Forgot your password?
typodupeerror
Hardware Hacking Privacy Build

Hacker Club Publishes German Official's Fingerprint 253

Posted by kdawson
from the sauce-for-the-goose dept.
A number of readers let us know about the Chaos Computer Club's latest caper: they published the fingerprint of German Secretary of the Interior Wolfgang Schäuble (link is to a Google translation of the German original). The club has been active in opposition to Germany's increasing push to use biometrics in, for example, e-passports. Someone friendly to the club's aims captured Schäuble's fingerprint from a glass he drank from at a panel discussion. The club published 4,000 copies of their magazine Die Datenschleuder including a plastic foil reproducing the minister's fingerprint — ready to glue to someone else's finger to provide a false biometric reading. The CCC has a page on their site detailing how to make such a fake fingerprint. The article says a ministry spokesman alluded to possible legal action against the club.
This discussion has been archived. No new comments can be posted.

Hacker Club Publishes German Official's Fingerprint

Comments Filter:
  • by Anonymous Coward on Saturday March 29, 2008 @03:53PM (#22906604)
    I'd like to see this done to officials in all countries.

    Reminds me of Gone in 60 seconds (the Jolie version) where one of the car-thieves glues on Elvis' fingerprints.
  • Good for them (Score:5, Insightful)

    by Scareduck (177470) on Saturday March 29, 2008 @04:00PM (#22906648) Homepage Journal
    High officials often seem to think the consequences of privacy-invading legislation will only occur to other (read: little) people. It's good to remind people in those positions that they do not have absolute power, and that they need to think about second order consequences.
  • by DamnStupidElf (649844) <Fingolfin@linuxmail.org> on Saturday March 29, 2008 @04:09PM (#22906704)
    At least until extreme body modification is commonplace, biometrics suck for identification. It's the only modern "security" mechanism that lacks revocation. Without revocation, a security model is eternally broken as soon as one chink is found.

    A person only has 20 digits, 2 palms, 2 soles, 2 retinas, and one genome. All of the biometric properties of those can easily be duplicated with noninvasive methods (simply enrolling in a biometric system requires the same access as duplication would). When one of those 27 properties is compromised, how do you revoke its use? I guess start with the fingers and palms and as people get older they have to start using their feet for identification, and at the very last make them get pricked for each identification. When all the biometric identifiers are used up, the now useless (at least in a Secure(TM) society) people can be recycled in the soylent green program or something.
  • T-shirt (Score:2, Insightful)

    by BlueParrot (965239) on Saturday March 29, 2008 @04:10PM (#22906710)
    Seriously, maybe a protest with loads of people wearing his fingerprint on a T-shirt would get the message across ...
  • by this great guy (922511) on Saturday March 29, 2008 @04:10PM (#22906716)

    This event highlights one of the major flaw of biometrics. This official had his fingerprint copied. There is nothing he can do. He can't change it. He can't prevent people from using it. No fingerprint reader will ever be able to determine with 100% certainty whether a particular fingerprint is real or fake. Bottom line: when one of your biometric traits gets stolen, you get screwed. For life.

    I hope this convinces governments that using biometrics for anything is a bad idea (other than perhaps criminal investigations, although what if this german official's fingerprint was found on a murder scene ?).

  • by metlin (258108) on Saturday March 29, 2008 @04:10PM (#22906718) Journal
    One can only hope.

    What better way than a senior official to be convicted of crimes as a result of identity theft because officials such as him decided that privacy didn't really matter anymore?

    Personally, I sincerely wish that this happens in all the countries which have fingerprinting in place. Enough already.
  • Legal action? (Score:5, Insightful)

    by HalAtWork (926717) on Saturday March 29, 2008 @04:12PM (#22906730)
    The article says a ministry spokesman alluded to possible legal action against the club.
     
    To what ends? You can't deter it as it's already happened, and you can't suppress it, as even the method for tricking the security system is widely known. If the security system is broken, you can't legalize it into working again. The security system was built in order to keep things safe, and now we have to keep other things safe from the security system itself.
  • by metlin (258108) on Saturday March 29, 2008 @04:15PM (#22906746) Journal

    I'd hate to see people get proficient at faking fingerprints, because that leads to all sorts of interesting results in the realm of law. If fingerprint fraud becomes widespread, for example, will fingerprints at a crime scene still be valid evidence in court?
    What are you talking about?! It's fantastic.

    I mean, since fingerprints cannot be conclusive anymore, I foresee our politicians with moral fibers of steel pushing for more surveillance. I mean, if we cannot really tell whose fingerprints they are, we certainly need video proof! And since we do not know where a crime may happen, the policy makers (who typically have about as much morality as a pea) have decided that the way around this is to have cameras everywhere. Public restrooms and your house included.

    I mean, think of the children! /cynic
  • by smolloy (1250188) on Saturday March 29, 2008 @04:15PM (#22906748)
    This is a perfect way to demonstrate to the perfect person why such invasions of privacy are bad, and of the unintended negative consequences of their plans. Sometimes people in power forget that the "solutions" they develop to certain problems may be worse than the problems themselves. All they see is that a certain issue will be fixed -- not that the fix raises even worse issues.

    Bravo!

  • by Anonymous Coward on Saturday March 29, 2008 @04:18PM (#22906758)
    At least they get off their asses unlike American's who cry about the Constitution but do fuck all about it.

    Bush was right, it is JUST a piece of PAPER. Why? Because American's do NOTHING about it and do not believe in it.

    This is plain to see by their inactions.
  • by Naughty Bob (1004174) * on Saturday March 29, 2008 @04:18PM (#22906760)

    We hear that Wolfgang Schäuble is convicted of committing 17 crimes. Simultaneously
    17 One-fingered crimes at that...
  • by Anonymous Coward on Saturday March 29, 2008 @04:22PM (#22906782)
    Since a senior public official still remains a public official, it could probably be defended on the same grounds that allow for political satire. It is expressly allowed in most countries to make fun of political figures, especially if you're doing it from a political standpoint yourself.

    Then again, we also have a new buzzword for crime with ideological motives. It's called terrorism...
  • by dpx420 (1210902) on Saturday March 29, 2008 @04:23PM (#22906792)
    Yeah if someone tried this with a high ranking government official in China or somewhere, they would indeed mysteriously 'disappear' in 60 seconds.
  • by ilikepi314 (1217898) on Saturday March 29, 2008 @04:28PM (#22906826)
    I'm sure there were other prints, but only one was needed to prove the point -- that his fingerprints and therefore biometric security just got PWNED.
  • Re:Good for them (Score:5, Insightful)

    by IgnoramusMaximus (692000) on Saturday March 29, 2008 @04:30PM (#22906842)

    All three easily solved via a security by-pass incentive in a form of a pistol to the head or a kidnapped lover/child/dog etc which will "get it" if you do not cooperate or some poison with time release and the antidote delivered upon your succesful authentication, etc and so on and on and on and on.

    "Ironclad security" does not exist.

  • by Idiomatick (976696) on Saturday March 29, 2008 @04:46PM (#22906950)
    WTF does china have to do with this?
  • by BlackCreek (1004083) on Saturday March 29, 2008 @05:08PM (#22907062)
    AFAICT the point that the parent poster was making is that unlike other security measures (say ID card, social security number etc) you just can't get a new biometric reading for your fingers (without at least some serious medical intervention), you can't get a new iris scan for your eyes, you can't get a new DNA code etc.

    Biometric data may put some entry barriers higher, so what? The problem is that you just can't get a new iris scan, like you get a new passport once your gets stolen.

    The worst of the situation is that we have all these politicians deciding --without the least form public debate about the real privacy implications-- that biometric data is now to be collected, and used, and kept by the government.

  • by MikeFM (12491) on Saturday March 29, 2008 @05:10PM (#22907090) Homepage Journal
    I think the only working model is the concept of security in layers. The more layers an attacker has to dig through to compromise a systems security the more secure that system is. Biometrics alone are pretty weak. Passwords alone are pretty weak. Use them together and they're a little less weak. The biggest obstacle is the user. Will they put up with multiple security checks? Can they remember a good password? Will they notice where they're leaving behind fingerprints or if someone is trying to record their voice?

    In the end you have to be realistic with your expectations for any security system. We lock our front door when we leave our house but we all know that someone that wants to get in can still get in if they want to try hard enough. When you lay in bed at night you have no way to be sure that a stranger hasn't secretly entered your home and is waiting to cut your throat in the dark. Yet we make a bigger deal over how secure access to your bank account and other sensitive information is. At some point you just have to say enough and go on with your life.
  • by Belial6 (794905) on Saturday March 29, 2008 @05:14PM (#22907122)
    It likely is. In just the same way that sinking the Titanic before any passengers boarded would have been grounds for criminal action.
  • by gerardolm (1137099) on Saturday March 29, 2008 @05:17PM (#22907150)
    Let's say you lose your ID card. Someone else could take it and fake that he/she is you. Are you guilty of anything?
  • Re:Good for them (Score:3, Insightful)

    by TheSpoom (715771) * <[ten.00mrebu] [ta] [todhsals]> on Saturday March 29, 2008 @05:18PM (#22907168) Homepage Journal
    Yes, because it would be unconscionable to design a system where the duress code did not let you in. I would assume the duress code successfully authenticates you but alerts security.
  • by Todd Knarr (15451) on Saturday March 29, 2008 @05:45PM (#22907372) Homepage

    Except that with most types of biometric data (eg. fingerprints), they suffer two faults: you leave copies of them everywhere, and once compromised they can't be changed. The first makes it easy for someone to compromise the authentication, as this club demonstrated. I'll bet the minister left his fingerprints on a lot more than just a single plastic cup at a panel, and lifting a fingerprint from a hard surface is relatively easy to do. And the second means that compromises are 100% absolutely fatal for the rest of your life. With a password or a PIN, if it's compromised you can just use alternative authentication and then change it. With a physical key or combination you can just change the lock or the combination on the lock and the old key or combination becomes useless. But how do you change your fingerprint? And if you can't, how does anyone from that point on know that any use of your fingerprint is really you and not an imposter? So the fingerprint check doesn't add significant difficulty in obtaining the additional authentication item, and it makes a compromise much more annoying to recover from.

    You have to evaluate any security mechanism not just in terms of it's strength (resistance to compromise), but in terms of it's resilience (the consequences of a compromise and the difficulty of correcting the compromise). Biometrics tend to vary on the first, but all of them are highly brittle: any compromise tends to be total and irreparable.

  • by LurkerXXX (667952) on Saturday March 29, 2008 @05:46PM (#22907380)
    I'll be by later to snag a few hairs out of your comb. Never mind why I want them...

    I make DNA all day in the lab. It's getting easier and cheaper to make every year.

    DNA isn't going to turn out to be any more of a panacea than fingerprints.
  • by BlackCreek (1004083) on Saturday March 29, 2008 @05:56PM (#22907442)
    The whole point of the parent poster is apparently lost to you.

    The point being that my biometric data is mine. It is private. It is not the government's business to have my blood samples, or DNA, or finger print. I am not a criminal, and therefore I expect to be entitled to some privacy from the BigBrother.

    Once some retarded government bureaucrat decides to leave a laptop inside a taxi or something, my private data is lost, and I can never get a new fingerprint, or iris scan. I can get a new social security number, I can get a new passport, a new bank account number, but I **cannot** get a new DNA.

  • by twenex (139462) on Saturday March 29, 2008 @06:03PM (#22907508)
    Sorry, you miss the point. Biometrics are not private and any biometric system which is built with that assumption is flawed.

    But I suppose you wear a tinfoil mask to guard against those face recognition systems tied to cameras because your face data is yours and only yours.

    You are confusing the ethics, legality and technology behind biometrics in a bad way.

  • by Znork (31774) on Saturday March 29, 2008 @06:09PM (#22907564)
    DNA now that is good, and it is something difficult to duplicate.

    No need to duplicate it, free samples are falling off you everywhere you go. So no, DNA isn't very good either.

    There is however a very good biometric one can use. A neural imprint of a specific token; it currently can't be read without the cooperation of the person, it leaves no imprint around except as the owner desires and controls.

    It's known as a 'password'. A technology that is, perhaps, new and radical, but far more secure than other biometrics. Which, unfortunately, isn't particularly secure, just less insecure than the crap the scam artists of the biometrics industry are trying to push on the gullible.
  • by AJWM (19027) on Saturday March 29, 2008 @06:43PM (#22907764) Homepage
    DNA now that is good, and it is something difficult to duplicate.

    I dunno, DNA wants to duplicate, although that's not what you meant.

    In terms of different individuals having the same DNA, talk to identical twins. About all DNA tests can really do is disprove that someone with non-matching DNA is guilty. DNA "matches" don't compare 100% of the DNA (even if they did, that doesn't rule out twins), and close relatives may well "match" also (and the fewer comparison points, the less-close the relative that could still "match").
  • by Anonymous Coward on Saturday March 29, 2008 @07:01PM (#22907886)

    I thought the point of biometric data was that it added one *more* piece of data that would have to be stolen before someone could successfully impersonate you.
    Indeed, and this is why it's bad. Let's say someone wants to steal your car, but it's locked with a fingerprint reader. So they have to steal your fingerprint. How do you think the thief is going to accomplish this? Hint: it involves a sharp object and a lot of blood.

    You do not want to give criminals even more incentive to cause bodily harm than they already have.
  • by Wavebreak (1256876) on Saturday March 29, 2008 @07:14PM (#22907986)
    Long as he only used one finger.
  • by BlackCreek (1004083) on Saturday March 29, 2008 @07:28PM (#22908064)

    Sorry, you miss the point. Biometrics are not private and any biometric system which is built with that assumption is flawed.
    But I suppose you wear a tinfoil mask to guard against those face recognition systems tied to cameras because your face data is yours and only yours. You are confusing the ethics, legality and technology behind biometrics in a bad way.

    I am confusing so much? Really? Please tell where is the police state where you live. Since your biometrics are not private (as you say it yourself), I assume your government has the right to request your DNA sample (or iris scan) in order to allow you to enjoy public services. Or not?
    Get a grip dude:

    My blood type is (still) legally private.

    My iris scan is (still) legally private.

    My DNA is (still) legally private.

    I am still allowed to walk down the street anonymously, with a cap, and dark glasses own, and a police officer still needs probable cause to ask me to remove those. A police officer also needs cause to request a fully, well made iris scan.

    But if I need to: travel abroad, or while living in another EU country, get any paperwork done. (Both rights I have, mind you). I need a passport.
    To have a passport I need to surrender my fingerprints. My fingerprints are no longer private, the government has the right to request them. I fully understand that, and I do oppose it.
    Not only that, the government also made my fingerprints much, much less private. Now people don't need special permits or access to a (well kept?) database to have a copy of a very good scan of my fingerprints. Because now for every service I need to present a passport, I'll need to handle over these (high quality) files (kept in the passport) for copy if so desired.
    Before, if a hotel clerk wanted my fingerprints it would be manual job, it would be time costing, expensive, and the quality would be poor. Now he buys a reader, asks to take a look at my passport, and voila! High quality copies made in a second, to extra costs, no extraordinary effort. My government after all, took good care and spend good money for it to be easy.

    So now, not only my central government has access to these (high quality) scans, but also a bunch of other people as well. Which is, lets face it, a much worse problem.

    I reckon you hint at the point that people confuse anonymity with privacy [schneier.com]. But trust me, I am pretty aware of the difference.

  • by erroneus (253617) on Saturday March 29, 2008 @08:21PM (#22908294) Homepage
    To that, all I'll have to add is that the truth is stranger than fiction.

    It's often rather difficult for people to make an objective assessment of the present especially since causes and facts are often incomplete "now" and often require now to be later before you can look back on now and get a more clear picture, but consider the shocks and fears generated when "1984" was published. Now look at how much farther we have gone beyond 1984's "science fiction" and how we don't even notice it, let alone are alarmed by it.

    Things aren't "getting bad." They ARE bad. Things are getting worse. For all the people out there who think we need to give up privacy and crap like that, you need only look back to your teenage years for why a sense of personal space and privacy is important for people in general. I don't know that there are any studies on the subject, but I'd be willing to place a very large bet on the notion that in societies with less privacy, the suicide rates are likely to be higher. A person's sense of safety is closely tied to their sense of privacy... you only need to sit on a toilet without walls surrounding it once to understand that notion.
  • by Anonymous Coward on Saturday March 29, 2008 @08:30PM (#22908352)
    I have talked to Andi from the CCC [wikipedia.org] just about over a week ago and he told me that he had something big and dangerous running. Well, now I know what that was. He also told me that he was followed by black BMWs many times recently and he told me that he reckoned to mysteriously 'disappear' any time.



    The answer why I am posting as an AC is left as an exercise to the reader.

  • by garglblaster (459708) on Saturday March 29, 2008 @08:36PM (#22908384) Journal
    Well, you summarized it up very well: Germany, Land of the Free, Home aof the Brave. Times are a-changing aren't they? Hint: No, Bush's country isn't any longer considered 'Home of the Free' in any part of the world any longer.. - Sad to say this but true.. my 2 cts
  • by jonberling (1256136) on Saturday March 29, 2008 @09:28PM (#22908662)

    Very clever. I think I'm going to use this one too. Here are some other, real life examples of illegal actions:

    • the Boston Tea Party
    • freeing slaves before the Civil War
    • Gandhi's protests against colonization
    • Reading the Bible, or other religious text, in nations without Freedom of Religion
    There are plenty of illegal actions that are morally correct actions. I usually pull out this list to anyone who suggests that following the law is one and the same with moral actions. Anyone else care to add to this list?
  • by CastrTroy (595695) on Saturday March 29, 2008 @10:26PM (#22908956) Homepage
    I'll one up you, and promote the use of the pass phrase. Seriously. Sites with 8 character maximums or only alphanumeric passwords annoy me to no end. There's no reason you shouldn't allow people to use 300 character pass phrases if they so wish.
  • Re:Good for them (Score:4, Insightful)

    by CastrTroy (595695) on Saturday March 29, 2008 @10:35PM (#22909010) Homepage
    Just because you can cut the iron, doesn't stop it from being iron. Iron clad doesn't mean inpenetrable, it simple means really hard to penetrate. If you are going to go through the trouble of blowing the door off a bank vault with C4, you can have the money. If you're going to go through the trouble to shoot me for my password, you can have it.
  • by Cardcaptor_RLH85 (891550) <<CardcaptorRaaShaun> <at> <Gmail.com>> on Sunday March 30, 2008 @12:18AM (#22909434)
    This truthfully makes sense to me. I don't think that there are any real technical limitations to having very long symbolic pass phrases anymore so why are we often limited to 8 or 16 characters? My Windows password is a long sentence with correct grammar, punctuation, and one or two non-dictionary based proper nouns. Much easier to remember than a random string or even, in some cases, a password.
  • by Idiomatick (976696) on Sunday March 30, 2008 @05:08AM (#22910280)
    Since when was germany worse than china when it came to rights... Wait, godwin is that you???
  • by Anonymous Coward on Sunday March 30, 2008 @07:03AM (#22910670)
    Dude, wtf? I *am* from Germany, and I can tell you that it's nowhere even *near* the "land of the free" or "home of the brave". It's turning into a damn police state, Sam (yet again... you'd think we'd learn after a few times), and the fact that there's occasionally some good news doesn't mean shit in the long run. Look at the big picture; if you want a free(r) nation, go to Switzerland or maybe Scandinavia. Those are pretty much the last places on the planet where you'll still have *some* freedom. (And in Switzerland, you're legally allowed to make and keep your own gunpowder, too. Woo!)
  • by InvalidError (771317) on Sunday March 30, 2008 @02:05PM (#22913442)

    Fingerprints as biometric are almost useless. The only way to make sure they work is to have a trained finger inspector look at every finger before it's used.
    In a MythBusters episode on security device, they showed - much to their own surprise - that some of those fancy biometric fingerprint readers can be tricked by a plain paper copy.

    Yup, fingerprints are extremely weak security checks since a normal person leaves hundreds of prints behind them every day.
  • Re:even worse (Score:2, Insightful)

    by sohare (1032056) on Sunday March 30, 2008 @07:52PM (#22916186)
    What is the context of demanding that "they find something that's 100% unique and fast and accurate"? Nothing will ever fit that bill. You can steal/counterfeit plastic cards, guess passwords, pick locks, etc. It's simply unreasonable to demand the things you do, and moreover it's a logical fallacy (akin to what anti-evolutionists or conspiracy theorists do when they anomaly hunt).

    I note three things that appear to be grossly overlooked in all the crowing from our community of armchair experts. 1) There there is such a thing as a hierarchy of security needs. Some things just don't need extreme security. For a lot of security needs, mere deterrence is sufficient (look at bike locking strategies for example). 2) Technologies can be used in tandem to create more robust security. 3) Further development of technologies may lead to individual robustness for particular security measures. The first locks, for instance, were extremely crude.

You are an insult to my intelligence! I demand that you log off immediately.

Working...