Bruce Schneier
Schneier on Security

A blog covering security and security technology.

April 1, 2008

German Minister's Fingerprint Published

This is 1) a good demonstration that a fingerprint is not a secret, and 2) a great political hack. Wolfgang Schäuble, Germany's interior minister, is a strong supporter of collecting biometric data on everyone as an antiterrorist measure. Because, um, because it sounds like a good idea.

Here's the story directly from the Chaos Computer Club (in German), and its English-language guide to lifting and using fingerprints.

And me on biometrics from 10 years ago.

Posted on April 1, 2008 at 2:37 PM • 35 Comments

Comments

One of the first cases of giving someone the finger by giving theirs to everyone else. How will he change his password now?
Posted by: alan at April 1, 2008 3:01 PM

Too bad this will be harder to do with iris scans... But, indeed, this has got to be one of the all time greatest technology politics hacks. But, I suspect the response will not be mea culpa but a call for laws making distribution of fingerprints illegal, following the common political trend of when embarrassed, pass laws to arrest those who embarrassed you.
Posted by: Scote at April 1, 2008 3:05 PM

"How will he change his password now?"
Well, he does have 9 more fingers...of course that only helps in those situations where he is allowed to choose the finger used which is often not the case.
Posted by: scote at April 1, 2008 3:07 PM

I wonder if places that require you to change your password every three months will retain that policy when they go to biometrics? Probably. Then they will complain when workers' typing speed goes down every few months...
Posted by: alan at April 1, 2008 3:27 PM

You know, back in the 1800s it was fashionable to wear gloves to hinder the spread of disease. Now it will become fashionable to wear gloves to hinder the spread of your biometric data. I expect that hairnets (to avoid accidentally dropping your DNA) will become popular as well. Who knew Islamic women had the right idea all along?
Roxanne
Posted by: Roxanne at April 1, 2008 3:57 PM

@Scote
Apparently the current iris scanners at Heathrow airport (nothing to do with T5 farce) have a very high failure to identify rate on a very small population of users.
Posted by: Nomen Publicus at April 1, 2008 4:22 PM

What about a Rectal Scan? It's not as though it could be left *behind* on a drinking glass? Could you imagine, "Please press your brown eye to the screen."
Posted by: Brown Eyed Girl at April 1, 2008 4:30 PM

I have a wonderful idea: a hacker convention with a biometric scanner at the door, and only celebrities may enter. "Hello Mr. President... Right this way Mr. President... Here's your nametag, Prime Minister... Welcome, Dr. Turing, you're the first one tonight... Whoah! C'mon in, your Holiness!..."
Posted by: Beta at April 1, 2008 4:31 PM

Biometrics is not a secret, the key is making it usable (for verification) given that the fingerprints are public.
Posted by: Eduardo Diaz at April 1, 2008 4:39 PM

While biometrics are non-unique, and not necessarily usable, implanted chips are rock solid and cannot be duplicated or otherwise tampered with...right?
Posted by: Jackie at April 1, 2008 4:41 PM

Mr. Schäuble has since responded that "everybody can have my fingerprint. I have nothing to fear." However, he is still considering legal action against the Chaos Computer Club. We now have the opportunity to leave his fingerprint all over the place. Let Mr. Schäuble become the next Brandon Mayfield!
Posted by: FP at April 1, 2008 4:44 PM

"Mr. Schäuble has since responded that "everybody can have my fingerprint. I have nothing to fear." However, he is still considering legal action against the Chaos Computer Club."
That's hilarious. "The hackers have no case, and I'm considering suing them for it."
Posted by: Scote at April 1, 2008 4:54 PM

would be funny if one day some of these are discovered at unusual places ... a crime scene, for example: http://chaosradio.ccc.de/ctv003.html
Posted by: erlehmann at April 1, 2008 4:56 PM

'Mr. Schäuble has since responded that "everybody can have my fingerprint. I have nothing to fear."'
This is humbug on so many levels. Did I miss any?
Posted by: Beta at April 1, 2008 5:45 PM

More details in English:
Oh, and the fingerprint itself, ready to print out: http://www.ccc.de/images/misc/...
Posted by: presso at April 1, 2008 6:08 PM

Now that they have a finger print, they can rummage around in his trash to collect DNA. I wonder if he will be charged if these items - which have been used as "incontrovertible proof" to convict others - are later found in connection to a crime? Or will the authorities just assume that the evidence is false, since at least one item was made publicly available?
If they do that, it's like a "get out of jail free" card, isn't it? If you give away "ten-print" cards with your fingerprints and a swab with DNA, doesn't that eliminate the ability of the authorities to use this as evidence? The German Minister may be on to something. :)
Posted by: Mace Moneta at April 1, 2008 8:23 PM

Too bad the dummy-print page didn't specify that dummy prints are to be made from gelatin because it conducts heat and pulse, and mimics skin elasticity well enough to fool pretty much any scanner, and to top it all off it's edible, so you can just suck it off your finger and swallow it once you figure there's more chance that some human will inspect your fingers than there is that you'll have to scan them again.
Posted by: kiwano at April 1, 2008 9:08 PM

> One of the first cases of giving someone the finger by
That might be the quote of the year on the blog, so far.
Posted by: Pat Cahalan at April 2, 2008 1:45 AM

Ohhh..... But always remember, my dear American friends: the need for fingerprints in passports was imposed on us by the US government. That our spineless German government followed their liege lords happily instead of "giving the finger" is something different, but so they had a good excuse for their own agenda.
Posted by: TheDoctor at April 2, 2008 2:58 AM

Concerning using iris scanners, there is a field test at Frankfurt/Main airport with some 10k of people. The failure rates according to the government are 'less than 10 percent' which probably means 9%, which is just hilarious.
I disagree that you have to make the fake fingerprint from gelatin, for commercial fingerprint scanners it is so far completely sufficient to use wood glue. And while this is not really digestible, you can still eat it, if necessary. ;-)
I really wonder, how long it takes, until criminals start using fingerprints from random people and leave them behind at the crime scene to confuse the police.
Posted by: yesstra at April 2, 2008 4:19 AM

> 10% of the population have various eye problems that make iris scans unreliable.
Great. Therefore, where eye scan is part of the authentication process, one can gain unauthorized access by showing a fake doctor's certificate and bypassing the scan. Papers are much easier to counterfeit than irises.
Posted by: D0R at April 2, 2008 4:57 AM

@TheDoctor: "remember, my dear american friends: the need for fingerprints in passports was imposed on us by the US government."
As a result of policy laundering, though, so you can hardly blame one other nation. Here's how it works:
Several governments want to introduce biometric ID. So, they tell their representatives at ICAO to start talking about biometric passports. ICAO defines a standard for biometric passports. Every government says to those who oppose them, "look, we have our reservations, but it's an international standard, and other governments are going to demand that we follow it. It's a treaty obligation, so we can't break it without causing even worse problems".
Other than ICAO, the WTO is another prime location for policy laundering, as is the EU Council of Ministers.
Even if it is the US government which first imposes rules on fingerprint passports (they haven't done yet, and there will be a change of President before they get a chance to), that's just happenstance. The deal has already been made, and if the German government is claiming now to be against it, then why didn't they oppose it back when there was time to do something about it?
In fact, way back in 2005 Privacy International reported that the US only wanted facial photograph biometrics, and it was the EU that was keen to press ahead with fingerprints:
Posted by: SteveJ at April 2, 2008 5:26 AM

Actually, to answer my own question, Merkel's government has the excuse of only having been in power since 2005. Which, even if she were against fingerprint biometrics, which I don't believe she is, would only show the democratic deficit of one government deliberately entrenching its policies in international treaties which later governments then have to obey.
Posted by: SteveJ at April 2, 2008 5:31 AM

If he makes a legal case against CCC and wins, how can the minister make the case for publishing the fingerprint of German civilians on a passport?
Posted by: miw at April 2, 2008 6:24 AM

@SteveJ: You are certainly right. Nevertheless it's the US immigration office who was first to ask for fingerprints from everybody who wants to enter. The EU is just now following. And it was one of the main official arguments to introduce this into German passports. And all German governments are vassals to the US, which, as long as the US behaves sanely enough, is not a bad thing in itself.
Posted by: TheDoctor at April 2, 2008 7:33 AM

Serves him right. I keep thinking that if people would publish private data on Congressmembers or steal their identities, perhaps laws protecting information wouldn't be so slow to come.
Posted by: Jeremy Duffy at April 2, 2008 8:25 AM

@Jeremy Duffy: Do I remember right that Dick Cheney got silent on outlawing homosexuals after his daughter came out to be lesbian? Your approach seems to work :) Maybe Schäuble gets wise too.
Posted by: TheDoctor at April 2, 2008 9:32 AM

@yesstra
The current methods of fingerprint faking work for scanners, but don't leave behind the normal residues. So if they left marks at all they would be easy to identify as not "fingerprints".
Posted by: Mark at April 2, 2008 9:32 AM

@Brown Eyed Girl
We might have trouble with certain segments of the population choosing to repeatedly authenticate themselves.
Posted by: derf at April 2, 2008 10:47 AM

I don't think it would be a major problem to define a procedure to leave faked fingerprints if you spend some time thinking about it. And concerning the "normal residues": You have plenty of it on your skin, you just have to transfer it to the "fingerprint stamp". I anyway doubt that they perform a chemical analysis on it so it would be sufficient to use some artificial mixture that behaves similar.
Posted by: yesstra at April 2, 2008 12:02 PM

The timing of this NIST article seems rather odd:
Posted by: aikimark at April 2, 2008 2:45 PM

BTW: Biometric keylogger anyone? ;-)
Posted by: yesstra at April 5, 2008 4:24 AM

Iris scanners are even more easy to hack.
Posted by: Jonas Lerch at April 11, 2008 1:46 AM

There's a lot of chat here about the implications of the article that CCC published as well as the publishing of fingerprints. This is all irrelevant if the method we're discussing doesn't work as claimed. Has anyone tried this method with the laser printer and wood glue? What about the gummy method? Also, you could rub oils onto your fake fingerprints to leave them behind.
Posted by: Randall at July 10, 2008 12:30 PM