Fingerprint Scanners Fooled By Play-Doh

* * Beatles-Beatles writes to tell us YubaNet is reporting that in recent tests by Stephanie C Schuckers, an associate professor of electrical and computer engineering at Clarkston University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds. From the article: "Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense. She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF."

Is i just me

[plaxion (98397)]

Or is it starting to look like ScuttleMonkey is getting kickbacks from **Beatles-Beatles?

Re:Is i just me

[mattwarden (699984)]

You smell that? Do you smell that? **Beatles-Beatles bullshit, son. Nothing else in the world smells like that. I love the smell of **Beatles-Beatles bullshit in the morning.

Conspiracy.

[Jaruzel (804522)]

ScuttleMonkey IS ... * * Beatles-Beatles ?

-Jar.
(Who is so happy now he can join in with the Beatles-Beatles thing)

Re:Is i just me

[Tim C (15259)]

Something funny is going on - two stories in a row? That's not chance, that's not coincidence, that's paid for. The only question is whether slashdot is paying **Beatles-Beatles, or **Beatles-Beatles is paying slashdot.

Either way guys (and I'm talking to you, editors) it would be nice to be told. Just so we know, y'know? We're mostly intelligent, curious people here, and that sort hates being kept in the dark when there's so obviously something going on.

Re:Is i just me

[ndansmith (582590)]

What's more odd is that if there is something going on, they seem perfectly intent to be out in the open and obvious about it. Three stories in a row now (two on the front page) all with the same user (* * Beatles-Beatles) and the same link (http://george-harrison.info./ [george-harrison.info.] Why is ScuttleMonkey being so blatant about what he is doing? Does he not read anything on the submission at all? Or is he really in cahoots with this Beatles-Beatles fellow? Either way, doesn't he know that he is making an ass of himself and Slashdot by doing what he is doing?

Here come the -1, Offtopic mods, which I have a feeling will not be meta-moderated.

Re:Is i just me

[Tim C (15259)]

Out in the open and blatant only in that they're not trying to hide it. On the other hand, they're certainly not telling us, despite numerous comments asking what's going on attached to every **BB story.

Mind you, it's not like we should be surprised - they acted in exactly the same way about the Roland Piquepaille(sp?) stories, and have acted the same in the past too (anyone else remember the troll report thread and related mod bombing and moderation blacklisting? I *still* can't moderate). The bottom line is that for all slashdot seems to rail against poor customer service, they're quick to ignore their own customers.

Re:Is i just me

[ObsessiveMathsFreak (773371)]

On the other hand, they're certainly not telling us, despite numerous comments asking what's going on attached to every **BB story.

What? When have the Slashdot eds ever told us ANYTHING?!

Re:Is i just me

[Seumas (6865)]

I didn't even realize it until you mentioned it, but what's up with the modding? I used to get mod points on a weekly basis, but I think it's been over a year since I've had any mod points. I sure don't remember participating in any sort of great uncovering of Slashdot secrets that would deserve such a response...?

Re:Is i just me

[brunes69 (86786)]

Mind you, it's not like we should be surprised - they acted in exactly the same way about the Roland Piquepaille(sp?) stories, and have acted the same in the past too (anyone else remember the troll report thread and related mod bombing and moderation blacklisting? I *still* can't moderate). The bottom line is that for all slashdot seems to rail against poor customer service, they're quick to ignore their own customers.

Actually, far more likely is that they don't have time to read /. comments all day since they are busy doing other stuff and managing the sbumission queue.

I toally agree this whole ScuttleMonkey thing is BS and the guy should be fired, but if you want to make your point known, you should be emailing OSTG [ostg.com] about it, not ranting on here where no one sees you.

Re:Is i just me

[dorkygeek (898295)]

Because * *Beatles-Beatles is a link-farmer and uses the high page rank of slashdot to increase the page rank of the links he's farming on his website.

Re:Is i just me

[jamie (78724)]

Of course nobody's paying anybody. Seriously, what would make you think that? If there were paid stories, don't you think we would make that blatantly obvious? Since it was created, Slashdot has been one of the best sites on the internet as far as keeping up the wall between advertising and content.

Apparently this person submits a lot of stories that our editors think our readers want to read. That's all there is to it. Our editors review Beatles-Beatles submissions with the same skepticism (probably more) as any other.

I normally don't bother responding to paranoid threads like this because there is so much paranoia and no way for us to respond to it all. But lately the comment volume devoted to silly speculation is just out of control. I kind of doubt this response will help stem the tide but it's worth a shot...

The truth about * *Beatles-Beatles

[dorkygeek (898295)]

Looks like ScuttleMoney^H^Hkey still doesn't get. Interesting thing is, ScittleMonkey seems to use some standard template for * *Beatles-Beatles submissions, since ALL of them start by: "* * Beatles-Beatles writes to tell us ...".

So, let me repost some earlier post of mine:

Ok, let's have a look at his george-harrison.info website. Aha, maybe the links at the bottom of the page? Yes, I see: http://george-harrison.info/reciprocal-links.html [george-harrison.info].

Sooo, what may be on that page? Quoting:

Our reciprocal links page. These links are useful for website promotion, link trades, and generating traffic to your site. There are many sites with useful products, services, programs, business opportunities, information, and free stuff.

All reciprocal links have been manually screened before getting on this page. Webmasters that post links on this page, also promote this Links Page on their site too. If you want to add your link and become a member of this reciprocal links page, just click on the top link for details. It's free to join.

Looking at the link list (just a small excerpt):

Guaranteed Dropship Wholesalers business directory source

Good Vibrations for Singles - Free Dating, Love, Romance, and Friendship

Collection Agency - Williams, Cohen & Gray

Trade Links - Link Swap Page

Personals Dating Affiliate Program - Instant Sign-Up

ProfitsRup2U For Successful Internet Marketing

Trade links page - reciprocal links page

HTH!

Re:Fight back against this Beatles Beatles spammer

[dorkygeek (898295)]

Or simply report abuse to CmdrTaco (malda@slashdot.org [mailto]) every time a story by * *Beatles-Beatles gets posted!

LOL

[Red Samurai (893134)]

Better not install it in a kindergarten then.

Wow

[antikarma (804155)]

Wow, two in a row for Beatles. This is getting ridiculous...

Re:Wow

[sam_paris (919837)]

Its actually three in a row. IT: Fingerprint Scanners Fooled By Play-Doh

Science: Nano Tech. Spurs Continued Health Concerns

NewsWeek Looks at Search Engine Optimization

Boycott

[arthur5005 (608816)]

Wow, two in a row for Beatles. This is getting ridiculous...

I think as a collective we've got to get around to doing something about this. Criticisms that Slashdot content, and the overall quality of the website are merrited. I think a boycott is in order here.

Lets make it clear to the editors that these kind of submissions shouldn't be tolerated, and will recieve no attention. These kind of posts should recieve no replies regardless of importance. After which we should all carry out the task of resub

Re:Wow

[shri (17709)]

Today's submissions that were rejected include a new digital imaging chip [rochester.edu] from the folks at Univ of Rochester and the Gnope.Org [gnope.org] release (PHP GTK Toolkit).

Re:Wow

[ObsessiveMathsFreak (773371)]

Today's submissions that were rejected include a new digital imaging chip from the folks at Univ of Rochester and the Gnope.Org release (PHP GTK Toolkit).

Are the editors, trying to bury the site?! I'm a geek. I want to read about stuff like this? Those writeups have better have been awful.

Redundancy...

[Cherita Chen (936355)]

Which is exactly why Biometrics, i.e, "Fingerprint readers", should only be one small part of a much more robust security infrustructure. Redundancy is key...

Re:Redundancy...

[this great guy (922511)]

Redundancy is key...

That's why we all have 10 fingers.

Keep The Robust Stuff, Then

[Lagged2Death (31596)]

Supposing there exists a "much more robust security infrastructure" - how is it going to be improved by the addition of a Play-Doh, uh, I mean a fingerprint scanner? Why not just stick with the robust stuff, and forget the shiny newfangled contraptions?

This isn't the first demonstration that fingerprint scanners are useless. A few years ago, a Japanese university professor showed that it was possible to make a gelatin mold from a latent print [schneier.com] (i.e., without direct access to the authorized finger in question) that would fool the readers most of the time! What is a fingerprint scanner adding but a false sense of security?

Good security

[ReformedExCon (897248)]

It's one thing to fool fingerprint scanners. The ones described in the article use a photo system that takes a picture of the full print and detects similarities with prints on file. It does sound pretty easy to fool. However, what about swipe-based scanners? Or retinal scanners? Surely Play-Doh isn't durable enough to drag over a fingerprint swipe-scanner and it's probably difficult to make a good replica of an eye with the stuff.

But the real security comes with a Marine standing guard. If you can get passed that guy, the biggest problem is already solved.

Re:Good security

[mwvdlee (775178)]

And now you have to trust the Marine guard.

Re:Good security

[lars_stefan_axelsson (236283)]

But the real security comes with a Marine standing guard. If you can get passed that guy, the biggest problem is already solved.

Then you're in trouble [specialoperations.com] (scroll to near the bottom where they just drive through the main gate). The red team Red Cell were notorious in the eighties for getting into any base they set their sights on, in fact they were so successful that it played no small part in being shut down, they were just too much of an embarassement.

In fact, human security guards are notoriously unreliable, they'll get a few, but also let quite a few through. So I'm not sure that's necessarily the "biggest problem." It's a problem, but a combination of guard relying on technology that he's been assured is "foolproof" when in fact it is not, doesn't make for much in the way of security.

Re:Good security

[lars_stefan_axelsson (236283)]

While you are correct, the main purpose of guards next to biometrics devices is to ensure that users can not tamper with the devices.

Yes, that's what I was trying to get to in my last sentence, i.e. that that won't work either. As the guard will have a tendency to become complacent given that the e.g. fingerprint scanner is "foolproof" and not even bother to look at it as the person scans his finger. Compare if you will the absymal successrates of photo id:s when put to the test. The guard there is actually required to look at it as a part of the procedure (i.e. it's not incidental to the procedure as it is here), but anything usually goes. Even cartoon pictures (I know of one instance of Donald Duck) have gotten people into military bases. If I was a betting man, I'd bet that just holding the severed finger between the thumb and forefinger on the hand (in effect presenting a six fingered hand) would let you in more often than not, even with a fairly "vigilant" guard.

A guard beside a finger print scanner will probably prevent someone walking up carrying a dead body, or taking a crowbar to the gate, but beyond that I wouldn't bet my life on it. People without technological support just aren't that good at routine surveillance (at a reasonable cost that is).

Re:Good security

[ArsenneLupin (766289)]

What is he supposed to do, remember all two hundred peoples faces that pass him in a day?

He stands near the scanner. And if he sees that anybody puts something else than his finger on the scanner, he shoots ;-)

Welcome to Slashdot

[Motherfucking Shit (636021)]

"News for financial partners of the editors, bank balances that matter."

Gummy bears

[MillionthMonkey (240664)]

A guy at work was always talking about using gummy bears to commit the perfect crime. You somehow make a mold of someone's fingerprint using that gummy bear material. Then you use it on a fingerprint scanner, which gets fooled by it, and it lets you in. Then, get this- you eat the gummy bear fingerprint mold, and permanently destroy the evidence of your intrusion.

I always thought that was a little disgusting. You mean you're just going to eat that thing right after you pressed it against a disgusting fingerprint scanner?

Re:Gummy bears

[frankmu (68782)]

i think the 5 second rule would apply, so it would be safe to eat.

Old Hat

[TheAcousticMotrbiker (313701)]

This is old hat, sortof.
German computer magazine C'T defeated fingerprint scanners a few years ago using gummibears. Im sure www.heise.de should ahve a (german) copy of that still online somewhere

And?

[Bacon Bits (926911)]

There are three flavors of a security pass:
1. Something you have, like badge or actual key.
2. Something you know, like a password or pass phrase.
3. Something you are, like a General, Doctor, or American citizen.

Two-form authentication (where you use two of the three above forms) is quickly becoming regconized as being much more secure. Numerous security professionals were hoping biometrics would fit into the "something you are" category, but increasingly that category is being replaced by "something you have". You can have a General's uniform or forged passport... or a playdough impression from an authenticated finger. All this study does is confirm that migration.

Re:And?

[by Anonymous Coward]

1. Something you have, like badge or actual key.
2. Something you know, like a password or pass phrase.
3. Something you are, like a General, Doctor, or American citizen.

This gets interesting in the overlaps that refute the categoricals. What you know and what you have both define what you are. For example what makes you a General or a Doctor other than the correct uniform? A detailed knowledge of military or medical matters. So let's take two twins, one a doctor and one a general and get them to spend a month teaching each other everything they know about each others subject. The doctor twin puts on his brothers uniform and walks right into the base. Now, can he spend an entire day bluffing his way through a tactical conference, while his brother does a bit of impromptu brain surgery? Unlikely but not impossible. So is it what we know that defines us as who we are? Not with 100% certainty. Is it what we have that defines what we are? No, not definitely. Keys, passwords, biometric features, money, any facet of physical acuality can be forged, stolen or substituted. So where does that leave us? It leaves us with the uncomfortable philosophical annoyance that identity does not exist. We have to step back and look at the question again. What are we trying to achieve through assigning identity? We are trying to map INTENTION. The guy getting on the plane may look like, smell like, sound like, walk like... the person the computer says is good ole regular Joe Citizen 101, but what if his _intention_ is to blow up the plane and not ride peacefully? Joe could have been brainwashed/blackmailed/replaced by an android. Identity isn't the thing that governments and identity researchers _want_ it to be and so we have to start tackling the more difficult issue of stopping people needing or wanting to steal money or blow up planes.

Play-Doh is...

[TorKlingberg (599697)]

For all us not not from the same cultural sphere as the submitter, Play-Doh is a clay-like compound used by children to form various things. http://en.wikipedia.org/wiki/Play-Doh [wikipedia.org]

Re:Play-Doh is...

[meringuoid (568297)]

Play-Doh is a clay-like compound used by children to form various things.

'When I was a little man
Playdoh came in a little can
I was Star Wars' biggest fan
Now I'm stuck without a plan
G. I. Joe was an action man
Shaggy drove the mystery van
Devo was my favourite band
Take me back to my happy land!'

-- The Aquabats, Playdoh. A wonderful song of geek nostalgia...

Re:Play-Doh is...

[Gadzinka (256729)]

There's something I don't understand. From the article on Wikipedia:

Its exact makeup is a secret [...] Play-Doh was invented by Noah McVicker and Joseph McVicker in 1956 and awarded U.S. Patent 3,167,440 in 1965.

So, is its formula secret, or was it patented? If the patent was granted in 1965, shouldn't it expire already?

Robert

Next: man on terrorist watch list after buying Doh

[by Anonymous Coward]

If you have no children and buy PLay-doh you might be added to the terrorist watching list as a security risk.

Capacitance?

[Omicron32 (646469)]

I may be using the wrong term here, but why not have some sort of capicitance measuring device on the fingerprint scanner? Something a bit less sensitive than your iPod wheel or a normal laptop touchpad so it has to detect a current on the persons finger before it will even begin to scan?

Not that I've tried it, but I'm pretty sure you can use Playdoh to navigate around your iPod.

This is unacceptable.

[c0dedude (587568)]

Fingerprints are now part of our total security strategy and a first-line screening technique for inprocessing of mass police events. When groups are processed after WTO rallies and other such large police events, processing uses fingerprint ID. Imagine a case in which 500 were arrested and all could be terror suspects, and the terrorist, who would have been ID'd, got away because of a fingerprint error. Fingerprints are used by banks to cash out-of-state checks. It's time to verify fingerprints and begin associating them with a biometric less modifiable, such as retinal ID. Of course, concerns about the coercivity of this approach are justified, but the security benefit outweighs. If we're going to use biometrics, let's use effective ones. Of course, the merits of mass arrest are questionable, but if we are going to do it, let's do it right.

They are also annoying in other ways

[siddesu (698447)]

I for one have a problem logging on via the scanner after a longer bath. The damned thing won't recongize the fingerprint and won't let me logon until the skin dries and the wrinkles on the fingers go away.

It is not bad, as I give up on the computer in the evening, just don't wash your hands before a presentation :-)

Re:They are also annoying in other ways

[by Anonymous Coward]

I for one have a problem logging on via the scanner after a longer bath

I don't think that is a concern for most of the people who read this site.

I Don't Know About You Guys But...

[Niraj59 (935921)]

... I, for one, enjoy * * Beatles-Beatles's articles. Everything he posts is news to me and the content is stuff that matters to me. I especially love his well-designed, non-sketchy website. If Slashdot would implement his wonderful CSS styles (when you hover over text, it all becomes italicized and underlined with a box drawn around it) my experience here would be great. Is there any way we can make * * Beatles-Beatles a moderator, or better yet, an administrator on Slashdot? That would be excellent. Keep up the great work ScuttleMonkey and * * Beatles-Beatles!

Pulse Oximetry

[Detritus (11846)]

Why not add a little hardware and check for a living finger? When I was in the hospital, they put a noninvasive sensor on my finger that measured my pulse and blood oxygen level. It uses two frequencies of light to measure oxygenated haemoglobin.

Re:Pulse Oximetry

[Fred_A (10934)]

Or simply needles that shoot out and a microphone listening for screams.
It would be cheaper to implement.

I got one here, and they may not be practical

[EMIce (30092)]

I have a portable pulse oximeter sitting right next to me. It is pricey and is about 2.5" x 1.5" x 1.5". It clamps lightly around one's finger and has a numerical LED display for oxygen level and beats per minute. It's as accurate as a bedside hospital unit from what I have read. Adding one of these though would really drive up costs. Here [allegromedical.com] is a pic of the unit I am talking about. $675, ouch.

Incorporating them would also require a major redesign. They clamp around an inserted finger, and this would make them harder to clean and maintain, and also make them more prone to breakage.

The non-invasive principle of operation of these is pretty neat, and might interest slashdoters. They work by shooting dual wavelengths of light through the finger, namely infra-red and a visible red color. On the other side of the finger, a sensor relays readings to a signal processor, which distinguishes between flesh, bone, and what-not based on the absorption differential between the two wavelengths, so it can isolate out variables between different kinds of fingers. The result is incredibly precise, and the LED on the front flashes in precise sync with one's pulse. I'm guessing the signal processor is a major cost, so maybe in time these will come down in price.

You would think Beatles-Beatles could at least

[antifoidulus (807088)]

spell the name of the University correctly if he is going to spam slashdot. It's CLARKSON, there is no T in there!

More fingerprint spoofing techniques

[BeermanAtCampus (658994)]

Last summer on WTH: Spoofing fingerprints in 10 minutes [waag.org] shown at WTH last summer. The guy on the video also says that he never encountered a fingerprint reader which couldn't be fooled. Interesting is also to see is that he does not make a fake finger, but only a thin acryl layer placed over ones real finger. And also on the CCC website: A image gallery with text (EN) how to copy a finger print. [www.ccc.de] So it's not all about the Play-Doh

Omission in the FP

[StateOfTheUnion (762194)]

As is typical, the editors leave out crucial information in their first post so as to make the article more interesting and attempt to gain more posts (Which I assume is used as a metric for advertisement pricing).

Quoted from FP:

University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds.

Quoted from TFA:

Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They also assembled a collection of cadaver fingers. In the laboratory, the researchers then systematically tested more than 60 of the faked samples. The results were a 90 percent false verification rate.

The crucial piece of missing information: The need for dental materials; the same stuff used to make casting for denture, false teeth, etc. To do what the researchers did, one needs more than play-doh. But of course ignoring this makes the FP much more dramatic becuase it implies that a preschool toy is sufficent for fooling biometric scanners.

For the record the quote from the FP is the part written by the editors, not by the submitter (unitalicized portion of FP), so the error (or omission) was made by a /. editor, not by the submitter.

I find it frustrating that what I once thought was a useful and interesting source of infomation and lively discussion seems to have become what it once seemed to differentiate itself from. Slashdot editors seems to be adopting the playbook of big media and skewed news to drive up user posts.

I find this sad because I thought that Slashdot was a site with an alternative playbook, that treated its readers as more saavy. Now it seems to be on the slippery slope to USA Today style reporting. I can only assume that this change is an attempt to drive up ad revenue. But I am afraid it will alienate many of the readers.

It's way worse than they think!!

[Jeff_at_RAD (121656)]

I got a laptop with fingerprint identification and thought it was ultra-cool to just stick my index finger on there to log in (this was to XP tablet edition).

Then I wondered if you could trick it, so I looked at my index finger, and saw that it was a loop, and then had someone else in the office try with one of their fingers that also was a loop. Nothing just by pressing down.

But, because the login software takes continuous readings (which they display!), my buddy was able to keep sliding and mashing and rotating his finger around until after 4 or 5 seconds, Bong, logged in!! We were laughing, so we tried with with three other guys here, and they all logged on. Some of them had to rotate their hand all the way around, but *everyone* got on. THIS SOFTWARE DOES NOT WORK! DO NOT TRUST IT!

I reported this to the fingerprint software people (sorry, don't remember their name), but they never responded. I just turned it off completely - it's a joke.

Understandable Frustration

[ObsessiveMathsFreak (773371)]

Now ordinarily the parent would simply be regarded as a troll, but all you have to do is look through a few Slashdot journals to see examples of quality submissions that have been rejected. The fact that a search engine spammer's articles get preference really explains this kind of frustration.

I'd like to hear some kind of explanation from the editor(s). I'd like to think that this is simply some kind of failure of process rather than something fundamentally wrong with Slashdot itself. It would be nice if the next Slashback dealt with these issues in some way.