Aussie Kids Foil Finger Scanner With Gummi Bears
mask.of.sanity writes "An Australian high school has installed 'secure' fingerprint scanners for roll call for senior students, which savvy kids may be able to circumvent with sweets from their lunch box. The system replaces the school's traditional sign-in system with biometric readers that require senior students to have their fingerprints read to verify attendance.
The school principal says the system is better than swipe cards because it stops truant kids getting their mates to sign-in for them. But using the Gummi Bear attack, students can make replicas of their own fingerprints from gelatin, the ingredient in Gummi Bears, to forge a replica finger. The attack worked against a bunch of scanners that detect electrical charges within the human body, since gelatin has virtually the same capacitance as a finger's skin."
And the kids circumvent it by keeping the gummy bears in their pockets on the way to class.
Once again, a "foolproof" system proves to be only as useful as the fool who invented it.
If that is an actual photo of an Australian kid's finger prints they have bigger issues than being absent. I've heard of kids chewing nails but Australian kids must chew off their whole finger tips. Creepy.
Now get off of my lawn.
What one fool can do, another can. (Ancient Simian Proverb)
Fuck, YES. I read the original story, about the school introducing this moronic system, and could only shake my head. Attempts at total control are generally the solution proffered by lazy bureaucrats as an alternative to them doing their jobs. Here’s an idea - instead of working out ways of forcing the kids into school and keeping them there - why not work to make it compelling for them to come to school in the first place. I know, hard, right? Idiots. However, the creative (dare I say scientific) solution employed, and so quickly makes me remotely proud of our clever children. It’s nice to see the kids are far more intelligent and creative than their so-called teachers. I will have somewhat less pride when they remotely drain my bank account and I am forced to live on cast off gummi bears, but hey.
...is more expensive than a finger print scanner? Pay peanuts, get gummi bears.
I was promised a flying car. Where is my flying car?
Not even slightly surprised this is coming from Australia. You guys really need to do something about reworking that government so the party that doesn't win anything also doesn't end up in power.
There is no -1 Disagree.
Duke Igthorn is NOT going to be happy when he hears about this!
Nobody has actually foiled the high school fingerprint scanners yet, it's still only in the realm of (likely) possibility - especially after the kids see this story on /.
Biometric, swipe cards or any other method they use will have loopholes when left alone. All it needs is a single teacher to watch everyone put their fingers there. But if I were in school I'd hate that too (*mutters* "fucking attendance nazis").
In my old 2nd language class in school, we would all file in, sit down and the teacher would go through the list & call out the students she thinks are absent. But it was all on paper and there was no tallying done until the end of the term.
But I must applaud the school for making the kids work harder to break the system, that's a definite way to select intelligence for "coolness" :)
Quidquid latine dictum sit, altum videtur
* You have to buy a new system and probably sign a support contract for it
* It ties up personnel with deployment
* It doesn't work any better than the old system
* It raises significant privacy issues not present in the old system
* It raises huge data security and disposal issues not present in the old system
* Adding a new student is more invasive and time consuming than in the old system
* Fingerprint biometrics can track an arbitrarily large set of individuals...but they can only distinguish a few hundred
Yep, that sounds like a textbook example of educational bureaucracy.
If a school needs fingerprint scanners to take attendance, doesn't that imply that the school has bigger problems than students circumventing fingerprint scanners?
Quoting from the end of the fine article (emphasis added by me).
Tsutomu Matsumoto, a Japanese cryptographer, uses gelatin, the stuff that Gummi Bears are made out of. First he takes a live finger and makes a plastic mold. (He uses a free-molding plastic used to make plastic molds, and is sold at hobby shops.) Then he pours liquid gelatin into the mold and lets it harden. (The gelatin comes in solid sheets, and is used to make jellied meats, soups, and candies, and is sold in grocery stores.) This gelatin fake finger fools fingerprint detectors about 80% of the time.
His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional. (You can find photo-sensitive PCBs, along with instructions for use, in most electronics hobby shops.) Finally, he makes a gelatin finger using the print on the PCB. This also fools fingerprint detectors about 80% of the time.
Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.
What one fool can do, another can. (Ancient Simian Proverb)
Video of how they did it. Not included with the article for some reason: here.
I agree that it's a stupid and lazy approach. But there is only so much you can do to "make it compelling" until reality sets in that discipline is necessary for children.
The oldest approach is still the best - have teachers (and not machines) who **recognize** kids conduct roll calls.
Until Discovery Communications has it taken down--
http://www.youtube.com/watch?v=LA4Xx5Noxyo
What one fool can do, another can. (Ancient Simian Proverb)
..they shouldn't be getting money to pay for teachers.
swipe cards would be enough if the teacher actually paid attention when the kids are swiping the cards.
is it a movie theater or a school?
world was created 5 seconds before this post as it is.
I'll be more impressed when they have an article that says: Kids circumvented fingerprint scanners at school using gummy bears.
Kids should be in school. Period. Our present breed are just as crafty as we used to be back in the day in trying to avoid the system. That is how you create innovative kids in the first place. Those kids who defeat this totalitarian system and get away with it - well - they deserve the day off :)
Meus subcriptio est nocens Latin quoniam bardus populus reputo is sanus callidus
This has been known for years. I used to work for a company that produced electronic locking devices and biometric readers when I got in contact with a professor in Japan who had discovered this method. He mailed me full, detailed documentation on how to fool most biometric fingerprint readers with a "gummy finger". His method involved lifting fingerprints via transparent tape and using a photosensitive circuit board to manufacture a fingerprint mold, which could then be used to form the gummy finger. Some biometric devices worked with just the gummy finger and some that measured capacitance simply required you to lick the gummy finger beforehand. Afterwards, you could just eat the thing, thereby eliminating any evidence of its existence.
Quite a long time ago the school district I was in kept attendance records on a computer. The password was kept on a piece of paper in the secretary desk, but that didn't matter. They had a 2400 baud modem connected to a hard line that allowed access for all sorts of records to be shared. I guess they figured the security was knowing that magic 7 digit number written on the modem, and not believing for a second that any child could possibly get the idea to call it, let alone with their own modem, and never one that understood computers better than they did.
One of my first entrepreneurial ventures was attendance management services to other kids. In this system once you hit a certain level of tardiness, or missed classes, it triggered a physical letter to be sent to the parents. I could make sure that didn't happen. Was fairly profitable and this was back when "computers never lied" and hacking was not well understood by anybody, least of all school administrators.
I had to stop when it became obvious in some parent teacher conferences that some students had clearly been ditching a lot of classes according to the teachers, but the records on the computers no longer matched the written records of the teachers. Good thing I used the computer lab and my own modem otherwise the phone records would have busted me... if the investigation even got that far. Since the "corrupt" records matched the district offices, it was assumed the computer itself was faulty somehow. They just ended up replacing it... but leaving the modem.
I guess my point is overall, that if schools are really serious about taking attendance, maybe they should concentrate less on the technology and more about giving a shit "hands on". Teachers should have the phone numbers and email addresses of their students' parents, and I don't know, use them. I would have never gotten away with what I did had there been even a small amount of caring amongst the staff. At this point in my life it disappoints and saddens me that a teacher would not directly call the parents once a student missed 3 classes in a week. Waiting for an automated system to send a letter out after 7 missed classes just allows a problem to fester for around a month before anybody starts to address it.
Of course I can't blame a lot of the teachers. When you are chronically underpaid and have to do ridiculous shameful shit like purchasing resources out of your own pockets for your students, I can understand how some become burned out and disillusioned.
Kids pick up on that too. If they feel they are in a situation where people don't care and it's a mechanical mind numbing system they are forced to deal with, they will react, and most often negatively.
I guess what pisses me off more about this story is they could have used the money in that budget to raise the teachers' salary and just had the teachers write down attendance in a book and have the empowerment to directly call the fucking parents.
As a sysadmin at an Australian high school, I've been asked by my Principal to check into the current state of these systems.
I raised the concern that kids are just going to find some way to dupe whatever electronic system is put in place. He agreed. He then stated that there's nothing stopping kids from impersonating their mates when the roll call is made, giving a false 'present'.
I thought, well, fair enough.
He put his rationale to me this way: if roll call takes five minutes per lesson, and there are 20-ish lessons per week, then a student initiated roll marking system is going to recover a sizable portion of 100 minutes a week, or around 60 hours over the run of a school year. This time can then be spent TEACHING the students who are there to learn. A lot can be taught in 60 hours.
What about the kids who skip class? There are processes in place to deal with those. Ultimately, their absence is going to manifest itself in all sorts of problems for them later - all of their own doing. Meanwhile, they're not in class distracting those that are there to do what they are there for.
AC, because I'm a decade-long /. lurker and can never be bothered signing up. Feel free to not waste mod points on me.
Call me old fashioned, but whatever happened to teachers actually knowing their kids and simply taking attendance that way?
I faintly remember back in high school, when we had substitute teachers sometimes. One was particularly dim, so most folks cut that class. I was in it, and the substitute teacher passed around a paper for all the students to sign in. There were three of us in the class, and about three hundred names were on the list that we passed back: "Who's Dick Hertz?", etc.
Students will always find a way to get around stuff like this . . . .
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
"Chris?"
"Here Miss"
"Peter?"
"Present Miss"
"Well it looks like everyone who's going to be here is here already, let's get started!" She thought, knowing full well that a few of the students skipping the class will be reported to the principal yet again.
Fingerprints? Really? Whatever is wrong, it's not the fault of the system that has served us for hundreds of years, and doesn't need some stupid technology to fix it.
The real question is why they even need advanced tech solutions to determine attendance in the first place. Last I checked, roll call isn't prone to security breaches, hacks (well, maybe on the data after), or any kind of clever foiling. Card swiping? Fingerprint scanners? All that looks like a downgrade not an upgrade to me...All this sounds like
But isn't the whole point of this so that you don't need to employ someone to check attendance? If you have to employ someone to stand there, why not just get that same person to call out names and record on a register?
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
Didn't the Mythbusters bust the myth that "fingerprint scanners are secure" already?
http://www.google.com/search?q=mythbusters+fingerprint+scanner
Old news, Mythbusters did this same thing years ago with a bunch of different scanners.
no
Several teachers that I had relied on the class staying pretty constant, and gave each student a number in alphabetical order. To "Call roll", you would listen for the number before yours, and after that was said by the student in question, you would say yours. Any absences were immediately obvious, and it took no more than a minute to finish it.
If the problem with cards was that people were swiping their friend's cards, and the problem with fingerprints is that they're faking them, then the problem seems to be a social one.
As noted, there's no technical solution that will keep motivated teenagers at bay.
No sig today...
When I was at school we had to sit in a room and the teacher would read out a list of names and you had to say "here!".
No sig today...
> Gummi Bears... worked against a bunch of scanners that detect electrical charges within the human body, since gelatine has virtually the same capacitance as a finger's skin.
Ridiculous. Bovine Gelatine has a completely different capacitance from Human Skin. Only Human Gelatine could give that sort of result. Wait. Human. Gelatine. Gummi Bear. A barber shop quartet. Scopie. Illinois. Orca. A Big Fat Guy. Gummi Bear. Gummi. Gelatine. Human. People.
They invented all that, not some Japanese guy.
(If the show isn't a trick...)
No sig today...
While school kids may yet learn to scam extra lunches and play hooky through the use of gummi candy biometrics, the headline is bogus. None of the linked articles reported that any kids anywhere are doing anything with gummi bears except fucking up their teeth.
Kids' ingenuity is always at its best when fighting the man. Maybe they'll be smart and Orwellian. You know, like the Chinese.
Bueller? Bueller? .. Bueller?
Pure gelatine may (or may not) have the exact same capacitance... But what about the sugar, flavourings etc?
Then there's the fact that if you pressed your finger into a gummi bear, it's not going to create a lasting or deep impression. Perhaps if you really squashed the gummi bear it would create a detailed, lasting impression but then you're going to be left with a fragile, thin sheet of gelatine that would fall apart if you pressed it on the scanner.
Yes you could create a mould of the finger and fill it with pure gelatin but an 11-year-old would struggle to create a detailed enough mould without being helped and it's simply too much hassle for a kid to attempt. It would be easier to clone a magnetic strip, tell someone a passcode, get someone to forge a signature or simply to say "here" when their name is called out.
Am I getting old or is everyone's memory that bad?? The gummibear attack was already shown in 2002: http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
Oh I'm a gummy bear, yes I'm a gummy bear Oh I'm a yummy, tummy, fingerprint stealing gummy bear, oh yeah!
Just wow. I work where we have these things and there is NO way I could do that. Maybe I am OCD but after they were installed I started to look at how people behaved with their hands and fingers. WAY too many nose pickers that I had never noticed before. We have a sanitizer station by each one but I would prefer a little flaming jet of natural gas sometimes.
Once again, FUD-inducing security experts with a clear lack of judgement and risk analysis...
My house door is still locked with a 5 tumbler generic door knob, because implementing higher cost measures will not necessarily be beneficial, and a thief actually has to break in rather than just open the door, pick up the TV and leave. If no one had any locks on their doors, we would likely have much more theft than we do. This is the measure that society deems to be "the right level" to address this particular risk.
Biometric readers are a good trade-off in this very context.
They are more complex to fool than just swiping a card, which can be traded by students and doesn't require much knowledge to circumvent. Circumventing a biometric reader requires knowledge of their inner working, and the methods may or may not work depending on the quality of the print, which would have traveled in another student's pocket and be manipulated in less than ideal circumstances to replicate a finger. It is not as trivial as a mag stripe card being given to a friend. From a strict risk-benefit standpoint, this is a better strategy. Yes, it can still be circumvented and is not perfect, but that holds true about just any measure.
If the machine can track you the next thing is it wants to control you. Who doesn't feel like giving Big Brother the slip? Big Brother is the guilty conscience come into reality, ready to find fault and curtail life's evil little pleasures.
The best way to fool Big Brother is to let it think it knows the truth, to invent reality.
Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
My old school had a sign-in system based on face-recognition. Nobody ever found a way to circumvent it. This was 25 years ago, but I believe others were using a similar system even earlier.
... or this tasty!
Build a better mousetrap, and the universe will build a better mouse.
Mythbusters already covered this. Just take a photocopy and it will work.
When I went to school, we had a class book where teachers would note who was not in. When I was responsible for the classbook, about half of the class once skipped a few lessons. When I was ordered to the principal he asked me if I was absent during those classes. I gave him the book and said stone cold: "My name is not written down in the book, so that must mean I was there."
He went for the logic, not thinking that the book and I were BOTH absent.
They did part of it in the right way. Letting the teacher do the social check and then they went wrong with the technical solution and relied on that.
Don't fight for your country, if your country does not fight for you.
"Aaand...that's why they call it Jell-O":
http://www.penny-arcade.com/comic/2010/4/7/
Fingerprint scanners for ROLL CALL? Really?
I'm all for technological advances, but just how lazy do you really need to be? Is it too much to ask the teachers to take roll call like they have been for hundreds of years, and LOOK at the students to make sure they are who they say they are?
Somehow I'm getting less and less surprised that Australia has passed the US as the most obese nation in the world...
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
Unmonitored physical access to the device means it is compromised. Hell it could be as simple as using the USB "setup" port to make it say whatever you want. Heck, program it to just use a list, first finger checks in first person on the list, and so on, stick people you like at the top, and people you don't near the bottom.
All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
the types of high schoolers that bring lunch boxes are the types that wouldn't skip class. so to me this sounds like a plan of flawless logic, FLAWLESS!
Many biometric identification systems are useless, overhyped crap that is vulnerable to trivial spoofing. Few of them are worth the enormous cost, and most seem to be made for idiots who can't memorize a reasonably strong password, or who think cool and futuristic means secure.
The call is coming from inside the school!
Why exactly are there fingerprint scanners in a school?
I don't know, but teachers here in Switzerland still manage to track attendance with a simple piece of paper and a pen. Yes, you can social engineer that one, but come on...
If students don't want to attend school then there is something wrong with the school. Fix the school so that the students want to go there; then you don't need a fancy biometric scanner.
Do you think the casual school student is going to make silicone molds to cast the fake finger, or do the fingerprint on glass, CA adhesive to raise it, and then "a technique for processing printed circuit boards to the production of the molds for cloning the gummy finger"
I can see someone doing this if the "target" were of sufficient value to spend the time to do all this, but the value of cutting school just isn't high enough for it to be a significant risk.
Then again, this is Australia we are talking of, their government tries to overly-complicate everything.
Wow! You were Ferris Bueller!
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
> Of course I can't blame a lot of the teachers. When you are chronically underpaid and have to do ridiculous shameful shit like purchasing resources out of your own pockets for your students, I can understand how some become burned out and disillusioned.
Yep.
Of course, if teachers have to call home, you often times wind up with "perfect child syndrome" where the parent doesn't believe the teacher. They take it up with the principal, and if they're the kind of parent who can donate a new computer or something, suddenly the teacher is just harassing them. Put it in the computer, however...the computer never lies!
No trespassing. Violators will be shot. Survivors will be shot again.
I was a teacher in a rural farm school for 5 years. I can tell you first-hand that having contact information for parents is useless 75% of the time.
One of our huge challenges was trying to break the inertia of bad parent experiences in school 10-20 years ago. "I flunked out, so there's no hope for my kid." "I graduated, and look what it got me - I'm working on the farm like I was all my life. School doesn't do nuthin for ya!"
To be frank, parents can often be the biggest barrier to a student's education. This is especially true in undereducated/impoverished communities. Even encouraging your kid to hang around with different kids can have a profound effect on their performance in school.
It was rare for me to be able to get in touch with the parents of the most troublesome students. Why were they trouble students? Mainly because their parents weren't ever around disciplining them or doing their job as parents.
Typical parents were ones like the one who threatened his kid (bright, I got along with him, but failing my class for the second time. Dad asked why. I bluntly said, "He's plenty smart enough to pull an A, he just doesn't try at all.") with all sorts of stuff if he didn't pass. Three weeks later? Kid was gone for two weeks. Why? Family went on vacation... Had a meeting with a very bright kid's parents who had become a major stoner half-way through freshman year. His grades went from straight 100s (not just As) into the 50s. Parents were distraught. I pointed out how he was on time and handed everything in the first half, was late all the time and turned next to nothing in the second half of the year. A week later, the band instructor opened the case for the instrument he used, out fell a bowl and the leavings of the last oz he bought. As responsible parents....they threatened to sue the school because it could have been anyone's bowl and pot. Because the instrument case wasn't locked. A month later, after the school decided that they couldn't financially afford to suspend the kid, his parents bought him a new car. Convertible.
Now those were some of the parents I could get ahold of. For a large percent of kids, I couldn't get in touch with a parent. Ever. Phones disconnected, working two jobs, would just hang up on me. Would always have the kid answer the phone or get the mail, so all contact with the school was "junk mail" and "telemarketers". It was truly mind-boggling to me how disengaged parents were with the system. What was truly needed was a mandate that parents be involved with their kid's schooling. Of course, a lot would then turn out to be like the two I mentioned - there were a lot of parents like that where I worked.
Velociraptor = Distiraptor / Timeraptor
When gummie bears are outlawed only outlaws will have gummie bears ;)
If you think they'll actually use the right technology instead of simply saying, 'ooo RFID, must be good', you're delusional.
There is nothing new to this.
Kevin Rose on the former TV show "The Screensavers" on G4TV (now Attack of the Show) demonstrated this back in 2005, and there are probably others who have documented this even before it hit the TV.
Since having teachers take attendance is just too damned hard.
Why are you letting these clowns ruin our country?
> why not just get that same person to call out names and record on a register?
*Ding*Ding*ding*
We have a winner!!!
Sometimes the simplest solution is the most effective.
---
"I can't complain, but sometimes still do..." Joe Walsh
would be to focus on the real problem; the kids that are using these methods to pose as other students need to be charged with and convicted of identity theft! It's only when they have been punished to the fullest extent of the law that they will truly appreciate the value of a good education. I'm sure there are high school graduation programs available in Australian prisons and at least there we can be sure they will actually attend.
Our attendance and grading were on computers, but the network was slightly better managed. The big mistake they made though, is to leave reams of traction-feed report card paper in the detention room. After filling my backpack with about a 4-inch stack of report card paper, my Commodore 64 printer could duplicate the report cards perfectly. So the question then becomes, "what grades do you want?" Back when I got handwritten report cards, this was a much more difficult thing to do. Granted, this story is about attendance and not grades, but can the teachers really not be bothered to, I don't know, check for themselves?
Geez. This seems like the old zero-gravity pen vs just using a pencil in outer space argument. In High School, we had homeroom at the start of the day for someone to lay eyes on you and take attendance. Then attendance was informally taken in each class afterward. Low tech and simple. Why some people see the need for a high tech solution to a low tech problem is beyond me!
It would seem that the people having put this system into place didn't see the Mythbusters episode where they circumvented a "foolproof" fingerprint scanner with gelatin.
~Syberz
"...and I would've gotten away with it, too, if it weren't for those darn kids!"
After exhaustive research and excruciating analysis, I've determined that Bubba is, in fact, everywhere.
Alexander the Great solved the same problem with the Gordian Knot in the 4th century BCE. Smash the scanner. The modern improvement would be to disable it less flamboyantly and enjoy the theatrical performances of the assistant principal and custodial supervisor standing around scratching their heads.
It's a sad sad day when innocent, sweet (tasting) Gummi Bears get caught up in an attack like this. We strive to create technology that is able to combat the most diligent of adversaries, but who oh who could have foreseen the rise and attack of the Gummi Bear. I know the Department of Homeland Security will now begin tracking sales and shipments of Gummi Bears, and begin screening retailers of these Gummi Bears so as to ascertain how exactly these bears present a threat to national security. Throughout the land, security officials are shouting "So you're not going to talk eh? Look at me now, I'm EATING YOUR ARMS, THEN LEGS, AND NOW HEAD! Let that be a lesson to the rest of you!" The idea being that if none of the bears talk, all of the officials will chew on the bears, every last one of them!
This news is at least 5 years old.
Back in 2004/2005, Kevin Rose demonstrated the use of gummy bears to cheat fingerprint scanners on the TV show "The Screensavers" (today called "Attack of the Show"). And my guess is that this trick was known even before then.
Too many gummy bears: http://idle.slashdot.org/story/10/10/28/170207/School-Children-Are-Now-Too-Fat-to-Fit-In-Class-Chairs
Wow!
I've always wanted to meet a Gummi Bear!!
You're sooooo kool
Hey, can you slip me some Gummi Berry Juice? I promise not to tell!!!
Someone modded this offtopic. When is Slashdot going to add an appeal system against bad mods? The current "hey! would you like to review some moderations?" thing is a joke.
Maybe they will make a sniffer that will read farts???
All they need to do is reprogram the scanner to not accept the left-to-right mirror image of the fingerprint that the gummi bear would display. The image is a mold-negative. They should only accept the mold-positive that the original finger produces.
When my dad was in High School, he (mostly for fun) helped the school implement an attendance system where each homeroom class sent in the punch cards for the students who were present at the start of the day. Someone fed each card to the computer, and the attendance was tallied. (This was the same year he was guaranteed an "A" in his computer class on condition he stop showing up - gotta love the irony there.)
Of course, students carried the punch cards to the office, so it was easy enough to slip in a card for someone who hadn't attended.
It's actually somewhat comforting to think that, more than thirty years later, nothing has changed.