Acer Laptop W/Fingerprint Recognition System

Dekaner writes "Acer has announced the TravelMate 740 with a built-in fingerprint recognition security system. The fingerprint sensor is part of the notebook? s palm rest. Users must train the recognition system, which is then used to boot the machine or to decrypt files stored on the hard disk. The TravelMate has a 1.2 GHz Pentium III processor, a 15-inch screen with a resolution of 1400 by 1050 pixels, built in 56K modem and Ethernet connection, and it can be supplied with either 128 or 256 MB of memory. It can be configured with a second hard disk, CD-ROM, DVD, or a DVD-CD-RW drive. It will go on sale in October."

Not for use with *really* valuable data

If there is one thing I learned from 'Demoliton Man' with Rocky^H^H^H^H^HSylvester Stallone is that Wesley Snipes will come and cut parts of your body off if he needs them badly enough.

Don't keep data on this thing that's worth dismemberment, because scary terrorist-types will cut your fingers off.

Demolition Man? No...Red Dwarf !

I doubt Red Dwarf was the first show to use it, but they were much funnier about it....

They come upon a door.

KRYTEN: Uh-oh, a door. We'd better use an air vent.
LISTER: No need.
KRYTEN: Sir?
LISTER: Look, I'm gonna do something now, Kryten, that's totally, totally
gross. I don't want you to look. Turn around.
KRYTEN: What?
LISTER: Trust me, you don't wanna know!

KRYTEN reluctantly turns around. LISTER pulls the object he picked up
earlier out of his jacket: it's a hand. He presses the severed hand to
the palm-print device, and the door opens. He puts the hand back in his
jacket and turns around. KRYTEN has a sick look of realization on his
face.

KRYTEN: Logically, sir, there is only one way you could have possibly
have opened that door. I feel quite nauseous. Where is it?
LISTER: Where's what?
KRYTEN: Oh, sir!! You've got it in your jacket!!
LISTER: I got us out of the hold, didn't I?
KRYTEN: Sir, you are sick! You are a sick, sick person! How can you
possibly even conceive of such an idea?
LISTER: Cheer up! Or I'll beat you to death with the wet end!
KRYTEN: Sir, if mechanoids could barf, I'd be onto my fifth bag by now.
You're a sick person! Sick! Sick!

New Crypto Rules

Yeah, but according to the new crypto laws you'll have to cut off your pinkies and give 'em to the FBI to keep in "finger escrow."

Re:reset?

This could've been a Seinfeld Episode:
George inherits this laptop, only to find it's fingerprint protected, so at the funeral, he tries to sneak it up to the corpse to get the print...
Yadda yadda yadda....

It is interesting...

The article is short on details but it seems not to be very reliable. In corporations, the IT department usually has a master key so that even when the employee leaves, the company can still retrieve the data. What about this fingerprint-recognition system?

Second, this article makes me wonder if Slashdot will consider inserting text ads like Google by masquerading as submissions. I think it is a great way to get income to maintain this heavyly used site (banners at the top are no longer very effective), given the financial conditions of the parent company VA Linux.

This is neat, but not really useful

This sort of biometric authentication is not really all that vital for most of us, and the effort required to keep it functional, in this case at least, outweighs any advantage gained.

Don't get me wrong -- I can see this being very useful for corporations and governments who have valuable information to keep encrypted. For those applications, this is a good idea.

The problem I see is that fingerprint sensors require maintenance. The human fingertip exudes oil, used to increase the traction of the fingertip. This is not good for a sensing surface, and will necessitate regular cleaning. Anyone who has owned a trackball can tell you that anything the finger touches regularly, builds up gunk quickly.

Another problem is susceptibility to damage -- scratches in particular. I wouldn't want to be locked out of my files due to clumsiness. Also, damage to the recognition system through any form of clumsiness will keep you out of your encrypted files. Using an ordinary encryption method, you'd just hook the HD up to a different machine and be back in business.

I'll assume that the device is good enough to detect your print accurately. I wouldn't think the company would willingly release a half-engineered product in such an important area as authentication.

Another reason it might not be useful

How many bits worth of unpredictable information, exactly, is in a fingerprint? I know it's "a lot", but is it enough? 48 bits is "a lot" too, but it has been demonstrated to be not enough for protection against a simple brute-force attack.

Ultimately, it's all just bits. This fingerprint-recognition device ultimately must convert your fingerprint into a binary key, and use that key to perform the encryption/decryption. If someone can get a copy of your encrypted data, they could run it through software which tried binary keys until it found the right one. If the adversary could lift your fingerprint from something you've touched, that might give them information which helps them narrow down the search.

Until I found out just how many keys they'd have to try before exhausting the keyspace, I wouldn't trust this to be secure. A good mixed-case/numbers password with a - or ! (et al) thrown in can easily have 67**8 > 48-bit strength. A 5-word english passphrase can have up to 38619 ** 5 > 76-bit strength (38619 words in /usr/dict/words, and that's assuming no case variations). For very secure stuff, I'll keep a 1024-bit RSA keypair on a floppy disk in my lapel (no, I'm not just being a smart-ass, I already do this.)

Seriously, though, does anyone know the strength of a key generated by Acer's gizmo? And how much it might be narrowed down with a sample fingerprint to work from?

-- TTK [ciar.org]

False security is worse than no security

The article fails to give a technical explanation on exactly how the fingerprints enhance security. Does anyone here really believe that this laptop can protect its data when it is stolen? In order to do that it must encrypt the data on the disk.

Using what encryption key? Your fingerprint? Does anyone believe that your fingerprints are secret? You are putting thousands of copies of your prints on various objects every day. You probably have several fingerprints on your laptop! And once your secret encryption key becomes known, how do you change your key? :-)

The key (sorry) to good encryption security is to change your keys often.

Until a good technical description on the security is provided I will regard this laptop as techno-babble trying to impress PHB types.

Re:False security is worse than no security

(disclaimer, I worked for a few years on a fingerprint security project)

Actually, the problem is that you have to keep a copy of the fingerprint to match. Getting a copy of this fingerprint from disk or memory would be fairly simple.

Also, you can not hash a fingerprint. Each scan of the same fingerprint is different from the previous one. You can't protect the b' enrolled fingerprint.

The only way this would work is by:
(a) using a dual password/biometric. The password would unlock the b' biometric(enrolled) and the fingerprint would be used to extract it.

(b) using a hardware protection and matching system. Whereby the hardware is responsible for protecting itself. Simular to a smart card concept, the hardware would encrypt the data on disk, and also gather and match the fingerprints. Still, a bit of reverse engineering could defeat this. Also, a cheap fingerprint scanner could probably be fairly suseptable to rubber finger attacks. ;-)

Pan

Re:False security is worse than no security

Having worked at $LASTJOB{PHARMA [pfizer.com]} where the FDA was looking over our potential implementatation of biometrics in wireless handheld webpads in 1998, I can tell you how this is done:

CFR 21:11 [gpo.gov] , the Code of Federal Regulations, goes through this fully. In order to be "validated" as the real person, you must hold at least two of three key pieces of information:

1. Something you have: A keycard, a physcal key, an iButton
2. Something you know: A password, passphrase, memorized key
3. Something you are: Iris scan, fingerprint, voice, some other biometric.

. If you have two of those things, any two in combination, you are said to be one of two things:

1. Truly that person to which the biometric belongs, or
2. A conspirator, working with that person, since you cannot have obtained the second piece of information without consent from the holder

This is how our Federal Government looks at it anyway.

Biometrics have come a long way, and contrary to popular belief, this fingerprint-style technology does not compare a "picture" of your finger. It measures datapoints (the FingerChip [thomson-csf.com] for example, measures many more datapoints than most biometric scanners, and is a fraction of the size).

The "retraining" you have to do is so that your "personality" is measured as one of the datapoints. If this was a signature capture biometric, it would measure whether or not you dot your "i" before your words are finished, or after. That "personality" is set in the equation as part of the measurement. This is why even if you have someone's signature on paper, and can replicate it perfectly freehand, a good biometric will rule it out, since the "personality" (speed to write, dot i's first/last, etc.) will certainly not match.

Acer laptops are impressive

After doing some research, I recommended to my girlfriend that she buy an Acer laptop. The reasons were simple - it had a modem, ethernet, and wireless ethernet built in, it had a large 14" screen, and it was only 5.2 pounds with the dvd drive installed, 4.5 without, and came installed with Windows 2000.

I looked at a variety of other laptops, especially Dell and Compaq, and none could build in everything (she wanted wireless ethernet for use at college and in the future) at such a low weight. The price wasn't too bad either, for last June - about $2100 including Windows 2000 and Office 2000 from CDW.

When it arrived, there was a feature I sort of brushed over - a smart card reader. Its primary purpose in this laptop is to restrict access if the card is not installed. It looks like a credit card, and is easily removable. By default, the security settings are such that the smart card must be installed for the computer to boot. Of course, this isn't perfect protection against things like theft, but it is more convenient than a boot password to prevent people from simply using the laptop.

So I am not surprised to see that Acer is leading the way with more laptop security features. I absolutely hate the many old desktops that I have had to fix over the years, but the quality of the laptops is quite nice. They fit a lot of features, including some pioneering ones, into a laptop that is comparable in price to Toshiba and Dell with less weight.

Biometric Authentication Experience

Finger print recognition has been a pain for me. We had it installed at work a few years ago, and it worked fine for the first couple of months. However, my hands start peeling due to dryness in the winter, and it soon came to the point that the system wouldn't let me in. This wouldn't have been a problem except that I was usually the first one to work in the morning, and was getting locked out.

We tried registering all of my fingers to no avail. In the end, I got a magnetic card to get in.

I had tried one of those systems where you sign for authentication, too. But it turns out that I can't write my own signature the same twice. I haven't had much luck in having biometric authentication figure out who I am.

Umm, this is OLD.

A co-worker of mine got one of these Acer laptops with fingerprint recognition several months back, perhaps around April.

The fingerprint recognition was OK for one person, but as soon as we tried to configure it to recognize two people, we had horrible problems. It seemed like there were differences between the BIOS level recognition and the software OS level recognition. We were eventually both locked out and just sent the laptop in to be reset.