Biometric Fingerprinting - Pag Talk

[ai_Droid]

If something can be encrypted, it can be restored to a good replication of it's original form. In fact you called me a total idiot on the last thread I replied to because I disagreed with that.

 

Make your mind up

 

You're getting confused between compression, encryption and hasing.

 

You can't decrypt a hash, it doesn't contain the original data. It's a hash of the data, a description if you like, a fingerprint of it.

 

Same answer to Tweak actually, you wouldn't need to store the biometrics even in a national ID card system, just a hash of them. As we're talking about a proposed system, we can't say for sure either way how it'll actually be done.

 

You say you don't trust them with your biometric data? Well, they don't actually have it, given what I've said above, see?

[Cambon]

If something can be encrypted, it can be restored to a good replication of it's original form. In fact you called me a total idiot on the last thread I replied to because I disagreed with that.

 

Make your mind up

 

You're getting confused between compression, encryption and hasing.

 

You can't decrypt a hash, it doesn't contain the original data. It's a hash of the data, a description if you like, a fingerprint of it.

 

Same answer to Tweak actually, you wouldn't need to store the biometrics even in a national ID card system, just a hash of them. As we're talking about a proposed system, we can't say for sure either way how it'll actually be done.

 

You say you don't trust them with your biometric data? Well, they don't actually have it, given what I've said above, see?

 

The only thing I am confused over is how you high and mighty broadsheet readers can be so blaze about what is and is not security sensitive data. Seems to me that you are the ones with the head in the sand, not the Daily Mail readers.

 

You seem to trust the UK government implicitly and yet they have bullshitted to you every day since they came to power. They are even bullshitting about this 25.000.000 people's data. It was lost a month ago and yet it has only just come to light.

 

Oh, an when trying to create a fake ID card, what could be more useful than having someone elses finger or thumb print / or hashes, especially if they looked a bit like you? You don't have to use the ID, just let it be found after the crime has been committed.

[BigDave]

Oh, an when trying to create a fake ID card, what could be more useful than having someone elses finger or thumb print / or hashes

Having their fingers and/or thumbs as well?

 

I understand some people are worried, but isn't the whole point of biometric information that it doesn't matter how many people know what your fingerprint looks like, it's useless to them unless the've actually got your fingers with them?

[Dodger]

If something can be encrypted, it can be restored to a good replication of it's original form. In fact you called me a total idiot on the last thread I replied to because I disagreed with that.

 

Make your mind up

 

You're getting confused between compression, encryption and hasing.

 

You can't decrypt a hash, it doesn't contain the original data. It's a hash of the data, a description if you like, a fingerprint of it.

 

Same answer to Tweak actually, you wouldn't need to store the biometrics even in a national ID card system, just a hash of them. As we're talking about a proposed system, we can't say for sure either way how it'll actually be done.

 

You say you don't trust them with your biometric data? Well, they don't actually have it, given what I've said above, see?

 

The only thing I am confused over is how you high and mighty broadsheet readers can be so blaze about what is and is not security sensitive data. Seems to me that you are the ones with the head in the sand, not the Daily Mail readers.

 

You seem to trust the UK government implicitly and yet they have bullshitted to you every day since they came to power. They are even bullshitting about this 25.000.000 people's data. It was lost a month ago and yet it has only just come to light.

 

Oh, an when trying to create a fake ID card, what could be more useful than having someone elses finger or thumb print / or hashes, especially if they looked a bit like you? You don't have to use the ID, just let it be found after the crime has been committed.

 

It is the potential misuse that is the problem, the very reason why they want it! The government has already admitted that criminals and terrorists will have multiple passports, they will also be able to generate multiple id's from online data!

 

Whether the print itself or a number generated from it, it is still identifying the person. The same software will generate the same number in another computer/department or member of the public.

 

I was going to answer earlier up the thread, but Tweak put it down first...........

[Cambon]

Oh, an when trying to create a fake ID card, what could be more useful than having someone elses finger or thumb print / or hashes

Having their fingers and/or thumbs as well?

 

I understand some people are worried, but isn't the whole point of biometric information that it doesn't matter how many people know what your fingerprint looks like, it's useless to them unless the've actually got your fingers with them?

 

LOL

 

Erm, you would think. To the criminal, new forms of security are just new forms of opportunity. It is a bit like chip and pin. Credit card fraud has increased dramatically since it's introduction. Why? because the shopkeeper no longer pays any attention to the card. As long as they appear to get their money they don't care.

[Dodger]

Oh, an when trying to create a fake ID card, what could be more useful than having someone elses finger or thumb print / or hashes

Having their fingers and/or thumbs as well?

 

I understand some people are worried, but isn't the whole point of biometric information that it doesn't matter how many people know what your fingerprint looks like, it's useless to them unless the've actually got your fingers with them?

 

We all leave fingerprints wherever we go.......It is the linking of data to your identifying biometric that is the issue, then no matter what you do or when you do it there will be records. The starting of the process at primary schools is worrying, especially when it isn't a necessary use of the technology.

 

There is also the misuse of the data, whether it is lost by accident or stolen once it is lost it can't be resecured.....

[Mr. Sausages]

Fuel for the fire...

 

This HOWTO contains step-by-step instructions for turning a latent fingerprint on the side of a glass or similar into a latex fingerprint you can wear on your fingertip in order to fool biometric sensors.

http://www.boingboing.net/2005/05/18/howto...-a-fingerp.html

[Cronky]

Awesome. So, if you know someone is using a fingerprint scanner for a highly sensitive purpose, (bank vault, government office, hospital lab) you can gain entry by recreating their prints.

 

Does the man from Biometric Zolutions know this?

[Dodger]

Awesome. So, if you know someone is using a fingerprint scanner for a highly sensitive purpose, (bank vault, government office, hospital lab) you can gain entry by recreating their prints.

 

Does the man from Biometric Zolutions know this?

AI Droid will condem the link........propaganda!

 

There was debate on Prime minister's question time, where it was advised that the data was misplaced three, yes three times! The conservatives had a field day and the PM had to apologise, that's a first! Must be new, most can spin it off onto someone else!

 

Makes you wonder at the security of details held electrionically?! especially a central database where ALL your details could be lost at once - OUCH!

[Tweek]

If something can be encrypted, it can be restored to a good replication of it's original form. In fact you called me a total idiot on the last thread I replied to because I disagreed with that.

 

Make your mind up

 

You're getting confused between compression, encryption and hasing.

 

You can't decrypt a hash, it doesn't contain the original data. It's a hash of the data, a description if you like, a fingerprint of it.

 

Same answer to Tweak actually, you wouldn't need to store the biometrics even in a national ID card system, just a hash of them. As we're talking about a proposed system, we can't say for sure either way how it'll actually be done.

 

You say you don't trust them with your biometric data? Well, they don't actually have it, given what I've said above, see?

Are you saying that you will only get a unique hash number, produced at the local ID centre when you have your iris scanned and fingerprints taken etc for the issue of your ID card - - - so they don't actually hold our original biometric data - and our unique hash is simply reproduced whenever we are rescanned for verification?

 

If you are saying that, then considering the National Identity Register (according to the No2ID site) involves "individual checking and numbering of the population; making personal details into "registrable facts" to be disclosed and constantly updated; collection and checking of biometrics (e.g. fingerprints); the card itself (and other documents made equivalent to an ID card); a widespread scanner and computer terminal network connected to the central database; widespread use of compulsory identity "verification"; and data-sharing between organisations on an unprecedented scale."

 

Firstly, fingerprints and iris scans are effectively unique, so the algorithm used to create or reproduce the hash number must be representative of what we have already identified what actually makes fingerprints unique in order to produce the unique hash in the first place. You can't say that someone with access to the mathematical algorithm and your hash can't reproduce from a hash number your fingerprint (printing it onto thin film) or even your iris scan (using contact lens technology). The technology exists today to print fingerprints onto very thin film, and even to print onto contact lenses and so a group of determined technically aware criminals could get hold of this equipment - this is everyday semiconductor/photographic/opthalmic industrial technology today, and not limited to movies such as Mission Impossible. Personally, I think it is only a matter of time before criminals catch up with fingerprint duplication.

 

Secondly, the hash number will still have to be associated with a bunch of data stored by banks and government etc (again for checking purposes after you've been identified). There will always be humans involved in the system, so it would only take a couple of well placed government employees (an ID card system will employ many people) in order for something similar to yesterdays events to happen either by mistake or by a deliberate act resulting in the release of hash numbers and personal data.

 

Join the two, and the whole system is undermined. A criminal with both your data and access to the algorithm will be the first to undermine it. Place government incompetence at the centre of every transaction requiring ID and that is even more worrying.

 

Yesterdays mistake was so basic it could and should have been avoided nearly 40 years ago in government computing history. I just can't see why you can carry on supporting such a flawed system, that has lost all credibility even on the most basic of issues. Your interpretation of what things will be like is a little too idealistic for my tastes, and I forsee very many more such blunders with this blind reliance on technology and such a lax attitude to data security. After yesterdays events ID cards under this government have been completely undermined - and I can't see them going ahead now, regardless of the governments assurances.

[I don't know]

Fuel for the fire...

 

This HOWTO contains step-by-step instructions for turning a latent fingerprint on the side of a glass or similar into a latex fingerprint you can wear on your fingertip in order to fool biometric sensors.

http://www.boingboing.net/2005/05/18/howto...-a-fingerp.html

 

 

 

Thanks Mr S. now I know how to steal a book from a primary school library, just need to get a glass before the dinner ladies wash them.

[Mr. Sausages]

Awesome. So, if you know someone is using a fingerprint scanner for a highly sensitive purpose, (bank vault, government office, hospital lab) you can gain entry by recreating their prints.

 

Yeah, or you could take out some library books in some kid's name and rack up massive fines for them. That's what I'd do.

 

And it must be true cos it's on the internet, and I saw it on QI and CSI which is full of FACT.

[Albert Tatlock]

Rumour has it that criminals also invest in R&D. So it'll only be a matter of time.

[Dodger]

Positive Action Group

PRESS RELEASE

ISSUE DATE: 17th September 2007

 

Biometric fingerprinting on the Island

 

 

Island political lobbyists Positive Action Group have expressed concern about the

attempt to introduce biometric fingerprinting into Island schools without prior

consultation with parents.

 

A spokesman for P A G commented:

"If it wasn’t for the vigilance of a parent at Peel Cloth workers School, where this was going to be introduced for children to get books from the school library, the system would have been established in a number of other Island Primary schools.

"In our opinion this is a very worrying development, especially as it involved children"

"A number .of our members have expressed concern about the Isle of Man copying the UK practice of using recording biometric identity in Primary schools. We question why the decision was taken in the Isle of Man to replace secure paper records .

"On the face of it biometric fingerprinting seems innocuous, but it could be the first ofmany such intrusions into personal privacy. There should have been widespread meaningful public consultation before any such measures are introduced"

"Once a child's fingerprints have been encoded into a digital record the data can easily be distributed further within the system of Government. Who is to say where this data might be in ten years time? Children need to be educated in a culture of privacy so they don’t one day go on the Internet and give away their private details.

"Getting them to give their fingerprint data to a scanner in primary school is tantamount to grooming them to hand over their private data when so instructed by Government."

" It is ironic that the Chief Secretary is preparing a report on the question government consultation and at the same time consultation didn’t take place with parents oversuch a fundamental topic as fingerprint recognition.

To highlight the whole question of the undermining of civil liberties P A G has organised

a screening of the compelling film “ TAKING LIBERTIES” which exposes the shocking

truth about the erosion of civil liberties in the U K in recent years. P A G is anxious to

make the Manx public aware of this potential threat to individual freedoms

 

Their spokesperson went on to say:

“We urge people, especially parents, to see this controversial film – it’s not only for P A G members.

Admission is free and everyone is welcome, but places are limited – just reserve a seat

by phoning: 863106 or e mailing: info@positiveactiongroup.org”

 

 

 

 

 

 

 

 

“TAKING LIBERTIES”

7.30 p.m.Monday 22nd OCTOBER 2007

CLAREMONT HOTEL, DOUGLAS

Admission Free – Everyone welcome

To reserve a seat tel: 863106 or e mail: info@positiveactiongroup.org

 

EDITORS NOTE

 

 

2 For information about Positive Action Group

visit: www.positiveactiongroup.org

Contact W Roger Tomlinson

tel: 863106

e mail: info@positiveactiongroup.org

 

"Biometric Enrollment and Authentication

In a typical IT biometric system, a person registers with the system when one or more of his physical and behavioral characteristics are obtained. This information is then processed by a numerical algorithm, and entered into a database. The algorithm creates a digital representation of the obtained biometric. If the user is new to the system, he or she enrolls, which means that the digital template of the biometric is entered into the database. Each subsequent attempt to use the system, or authenticate, requires the biometric of the user to be captured again, and processed into a digital template. That template is then compared to those existing in the database to determine a match. The process of converting the acquired biometric into a digital template for comparison is completed each time the user attempts to authenticate to the system."www.zvetcobiometrics.com

 

Here is from a biometric solution provider proof that the digital template created each time a print is scanned is checked against the one in the database. Not quite what I would call a hash....... This information was from one of the google ads attached to this forum.

 

Tweek, I take my hat off to your last post copied and posted below

 

"Are you saying that you will only get a unique hash number, produced at the local ID centre when you have your iris scanned and fingerprints taken etc for the issue of your ID card - - - so they don't actually hold our original biometric data - and our unique hash is simply reproduced whenever we are rescanned for verification?

 

If you are saying that, then considering the National Identity Register (according to the No2ID site) involves "individual checking and numbering of the population; making personal details into "registrable facts" to be disclosed and constantly updated; collection and checking of biometrics (e.g. fingerprints); the card itself (and other documents made equivalent to an ID card); a widespread scanner and computer terminal network connected to the central database; widespread use of compulsory identity "verification"; and data-sharing between organisations on an unprecedented scale."

 

Firstly, fingerprints and iris scans are effectively unique, so the algorithm used to create or reproduce the hash number must be representative of what we have already identified what actually makes fingerprints unique in order to produce the unique hash in the first place. You can't say that someone with access to the mathematical algorithm and your hash can't reproduce from a hash number your fingerprint (printing it onto thin film) or even your iris scan (using contact lens technology). The technology exists today to print fingerprints onto very thin film, and even to print onto contact lenses and so a group of determined technically aware criminals could get hold of this equipment - this is everyday semiconductor/photographic/opthalmic industrial technology today, and not limited to movies such as Mission Impossible. Personally, I think it is only a matter of time before criminals catch up with fingerprint duplication.

 

Secondly, the hash number will still have to be associated with a bunch of data stored by banks and government etc (again for checking purposes after you've been identified). There will always be humans involved in the system, so it would only take a couple of well placed government employees (an ID card system will employ many people) in order for something similar to yesterdays events to happen either by mistake or by a deliberate act resulting in the release of hash numbers and personal data.

 

Join the two, and the whole system is undermined. A criminal with both your data and access to the algorithm will be the first to undermine it. Place government incompetence at the centre of every transaction requiring ID and that is even more worrying.

 

Yesterdays mistake was so basic it could and should have been avoided nearly 40 years ago in government computing history. I just can't see why you can carry on supporting such a flawed system, that has lost all credibility even on the most basic of issues. Your interpretation of what things will be like is a little too idealistic for my tastes, and I forsee very many more such blunders with this blind reliance on technology and such a lax attitude to data security. After yesterdays events ID cards under this government have been completely undermined - and I can't see them going ahead now, regardless of the governments assurances." Posted by Tweek

[ai_Droid]

There's so much misunderstanding, misinformation and scaremongering here that it's hard to know where to start. Pretty much all these issues have been covered.

 

Dodger, you've bizzarely just started copying and pasting other posts, including the one that started the subject, which has been debated in detail. Are you not cabable of understanding or making informed posts on this subject yourself? Have you read the thread? For someone so vocally opposed your understanding seems to be absent.

 

The only thing I am confused over is how you high and mighty broadsheet readers can be so blaze about what is and is not security sensitive data. Seems to me that you are the ones with the head in the sand, not the Daily Mail readers.

You seem to trust the UK government implicitly and yet they have bullshitted to you every day since they came to power. They are even bullshitting about this 25.000.000 people's data. It was lost a month ago and yet it has only just come to light.

 

No, you're very clearly confused about encryption and compression, which is why you've made those incorrect statements above. Not sure what that has to do with what newspaper we all read?

 

I've never said I trust the government. My stance all along has been that I don't need to trust the government because a thumbprint scanner doesn't actually store any sensitive personal data, see? I don't know how I can put this any plainer that will be understood.

 

It is the potential misuse that is the problem, the very reason why they want it! The government has already admitted that criminals and terrorists will have multiple passports, they will also be able to generate multiple id's from online data!

 

Whether the print itself or a number generated from it, it is still identifying the person. The same software will generate the same number in another computer/department or member of the public.

 

No, they wont be able to generate ID's from online data. That's the point of the biometrics. As matty said, you can't duplicate biometrics if you don't have the phsyical atributes to match. But you're making the leap from thumbrpints to ID cards again. Where's the connection?

 

The same software may generate the same hash, but only from the same thumb, don't you see? It's not actually that complicated, and you're very vocal in your opposition, but you really don't appear to understand the basics.

 

Erm, you would think. To the criminal, new forms of security are just new forms of opportunity. It is a bit like chip and pin. Credit card fraud has increased dramatically since it's introduction. Why? because the shopkeeper no longer pays any attention to the card. As long as they appear to get their money they don't care.

 

Now, that's completely wrong, unless you can back it up?

 

Chip and pin has virtually eliminated point of sale fraud. What's increased is 'customer not present' fraud, basically because that doesn't require chip n pin, so that's where the fraudsters have moved too. There's also some evidence of pin scraping going on moving to cash machines.

 

I'm not a big fan of chip n pin, and the industry has admitted it went for the cheap solution when active two factor systems would have been a big improvement, but to claim frauds up since it's introduction is just plain wrong.

 

We all leave fingerprints wherever we go.......It is the linking of data to your identifying biometric that is the issue, then no matter what you do or when you do it there will be records. The starting of the process at primary schools is worrying, especially when it isn't a necessary use of the technology.

 

There is also the misuse of the data, whether it is lost by accident or stolen once it is lost it can't be resecured.....

 

You keep saying the same wrong stuff. How can a stolen hash of a thumbprint be missused? Explain it in detail, with information to back up your claim.

 

 

Awesome. So, if you know someone is using a fingerprint scanner for a highly sensitive purpose, (bank vault, government office, hospital lab) you can gain entry by recreating their prints.

 

Does the man from Biometric Zolutions know this?

 

Why don't you phone him and ask him?

 

As has been said already, multiple times....Fingerprint scanning isn't particularly secure. It's used as a form of identification, not authentication. Think of it as the difference between a username and a password. The thumbprint is the username. Banks looked at fingerprinting, and rejected it as insecure, favoring instead stronger two factor authentication. Fingerprinting's only ever going to be used for low risk applications like school libraries for exactly that reason, and for exactly that reason it's trivial and doesn't deserve this attention or scaremongering.

 

 

AI Droid will condem the link........propaganda!

 

 

No I wont, I've even raised the same fact myself many times in this thread. Thumbrints can be fooled, it's not strong authentication, which is why this issue is trivial, and your scaremongering is unfounded.

 

Are you saying that you will only get a unique hash number, produced at the local ID centre when you have your iris scanned and fingerprints taken etc for the issue of your ID card - - - so they don't actually hold our original biometric data - and our unique hash is simply reproduced whenever we are rescanned for verification?

 

That's how a thumbprint system will work, and I imagine that's how an ID card system will work. There is no biometric ID card system currently, so I can't say with any certainty. I'm really not debating a national ID card, I'm debating the use of thumprint scanners in school and how they're not connected in the slightest to a national ID card.

 

 

Firstly, fingerprints and iris scans are effectively unique, so the algorithm used to create or reproduce the hash number must be representative of what we have already identified what actually makes fingerprints unique in order to produce the unique hash in the first place. You can't say that someone with access to the mathematical algorithm and your hash can't reproduce from a hash number your fingerprint (printing it onto thin film) or even your iris scan (using contact lens technology). The technology exists today to print fingerprints onto very thin film, and even to print onto contact lenses and so a group of determined technically aware criminals could get hold of this equipment - this is everyday semiconductor/photographic/opthalmic industrial technology today, and not limited to movies such as Mission Impossible. Personally, I think it is only a matter of time before criminals catch up with fingerprint duplication.

 

Your misunderstanding how hashing works, the alogrithm is public and well documented and doesn't help a jot in 'reversing' the hash. It's one way, and even if it wasn't one way, the hash doesn't contain the data anyway. There is no data to decrypt. So in summary:

 

- You can't revers data out of a hash

- Even if you could,the hash doesn't actually contain the data

- Thumbprinting doesn't actually use a complete thumprint, just a description of some features of the thumprint, so even the data that's hashed isn't complete.

 

Suggest you read up on hasing:

 

http://en.wikipedia.org/wiki/SHA-1

 

 

Secondly, the hash number will still have to be associated with a bunch of data stored by banks and government etc (again for checking purposes after you've been identified). There will always be humans involved in the system, so it would only take a couple of well placed government employees (an ID card system will employ many people) in order for something similar to yesterdays events to happen either by mistake or by a deliberate act resulting in the release of hash numbers and personal data.

 

Again, you've moved from fingerprint scannings in schools to id cards. I'm not much interested in debating ID cards. Yes, data protection of central databases is a very important issue, and the loss of it is serious and disturbing, but biometrics specifically does not make this risk any greater.

 

 

Join the two, and the whole system is undermined. A criminal with both your data and access to the algorithm will be the first to undermine it. Place government incompetence at the centre of every transaction requiring ID and that is even more worrying.

 

No, that's fundamentally wrong. The whole world has access to the algorithm, it's public. You need to understand hashing.

 

 

Yesterdays mistake was so basic it could and should have been avoided nearly 40 years ago in government computing history. I just can't see why you can carry on supporting such a flawed system, that has lost all credibility even on the most basic of issues. Your interpretation of what things will be like is a little too idealistic for my tastes, and I forsee very many more such blunders with this blind reliance on technology and such a lax attitude to data security. After yesterdays events ID cards under this government have been completely undermined - and I can't see them going ahead now, regardless of the governments assurances.

 

 

Eh? I'm not supporting anything, I'm talking about biometrics, not central government data. The data the govt holds centrally is an important issue, and one that's really not influenced by school thumbrpint scanners or biometrics. They fucked up losing this data, and that needs fixing, no argument from me there, ok?

 

I'm being portrayed as some sort of champion for ID cards. I'm not, I've not talked about them at all, I've not advocated them, I'm not behind them.

 

I do think we need stronger authenticating personal id than a (biometric!) signature and a four digit pin however, and I'm sick of the number of two factor tokens I have already (I've got four, from various different organisations), so I can certainly see the case for a national system if it can prove to be secure. I'm not sure it'll ever be possible though.

 

One final point; kids are giving far far more potentially and future damaging personal information, including biometrics to Myspace, MSN, Google, Facebook and Beebo than to any school library system. Nobody is batting an eyelid at that.