'why are you omitting your security codes?'
It got so bad that on April 1st 1944 the London operators received a plaintext message from the head of the Nazi operation thanking them for their cooperation (I think his name was Geiske).
Hundreds died. It soured British/Dutch relations for a generation. It was monstrous, inexcusable loss of life.
Don't EVER underestimate the power of stupidity.
Yup, fingerprints are extremely weak security checks since a normal person leaves hundreds of prints behind them every day.