Fingerprint Recognition with Linux & IBM's T42

timothy posted more than 9 years ago | from the nobody-said-*which*-finger dept.

Security 156

Michael R. Crusoe writes "UPEK, provider of popular fingerprint sensors to IBM's T42 notebooks and others, has announced that they will be providing a BioAPI compliant library to perform biometric authentication under GNU/Linux. Will Linux be the first operating system to have integrated biometric user authentication 'out of the box'?"

Ahem, PAM (5, Interesting)

nokilli (759129) | more than 9 years ago | (#13031404)

I don't understand this. Isn't writing to PAM all you need to do to support authentication on Linux?

They're talking about writing this whole framework for Linux called BioAPI, and then once that's done they're going to work on a BioAPI-to-PAM gateway, but that seems like way too much work.

Why can't an authentication module simply maintain its own database to register the biometric data associated with each user?

The way it is now, pam_unix.so does a one-way hash of the password you create and compares it with a one-way hash of whatever password you enter to log on, right? The password once stored is never stored in the clear.

I get the fact that you can't do that with biometric data because the data never is exactly the same, i.e., the one-way hash of the fingerprint you use to create the account won't be the same as the one-way hash created as you log on. And to do the comparison otherwise you'd need to load the data into memory, which is like loading a password, which is bad.

This is a really tricky problem.

I just don't see why we need a new framework. Seems to me, we need a new kind of hash function.

Why can't that go into pam_finger.so?

Re:Ahem, PAM (2, Informative)

Libor Vanek (248963) | more than 9 years ago | (#13031427)

PAM is a really great thing - you can even have "plaintext" passwords in *SQL database or whatever - so there is no need to change hash or anything. IIRC I've seen some biometric Linux solutions (using PAM) on some CeBIT show...

Re:Ahem, PAM (3, Insightful)

nokilli (759129) | more than 9 years ago | (#13031455)

Well, you know, you can even have plaintext passwords stored in world-readable text files you keep in /hack/me/now but why would you use PAM for this?

The whole point I thought was to create a framework through which it would be impossible to recreate the user's authentication info.

We do what you're saying and the next thing you know, I have your fingerprint, or even better, I've replaced your fingerprint with mine.

Re:Ahem, PAM (2, Funny)

/ASCII (86998) | more than 9 years ago | (#13031466)

Keeping the password file in a non-standard location like /hack/me/now is simple security through obscurity. Kind of like using ROT13 to encrypt your DRMed ebooks [zdnet.com]. This is a very common security technology used throughout the IT industry. It's just a question of time before Bezos patents it!

Re:Ahem, PAM (1)

Libor Vanek (248963) | more than 9 years ago | (#13031483)

Of course having plaintext passwords is braindead stupid. I've said it to show that PAM doesn't necessarily imply password hashing.

Re:Ahem, PAM (1)

imthesponge (621107) | more than 9 years ago | (#13031437)

I suppose a solution is to have the reader use a normalizing algorithm of some sort so that every correct fingerprint from a particular user resolves to the same "password".

Re:Ahem, PAM (1)

/ASCII (86998) | more than 9 years ago | (#13031458)

That is a problem that has yet to be solved. Fingerprint matching is a special case of image recognition, and image recognition is either really hard to do or really hard for us humans to describe to a computer how to do.

Re:Ahem, PAM (4, Informative)

Libor Vanek (248963) | more than 9 years ago | (#13031503)

AFAIK not - fingerprint is just "convert black&white image to curves, find markers (like end of "line", join of 2 lines etc.) and save relative position of these markers. In fact fingerprint "image" is usually a few 10s of bytes!

Re:Ahem, PAM (2, Informative)

straybullets (646076) | more than 9 years ago | (#13032080)

AFAIK not - fingerprint is just "convert black&white image to curves, find markers (like end of "line", join of 2 lines etc.) and save relative position of these markers. In fact fingerprint "image" is usually a few 10s of bytes!

Yes, this is true. It depends on the system used, but the one I know works like this. Once acquired as a real image, a complex algorithm is invoked to convert the image into a set of coordinates that represent different interesting points in the fingerprint.

A match is a % of same coordinates between the stored and the scanned print. Interesting to note is that this % is fixed by law and depends on which country you are in!
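Why a one-way hash cannot be compared across scans while a tolerance-based count of matching minutiae can, as an added example that is not part of any poster's comment or of any vendor's matcher. The minutiae coordinates, tolerances and threshold are constructed for illustration, and the two templates are assumed to be already aligned.

```python
import hashlib
import math
import random

# Constructed sample data: an enrolled template of 12 minutiae, each
# (x px, y px, ridge angle in degrees mod 180), laid out 40-50 px apart.
ENROLLED = [(20 + 40 * c, 30 + 50 * r, (35 * (4 * r + c)) % 180)
            for r in range(3) for c in range(4)]

# Constructed impostor: ten unrelated minutiae plus two that coincide by chance.
IMPOSTOR = [(x + 20, y + 25, a) for x, y, a in ENROLLED[2:]] + ENROLLED[:2]

DIST_TOL = 8.0    # px a minutia may move between scans (assumed value)
ANGLE_TOL = 15.0  # degrees its ridge angle may change (assumed value)
THRESHOLD = 0.6   # fraction of minutiae that must pair up (assumed value)


def rescan(template, seed, jitter_px=3.0, jitter_deg=8.0, dropped=(4, 9)):
    """Simulate a second scan of the same finger: every minutia shifts a
    little, two are missed by the sensor, one spurious minutia appears."""
    rng = random.Random(seed)
    probe = []
    for i, (x, y, a) in enumerate(template):
        if i in dropped:
            continue
        probe.append((x + rng.uniform(-jitter_px, jitter_px),
                      y + rng.uniform(-jitter_px, jitter_px),
                      (a + rng.uniform(-jitter_deg, jitter_deg)) % 180))
    probe.append((190.0, 170.0, 90.0))  # spurious minutia, far from all others
    return probe


def template_hash(template):
    """The password-style approach: one-way hash of the (rounded) template."""
    canon = sorted((round(x), round(y), round(a)) for x, y, a in template)
    return hashlib.sha256(repr(canon).encode()).hexdigest()


def angle_diff(a, b):
    """Smallest difference between two ridge orientations (period 180)."""
    d = abs(a - b) % 180
    return min(d, 180 - d)


def match_score(enrolled, probe):
    """Greedy one-to-one pairing of minutiae within the tolerances.
    Returns paired / max(len(enrolled), len(probe)), a value in [0, 1]."""
    used = set()
    paired = 0
    for ex, ey, ea in enrolled:
        best = None
        for j, (px, py, pa) in enumerate(probe):
            if j in used:
                continue
            d = math.hypot(ex - px, ey - py)
            if d <= DIST_TOL and angle_diff(ea, pa) <= ANGLE_TOL:
                if best is None or d < best[0]:
                    best = (d, j)
        if best is not None:
            used.add(best[1])
            paired += 1
    return paired / max(len(enrolled), len(probe))


def verify(enrolled, probe, threshold=THRESHOLD):
    """Accept the probe if enough minutiae pair up with the enrolled set."""
    return match_score(enrolled, probe) >= threshold


if __name__ == "__main__":
    probe = rescan(ENROLLED, seed=1)
    print("hash equal across scans:",
          template_hash(ENROLLED) == template_hash(probe))
    print("same finger score:", round(match_score(ENROLLED, probe), 3),
          "accepted:", verify(ENROLLED, probe))
    print("impostor score:", round(match_score(ENROLLED, IMPOSTOR), 3),
          "accepted:", verify(ENROLLED, IMPOSTOR))
```

The matcher needs the enrolled template in comparable form at verification time, which is the storage concern raised at the top of the thread: unlike a password hash, the stored template is itself the sensitive data.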

What? (1)

QMO (836285) | more than 9 years ago | (#13032123)

I see how that applies to fingerprint storage, but not recognition.

Can you explain further?

Re:Ahem, PAM (5, Insightful)

/ASCII (86998) | more than 9 years ago | (#13031450)

The reason why making a general purpose API is better than hardcoding for a single use authentication algorithm is that you get:
  • Less lock in, since when the next generation of PAM killer comes along, the switch will be much easier.
  • Better portability to systems that don't use PAM. QNx, ReactOS, Windows, MacOS the world is a big place...
  • More uses for the software. Maybe you can use this fingerprinter together with a Firefox plugin to slightly increase the security of your bank transactions?

If the above reasons are enough to warrant the extra layer of indirection, I do not know. But saying that there are _no_ advantages to making a general purpose API is plainly false. It's a simple tradeoff.

Re:Ahem, PAM (1, Interesting)

Libor Vanek (248963) | more than 9 years ago | (#13031511)

Less lock in, since when the next generation of PAM killer comes along, the switch will be much easier.

That's stupid. There is nothing like "PAM killer" on the horizon in next 1-2 years! And there is no need for it - AFAIK PAM architecture is very clever and there are no "system design limitations" (but I'm NOT a PAM expert - if I'm wrong, please correct me!)

Better portability to systems that don't use PAM. QNx, ReactOS, Windows, MacOS the world is a big place...

AFAIK MacOS is using PAM (or not?). And writing new API means that you've to transfer (and integrate it into existing) Windows/QNX... OS. The effort is much bigger than having "proprietary" library and just port it to Windows native login API/Linux PAM/...

More uses for the software. Maybe you can use this fingerprinter together with a Firefox plugin to slightly increase the security of your bank transactions?

WRONG! Just make FireFox PAM plugin and voila - you can use your "PIN pad" (if it has PAM plugin), fingerprint/face/voice/DNA/... recognition (just by having PAM plugin for this) out of box!

Re:Ahem, PAM (1)

nokilli (759129) | more than 9 years ago | (#13031536)

It can be a tough call sometimes, and the grandparent is right about the benefits of abstraction but I just don't think it applies here. Like you say, PAM still has life left in it and everybody is using it.

Sometimes rolling your own API just adds to bloat.

Re:Ahem, PAM (1)

Libor Vanek (248963) | more than 9 years ago | (#13031542)

Of course that if you write something like that you'll have some library with your "kind-of-API" (more or less public and stable). I just wanted to say, that there is no need to write something that will replace PAM just to get biometric API - and I don't think that IBM has done it.

Re:Ahem, PAM (1)

gunnk (463227) | more than 9 years ago | (#13032140)

That's stupid. There is nothing like "PAM killer" on the horizon in next 1-2 years!

No, it's NOT stupid. The grandparent poster is right. I'm a network admin for a research center of about 300 people. We have servers running software that is 10 years old. We have servers that came online Friday. I'm trying to move the oldest software to retirement, but the user accounts and access rights are murder to migrate to anything new because those systems were never built to be modular.

Remember Y2K? Two digits for years were plenty when the software was written, and everyone just assumed that all that software would have long since been retired by the time it became an issue. When Y2K rolled around the world didn't end, but IT units worldwide spent a small fortune fixing bugs because 15 year-old software was still in use.

If you think you only need to look towards what might happen in the next 1-2 years you are mistaken. It's a nice thought, but the reality is that you need to be ready for changes that may come about in the 5-10 year timeframe. Since you cannot predict what those changes may be, it is best to make any system you work with as modular as possible.

Re:Ahem, PAM (1)

Anne Thwacks (531696) | more than 9 years ago | (#13032178)

There is nothing like "PAM killer" on the horizon in next 1-2 years

Maybe for someone your age, 1-2 years is a long time. However, in a large part of the real world, applications take 2-3 years to develop, and then have a life of 10-20 years, during which time, ALL the technology used during development becomes obsolete, and much of it is replaced, as part of "routine maintenance".

Some of it isn't replaced, because the new hardware is worse than the old - hence the amount of 10 year old kit still in daily use. Notice how much of *BSD is over 7 years and guess what 10 year old software still runs! How old is Fortran exactly? and Colossal cave, written in Fortran in the 1970's STILL RUNS. Notice how some people still drive 1970 Mustangs. (Notice how no sane person still uses DOS 3.3 and no sane person _ever_ used DOS 4.x)

The moral of this story is: Just because it's old does not make it good, but sometimes you need to make an investment over a long period. This requires stable APIs.

Re:Ahem, PAM (1)

Libor Vanek (248963) | more than 9 years ago | (#13032285)

Yeah - that's why I'm saying that there is nothing on the horizon. If something should become more widely usable in 2 years, we'd be seeing some beta release, flame wars on /. why this is better/worse than PAM, people pushing this into Fedora Core 5 etc. right NOW.

Re:Ahem, PAM (1)

photon317 (208409) | more than 9 years ago | (#13032170)


PAM has been in use in multiple *nix environments for a long time. PAM will quite likely outlive the fingerprint-auth-fad. You write a simple interface library/module to get at the fingerprint reader, and from there you write on top of that a PAM module, Firefox plugin, etc. There's no need for whatever this overdone BioAPI thing is.

Re:Ahem, PAM (4, Informative)

nathanh (1214) | more than 9 years ago | (#13031703)

I don't understand this. Isn't writing to PAM all you need to do to support authentication on Linux?

No. For example, the OpenSSH server needs explicit support for GSSAPI to support Kerberos Single Sign On. That could not be done within PAM.

Re:Ahem, PAM (0)

Anonymous Coward | more than 9 years ago | (#13031929)

Yes it can.

I do it. (well more accurately I've done it. Having Openssh take care of it is better, IMO)

Silly person.

But it's not just OpenSSH that gets authenticated thru Kerberos, it's EVERYTHING in my system. All login, and even file (openafs home directories) access is controlled thru PAM.

Then all the usernames and that is handled thru OpenLDAP and nsswitch. Which itself is encrypted and protected thru TLS/SSL and access is controlled thru GSSAPI itself (which is thru PAM).

All done on Debian, BTW.

in /etc/pam.d/common-auth

auth required pam_nologin.so
auth sufficient pam_krb5.so forwardable
#auth sufficient pam_ldap.so
auth sufficient pam_unix.so shadow use_first_pass
auth required pam_deny.so
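How the auth stack posted above resolves under PAM's required/sufficient control flags, as an added example that is not from any poster in this thread. It is a simplified model: each module's result is supplied by the caller as success or failure, and only the required, requisite, sufficient and optional flags are handled.

```python
# Added example: a simplified model of how Linux-PAM walks an "auth" stack.

# The stack as posted in the comment above (pam_ldap is commented out there).
STACK_TEXT = """\
auth required pam_nologin.so
auth sufficient pam_krb5.so forwardable
#auth sufficient pam_ldap.so
auth sufficient pam_unix.so shadow use_first_pass
auth required pam_deny.so
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 3 and fields[0] == facility:
            entries.append((fields[1], fields[2], fields[3:]))
    return entries


def evaluate(entries, outcomes):
    """Walk the stack and return (granted, modules_consulted).

    `outcomes` maps module name -> True (success) or False (failure).
    Modules missing from `outcomes` are treated as failing, which is also
    how pam_deny.so always behaves.
    """
    required_failed = False
    required_ok = False
    consulted = []
    for control, module, _args in entries:
        ok = outcomes.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted          # fail at once
        if control in ("required", "requisite"):
            if ok:
                required_ok = True
            else:
                required_failed = True       # remembered, stack continues
        elif control == "sufficient" and ok and not required_failed:
            return True, consulted           # short-circuit success
        # a failed "sufficient" and any "optional" result are ignored
    return (required_ok and not required_failed), consulted


if __name__ == "__main__":
    stack = parse_stack(STACK_TEXT)
    cases = {
        "krb5 accepts": {"pam_nologin.so": True, "pam_krb5.so": True},
        "only unix accepts": {"pam_nologin.so": True, "pam_unix.so": True},
        "nothing accepts": {"pam_nologin.so": True},
        "nologin blocks": {"pam_nologin.so": False, "pam_krb5.so": True},
    }
    for name, outcomes in cases.items():
        granted, consulted = evaluate(stack, outcomes)
        print(f"{name:18} granted={granted} consulted={consulted}")
```

The trailing `pam_deny.so` line is what turns "no sufficient module accepted" into a failure, and a failed `pam_nologin.so` keeps a later `sufficient` success from granting access.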

Re:Ahem, PAM (2, Interesting)

nathanh (1214) | more than 9 years ago | (#13032049)

Yes it can.

I do it. (well more accurately I've done it. Having Openssh take care of it is better, IMO)

Silly person.

No, you just don't understand what is being discussed here.

auth required pam_nologin.so
auth sufficient pam_krb5.so forwardable
#auth sufficient pam_ldap.so
auth sufficient pam_unix.so shadow use_first_pass
auth required pam_deny.so

That is not Kerberos Single Sign On. Read the man page for sshd_config, in particular the section on GSSAPI authentication.

Re:Ahem, PAM (1)

tzanger (1575) | more than 9 years ago | (#13031770)

I get the fact that you can't do that with biometric data because the data never is exactly the same, i.e., the one-way hash of the fingerprint you use to create the account won't be the same as the one-way hash created as you log on. And to do the comparison otherwise you'd need to load the data into memory, which is like loading a password, which is bad

It appears as though you're unfamiliar with the technology.

At least with the fingerprint sensors I used (Authentec) the goal was to generate a biometric signature and toss that around. When you scanned your finger it went over the map and created a digest which described the features of your fingerprint (whorls, swirls, forks, etc.) and the relative distance and orientation from each other. THIS is what makes up your fingerprint's... uh.. fingerprint. You don't store the bitmap image at all. Similarly when you scan for access, the same process is repeated and the fingerprint maps are compared, not the images.

So yes, it should be entirely possible to do what you want. PAM on its own is an unholy beast though. There was a great article at one point which detailed exactly why PAM was a solution looking for a problem, but I've long since lost it.

Re:Ahem, PAM (1)

morgan_greywolf (835522) | more than 9 years ago | (#13031785)


Why can't that go into pam_finger.so?
Well, you can have various modules handling 'password' management groups. For example, pam_pwcheck.so lets you have MD5 hashes and checks the passwords for uniqueness, against a dictionary, meets minimum security requirements, etc.

Generally, though, things like pam_pwcheck.so can plug into things like the Linux CryptoAPI; they don't have to handle MD5 hashes internally. In fact, I think that pam_pwcheck.so does use CryptoAPI if it's available.

So that's where BioAPI would sit...exactly where CryptoAPI does now. One way to implement this with PAM would be to have BioAPI sit as a kernel module like CryptoAPI -- affording it a level of protection from crackability by userland processes who do not have access to kernel space by definition -- and then either have a library that interfaces with BioAPI that could, say, translate the results of a fingerprint scan somehow into a repeatable MD5 hash that could be stored in the passwd file, or have a function call within the module itself.

They probably just chose the former instead of the latter.

Re:Ahem, PAM (0)

Anonymous Coward | more than 9 years ago | (#13032062)

BioAPI is an open standard, and is the right solution. Keep in mind they weren't writing some new framework called bioapi, they are using the existing bioapi framework which has existed for some time now, and complying with it. There's a pretty big difference between the two. BioAPI provides a device independent api, which is not limited just to fingerprint reading style biometric devices.

Having PAM support bioapi is the right solution; having pam directly support each vendor is retarded.

Fingerprints in Linux? (0, Redundant)

necromcr (836137) | more than 9 years ago | (#13031413)

.. one small small step for mankind, one giant leap for Linux.. ..or sth. like that.

This is great news because... (3, Funny)

Linker3000 (626634) | more than 9 years ago | (#13031424)

Wow, I am really looking forward to giving Linux the finger...er wait..

Re:This is great news because... (1)

bn557 (183935) | more than 9 years ago | (#13031538)

but will it know it's your finger? Think of linux as your girlfriend, and you want her to know(and perhaps care) that you're the one giving her the finger. If she doesn't care, then she's just a promiscuous mode bitch.

Sounds good (0, Troll)

ANTI ISLAMS CRUSADOR (898729) | more than 9 years ago | (#13031435)

I hope this will protect our society against muslim psychopats.

By the way, biometrics & DRM ? (2, Insightful)

Arthur B. (806360) | more than 9 years ago | (#13031436)

Put now your finger on the scanner to play this drm-protected wma. Well... kinda better than hardware fingerprinting anyway. But way more spooky.

Re:By the way, biometrics & DRM ? (2, Insightful)

dancallaghan (890674) | more than 9 years ago | (#13031567)

Mod parent insightful! DRMing content according to the buyer's fingerprint pattern is an excellent way to make sure they are the only person using the content. Oh and as a side effect, M$ and [insert other evil DRM proponents here] would get to see your fingerprint ...

Spooky indeed.

Re:By the way, biometrics & DRM ? (0)

Anonymous Coward | more than 9 years ago | (#13031692)

Isn't a fingerprint reader on a laptop extremely unsecured? I mean, if someone steals your laptop, wouldn't he relatively easily collect the fingerprints left on keys, screen, battery, ... and put it on a medium accepted by the reader and use it to log in?

Re:By the way, biometrics & DRM ? (1)

Arthur B. (806360) | more than 9 years ago | (#13031727)

True, collecting fingerprints is easy and the scanner can be lured. Iris is other business... but it's still vulnerable to "fake login screen" phishing techniques.

Re:By the way, biometrics & DRM ? (2, Informative)

ajs318 (655362) | more than 9 years ago | (#13031801)

Yes, it's dead easy and can be done using readily-available and household materials. You just need some graphite dust and sellotape {from your desk}, photoresist PCB board and processing chemicals {from Maplin or similar; unless electronics is considered bomb-making nowadays}, and plant gelatin {from a health food store}. Dust laptop for {presumably the rightful user's} fingerprints with graphite and lift with sellotape. {Option: enhance image electronically}. Make a printed circuit board using the fingerprint pattern. Ideally use negative working photoresist or take a negative as part of enhancing the image, though in practice negative images are acceptable to fingerprint scanners {which seem to respond to edges in blissful ignorance of actual direction}. Use PCB to cast a gelatin mould of the rightful user's fingerprint. Use artificial gelatin fingerprint {possibly on the end of your own finger} to operate scanner. In the event of a bust, it can be disposed of safely by eating {you did use plant gelatin, didn't you?}

References here [ncl.ac.uk] and here [schneier.com].

To answer the question: No. (3, Informative)

Keeper (56691) | more than 9 years ago | (#13031442)

Windows has supported biometric authentication (in addition to smart cards) since Win2k. Hell, they've been selling keyboards with fingerprint scanners built in for almost a year now ...

Re:To answer the question: No. (-1, Troll)

rylin (688457) | more than 9 years ago | (#13031470)

But this is OPEN SORES!
OF COURSE NOBODY WILL BOTHER COUNTING AVAILABLE MAINSTREAM OPERATING SYSTEMS.

Questions asked on slashdot have their own rules, much like the polls regularly conducted on the frontpage.

Which mainstream operating system is the most likely to be first when it comes to biometric authentication:
(*) Linux
( ) Hurd

Re:To answer the question: No. (1, Funny)

GekkePrutser (548776) | more than 9 years ago | (#13031481)

The question said 'out of the box', I think that means 'without having to install any drivers'.

All biometric solutions I've seen use the OmniPass software from Softex that needs to be installed first. Just plugging one of those fingerprint scanners in your computer (e.g. APC Biopod) does nothing without installing the software.

Re:To answer the question: No. (1)

rylin (688457) | more than 9 years ago | (#13031492)

So I guess OEM installations don't count?
I mean, who buys computers with preloaded operating systems, drivers and productivity suites these days?

Re:To answer the question: No. (1)

GekkePrutser (548776) | more than 9 years ago | (#13031519)

Well then you're not just buying an 'operating system' :-) But I do agree that the question was very vague. It can be interpreted both ways depending on your definition of 'operating system' or 'out of the box'. I don't think this will be something where Linux will really be better than windows, especially this is all yet to be developed, and there are so many biometric devices already available for Windows. By the way, the IBM T42's we have here at work don't seem to have the fingerprint option enabled when they are delivered to us, but it could be that they took it out of the corporate preload they put on it.

Re:To answer the question: No. (2, Funny)

stevey (64018) | more than 9 years ago | (#13031552)

But this is OPEN SORES!

The combination of open sores and a finger scanner doesn't sound too hygienic to me.

I guess if I had a fingerprint scanner I'd want to clean it regularly if people are going to start trying to use it randomly...

Re:To answer the question: No. (-1, Redundant)

Pecisk (688001) | more than 9 years ago | (#13031532)

'Out of box' means 'I plug this thingy in USB and it works'. Windows needs usually some SP/Hotfix action and driver installation. So it is quite a difference.

Re:To answer the question: No. (2, Informative)

VE3MTM (635378) | more than 9 years ago | (#13031807)

My boss has one of those Microsoft keyboards with the fingerprint scanner. It does not work for Windows logins, only for things like passwords on webpages.

Re:To answer the question: No. (0, Funny)

Anonymous Coward | more than 9 years ago | (#13031824)

Bullshit.

W2k and XP implementation of smartcards sucks and is 1/2 assed requiring a "surprise" windows server on the network to use them.

the fingerprint crap is CERTAINLY not built into the OS but a crappy add-on application that does not work worth a damn and will not work decently with active directory and domain models. It's a "toy" for people to use at home nothing more.

when they pull their heads out of their asses and implement it right and you see it easily deployed in corporate without special software requirements (and the morons at IT let it happen) then I'll agree..

Until then it's still a half assed bolt-on.

Finally... (1, Insightful)

Anonymous Coward | more than 9 years ago | (#13031451)

now I can REALLY finger my computer!

Obviously not (-1, Offtopic)

shanen (462549) | more than 9 years ago | (#13031482)

Sorry, but the "stimulating" question is obviously foolish. By the definition implied by the question, the answer is "Obviously not", since the feature already exists for Windows on this particular IBM box, and there is no way that all Linux boxes will support it any time soon. Any way you try to slice that question, it comes out broken. The editors often add feeble attempts to encourage conversation, but this one is outstandingly feeble.

I don't mind that the editors want to be slightly provocative. What I mostly mind is that the /. moderation system frequently penalizes people who rise to the bait. I suppose I should also be bothered that such leading questions sometimes provoke trolling, but the moderation system usually handles the trolls pretty well. Not always, however.

By the way, can any moderators (M1ers) out there answer a couple of questions about M1? My theory is that M1ers also do M2--but they do it differently than I do. I just answer honestly, the way it says in the M2 instructions, but I rarely agree with 90% of the M1s (I think it's more like 70% on average), and I think that prevents me from being asked to M1. Two implications are that the description of M2 is misleading (or false), and that some M1ers are probably gaming the system by always M2ing at 100% agreement, and this gets them more chances to do M1.

Yes, I admit this meta-topic is wandering away from the current topic, but that's one of the side effects of picking a bad topic, so I'm blaming the /. editor. Well, actually the topic isn't bad, but (as already noted) the "provocative question" is terrible.

Do they have a meta-funny mod?

Re:Obviously not (1)

Knome_fan (898727) | more than 9 years ago | (#13031502)

I think the magic words here are "out of the box". So the question isn't as foolish as you seem to think but pretty irrelevant I agree.

Re:Obviously not (1)

shanen (462549) | more than 9 years ago | (#13032121)

I'm not following you. The ThinkPad comes "out of the box" with the fingerprint recognition, though only for certain models. I know that because I work next door to where they designed them. (Disclaimer time: Yes, I'm in the IBM food chain.) No way for Linux to be first for something that already exists.

I also referred to the preposterousness of the alternative reading, since the scope of "Linux" is so broad. Of course, a good editor should also be a good writer--and a good writer will not write such ambiguous and misleading stuff in the first place.

Since the introduction was so misguided, I admit I didn't even read the article. There's no reasonable way it could be talking about something else like an add-on fingerprint scanner, because in that case it wouldn't be limited to the T series.

Re:Obviously not (1)

Knome_fan (898727) | more than 9 years ago | (#13032195)

Well I don't own a ThinkPad so I'm only speculating, but I think the author was suggesting that Windows itself doesn't come with fingerprint recognition, though the version installed on the ThinkPad probably does. Now if this is indeed the case the author might be right that Linux (or rather a "normal" Linux install) might be the first OS to have such a feature "out of the box". However, as I said, I think it's really irrelevant, because who cares as long as it works..

Re:Obviously not (1)

Mister Mudge (472276) | more than 9 years ago | (#13031504)

Hasn't OS X had biometric user verification/login, albeit voice not fingerprint, since it was first released back in 2000 (or was it 1999?)

Re:Obviously not (1)

timgoh0 (781057) | more than 9 years ago | (#13031549)

No. OS X dropped the voiceprint identification system. It was only present back in the OS 9 days.

Finally... (3, Insightful)

Ranma-sensei (800217) | more than 9 years ago | (#13031487)

I think it's great - and time! I really don't like having to remember 20 or so passwords just so because if one of them gets hacked my other data is secure. :(

Re:Finally... (2, Insightful)

dancallaghan (890674) | more than 9 years ago | (#13031583)

Except you couldn't switch to using only biometric authentication (not until they get a little DNA blood pinprick scanner thingy, anyway), so the best place for biometric authentication is as an added layer of protection on top of the 20 regularly-rotated random passwords stored in your brain.

Yes, my tin foil hat fits very nicely thankyouverymuch.

Re:Finally... (1)

amcdiarmid (856796) | more than 9 years ago | (#13031697)

Yeah, I just want my fingers hacked instead;)

That wouldn't be a first (3, Interesting)

JohnnyNoSPAM (815401) | more than 9 years ago | (#13031515)

Linux frequently supports a lot of hardware out of the box. Some folks argue that there is better hardware support for Windows. And that is true in and of itself. However, how often when installing a Windows operating system do you need a load of driver CDs to accompany the installation? In my experience: always, especially if there is additional hardware such as a printer. Linux, on the other hand, is frequently distributed with drivers for supported hardware out of the box. What's better is that as Linux grows in popularity, so will the hardware support.

Re:That wouldn't be a first (1)

mwvdlee (775178) | more than 9 years ago | (#13031649)

Pardon my ignorance, but aren't you supposed to compile the kernel with that hardware support in Linux, before that hardware is actually supported by Linux?

So what's the difference for a user between Windows' installable drivers and Linux' kernel-compiled drivers?

Every time a driver gets updated or a new driver is released for EITHER OS, it will require some sort of installation.

So Linux may come supplied with the driver inside a precompiled kernel, what's the difference with a Windows installation disk which includes the equivalent driver? It's both "in-the-box".

Next version of Linux you'll install probably has the fingerprint thing, next version of Windows you install will have so too.

Re:That wouldn't be a first (2, Informative)

porkThreeWays (895269) | more than 9 years ago | (#13031894)

Linux uses kernel modules to insert code into a running kernel. Most distributions come shipped with a crapload of modules. They will use an initial ramdisk to do hardware detection and only modprobe modules with hardware present.

To the end user, all they have to do is install their linux distribution and it just works.

I've been using Linux for a while now (Red Hat 6.2 was my first). When I first started, you kinda had to plan your hardware for linux or hope it would work. Today, I don't think twice about linux support. Most times I can plug in my new usb device right out of the box (via hotplug) with no driver disks, update searches, searching HP's website, etc etc.

Obviously there are exceptions, but it's been a looooooooong time that I've bought hardware that doesn't work with Linux.

Re:That wouldn't be a first (2, Informative)

Trelane (16124) | more than 9 years ago | (#13031934)

Pardon my ignorance, but aren't you supposed to compile the kernel with that hardware support in Linux, before that hardware is actually supported by Linux?
Generally, what will happen is that a distribution will ship with a somewhat minimal kernel and a bunch of kernel modules that take care of different things, e.g. USB devices, iptables modules (adds functionality to the firewall), drivers, and so on. So no, if you don't want to do things the hard-ish way, there's no need to ever compile a kernel.
So what's the difference for a user between Windows' installable drivers and Linux' kernel-compiled drivers?
Well, the first difference is that not all drivers are kernel-compiled. You can certainly do that if you wish, which has certain advantages (e.g. on a server, it makes it just a little harder to install a kernel-level rootkit if you disable modules and compile everything in). However, most drivers that people will use are just kernel modules, which are loaded as needed. The difference then between Windows and Linux is that Linux's driver support, due to the fact that generally vendors don't believe it to be worth the investment, is mostly available with your distribution because the drivers aren't coming from the vendor. With a few notable exceptions (e.g. video drivers), if you can use it under Linux, its driver is on your distribution's CD or DVD. With Windows' driver support, due to the fact that most vendors don't believe it worth dying not to support Windows, is generally only available from the vendors and much, much fewer drivers come with your Windows CD or DVD. Now a few drivers may well be shipped on the CD/DVD, but not nearly as many as with Linux, in my experience.

Re:That wouldn't be a first (0)

Anonymous Coward | more than 9 years ago | (#13032035)

Magic unicorns and gumdrops! Everything is perfect in Linux world! Consider these two counterpoints:

1) There are still many devices which, though they require a CD in Windows, will not work at all in Linux.

2) For virtually everything else, if the driver is not loaded at install, the user may not be able to figure it out. Unlike the glitzy, user-oriented Windows driver install process, installing the driver in Linux requires you to modprobe a module which may have a name NOTHING like the thing you just bought.

To sum up, given the popularity of projects like NDISWrapper, it is plainly nonsense to suggest that Linux has surpassed Windows in either hardware support, or ease of installation. Please.

Re:That wouldn't be a first (1)

Jumpin' Jon (731892) | more than 9 years ago | (#13032279)

What's better is that as Linux grows in popularity, so will the hardware support.

...or vice versa

Anyone on breaking the biometric authentication? (3, Interesting)

SpaghettiPattern (609814) | more than 9 years ago | (#13031550)

Anyone on breaking the biometric authentication?
  • Chopping off finger.
  • Finger print out or finger skin resembling synthetic material.
  • Looks easier than guessing passwds.
  • How long before finger print kits appear in my Gmail->spam box?

Re:Anyone on breaking the biometric authentication (-1)

Anonymous Coward | more than 9 years ago | (#13031596)

Google on Gummi Bear. It was done years ago.

Re:Anyone on breaking the biometric authentication (0)

Anonymous Coward | more than 9 years ago | (#13031669)

More to the point, how long until I stop getting spam from gmail accounts???

Re:Anyone on breaking the biometric authentication (1)

aspargillus (640992) | more than 9 years ago | (#13031761)

"Anyone on breaking the biometric authentication?"
Check out the work on biometrics at the CCC Berlin [berlin.ccc.de]. Lots of links too, but mostly German. They have a guy who managed to build fake fingerprints with a thin layer of ordinary wood glue. I know it sounds silly, but I have seen it work. Here [www.ccc.de] is a summary in English.

Quick simple and faster. (0)

Anonymous Coward | more than 9 years ago | (#13031766)

Get user to scan finger on an equivalent scanner. Somehow.

Save data.

Electronically remove the scanner and plug in an electric equivalent. System is shot.

Acquire a full set of fingerprints from a glass or a drink can or laptop (normally only one person has handled it recently). If this is not a 3D scanner.

Feed this information in to a scanner replacement.

Bye bye protection.

Final methods most problem method from a law point of view.

Kill the person required and use their dead hands.

Cut off both hands and take the laptop to get the information.

Biometric means more reason to kill the user. Since killing the user is the best method. Heck in Australia you get 15 years for computer crime anyhow and for murder you will get 15 years so really what is the difference. The grade of jail that is about it.

Really think about if the hacker thinks he has a chance of acquiring the information by stealing the laptop and not killing the person. He/She thinks there is no chance they will kill the person.

Better method passwords take X amount of time to crack. In build a harddrive self destruct if harddrive is not returned to coded cradle inside X amount of time data will be destroyed.

Reason kill the user they cannot tell you the password so no point. Don't have the cradle data will be lost anyhow. Crack open drive auto activate self destruct.

And if everything is time locked heck the hacker is stuffed.

Re:Anyone on breaking the biometric authentication (1)

sebFlyte (844277) | more than 9 years ago | (#13031768)

You don't even need to go to the extreme lengths of chopping off someone's finger...

All you need is some fingerprinting dust and some clear tape. Dust the laptop (paying particular attention to the central keys on the keyboard where the index finger is most likely to be used, but try the back too, as that might have been brushed off recently, then picked up firmly using several identifiable fingers), pick up a selection of fingerprints with the tape, et voila.

Unless, of course, you always wear gloves when using your laptop...

Even worse... (1)

ccharles (799761) | more than 9 years ago | (#13031811)

...once it's broken, you don't have many options for a new 'password'.

Re:Anyone on breaking the biometric authentication (1)

geo_2677 (593590) | more than 9 years ago | (#13031895)

Well actually breaking the fingerprint authentication is not simple but it's not foolproof either.
One of the places I worked had fingerprinting for attendance. After it was introduced some smart chap figured how to fool it; put his fingerprint with some kind of ink on a transparent plastic strip, and the system was fooled. I don't know how the system functions but if the laptops or whatever security mechanism uses only fingerprints to authenticate you, believe me you should be wiping off every fingerprint you leave on anything, else your fingerprint will be photographed, reproduced on some kind of sheet and your security is as good as none.

So big brother will run on Linux... (3, Interesting)

james_gnz (663440) | more than 9 years ago | (#13031566)

I am reminded that when I was reading Stallman's The Right To Read [gnu.org] (linked from the recent Slashdot story Old-Fashioned DRM Protects Harry Potter Book [slashdot.org]), I wondered why it didn't include biometrics. That would have prevented the happy ending.

Having biometrics on my computer with a free / open source OS wouldn't be scary like having biometrics on my computer with a closed OS and hardware DRM, of course.

For public / institutional networks though, I can't help but wonder where it's going. But on the plus side, at least if big brother runs on Linux I won't worry so much about script kiddies stealing my identity.

Re:So big brother will run on Linux... (1)

QuantumG (50515) | more than 9 years ago | (#13031684)

Worse yet is that employers will demand a thumb print to clock on/off in minimum wage jobs or to use company resources in white collar jobs. Piss off your employer, your name will go onto a blacklist and you won't be able to find another job. Best way to get people to tow the line.

Re:So big brother will run on Linux... (1, Informative)

Anonymous Coward | more than 9 years ago | (#13031758)

Re:So big brother will run on Linux... (1)

DrSkwid (118965) | more than 9 years ago | (#13032004)

toe the line

Re:So big brother will run on Linux... (1)

QuantumG (50515) | more than 9 years ago | (#13032025)

Yeah, I have trouble with writing verbal idioms.

Re:So big brother will run on Linux... (1)

delire (809063) | more than 9 years ago | (#13031722)



if you don't like Big Brother, don't compile him..

Likely SuSE, RH et al will play the PlaySafe card in order to meet hw vendor obligations, and so will likely ship with the kind of DRM that prevents use of restrictively copyrighted media. Similarly, they will be fighting to be the first distro to support biometrics for laptops. If you don't like this sort of carry on, grab the kernel sources, RTFM and ensure the offending 'Y' is not in your /usr/src/kernel-source-$(uname -r)/.config, make clean && make. If you can't do it, and it's enough of a problem, pay someone to do it for you.

DRM is largely misunderstood anyway, while I don't support DRM as a model for protected media, DRM can be a valuable tool for securing a machine by specifying what a user can and cannot do on that box.

Torvalds on this polemic matter said [zeropaid.com]:

"Linux is an operating system, not a political movement, and people should ultimately be able to do what they want with it, he said.. This is why I refuse to disallow even the 'bad' kinds of uses--because not allowing them would automatically also mean that 'good' uses aren't allowed."

Wake up Timothy (1)

ReidMaynard (161608) | more than 9 years ago | (#13031568)

It's Lenovo's T42 Notebook now

Re:Wake up Timothy (0, Flamebait)

Donny Smith (567043) | more than 9 years ago | (#13031600)

Of course, but the retards prefer to use IBM to give the news additional credibility.

And not to mention the disaster recovery feature - the notebook automatically sends user's fingerprint scan to an IP address in China.

Re:Wake up Timothy (1)

SubS (108008) | more than 9 years ago | (#13031602)

Yes it is, and as a new owner of a brand new IBM Thinkpad X41 (with fingerprint reader also equipped) I can say that it probably is the only thing not working in Linux, yet.

All essential hardware (wlan, lan, graphics, sata, etc.) is working out of the box (Ubuntu Hoary) with this one. Way to go IBM/Lenovo!

Re:Wake up Timothy (0)

hacker (14635) | more than 9 years ago | (#13032089)

"It's Lenovo's T42 Notebook now."

It's been Lenovo's notebook for a couple of years now. Lenovo has been manufacturing IBM's Thinkpad line of laptops for 2-3 years, maybe even longer. The whole reason for the "sale" was to get them to handle the whole operation, front-to-back, instead of just the manufacturing bit.

*Bah*, fingerprint scanning is yesterdays news... (5, Insightful)

de Bois-Guilbert (807304) | more than 9 years ago | (#13031572)

...what I want is retinal scanning!

I'd imagine the patterns in our eyes are more difficult to duplicate for nefarious purposes than our fingerprints, which (besides the cool factor) would mean increased security... On the other hand, I'd rather have the arch-villain chop off my finger than carve out my eyeball.

Re:*Bah*, fingerprint scanning is yesterdays news. (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13031874)

" ...what I want is retinal scanning!"

Not to be confused with Microsoft's new 'rectal scanning' feature being integrated into Longhorn...

DUPE!!!! (1)

tom17 (659054) | more than 9 years ago | (#13031621)

Oh wait, no.. that was T-43 not T42. My bad!

Here's a guy that won't be using it! (3, Informative)

Jonti (795505) | more than 9 years ago | (#13031660)

Mr Kumaran, a Malaysian accountant, had a Mercedes protected by biometric fingerprint recognition. He still lost his car to thieves, tho' -- and the end of his finger as well. You can read about the, uhh, downside, to finger-print recognition here [theregister.co.uk].

OK, so the Merc was worth USD 75,000 to the thieves, a little more than a laptop. But if a dead finger works, a plastic replica would work as well. Before using a system like this, it may be worth considering the value that the data on a laptop might have to unscrupulous rivals ... Is it worth this kind of horror to protect the laptop itself? There are easier and better ways to protect *data*.

Re:Here's a guy that won't be using it! (1, Insightful)

t_allardyce (48447) | more than 9 years ago | (#13031745)

Unfortunately most people don't think about the consequences of anything. If fingerprint recognition grows as a technology it's likely we're going to see more of this, which is why I believe it's a basic human right not to be forced to use fingerprints to identify yourself. Fingerprints belong in crime investigation only.

1984 is here (-1)

Anonymous Coward | more than 9 years ago | (#13031678)

you were right george

Password renewal (3, Interesting)

CaxDot (869821) | more than 9 years ago | (#13031691)

How on earth do I change my login data once it has been compromised? How do I randomly regrow a new fingerprint? Or retina?

Re:Password renewal (1, Funny)

Anonymous Coward | more than 9 years ago | (#13031886)

You use another finger. =oP
The cool part begins when you start having to take off your shoes to log in.

Yes. (-1)

Anonymous Coward | more than 9 years ago | (#13031711)

indeed...

Actually, Mac OS 9 shipped with biometric ID (1)

neccoant (3345) | more than 9 years ago | (#13031736)

In MacOS 9, one could use a "voice-print" to log into their user account right out of the box. This isn't in OS X, for some reason, but it used to be there. Then again, at least OS X has real users, and not an At Ease retrofit.

Ipaqs (1)

HydrogenOxide (751753) | more than 9 years ago | (#13031750)

Anyone know the state of support for fingerprint recognition with Familiar on the Ipaq's that have the scanner? I've got one of those, and would love to switch to linux, but am worried about this and wifi support.

Re:Ipaqs (2, Informative)

Antique Geekmeister (740220) | more than 9 years ago | (#13031854)

It's about the same as the state for speech recognition elsewhere. The systems use way too little data to actually analyze and get at best a 95% or so recognition of the actual user, and the sensor acuity to defeat even the fake gelatin fingers (Google keyword: gummi fingers) is simply not there, since with a fake finger made from a fingerprint lifted from elsewhere the class that did the Gummi fingers still got better than 80% recognition.

Basically, the ability to detect a fake fingerprint with a casual test has never existed. The sensors just aren't good enough, even if the software authors were willing to invest the resources to store really thorough images of fingerprints, which they're not.

Re:Ipaqs (2, Informative)

hacker (14635) | more than 9 years ago | (#13032039)

"Basically, the ability to detect a fake fingerprint with a casual test has never existed. The sensors just aren't good enough, even if the software authors were willing to invest the resources to store really thorough images of fingerprints, which they're not."

The FingerChip(tm) has been doing exactly this since about 1998 or earlier (that's 7+ years). The FingerChip is about 1mm x 8mm in size (about 1/2" long, about the width of a wooden matchstick). I think the company sold its technology to someone else now over the years, but lots of companies are using it... including IBM.

I was investigating their scanners back in 1998 when I was doing biometric authentication on wireless tablets running Citrix Metaframe for $BIG_PHARMA. This was back in 1998!! Technology has, of course, improved considerably since then.

Basically you swipe your finger across the FingerChip and at least 52 separate datapoints are gathered, which include speed of the swipe, pressure, heat, and of course the standard whoops and swirls of your fingerprint itself. We tried using lifting techniques and other things on it (as did the manufacturer), and it was simply not possible.

It is similar to trying to forge a signature. Sure you can forge it so the end result looks identical, but did you press your pen with the same pressure? Did you dot your "I" before you finished the word, or after? Did you cross your "T" from left to right, or right to left?

Any biometric scanner that doesn't measure these kinds of things shouldn't be used.

Incidentally, we tried lots of different kinds of scanners, including voice. The voice biometric scanners had about a 90% failure rate in our tests. I could log in as my colleague, just by repeating his exact intonation and speed... I could not, of course, imitate his fingerprint.

What about AuthenTec? (1)

jwr (20994) | more than 9 years ago | (#13031792)

Sadly, AuthenTec still lags behind and I still can't use the built-in fingerprint sensor in my laptop.

When will hardware companies realize that providing documentation and software increases sales?

Use of finger-prints !=security (1)

B5_geek (638928) | more than 9 years ago | (#13031860)

I wish companies and .gov would stop pushing biometrics as the end-all solution to password & user security.

If the server where the passwords are stored is insecure, then the passwords are insecure!

The only benefit that fingerprint scanners offer is the instant ability to have 10 different passwords "at your fingertips"!
Downside: I have to label each of my fingers so I know which password belongs to which site. Well, there's one finger that I don't need to label, that special middle finger is reserved for just one site.

Re:Use of finger-prints !=security (3, Informative)

hacker (14635) | more than 9 years ago | (#13031994)

"I wish companies and .gov would stop pushing biometrics as the end-all solution to password & user security.

[...]

The only benefit that fingerprint scanners offer is the instant ability to have 10 different passwords "at your fingertips"!"

Unfortunately, fingerprint authentication does NOT satisfy government requirements (not to mention the inherent insecurity should you ever be prosecuted).

CFR 21 part 11 (Code of Federal Regulations governing electronic signatures) mandates that you have to have at least 2 out of 3 things to be said to have securely authenticated:

  1. Something you HAVE (card key, key fob, etc.)
  2. Something you ARE (biometric, iris, fingerprint)
  3. Something you KNOW (password, passphrase, etc.)

If any system is compromised, and 2 out of the 3 above are used, then there is a conspiracy (like you gave your keycard and password to someone else).

The issue about security when prosecuted, is that your physical body (fingerprints as well) are subject to "search and seizure" if you are ever arrested (even if 100% innocent). There was a case that went to the Supreme Court (which I can't recall the name of) where a man argued that his fingerprints were "property", and until he waived his rights to his property, he could not be fingerprinted. I'm not sure how that turned out though.

Basically if you're arrested and they fingerprint you, they could just as easily scan in your fingerprints electronically and "replay" those back later to gain access to your biometric laptop or other devices.

Best to use 2 out of the 3 (or 3 out of the 3) above, so they can't gain access to your protected data without your approval or consent.

man finger (1)

strider44 (650833) | more than 9 years ago | (#13031904)

Sorry this is a misinterpretation. When I said you can use finger in linux I didn't mean biometric identification, I really meant

strider44@strider44:~$ finger strider44
Login: strider44 Name: strider44
Directory: /home/strider44 Shell: /bin/bash

How it works on Windows XP (2, Insightful)

brunogirin (783691) | more than 9 years ago | (#13031971)

I currently have a T42 on my desk running Windows XP and I set up the fingerprint authentication. It took about 5 minutes. Here's how it works:

When configuring the system, you provide original prints from any number of your fingers. It suggests you provide 2 of them. Then, you just have to slowly pass any of the fingers on the sensor for it to authenticate you. So for instance, you could make sure you have an electronic print of your right index finger and of your left ring finger. I suppose the redundancy is meant to make sure you have a back-up the day you nicked your finger doing DIY during the week-end.

If you want to change the print (the same way as you would change password), you just remove some existing prints from the authentication DB and replace them with new ones. Then you just have to remember what finger to use this week.

Finally, there is always the solution to press CTRL-ALT-DEL to get a normal password prompt.

So, all in all, the way it is implemented in Windows is not as a substitute to the standard password authentication but as an extension that makes it easier for you, the owner of the machine, to log in but not more difficult for a third party to do so.

I quite like the way it's implemented on Windows but it would be nice if its use could be extended to provide digital signatures and authentication to other systems, such as a Firefox plug-in.

I forgot to mention: the Windows XP implementation doesn't come out of the box. It's an IBM extension that is provided with the T42.

which one shall we hack? (-1)

Anonymous Coward | more than 9 years ago | (#13031975)

I would rather someone hack my password than hack my freekin finger off!

Conspiracy (1)

chrisnewbie (708349) | more than 9 years ago | (#13032177)

That's the best way to get your prints digitalized and stolen over the net.

I don't want to be accused of the murder of a Colombian drug lord.

Digital Persona Support (2, Interesting)

sonixtwo (878390) | more than 9 years ago | (#13032282)

I have had a Digital Persona Biometric Fingerprint scanner that I have been trying to get working for ages now. It works great in Windows, but I haven't yet found a program to get it to actually perform in Linux. It is USB, and does get identified by hotplug. Digital Persona does provide an SDK for their devices. My opinion is Biometric authentication will be a pretty regular standard in the future.