Aussie Kids Foil Finger Scanner With Gummi Bears

mask.of.sanity writes "An Australian high school has installed 'secure' fingerprint scanners for roll call for senior students, which savvy kids may be able to circumvent with sweets from their lunch box. The system replaces the school's traditional sign-in system with biometric readers that require senior students to have their fingerprints read to verify attendance. The school principal says the system is better than swipe cards because it stops truant kids getting their mates to sign-in for them. But using the Gummi Bear attack, students can make replicas of their own fingerprints from gelatin, the ingredient in Gummi Bears, to forge a replica finger. The attack worked against a bunch of scanners that detect electrical charges within the human body, since gelatin has virtually the same capacitance as a finger's skin."

Over-hyped as usual

[PerformanceDude]

So, the school introduces this and the headline is: Students may be able to circumvent it using gummy bears. Boo hoo!! As if any other measure may not be circumvented. A simple supervision or CCTV of the scanner would detect any circumvention attempt.

I'll be more impressed when they have an article that says: Kids circumvented fingerprint scanners at school using gummy bears.

Kids should be in school. Period. Our present breed are just as crafty as we used to be back in the day in trying to avoid the system. That is how you create innovative kids in the first place. Those kids who defeats this totalitarian system and gets away with it - well - they deserve the day off :)

Re:Removing the human ... that's where the issue i

[EdIII]

Quite a long time ago the school district I was in kept attendance records on a computer. The password was kept on a piece of paper in the secretary desk, but that didn't matter. They had a 2400 baud modem connected to a hard line that allowed access for all sorts of records to be shared. I guess they figured the security was knowing that magic 7 digit number written on the modem, and not believing for a second that any child could possibly get the idea to call it, let alone with their own modem, and never one that understood computers better than they did.

One of my first entrepreneurial ventures was attendance management services to other kids. In this system once you hit a certain level of tardiness, or missed classes, it triggered a physical letter to be sent to the parents. I could make sure that didn't happen. Was fairly profitable and this was back when "computers never lied" and hacking was not well understood by anybody, least of all school administrators.

I had to stop when it became obvious in some parent teacher conferences that some students had clearly been ditching a lot of classes according to the teachers, but the records on the computers no longer matched the written records of the teachers. Good thing I used the computer lab and my own modem otherwise the phone records would have busted me... if the investigation even got that far. Since the "corrupt" records matched the district offices, it was assumed the computer itself was faulty somehow. They just ended up replacing it... but leaving the modem.

I guess my point is overall, that if schools are really serious about taking attendance, maybe they should concentrate less on the technology and more about giving a shit "hands on". Teachers should have the phone numbers and email addresses of their students parents, and I don't know, use them. I would have never gotten away with what I did had their been even a small amount of caring amongst the staff. At this point in my life it disapoints and saddens me that a teacher would not directly call the parents once a student missed 3 classes in a week. Waiting for an automated system to send a letter out after 7 missed classes just allows a problem to fester for around a month before anybody starts to address it.

Of course I can't blame a lot of the teachers. When you are chronically underpaid and have to do ridiculous shameful shit like purchasing resources out of your own pockets for your students, I can understand how some become burned out and disillusioned.

Kids pick up on that too. If they feel they are in a situation where people don't care and it's a mechanical mind numbing system they are forced to deal with, they will react, and most often negatively.

I guess what pisses me off more about this story is they could have used the money in that budget to raise the teachers salary and just had the teachers write down attendance in a book and have the empowerment to directly call the fucking parents.

Re:Next up...

[chrb]

There really aren't.

Human beings manage to identify each other pretty well based on previous knowledge, often only visual information. As technology advances the technology to uniquely identify people will become more accurate. And more importantly - and a fact that a lot of people miss - the system doesn't need to be perfect, it only needs to be more accurate than the system that it replaces. For example passports - a unique chip ID+personal knowledge+biometric is a more accurate form of authentication than a photograph and some minimum wage guy comparing it to the holder's face several thousand times a day. I can see why people find biology based authentication intrusive, and celebrate when it fails in situations like this, but it's a small victory in a rather irrelevant environment. The technology to uniquely identify and authenticate an individual is going to get better, and it is going to become harder for the average person to forge and use an alternative identity.

Re:Next up...

[codegen]

We've had the technology for several decades to implement systems where mutual authentication can take place without exposing private keys or passwords.

Buy you need a key long enough to be secure, yet implementable in circuits lightweight enough that they can be powered passively by an RF field. Thats somewhat harder to accomplish, as was discovered by the Dutch with their prototype passport, and various other attempts at secure RFID