IBM Introduces Biometric Thinkpad

An anonymous reader writes "IBM has added biometric security to its thinkpad notebooks. The next generation of T series thinkpads will have an integrated fingerprint scanner for added security. The latest machines will also include some pretty cool encryption software, that will keep your hard disk safe, but still let you backup and restore images. This guy managed to get his hands on an early prototype T42 with the new security features integrated."

swipe scan

[dirvish]

"IBM has chosen to go with a swipe-scanner rather than a touch-scanner, for a number of reasons. First and foremost is that a swipe-scanner provides better security. Because you have to drag your fingertip across the scanner, there is no way to "lift" a fingerprint from the surface."

That is a great idea. Such an elegant solution to what could have been a big problem.

Remember your friends

[lifeblender]

Does this mean you can hack it to record your friends' (or co-workers') fingerprints? Sounds fun and scary.

But...

[Sensible Clod]

will IBM include linux support?

Safe... but from whom?

[Tackhead]

If they designed it in such a way that the LEA backdoor is secure (say, it's got an LEA public key on it, and the private key is kept in the forensics labs), I'll buy one tomorrow. I don't have a need to defend against .gov adversaries - I just want to know that the data on my drives remains secure even after someone steals 'em to get his or her crack fix.

If, however, they designed it in such a way that the backdoor is not secure (say, a default password stored in cleartext on a serial EEPROM), that's another story. I'll download the crack when it comes out next week, and my soldering iron and I will have an endless supply of cheap entertainment when the machines start showing up at the surplus stores in 2009.

Notebook Nirvana...

[NetJunkie]

I love my Thinkpad. I had a T30 before that stayed on 24/7 for over a year. The only time it was turned off was to/from vacation. The rest of the time it was a workhorse. Now I have a T42P and love it as much or more. Functional and VERY stable. Sure, it doesn't have some super new gizmos like others, but it works every time.

Every time someone asks me about a notebook I recommend IBM. They go out to Best Buy and get some other brand with 20 other options they don't need and then get mad when it breaks or isn't stable. Thanks IBM!

I feel sorry for someone who loses a finger.

[CyberLord Seven]

This is cool though. I like how IBM put the fingerprint ID tech in front of Windows. That means Linux based OSs can also take advantage of this when these machines are being sold as refurbished in a few years.

I'm a little disappointed that the encryption stuff may not transfer well to non-Windows OSs.

Now what happens when someones finger is damaged to due fire, electrical shock, or blunt trauma? I had this problem with an old Compaq laptop that had a system password at the BIOS level. It made the laptop permanently mine since I didn't want to disclose my password to anyone else.

I know there's room for 21 different fingerprints, but I wonder how many end users are going to think to register more than one of their fingers...just in case.

Re:A bit of false security.

[avalys]

Under threat of physical violence, most security systems that involve humans tend to break down.

I'd give up my PGP private key to someone who put a gun to my head - that doesn't mean that PGP itself is insecure.

Re:swipe scan

[Dman33]

I love the swipe scanner that I have been using on my Ipaq H5450 for the past few years.

(I always wondered why this was not common on laptops when it has been common on my PDA for so long...)

Re:swipe scan

[Anne Thwacks]

That is a great idea. Such an elegant solution to what could have been a big problem.

Or maybe not - what is wrong with a lock and key to open the laptop?

Not only would it protect the data, it would prevent the HD and DVD combo from being stolen from the laptop while its sitting on the desk (happened to two colleagues lately).

And stop the keyboard from being damaged by children and small animals.

Given that the T series have titanium cases, a lot of force would be needed to open them and they would probably be wrecked if forced open (assuming a suitably strong lock.) This is the feature I want most next time I buy a T series (I have an IPaq with fingerprint recognition, and its great, but I would still prefer a lock and key for the laptop (I have a T series - they are great too).

Student's Thesis makes this feature useless!

[xanthines-R-yummy]

A la this article [slashdot.org].

I didn't RTFA, admittedly, but did IBM take her results into consideration before designing/implementing this feature?

But but but... what about the Leenooks!

[hacker]

Sure, thats all well and good, but is the API to the hardware scanner components exposed in such a way that allows Linux developers such as myself to poke at it, and write a compatible AES encryption layer to interface with it?

Encrypting a Windows machine prior to login is nice, but in the rest of the world, the GUI is the last thing we run, not the first.

In Windows, you run the GUI, and execute the shell.

In Linux (and most Unixes), you run the shell, and execute the GUI. Its a very different paradigm.

You need to encrypt the data (AND swap!) at the bootloader level, otherwise the whole point of it is irrelevant.

Integration with Windows?

[Anonymous Coward]

I'm intrigued by the section that mentions that fingerprint authentication can also be used at Windows logon... I wonder how this is integrating with Windows? It would be cool if all of the user profiles on the active directory could get fingerprint data associated with them, but I suspect they're probably just submitting a stored password or something.

We've been using Safeguard Easy on Thinkpad laptops in our office for some years now, and it really doesn't seem to affect performance much... certainly not for office use anyway. Takes a hell of a long time to initially encrypt though.

Limited Credential Revocation

[Aumaden]

Never use biometrics to control access to critical data. Barring such silliness as using toeprints, biometrics allows you 10 credentials (or only 2 is using full palm prints).

If your RSA key is compromised, you can just generate another. You can do this as often as necessary. However, if you fingerprint is compromised, all you can do is switch fingers. Nine compromises later, you're SOL.

Now for ordinary folks who just use this to keep others from messing with their laptops, this isn't an issue. However, if security is critical, biometrics just won't cut it.

And, yes it's fairly easy to fool a finger print scanner. All it takes is some Krazy glue and a Gummi bear [theregister.co.uk].

copycat

[oneishy]

. The latest machines will also include some pretty cool encryption software, that will keep your hard disk safe, but still let you backup and restore images.

How is this different than apples FileVault [apple.com] feature in OSX which uses 128bit AES encription on your home directory?

I have a powerbook and I must say that the FileVault works beautifully (and seamlessly)

It used to be Microsoft copying Apple, but I guess IBM can do it to. Granted my powerbook doesn't use a fingerprint as the encryption key.. but still.

A funny story about this...

[sczimme]

There was an interview in Business 2.0 a couple years ago with an individual who claimed she had had a very similar problem: she had just finished a presentation for a conference; the weekend before the conference she had a mishap in the kitchen and burned her finger, so she couldn't use the biometric authentication mechanism on her laptop. Her solution? She got on a plane and went to see her twin sister in Florida. She actually claimed in the article that "twins have identical fingerprints" and her sister was able to log in to her laptop for her and save the day.

The huge, glaring flaw in this scenario is that even identical twins will have fingerprints that look as much alike as the fingerprints of two random strangers on the street. The interview was good for a laugh, but sadly it does not appear to be available on the Business 2.0 site any more.

The individual was Bondra Bchneider, where B==S. She also referred to binary 1010 as "ten-ten"...

Re:I'm sorry, but you're an idiot.

[cHALiTO]

Both wrong. The data stored is usually some kind of array or matrix of the finger minutiae (relative position, direction, etc). No serious fingerprint identification system compares -images-. Te image of the fingerprint is analyzed, the minutiae are extracted, and that's used to perform the matching against the database. A single fingerprint can contain more than 50 minutiae, while 12 are enough to identify a person.

Insecure?

[Kent Recal]

This [heise.de] article from 2002 claims that most fingerprint readers available to joe user by that time were easy to fool. Easy as in: press a plastic bag filled with warm water on it to replay the last print.
Are we looking at a new, better generation of readers today or are they still as insecure as they used to be?