
Hacker Club Publishes German Official's Fingerprint

Posted by kdawson
from the sauce-for-the-goose dept.
A number of readers let us know about the Chaos Computer Club's latest caper: they published the fingerprint of German Secretary of the Interior Wolfgang Schäuble (link is to a Google translation of the German original). The club has been active in opposition to Germany's increasing push to use biometrics in, for example, e-passports. Someone friendly to the club's aims captured Schäuble's fingerprint from a glass he drank from at a panel discussion. The club published 4,000 copies of their magazine Die Datenschleuder including a plastic foil reproducing the minister's fingerprint — ready to glue to someone else's finger to provide a false biometric reading. The CCC has a page on their site detailing how to make such a fake fingerprint. The article says a ministry spokesman alluded to possible legal action against the club.
  • by Shadowruni (929010) on Saturday March 29, 2008 @03:58PM (#22906636) Journal
    So.... let's see.
    Of all the people to humiliate... a senior public official who sets policy for something you directly care about.
    This couldn't possibly turn out badly.
  • by EaglemanBSA (950534) on Saturday March 29, 2008 @04:10PM (#22906714)
    This seems a bit over the top if you ask me, but hopefully it will expose biometrics for what it is: an unchangeable, and in many cases public, password. It's not very easy to hide your fingerprints (or even your DNA, for that matter) from people who really want to find them, and to rely on them for definite identification has the same problems as a social security number. Plus, anyone with a police record would be somewhat compromised from the get go here in the U.S.

    I'd hate to see people get proficient at faking fingerprints, because that leads to all sorts of interesting results in the realm of law. If fingerprint fraud becomes widespread, for example, will fingerprints at a crime scene still be valid evidence in court?
  • Re:Good for them (Score:5, Interesting)

    by swright (202401) on Saturday March 29, 2008 @04:12PM (#22906726) Homepage
    Maybe this is what you meant, but I just think this is the perfect example to illustrate to all how biometrics are just NOT the be-all and end-all. If only for the one simple fact that he cannot change his fingerprint like he could a password that got compromised!
  • "The" finger print? (Score:2, Interesting)

    by fredrated (639554) on Saturday March 29, 2008 @04:12PM (#22906728) Journal
    Were the other 9 digits lost in an accident?
  • DMCA (Score:2, Interesting)

    by RichardEasterling (1123929) on Saturday March 29, 2008 @04:13PM (#22906734)
    With the advent of Biometric Embedded Copyright Token (BECT), if this hack had been done in America, wouldn't this fall under the DMCA?

    It would be interesting to try to tell the cops that they can not have your finger prints because it violates the DMCA.
  • by rduke15 (721841) <rduke15NO@SPAMgmail.com> on Saturday March 29, 2008 @04:23PM (#22906794)
    I wonder if anyone has actually tried making such a fingerprint copy, and then using it on a fingerprint reader like the ones on laptops etc.

    Do you really get a good enough copy? How hard is it? (After all, any security can be broken somehow. So an essential aspect is the "cost" of breaking the security)

  • by Anonymous Coward on Saturday March 29, 2008 @04:32PM (#22906850)
    Since the Home Secretary stated that storing fingerprints is no privacy concern, he would be hard pressed to explain his stance.

    I know German law is byzantine, but surely they can find something along the lines of estoppel [wikipedia.org] in there.
  • Re:Good for them (Score:5, Interesting)

    by aproposofwhat (1019098) on Saturday March 29, 2008 @04:44PM (#22906934)
    Two words.

    Duress codes.

    Enter one code to authenticate normally, another to flag up that you are being forced to authenticate.

    Not quite ironclad, but an extra level of safety.

  • by sentientbrendan (316150) on Saturday March 29, 2008 @04:45PM (#22906948)
    Everyone knows that biometric data can be stolen, just like every other means of identifying yourself. I thought the point of biometric data was that it added one *more* piece of data that would have to be stolen before someone could successfully impersonate you.

    So in addition to needing to know a pin or password, someone also needs to have stolen my fingerprint in order to take money out of my bank account. Isn't this what is called two factor authentication? Isn't that a good thing that makes it that much more difficult to steal an identity?

    According to this article Germany's new passports:
    http://www.itsmig.de/best_practices/ePass_en.php [itsmig.de]

    they contain both fingerprint data, and a picture of the person. Thus, to steal your identity, a person would have to steal your passport, look like you, and also steal your fingerprint. This actually seems like a pretty good system that would prevent someone from using a stolen passport to steal the rightful owner's identity. Without the fingerprint data, an identity thief doesn't need to do as much work.

    That said, I'm not from Germany, so maybe there are additional nuances about this thing that I'm missing.
  • Perfect alibi (Score:5, Interesting)

    by oever (233119) on Saturday March 29, 2008 @05:09PM (#22907078) Homepage
    Mister Schauble can enjoy an easy career as burglar when he's out of office. With 4000 copies of your fingerprint circulating, it cannot be used as evidence any more.

    The only dumb thing he could get caught with is when he leaves wheelchair tracks [wordpress.com] at the scene of the crime.
  • People have strong opinions about technology without bothering to understand it.

    It's the same in politics. People call the U.S. government's action in Iraq a war, but killing Iraqis is only a distraction from the real purpose. The real purpose is stealing money from the U.S. taxpayer.

    Obviously, at more than $1,000,000 per Iraqi killed, most of them very poor, the "war" is mostly about money, and the killing is only required to draw attention away from the real purpose.

    How will the astounding ignorance of technology get resolved? Maybe we will have to wait until all the old dinosaurs retire. When I say "old dinosaurs", I am not talking about chronological age, I am talking about mental age. Some 24-year-olds are old dinosaurs mentally.
  • by Qbertino (265505) on Saturday March 29, 2008 @06:13PM (#22907586)
    The CCC is one of the things I like about Germany. It highlights a major element of German-style citizen-culture. It's clearly opposed to uncontrolled government and any notion of a police-state. It has a taste of anarchy to it and on its fringes it has unofficial members with ties to the black-hat community. Yet it is a well organised official registered German association that speaks up on behalf of the people and democracy. With a 27-year tradition of keeping the public political debate alive on IT related rights-issues by perpetually coming up with creative ways of gaining attention. This recent 'Schäuble-Fingerprint' stunt being one of them. I don't know if they've exposed themselves to legal liability by doing this (after all it was officially published in their magazine 'Datenschleuder') but it sure is as funny, hilarious and exposing as ever. Creative nonsense at its best. Go, CCC!
  • Re:Good for them (Score:5, Interesting)

    by v1 (525388) on Saturday March 29, 2008 @06:14PM (#22907600) Homepage Journal
    Those can work against you too. My mom's got a security system in her apartment building, which is also secured. She was in a hurry one day and entered the wrong code to the alarm when she opened her apartment door, and re-entered it and it silenced as it should. 30 minutes later (!!) there's a knock on the door and looking out thru the hole she sees a row of cops lining the hallway all the way to the end, and a guy dressed in a white coat at the door "wanting to talk". She insisted it must be a mistake since the alarm company always calls before sending the cops. Not when you enter the hostage code. Oops! So they insisted on coming in for a bit and while they chatted with the white-coat, several of the officers methodically swept their place making sure there wasn't a guy with a weapon holding one of the family members hostage in a closet or something. It had taken them over 20 minutes to get someone else to buzz them into the building or they'd have been there a lot sooner.
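
Added example, not part of either comment: a sketch of the duress-code scheme described in this sub-thread, with a guard against the accidental trigger in the anecdote above. The `DuressPanel` class, the work factor and the "at least two differing positions" rule are assumptions of this example, not any real alarm product's behaviour.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed PBKDF2 work factor for this example
MIN_DIFFERING = 2      # assumed rule: one mistyped digit must not hit the duress code

def _derive(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ITERATIONS)

def _differing_positions(a: str, b: str) -> int:
    # Codes of different length are treated as maximally different.
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a, b))

class DuressPanel:
    """Hypothetical panel: two accepted codes, one of which raises a silent alarm."""

    def __init__(self, normal_code: str, duress_code: str):
        if _differing_positions(normal_code, duress_code) < MIN_DIFFERING:
            raise ValueError("duress code is one typo away from the normal code")
        self._salt = os.urandom(16)
        self._normal = _derive(normal_code, self._salt)
        self._duress = _derive(duress_code, self._salt)
        self.silent_alarms = []   # stands in for the monitoring-station channel

    def enter(self, code: str) -> bool:
        candidate = _derive(code, self._salt)
        # Always perform both constant-time comparisons so timing does not
        # reveal which of the two codes was entered.
        is_normal = hmac.compare_digest(candidate, self._normal)
        is_duress = hmac.compare_digest(candidate, self._duress)
        if is_duress:
            self.silent_alarms.append("duress")
        # The person at the keypad sees the same result for either code.
        return is_normal or is_duress

if __name__ == "__main__":
    panel = DuressPanel("4821", "7350")   # constructed sample codes
    print(panel.enter("4821"), panel.silent_alarms)
    print(panel.enter("7350"), panel.silent_alarms)
```
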
  • Re:T-shirt (Score:5, Interesting)

    by AJWM (19027) on Saturday March 29, 2008 @06:57PM (#22907856) Homepage
    My kids were watching the Scooby-Doo 2 movie the other day. There's a scene where Daphne activates a fingerprint activated lock by dusting the scanner with blush powder (highlighting the latent fingerprint from its last use) then using a pore-strip over her own finger to provide the right body temperature/capacitance/whatever without her fingerprint confusing the sensor.

    I was amused to see that the technology's weaknesses had made it to the Scooby-Doo level already. I don't know if that exact combination would work, but I've heard of similar successful attacks.
  • by David Jao (2759) <djao@dominia.org> on Saturday March 29, 2008 @07:22PM (#22908048) Homepage

    Everyone knows that biometric data can be stolen, just like every other means of identifying yourself.

    Part of the problem is that you (and many other people) seem to think authentication is the same as identification. It's not. Biometrics are awesome as part of two-factor authentication, but they're horrible as a means of identifying yourself.

    Identification is the problem of determining, on your own, the identity of a given person.

    Authentication is the problem of determining whether or not a given identity corresponds to a given person.

    The difference is that, in authentication, you are given both a single person and a single identity, and your job is to answer true or false as to whether they match. Authentication is a yes/no question: your answer is either yes or no. In identification, you are given only a person, and your job is to produce a matching identity. Identification is not usually a yes/no question, although in some cases it can be disguised as one -- for example: to answer "Is this person a terrorist?" you typically have to determine a person's true identity (which a terrorist is not likely to offer to you) and then check that identity against known terrorist databases.

    National governments are fully aware of this distinction, and they exploit public confusion to further their agenda. Biometrics are being advertised as authentication tools (does this passport accurately identify this person?), for which they work pretty well, but in reality governments are using biometrics for identification (is this person a terrorist?), an approach which has fail written all over it.

    Even for authorization, biometrics are not a panacea, but they are at least a useful tool capable of contributing some benefits when employed properly. For identification, biometrics are an unmitigated disaster, for many reasons, chief among them the base rate fallacy [wikipedia.org], which says that the accuracy of an identity test drops precipitously when the test is presented with large databases of identities.
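
Added example, not part of the comment above: the base-rate effect it describes, computed for one matcher used for 1:1 authentication and for 1:N identification. The error rates, watchlist size and priors are constructed values, and comparisons are assumed to be independent.

```python
FMR = 1e-4    # constructed false-match rate per single comparison
FNMR = 0.02   # constructed false-non-match rate per single comparison

def false_hit_probability(fmr: float, n: int) -> float:
    """P(at least one false match) when a person who is NOT enrolled
    is compared against n enrolled templates."""
    return 1.0 - (1.0 - fmr) ** n

def hit_probability_if_enrolled(fmr: float, fnmr: float, n: int) -> float:
    """P(system reports a hit) for a person who IS among the n templates:
    no hit only if their own template fails and no other one false-matches."""
    return 1.0 - fnmr * (1.0 - fmr) ** (n - 1)

def posterior_given_hit(fmr: float, fnmr: float, n: int, prior: float) -> float:
    """Bayes: P(person really is enrolled / genuine | system reports a hit)."""
    true_hit = prior * hit_probability_if_enrolled(fmr, fnmr, n)
    false_hit = (1.0 - prior) * false_hit_probability(fmr, n)
    return true_hit / (true_hit + false_hit)

if __name__ == "__main__":
    # Authentication: one claimed identity (n = 1); assume 99.9% of
    # passport holders presenting a document are its genuine owner.
    print("1:1 false accept   :", false_hit_probability(FMR, 1))
    print("1:1 P(genuine|hit) :", posterior_given_hit(FMR, FNMR, 1, 0.999))

    # Identification: search a 10,000-entry watchlist; assume one
    # traveller in a million is actually on it.
    print("1:N false alarm    :", false_hit_probability(FMR, 10_000))
    print("1:N P(listed|hit)  :", posterior_given_hit(FMR, FNMR, 10_000, 1e-6))
```

With these numbers a hit in the 1:1 case is almost certainly genuine, while in the 1:N case roughly 63% of unlisted people trigger a hit and a hit leaves the probability of being listed near the one-in-a-million prior.
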

  • by Joce640k (829181) on Saturday March 29, 2008 @10:16PM (#22908900) Homepage
    Fingerprints as biometric are almost useless. The only way to make sure they work is to have a trained finger inspector look at every finger before it's used.

  • by Joce640k (829181) on Saturday March 29, 2008 @10:29PM (#22908968) Homepage
    You leave your DNA everywhere you go and there are machines which can duplicate it and produce big samples - big enough to create fake DNA mouthwashes or whatever is needed to fool the scanner.

    The only way to be sure you're looking at the right DNA is to stick a needle into a person and take a sample from deep inside them... and that's not going to be very popular.

    Most biometric systems are junkware being pushed by people who are after the lucrative government contracts. The bottom line is they don't really work too well.

    The only one which might work is retinal scanning but for whatever reason I don't see that on anybody's ID card agenda. Why not? I don't know...

  • Duress codes (Score:3, Interesting)

    by mikeb (6025) on Saturday March 29, 2008 @11:25PM (#22909254) Homepage
    Duress codes were widely implemented by the British Special Operations Executive in the Second World War.

    Agents dropped behind Axis lines were taught how to use 'security codes' if they were compromised (i.e. captured by the Nazis).

    The imbeciles in London who received their messages, especially from the totally infiltrated Dutch circuits, were so stupid as to message them back saying 'why are you omitting your security codes?'

    It got so bad that on April 1st 1944 the London operators received a plaintext message from the head of the Nazi operation thanking them for their cooperation (I think his name was Geiske).

    Hundreds died. It soured British/Dutch relations for a generation. It was monstrous, inexcusable loss of life.

    Don't EVER underestimate the power of stupidity.
