Fingerprint Scanners Fooled By Play-Doh
* * Beatles-Beatles writes to tell us YubaNet is reporting that in recent tests by Stephanie C Schuckers, an associate professor of electrical and computer engineering at Clarkson University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds. From the article: "Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense. She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF."
Is it just me (Score:5, Funny)
Re:Is it just me (Score:3, Funny)
Conspiracy. (Score:5, Funny)
-Jar.
(Who is so happy now he can join in with the Beatles-Beatles thing)
Re:Is it just me (Score:5, Insightful)
Either way guys (and I'm talking to you, editors) it would be nice to be told. Just so we know, y'know? We're mostly intelligent, curious people here, and that sort hates being kept in the dark when there's so obviously something going on.
Re:Is it just me (Score:4, Interesting)
Here come the -1, Offtopic mods, which I have a feeling will not be meta-moderated.
Re:Is it just me (Score:5, Interesting)
Mind you, it's not like we should be surprised - they acted in exactly the same way about the Roland Piquepaille(sp?) stories, and have acted the same in the past too (anyone else remember the troll report thread and related mod bombing and moderation blacklisting? I *still* can't moderate). The bottom line is that for all slashdot seems to rail against poor customer service, they're quick to ignore their own customers.
Re:Is it just me (Score:4, Insightful)
What? When have the Slashdot eds ever told us ANYTHING?!
Re:Is it just me (Score:4, Interesting)
Re:Is it just me (Score:2, Interesting)
I suddenly stopped getting mod points too, and I can't figure out why.
Re:Is it just me (Score:3, Insightful)
Still, I don't know why I should care - this place has really just descended into noise, and I honestly can't think of anything new I've learned here all year.
Re:Is it just me (Score:3, Insightful)
Re:Is it just me (Score:3)
I think I've been punished for something, whatever that might be. And why should the admins care? They have thousands of potential moderators, so it doesn't matter to them if they kick out those who cross the line even a little, according to them.
So yeah, it awards mod points if you aren't a r
Re:Is it just me (Score:2)
Re:Is it just me (Score:4, Informative)
Actually, far more likely is that they don't have time to read /. comments all day since they are busy doing other stuff and managing the submission queue.
I totally agree this whole ScuttleMonkey thing is BS and the guy should be fired, but if you want to make your point known, you should be emailing OSTG [ostg.com] about it, not ranting on here where no one sees you.
Re:Is it just me (Score:3, Insightful)
If they clean house, I'll start subscribing again. Until then, there's no incentive.
Re:Is it just me (Score:2)
Please, someone explain what their problem is with this person... he's submitting legitimate news, and frequently. If you don't like it, make sure you send better news in. But please, stop complaining.
Re:Is it just me (Score:4, Informative)
Re:Is it just me (Score:3, Interesting)
Re:Is it just me (Score:5, Informative)
Of course nobody's paying anybody. Seriously, what would make you think that? If there were paid stories, don't you think we would make that blatantly obvious? Since it was created, Slashdot has been one of the best sites on the internet as far as keeping up the wall between advertising and content.
Apparently this person submits a lot of stories that our editors think our readers want to read. That's all there is to it. Our editors review Beatles-Beatles submissions with the same skepticism (probably more) as any other.
I normally don't bother responding to paranoid threads like this because there is so much paranoia and no way for us to respond to it all. But lately the comment volume devoted to silly speculation is just out of control. I kind of doubt this response will help stem the tide but it's worth a shot...
Re:Is it just me (Score:3, Interesting)
Why is it that Scuttlemonkey favors Beatles-Beatles posts so heavily. I mean seriously, some of us are reasonably logical. It is nearly impossible that one person could hit the front page with almost every single article submission, without some kind of favoritism, with great frequency. If someone would just tell us what the deal is, I expect you wouldn't see the entire articles devoted to the "paranoia" you refer to. Obviously people agree that something is wrong, as I haven't seen a
Re:Is it just me (Score:3, Insightful)
I guess if somebody wants to not believe me, that's fine. Everybody has the right to an opinion. But I'm trying to share the facts. Slashdot doesn't take money for posting stories to our front page,
Re:Is it just me (Score:3, Interesting)
The fickle ways of moderation (Score:2, Interesting)
The problem is, if a slashdot page links to starwars dot com with the words 'solo shot first' then this will change the very nature and fabric of the universe, and may actually cause earthquakes and or hurricanes, or at least a small butterfly flapping its wings might get struck by lightning (deserves it!).
Google is a bit dumb, and I am surprised that slashdot users : viag
The Worst Form Of Corruption (Score:2)
In the words of Napoleon: "Never ascribe to malice, that which can be explained by incompetence."
The truth about * *Beatles-Beatles (Score:4, Informative)
Looks like ScuttleMoney^H^Hkey still doesn't get. Interesting thing is, ScittleMonkey seems to use some standard template for * *Beatles-Beatles submissions, since ALL of them start by: "* * Beatles-Beatles writes to tell us ...".
So, let me repost some earlier post of mine:
Ok, let's have a look at his george-harrison.info website. Aha, maybe the links at the bottom of the page? Yes, I see: http://george-harrison.info/reciprocal-links.html [george-harrison.info].
Sooo, what may be on that page? Quoting:
Looking at the link list (just a small excerpt):
HTH!
Re:Fight back against this Beatles Beatles spammer (Score:4, Interesting)
LOL (Score:5, Funny)
Wow (Score:3, Insightful)
Re:Wow (Score:3, Informative)
Science: Nano Tech. Spurs Continued Health Concerns
NewsWeek Looks at Search Engine Optimization
Boycott (Score:3, Insightful)
I think as a collective we've got to get around to doing something about this. Criticisms that Slashdot content, and the overall quality of the website are merited. I think a boycott is in order here.
Let's make it clear to the editors that these kind of submissions shouldn't be tolerated, and will receive no attention. These kind of posts should receive no replies regardless of importance. After which we should all carry out the task of resub
Re:Boycott (Score:2)
Or sabotage. I know, let's
Re:Wow (Score:2)
Re:Wow (Score:5, Interesting)
Re:Wow (Score:4, Insightful)
Are the editors, trying to bury the site?! I'm a geek. I want to read about stuff like this? Those writeups have better have been awful.
Re:Wow (Score:2)
Regarding the seeming favoritism of
Re:Wow (Score:2)
Redundancy... (Score:5, Insightful)
Re:Redundancy... (Score:5, Funny)
That's why we all have 10 fingers.
Re:Redundancy... (Score:3, Funny)
Speak for yourself. I only have 9 fingers, and of them, only 5 have useful fingerprints. Which is why I always have great amusement at immigration whenever I visit the US these days. "Please place your left index finger on the glass. Oh. Er, your left thumb then. Oh, you haven't got a left thumb. Well, your second finger then. Now your right index finger. Oh. Your right thumb - er no, make that your second finger - er okay, so perhaps your thumb after all". And because th
Re:Redundancy... (Score:2)
I keep hearing this over and over so it must be true.
Keep The Robust Stuff, Then (Score:4, Insightful)
This isn't the first demonstration that fingerprint scanners are useless. A few years ago, a Japanese university professor showed that it was possible to make a gelatin mold from a latent print [schneier.com] (i.e., without direct access to the authorized finger in question) that would fool the readers most of the time! What is a fingerprint scanner adding but a false sense of security?
Good security (Score:5, Interesting)
But the real security comes with a Marine standing guard. If you can get past that guy, the biggest problem is already solved.
Re:Good security (Score:3, Insightful)
Re:Good security (Score:5, Interesting)
Then you're in trouble [specialoperations.com] (scroll to near the bottom where they just drive through the main gate). The red team Red Cell were notorious in the eighties for getting into any base they set their sights on, in fact they were so successful that it played no small part in being shut down, they were just too much of an embarrassment.
In fact, human security guards are notoriously unreliable, they'll get a few, but also let quite a few through. So I'm not sure that's necessarily the "biggest problem." It's a problem, but a combination of guard relying on technology that he's been assured is "foolproof" when in fact it is not, doesn't make for much in the way of security.
Re:Good security (Score:2)
Biometrics are notoriously trivial to bypass if you can tamper with them at will. That's why in a serious environment, you put a guard next to the scanner so nobody can walk up with a severed hand and get waved through.
Re:Good security (Score:5, Insightful)
Yes, that's what I was trying to get to in my last sentence, i.e. that that won't work either. As the guard will have a tendency to become complacent given that the e.g. fingerprint scanner is "foolproof" and not even bother to look at it as the person scans his finger. Compare if you will the abysmal success rates of photo id:s when put to the test. The guard there is actually required to look at it as a part of the procedure (i.e. it's not incidental to the procedure as it is here), but anything usually goes. Even cartoon pictures (I know of one instance of Donald Duck) have gotten people into military bases. If I was a betting man, I'd bet that just holding the severed finger between the thumb and forefinger on the hand (in effect presenting a six fingered hand) would let you in more often than not, even with a fairly "vigilant" guard.
A guard beside a fingerprint scanner will probably prevent someone walking up carrying a dead body, or taking a crowbar to the gate, but beyond that I wouldn't bet my life on it. People without technological support just aren't that good at routine surveillance (at a reasonable cost that is).
Re:Good security (Score:3, Funny)
Seriously, I was picking up a cousin at Travis AFB, and they put me through ten minutes of questions, even though I had all the passes, paperwork, etc. While they had me standing outside my car, they waved a pizza guy through without even stopping him.
Re:Good security (Score:5, Funny)
He stands near the scanner. And if he sees that anybody puts something else than his finger on the scanner, he shoots ;-)
Re:Good security (Score:2)
200 faces is nothing, especially if they remain largely the same. England during the 1600s had prisons with wardens, but no gates. Visitors could enter and leave freely, but the guards quite knew their inmates.
Welcome to Slashdot (Score:5, Funny)
Gummy bears (Score:5, Funny)
I always thought that was a little disgusting. You mean you're just going to eat that thing right after you pressed it against a disgusting fingerprint scanner?
Re:Gummy bears (Score:2)
You are right. If it was a Gummy Venus de Milo I doubt I would have the self control to make it to the scanner.
Re:Gummy bears (Score:5, Funny)
Re:Gummy bears (Score:3, Funny)
The 2004 Ig Nobel Prize Winners [improb.com]
PUBLIC HEALTH
Jillian Clarke of the Chicago High School for Agricultural Sciences, and then Howard University, for investigating the scientific validity of the Five-Second Rule about whether it's safe to eat food that's been dropped on the floor.
Old Hat (Score:5, Informative)
German computer magazine C'T defeated fingerprint scanners a few years ago using gummibears. I'm sure www.heise.de should have a (German) copy of that still online somewhere
Re:Old Hat (Score:2)
And? (Score:5, Interesting)
1. Something you have, like badge or actual key.
2. Something you know, like a password or pass phrase.
3. Something you are, like a General, Doctor, or American citizen.
Two-form authentication (where you use two of the three above forms) is quickly becoming recognized as being much more secure. Numerous security professionals were hoping biometrics would fit into the "something you are" category, but increasingly that category is being replaced by "something you have". You can have a General's uniform or forged passport... or a playdough impression from an authenticated finger. All this study does is confirm that migration.
Re:And? (Score:5, Insightful)
2. Something you know, like a password or pass phrase.
3. Something you are, like a General, Doctor, or American citizen.
This gets interesting in the overlaps that refute the categoricals. What you know and what you have both define what you are. For example what makes you a General or a Doctor other than the correct uniform? A detailed knowledge of military or medical matters. So let's take two twins, one a doctor and one a general and get them to spend a month teaching each other everything they know about each other's subject. The doctor twin puts on his brother's uniform and walks right into the base. Now, can he spend an entire day bluffing his way through a tactical conference, while his brother does a bit of impromptu brain surgery? Unlikely but not impossible. So is it what we know that defines us as who we are? Not with 100% certainty. Is it what we have that defines what we are? No, not definitely. Keys, passwords, biometric features, money, any facet of physical actuality can be forged, stolen or substituted. So where does that leave us? It leaves us with the uncomfortable philosophical annoyance that identity does not exist. We have to step back and look at the question again. What are we trying to achieve through assigning identity? We are trying to map INTENTION. The guy getting on the plane may look like, smell like, sound like, walk like... the person the computer says is good ole regular Joe Citizen 101, but what if his _intention_ is to blow up the plane and not ride peacefully? Joe could have been brainwashed/blackmailed/replaced by an android. Identity isn't the thing that governments and identity researchers _want_ it to be and so we have to start tackling the more difficult issue of stopping people needing or wanting to steal money or blow up planes.
Re:And? (Score:2, Insightful)
People will trust these systems to the point that they will disengage their critical faculties, because they have been told how reliable they are.
When biometric ID cards come in to the UK, I believe we will see more fraud because of this. Once someone works out how to break it (by gummi bear, play-doh) or wha
Re:And? (Score:2)
The whole problem with 'perfect security' is that it encourages design without graceful modes of failure.
When you know you have shitty security, and you know that it's more or less practically impossible to get better than moderately shitty security, you design the whole 'system' with those factors in mind.
Whether in computer systems or social, economic and physical systems this can take various forms, ranging from not pissing people off more than you have to, thr
Re:And? (Score:2)
"The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair"
Re:And? (Score:2)
Play-Doh is... (Score:5, Informative)
Re:Play-Doh is... (Score:4, Interesting)
'When I was a little man
Playdoh came in a little can
I was Star Wars' biggest fan
Now I'm stuck without a plan
G. I. Joe was an action man
Shaggy drove the mystery van
Devo was my favourite band
Take me back to my happy land!'
-- The Aquabats, Playdoh. A wonderful song of geek nostalgia...
Re:Play-Doh is... (Score:5, Interesting)
Its exact makeup is a secret [...] Play-Doh was invented by Noah McVicker and Joseph McVicker in 1956 and awarded U.S. Patent 3,167,440 in 1965.
So, is its formula secret, or was it patented? If the patent was granted in 1965, shouldn't it expire already?
Robert
Re:Play-Doh is... (Score:3, Informative)
http://patimg1.uspto.gov/.piw?docid=US003167440&PageNum=2&IDKey=97FD77D33410&HomeUrl=http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1%2526Sect2=HITOFF%2526d=PALL%2526p=1%2526u=/netahtml/srchnum.htm%2526r=1%2526f=G%2526l=50%2526s1=3167440.WKU.%2526OS=PN/3167440%2526RS=PN/3167440 [uspto.gov]
Next: man on terrorist watch list after buying Doh (Score:5, Funny)
Capacitance? (Score:5, Interesting)
Not that I've tried it, but I'm pretty sure you can use Playdoh to navigate around your iPod.
Re:Capacitance? (Score:2, Interesting)
This is unacceptable. (Score:4, Interesting)
fingerprints not needed to find the terrorist... (Score:2)
Re:This is unacceptable. (Score:3, Insightful)
Categorically saying they are patriots is just as silly as saying, categorically, that they are not.
They are also annoying in other ways (Score:5, Interesting)
It is not bad, as I give up on the computer in the evening, just don't wash your hands before a presentation
Re:They are also annoying in other ways (Score:4, Funny)
I don't think that is a concern for most of the people who read this site.
I Don't Know About You Guys But... (Score:5, Funny)
Re:I Don't Know About You Guys But... (Score:3, Insightful)
Re:I Don't Know About You Guys But... (Score:2)
Pulse Oximetry (Score:5, Interesting)
Re:Pulse Oximetry (Score:3, Funny)
It would be cheaper to implement.
Re:Pulse Oximetry (Score:2, Interesting)
I got one here, and they may not be practical (Score:5, Interesting)
Incorporating them would also require a major redesign. They clamp around an inserted finger, and this would make them harder to clean and maintain, and also make them more prone to breakage.
The non-invasive principle of operation of these is pretty neat, and might interest slashdoters. They work by shooting dual wavelengths of light through the finger, namely infra-red and a visible red color. On the other side of the finger, a sensor relays readings to a signal processor, which distinguishes between flesh, bone, and what-not based on the absorption differential between the two wavelengths, so it can isolate out variables between different kinds of fingers. The result is incredibly precise, and the LED on the front flashes in precise sync with one's pulse. I'm guessing the signal processor is a major cost, so maybe in time these will come down in price.
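The dual-wavelength pulse principle described in the comment above, sketched as a liveness check for a fingerprint reader. This is an added example, not part of the original thread or any vendor's code; the sample rate, thresholds, function names and the synthetic sensor traces are all assumptions constructed for illustration.

```python
import math

SAMPLE_HZ = 50  # assumed sensor sampling rate


def synth_ppg(dc, amp, bpm, seconds=8, hz=SAMPLE_HZ):
    """Constructed sensor trace: steady light level `dc` plus a ripple of
    amplitude `amp` repeating `bpm` times per minute."""
    step = 2 * math.pi * (bpm / 60.0) / hz
    return [dc + amp * math.sin(step * i) for i in range(int(seconds * hz))]


def perfusion(samples):
    """Relative pulsatile component: peak-to-peak ripple over the mean level."""
    dc = sum(samples) / len(samples)
    return (max(samples) - min(samples)) / dc if dc else 0.0


def pulse_bpm(samples, hz=SAMPLE_HZ):
    """Pulse rate from the spacing of upward crossings of the mean level."""
    dc = sum(samples) / len(samples)
    ups = [i for i in range(1, len(samples)) if samples[i - 1] < dc <= samples[i]]
    if len(ups) < 2:
        return 0.0
    period_s = (ups[-1] - ups[0]) / (len(ups) - 1) / hz
    return 60.0 / period_s


def liveness(red, ir, min_pi=0.005, bpm_range=(40, 180), max_bpm_gap=5):
    """Accept only if both wavelengths show a ripple that is large enough,
    within a human pulse range, and at the same rate (illustrative thresholds)."""
    pi_red, pi_ir = perfusion(red), perfusion(ir)
    bpm_red, bpm_ir = pulse_bpm(red), pulse_bpm(ir)
    out = {"live": False, "bpm": round((bpm_red + bpm_ir) / 2, 1),
           "ratio": round(pi_red / pi_ir, 2) if pi_ir else None, "reason": ""}
    if min(pi_red, pi_ir) < min_pi:
        out["reason"] = "no pulsatile component"
    elif not all(bpm_range[0] <= b <= bpm_range[1] for b in (bpm_red, bpm_ir)):
        out["reason"] = "ripple rate outside human pulse range"
    elif abs(bpm_red - bpm_ir) > max_bpm_gap:
        out["reason"] = "wavelengths disagree on pulse rate"
    else:
        out["live"], out["reason"] = True, "pulse present on both wavelengths"
    return out


# Constructed traces (red, infra-red); none of these are real measurements.
CASES = {
    "live finger": (synth_ppg(1.0, 0.010, 72), synth_ppg(1.2, 0.020, 72)),
    "inert mold": (synth_ppg(1.0, 0.001, 420), synth_ppg(1.2, 0.001, 420)),
    "fast ripple": (synth_ppg(1.0, 0.020, 420), synth_ppg(1.2, 0.020, 420)),
    "rate mismatch": (synth_ppg(1.0, 0.010, 72), synth_ppg(1.2, 0.020, 90)),
}

if __name__ == "__main__":
    for name, (red, ir) in CASES.items():
        print(f"{name:14s} {liveness(red, ir)}")
```

The `ratio` field is the red-to-infra-red perfusion ratio, the "absorption differential" the comment refers to; it is reported here but not thresholded.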
Wait a minute... (Score:2, Funny)
Re:Wait a minute... (Score:2, Funny)
I call BS on this. Everyone knows Slashdotters don't have sex. Unless you are attempting to reproduce female organs. Which in that case, you would have had to have seen one in real 3. And that comes back to my original point.
You would think Beatles-Beatles could at least (Score:3, Informative)
More fingerprint spoofing techniques (Score:5, Informative)
The thing is... (Score:3, Insightful)
And the best scanners are nowhere near that accurate.
Omission in the FP (Score:5, Insightful)
Quoted from FP:
University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds.
Quoted from TFA:
Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They also assembled a collection of cadaver fingers. In the laboratory, the researchers then systematically tested more than 60 of the faked samples. The results were a 90 percent false verification rate.
The crucial piece of missing information: The need for dental materials; the same stuff used to make casting for denture, false teeth, etc. To do what the researchers did, one needs more than play-doh. But of course ignoring this makes the FP much more dramatic because it implies that a preschool toy is sufficient for fooling biometric scanners.
For the record the quote from the FP is the part written by the editors, not by the submitter (unitalicized portion of FP), so the error (or omission) was made by a /. editor, not by the submitter.
I find it frustrating that what I once thought was a useful and interesting source of information and lively discussion seems to have become what it once seemed to differentiate itself from. Slashdot editors seem to be adopting the playbook of big media and skewed news to drive up user posts.
I find this sad because I thought that Slashdot was a site with an alternative playbook, that treated its readers as more savvy. Now it seems to be on the slippery slope to USA Today style reporting. I can only assume that this change is an attempt to drive up ad revenue. But I am afraid it will alienate many of the readers.
It's way worse than they think!! (Score:5, Interesting)
Then I wondered if you could trick it, so I looked at my index finger, and saw that it was a loop, and then had someone else in the office try with one of their fingers that also was a loop. Nothing just by pressing down.
But, because the login software takes continuous readings (which they display!), my buddy was able to keep sliding and mashing and rotating his finger around until after 4 or 5 seconds, Bong, logged in!! We were laughing, so we tried with three other guys here, and they all logged on. Some of them had to rotate their hand all the way around, but *everyone* got on. THIS SOFTWARE DOES NOT WORK! DO NOT TRUST IT!
I reported this to the fingerprint software people (sorry, don't remember their name), but they never responded. I just turned it off completely - it's a joke.
Schuckers = suckers? (Score:2)
So does this mean... (Score:3, Funny)
play-doh (Score:3, Funny)
Spelling (Score:3, Funny)
They misspelled "suckers". After all, it can be fooled by play-doh.
Can anybody, anywhere (Score:2)
Thought not.
Whole thing's based on supposition and received wisdom, and is an utterly stupid basis for a security system. And I don't think much of the degree to which fingerprint evidence is relied on in court, either. Still, you try convincing a jury that every cop show and courtroom drama they've ever seen has misled them.
Mr. Bill arrested for Conspiracy & ID theft (Score:3, Funny)
The police said his only words after getting caught were "DOH!" and then "Ohhh noooooooo!"
Re:Do the right thing.... (Score:2)
Re:It's sad "fake news" keeps appearing on Slashdo (Score:2)
Congratulations. We haven't heard THIS one yet.
Re:It's sad "fake news" keeps appearing on Slashdo (Score:2)
Re:It's sad "fake news" keeps appearing on Slashdo (Score:2, Informative)
2. Generate traffic to a site to improve ad revenue or subscribers.
3. Sell a product or service of some sort.
4. ???
5. Profit.
Understandable Frustration (Score:5, Informative)
I'd like to hear some kind of explanation from the editor(s). I'd like to think that this is simply some kind of failure of process rather than something fundamentally wrong with Slashdot itself. It would be nice if the next Slashback dealt with these issues in some way.
Re:Sanding (Score:2)