
Aussie Kids Foil Finger Scanner With Gummi Bears

Posted by samzenpus
from the gummi-security dept.
mask.of.sanity writes "An Australian high school has installed 'secure' fingerprint scanners for roll call for senior students, which savvy kids may be able to circumvent with sweets from their lunch box. The system replaces the school's traditional sign-in system with biometric readers that require senior students to have their fingerprints read to verify attendance. The school principal says the system is better than swipe cards because it stops truant kids getting their mates to sign in for them. But using the Gummi Bear attack, students can make replicas of their own fingerprints from gelatin, the ingredient in Gummi Bears, to forge a replica finger. The attack worked against a bunch of scanners that detect electrical charges within the human body, since gelatin has virtually the same capacitance as a finger's skin."


  • Over-hyped as usual (Score:3, Interesting)

    by PerformanceDude (1798324) on Thursday October 28, 2010 @01:56AM (#34046678)
    So, the school introduces this and the headline is: Students may be able to circumvent it using gummy bears. Boo hoo!! As if any other measure may not be circumvented. A simple supervision or CCTV of the scanner would detect any circumvention attempt.

    I'll be more impressed when they have an article that says: Kids circumvented fingerprint scanners at school using gummy bears.

    Kids should be in school. Period. Our present breed are just as crafty as we used to be back in the day in trying to avoid the system. That is how you create innovative kids in the first place. Those kids who defeat this totalitarian system and get away with it - well - they deserve the day off :)

  • by EdIII (1114411) on Thursday October 28, 2010 @02:31AM (#34046804)

    Quite a long time ago the school district I was in kept attendance records on a computer. The password was kept on a piece of paper in the secretary's desk, but that didn't matter. They had a 2400 baud modem connected to a hard line that allowed access for all sorts of records to be shared. I guess they figured the security was knowing that magic 7 digit number written on the modem, and not believing for a second that any child could possibly get the idea to call it, let alone with their own modem, and never one that understood computers better than they did.

    One of my first entrepreneurial ventures was attendance management services to other kids. In this system once you hit a certain level of tardiness, or missed classes, it triggered a physical letter to be sent to the parents. I could make sure that didn't happen. Was fairly profitable and this was back when "computers never lied" and hacking was not well understood by anybody, least of all school administrators.

    I had to stop when it became obvious in some parent teacher conferences that some students had clearly been ditching a lot of classes according to the teachers, but the records on the computers no longer matched the written records of the teachers. Good thing I used the computer lab and my own modem otherwise the phone records would have busted me... if the investigation even got that far. Since the "corrupt" records matched the district offices, it was assumed the computer itself was faulty somehow. They just ended up replacing it... but leaving the modem.

    I guess my point is overall, that if schools are really serious about taking attendance, maybe they should concentrate less on the technology and more about giving a shit "hands on". Teachers should have the phone numbers and email addresses of their students' parents, and I don't know, use them. I would have never gotten away with what I did had there been even a small amount of caring amongst the staff. At this point in my life it disappoints and saddens me that a teacher would not directly call the parents once a student missed 3 classes in a week. Waiting for an automated system to send a letter out after 7 missed classes just allows a problem to fester for around a month before anybody starts to address it.

    Of course I can't blame a lot of the teachers. When you are chronically underpaid and have to do ridiculous shameful shit like purchasing resources out of your own pockets for your students, I can understand how some become burned out and disillusioned.

    Kids pick up on that too. If they feel they are in a situation where people don't care and it's a mechanical mind numbing system they are forced to deal with, they will react, and most often negatively.

    I guess what pisses me off more about this story is they could have used the money in that budget to raise the teachers' salary and just had the teachers write down attendance in a book and have the empowerment to directly call the fucking parents.

  • Re:Next up... (Score:4, Interesting)

    by chrb (1083577) on Thursday October 28, 2010 @03:26AM (#34046996)

    There really aren't.

    Human beings manage to identify each other pretty well based on previous knowledge, often only visual information. As technology advances the technology to uniquely identify people will become more accurate. And more importantly - and a fact that a lot of people miss - the system doesn't need to be perfect, it only needs to be more accurate than the system that it replaces. For example passports - a unique chip ID+personal knowledge+biometric is a more accurate form of authentication than a photograph and some minimum wage guy comparing it to the holder's face several thousand times a day. I can see why people find biology based authentication intrusive, and celebrate when it fails in situations like this, but it's a small victory in a rather irrelevant environment. The technology to uniquely identify and authenticate an individual is going to get better, and it is going to become harder for the average person to forge and use an alternative identity.

  • by AigariusDebian (721386) <aigarius AT debian DOT org> on Thursday October 28, 2010 @05:40AM (#34047454) Homepage

    From my Eastern EU perspective attendance (and performance) is easy to fix.

    Make schools free, but mandatory. Make it mandatory for the student to finish school. If a student does not pass the test for at least 50% level in ALL classes, then he automatically stays in that class for the second year. Key tests are centralized and secret - every pupil of every school takes the same test at the same time and all results are graded by teachers in other randomly chosen schools (to prevent cheating and grade boosting). The content of the tests is top secret so that no teacher can prepare their students specifically for that test. That is step one - establish a fair, but strict testing system that ensures that if a child is in a grade, he deserves to be there.

    Every teacher must know all their students and take attendance every time. If a student is not in class, he must bring a doctor's note or a parent's note (if he is away less than 4 days in a row). If there is no excuse for being late, the parents are summoned to school so that they can excuse him or punish him at their choice. However if parents do not show up, then child protective services are engaged and child is removed from their parents for neglect and is forced to live at the school.

    In any case everyone must be forced to go to school until they graduate for merit (or at least until they are 21 and declared mentally challenged). If you are too stupid to graduate from school, you are too stupid to drive, vote or take government office. One can regain those privileges by continuing his education (for free) until he graduates.

    No home schooling, private schools must obey the same testing and attendance laws.

  • Re:Next up... (Score:2, Interesting)

    by Kineticabstract (814395) on Thursday October 28, 2010 @07:32AM (#34048012)
    1) That's the least-useful Wikipedia page I've ever seen. It doesn't even discuss proposed methodologies for implementing its subject - it just has an extremely short definition.

    2) This is a scenario in which the users (the students) have no issue with giving their private keys away to their mates. That's actually the point, in this case. ZKPP is of little value here.

    3) Yeah, I know that you brought up ZKPP to respond to the issue with RFID scanning. I'm curious to see how you're going to get the RFID chip to cough up enough information to verify that it knows the private key, without giving away enough information to allow key determination through heuristic analysis anyway. In order for the knowledge exchange to work, the information has to be deterministic - yet, it has to change from query to query, or else I can simply re-transmit whatever the RFID chip last transmitted, and I'm in.

  • Re:Next up... (Score:2, Interesting)

    by natehoy (1608657) on Thursday October 28, 2010 @07:57AM (#34048310) Journal

    That worked for me at the lower schools I attended, too. The ones where teachers had 20-30 kids that they had all day. After the first couple of weeks, the teacher knew their students on sight, and an empty desk meant a student was not in attendance.

    Then I went to a large high school, and we had subject teachers who had classrooms of 50-75 students each, and only 45 minutes a day with them. Class sizes varied, so you couldn't tell by the number of empty desks. Even at a few seconds per student to do roll call, it ate up almost 10% of our class time, and it was completely impractical for a teacher who was teaching 5-6 classes of 50-75 students a day to know all of their students on sight. The average person could probably memorize about 100 of them, maybe.

    My daughter is going to a school where they have one teacher who will follow them through their academic career at the school (first grade to 12th grade). There are "subject teachers", but the teachers travel from classroom to classroom rather than the students traveling around to different rooms.

    So attendance is easy - the teacher knew the kids from the second week of school (class size is about 18 for our school), and greets them at the door. There's no opportunity for a student to cut a specific class, since the students are in the same classroom all day. They also don't need to carry their materials from classroom to classroom, since only one person (the teacher) has to move around. No need for lockers, or heavy backpacks that need to be worn all day, or fancy storage for their pens and pencils and notebooks. They have one desk, and they keep all of their stuff there.

    It astonishes me that more schools don't use that model. One teacher walks in carrying a folding flipchart and a briefcase with their notes for the class, teaches the class, then heads off to the next classroom. Instead of moving 20 kids, they move one teacher.

  • Re:Next up... (Score:4, Interesting)

    by codegen (103601) on Thursday October 28, 2010 @07:59AM (#34048330) Journal

    We've had the technology for several decades to implement systems where mutual authentication can take place without exposing private keys or passwords.

    But you need a key long enough to be secure, yet implementable in circuits lightweight enough that they can be powered passively by an RF field. That's somewhat harder to accomplish, as was discovered by the Dutch with their prototype passport, and various other attempts at secure RFID.
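
The property debated in the two comments above (a response that changes from query to query yet proves knowledge of a fixed private key without sending it) is what a challenge-response identification scheme provides. The sketch below is an added example, not part of the thread: Schnorr identification in Python, showing a recorded transcript being rejected under a fresh challenge. The group is a constructed toy, far too small for real use, and the names `Tag`, `run_session` and `replay_accepted` are hypothetical.

```python
import secrets

# Toy Schnorr group, constructed for illustration only:
# P prime, Q prime dividing P-1, G an element of order Q.
P, Q = 2267, 103
G = pow(2, (P - 1) // Q, P)

class Tag:
    """Prover: holds private key x and publishes y = G^x mod P."""
    def __init__(self, x=None):
        self._x = x if x is not None else secrets.randbelow(Q - 1) + 1
        self.public = pow(G, self._x, P)
        self._k = None

    def commit(self):
        # Fresh random nonce per run; reusing k in two runs would leak x.
        self._k = secrets.randbelow(Q - 1) + 1
        return pow(G, self._k, P)

    def respond(self, challenge):
        if self._k is None:
            raise RuntimeError("commit() must precede respond()")
        k, self._k = self._k, None          # nonce is single-use
        return (k + challenge * self._x) % Q

def verify(public, commitment, challenge, response):
    # Accept iff G^s == t * y^c (mod P).
    return pow(G, response, P) == (commitment * pow(public, challenge, P)) % P

def run_session(tag, challenge=None):
    """Reader side of one run: returns (accepted, transcript)."""
    t = tag.commit()
    c = secrets.randbelow(Q) if challenge is None else challenge
    s = tag.respond(c)
    return verify(tag.public, t, c, s), (t, c, s)

def replay_accepted(public, transcript, new_challenge):
    """A recorded (t, s) pair resent while the reader issues new_challenge."""
    t, _old_c, s = transcript
    return verify(public, t, new_challenge, s)

if __name__ == "__main__":
    tag = Tag()
    ok, transcript = run_session(tag, challenge=17)
    print("live run accepted:", ok)
    print("replay under new challenge accepted:",
          replay_accepted(tag.public, transcript, 18))
```

A replay is accepted only when the reader happens to repeat the recorded challenge, so the challenge space (103 values in this toy group) has to be large enough that this never occurs in practice.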

  • Alexander's solution (Score:3, Interesting)

    by rlseaman (1420667) on Thursday October 28, 2010 @12:18PM (#34052528)
    Alexander the Great solved the same problem with the Gordian Knot in the 4th century BCE. Smash the scanner. The modern improvement would be to disable it less flamboyantly and enjoy the theatrical performances of the assistant principal and custodial supervisor standing around scratching their heads.
