Slashdot Mirror
Acer Laptop W/Fingerprint Recognition System
Dekaner writes "Acer has announced the TravelMate 740 with a built-in fingerprint recognition security system. The fingerprint sensor is part of the notebook? s palm rest. Users must train the recognition system, which is then used to boot the machine or to decrypt files stored on the hard disk. The TravelMate has a 1.2 GHz Pentium III processor, a 15-inch screen with a resolution of 1400 by 1050 pixels, built in 56K modem and Ethernet connection, and it can be supplied with either 128 or 256 MB of memory. It can be configured with a second hard disk, CD-ROM, DVD, or a DVD-CD-RW drive. It will go on sale in October."
If there is one thing I learned from 'Demoliton Man' with Rocky^H^H^H^H^HSylvester Stallone is that Wesley Snipes will come and cut parts of your body off if he needs them badly enough.
Don't keep data on this thing that's worth dismemberment, because scary terrorist-types will cut your fingers off.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
Yeah, but according to the new crypto laws you'll have to cut off your pinkies and give 'em to the FBI to keep in "finger escrow."
These small, integrated fingerprinter scanners have been in the works for a while now. It's good to see that they're finally being put to use. What's next? Fingerprint ID car-starters? Cell-phones? so many possibilities...
The article is short on details but it seems not to be very reliable. In corporations, the IT department usually has a master key so that even when the employee leaves, the company can still retrieve the data. What about this fingerprint-recognition system?
Second, this article makes me wonder if Slashdot will consider inserting text ads like Google by masquerading as submissions. I think it is a great way to get income to maintain this heavyly used site (banners at the top are no longer very effective), given the financial conditions of the parent company VA Linux.
¦ ©® ±
I knew someone would eventually find a way to make all those fancy CEO's give their laptop the finger.
Btw: for all the l337 hackers suggesting cutting off fingers: proper finger recognition systems can sense whether the finger being scanned is attached to a living body by checking for temperature, pulse etc. So instead of just stealing your thumb and laptop, they will have to steal you as well.
I intend to live forever, so far so good.
Gives new meaning to the phrase "three-finger salute," doesn't it?
Ctrl-Alt-middle finger, indeed.
In Soviet Russia, Jesus asks: "What Would You Do?"
This should be very popular with companies - problem #1 with giving managers/execs laptops is they'll lose them or have them stolen, which, when combined with the lack of (transparently) easy security means that a lot of important data can be compromised very easily.
For the same reasons it should be popular with MI6 who last year seemed to be losing a laptop a month.
So long as it's implemented sensibley, I think Acer are on a winner here.
This sort of biometric authentication is not really all that vital for most of us, and the effort required to keep it functional, in this case at least, outweighs any advantage gained.
Don't get me wrong -- I can see this being very useful for corporations and governments who have valuable information to keep encrypted. For those applications, this is a good idea.
The problem I see is that fingerprint sensors require maintenance. The human fingertip exudes oil, used to increase the traction of the fingertip. This is not good for a sensing surface, and will necessitate regular cleaning. Anyone who has owned a trackball can tell you that anything the finger touches regularly, builds up gunk quickly.
Another problem is susceptibility to damage -- scratches in particular. I wouldn't want to be locked out of my files due to clumsiness. Also, damage to the recognition system through any form of clumsiness will keep you out of your encrypted files. Using an ordinary encryption method, you'd just hook the HD up to a different machine and be back in business.
I'll assume that the device is good enough to detect your print accurately. I wouldn't think the company would willingly release a half-engineered product in such an important area as authentication.
Denial isn't just a river in Italy
This should definitely add to the FUD-factor at your local Best Buy, though...i can see it now:
Salesman: But if you don't have fingerprint recognition, ANYONE can get into your private personal super-top-secretest files!!! Even TERRORISTS!!!!
Customer: I'll take fifteen of 'em!!!
BTW, what if I scorch my finger?(I guess it could work but I would like to be sure)
Finally, some more details are given just a click deeper...
Trolling using another account since 2005.
well, if the fingerprint recognition is used at the BIOS level (i assume that it would), then the boot disk would still require fingerprint recognition in order to work.
This could've been a Seinfeld Episode:
George inherits this laptop, only to find it's fingerprint protected, so at the funeral, he tries to sneak it up to the corpse to get the print...
Yadda yadda yadda....
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Win2k & XP Pro support NTFS encryption. Sensitive files would be safe even if you mount it outside the system or with a NT boot disk. Plus, you have to log into the file system anyways for access. Still, you could reformat the HD, but the files would go with it.
You can have my laptop when you pry it out of my cold-dead-er-nevermind.
"Draco dormiens nunquam titillandus."
Forget the finger print, how about that resolution!?
1400 by 1050 pixels? That's better than my desktop's!
The REAL sam_at_caveman_dot_org is user ID 13833.
The article fails to give a technical explanation on exactly how the fingerprints enhance security. Does anyone here really believe that this laptop can protect its data when it is stolen? In order to do that it must encrypt the data on the disk.
:-)
Using what encryption key? Your fingerprint? Does anyone believe that your fingerprints are secret? You are putting thousands of copies of your prints on various objects every day. You probably have several fingerprints on your laptop! And once your secret encryption key becomes known, how do you change your key?
The key (sorry) to good encryption security is to change your keys often.
Until a good technical description on the security is provided I will regard this laptop as techno-babble trying to impress PHB types.
)9TSS
This sounds great, except for the fact that it's an Acer.
After doing some research, I recommended to my girlfriend that she buy an Acer laptop. The reasons were simple - it had a modem, ethernet, and wireless ethernet built in, it had a large 14" screen, and it was only 5.2 pounds with the dvd drive installed, 4.5 without, and came installed with Windows 2000.
I looked at a variety of other laptops, especially Dell and Compaq, and none could build in everything (she wanted wireless ethernet for use at college and in the future) at such a low weight. The price wasn't too bad either, for last June - about $2100 including Windows 2000 and Office 2000 from CDW.
When it arrived, there was a feature I sort of brushed over - a smart card reader. Its primary purpose in this laptop is to restrict access if the card is not installed. It looks like a credit card, and is easily removable. By default, the security settings are such that the smart card must be installed for the computer to boot. Of course, this isn't perfect protection against things like theft, but it is more convenient than a boot password to prevent people from simply using the laptop.
So I am not surprised to see that Acer is leading the way with more laptop security features. I absolutely hate the many old desktops that I have had to fix over the years, but the quality of the laptops is quite nice. They fit a lot of features, including some pioneering ones, into a laptop that is comparable in price to Toshiba and Dell with less weight.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
read my orignal post, its not in the bios in this case..
-
ping -f 255.255.255.255 # if only
Indeed, if we don't know how it works internally, how do we know that Acer hasn't built a huge backdoor into it (like how their CEO's fingerprints or an easily reproducable pattern will always work)?
I expect it uses some system to "hash" fingerprints into simpler indentifiers, but how do we know that this function is unique? I've already dealt with iris-identification products that, given a large enough input sample, start incorrectly identifying people since the hashing function didn't produce unique hashes.
Pretty simple. This technique has proven itself at cash machines. Biometrics may marginally help prevent someone from stealing a machine outright when you're not there. So if someone really needs the data, it just means they're going to wait for the owner/key to arrive. Yoink.
> When will these types of screens be available in standard laptops???
Dell has been selling their Inspiron 8000 with 1400x1050 and 1600x1200 screens for quite some time. I have the 1400x1050 display, and it's very nice indeed. Not to mention the Dolby Digital sound, TV out, dual monitor capability (LCD + external), or 1394 port.
We tried registering all of my fingers to no avail. In the end, I got a magnetic card to get in.
I had tried one of those systems where you sign for authentication, too. But it turns out that I can't write my own signature the same twice. I haven't had much luck in having biometric authentication figure out who I am.
I'm not so sure that biometrics are really a good idea. People have already pointed out various means to thwart the system, i.e. chop off your finger, put a gun to your head. Facial recognition systems have proven so far to be less than reliable. I don't understand how biometrics will make any information more secure than already well established best practices for security.
This trend towards biometrics just seems like a way to make security somewhat brainless. The big problem is that security that is brainless isn't security.
"Encrypting the hard drive or portions of it as with PGPDisk is still the most secure."
"Users must train the recognition system, which is then used to boot the machine or to decrypt files stored on the hard disk."
This sig is xenon coated, and will glow red when in the presence of aliens
I disagree.
While Acer Desktops aren't exactly cream-of-the-crop, their laptops aren't bad at all. I personally own an Extensa 501T and it runs Slackware Linux. Everything works beautifully - Display, Sound, and there's even support for the Winmodem. I've enjoyed this laptop for the past four years, and I've only ever had trouble with the floppy drive.
In that event, Acer paid to have it returned to the factory, fixed it, and had it back to me the same week.
I would definitely recommend Acer laptops. I've had nothing but good things to say about mine.
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
Does this mean my clone can boot my laptop? Hope it's not my evil twin...
Give me my freedom, and I'll take care of my own security, thank you.
Until it spills out into the air via the "optional Acer InviLink IEEE802.11b wireless LAN PC Card." ;)
This sig is xenon coated, and will glow red when in the presence of aliens
There's always a way around security...it just depends on how much that data is worth. And if it's worth so much that someone would be willing to manually decrypt an entire HDD, then maybe that data shouldn't be on a laptop in the first place.
because then Joe Bob, COO, has to remember 5 different password instead of having to remember to bring his fingers along with him to each meeting.
-sam
The REAL sam_at_caveman_dot_org is user ID 13833.
That's unfair! There's nothing wrong with my Travelmate 507, apart from the faded keys, jerky touchpad, cracking hinges, heavy weight, crappy video card, noisy hard drive, crackly sound, fragile modem socket, erratic parallel port, blocky display, overheating CPU, short battery life, sluggish system speed, minimal upgradability, and the lack of WinME/Win2K/WinXP support for all of the wierd hardware in it.
</sarcasm> (OK, OK, but it was cheap, the CD reads burned discs very well, and it runs Linux better than it runs the bundled Win98SE)
If you were blocking sigs, you wouldn't have to read this.
Hmm, so if you got in a car accident, and lost your hands - all your data would be totally and permanently unrecoverable?
Will this drive up the incidence of finger mutilation as people could potentially try to hijack your computer?
- passion
I doubt Red Dwarf was the first show to use it, but they were much funnier about it....
They come upon a door.
KRYTEN: Uh-oh, a door. We'd better use an air vent.
LISTER: No need.
KRYTEN: Sir?
LISTER: Look, I'm gonna do something now, Kryten, that's totally, totally
gross. I don't want you to look. Turn around.
KRYTEN: What?
LISTER: Trust me, you don't wanna know!
KRYTEN reluctantly turns around. LISTER pulls the object he picked up
earlier out of his jacket: it's a hand. He presses the severed hand to
the palm-print device, and the door opens. He puts the hand back in his
jacket and turns around. KRYTEN has a sick look of realization on his
face.
KRYTEN: Logically, sir, there is only one way you could have possibly
have opened that door. I feel quite nauseous. Where is it?
LISTER: Where's what?
KRYTEN: Oh, sir!! You've got it in your jacket!!
LISTER: I got us out of the hold, didn't I?
KRYTEN: Sir, you are sick! You are a sick, sick person! How can you
possibly even conceive of such an idea?
LISTER: Cheer up! Or I'll beat you to death with the wet end!
KRYTEN: Sir, if mechanoids could barf, I'd be onto my fifth bag by now.
You're a sick person! Sick! Sick!
Build it, and they will come^Hplain.
How many bits worth of unpredictable information, exactly, is in a fingerprint? I know it's "a lot", but is it enough? 48 bits is "a lot" too, but it has been demonstrated to be not enough for protection against a simple brute-force attack.
Ultimately, it's all just bits. This fingerprint-recognition device ultimately must convert your fingerprint into a binary key, and use that key to perform the encryption/decryption. If someone can get a copy of your encrypted data, they could run it through software which tried binary keys until it found the right one. If the adversary could lift your fingerprint from something you've touched, that might give them information which helps them narrow down the search.
Until I found out just how many keys they'd have to try before exhausting the keyspace, I wouldn't trust this to be secure. A good mixed-case/numbers password with a - or ! (et al) thrown in can easily have 67**8 > 48-bit strength. A 5-word english passphrase can have up to 38619 ** 5 > 76-bit strength (38619 words in
Seriously, though, does anyone know the strength of a key generated by Acer's gizmo? And how much it might be narrowed down with a sample fingerprint to work from?
-- TTK
There's probably a way to make it boot off of a bios-update disk or a specially prepared boot floppy that will cause the saved settings to get wiped and put it into "new computer" mode again.
I had a DEC PC that had a bios recovery mode that would reflash the bios from floppy without a flash program or a bootable floppy. The catch was you had to make a recovery floppy before you foobar'd the machine. I presume it was just a raw dump to disk media of the old bios.
Whatever ROM the machine had was capable of doing disk reads and flash writes.
I'm sure there's a way to make this one go into "recovery" mode which would at least make it a working laptop.
It's easier to detect the authenticity of a finger than one might think.
After being unable to activate my touchpad with anything other than my finger, my curiosity had been captured. After a great deal of experimentation, and actually getting 5 other engineers running around looking for something to fool the touchpad, we finally resorted to technical support. Here was my letter:
I have a prosthetic limb which I am unable to use
the synaptics touchpad with. I am unaware of the type of touch sensing it uses, and have been unsuccessful in my attempts to 'simulate' a fingertip on my prosthesis.
I even bought a rubber hand and cut the finger off
and stuck it to my prosthesis, but to no avail.
I have also tried heating the prosthesis to my body temperature.
The pad works fine for the other engineers in the
group with real fingers, so I don't believe there is a problem with the pad itself.
Do you have any suggestions for a tip I can use to
properly activate the touchpad?
If not, do you plan on releasing something I would
be able to activate
with a prosthesis?
And their reply was:
Hi Chris,
Unfortunately, as you have discovered, our touchpad uses finger-sensing technology. Basically, the touchpad determines that a touch is made through the capacitance of the human body.
I'm very sorry to say that we cannot recommend a
product you can use to activate it at this time.
Best regards,
So what have we learned other than how fun messing with tech support can be? Even a heated pulsing finger isn't going to work if the electrical properties aren't right. Capacitance is a tough thing to trick. Try putting probe leads on two parts of a finger, and plot the voltage / current patterns. Very, very difficult to duplicate.
Of course, medical science will always find a way to stick severed fingers on hands, and we know that your average bin Laden follower won't scoff at the replacement of one of his fingers with a victims...
I apparently forgot that sig != uptime...
A co-worker of mine got one of these Acer laptops with fingerprint recognition several months back, perhaps around April.
The fingerprint recognition was OK for one person, but as soon as we tried to configure it to recognize two people, we had horrible problems. It seemed like there were differences between the BIOS level recognition and the software OS level recognition. We were eventually both locked out and just sent the laptop in to be reset.
.. adds your fingerprint to a global FBI like database, that is used with MS passport and knows all the porn sites you visit... once it knows who you are it does not let you out of its site..
Only 'flamers' flame!
Yeah right. You're really just worried because your fingerprints might be hard to read after those late nights reading playboy.com
Got Rhinos?
After all, if you struggle at all, it will be unable to get a good fix. Even twitching the muscles in your finger violently should be enough, and if $BADGUY hold your finger down hard enough to stop that, you'll get a screwy reading anyway
Locked out, standing in the cold, your hands getting dryer and less likely to work the next day. Oh my!
We use a hand and plastic card system here for entry. It seems to work well. Key numbers work where there is no card reader or if you forget your card. The hand readers themselves tollerate changes in my hands from exercising, but not gloves, and are speedy. This might not work for a laptop, but it's tops for building entry.
Friends don't help friends install M$ junk.
Train it to recognize your toe prints. They change less than your finger prints, and anyone who would steal your foot will have to smell it all day.
Friends don't help friends install M$ junk.
They will take my fingers from my cold dead hands.
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
The success of this technology is going to depend on what type of fingerprint image is being scanned.
Is it photographic ? That is, the mechanism captures a photo of the fingerprint using lighting differences to create a pattern. If so, then what happens when I get the errant pen mark or paper cut across my finger ?
Is it geographic ? There are some nifty technologies out there that either through sonographic or similar means create a viritual image of the fingerprint pattern. These are far more accomodating in ignoring things like dust, dirt, pen marks, paper cuts, chaffing/sluffed skin, boogers and other stuff that sticks to our hands.
Does anyone know which type is being used on this laptop ?
healyourchurchwebsite.com - WWJB?
cut off your finger accidentally and you won't be able to access your files. :-)
"I love my job, but I hate talking to people like you" (Freddie Mercury)
According to the Acer site the chip is made by Authentec, Inc. (based in Florida); here are some more tech specs: Products; and some other details are in their Media Coverage Archive.
#include "disclaim.h"
"All the best people in life seem to like LINUX." - Steve Wozniak
I have two holes to punch into Acer's new notebook:
(1) Their illustration of a Pentium III-M processor is good for a laugh. Check out the lower-right corner of the second page of the brochure, and tell me that isn't an FCPGA Coppermine Pentium III sitting on top of a circuit board.
(2) More than likely, they've implemented the hard drive protection using an IBM Travelstar hard drive, which has a password-protection option (although this is very rarely used in the real world). Why am I poopooing this? Keep reading.
Section 11.8 of the Travelstar 48GH Specifications (page 87, PDF page 101) details IBM's security system. I would imagine this can be circumvented in one of two ways, the first being in the hard drive itself and the second being part of the notebook's security implementation.
First, there's a Master Password in addition to the normal User Password. If you don't know what the Master Password is, and don't know that only you know both passwords, anyone with access to the Master Password (quite likely any high-level Acer technician) can send a Device Unlock command to the drive along with the Master Password and voilà, the oyster opens to reveal the pearls inside. (No, you can't read the passwords out of the drive's EEPROM; it's stored in a non-externally-addressable area of the disk. Even if you know and control both passwords, though, I'd imagine there are undocumented commands to reset the password or unlock the drive regardless of the password. If you're thinking that IBM would need to be able to unlock drives to refurbish/repair them, they wouldn't, because there's a command which will write zeroes to every externally-addressable sector on the drive then unlock the drive and erase the password. No hard drive maker that I know of guarantees the integrity of the data on any hard drive that's sent to them.)
Second, I'd be very surprised if they had gone any further than storing the Travelstar's access password in CMOS or an EEPROM part, and sending it to the drive if the fingerprint matches what's stored there as well. (They couldn't store a one-way hash of the drive password, because any obfuscation would have to be reversable to be able to feed the password to the drive.) Therefore, anyone with an SMD rework station and an EEPROM reader could probably extract the password from the CMOS/EEPROM.
In summary, I wouldn't trust state secrets to this. I would recommend PGP Corporate Desktop instead as the closest thing a mortal can get to decent data security. (An interesting aside: You know how the government erases drives holding classified information before they're resold? They don't. The drives are physically destroyed. For good reason.)