[ltp] Slightly off topic: windows fingerprint checker bad flaw
Alejandro Bonilla Beeche
linux-thinkpad@linux-thinkpad.org
Tue, 15 Nov 2005 20:49:42 -0600
Jiang Qian wrote:
>If you don't have a fingerprint reader or have blown away your XP
>partition, stop reading now.
>
>This is off topic but I seem to have discovered a critical flaw in the
>dual-boot Windows partition of my computer in the way it checks the
>fingerprint. It seems that if you configure Windows to use fingerprint
>login and enroll several fingers, and boot up Windows, when you roll
>any finger, *not* the ones you log in, *as soon as* the fingerprint
>login screen appears but has not been properly initialized (when it's
>saying "please wait...") you get logged right in. No matter what
>finger you use. This defeats the whole fingerprint login protection.
>
>Note this does not happen if once logged in, you log out then try to
>log in again. In that case only the fingers you enrolled log you in.
>
>Also this does not seem to affect when you use fingerprint as power-on
>security like hard drive password. So it does not affect my Linux
>partition at all, where PAM, combined with the beta driver, does a proper
>job authenticating the fingerprint. It is a Windows software flaw.
>
>For those of you who keep a Windows partition, be aware, you might want
>to check your fingerprint login in Windows. This is on a T43 with
>Windows XP SP2.
>
>
It works for me. I have this enabled:
POST password or fingerprint. If you boot with the fingerprint, it will
do Single Sign-On in Windows and kick you right in; if you reboot the
box, it should ask for the finger again.
I have /dev/hda1 as Windows and /dev/hda2 as Linux, and it all works fine in
Windows...
Please check if you are assuming something while it is that way.
That reminds me that I have to ask Upek for an update on the framework.
.Alejandro
>If people can confirm this, does anyone know who to report it to? Frankly I
>don't care about this flaw, I use Windows only for hardware testing
>purposes. Yet I'm sure there are a gazillion Windows-only users who
>should be aware of this.
>
>Jiang
>
>