[ltp] Fingerprint reader and the Bios

Aaron Mulder linux-thinkpad@linux-thinkpad.org
Thu, 26 Jan 2006 13:19:32 -0500


Regarding a camera: I often sit in a cubicle in a room with a drop
ceiling and speckly-patterned ceiling tiles.  If someone hid a small
camera on top of a ceiling tile and ran a small hole/lens/whatever
through the tile, I'd never notice.  Even if I looked.  OK, they need
physical access, but they need physical access to execute any of these
attacks.

Granted, I don't know when my fingerprint has been compromised.  That
is a problem I hadn't thought of.

As far as a complex password being more secure goes, I don't buy it.
I think a finger swipe that no one can shoulder-surf is better than a
complex password that no one is likely to shoulder-surf accurately on
the first try.

Finally, I do have my home partition encrypted with a long and complex
password, but that only helps if the attacker is dumb enough to turn
off my laptop once they get it.  I generally suspend or hibernate it,
which means the partition is effectively unencrypted.  I guess if I
was more security conscious, I'd find a way to unmount and remount the
encrypted partition during the suspend/resume, but then I'd be back to
typing in a password in public.

And finally, I don't see asking everyone to turn around or closing the
lid while typing my password.  While that has a security advantage,
IMHO it's outweighed by the social disadvantage.  :)

Thanks,
   Aaron

On 1/26/06, Richard Neill <rn214@hermes.cam.ac.uk> wrote:
>
>
> Aaron Mulder wrote:
>
> > When I reported the fingerprint module to SuSE, the response I got was
> > that integrating the driver was out of the question because it was
> > proprietary code that required root privs and thus was inherently
> > insecure.
>
> SuSE's response isn't actually related to the issue of whether the
> fingerprint reader is any good (which it probably isn't:
> http://www.schneier.com/crypto-gram-0205.html#5 )
> It's because you should never trust code for which you don't have the
> source.
>
> However, I think that distros would be ill-advised to adopt the
> fingerprint reader: it encourages a false sense of security.
>
> My personal recommendation is a password containing
> mixed-numbers, punctuation and letters, and being at least 12 characters
> long. It's very hard (without a video-camera) for someone to recognise
> that. Personally, I don't put upper-case in passwords, because this
> makes them much harder to type, especially if you are trying to do so
> rapidly to avoid observation.
>
> Lastly, if the laptop can be booted with knoppix, any password-mechanism
> may be trivially defeated. You need encryption of /home to be secure.
>
> Richard