Fingerprint Recognition with Linux & IBM's T42
Michael R. Crusoe writes "UPEK, provider of popular fingerprint sensors to IBM's T42 notebooks and others, has announced that they will be providing a BioAPI compliant library to perform biometric authentication under GNU/Linux. Will Linux be the first operating system to have integrated biometric user authentication 'out of the box'?"
I don't understand this. Isn't writing to PAM all you need to do to support authentication on Linux?
They're talking about writing this whole framework for Linux called BioAPI, and then once that's done they're going to work on a BioAPI-to-PAM gateway, but that seems like way too much work.
Why can't an authentication module simply maintain its own database to register the biometric data associated with each user?
The way it is now, pam_unix.so does a one-way hash of the password you create and compares it with a one-way hash of whatever password you enter to log on, right? The password once stored is never stored in the clear.
I get the fact that you can't do that with biometric data because the data never is exactly the same, i.e., the one-way hash of the fingerprint you use to create the account won't be the same as the one-way hash created as you log on. And to do the comparison otherwise you'd need to load the data into memory, which is like loading a password, which is bad.
This is a really tricky problem.
I just don't see why we need a new framework. Seems to me, we need a new kind of hash function.
Why can't that go into pam_finger.so?
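The point raised in the comment above (an exact-match salted hash works for passwords but not for a fingerprint reading that differs slightly each time), as an added example that is not part of the original thread. PBKDF2 stands in for the crypt(3) hash that pam_unix uses, and the 64-bit templates, the flipped bits and the distance threshold are constructed simplifications; real matchers compare minutiae, not bit strings.

```python
import hashlib
import hmac


def hash_secret(secret: bytes, salt: bytes) -> bytes:
    """One-way salted hash, standing in for the crypt(3) hash used by pam_unix."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def verify_exact(stored: bytes, salt: bytes, candidate: bytes) -> bool:
    """Password-style check: hash the candidate and compare in constant time."""
    return hmac.compare_digest(stored, hash_secret(candidate, salt))


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate sensor noise by flipping the given bit positions."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def match_template(enrolled: bytes, probe: bytes, max_distance: int = 8) -> bool:
    """Biometric-style check: accept if the probe is 'close enough'.
    Note that this needs the enrolled template itself, not a hash of it."""
    return hamming_distance(enrolled, probe) <= max_distance


# Constructed sample data (not real biometric templates).
SALT = bytes(16)  # fixed so the example is reproducible; use a random salt in practice
ENROLLED = bytes.fromhex("a3f1c4e29b07d658")
SAME_FINGER = flip_bits(ENROLLED, [2, 17, 40])     # same finger, 3 noisy bits
OTHER_FINGER = bytes(b ^ 0xFF for b in ENROLLED)   # unrelated template


def demo() -> dict:
    pw_hash = hash_secret(b"correct horse", SALT)
    fp_hash = hash_secret(ENROLLED, SALT)
    return {
        # Exact hashing is fine for a password typed identically each time.
        "password_exact": verify_exact(pw_hash, SALT, b"correct horse"),
        # A 3-bit difference changes the hash completely, so the owner is rejected.
        "fingerprint_exact": verify_exact(fp_hash, SALT, SAME_FINGER),
        # A distance threshold accepts the owner and rejects the other template,
        # but only because the verifier holds the unhashed enrolled template.
        "fingerprint_fuzzy": match_template(ENROLLED, SAME_FINGER),
        "impostor_fuzzy": match_template(ENROLLED, OTHER_FINGER),
        "noise_bits": hamming_distance(ENROLLED, SAME_FINGER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The threshold matcher only works on the stored template in recoverable form, which is why that template has to be protected like a plaintext password rather than like a password hash.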
Wow, I am really looking forward to giving Linux the finger...er wait..
AT&ROFLMAO
Put now your finger on the scanner to play this drm-protected wma. Well... kinda better than hardware fingerprinting anyway. But way more spooky.
\u262D = \u5350
Windows has supported biometric authentication (in addition to smart cards) since Win2k. Hell, they've been selling keyboards with fingerprint scanners built in for almost a year now ...
now I can REALLY finger my computer!
The question said 'out of the box', I think that means 'without having to install any drivers'.
All biometric solutions I've seen use the OmniPass software from Softex that needs to be installed first. Just plugging one of those fingerprint scanners in your computer (e.g. APC Biopod) does nothing without installing the software.
I think it's great - and time! I really don't like having to remember 20 or so passwords just so because if one of them gets hacked my other data is secure. :(
Non-supporter of Online Activation and any other draconian DRM
So I guess OEM installations don't count?
I mean, who buys computers with preloaded operating systems, drivers and productivity suites these days?
I think the magic words here are "out of the box". So the question isn't as foolish as you seem to think but pretty irrelevant I agree.
Hasn't OS X had biometric user verification/login, albeit voice not fingerprint, since it was first released back in 2000 (or was it 1999?)
Mudge
In theory, theory and practice are the same.
In practice, they're not.
Linux frequently supports a lot of hardware out of the box. Some folks argue that there is better hardware support for Windows. And that is true in and of itself. However, how often when installing a Windows operating system do you need a load of driver CDs to accompany the installation? In my experience: always, especially if there is additional hardware such as a printer. Linux, on the other hand, is frequently distributed with drivers for supported hardware out of the box. What's better is that as Linux grows in popularity, so will the hardware support.
Get some.
Well then you're not just buying an 'operating system' :-)
But I do agree that the question was very vague. It can be interpreted both ways depending on your definition of 'operating system' or 'out of the box'. I don't think this will be something where Linux will really be better than windows, especially this is all yet to be developed, and there are so many biometric devices already available for Windows.
By the way, the IBM T42's we have here at work don't seem to have the fingerprint option enabled when they are delivered to us, but it could be that they took it out of the corporate preload they put on it.
No. OS X dropped the voiceprint identification system. It was only present back in the OS 9 days.
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
The combination of open sores and a finger scanner doesn't sound too hygienic to me.
I guess if I had a fingerprint scanner I'd want to clean it regularly if people are going to start trying to use it randomly...
I am reminded that when I was reading Stallman's The Right To Read (linked from the recent Slashdot story Old-Fashioned DRM Protects Harry Potter Book), I wondered why it didn't include biometrics. That would have prevented the happy ending.
Having biometrics on my computer with a free / open source OS wouldn't be scary like having biometrics on my computer with a closed OS and hardware DRM, of course.
For public / institutional networks though, I can't help but wonder where it's going. But on the plus side, at least if big brother runs on Linux I won't worry so much about script kiddies stealing my identity.
It's Lenovo's T42 Notebook now
-- www.globaltics.net
Political discussion for a new world
...what I want is retinal scanning!
I'd imagine the patterns in our eyes are more difficult to duplicate for nefarious purposes than our fingerprints, which (besides the cool factor) would mean increased security... On the other hand, I'd rather have the arch-villain chop off my finger than carve out my eyeball.
Oh wait, no.. that was T-43 not T42. My bad!
OK, so the Merc was worth USD 75,000 to the thieves, a little more than a laptop. But if a dead finger works, a plastic replica would work as well. Before using a system like this, it may be worth considering the value that the data on a laptop might have to unscrupulous rivals ...
Is it worth this kind of horror to protect the laptop itself? There are easier and better ways to protect *data*.
More to the point, how long until I stop getting spam from gmail accounts???
How on earth do I change my login data once it has been compromised? How do I randomly regrow a new fingerprint? Or retina?
At least you can change them.
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
In MacOS 9, one could use a "voice-print" to log into their user account right out of the box. This isn't in OS X, for some reason, but it used to be there. Then again, at least OS X has real users, and not an At Ease retrofit.
Anyone know the state of support for fingerprint recognition with Familiar on the Ipaq's that have the scanner? I've got one of those, and would love to switch to linux, but am worried about this and wifi support.
Get user to scan finger on an equivalent scanner. Somehow.
Save data.
Electronically remove the scanner and plug in an electric equivalent. System is shot.
Acquire a full set of fingerprints from a glass or a drink can or laptop (normally only one person has handled it recently). If this is not a 3D scanner.
Feed this information into a scanner replacement.
Bye bye protection.
Final methods, most problem method from a law point of view.
Kill the person required and use their dead hands.
Cut off both hands and take the laptop to get the information.
Biometric means more reason to kill the user. Since killing the user is the best method. Heck in Australia you get 15 years for computer crime anyhow and for murder you will get 15 years so really what is the difference. The grade of jail, that is about it.
Really think about if the hacker thinks he has a chance of acquiring the information by stealing the laptop and not killing the person. He/She thinks there is no chance they will kill the person.
Better method: passwords take X amount of time to crack. In build a hard drive self destruct if hard drive is not returned to coded cradle inside X amount of time data will be destroyed.
Reason kill the user they cannot tell you the password so no point. Don't have the cradle data will be lost anyhow. Crack open drive auto activate self destruct.
And if everything is time locked heck the hacker is stuffed.
You don't even need to go to the extreme lengths of chopping off someone's finger...
All you need is some fingerprinting dust and some clear tape. Dust the laptop (paying particular attention to the central keys on the keyboard where the index finger is most likely to be used, but try the back too, as that might have been brushed off recently, then picked up firmly using several identifiable fingers), pick up a selection of fingerprints with the tape, et voila.
Unless, of course, you always wear gloves when using your laptop...
"Nothing can shake my belief that this world is the fruit of a dark god whose shadow I extend." - Emil Michel Cioran
Sadly, AuthenTec still lags behind and I still can't use the built-in fingerprint sensor in my laptop.
When will hardware companies realize that providing documentation and software increases sales?
My boss has one of those Microsoft keyboards with the fingerprint scanner. It does not work for Windows logins, only for things like passwords on webpages.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 Whoops, silly middle mouse button...
...once it's broken, you don't have many options for a new 'password'.
Bullshit.
W2k and XP implementation of smartcards sucks and is 1/2 assed, requiring a "surprise" windows server on the network to use them.
the fingerprint crap is CERTAINLY not built into the OS but a crappy add-on application that does not work worth a damn and will not work decently with active directory and domain models. It's a "toy" for people to use at home nothing more.
when they pull their heads out of their asses and implement it right and you see it easily deployed in corporate without special software requirements (and the morons at IT let it happen) then I'll agree..
Until then it's still a half assed bolt-on.
I wish companies and .gov would stop pushing biometrics as the end-all solution to password & user security.
If the server where the passwords are stored is insecure, then the passwords are insecure!
The only benefit that fingerprint scanners offer is the instant ability to have 10 different passwords "at your fingertips"!
Downside: I have to label each of my fingers so I know which password belongs to which site. Well, there's one finger that i don't need to label, that special middle finger is reserved for just one site.
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
Well actually breaking the fingerprint authentication is not simple but it's not foolproof either.
One of the places I worked had fingerprinting for attendance. After it was introduced some smart chap figured how to fool it; put his fingerprint with some kind of ink on a transparent plastic strip, and the system was fooled. I don't know how the system functions but if the laptops or whatever security mechanism uses only fingerprints to authenticate you, believe me you should be wiping off every fingerprint you leave on anything, else your fingerprint will be photographed, reproduced on some kind of sheet and your security is as good as none.
Sorry this is a misinterpretation. When I said you can use finger in linux I didn't mean biometric identification, I really meant
strider44@strider44:~$ finger strider44
Login: strider44 Name: strider44
Directory: /home/strider44 Shell: /bin/bash
When configuring the system, you provide original prints from any number of your fingers. It suggests you provide 2 of them. Then, you just have to slowly pass any of the fingers on the sensor for it to authenticate you. So for instance, you could make sure you have an electronic print of your right index finger and of your left ring finger. I suppose the redundancy is meant to make sure you have a back-up the day you nicked your finger doing DIY during the week-end.
If you want to change the print (the same way as you would change password), you just remove some existing prints from the authentication DB and replace them with new ones. Then you just have to remember what finger to use this week.
Finally, there is always the solution to press CTRL-ALT-DEL to get a normal password prompt.
So, all in all, the way it is implemented in Windows is not as a substitute to the standard password authentication but as an extension that makes it easier for you, the owner of the machine, to log in but not more difficult for a third party to do so.
I quite like the way it's implemented on Windows but it would be nice if its use could be extended to provide digital signatures and authentication to other systems, such as a Firefox plug-in.
I forgot to mention: the Windows XP implementation doesn't come out of the box. It's an IBM extension that is provided with the T42.
I also referred to the preposterousness of the alternative reading, since the scope of "Linux" is so broad. Of course, a good editor should also be a good writer--and a good writer will not write such ambiguous and misleading stuff in the first place.
Since the introduction was so misguided, I admit I didn't even read the article. There's no reasonable way it could be talking about something else like an add-on fingerprint scanner, because in that case it wouldn't be limited to the T series.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
I see how that applies to fingerprint storage, but not recognition.
Can you explain further.
Exam 4/C again. Maybe I'll do better this time.
That's the best way to get your prints digitalized and stolen over the net.
I don't want to be accused of the murder of a Colombian drug lord.
Well I don't own a ThinkPad so I'm only speculating, but I think the author was suggesting that Windows itself doesn't come with fingerprint recognition, though the version installed on the ThinkPad probably does. Now if this is indeed the case the author might be right that Linux (or rather a "normal" Linux install) might be the first OS to have such a feature "out of the box". However, as I said, I think it's really irrelevant, because who cares as long as it works..
http://www.qrivy.net/~michael/blua/upek-announcement.html
the LinuxBiometrics.com forum should be back shortly.
I have had a Digital Persona Biometric Fingerprint scanner that I have been trying to get working for ages now. It works great in Windows, but I haven't yet found a program to get it to actually perform in Linux. It is USB, and does get identified by hotplug. Digital Persona does provide an SDK for their devices. My opinion is Biometric authentication will be a pretty regular standard in the future.
You know they're insecure because you can already buy commercial advertising space in people's fingerprints online.
-- Watch the REAL Jon Katz.
Short Answer: It depends on the scanner.
Optical scanners work using an image of the print itself. The finger is pressed against glass, so that at a particular angle the print is very clear.
Capacitive scanners work using a grid of electrodes: the higher parts (ridges) disrupt the conductivity of some electrodes, and the lower parts (valleys) don't. This pattern of disrupted capacitance is the print.
The best capacitive scanner will be able to tell from sweat in the pores if the finger is live, or if it has been chopped off. Likewise, glue or images will not work.
An optical scanner is much easier to fool.
If you are simply looking to mess up your fingerprint to avoid identification the 3M liquid bandage stuff is the best.
You're right about PAM, BTW.
But there's no point using fingerprints for authentication. They've been widely discredited. Most commercial fingerprint readers can be fooled with a surgical glove filled with warm water. If you really wanted to you could print a replica of the print (which people tend to expose readily) but in most cases, the print from the last user is left on the device and you don't even need to.
The only biometric I can see being remotely useful is data on fingernails (see boingboing recently - if you don't know what boingboing is, it's where slashdot get their interesting stories). Unlike most biometrics, fingernail data makes it easy to replace compromised credentials.
Who says they are? As one who has over a decade of technical experience in the field, I can tell you that there is not a single objective scientific study to support the belief that fingerprints are unique. You can be equally sure that if it were ever proven that they are not, it would be a disaster for law enforcement all over the world. There is a powerful incentive not to find out. There was a time when everyone knew the world was flat. That "knowledge" had no impact on the truth of the matter.
There is not nearly enough love in the world, but there is far too much trust.
And if you're going to say "but windows doesn't really do it by itself out of the box," then be fair - linux doesn't either. Linux does almost nothing out of the box, and everything it does do is an add on.
or else!
I think that means 'without having to install any drivers'.
I use fingerprint authentication right now with my T42p Thinkpad (with preinstalled Windows). I did not have to install any drivers: it just worked "out of the box".
Interesting how my GP post got moderated Redundant? It is my experience of sysadmin's 10 years in active Windows/Solaris/OSX/Linux/AIX usage.
:)
:)
But of course, this is slashdot, lot of things can't be taken seriously here
Peace
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
I use it on my T42p Thinkpad, and it works beautifully. I use it for my power-on password, my hard disk password, and to log into Windows.
It's even smart enough to ask me to authenticate only once for all three when I'm booting up, and not for each one.
So far (about 2 months) I'm quite impressed.
Am I the only one thinking outside of the shoe? We leave fingerprints all over the place -- drinking glass, doorknobs, eyeglasses. When they create a device that you can stick your foot in for authentication.
ewe sorry, this is going in the wrong direction.
Having to work for a living is the root of all evil.
I like it when my own devices can authenticate me with biometrics. Because when they fail, it's my own problem. False negatives can be retried without consequence, and false positives are usually manageable because I control physical access to the device. And, if the errors are unacceptable, I can do something about it, because I control the device. Public authentication, especially surreptitious auth by the government, flips the script. Those devices control me, whether I know it or not. If they're working against me, there's nothing I can do about it. Especially if they're covert. And their false records can last for years. In the case where my security depends on public auth of "bad guys" who escape detection, I'm double screwed.
The biggest problem with these devices is the faith that lawmakers have in the marketers of the devices, neither of whom really care whether it works - only that their check clears the bank.
--
make install -not war
The fingerprint bypassing technique with the gummy bear and surgical glove doesn't work with the fingerprint scanners in the "slit" design, where it uses a type of 'radar' and other patented technology to verify the finger is 'live' - using a slit doesn't leave an imprint of the prior user, also using this technique gathers more of a print since you slide it from the first skin fold to the tip (an area usually larger than most of the typical square FP readers).
Some readers actually do look for blood vessel fluctuations (e.g. heart beat) in your finger, along with the actual topography of the finger, not just a picture (e.g. Digital Persona) type of readers.
Those who think biometrics are better than password systems, ought to think twice. While passwords can be changed when compromised, biometrics cannot.
There is a scene in a James Bond movie where JB uses a glass eyeball that has someone's retina pattern in it to gain access to a secure building. Also, all biometrics must be converted to some digital pattern. How long will it be before some malicious person gets these digital patterns and figures out how to plug them into the software that authenticates the biometrics thereby bypassing the reader?
Once compromised, you can't change your fingerprint or retina!
The fingerprint scanner is a convenience, and is actually pretty finicky (e.g. it won't work until your fingertips unwrinkle after a shower). I have one, and seldom use it, because it's faster/more reliable for me to type the password than to scan a finger a couple of times. Although I suppose that you COULD get a basic login using my severed finger, if it was nice and fresh and clean. . . oh my!
I'd still rather not have to take out a contact lens every time I need to authenticate...
Help us build a better map!
can you imagine all the places you leave finger prints during a day, not to mention how easy it is to lift a print and make a copy?
"You know, you've gotta watch it with those circular saws," Tom said off-handedly.
The T42 is an excellent machine. I currently have one and due to work, I need it to have Windows XP on it since it's owned by them, but soon I am looking into seeing if I can put a Linux partition on it. Got to be careful so I don't toast my work setup on it. It's nice to see that the fingerprint reader is getting support....BUT this device seems to be a little flakey, to me. The one in the iPaq h5555 was better.
Gorkman
Remember the Madrid Bombing? A US lawyer was arrested since his fingerprints sort-of matched, despite abundant evidence that he didn't leave the country at the time.
Oh well, what the hell...
Raising the other question - competence to judge comparisons between fingerprints does not seem to be in abundance. Again, there is always pressure to solve cases and find somebody to hold responsible. This pressure does not always lead to a true finding.
There is not nearly enough love in the world, but there is far too much trust.
It does indeed work for logins. I have one myself. Good for the lazy one who wants to save a few keystrokes by just touching a finger to the red light.
I took my laptop out of the box, turned it on (booting win xp prof.) and enrolled my fingers for authentication. Then I logged on using the enrolled fingers.
Will Linux be the first operating system to have integrated biometric user authentication 'out of the box'?"
So sorry, just not going to be the case.
Fortunately, there is yet no research into integrating the mons or frenulum or cossicks for biometric security. Those would be more like bio-HAZARD... I suppose a wire or chip could always be clamped to the delta carotid
... be considered in the first ten of anything.
Which is why I laugh about "innovation".
The best thing about fingernail security devices is that when someone wants to steal your ID, they don't need to cut off your finger. The way I see it, less harm to me is a good thing, so I'm all for it. :-)
Karma: It's all a bunch of tree-huggin' hippy crap!
Or indeed any sharp implement such as a kitchen knife that could result in you having to wear a plaster around your finger and not be able to log in :-)
I know this is way late, but is anyone else using Epiphany to post to this thread? It's kind of eerie seeing the toes of that foot moving around.
Ops, I shuld have usd the prevuwe but in.
Summary here or check Slashdot, its probably been covered here before.
Help poke pirates in the eyepatch, arr.