New Fujitsu Laptop Reads Your Palm, For Security

judgecorp writes "Fujitsu has launched a laptop which authenticates users using the veins of their palm. The contactless technology is hard to deceive and — since it detects haemoglobin in the veins, is not so likely to be breakable using the gruesome method of cutting off a hand."

Not for I

[binarylarry]

Damn these hairy palms!

Damn them to hell!

Re:Not for I

[sunderland56]

On the plus side: having your palm coated in a sticky gel-like substance should improve reader accuracy.

Re:Not for I

[AmiMoJo]

Buddy, you need to see a doctor.

Re:Not for I

[K.+S.+Kyosuke]

Damn them to hell!

Heh. That reminded me of the "computer people from hell" story where the person in question was building a new in-house computer system, and because he was in the right mood, he inserted a function in the login screen (I think these were your grandpa's old green screen terminals) that, if I remember it correctly, drew a horizontal green line vertically moving either top-to-bottom or bottom-to-top, something like that. Then he told his users that in addition to entering their login name and password, the system will scan their hands for increased security. Then, in the morning, he amused himself with watching the office people caressing their computer screens en masse. This went on for some time until the boss noticed, asked what the hell were those people doing, and then told him to stop. When the guy removed the palm scanning feature, he explained the office people that the login was eating too much CPU time and had to be scrapped. ;-) I wish I had bookmarked the link, though. There were more stories like this.

Re:Not for I

[davester666]

If you hold the donut with the wax paper sheet it comes with, the jelly filling fall on that instead of your palm...

Re:Not for I

[kaladorn]

I note they say that there is no 'cut off hand' tactic viable with this.

They don't mention how incredibly viable the 'pistol resting against the temple' tactic is. That one will still work. you can pull the trigger after they unlock the laptop.

And what happens if your hand gets mashed? It does happen. It's rare, but I'll bet that messes up the capillaries something fierce. Then... is there a way around this? Do you enroll both hands? (One assumes, just like you enroll multiple fingers)

And who can come along and perhaps hack the stored biometric data? Hmmm...... N....S.....ah they wouldn't do that would they?.....A.....

My tinfoil hat helps keep me warm in winter.

Medical Application

[mrbluze]

This means that the near-infra-red emitters and camera have become so cheap as to be mass marketable. Hold off for six or so months before buying a vein finder for medical use, you could save 90% on the price ... or maybe the next generation of smart phones will support this?

Re:Medical Application

[binarylarry]

Or... maybe we'll continue to be raped by the medical industry anyway?

Re:Medical Application

[Sqr(twg)]

The price of a medical device has very little to do with the price of components. (Compare the price of a medical hearing aid to the price of a bluetooth headset.)
It's all in certification and testing. - And insurance against lawsuits.

Re:Medical Application

[AlphaWolf_HK]

Some hunters like to use devices similar to hearing aids for hunting because they muffle the sound of gunshots while amplifying quieter rustling noises. Some models are as small and discreet as a medical hearing aid, will work just fine for that purpose, and cost a lot less.

If I were to guess I would think that since they aren't prescription they don't require any kind of FDA approval, which would certainly save on cost somewhere.

Re:Medical Application

[mwvdlee]

God forbid the manly sport of shooting bunnies from afar would slighly discomfort your sensitive ears.

Re:Medical Application

[gigaherz]

Too late: http://evenamed.com/products/glasses

Re:Medical Application

[mrbluze]

Too late: http://evenamed.com/products/glasses

Yeah but it's still way overpriced, that's my point.

Re:Medical Application

[Jane+Q.+Public]

"This means that the near-infra-red emitters and camera have become so cheap as to be mass marketable. Hold off for six or so months before buying a vein finder for medical use, you could save 90% on the price ... or maybe the next generation of smart phones will support this?"

There is ZERO new here on the hardware end. The hardware has been capable for more than 10 years (some video cameras took advantage of this near-infrared sensitivity of CMOS sensors by offering a "night mode".)

The only difference is that some people are finally figuring out ways to exploit it.

Re:Medical Application

Or... maybe we'll continue to be raped by the medical industry anyway?

Ah, most definitely this.

Unless you're one of those special people who actually think the $20.00 Tylenol pill by your hospital bedside is any different than the $0.02 pill sitting in the Tylenol bottle in your own home.

Re:Medical Application

[gigaherz]

Hmm that was the wrong product... http://www.amazon.com/gp/product/B008LPFEDO these use a passive filter, and should be much cheaper (if you can consider $300 cheap).

Re:Medical Application

[drinkypoo]

"Evena Sparrow is not available in the U.S., EU and many other developed nations" I presume because of licensing requirements. What undeveloped nation do I have to visit to get a pair of these, and how many camels will it cost?

Re:Medical Application

[mrbluze]

Interesting. The more expensive product though gives stereoscopic depth perception of the vein which is an advance.

Re:Medical Application

[K.+S.+Kyosuke]

"...is effective for almost all physiologies."

Obviously, it's costly because they made sure that it's Spock-compatible.

Re:Medical Application

[chihowa]

No shit, brother! Real men don't let animals live free in nature until their lives are ended in a split second for food.

Real men cramp them in dirty confined spaces, pump them full of hormones and antibiotics, and deprive them of exercise or contact with their young until they're ready to be lined up and slaughtered in front of each other.

Taking responsibility for the life you've taken in order to eat is cruel and inhumane. It's much preferable to pretend that meat comes into existence in shrink-wrapped packages at the grocery.

Re:Medical Application

[mwvdlee]

There is, ofcourse, the alternative of letting animals live free in nature, then until their lives are ended in a split second without pain by somebody who does not take some perverse kind of pleasure in killing animals.

It costs a bit more, but if you're buying a thousand-dollar gun, ammo, go on hunting trips and buy outfit and gear in order to be "humane" to your food, it's quite a lot cheaper.

Besides. Lets get realistic here; how many of those animals killed by hunters and up as food? Most aren't.

Re:Medical Application

[chihowa]

I'm not quite sure what your argument is. Are you arguing that anyone who kills an animal must take a perverse pleasure in it? Or are you saying that I take a perverse pleasure in it, but that someone else (from whom I would, per your second sentence, buy the meat from) doesn't? On what basis do you feel you can make either of those statements?

You're also overstating the cost involved... There are rabbits in my backyard. The ammunition costs a dime a piece. The rifle was inherited. You can't get meat much cheaper than that. (Certainly not rabbit.)

I don't know every hunter, but everyone that I know shoots paper or an animal that they eat. Why do you think most hunters kill animals and don't eat them? Do you have a source for that?

[Your sig is quite apt, also. Where are these shades of gray you refer to. Your world looks pretty black and white from here.]

Re:Medical Application

[kaladorn]

Most of the people I know who shoot (who are not military or police) hunt for food. I do not know a single trophy hunter. I do know people who, for a reasonable expense, bring home a fair value of food to their table. They would not dream of shooting an animal just for the fun or some wierd killing joy. It's all about putting food on the table, just like fishing.

There are probably instances where an animal brought down for food could yield a trophy antler rack or some skin or fur, but that's more in 'whole use' than 'hunting just for the trophy' thinking.

I suspect you've never hunted nor know many hunters personally.

Re:Medical Application

[Firethorn]

I've heard of the occasional evidence of pure 'trophy hunting' where no effort is made to collect the meat. However it's extremely rare and more associated with illegal hunters, IE poachers. The general consensus in my family and friends who hunt is that they like to put a round to the back of the head of those people.

And yes, the family has a few trophies, and they've pretty much all been 'lucky' in the sense that they happened to find a trophy buck, not that they particularly went looking for a trophy, if that makes sense.

Re:Medical Application

[Firethorn]

until their lives are ended in a split second without pain by somebody who does not take some perverse kind of pleasure in killing animals.

Don't know about you, but I think that 'professional hunters' like you propose are going to precisely be the people who 'take some perverse kind of pleasure in killing animals'. There's a difference between somebody who goes hunting once a year for 1-6 animals, and a professional who does it for hundreds.

Palm Authentication!!

I'd give my right hand for security like this!!

Reliability?

[axlash]

Not so sure how good this is. From what I can see, the equal error rate of palm identification is 0.17, compared to 0.01 for fingerprint identification.

Re:Reliability?

[lxs]

But I want to put my hand on the screen. In the glowing hand outline. Like in the movies.
Right after I have my destiny surgically altered of course.
I love living in the future.

Re:Reliability?

[sumdumass]

The article also says nothing about the cutting off of the hand. I suppose you could just use a tourniquet in order to keep blood inside the hand after it is severed.

I guess a bigger question might be is how if the system accessed in case of death or injury? I mean suppose I crash my car and lose my arm on the way home tonight, how will I access the laptop after that or does it become a brick. What if I died, is some next of kin going to show up at my funeral and pull my hand out of the coffin and try to trick this thing into opening so they can find all my accounts or something? And if there is a way around it, that would sort of defeat the entire security point to some degree. I mean it wouldn't matter how big and strong the dead bolts on the doors to the house are if someone can squeeze through the doggy door and simply unlock them.

Re:Reliability?

[CaptQuark]

Most of these systems are alternative ways of authenticating to Windows, but not the only way. (Most of the biometric systems require an enrollment process that is optional.) Most people will still have an Administrator account that uses the traditional password method.

~~(Mod -1 for too many uses of the word "most")

Re:Reliability?

[CohibaVancouver]

I know that on Slashdot everyone jumps to the personal / consumer use-cases, but it's important to note that this is a corporate solution, to protect corporate data on an endpoint. If the endpoint is no longer accessible (theft / loss / whatever) the data is simply retrieved from the upstream servers.

Obligatory:

[fyngyrz]

XKCD has the last word on this subject

Re:Obligatory:

But at least They can't mangle your hands!

Re:Obligatory:

[fyngyrz]

You mean, your palms. No reason they can't take an interest in the *rest* of your hands.

Re:Obligatory:

[turbidostato]

"You mean, your palms."

And that's the really weird thing!

What are Fujitsu executives thinking about!? Palms have been out of the market for a decade! Why they don't support Android instead?

Re:Obligatory:

[fyngyrz]

Coming soon to a laptop near you: Newton recognition (fig model for initial release, apricot and whole grain planned with kickstarter funding, if whoever (now) holds the rights to Commodore's IP releases the rights to "kickstart" in time.)

I have a better idea for a security device

[BringsApples]

You lick it. It detects your tongue (much like a finger-print reader) and does a DNA analysis. Not that I've built one.

Re:I have a better idea for a security device

[chuckugly]

Yeah I tried that "no honey, it's an ID verification device" line before too.

Re:I have a better idea for a security device

I have an even better idea. It's a port that you stick your cock into. If it verifies your cock against the allowed cock database, you get access to the system and if not, it cuts your cock off.

Just make sure to wait for SP1.

Re:I have a better idea for a security device

[Lehk228]

"it's not a dick"

"Hard to deceive?" I doubt that.

[gweihir]

There are a few people that routinely break "hard to deceive" biometrics on the cheap. Wait till they get their hands on one of these. I predict it will fall fast, just as all the other technologies promoted by lying marketing scum as "secure".

Re:"Hard to deceive?" I doubt that.

There are a few people that routinely break "hard to deceive" biometrics on the cheap. Wait till they get their hands on one of these. I predict it will fall fast, just as all the other technologies promoted by lying marketing scum as "secure".

If it's detecting dark lines for the unique pattern, it wouldn't take long to modify a camera that uses the same near-infrared to take photos of someones hand waving to friends (or in japan a 'hi-5 the panel for a coke' vending machine) then it'd be as simple as printing out the hand. It's not like you can change it once it's stolen either... Short of cutting off the hand and grafting on a new one.

I suppose a high security one would take multiple shots and look for vein dilation matching the heartbeat but even that could be faked with a animated gif.

Que Mythbusters

Re:"Hard to deceive?" I doubt that.

Hey how do you expect anyone to buy that shit with so many muslims in the white house?

Not Secure

I read the article, but it doesn't go into specifics. It looks like it uses the built-in web cam. That means you'll be able to hold up a photo of the person's vein pattern and beat the security.

Re:Not Secure

[CaptQuark]

Not unless you can print a picture that will show different levels of reflection to the near-infrared wavelengths.

If you've seen a thermal images of a house showing where the heat loss is, compare that to the normal image of the house. This method is using the equivalent of a thermal image.

~~

Re:Not Secure

Yes, setup an IR camera to record everyone and you'll eventually get a good enough video of their veins. If the security software randomly goes through different wavelengths it would no longer to be simple to beat, but the gif in the article makes it look like they only do easy edge detection on the veins and pattern match against that.

Re:Not Secure

Thermal imaging != NIR, unless you're imaging things that are hot enough to visibly glow.

Re:Not Secure

[Rosyna]

Not unless you can print a picture that will show different levels of reflection to the near-infrared wavelengths.

Actually, you'd just have to print something using a Laser printer (toner contains iron oxide, just like Hemoglobin) and tape it to something, like a copper sheet, to produce a very similar picture to the camera.

Re:Not Secure

[fuzzyfuzzyfungus]

Good thing that IR-band pigments aren't already commercially available (never mind the tedious-but-likely-cheaper process of just looking for random stuff at Staples that happens to have the right property despite being formulated for visible-band applications, you only need to get lucky once and you'll probably have something you can spit out at usefully high resolutions on some ghastly inkjet that costs less than the ink it takes). This might actually be easier than cloning fingerprints...

And a big old

Who the hell cares?

The stranger

[SpaghettiPattern]

Will it recognize me when I do "the stranger"? I'd be damned pissed off in such a moment of need.

Hemoglobin? Uh. Not quite.

[Chas]

Cut off the hand in such a way as to keep the appendage from bleeding out (think fire-heated axe), and there's still going to be blood (and hemoglobin) in there.

Maybe enough, maybe not.

What about people with poor circulation (older people mostly).

They're going to have real problems using this as an authentication mechanism. Hell, some of them NOW have major issues with capacitive touchscreens.

Biometrics are not good as a "password"

[nctritech]

You can't change your palm vein layout or your fingerprint when an attacker makes a copy of it somehow. You can easily change a password with practically no real effort. Biometrics are a key to a door where the key is unchangeable. I reinstalled everything on a laptop of mine and didn't even waste time putting a driver in place for the fingerprint reader it came with.

Re:Biometrics are not good as a "password"

[Koookiemonster]

Use another finger? :) Although after the 10th fingerprint-password you'll have to start removing your sock to open your computer.

Re:Biometrics are not good as a "password"

[nctritech]

Oh fun. We'll get to enjoy Athlete's Palmrest.

Re:Biometrics are not good as a "password"

[Keyboard+Rage]

Somewhere deep inside a bunker hidden in a desert in the USA, General Alexander strokes his kitty, cackles evilly, and gleefully browses through his collection of hand palms. Each is carefully anotated with the most juicy information about its owner. He selects one, uses it to remotely log into the user's laptop using the NSA's various back orifices, and spends the rest of the day posting obscene cat videos to Youtoob. Elsewhere, someone is fired for gross misconduct during work hours.

Re:Biometrics are not good as a "password"

[AmiMoJo]

Biometrics like this are still useful though. If you laptop is stolen or you just want to keep your co-workers/family/flat mates out they are adequate since they are unlikely to bother stealing your credentials. You can always fall back to a password if they do.

On top of that it is a bad idea to have a single authentication for everything. For example you might have a different user account password and root account password. Your palm print might just be for unlocking after you have entered a password to log in initially.

Re:Biometrics are not good as a "password"

[Hognoxious]

after the 10th fingerprint-password you'll have to start removing your sock

Unless you're from Alabama - then you get two more goes!

Re:Biometrics are not good as a "password"

[PPH]

That's a lie! I don't stuff a sock in there.

Is it really though?

I'm sure we've all seen those "ads" for similar tech before used for finger scanning, and all of them without exception could be fooled by a wet piece of paper that had the finger print of the other person on it.

Better be quick...

[Krokus]

How fast can you explain to the guy about to cut off your hand that it's not going to work? Is he going to believe you?

Re:Better be quick...

Mod parent up! Are the types of criminals that would cut off your hand be likely to know the finer details of how the sensor works?

Re:Better be quick...

Would they care that it might not work?

Re:Better be quick...

[fuzzyfuzzyfungus]

How fast can you explain to the guy about to cut off your hand that it's not going to work? Is he going to believe you?

Wrong strategy: Simply explain that you'd be happy to assist a fine fellow such as him with making the desired modifications to your laptop's security settings...

Seriously, if somebody is willing to chop your hand off to bypass the security system (even if they are on the wrong track technologically) probably has many ways of demonstrating the sort of attacks enabled by physical access. You'll need to have something good on that computer to make even trying to hold out worth it.

Re:Hemoglobin? Uh. Not quite.

[Rosyna]

Cut off the hand in such a way as to keep the appendage from bleeding out (think fire-heated axe), and there's still going to be blood (and hemoglobin) in there.

Pretty sure it uses the RF properties of iron when in motion. If it does use IR, then the blood needs to be a different temperature than the skin. Cutting off the hand would cause the blood to cool too much.

Not new technology

[RedLeg]

They demo'd this at CeBIT several years ago, and were spinning it at the time for high security applications, banking, etc. It did not get much traction IIRC, not sure how successful it was in Nippon.

One of its claimed advantages was (at least what they demo'd) that it used infrared to "see" the heat of your veins through the palm of your hand. Cut the hand off, it ain't gonna work, or so they claimed.

It will be interesting to see how this is accepted in the larger notebook market.

-Red

Re:Not new technology

[Lehk228]

cut the hand off and attach a heated pump it will work just fine.

any security system is only as secure as it is cost effective for attackers to bypass. pumps and heaters are not expensive. building an interface for the arteries and veins in an arm will be moderately more expensive but not much since the interface does not need to be medical grade or last very long.

any security system that encourages an attacker to cut off part of my body is a security system I will not use

Re:Not new technology

[ColdWetDog]

Doesn't the tin foil get uncomfortable after a while?

Re:Not new technology

Time f or a new MytBusters episode!!!! They did a really fabulous job showing how easy it is to fake fingerprints versus the latest, greatest door scanners, and even beat one with a moistened, printed paper copy of a fingerprint.

        http://www.youtube.com/watch?v=3Hji3kp_i9k

Hold on...

[srussia]

Yeah I tried that "no honey, it's an ID verification device" line before too.

Are you a man or a woman?

Re:Hold on...

Are you a man or a woman?

Yes.

(Assuming inclusive, not exclusive OR)

Re:Hold on...

[binarylarry]

I think you mean "true."

When was the last time an OR operation returned "Yes."?

Maybe in VB or Ruby or something.

Advanced applications

[jandersen]

Just imagine the potential of this - "It is no use logging in - you are going to meet a tall, dark stranger ..."

I can see it now

[stenvar]

"You have been authenticated based on your palm print; last login 11/15/2013. Also, you will meet a beautiful but mysterious woman with long blond hair, and you will have a long and healthy life."

Re:Hemoglobin? Uh. Not quite.

[stenvar]

Except for the word "iron" that was complete gibberish.

Re:Hemoglobin? Uh. Not quite.

[gl4ss]

you just need a picture that looks the same in ir..

NSA angle

I'm sure the NSA loves these gadgets that do biometric checks. Expect many more of these to come. There are vast databases to be populated.

Alternative

[gnupun]

Just as you can use a physical key to open a conventional lock, why can't mobile device manufacturers come up with something that can read a password off a physical electronic key attached to an ordinary key chain.

One password systems are purely stupid, and biometric systems usually involve invasion of privacy of some sort.

Re:Alternative

[Megane]

Seeing as how it would be pretty easy to install an RFID reader on a PC, I'm going to guess that someone already patented it, wants too much money for it, and it won't expire for another ten years or so.

Re:Alternative

[Antique+Geekmeister]

They're not very expensive, you can get a workable one for $10. But looking at the insides of a few readers for hacking reviews, the cheap antenna is fairly bulky. It's typically a coil of wire, several inches wide. Finding space for that inside a normal laptop is feasible, I'd assume it can be built into the case itself, for example. But every time you introduce bulky components in a laptop, you introduce additional expense. Also, like wifi, they consume some power, so a contact sensor to read only when the device is present is additional work and expense.

It does raise the interesting idea of having an RFID reader built into your laptop for security scanning of _other_ people's RFID keys. Coupled with the very poor security of these devices, it raises the possibility of using the RFID reader in my laptop to scan the RFID keys on your person, such as your laptop RFID key or your passport key, and do relatively easy identity theft. Examine some of the articles on cracking, or cloning, RFID passport keys to learn more about the vulnerabilities.

Re:Alternative

[fuzzyfuzzyfungus]

Seeing as how it would be pretty easy to install an RFID reader on a PC, I'm going to guess that someone already patented it, wants too much money for it, and it won't expire for another ten years or so.

I think that the problem is mostly apathy. 'Enterprise' laptops offered smartcard support for years(as did/does windows) and you could get fairly cheap PCMCIA slot card readers(the just-slightly-larger size of the PCMCIA slot makes the physical design pretty easy, and implementing a low-voltage, low-speed serial bus isn't rocket surgery). Once 'contactless/RFID' became a Thing, laptops in the same bracket started to offer RFID as an option. It's mostly mired in cryptic alphabet soup (nothing reminds you exactly how many, mostly shitting and overlapping, some incompatible RFID 'standards' there are like trying to use something not purchased all in a lump and at a markup from a single vendor); but it's there. This document applies to select Dells; but others should be largely similar.

Broadcom's "BCM2079x Family" shows up at the party, usually with some amount of confusing vendor rebranding, fairly frequently.

Re:Alternative

[gnupun]

I think the key should be something simple that you can stick in a laptop's usb port. The BIOS and OS do some hardware initialization, read the password and unlock/login the user. The key should also have protections that data relating to the password cannot be stolen (copied.)

Re:Hemoglobin? Uh. Not quite.

[Chas]

If the former, maybe. Might still be gotten around by pumping the hand.

If the latter, I wouldn't worry too much. A human hand doesn't bleed heat off that quickly.

Added functionality

[shikaisi]

The advantage of this system is that, as well as handling the security of your laptop, it is also able to tell you that you will meet a tall dark stranger, you will live to an old age and will be lucky in love but not in money.

Reads your Palm

Does anyone use a Palm anymore?
Nevermind, TFA is about actual, physical palms. Not interesting.

Re:Hemoglobin? Uh. Not quite.

It uses IR. See also: http://hackaday.com/?s=pulse+ox

The theory behind a pulse oximeter relies on the fact that hemoglobin absorbs red and infrared light differently based on its oxygenation levels. By shining a red and IR LED through a finger onto a photoresistor, it’s possible to determine a person’s blood oxygen level with just a tiny bit of math.

About the laptop specs

Forgetting the probably useless palm reader, this laptop is interesting. I was looking into HP ZBook 15 which also takes up to 32 GB RAM and has a matte display. In the league of the silly left-shifted-keyboards-and-touchpads (because they really can't restrain from slamming in a numberpad) the Fujitsu has large arrow keys which is great. The touchpad middle button is smaller but maybe is usable (thinking about Linux middle click paste). Processor and graphic card are the same. The HP can accomodate two disks (solid state or spinning) by swapping out the optical one. Now... if both would have a centered keyboard they'd be two great machines.

CANCER

"It works by radiating the hand with near-infrared rays."

But wait those rays.. will give you CANCER.

Noise levels.

[Firethorn]

slighly discomfort

Say what? Gunshots range from ~143-174+. Hearing damage is pretty much instant at 130db.

That means you need hearing protection, but when hunting hearing is still very useful, so 'active' hearing protection that shuts down for the gunshot but otherwise amplifies quiet signals are helpful assists.

As for the cost of hearing aides, it's my understanding that the expensive ones are much more configurable than 'simple' devices like bluetooth headsets, and are designed to last longer(with better warranty), plus often include the cost of the configuration in the cost for the device. But yeah, a lot of medical device paperwork&liability expense baked into the price.

Re:Noise levels.

[drinkypoo]

As for the cost of hearing aides, it's my understanding that the expensive ones are much more configurable than 'simple' devices like bluetooth headsets, and are designed to last longer(with better warranty), plus often include the cost of the configuration in the cost for the device. But yeah, a lot of medical device paperwork&liability expense baked into the price.

The really fancy expensive ones do pitch-shifting. Problem is, they've been the same price for ages. Some good ones are supposedly starting to come out of China but you're not going to find them at your local audiologist.

Re:Noise levels.

[mwvdlee]

I'm sure the last thing the bunny feels as the bullet passes through it's guts is worry about whether the gunshot hurt your ears.
All is relative.

Re:Noise levels.

[AlphaWolf_HK]

That doesn't make the bunny any less delicious.

Biometrics suck

[jonwil]

Biometric devices aren't particularly secure plus if they are compromised somehow you cant change your fingerprints or iris pattern or voice print or palm veins or DNA in the way that you can change a password or a security card.
Oh and using a device secured by biometrics rather than a good strong password can reduce your legal protections if the cops want to get at whatever it protects

Fourth and Fifth Amendment questions

This technology if widely adopted could undermine the protection of the Fifth Amendment. The Fifth Amendment is only a bar to compulsion of testimonial acts - not government compulsion such as taking of fingerprints, DNA and standing in a lineup for identification. However, you still have a right to refuse producing documents and physical evidence if you by the act must admit to control, access, existence and authenticity, unless the government's knowledge is a foregone conclusion. It was the problem in some of the recent encryption cases that the government could prove the chain of custody. If a computer is tied to a physical profile, and every session must be authenticated with DNA, palm, fingerprint or iris scanning, a lot of Fourth and Fifth Amendment questions become moot. The Fourth Amendment does not protect you against disclosure to the government of information voluntarily disclosed to a third party. So if you have already disclosed to a cloud service that your computer is online at a certain time and the user authenticated with method X, you probably have lost any constitutionally protected reasonable expectation of privacy in a lot of facts wich the government would otherwise have to work out itself through warrants and probable cause. And when the government has legally acquired facts without violating the Fourth Amendment, it may attempt to build a chain of evidence sufficient to overcome the Fifth Amendment's protection against self incrimination. The government could and likely already uses these methods for a lot of mischief. Subpoena the cloud service for records, and correlate these to a particular user. Visit the person of interest, and ask him a lot of innocent sounding questions like - - did you use a computer at time XX. And when the person inevitably misremembers and falsely answers yes instead of no, nail him for violation of 1001. If the technology from bottom to top has built in authentication, proving that someone is not telling the truth is no match for the government.

Fourth and Fifth Amendment questions

This technology if widely adopted could undermine the protection of the Fifth Amendment. The Fifth Amendment is only a bar to compulsion of testimonial acts - not government compulsion such as taking of fingerprints, DNA and standing in a lineup for identification. However, you still have a right to refuse producing documents and physical evidence if you by the act must admit to control, access, existence and authenticity, unless the government's knowledge is a foregone conclusion. It was the problem in some of the recent encryption cases that the government could prove the chain of custody. If a computer is tied to a physical profile, and every session must be authenticated with DNA, palm, fingerprint or iris scanning, a lot of Fourth and Fifth Amendment questions become moot. The Fourth Amendment does not protect you against disclosure to the government of information voluntarily disclosed to a third party. So if you have already disclosed to a cloud service that your computer is online at a certain time and the user authenticated with method X, you probably have lost any constitutionally protected reasonable expectation of privacy in a lot of facts wich the government would otherwise have to work out itself through warrants and probable cause. And when the government has legally acquired facts without violating the Fourth Amendment, it may attempt to build a chain of evidence sufficient to overcome the Fifth Amendment's protection against self incrimination. The government could and likely already uses these methods for a lot of mischief. Subpoena the cloud service for records, and correlate these to a particular user. Visit the person of interest, and ask him a lot of innocent sounding questions like - - did you use a computer at time XX. And when the person inevitably misremembers and falsely answers yes instead of no, nail him for violation of 1001. If the technology from bottom to top has built in authentication, proving that someone is not telling the truth is no match for the government.

Not likely, but someone is going to have to try

[mark_reh]

so we can know for sure! Wait, that would be an anecdote, not equivalent to real statistical evidence. It will have to be tried many times before we have a definitive answer. Unfortunately for the rest of us, the sort of people (drug cartels?) who might test this aren't the sort who are likely to announce the results. I guess we'll never know.

Easy to read from a distance

The way this works is that deoxyhaemoglobin is darker than oxygenated heamoglobin when viewed in the near infra-red. The downside to this is that there's no distance limit to it, you could easily take a picture of someone's palm from a distance, and assuming you were equipped with the right lens and sensor and read their 'password'

At least with fingerprints there's the hassle of obtaining an object that the target has physically interacted with.

Name?

They need to call it the Soothsayer System. Microsoft and the NSA will be delighted to get this info on everyone.

Just another password that's impossible to change

[badger.foo]

I completely fail to see why this is supposed to be a good idea.

Whether it's port knocking, fingerprint reading or palm reading as in this case, can anybody point out why this is a more 'secure' authentication method than anything else?

I tend to think that a fingerprint or similar may possibly serve as a substitute for a user name, but would you want to let people sign in using usernames only, no password, ssh key or a generated one time pad? Other than that it was probably fun to make, I don't see any advantage at all to using a known constant as a substitute for the familiar user name plus password and/or other changeable secret.

Simple hack

[PPH]

Photograph user's hand in the appropriate IR band. Print to film stock that uses silver (or some other metallic/conductive) based emulsion. Place print in microwave* oven to selectively warm the image of the vein patterns. Place on keyboard and log in.

*Other heating technology could be used, including a print with conductive layers and resistive heating.

Re:Just another password that's impossible to chan

[laejoh]

Why do you think you have to use your own hand? Think! Just as criminals can cut of your hand, you can cut of the hand of others whenever you need a new password!

It is still a key

[Solandri]

If the biometric sensor can read the key (hemoglobin in your veins), then so can a key duplicator. And using what the duplicator reads, you can make a duplicate key which unlocks the biometric sensor just like the original key.

The only benefit biometric sensors bring to the table is that the keyholder cannot misplace the key. If you want real security, you need to go with public/private key encryption or rolling codes (essentially a continuous one-time pad), and multi-factor authentication. Biometrics can't do the former, and can only do part of the latter.

Re:Hemoglobin? Uh. Not quite.

[chihowa]

Dear god... stop talking. By what mechanism would an affordable laptop component measure the movement of the tiny amounts of iron in your blood via RF well enough to map your veins?

It is likely looking at the near IR (not thermal IR, so temperature isn't even being measured) absorption of hemoglobin. It's similar to what's being measured in pulse oximetry, but you don't really care about whether the blood is oxygenated or not.

Re:Hemoglobin? Uh. Not quite.

[fuzzyfuzzyfungus]

As far as I know, absolutely none; in particular, throwing out enough RF to get a usable signal back would probably do your battery life and relationship with the FCC no good at all; but the large, precise, and sensitive PCB antenna arrays in Wacom tablets would be my off-the-cuff candidate for 'component most likely to be able to do the sensing' (but not the illuminating, they only work with the passive pens because those pens are designed to behave usefully in response to the quite feeble field put out by the tablet PCB, and nature is unlikely to be nearly so helpful). Plus, they look cool.