I love it
Here is your security. He is lucky; in other countries they may have taken the whole finger, which is what worries me. Do you think maybe a decent photograph would work just as well?
A hacker club has published what it says is the fingerprint of Wolfgang Schäuble, Germany's interior minister and a staunch supporter of the collection of citizens' unique physical characteristics as a means of preventing terrorism. In the most recent issue of Die Datenschleuder, the Chaos Computer Club printed the image on a …
That's easy! Just have a fresh fingerprint issued to the rightful owner.
All it requires is the removal of the ends of all the fingers and a few months of bio-assisted regeneration (don't take too much of the fingers though, last I heard more than the tips were beyond current science to regrow).
*The thumb because there wasn't an icon with the middle fingerprint raised.
Eat this crow, fingerprint-lovers. How long before the random yoof is able to fake your fingerprints from your RFID-powered ID card? All it takes is a cheap RFID reader and a way to issue rubber-prints. This ID card scheme is really a mad-bomber wet dream. So long for the "I've nothing to hide" sheeps.
Yes a decent photograph will defeat most fingerprint scanners. The better ones require you to warm the photograph with your finger. A quick web search will lead you to a video by Mythbusters showing how easy it is to defeat these scanners.
Fox hunters should only be allowed into parliament if they have the hand or eye of an MP.
So what you need are different cross referenced biometric checks coupled with more conventional ID methods and motivated human operators.
Whichever way you look at it the immediacy of the global village, ease of travel, multi-nationalism, multiple streaming global media, and an ever increasing dependency on IT have thrown up issues never previously encountered in human history. And a significant portion of these issues will be thought of as detrimental, at least in some populations.
Or we could just pretend that there's no such thing as organised crime, smuggling, large scale identity fraud, unrestricted criminal movement, drug trafficking, child abduction, sex slavery, money laundering and of course terrorism -
Yeah, since when has terrorism ever really hurt anyone? It's like crime, everyone knows that only happens on TV. We could always pretend it was all a Govt. promoted myth, close our eyes, cover our ears and hum.
The pick pocket because it reminds me of the time someone assumed me and my car's identity and racked up thousands in parking tickets and motoring offences!
In reply to the previous comment about DNA:
The problem with DNA is not so much being able to obtain a specific person's sample, which is somewhat hard, or at least takes effort. The problem is that you can get a random person's DNA and frame them.
As an example, if you're a burglar or other career criminal a smart thing to do would be to go to a bus-stop in a dodgier area of town and pick up cigarette butts. There is now a high probability that these butts will have DNA from the DNA database (30% of all black men, more criminals are smokers, etc.) so you just need to leave a butt at the scene of each crime. At the very least this will throw off the police for a while. At best it will mean the wrong guy gets convicted if he is unlucky enough not to have an alibi (DNA never lies).
The risks of this attack increase as more people are added to the DNA database.
I'd laugh if we started seeing all German officials wearing gloves in public. I wonder how the minister will respond. I don't know about over there, but in NA you can't copyright fingerprints, so it's hard to call it forgery. I'm sure they will try to do something to save face.
Given it's been proven that a false print is accepted by the readers it'd be interesting to know just what source data someone actually needs to start from.
If you have the encoded fingerprint biometric stored on an RFID enabled passport/card, and you have knowledge of the algorithm used to generate the biometric data from the original fingerprint, then surely you could create something that - while not quite the original print - would provide a matching pattern on a reader? After all, it doesn't match the 'print' but a set of point measurements.
In which case all you'd need to do is read the biometric data at some point which may be even easier than getting hold of an actual print, particularly if attempting to use a stolen ID.
Extracting the RFID data isn't difficult as it's all based on simple open standards. But is the biometric encrypted? Or just encoded? And is the encrypted/encoded data non-reversible i.e. can you recreate the original input from the data or is it only suitable for matching with a result? And in that case how hard is it to bulk generate lookup data to reverse the process?
Another nail in the ID card coffin? It will be interesting to see how the minister's fingerprint gets used and what the minister "buys" or "agrees" to on the strength of his fingerprint.
Biometrics are the ultimate form of "money laundering". After all, the system validates *your* identity so if it says you are the German Interior Minister then you must be. All of you........
Stupid bl**dy system!
This is just one more hassle for the common honest citizen and merely a slight speed bump for anyone intent on getting in or through.
Has anyone compared the crime figures of countries already with ID cards such as Germany and Belgium and those without? I have a feeling that the ID card is just another useless piece of bureaucracy...
... That is why fingerprints are fantastic for *identification*, NOT *authentication*! FFS why can't politicians understand this stuff.
"passport that stores individuals' fingerprints on an RFID chip". Where do I start? You put the biometric data *on* the passport? The user's passport is probably the weakest authority on whose biodata is whose. For this to work it would have to be stored in a trusted central database, not a spoofable passport.
And lastly, an RFID chip? Let's take this whole insecure mess and open it up to anyone with an RFID sniffer. Now anyone can walk by you and get your biometric data, or at bare minimum, your name, and a hash of your fingerprint that would be sufficient to identify you. Or you could just replace the chip on your passport with an off-the-shelf one you burnt, or sniff transactions out of the air by listening to the authentications, etc.
@DNA has its problems too
Too right, I used to get a train to work which shuttled between Cleethorpes and Manchester airport. I can just see my DNA doing transatlantic trips, and I'm now accountable for every last bit of it.
@OR WE COULD JUST DO NOTHING
I don't think anyone disagrees there are lots of problems in the world. However, having power crazed jobsworths at every street corner saying "ID" isn't going to solve them. It will, however, negatively impact everyone's freedom. There is an argument that says stopping all crime is more important than freedom; is this what you advocate?
Sensible policies, for instance stopping carrying on up the Khyber, would go some way to silencing the terrorist motormouths.
Because if this does defeat current fingerprint readers, the companies will simply wail loudly and apply for more money from the public teat. Biometrics have become so much of an article of faith with the UK government that they can't be seen to lose face - bottomless amounts of taxpayer pounds will be made available to any multibillion pound company who needs the cash.
The security lobby is today's military-industrial complex - not that that's gone away. Hmmmmm Perhaps it's more accurate to say that the security lobby is the bastard child of the military-industrial complex and David Blunkett.
There isn't actually a problem to solve - other than chimera, ghosts and ghouls.
ID cards won't stop crime, biometrics won't stop crime, huge transnational death bot linked to hyperefficient mind readers won't stop crime or terrorism.
You reduce it to manageable levels and get on with life. It's at manageable levels - I don't see tens of thousands of people dying a week due to terrorism or crime. Although so many doomsayers would like to put that image across.
You can't stop every crime or terrorist act, you can try and clean up effectively and investigate well. Infiltration and intelligence are far better weapons than ID and magic. However in the post soviet era such things have been abandoned for flashy devices and ineffectual grandstanding.
The ann above is evidently some kind of scoper - as none of the things it listed would be affected by identity cards/registers/biometrics - maybe mind reading death bots would help though.
organised crime - they're organised - as such would have little problem in moving around or maintaining their images. ID wouldn't help a damn.
smuggling - Well you catch the smuggler or you don't - ID plays no role
large scale identity fraud - doesn't make it any harder just means you need to either a: steal something different or b: change the records to reflect something within your power.
unrestricted criminal movement - like smuggling? I think you covered that already.
drug trafficking - it's called smuggling and as before you get caught or you don't and generally you get caught due to undercover work not magic.
child abduction - an incredibly rare event - and just how would biometrics make it any harder? Do you mean anyone with a child whose biometrics don't match a guardian's are being abducted? Darn gotta be hard for step parents, adopted parents, guardians, family friends, etc also please remember there are only a few dozen child abductors active in the world.
sex slavery - how does your magic ID help here? Sorry you're a woman you can't come in because you may be a sex slave.
money laundering - I still don't get what you're talking about. ID won't help as most of it's done in country.
terrorism - well all the bombers in both 9/11 and 7/7 had no criminal convictions so... what's your point? Of course maybe a bit of old fashioned investigation would have helped.
Really you're a prime example of the fuzzy thinking that exists.
All these things are problems, however they aren't changing society - weak willed, thin skinned children like yourself are changing society.
Grow a pair of balls. Life isn't safe, you could get run down by a car any minute, your gas mains could explode - hell you may get hit by lightning.
Most of the world managed to survive quite nicely for quite a few thousand years of civilisation without any form of ID card. All an ID card does is prove that it belongs to the person holding the ID card, it doesn't prove that person exists (pretty obvious) or who they actually are. It doesn't provide "identity". Identity is innate.
"Or we could just pretend that there's no such thing as organised crime, smuggling, large scale identity fraud, unrestricted criminal movement, drug trafficking, child abduction, sex slavery, money laundering and of course terrorism"
That's not the real position though. The alternatives are spend a massive amount of public money on making the situation *worse* with governments' phony silver bullets like poorly implemented biometrics, or keep on looking for a solution that inevitably won't be capable of being packaged in a simple way to sell to the public. But unfortunately governments need to look like they're doing something more than they need to actually achieve their goals.
...the fingerprint had been extracted from the electronic records kept by the government, rather than lifted from a glass. After all, this only proves what we've all known for years: one can lift a print from something a person touches and create a rubber copy for use in readers.
What "identity problem" is this then? The one the government insists we have, or the one that Sky News makes you have sleepless nights about?
So you think fingerprints would have stopped someone copying your license plate? Surely you didn't actually pay the fines, you must have told them it wasn't you, right?
Fraud is nothing new, it's one of the oldest professions, I reckon! Ridiculous ID schemes do nothing to solve it. They're for the benefit of the government and big business, not the public - they just make it harder for us to prove our innocence.
Ten years from now: "Sorry sir, you were definitely speeding. Your fingerprints match the ones on the RFID chip in the number-plate, which was read by the speed camera as the car went by..."
"All an ID card does is prove that it belongs to the person holding the ID card, it doesn't prove that person exists (pretty obvious) or who they actually are. It doesn't provide "identity". Identity is innate."
Standing around finding fault with present attempts or settling for an existing philosophical viewpoint gets no one anywhere.
I will continue waiting semi-patiently for the Einstein of security 'cause it sure ain't me or anyone I've read here - conventional thinkers all.
The first is the fun thing we want to know about:
Guido Fawkes has issued a challenge. "Guido will buy dinner at a Michelin starred restaurant for anyone who provides him with a verifiable* copy of Jacqui Smith's fingerprints." See http://www.order-order.com/2008/03/if-jacqui-has-done-nothing-wrong-she.html for more details, including his rules about "verifiable".
The second is the unfun thing that we wish won't happen:
As finger prints and DNA are as dubious as other contributors have made out, what will our control freak governing classes do next? Mandatory RFID chip insertion? Time to read Revelation methinks!
I think taking this fingerprint is a good idea to highlight the biometric problems. Unfortunately they only did 4000 copies of the magazines.
They should have put it in a newspaper or so with millions of copies. Then you just need a couple of hundred creative people to do something with this fingerprint. And hopefully it'll become the first ever distributed biometric security attack.
While I would never partake in, or encourage, criminal behaviour (let's face it if I didn't say that they'd come and lock me up for incitement! Or actually doing it I suppose...) things like this *really* make me want to take the fingerprint; slap it all over a few house bricks and throw them through some windows...
Hopefully MPs would get so sick of the police asking for alibis they'd ditch it just for the peace and quiet. :)
PS: I like the cigarette butt idea too but I'd prefer it if the original owner either had an alibi (I know I wouldn't like to be framed I didn't commit! PS: anyone got the number for the A-Team just in case?) or deserved jail time for some other reason (which I say knowing that I don't fall into that category - or should I say 'hoping'; it seems that it is far too easy to break a law nowadays)
Nabbing a high profile politician's print is interesting, not to mention very good publicity, but not particularly useful. How likely is it that the target's dabs are on file so they can be matched? You could leave them but nobody would know.
What is much more interesting is collecting dabs from local people who you *know* will be on file. For example the local chief constable, or in fact any local policeman will do.
Imagine the merry mayhem if large numbers of police had to keep on finding alibis for themselves.
Also the forged print idea is not new. In the early 80's the Western Australian police framed some alleged gold robbers by planting a print on a document. The print came from a rubber cast of a hand that had been produced in a moment of idle curiosity by one of the alleged.
Don't fool yourselves, governments know very well that biometrics do nothing to improve security. They also know that available non-biometric security measures for documents are sufficient. What they really want is the ability to tax citizens for just about anything imaginable and make it impossible for people to escape the ever increasing and often unjust taxation via a second passport that for tax purposes may then appear as belonging to a different tax payer or a non-tax payer.
The so called Perpetual Traveller aka PT technique has long been used to pay fewer taxes by people who do business in different countries. The idea is to hold a second or third passport and spend your money in country A as a tourist with a passport from country B and vice versa while having a permanent residence in country C where no income is generated nor spent.
In the age of 50%++ tax rates in many countries it is no wonder that such schemes have been developed and will continue to thrive. To many governments this is a thorn in the side and they have a common interest when it comes to milking their citizens. By coupling biometric data and identity documents and sharing standards to read those documents, governments will be able to identify that perpetual tourist John Doe with passport from country A is actually the same person as Dick Harris resident in their own country with no declared income. They will then be able to tax Dick Harris on the spending he does as John Doe or even charge him with tax evasion.
That's what the biometrics are all about. In reality politicians are grateful to OBL and Al Qaeda for having created an environment in which they are able to push such measures through without much opposition from their lemming populations.
Bruce Schneier is the director of BT Counterpane - due to the fact that Counterpane was purchased by BT. He manages a subsidiary company.
I would not at all be surprised to discover that no-one at BT internet sent him a memo asking for his input on Phorm - the internal invoice would take too much a chunk out of their budget, and as they have already decided that Phorm is so good and brings them money (since when do they care about the end customer?), it's got to be good. Why waste their Christmas bonus on getting an expert's point of view - and a critical point of view that they know in advance that they will not like?
Bill as the Devil as Microsoft has multiple levels of management abstraction that disconnects people from reality too...
To summarize for the non-German speakers:
- In all new German passports the fingerprints are stored.
- there's an RFID chip in order to read this biometric data wirelessly
- it's encrypted, so nobody NOT authorized can access this data (says the man)
- the CCC has already proven how easy it is to intercept and decrypt the data
- Jörg Ziercke, the president of the BKA, Bundeskriminalamt, i.e. Germany's uppermost policeman, wraps his passport in tinfoil whenever he needs to carry it, in order to block wireless access from unauthorized persons
--> gives you a really warm and fuzzy feeling, right?
I'm a German living in Spain, and my passport is up for renewal in September :(
I guess I'll buy a copy of Datenschleuder and provide Mr Schäuble's fingerprints, just in case ...
Partly you have to acknowledge that security is a process, not an end result. For every technological advance in favour of the process there is an equal and opposite one against. Just as DNA can find a (guilty) suspect, DNA can be planted to find an (innocent) suspect.
Partly you have to recognise that fundamentally flawed checks such as fingerprint readers are hailed as panaceas. They are treated as the solution. But of course, they are not, and never can be.
If they are not the solution then they are a step along the process, except they are probably a step backward because it is expensive to implement nationwide and trivially cheap to circumvent. This is a fundamental flaw in all nationwide systems.
But you must also recognise the ID issue is one that we had 10 years ago but you didn't fear it as much. ID theft is a term that fear-mongers throw around for their own reasons. Your own identity cannot be stolen any more than your mind can be, but people can pretend to be you - it's just much easier if your identity is reduced to a number (whether encrypted on an RFID chip or not).
So what is the real problem that we've had for ages and now urgently needs a solution? That someone else can use your credit card online? They can access your bank account over the Internet? That they can burgle a house and leave your fingerprints or DNA? No proposed solution would help these problems.
You want a panacea, but what is the problem? Take away the buzzword, and what are you trying to stop? Are you absolutely sure that what you are trying to stop;
1) Is worth the time and energy required to keep the process of security up to date, and non-circumventable at its weakest points.
2) Cannot be tackled by a free-market solution rather than a govt one (e.g. the onus is on a bank to secure your money, and not on us the taxpayers to pay for their ID system that requires us the customers to secure our fingerprints or - automatically - lose our money).
This whole fingerprint DNA thing is rather one sided. The authorities have copies of DNA and fingerprints of a rapidly increasing percentage of the population, mostly of the criminal kind but more and more of the unfortunate 'collateral damage' of investigations as well as immigrants, visitors, etc.
So basically 'they' have you where they want you, a neat index entry in their database to have and to hold till your death do you part. 'They' have exclusive control of this information due to their various privacy acts. So the power model is 100% to 'they' and 0% to anyone else.
Now imagine a radical proposal. Take away 'their' exclusive hold on people. Make the DNA and fingerprint database a public item. Everyone who has had to submit to the fingerprint / DNA profile held by the authorities should immediately (anonymously) publish their own copy.
The effect is that 'they' no longer hold an exclusive private copy of how to ID you, and 50 million other people now have the same information (adjust for country of origin). This immediately devalues the secret information that 'they' hold. Anyone can now reproduce your fingerprints. Given relatively trivial technology, anyone can now reproduce your DNA.
Does this help the bad guys? Probably not. Conviction based on DNA or fingerprints alone is almost certainly unsafe. Bad guys will always be convicted on more substantial evidence.
Does this help Joe public? Yes. DNA and fingerprints are a major intrusion on living a private life with 'the system' keeping unnecessary tabs on you and open to abuse when someone gets a bright idea on what else to do with your DNA samples. If you publish, you devalue the stuff they are so keen to keep. If enough people do it, perhaps they will stop and go back to a kindlier, gentler age where most people are presumed innocent and there is no need for the state to intrusively monitor the entire populace.
Does this mean you will be convicted of a crime you didn't commit because some prat used your DNA/fingerprint ID? No. Convictions (at present) require substantive non DNA and non fingerprint evidence.
The real worry is if DNA and fingerprints become the exclusive property of 'the authorities' and you can be convicted solely on DNA or fingerprint evidence. Then you only have to worry about who, working for the authorities, has it in for you. History shows this sort of arrangement *will* produce bad outcomes.
Currently one of the best protections (for the individual) against identity fraud is the use of photographic ID. If someone tries to steal my identity they will often be required to produce some sort of photographic ID and a copy of it is kept. If the photo doesn't match (fake ID) then I can prove this later. The new ID cards are based on the concept of self verification, they won't keep a copy of someone's fingerprint, they just verify it is "correct". At this point the "bank" will be insistent that it was me and not an identity fraudster. As far as I can see the biggest risk with ID cards is that the person impersonated easily gets to be held responsible for the actions of the impersonator rather than the body whose security failed.
A round of applause to CCC for having the balls when most of Europe is just silently obedient and waiting for the next blow to the rights to have an existence without the USSR like EU politicians tuning in on it all the time.
ID proves nothing save perhaps a probability of a person. Unless EU is planning massive realtime surveillance for Citizen Political Cleanliness we have a massive epidemic of voyEURism in Brussels.
The only way for total security is the next Zoo living on the other side of the bars.
A big thumbs up to the German magazine for doing this.
As anyone with even the vaguest interest in technology would know – spoofing prints is as old as the Bond movie 40 years ago…
A more robust - and currently available - solution is 3D imaging of the veins/capillaries in the fingers or hand. You’re not going to be leaving *that* attached to pint glasses etc. Yes, someone could spoof it – but it’s by an order of several magnitudes more complicated.
Sure, it doesn’t get round the obvious problems like cracking the chip etc – but *prints* are so, errr, 19th Century dudes!
Then again – nothing really new with authoritarian governments purporting that the “end is nigh” – unless we do what they say, and politicians with doe-eyed belief in the wonders of technology either.
I've read some (but not all) of the comments on here and there is a vein of "don't knock it, they're trying to achieve something". Couple this with the cases of senior police officers calling for universal DNA screening after two high profile murders here in the UK (the politicians pooh-poohed the idea, presumably distancing themselves when the uproar began - but no doubt they'd have been all for it if the public reaction had been favourable).
The upshot is this: anyone arrested on all but the most trivial charge is now routinely DNA'd. Various studies report that X% of crime is committed by a low number of career criminals.
If DNA is the answer to all our problems, how come a huge percentage of crime hasn't been cleared up?
And if it hasn't then what is the point of it all?
This story illustrates both the weakness of fingerprints as a method of access control and the naivete of politicians who think biometrics are the sole solution to access control. It's all very well finding a unique biometric but if it is relatively easy to steal and duplicate - as this example demonstrates, then it has NO value in any security situation that MATTERS.
Knowing, for example, what we now know about how easy it is to steal and use your fingerprint, would you be happy to grant access to your house or car based on fingerprint alone? Of course not. So why should we imagine that fingerprints are a remotely sensible way to protect access to aircraft or sensitive databases? (abuse of which could do far more damage to society than having your own house broken into or car stolen)
This is not to say that biometrics are not useful. But the only biometrics, so far, which cannot be trivially stolen and represented on cue are your DNA fingerprint (which still takes too long to be used for access control) and your retina print - which can be performed in a couple of seconds. And even then, we can only trust it if the test is performed in our presence with kit we control.
Conclusion, the only safe and practical biometric is the retina print and it is only guaranteed secure when used on trusted kit on trusted premises and supervised by trusted guards. Anything less is "Security Theatre".
On the question of risk of abuse by State and other bullies, I'm slightly attracted to Jerry's idea of defeating exclusive access by publishing our own biometrics. We could then legitimately claim, for example, that if our spoor is ever detected at the scene of a crime, it could have been planted there by a hostile party wishing to frame us. This could, at least, provide Juries with enough doubt to make the prosecutors' task much more difficult.
But we cannot glibly ignore the downside of that breach of our own privacy. It would, for example, make us much easier prey for stalkers, private detectives, government agents and other hostile attackers who may not wish to frame us but do wish to spy on us.
OK not the most original title, but the truth.
The reason I am writing this is because no one seems to have noticed the fact that any system no matter what will be broken.
The past is littered with systems that were unbreakable, but were broken. Often though the information in the system, such as coded wireless messages, had a limited life expectancy.
The prize for breaking this system is so great and the data valid for so long (a life time) that it is unlikely that it won’t be broken, and the data corrupted with false information. How long before a new OS is probed for vulnerabilities, and that mainly for the kudos of being the first to beat the OS.
Given that the data in the ID database is used for access to and from a country as well as welfare payment systems and ID generally it is unlikely that criminals will take long in finding ways to add people to the system.
I see ID cards being implemented, at huge cost to the public. There will be some newspaper articles about delays and spiralling costs. I see huge payments to contractors who have long relationships with the government.
I see the whole thing fall flat on its arse a year or so later when even the government is forced to admit that it's not working. CEOs will walk out with golden handshakes, and the ministers involved will have more time to spend with their families.
But it's OK - the taxpayers' money will, by then, be safely stored on foreign soil in a handful of bank accounts.
Just wait for the next Datenschleuder issue. Then the current one is a back number and you can DOWNLOAD the PDF!
Then you just extract the bitmaps and carry on as per instructions.
Rather than a wavelet format, the ICAO requires JPEG or JPEG2000 pictures of fingerprints, i.e. you crack the RFID protection, download, print to plastic film and carry on.
There is an English translation of the Fingerprint forging Instruction manual on the CCC English servers, which Google delivers within a few clicks...