Chaos Computer Club Claims It Can Reproduce Fingerprints From People's Photos
An anonymous reader writes: Chaos Computer Club, Europe's largest association of hackers, claims it can reproduce your fingerprints from a couple of photos that show your fingers. At the 31st annual Chaos Computer Club convention in Hamburg, Germany, Jan Krissler, also known by his alias "Starbug," explained how he copied the thumbprint of German Defense Minister Ursula von der Leyen. Because these fingerprints can be used for biometric authentication, Starbug believes that after his talk, "politicians will presumably wear gloves when talking in public."
Even better than gummi bears.
It's trivial to get fingerprints of a politician. If, say, China doesn't lift the fingerprints off of every presidential candidate's glass at a fundraiser I'll eat my shoe. This really is nothing special.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
Despite some of the biggest names in security lauding the advantages of biometric authentication, it's pretty flawed by design. If your fingerprints, facial structure, etc. are ever compromised, they become useless. Unlike a password or a cert, you cannot simply revoke who you are. So once the cat is out of the bag, you simply cannot use it again. Not to mention the fact that it could be fairly trivial to obtain fingerprints or other biometric data of a target.
TFA has no details, so there is no way to evaluate the credibility of the claim.
The problem isn't how to identify people. The problem is that we think that we need to identify people all the time. Tracking and identification is an obsession that's obviously rooted in paranoia. When was the last time you actually needed to prove to a stranger who you are and it wasn't just to satisfy an arbitrary requirement? When did you last perform full identification when a proof of ownership or proof of age had sufficed? Posting as AC because that's what I do, but also to make a point.
Fingerprints aren't even good for ID. They shouldn't be used at all.
Biometrics should be limited to deep vein scans which are fast, accurate, very hard to "steal", very difficult to obtain without the user's consent, and aren't being left all over the place all the time.
It all boils down to the triad of security: Something you know, something you have, something you are. It's GOOD practice to pick one from each group in your authentication process (or at least, as it's common, one of two groups, usually a token and a PIN). It's useless to pick more than one from each group.
All three would e.g. mean that you have a guard sitting there who compares your face to a book of "accepted" faces (something you are) while you hold your RFID card (something you have) against a scanner after punching in your PIN (something you know). That's about as good as it gets. Nothing you could do that ADDS to this could improve this part of your security. Using two of one group is useless. It's useless to require two different PINs. For the obvious reason, someone who can force you to hand over your first PIN will also force the second one out of you. Equally it's useless to require two tokens. Where you can steal one, you can steal two.
You can of course improve by using better means to do either of the three groups. You could give the guard additional tools, use better encoding for the cards, use longer PINs. But you cannot improve by using two features from the same group.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The biggest problem with fingerprints is very simply that, if compromised, it's damn hard to change them, unlike passwords.
Second problem, unlike your password, you can't really help but compromise them. You leave them littered about everywhere. Every waiter can have your prints if he so chooses.
I always think of security like the Miller-Rabin test for primality (which is really a test for a number being composite): it does not give an absolute assurance, but each time you test a given candidate again with a new challenge, you reduce the probability that the candidate is composite, and each test is orthogonal to the previous ones. You, the designer of the system requiring confidence that a big number is prime, get to select your confidence level by adjusting the number of tests applied.
So too, then, you, the designer of a security system requiring confidence that a given person is who they claim to be, get to select your confidence level by adjusting the number of factors required. A brass key gives a certain level of confidence. An iris/thumbprint/palmprint/voiceprint scan another. An RFID card another. A PIN/password another. Being recognized by a guard another. Each is orthogonal to the rest.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
Minor quibble: using two of one group is not useless either, it is only less useful.
B) Eliminate all the stupid users. This is frowned upon by society.