Slashdot Mirror


Aussie Kids Foil Finger Scanner With Gummi Bears

mask.of.sanity writes "An Australian high school has installed 'secure' fingerprint scanners for roll call for senior students, which savvy kids may be able to circumvent with sweets from their lunch box. The system replaces the school's traditional sign-in system with biometric readers that require senior students to have their fingerprints read to verify attendance. The school principal says the system is better than swipe cards because it stops truant kids getting their mates to sign in for them. But using the Gummi Bear attack, students can make replicas of their own fingerprints from gelatin, the ingredient in Gummi Bears, to forge a replica finger. The attack worked against a bunch of scanners that detect electrical charges within the human body, since gelatin has virtually the same capacitance as a finger's skin."

26 of 303 comments

  1. Next up... by Moryath · · Score: 5, Insightful

    I can just see it now. Next they come up with one to detect "body heat" in the finger.

    And the kids circumvent it by keeping the gummy bears in their pockets on the way to class.

    Once again, a "foolproof" system proves to be only as useful as the fool who invented it.

    1. Re:Next up... by Moryath · · Score: 5, Insightful

      There really aren't.

      As far as the human body goes, there are only a few things that are really "constant." Exposure to allergens or illness changes the voice enough that it will fail vocal characteristic matching. Taking biometric readouts of a facial structure fails the moment someone has a serious traffic accident, gets any sort of illness that causes facial swelling, or simply grows out their facial hair.

      Fingerprints? I think we've done that one pretty much to death.

      The best suited is probably retinal or iris scanning, but even those have issues. Retinal scanning fails on any number of degenerative disorders affecting the blood flow, like diabetes and glaucoma. It also fails to properly record and identify on people with moderate to severe cataracts and astigmatism. There are also some pretty hefty privacy issues with retinal scanning, since it can be used to diagnose a number of diseases and conditions - AIDS, syphilis, a number of other STDs, malaria, chicken pox, hereditary diseases like lymphoma and anemia, and even pregnancy.

      Iris scanning will fail to recognize due to tinted glasses or cosmetic contact lenses, and it'd be pretty easy to spoof them with a contact lens "printed" to someone else's pattern that is opaque around the ~750nm wave band that most NIR (Near Infrared) scanners use - and the reason they predominantly use NIR is that if you don't pick that specific band, light reflections from the cornea throw enough noise into your scan image to make it virtually unusable. For the really cheap-ass iris scanners, a suitable high-quality picture of someone's eye may even be sufficient to spoof.

      And of course, both retinal and iris scanners will fail out if they don't have an incredibly controlled environment - stick a retinal or iris scanner in an area with bright sunlight or inconsistent lighting, and you may as well just chuck the thing out the window, because iris contractions to open/close the pupil will make your scan worthless.

      Of course, you could put a hooded structure that people have to stick their eyeball on to look into in order to get scanned. That'll last all of about 2 days before some prankster gets the idea to smear some india ink or something else around the edge of the eyeball viewer...

    2. Re:Next up... by interkin3tic · · Score: 4, Insightful

      I can just see it now. Next they come up with one to detect "body heat" in the finger.

      Or they just try to ban gummi bears. If they're coming up with a stupid fingerprint scanner, these are obviously the typical school administrators, cut from the same cloth as those who gave their students laptops and didn't tell them they'd be watching them through the webcam at all times; adding to the contraband list is probably going to be their first reaction. Maybe if the ban fails miserably, they'll just tattoo barcodes onto their foreheads.

      I suspect the public would not be so willing to accept encroaching police states and governments slowly taking away our rights if schools had to actually justify shit like this to the students.

    3. Re:Next up... by choongiri · · Score: 5, Insightful

      Whether it's technically possible to defeat the system isn't the issue. If you're trying to force kids' presence with technological measures rather than encourage learning and enthusiasm socially, you're doing something wrong. Especially since this is talking about older kids. Try giving them something fun to do, instead of demanding they bio-retina-dna scan in after recess.

    4. Re:Next up... by Worthless_Comments · · Score: 5, Insightful

      The teacher could actually, you know, take roll. I guess that would be too much work for a government employee though?

    5. Re:Next up... by davester666 · · Score: 5, Funny

      You mean like getting them to figure out how to defeat a high-tech security system using gummi bears?

      It's fun and you can eat the evidence!

      --
      Sleep your way to a whiter smile...date a dentist!

    6. Re:Next up... by The Hatchet · · Score: 5, Insightful

      Easy, just scan people as they walk by, record their numbers and get yourself an adjustable implant. You could change identities whenever you please. That is probably the easiest to spoof of all.

      --
      Where is the mod rating for "scary"? Also, ...

    7. Re:Next up... by MichaelSmith · · Score: 5, Funny

      My son is an Aussie kid and there is no way he could not eat a gummi bear long enough to foil a finger scanner.

    8. Re:Next up... by SharpFang · · Score: 5, Insightful

      There's one, worse problem. Compromised credentials can't be changed. Only revoked. So someone somehow acquired your retina scan... sorry, your credentials, as compromised, have been revoked, you're fired, come back when you get new retinas.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2

    9. Re:Next up... by phillips321 · · Score: 5, Funny

      You could change identities whenever you please.

      Finally my dream of becoming a 10-year-old choir boy is getting ever closer :-)

    10. Re:Next up... by chrb · · Score: 4, Informative

      Easy, just scan people as they walk by, record their numbers and get yourself an adjustable implant. You could change identities whenever you please. That is probably the easiest to spoof of all.

      Zero-knowledge password proof. We've had the technology for several decades to implement systems where mutual authentication can take place without exposing private keys or passwords.
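
The replay problem raised in this sub-thread, and the kind of exchange the comment above points to, as an added example that is not part of the original thread. It uses Schnorr identification over secp256k1 (a proof of knowledge of a private key, not a password-based protocol such as SRP) as one concrete instance; `Token`, `run_session` and `replay_accepted` are hypothetical names, and the arithmetic is a readable demo, not constant-time.

```python
# Added example: Schnorr identification, and why a recorded session cannot be replayed.
import secrets

P = 2**256 - 2**32 - 977                      # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

class Token:
    """Prover (hypothetical badge or implant) holding private key x."""
    def __init__(self):
        self.x = secrets.randbelow(N - 1) + 1
        self.public = mul(self.x, G)           # enrolled with the reader once
    def commit(self):
        self.r = secrets.randbelow(N - 1) + 1  # fresh nonce; reusing r leaks x
        return mul(self.r, G)
    def respond(self, c):
        return (self.r + c * self.x) % N

def verify(public, R, c, s):
    """Reader check: s*G == R + c*Y, where Y is the enrolled public key."""
    return mul(s, G) == add(R, mul(c, public))

def run_session(token, eavesdrop=None):
    """One honest check-in; optionally record everything sent over the air."""
    R = token.commit()
    c = secrets.randbelow(N)                   # reader's fresh random challenge
    s = token.respond(c)
    if eavesdrop is not None:
        eavesdrop.append((R, c, s))
    return verify(token.public, R, c, s)

def replay_accepted(public, recorded):
    """Replay a recorded (R, s) to a reader that issues a new challenge."""
    R, _, s = recorded
    return verify(public, R, secrets.randbelow(N), s)
```

A static identifier is the same bytes every time, so whoever records it once holds the credential; here the recorded transcript only verifies against the challenge it was produced for.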

    11. Re:Next up... by delinear · · Score: 4, Insightful

      When I was at school there was no need to get on any network. In fact, only two rooms in the entire school had a connection to the network. The teachers had a printed sheet of what we used to call "paper", and they'd use an archaic device called a pen to tick off students in attendance. Of course, back then they also actually knew the students, which was a big help (after a couple of classes they could put names to faces and check off the register in silence while the students got on with some work). It seems schools are falling over themselves to find technical solutions to something that's been trivial to manage for years. I don't see the agenda: are schools subsidised by the companies who provide the technology and welcome real world trials, or is it something else?

    12. Re:Next up... by delinear · · Score: 4, Insightful

      You seriously do not want to eat a gummi bear that's touched the same scanner as a couple hundred teenagers - trust me, I used to be one, I know the kinds of things they touch. I wouldn't even want to touch that with my finger, let alone my food. On the plus side, at least when all the kids get sick because they're sharing around their diseases, at least they'll have a legitimate excuse to not be in class.

    13. Re:Next up... by strack · · Score: 4, Insightful

      Well, it's an effective way to get everyone's fingerprints on record, whether they've committed a crime or not. It's basically a way to squeeze a great big brick over everyone's privacy. And it also primes people to be more accepting of giving up biometric data for a government database.

    14. Re:Next up... by ciderbrew · · Score: 5, Insightful

      I don't worry about the average person. It's the above average and people with an imagination that really work the system.

  2. The Future is Secure by lorelorn · · Score: 4, Insightful

    Fuck, YES. I read the original story, about the school introducing this moronic system, and could only shake my head. Attempts at total control are generally the solution proffered by lazy bureaucrats as an alternative to them doing their jobs. Here’s an idea - instead of working out ways of forcing the kids into school and keeping them there - why not work to make it compelling for them to come to school in the first place. I know, hard, right? Idiots. However, the creative (dare I say scientific) solution employed, and so quickly, makes me remotely proud of our clever children. It’s nice to see the kids are far more intelligent and creative than their so-called teachers. I will have somewhat less pride when they remotely drain my bank account and I am forced to live on cast off gummi bears, but hey.

  3. Misleading Title by scdeimos · · Score: 4, Informative

    Nobody has actually foiled the high school fingerprint scanners yet, it's still only in the realm of (likely) possibility - especially after the kids see this story on /.

  4. Let's see... by kurokame · · Score: 4, Insightful

    * You have to buy a new system and probably sign a support contract for it
    * It ties up personnel with deployment
    * It doesn't work any better than the old system
    * It raises significant privacy issues not present in the old system
    * It raises huge data security and disposal issues not present in the old system
    * Adding a new student is more invasive and time consuming than in the old system
    * Fingerprint biometrics can track an arbitrarily large set of individuals...but they can only distinguish a few hundred

    Yep, that sounds like a textbook example of educational bureaucracy.

  5. How it's done (gelatin, not Gummi Bears) by PatPending · · Score: 4, Informative

    Quoting from the end of the fine article (emphasis added by me).

    Tsutomu Matsumoto, a Japanese cryptographer, uses gelatin, the stuff that Gummi Bears are made out of. First he takes a live finger and makes a plastic mold. (He uses a free-molding plastic used to make plastic molds, and is sold at hobby shops.) Then he pours liquid gelatin into the mold and lets it harden. (The gelatin comes in solid sheets, and is used to make jellied meats, soups, and candies, and is sold in grocery stores.) This gelatin fake finger fools fingerprint detectors about 80% of the time.

    His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional. (You can find photo-sensitive PCBs, along with instructions for use, in most electronics hobby shops.) Finally, he makes a gelatin finger using the print on the PCB. This also fools fingerprint detectors about 80% of the time.

    Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.

    --
    What one fool can do, another can. (Ancient Simian Proverb)

  6. Re:Removing the human ... that's where the issue i by EdIII · · Score: 4, Interesting

    Quite a long time ago the school district I was in kept attendance records on a computer. The password was kept on a piece of paper in the secretary's desk, but that didn't matter. They had a 2400 baud modem connected to a hard line that allowed access for all sorts of records to be shared. I guess they figured the security was knowing that magic 7 digit number written on the modem, and not believing for a second that any child could possibly get the idea to call it, let alone with their own modem, and never one that understood computers better than they did.

    One of my first entrepreneurial ventures was attendance management services to other kids. In this system once you hit a certain level of tardiness, or missed classes, it triggered a physical letter to be sent to the parents. I could make sure that didn't happen. Was fairly profitable and this was back when "computers never lied" and hacking was not well understood by anybody, least of all school administrators.

    I had to stop when it became obvious in some parent teacher conferences that some students had clearly been ditching a lot of classes according to the teachers, but the records on the computers no longer matched the written records of the teachers. Good thing I used the computer lab and my own modem otherwise the phone records would have busted me... if the investigation even got that far. Since the "corrupt" records matched the district offices, it was assumed the computer itself was faulty somehow. They just ended up replacing it... but leaving the modem.

    I guess my point is overall, that if schools are really serious about taking attendance, maybe they should concentrate less on the technology and more about giving a shit "hands on". Teachers should have the phone numbers and email addresses of their students' parents, and I don't know, use them. I would have never gotten away with what I did had there been even a small amount of caring amongst the staff. At this point in my life it disappoints and saddens me that a teacher would not directly call the parents once a student missed 3 classes in a week. Waiting for an automated system to send a letter out after 7 missed classes just allows a problem to fester for around a month before anybody starts to address it.

    Of course I can't blame a lot of the teachers. When you are chronically underpaid and have to do ridiculous shameful shit like purchasing resources out of your own pockets for your students, I can understand how some become burned out and disillusioned.

    Kids pick up on that too. If they feel they are in a situation where people don't care and it's a mechanical mind numbing system they are forced to deal with, they will react, and most often negatively.

    I guess what pisses me off more about this story is they could have used the money in that budget to raise the teachers' salary and just had the teachers write down attendance in a book and have the empowerment to directly call the fucking parents.

  7. Matt? "Present Miss" by thegarbz · · Score: 4, Insightful

    "Chris?"
    "Here Miss"
    "Peter?"
    "Present Miss"
    "Well it looks like everyone who's going to be here is here already, let's get started!" She thought, knowing full well that a few of the students skipping the class will be reported to the principal yet again.

    Fingerprints? Really? Whatever is wrong, it's not the fault of the system that has served us for hundreds of years, and doesn't need some stupid technology to fix it.

    1. Re:Matt? "Present Miss" by wrook · · Score: 5, Insightful

      Actually, it's even easier than this. At the school I work for the teachers know what the students look like and what their names are. If one of the seats in the classroom is empty, usually it means a student is missing. If another student tries to impersonate someone you can tell by looking at them. So far this system is working pretty well. I'm pretty sure it's cheaper than a fingerprint scanner too.

  8. Re:The Future is FAR from Secure by cappp · · Score: 4, Insightful

    What? Kids willingly walk miles to school every day because it's drilled into their heads that the only way off the farm, out of the slums, or whatever their particular disadvantage happens to be, is through education. There's no magical inspirational African/South American/Chinese teaching model that somehow drives these kids out of their beds before dawn and across miles with hungry bellies and an urge to learn. Hell, most of those kids are walking miles to school every day to learn arbitrary information, out of order, and by rote. Teaching kids to be critical learners, to engage with knowledge? That's a privilege that's only found in the rich western educational model, certainly not in the shanty towns.

    That being said, I understand your broader point and agree somewhat. Education has to be relevant, it should be interesting, and it shouldn't be one-size-fits-all. However, if we're honest we have to admit that that kind of system is expensive, demands teaching excellence, is hard to assess, and complicated to run. The US has over 60 million students in primary and secondary schools - that's an enormous population. There are a lot of problems with education in the west - most of them related to broader social issues like violence, poverty, ignorance et al - but it’s not nearly as bad as some of us seem to feel. There is a logic to a lot of the problems you’re complaining about and while matters could possibly be dealt with in better ways it’s going too far to claim the system itself is bullshit hell.

  9. How about "education"? by Joce640k · · Score: 4, Insightful

    If the problem with cards was that people were swiping their friend's cards, and the problem with fingerprints is that they're faking them, then the problem seems to be a social one.

    As noted, there's no technical solution that will keep motivated teenagers at bay.

    --
    No sig today...

    1. Re:How about "education"? by xaxa · · Score: 4, Insightful

      If the problem with cards was that people were swiping their friend's cards, and the problem with fingerprints is that they're faking them, then the problem seems to be a social one.

      As noted, there's no technical solution that will keep motivated teenagers at bay.

      Yes there is -- at least, if your goal is that they be in class: have the teacher check who's there in the first minute of the lesson. Loads of schools in Britain use some kind of electronic system to do this (there are various manufacturers). Of course, it takes some time at the start of the lesson, so why not combine the two systems? Have the swipe card system, and then a message to tell the teacher "22 students have registered for this class". She can then verify this.

      (I had a friend at a different school back in 2002 with the swipe card system. He made money by charging other students to swipe their cards before class. Many of these students could afford this since they were paid to go to school.)

    2. Re:How about "education"? by Lumpy · · Score: 4, Insightful

      Agreed.

      Honestly, what is it with all this concern about truancy?

      Just let the idiot kids skip a lot and fail. They can enjoy working as a lower class minimum wage bum. Stop making life a Pain in the Arse for the others that actually care about their education.

      My 18-year-old was floored when she said, "Dad will be upset with my grades this semester"... and I responded with, "You are in college on student loans. I'm not the one that needs to be upset. In fact I don't care if you blow off school. You will be the one that can't get a job and have a nice big debt over your head. I'll be disappointed, but you are an adult, if you want to screw up your own life... feel free to do so!"

      It changed her attitude overnight. Suddenly stopped partying with friends all the time and now is paying attention. Nothing like smacking your kid in the face with the carp of reality to wake them up.

      Honestly, let the loser kids that do not want to learn skip or drop out. The world needs septic tank cleaners.

      --
      Do not look at laser with remaining good eye.