[ltp] Fingerprint reader and the Bios

Torsten Wagner linux-thinkpad@linux-thinkpad.org
Thu, 26 Jan 2006 16:12:57 +0100 

I agree with Aaron,

someone how is such intrigued to catch my data, can catch my data. 
Independent whether I use a finger-print reader, a password or whatever 
for log on and boot.
It take him just 30 sec. and a screwdriver to detach my harddisk from my 
Thinkpad.
In fact, you all know, that a Linux box is pretty insecure (as all other 
OSs) if the bad guy is able to stay physically in front of the computer.
If the guy is a geek and has plenty time, he will try to fake the 
fingerprint, but just for fun. If he is in hurry he will just take your 
harddisk and plug it into his computer. Nothing easier than that. 
Especially for notebooks, with all these slots and modules stuff, the 
changing of a harddisk is as easy as insert a CD.   ;)

The finger-print reader is in my opinion as save as a good password. Not 
more not less. In addition it is somewhat more user-friendly and has a 
geek-factor.

My two cents...

Torsten



Aaron Mulder wrote:
> This whole conversation seems kind of surreal to me.  If anyone wants
> to log in to my machine so much that they'll capture my fingerprint
> and make a mold of my finger to fool the fingerprint sensor, then
> surely they could equivalently mount a camera to capture my password. 
> Or hell, spend 5 minutes at the machine and install a compact
> keystroke logger between the keyboard and motherboard socket.
>
> When I reported the fingerprint module to SuSE, the response I got was
> that integrating the driver was out of the question because it was
> proprietary code that required root privs and thus was inherently
> insecure.
>
> I don't get this either.  To me, the fingerprint reader is way more
> secure because the only meaningful risk I feel I run is typing in my
> password when unsuspending the machine or deactivating the screen
> saver.  Which I have to do in front of clients, on airplanes, in
> meetings, etc.  In other words, there are hundreds of opportunities
> for someone to shoulder surf my password.  But with the fingerprint
> reader, I eliminate all of those in an instant.  How could this be
> considered less secure?
>
> Finally, raise your hand if you're participating in this thread and
> you've used a wireless or bluetooth keyboard.  I had to talk myself
> out of that one, though granted, not for my ThinkPad.  :)
>
> Thanks,
>     Aaron
>