Face Recognition Goes Mainstream For Notebooks

MojoKid writes "Consumer and business-class computer security has clearly become more sophisticated over the years. Recent advances in recognition technology have brought forth new capabilities, like what can be found in Toshiba A305 series notebooks. Toshiba's Face Recognition software allows you to log in to the system simply by having your face properly recognized by the integrated webcam during Windows startup. Of course, the system's TrueSuite Access Manager also allows you to do the same, only using your fingers and the integrated fingerprint reader. However, TrueSuite goes a step further with the fingerprint reader, also allowing you to log in to Web sites, applications, and networks as well by using just your fingerprints."

Reliability

[negRo_slim]

Considering windows is already loading by the time this system kicks in I'd say it's value is zero.

Re:Reliability

[bloodninja]

Considering windows is already loading by the time this system kicks in I'd say it's value is zero. Windows may be loaded, but the user account (ha!) is not.

At least it is better than the fingerprint detectors, where your fingerprints are already all over the machine for the taking.

Re:Reliability

[Poorcku]

my lenovo boots nothing until i provide the fingerprint authentication. not even a live cd from ubuntu or knoppix. Now i am not an expert, but it does provide a certain ammount of security. Of course someone who really, really wants to steal your data will do it no matter what. :)

Re:Reliability

[knighty_nz]

This shipped on a new laptop we got today, i have yet to make it actually identify me :). Seems more of a gimmick than a useful app. Insert Witty Comment Here -->

and the downgrade?

[ILuvRamen]

You know how laptops seem to be going downhill in speed and stuff and people are buying ones with waaaay slower hardware that don't even run windows. I never saw that downgrade coming (in the hardware, the OS isn't a downgrade!) but I wonder what the downgraded equivilant of this feature will be. I'm thinking fingerprint recognition or worse, ass recognition. You gotta sit on it lol. But seriously, you hold up a picture of the person and you're in. That's pathetic. And your webcam breaks? Uh oh, can't log in. So obviously there's an emergency thing where you can put in a text password instead. So what's the result of this amazing security feature? Another way to get in in addition to the text password! Total waste of time and money!

Re:and the downgrade?

[finity]

It'd be great to have computers with stereo vision... With so many computers now coming standard with pinhole webcams, surely they don't cost too much. You could place one webcam at each top corner of the screen and then the computer would be able to produce a 3-D image of its environment.

Now you have to get a 3-D model of the person's face instead of just a photo.

This whole thing could be really bad. Imagine someone that just underwent massive facial trauma. Now, not even their computer likes them.

Re:and the downgrade?

[value_added]

Total waste of time and money!

Yes and no. For someone buying a laptop and then making regular use of this technology, it's absurd, or at least little more than a toy when viwed from a security perspective. On the other, we all seem to be heading to a future where computers are, or least behave, in a more personal manner, so in that sense, this technology is, for lack of a better word, a really cool idea.

Then, consider that the world around around us is demanding increased security and is thus subject to increased surveillance and control. That's true from the CCTV cameras monitored by law enforcement, to the folks at your local DMV or voting precinct trying to prevent fraud, to the liquor store owner checking his store while he's at home. It's a fair assumption that with increasing interest in these technologies, we'll see a corresponding increases in research and development, which will, in the end, lead to widespread usage of whatever technology wins out, whether that's iris scans, fingerprints. forearm barcode tatoos, DNA, faces, or a combination of any of the above. If you took a vote on which approach people want, I doubt anyone would say "It's more passwords and PINs for me!".

If it becomes possible to replace every lock and key with some sort of recognition software, would you complain, or tout all the benefits? Or if you could save tax dollars by replacing local security on the streets and Home Depots everywhere with similar software, would you view that a good or bad idea?

Let's face it, the above scenarios aren't very likely, at least in the short term. We're still working on voice recognition. For now, however, it doesn't mean we can't have fun playing with Toshiba laptops.

Re:and the downgrade?

[Divebus]

This whole thing could be really bad.

The **AA will start suing everyone to get control over this:

"Access Denied - You are not the purchaser of these media files and may not listen/view them. Ever"

Re:and the downgrade?

The feature is surely a gimmick to reel in the non-techie crowd.

Re:and the downgrade?

[skeeto]

Now you have to get a 3-D model of the person's face instead of just a photo.

Same principle, now you just hold two different photos up instead of one. :-P

Re:and the downgrade?

[Znork]

we'll see a corresponding increases in research and development

I'm not sure there's much of an increase in actual R&D, most of what we're seeing in the biometric security field looks more like slick salesmen conning gullible people out of their money.

If it becomes possible to replace every lock and key with some sort of recognition software

Some sort of secure recognition software? Well, pretty much the only biometric factor that cannot currently be copied, surreptiosly picked up or faked is the contents of your brain. So that would be some device that could detect knowledge, for example, by the pressing of numbers on a keypad.

The difficulty of changing a PIN to your ID card may to seem preferable after changing your face for the third time. Or easier than spending your life in a latex catsuit as the insurance companies wont pay out if you've been spreading your biometric data around everywhere you go.

Using biometrics for security is a fundamentally flawed approach. They have a places as an _added_ factor, but for most purposes they're too easily compromised to replace a password, to hard to change to replace a token and add little extra security above a token and password combination.

Re:and the downgrade?

[plasmacutter]

uuh... the os is a downgrade

Re:and the downgrade?

[Haeleth]

The **AA will start suing everyone to get control over this:

"Access Denied - You are not the purchaser of these media files and may not listen/view them. Ever"

Nah, they'll just insist the laptops are also fitted with credit card swipe thingies. Actually, forget the webcam... ;)

Re:and the downgrade?

[Capitalist+Piggy]

You know how laptops seem to be going downhill in speed and stuff and people are buying ones with waaaay slower hardware that don't even run windows.

This is the perspective one obtains when only getting their news from slashdot. There's plenty of strong gaming laptops out there with lots of battery-draining power and they sell pretty well. For some reason, we only hear about Apple products, EEE PCs, and such on here. I suspect advertising partnerships, but I'm paranoid like that.

Re:and the downgrade?

[Acid-Duck]

I own a laptop which has a fingerprint reader, and the fingerprint is only meant as an alternate login method, i.e.: it can't be enabled without already having a password enabled for that account. So if, for any reasons, the fingerprint login doesn't work, I can always login typing the password associated with that account.

Also, facial recognition usually works by "storing information about facial features in a database and comparing it at login", I seriously doubt dimensions is excluded from that list, therefore your "all I need is a photo" theory is just plain stupid.

Re:and the downgrade?

[v1]

It wouldn't even have to be anything major or permanent. Imagine having to shave before you could use your computer, because it doesn't like your 4-o'clock shadow?

I wonder how big the percentage is of people that use their computer in the morning before they shave?

Or even for the ladies, that magical facial/hair transformation they call 'getting ready for work'.

That's be pretty annoying on a Saturday having to get up and get the shower and makeup on etc before your computer would let you login.

Re:and the downgrade?

[travisco_nabisco]

Actually, it is funny that this review is claiming this 'New consumer feature.' I bought a Lenovo Y410 in Feb, and it had been out for much longer than that, with the same feature. Except the software on the Lenovo isn't fooled by pictures.

Note: I find the feature to be a big gimmick, it is always faster to type my password than have it try to recognize my face.

Another Note: You can always choose to log on with a password instead of the facial recognition.

Re:and the downgrade?

[collinstocks]

It's more passwords and PINs for me!

Seriously, I will never trust security based on any sort of recognition, be it facial, iris, fingerprints, DNA, etc. The thing is that it is too easy to A) fake, and B) shoot yourself in the foot.

Because software recognizing anything always has to forgive a little, that breaks the security. Worse, how do you store the information of, say, a person's face? With passwords (on Linux) you hash the password with a salt, so that two people can have the same password and never know it. But what do you do with a face? Do you store the pixels? Do you store lines and measurements? Do you store color? In any case, this information actually has to be stored so that it can be compared with the live information from the fingerprint-reader or web-cam. That means lower security, since it might be feasible to read that information even if it is impossible to change. And if you can read that information, then you can replicate it in such a way that it matches the original information.

Regarding (B), say the person gets into an accident, has plastic surgery, gets stitches in their thumb, loses an eye, loses a hand, et cetera. Now they are rejected by their computer. But, if they had had a password or a pin, they still would have been able to log in. At this point, I am repeating what has already been said, so I will stop now.

As a comment on DNA, that should be easy to collect, as it is all over your computer. Or, if there isn't enough of it on your computer, it must be set up in a way where you have to take a cheek swab or a blood sample every time you want to log in, in the first case the garbage will do to find your source, and in the second, well, who really wants to do that just to log into their computer anyway?

In short, I am perfectly serious when I say, "It's more passwords and PINs for me!"

Re:and the downgrade?

[Tubal-Cain]

But these pictures have to be taken more carefully. you can't just grab a portrait of them off the wall.

Cut off fingers?

[David+Hume]

However, TrueSuite goes a step further with the fingerprint reader, also allowing you to log in to Web sites, applications, and networks as well by using just your fingerprints.

Great. So now somebody has an incentive to cut off my fingers.

Re:Cut off fingers?

[Ieshan]

I realize the parent is probably a joke, but it has become a pervasive story on Slashdot that biometric ID is bad because of things like this ("the criminals might cut off my thumb!").

Biometric ID has it's bad points, and certainly, in the most secure settings, you'll probably want to make sure you have contingencies for these. But these are not notebooks designed for the FBI, they are designed for the security conscious business user.

With that in mind, suppose, today, that a criminal was sitting before you with a knife, threatening to cut off your fingers one by one if you did not give him your notebook password. Are you really willing to sit there and tell me that you would rather have your hands butchered than give up your text-based password?

If someone was really willing to go to lengths like cutting your fingers off, then they probably have all sorts of incentive to do all sorts of awful things. I'm not sure Biometric security appreciably changes the situation for 99.9% of users.

Re:Cut off fingers?

[robo_mojo]

What would you rather have cut off, your fingers or your face?

Re:Cut off fingers?

With that in mind, suppose, today, that a criminal was sitting before you with a knife, threatening to cut off your fingers one by one if you did not give him your notebook password. Are you really willing to sit there and tell me that you would rather have your hands butchered than give up your text-based password? That's where plausible deniability tech comes in. You'd give the criminal an alternative password which works but decrypts a dummy disk instead.

Though, the same technique could work for fingerprints. One finger gives you the real files, another gives you the dummy. Though testing for this isn't that hardm as there are only 10 to check.

Re:Cut off fingers?

[siddesu]

don't worry about your fingers. if someone has you where they can cut off your finger off, they'll probably just beat you a little before you give them access yourself.

Re:Cut off fingers?

[giafly]

Great. So now somebody has an incentive to cut off my fingers.

Fortunately there are less painful techniques.

Basically the hacker "lifts" your fingerprint and copies it onto latex/gummi/clay. Or just hacks the device-driver.

Re:Cut off fingers?

[finity]

But these are not notebooks designed for the FBI, they are designed for the security conscious business user.

That's the problem. People believe that these things are secure enough for the security conscious business user. Laptops are stolen all the time, whether for corporate espionage purposes or for resell value. The thing most people don't realize is that you don't have to cut someone's finger off to use their fingerprint on common scanners. There are many ways (the gummy bear technique) to fake a person's finger and print for these cheap fingerprint scanners.

How hard is it to type in a ten character password that means something to you? It becomes muscle memory after a while. I've used some of those scanners before and it took longer to load the software, recognize my finger and relay that to Windows than it did for me to enter my password. And that's when the scanner was clean. I think biometrics are a case of giving people what they think they want, when they want things simply because characters like Jason Bourne use them. It's capitalism, so whatever. Just don't fall into this security theater trap.

Re:Cut off fingers?

If it works anything like HP Credential Manager you can have it require both a fingerprint and password. For added security you can require a smartcard too.

Re:Cut off fingers?

[Paul+Jakma]

With that in mind, suppose, today, that a criminal was sitting before you with a knife, threatening to cut off your fingers one by one if you did not give him your notebook password. Are you really willing to sit there and tell me that you would rather have your hands butchered than give up your text-based password?

I'd rather the criminal could just take the laptop without ever having to threaten me, TBH. Similarly, I'd rather have a car with old fashioned mechanical locks on the doors and ignition (the UK is seeing an increase in burglaries perpetrated to steal car keys, due to use of electronic locks, particularly on more expensive cars).

Increased security is not without side-effects. Particularly when applied to goods popular with thieves, such as cars and laptops..

Re:Cut off fingers?

[moonbender]

Are you really willing to sit there and tell me that you would rather have your hands butchered than give up your text-based password?

No, of course not. I'd give up the password in an instant. That's the point! There better be a text-based alternate login.

Re:Cut off fingers?

[bloodninja]

One finger gives you the real files, another gives you the dummy. That technique is very popular on the interstate.

Re:Cut off fingers?

Are you sure someone needs an incentive?

Re:Cut off fingers?

[thermian]

it would be useful if the laptop had been stolen and you weren't there as well. Otherwise the only secure system is to not have a laptop in the first place.

Re:Cut off fingers?

[unlametheweak]

With that in mind, suppose, today, that a criminal was sitting before you with a knife, threatening to cut off your fingers one by one if you did not give him your notebook password. Are you really willing to sit there and tell me that you would rather have your hands butchered than give up your text-based password? It's not a realistic scenario; if you were sitting beside a criminal then they could just force you to put your fingers onto the finger print reader (no amputation required). In general, a criminal would not even need your actual fingers, but just your finger prints.

I would suppose that the computer algorithm would probably just need the md5 hash of the finger prints.

This technology makes security more interesting, and not necessarily more foolproof.

Re:Cut off fingers?

[Zironic]

I'm not sure how much plausible deniability helps when you're being tortured

Re:Cut off fingers?

[Znork]

In general, a criminal would not even need your actual fingers, but just your finger prints.

Which are usually available all over the nice glossy surface of laptop itself. Unless you're always wearing gloves.

This technology makes security more interesting

Like most buyometrics I'd say it mostly makes security more profitable. Nothing like high-tech snakeoil to part the gullible from their money.

Re:Cut off fingers?

[MrMr]

Great. So now somebody has an incentive to cut off my fingers.

Better still:
Now the thief of your luggage has more use for your dead body than for you alive.

Re:Cut off fingers?

[the_olo]

Well, you obviously base your argument on false presumption that a criminal has immediate access to you and the notebook at the same time, same place.

However, if this is not true (e.g. they stole the notebook first and hidden somewhere, then discovered the need for the fingerprint and got to you - the owner), they are very likely to cut off your finger whether you're willing to cooperate or not. It's simply so much easier to move around the city with a cut off finger than with a kidnapped person (or corpse thereof).

So you got your threat modeling wrong.

The password, however, is much more transportable. When you reveal it they can even call another one of them that sits with the notebook somewhere and test whether you've lied, so they can leave you alone earlier.

Re:Cut off fingers?

[maxume]

With a password, they need me to cooperate once.

With a fingerprint, they need my finger.

Despite the "if that's the situation you're already screwed", I'd prefer having the opportunity to cooperate.

Re:Cut off fingers?

[yakumo.unr]

March 2005 this had stopped being a joke: http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm "Malaysia car thieves steal finger"

Re:Cut off fingers?

[WetFreud]

How hard can it be to determine whether there is actually any circulation in the finger on the sensor while reading the print? They already use lasers to measure blood flow, and it's not like we need a very accurate measurement. A fairly rough likelihood of being alive or dead would do.

Re:Cut off fingers?

[CastrTroy]

Well, I know which one makes for a better movie.

Re:Cut off fingers?

[pesc]

Laptops are stolen all the time, whether for corporate espionage purposes or for resell value. The thing most people don't realize is that you don't have to cut someone's finger off to use their fingerprint on common scanners. There are many ways (the gummy bear technique) to fake a person's finger and print for these cheap fingerprint scanners.

If I stole your laptop I probably wouldn't have to bother with the fingerprint sensor to get at your data. I'd just rip out the hard drive and connect it to my computer.

Do you say your drive is encrypted? Then where is your encryption key stored? I'll bet it is on the hard drive or in the computer. I hope no one thinks the fingerprint IS the encryption key.

Re:Cut off fingers?

[finity]

I agree totally. I'm glad I'm not a paranoid security guy or I'd have a lot of trouble living a normal life. I've used the "plug an HD into a different computer" trick frequently, several times just to change a user's password easily. Almost every time that I've done it in front of even computer literate folks, they're shocked. It's surprising how secure most folks think that password makes their computer.

Evil twin

[tsa]

I guess when my evil twin gets hold of my shiny new face-recognizing laptop I'm doomed.

Re:Evil twin

[mrbluze]

I guess when my evil twin gets hold of my shiny new face-recognizing laptop I'm doomed. Bit only if your evil twin holds a photograph of himself in front of your PC.

Re:Evil twin

You'd just have to make sure the face recognition didn't allow logins by your face with a mustache and goatee.

Re:Evil twin

[zmollusc]

Only once EvilTsa shaves off his goatee beard.

Re:Evil twin

[WetFreud]

Yet another reason to use fingerprints. Identical twins don't have identical prints.

Re:Evil twin

[CastrTroy]

I wonder how loose of a picture you could use. Most facial recognition works by measuring the distance between the eyes, and other features on the face. Could you just draw the basic features of a face with the right proportions to get into the laptop?

Re:Evil twin

[arnoldo.j.nunez]

Only once EvilTsa shaves off his goatee beard. Would that be with a blade razor sharp edge?

Re:Evil twin

[tsa]

So they are essentialy non-identical twins :)

This seems so gimmicky.

[Capitalist+Piggy]

Really, if people are worried about security, then they should probably be looking at the copy of Windows instead of investing in gimmicks. Something tells me the ability to circumvent a program running during Windows startup is going to be relatively easy, no matter what form of trickery it uses.

It's also likely the package is designed to be circumvented out of the box, as there could be some painful customer support issues if their software ever manages to lock out a legitimate user without such a feature.

Even with this, there's nothing to stop a common criminal who will just nuke and pave the system for export to South America or another country, which occurs quite often.

Re:This seems so gimmicky.

[kvezach]

I wouldn't be surprised if the program did something like this (under disassembly):

push pointer
call GetAndProcessFace
push eax
push storedinfo
call CompareFace
test eax, eax
je badboy_logout
;Else good user, so terminate program
as the same user who it's designed to protect, instead of being linked to something secure like disk encryption under a password derived from a biometric hash. And with face recognition, it also has to deal with replay attacks, and again, it wouldn't surprise me if it didn't.

Re:This seems so gimmicky.

[Bri3D]

so you mean... it's like windows password authentication too?! that's almost exactly how windows auth works, and that's why it's so easy to bypass with any kind of direct memory or debug access (i.e. kernel debug mode, FireWire DMA, etc.)
making face authentication secure (i.e. linked to drive encryption) is a TERRIBLE idea, because faces can, do, and often change. you could get a broken nose. you could get burned. you could get slashed. you could lose teeth. you could get plastic surgery. and then you lose all your data? stupid.
just like Mac OS's old voiceprint authentication, and just like the way fingerprint authentication is usually done on laptops, it's for convenience, for keeping your roommate/sibling/mom from looking through your data when you're not around, or to keep bob from down the hall from sending nasty emails from your account, without the hassle of remembering a password (or the relative insecurity of keeping a sticky note with a complicated password on the monitor, although that method is actually *very* secure against remote attacks.)

I presume this is only for personal use

Because obviously someone could just hold a portrait photograph in front of the webcam and log in as you.

easy to fool..

[jnnnnn]

Can it spot the difference between a live face and a photo?

Sounds like a bit of a gimmick to me.

Re:easy to fool..

[It'sYerMam]

Seems to me like the software ought to ask you to perform a short sequence of gestures with your face - this would be nigh on impossible without having your present and coerced. Not that you'd want the criminal to have an incentive to coerce you, but it'd certainly be more secure.

I won't ask....

However, TrueSuite goes a step further with the fingerprint reader, also allowing you to log in to Web sites ... by using just your fingerprints. ...what print you use to logon to porn sties using this system.

Re:I won't ask....

[nawcom]

unfortunately this type of security has already been defeated.

Oh no! Not again.

[pesc]

From TFA:

It is important to note that both fingerprint and face-recognition technologies are not foolproof--there are a number of known, low-tech means of circumventing them. As such, depending on how secure access to your system, data, and Web sites needs to be, you might want to think twice before relying on these alternatives to typewritten passwords.

Right! Such as presenting it with a photo of the owner. Or using one of several well-known techniques to lift a fingerprint from somewhere (the computer itself?) and create a fake finger.

Why isn't this kind of "security" generally laughed at by the consumers?

http://www.youtube.com/watch?v=LA4Xx5Noxyo
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/

And from 1998:
http://www.schneier.com/crypto-gram-9808.html#biometrics

Re:Oh no! Not again.

[IrritableBeing]

You have a point mr. pesc. But if they only allow live web cam feeds of said persons face, then why would this be a bad idea? Other than people having similar facial shapes and features? But I think we're assuming here the software is capable of such recognitions...

Re:Oh no! Not again.

[drgruney]

Because it's like a movie.

Re:Oh no! Not again.

[MojoStan]

Right! Such as presenting it with a photo of the owner. Lenovo's face recognition system for their notebooks supposedly cannot be fooled by high-resolution photos. Of course, this is coming from a Lenovo-run blog, so it may not be objective. From the blog article:

• "Of course, a feature like face recognition invites play, and what better way to play than to try and fool the software.

  First up was an 8 x 10 color glossy photograph of yours truly (with circles and arrows and a paragraph on the back). No matter how I held the photograph, no matter whether the security settings were set high or at their lowest setting, no matter what angle I held the photo, I was not able to use it to log onto the system. The result was exactly what I had expected - that the software was smart enough to distinguish a face from a picture of a face."

The article also describes some techniques that facial recognition software uses, but doesn't say very much about what techniques Lenovo uses. Maybe it's secret.

• "Depending on the software used, face recognition uses multiple techniques to identify a person's face. Some of the more advanced programs use texture mapping in which a person's skin texture is analyzed and matched. Most however, define nodal points on a person's face and then use software to mathematically represent those points. Things measured include distance between the eyes, width of the nose, length of the jaw line, or shape of the cheekbones. Together these concatenate a numerical code which is stored in a database for later retrieval.

  One particular aspect of the software Lenovo uses is rather freaky. When you sit down in front of the camera, the system generates two white dots that follow your eyes. Of course, this is completely harmless and is nothing more than a few white pixels shown on screen."

Or using one of several well-known techniques to lift a fingerprint from somewhere (the computer itself?) and create a fake finger.

Why isn't this kind of "security" generally laughed at by the consumers?

http://www.youtube.com/watch?v=LA4Xx5Noxyo http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/

Lenovo claims to have that covered too. Instead of the finger/thumb "press," Lenovo's system uses the finger "capacitive slide." From their FAQ:

• Can fingerprint readers be fooled by hackers?

  There are a number of known attacks against fingerprint readers. Some are rather intricate, such as building a fake finger out of something like ballistic gel or soft plastic. Currently, there are no known attacks against capacitive slide technology, which is what our Fingerprint Reader offerings are based on. The sensor manufacturers keep on top of these attacks and continually update their devices to resist them.

Re:Oh no! Not again.

[growse]

Exactly. This is crap. The sooner that people learn that biometrics are largely unique, but rarely private (I can take a picture of you in the street, or lift your fingerprint from anything you touch), the sooner we'll stop trying to build security systems around it.

Add to that the whole non-revocation of credentials bit inherent in biometrics, and suddenly smart cards and passwords seem a whole lot more practical. Guess they're just not sexy enough any more.

Re:Oh no! Not again.

[Capitalist+Piggy]

"Depending on the software used, face recognition uses multiple techniques to identify a person's face. Some of the more advanced programs use texture mapping in which a person's skin texture is analyzed and matched. Most however, define nodal points on a person's face and then use software to mathematically represent those points. Things measured include distance between the eyes, width of the nose, length of the jaw line, or shape of the cheekbones. Together these concatenate a numerical code which is stored in a database for later retrieval.

This is all bad. What if I decided to grow a beard or spend a lot of time outdoors, getting various shades of skin from tan, pale, to burned? I'm betting on it being a nightmare for males due to the facial hair factor.

I had enough trouble with thumb readers at my previous job (which I was admin of the box and had like 30 scans entered in to make it more likely to identify one of my scans), and there would be days where either the temperature had a big swing where none of the readers would get a good read and I'd have to start knocking.

Oh and the worst thing about thumb readers is going to the bathroom and seeing one of our greasy developers leave from taking a dump, not washing his hands, and giving the reader a "stink thumb" on his way back into the office. This was the sole reason I started keeping hand sanitizer at my desk.

Re:Oh no! Not again.

[drinkypoo]

This is all bad. What if I decided to grow a beard or spend a lot of time outdoors, getting various shades of skin from tan, pale, to burned? I'm betting on it being a nightmare for males due to the facial hair factor.

Personally I just want the system to autologout if I walk away. Bonus points if I can feed it a picture of someone I dont want to use my computer if they come over to my house, so I can let everyone else have web access :)

Re:Oh no! Not again.

[mgblst]

For the fucking obvious reaons.

These are mostly to provide protection against laptop loses. You may be surprised but there aren't that many spies running around lifting people finger prints/getting thier pictures while stealing laptops, only in the movies really.

Now while I am sure this sort of thing does happen outside of movies, why don't you use your fucking brain and think about it for a second. Does it happen to the average person? NO.

I guess we should have locks, because someone can lock-pick/bump them.

Wow, mod me down all you want, but there are some stupid people around here.

Brian Damage.

[geckipede]

So the face recognition continues to work as long as you don't get smacked in the face, and you can continue remembering your password as long as nobody hits you in the back of the head. Now I don't have to fear people with hammers! I can log in no matter which way I'm facing when they attack me!

This is new?

[Verteiron]

From TFS: "However, TrueSuite goes a step further with the fingerprint reader, also allowing you to log in to Web sites, applications, and networks as well by using just your fingerprints."

Thinkpads have done this for at least two years already. The password manager app even has a plugin for Firefox. Mind you, I disabled it almost immediately because it adds an addition, out-of-place "Save this password?" prompt to every ever remotely passwordy prompt in Windows, IE, or Firefox.

But the functionality is there, and has been for some time. I hope these TrueSuite guys don't genuinely think they've got something new.

Re:This is new?

[Warll]

Ditto for my HP Compaq.

Re:This is new?

[soilheart]

Same for my HP 6710b (with vista).

Another gimmick

"Consumer and business-class computer security has clearly become more sophisticated over the years.

Rubbish. Without full disk encryption, laptops today are as vulnerable as they were 15 years ago. If anything they're *more* vulnerable nowadays, simply because we store more on them, keep them connected to the net all the time, and more people are using them.

Gimmicks like fingerprint readers and face recognition are worthless if someone steals your machine. Simply boot knoppix, mount the fat/ntfs partition and copy all that juicy data right off the drive. In fact this happened to a high-profile person recently - someone recovered Adrian Sutil's (F1 driver) discarded hard disk and tried to get money off him in exchange for not publishing his photos and emails.

Face recognition is probably good fun to try out in the store and maybe help sell a few machines. But disk encryption and strong passphrases are inconvenient and require a bit of work, so nobody uses it.

Re:Another gimmick

[Casandro]

Well there are still a few people left qho haven't noticed that biometics isn't complete and utter nonsense, even it's defeated in just about any TV-show or movie.

Besides having a camera in your laptop could also have it's advantages.

Re:Another gimmick

[owlstead]

True enough. Many laptops will have a firewire port that can directly address memory through DMA. I don't know how many hardware vendors are effected by firewire connections that can basically read all of the memory, but I think there might be quite a few around. Most people won't even know such holes exist, and I don't even know how widespread this problem is.

Re:Another gimmick

[novakyu]

Rubbish. Without full disk encryption, laptops today are as vulnerable as they were 15 years ago. If anything they're *more* vulnerable nowadays, ... keep them connected to the net all the time ... Not to overstate the obvious, but if you are worried about someone remotely hacking into a live system, full disk encryption does nothing, unless it's a kind of "disk" (more often an image used as loopback device) that you mount only when you are using it. The rest are just as vulnerable as without encryption, if you leave them decrypted all the time.

Now, wiith preloaded crapware! Do not buy.

[Animats]

The A305-S6845 comes with a fairly crowded Windows desktop, filled with icons for pre-loaded software and web links to numerous free offers.

This thing has substantial crap preloaded onto it. It even has Vongo pre-installed, which is very hard to uninstall. It has PowerCinema installed, which not only is hard to uninstall but uses resources when idle. And those are just the ones known to be malware. Buy from another vendor.

Re:Now, wiith preloaded crapware! Do not buy.

[plasmacutter]

wow. I knew HP was seedy, but if you actually read the damn thread.. these people are absolutely shameless.

they CHARGE YOU 20 dollars to remove something they charged another company to include into their machines, and which technically falls afoul of various computer crime laws by the very virtue that a computer's owner cannot remove it.

Re:Now, wiith preloaded crapware! Do not buy.

[maxume]

If you look at it as them charging you the $20 that they didn't get from the other company, the monetary aspect is less offensive. That assumes that they are getting $20 for installing it.

The fact that it is crap still stinks.

Re:Now, wiith preloaded crapware! Do not buy.

[plasmacutter]

look, they don't include other people's software in their factory configurations without being paid for it.

Such things don't come from nowhere, and it can be assumed theyre being paid for the "advertising" otherwise they would be violating copyright law by distributing the vongo software and liable for statutory damages which would destroy their company.

Re:Now, wiith preloaded crapware! Do not buy.

[maxume]

Yeah, I get it. My point was that you shouldn't be surprised that they charge more for a PC that is not being subsidized by Vongo. Vongo wants their software installed, so they pay HP, who can then charge less. If HP is not being paid by Vongo, they have to charge more to maintain their margins.

You are getting hung up on calling it 'removal' when really it is a 'Vongo free factory image' that costs $Vongo more than a PC with the Vongo image.

Re:Now, wiith preloaded crapware! Do not buy.

And the Windows key provided isn't a legal MS Key for reinstalling, so if you want to reinstall Windows with the license provided by Toshiba, you have to reinstall from their recovery disk, which restores ALL of the preloaded crap.

To justify their reinstall disk methodology, Toshiba support gave excuses that it was to stop piracy of Windows or that Windows couldn't be installed without their disk, because of drivers (of course all the drivers are on their website).

I'll never buy Toshiba again and I advise everyone who asks to avoid them.

Not really new

[Zorque]

My Lenovo ideapad has had face recognition for a few months now. It's actually kind of a nuisance having to line my face up with the camera every time, so I uninstalled it and went with a plain old password.

Nothing new here...

I purchased my dad a Lenovo laptop for Christmas and it came preloaded with facial recognition software.

We set it up so he could log in with it, but after playing with it some I decided he was better off with a good old-fashoned text password.

This is nothing new... maybe they are just trying to find reasons to push this laptop?

old tech

[sphazell]

I had face recognition via attached web cam on my Thinkpad T30 in 2002. And ive had all the above mentioned finger print features on my Sony TZ for nearly a year. Move along nothing to see here.

Face recognition leads to face targeting

[sweet_petunias_full_]

Actually it's not a PC with face recognition that brings this grisly thought to mind, it's those cameras that "lock on" to any face in the scene and hang on to it like a pit bull to its opponent's neck no matter how much they move around.

It seems to me that one would only need to add a rotating machine gun turret to one of these cameras to create an automatic firing system. One shot per face and then round-robin. You know, the kind that you don't even need to lift your head to look, it does all of the looking and all of the shooting with one click convenience? Well, sure, you may not think this will turn out so great in terms of friendly fire but one application that it would truly shine brightly at would be crowd control.

So, who wants to help beta test this technology?

Anyone?

How about if they offer to add your faceprint to the whitelist?

Re:Face recognition leads to face targeting

[drinkypoo]

Actually, some pretty young guys made a sentry gun mount and proved the concept with an airsoft gun... it got hits. Sentry guns are pretty easy, and so is getting a picture of someone. I admit, though, this does make it a bit easier. :P

Re:Face recognition leads to face targeting

[sweet_petunias_full_]

This one's easy all right, all that's missing are the leads with the signaling voltages to aim the turret.

Since this technology on the PC in TFA is supposed to identify individual faces, it might even be able to differentiate between friend or foe, though it wouldn't be a good idea to entrust anyone's life to its accuracy.

A previous slashdot story with an article from Rolling Stone revealed that the face recognition software sold to the Chinese by a U.S. security firm uses the distance between the eyes as one of the biometrics to identify people, and that this works even after people have aged for decades.

If so, once everyone on earth has their face in a database, all a leader has to do is push a button to send out a robot army against precisely specified targets, with all cameras also cooperating in the effort. Basically all of the robots can be hunting 24/7 for a person or group of people... and you hope they don't confuse you with someone else. After that, there is the possibility of a fully automated war where all of the enemy's faces are known in advance, and so are the friendlies, and it's basically a question of each side getting as many robots to a single location as they can. Of course, the winner of that will be the one with the smarter machines, and the next step of course is that the machines will become smarter than us and take over.

And all of that because we wanted to take better pictures. Tsk, tsk.

why not just use auto-login?

[robo_mojo]

A face-recognition login is orders of magnitude less secure than a good password. Considering the easy ways to defeat it (mentioned in other comments), why not simply use auto-login and forget about login alltogether?

Also, this isn't going to do anything to protect your files. You still need to use strong encryption, and you aren't likely to get that from face recognition.

Group Photo Everyone!

No fair hiding! I want to be able to see everyone's face in this shot!

identification != authorization

[QuantumG]

Man, what's so hard about that?

Use a high-res picture of notebook's owner

[wildem]

Just how does this banal system stand up against holding a high-res picture of notebook's owner in front of the camera. My guess, not very well.

What a waste of space.

[Jane+Q.+Public]

Fingerprint scanners have proven to be ridiculously easy to spoof, and I have no doubt that face scanners will turn out the same.

The best security is

[giorgist]

The best security

Something I know (password) +
Something I am (biometrics) +
Something I have (key)

Use all three for added security.

What we are seeing with laptops is that they are becoming commodities. Features are maxed out, people don't need any new ones.

So now we will have Ferrari editions, gell casing, wet feel touch pad, reflective screen (Why I have no idea) and a myriad of useless features trying to differentiate them.

Now is the time for Linux but then Linux is irrelevant. All you need is a box that will surf, run open office and you're done.

G

Yes, they do cut off fingerss.

[DingerX]

At least once in a while.

Of course face recognition is good: hold up a photo to the camera, and you're good.

Misleading title

[LordAlced]

It says "Face Recognition Goes..." then talks about fingerprints in the end? I think "Biometric Scanning Goes..." would be better.

More like:

[tastypotato]

False Recognition Goes Mainstream For Notebooks. I hardly ever can get the fingerprint reader on my laptop to work, and I can type my password about 10 times faster than I can swipe my finger and have it figure out if it's right or not. There's always going to be a text password in case of the inevitably happening like someone losing their hands. (Or face...)

Physical Acces

[pmontra]

If someone has physical access to my pc... all my data are belong to her/him anyway. These companies should scrap all these kind of biometric software development and invest in hard disk encryption. The fingerprint reader in my notebook is great to impress my friends but it's one of its weakest points. Another one used to be the firewire port but I disabled it.

State of the Art Fingerprint Scanner

[FurtiveGlancer]

Once they put a pulse oximeter in the fingerprint scanner, it will be dual purpose. It will be able to tell you whether you are getting adequate oxygen and it will keep you alive until after the bad guys force you to log on. ~

The Stylish Beard of the Week Club

[FurtiveGlancer]

is not going to like this!

I have one of these laptops...

[Syrente]

...and if your webcam breaks or you've changed your haircut/face drastically then the machine just lets you log-in as normal (username and password).

However, when I read my manual it also said, "People with similar faces might be logged in to your account by accident." So I decided to not use this feature. It's pretty good for people with distinctive faces, though.

Re:I have one of these laptops...

[blueswan1]

There may be a problem with the configuration of his system, but one of my friends had facial recognition for login and it let everyone in, if they sat in front of the computer.

Re:I have one of these laptops...

[ILuvRamen]

well no worries for me as I look a distinct mix of German and Dutch, which I am, but I guess they won't work in asian countries lol

sounds like a good lock

[alizard]

Good for separating honest people from temptation.

Otherwise, if the "bad guys" have access to your machine, you're Pwn3d. Demos have been done using pictures of people to fool facial recognition software.

Of course, if an owner has cosmetic surgery or a really nasty accident, it's the owner who'll get locked out of the machine. If they want to use biometric ID for anything but security theater, they need it as part of at least two-factor authentication. . . meaning "something you know" (i.e., a password) or something you've got (e.g. an RFID token key)

Re:sounds like a good lock

[Beltonius]

I (briefly) had an HP business laptop (nc8430), and while I had a plethora of hardware issues compounded by poor tech support, I thought it's security suite was fantastic...better than what's on my current Thinkpad T60. It allowed me to choose which factors I wanted used for accessing various things, from logging in to handing out website passwords: password, fingerprint, smart card or USB 'token' (eg it would put a key file on an attached storage device). I could've had 4-factor authentication to log on. That would've been ridiculous, but I liked having the option, and if I'd had the damn thing long enough to get a smart card, I would've used that too, just for kicks, if nothing else.

Re:sounds like a good lock

[d4t4c0ntr0ll3r]

Can I not just get a photo of you and hold it up?

Re:sounds like a good lock

[vertinox]

I dunno. Current passwords and security simply prevent casual access.

I mean... Take OS X for exampole. Just pop in the install CD and you can enable the root account and reset the system password. There are plenty of 3rd party apps for windows that do the same thing (actually I'm sure MS even provides some tools on MSDN for admins).

You could setup a password required to boot from CD or another drive, but if you have physical access to the machine you can usually take out the hard drive and put it in another machine.

My point is... Having a finger print or facial recognition security system is no more secure than a passworded computer that the person (obviously) has physical access too. If they are sitting at your desk and able to type in a password or put in a picture, its already too late.

In an open cubicle area sometimes this is rather difficult to stop, but usually people notice someone unfamiliar putting gummy bears on the finger print scanner or photocopy of someone else image in front of the camera.

At which point you should be asking how they got the front desk without a badge... And if its a coworker they'd probaly be able to social engineer the password anyways from sticky notes or watching their coworker.

Like most security measures... Its there to keep honest people honest.

And about that last comment... Biometrics are usually used in conjunction with the old password system. So if something did happen to your face or hands, you could still get in with the original password by typing the old fashioned way.

Re:sounds like a good lock

[poetmatt]

combination approaches are better, I would definitely agree with that. They explain the basic premise of "1 password is not enough" but it becomes increasingly hard to remember stuff like that...and if it's too simple, then it's too easy to guess...and if it's too complex, then you'll lock yourself out.

And if you have any sort of failsafe in place for when you lose your passwords, people will use that to obtain access.

Basically, the moment anyone has physical access to your machine fingerprint readers make it easier, usb tokens make it easier, facial recognition makes it easier (chances of you having a photo around somewhere near your laptop? probably pretty likely unless you are robbed/stolen in public.

I don't mean to rip on what you say, I just think it's hard to come up with a real security system that would work. Maybe one where you have to enter a string of acharacters and then after that you can continue to type anything (:and as long as the string matches the rest auto-matches).....so that you could randomize your own password every time....thats the only idea I can come up with off the top of my head that might be a first step towards improvement.

What I mean is like....password is john1234....as long as in the entry box you start with john1234 you can follow that up with john1234hasabunnyinthecookingpot would still be accepted as long as the exact string wasn't recently used....course this leaves open brute force vulnerabilities so I think its back to square one....would only maybe help if soeone was trying to steal your password by watching you/catching with a keylogger. /resigns //if someone's going to hack you, steal your info, etc....you're fucked....thats the basic end of it anyway

Re:sounds like a good lock

[Beltonius]

Well yea, physical access, unless very temporary, basically means game over. No question. However, when fingerprints/passwords/smart cards useable for boot-time security it helps, at least in situations when an attacker doesn't have permanent physical access to the machine. It's amazing what people can retrieve if they can do whatever they want to the machine...eg literally freezing the RAM and moving it to a new machine and pulling passwords etc off of it.

Re:sounds like a good lock

[Bender0x7D1]

Of course, if an owner has cosmetic surgery or a really nasty accident, it's the owner who'll get locked out of the machine.

It doesn't even require something traumatic. What about if someone decides to shave their beard. (Or their friends decide to do it for them while the are asleep.) Now we are talking about regular situations like: "I need to look presentable for my job interview. Oh no! I can't get my resume off the computer!"

Re:sounds like a good lock

[Sigma+7]

I mean... Take OS X for exampole. Just pop in the install CD and you can enable the root account and reset the system password. There are plenty of 3rd party apps for windows that do the same thing (actually I'm sure MS even provides some tools on MSDN for admins). Certain features of the OS, such as encryption/stored passwords, sometimes get erased or reset if you do that (or otherwise have a separate independent password.)

If you have some embarrassing information on your system (e.g. a collection of images, comics, or stories), they will become inaccessible unless you've backed up your security certificate to another secure location.

Re:sounds like a good lock

[owlstead]

Most of the time these functions hook in on the Windows logon process. Of course you may still have an administrator with a pretty strong password to log in to your system if you are locked out.

Most of the times these functions exist to make it easier to logon/logoff. You'll do it sooner that way. I have to type my password many, many times a day because I am supposed to lock my machine whenever I am not around. After a while you stop doing so when you are going for the coffee machine (5m) then the toilet (10m), then the neighboring lab etc.

It's more secure than leaving your machine open, that's what's count. The other security is/should be build in by Windows (e.g. encryption of the users home folder for both the admin as well as the facial recognition.

One problem with this scheme is that in comparison with password security, it is not easy to derive a unique "secret" value from the input of a picture. There is some work done on this for fingerprint biology, but even that is still in the research stage (although it is some time ago that I've looked into that). So you basically rely on a compare with the data already present in the machine, and you cannot directly derive secret keys.

Re:sounds like a good lock

[RulerOf]

Demos have been done using pictures of people to fool facial recognition software.
Now *that* is funny. Got any links?

Also, couldn't you use multiple cameras spaced slightly apart to determine if the face presented to you is actually being seen in three dimensions?

Re:sounds like a good lock

[mgblst]

There is usually a password backup, these systems are used as a convenience to override the backup, so you don't have to type in the password every time. This is the way it works on my IBM T42.

Always a little scary that the software makes you add in several fingers, using both hands, just in case you lose one.

I'd rather get info from people with a clue.

[alizard]

like these.

Biometrics are powerful and useful, but they are not keys. They are useful in situations where there is a trusted path from the reader to the verifier; in those cases all you need is a unique identifier. They are not useful when you need the characteristics of a key: secrecy, randomness, the ability to update or destroy. Biometrics are unique identifiers, but they are not secrets. - Bruce Schneier

Useless Marketing Ploy

> Toshiba's Face Recognition software allows you to log in to the system simply by having your face properly recognized by the integrated webcam during Windows startup. ... or a photo of you, or someone who looks like you.

I mean, a joke. Which is why they still require a fingerprint. But as that idiot German minister learned recently, fingerprints on a glass of water can easily be turned into fake fingerprints. Google around.

All this does is give Joe Public a warm fuzzy feeling, tempting him not to take the sort of proper security precautions he'd otherwise take.

The Mythbusters did it

[mangu]

There's no need to cut fingers. In the Mythbusters episode they got the fingerprints from a CD case, photographed them using cyanoacrylate "super glue", and created a fake finger tip using a photosensitive printed circuit board.

About the face recognition, how would a life-size printed photograph of the person work?

I read it as

[louzer]

Note recognition went mainstream for Facebook. Why would that be such a big deal?

Still, cool

[popmaker]

I think it's pretty useless idea, check out all the points comments above about holding up a picture. But I think its' one of those things that you can't but say: "still, ain't it cool that we can actually do that"?

Prints

[RavenChild]

Does the software distinguish between real faces and say something like a print of the face? Nothing is ever going to replace direct user input via keyboard.

Multifactor Might Work

[Doc+Ruby]

Face recognition is still too inaccurate for me to trust. Fingerprint recognition is also too inaccurate for me to trust. But the combination might increase ID precision so it's trustworthy in distinguishing me from 6-10 billion who aren't me. Like how 2 redundant cheap failurepoints can turn 99.9% (8.76 hours down per year) uptime into 99.9999% (31.57 seconds down per year).

But each/both of them are crackable if I'm coerced to login, perhaps even if my dead body is forced up against my ATM. (I know I wouldn't care by that point, but the utility of that crack is incentive to kill me.) Or if someone wears a masks (on face and fingertips) imprinted from video and surfaces recording my prior, unwitting presence somewhere.

The third factor would be voice recognition. It doesn't have to get the exact words correct; in fact it's better if it just recognizes the result among a few categories by what I'm saying: "unlock", or "PANIC" or "ignore this". That way if I'm coerced, I can signal for help without alerting the coercers, who won't know that "rosebud" means "PANIC". And if I'm dead, I can't say anything, so I'm no good to the coercers.

These ID technologies still won't work to find someone who isn't cooperating with the authenticator, like growing a beard (or wearing a mask), until every single person must be positively ID'ed all the time everywhere, just to spot the tiny few of interest. But when I'm trying to unlock something, and all I can remember is that I'm me, and I don't want to be chained to some hardware key that I won't have if I give it to someone, and can be duplicated by someone I don't authorize, they might be a lot better than a password (or a list of them).

Biometrics are a nuisance, and insecure besides.

My Fujitsu tablet came with a fingerprint reader, which I didn't bother using for passwords. I eventually totally uninstalled the software for it because it grabbed focus at the login screen. That was a terrible nuisance, since I had to go click in the password box before entering my password, and I frequently typed my whole password into nothing at all because I didn't remember that this system doesn't work like the windows standard. Now the fingerprint reader does nothing and I am happier (it came standard on the tablet).

Ass Recognition

[Tablizer]

They should perhaps use ass recognition instead. Its very difficult to cut an ass off. However, signing on can be a bit embarrassing in public.

C'mon, give them some credit

[abucchi]

Salesman: "would you like the one with the finger thingy, or the one with the fringer thingy that can recognize your face". My Mom: ( smiles ) This is not targeted for you guys. And considering that each one of us has two parents... we are outnumbered! ( Some Moms fall for that one too )

Erm...

[Firewing1]

Seeing as somebody can just use a picture of me to fool the webcam, I'll stick to passwords.

Windows login tooltip

[hgkamath]

I guess you just need to sit in front of the computer, and indicate to it that you want to login, maybe by clicking a button. A continuously monitoring camera may capture a hand or a face signal and automatically initiate authentication. corresponding to "Bad password, please retype" you'll get "Bad Face, make another one" or after a few tries maybe "Your face is too clean or too dirty, hair combed too well or it's too scrambled, wash your face, comb your hair again, adjust the light, face the camera, hold your head in the position and make the same expression as when you took the picture (I am the computer trying to help you)" or after some more tries "You look like a thief"

Not that great

[yoyhed]

I have a Toshiba laptop, the M305-S4819, that came with this software (it now dual-boots XP and Slackware, but before formatting I gave it a shot.)

My random, alphanumeric password takes about 1-2 seconds to type in. The software takes about that long just to start the webcam, and then an additional 5 seconds to recognize the face. Also, obviously, you'd have to change your password to something extremely long and random (that maybe you didn't even know) for this to be useful.

On top of that, I registered my face in the morning with my hair messed up and with me unshaven. It worked fine then, but I had to re-register later in the day when I was cleaned up, because it didn't recognize me. It also won't recognize you if you have a hat on.

It is kind of a cool novelty though, if you're willing to use Vista just for that.

Better than the Dell software with finger print...

[sys_mast]

Better than the Dell software with finger print reader. They let you log into the PC with finger print. The SAME software can be used to remember website passwords but requires a password. Even though you don't get the software without the built in finger print reader, application password management requires a password, can you say duh?

google on

[alizard]

"facial recognition" spoofing including the quotation marks.

We'll just see...

[Cynic.AU]

We'll just see how secure facial recognition is after I hold up a bloody picture of someone's face and gain entry to whatever. Now with *two* webcams you could possibly do a bit better, but one need only have two photos from slightly varying angles & some lenses to refocus the webcams' cameras. Very easy.

This is worse than finger scanners. Up till now, I've actually had to cut off my victims' fingers to use their thinkpads!

I'm curious

[g0bshiTe]

Would a photograph of someone be substantial enough to fool a facial recognition program?
How would it distinguish between a 2d photo and a 3d person seeing a camera photos in 2d anyway.