Hardware

Mouse That Scans Your Fingerprints 90

Pac writes: "The U-Match mouse has an embedded fingerprint scanning device. It is currently available only for Windows 9x/NT, but Biolink says it will have a Unix\Linux version by the end of the year and a Mac version in the beginning of 2001." I've been eyeballing finger scanners since I saw a nifty one that worked through PAM at a tradeshow one time: I still think it'd be very convenient if it worked, but I'm very skeptical that something like this could gain widespread acceptance.

  • by Panaflex ( 13191 ) <<convivialdingo> <at> <yahoo.com>> on Saturday July 15, 2000 @09:04AM (#930850)
    First off, it's optical recognition. Pretty much means that "rubber finger" is quite likely to work. (Compaq's optical scanner was recently spoofed using a flashlight. The print was already on the glass, so the flashlight just fooled it into taking the image on the glass)

    Secondly, How often do you replace your mouse? Mine last about 1.5 years.

    The best quality is that the hardware captures the minutiae. Fairly advanced, IMHO (If, in fact the hardware does actually do this.)

    Probably the best finger scanning technology is (ahem, plug) by ethentica. We use a plastic with embedded phosphors over a glass CCD. (About 1/16" thick.. 500 DPI) The scan can only be induced by having a live finger because of the electrical properties we use to detect a finger. Also, there is no glass to clean regularly. The plastic is cheap, and lasts for millions of scans. And it's the smallest of all.

    Pan
  • Actually this probably has nothing to do with marketshare.

    If I were a hardware developer, I would not create a product for the existing Mac OS. I would create it for Mac OS X. Since Mac OS X isn't being released until 2001, I would hesitate to announce a product before the OS is released.
  • Dude, 1 million x 0.01% = 100 false rejections. 100,000 would be 10%.


    --

  • Maybe it's because Macs use a different kind of mouse from PC's. To adapt the system to Unix/Linux all they have to do is write a new driver. For Mac, though, they actually have to go to the trouble of building a different piece of hardware.

  • The Slashdot Troll on WonkoSlice [wonko.com] is pretty smart.

    --

  • How come all these computer vendors are designing parts we do NOT need? I mean, I know how cool fingerprint scanning is -- we've been exposed to it our entire lives, in movies and such. But there's no substitute for a good password. To me, fingerprint scanning is just a Bad Idea.

    Here's why: It'll create a black market for fingers.

    Think about it! If you want access to someone's financial history, personal information, bank accounts, complete LIFE, all you need to do is chop off a finger or two! Don't think criminals wouldn't be able to go through with this -- it's very easy to see an organized crime syndicate pop up that specializes in fingers, eyeballs, even larynxes if we go as far as to implement widespread voice recognition as a way of identification.

    We already have password sniffers -- that's bad enough, but at least it's intellectual theft. We don't need theft of body parts to accomplish the same goals.

    Thank you.

  • Why would I want one of these?

    At home, to prevent unauthorized access? If you're that worried about the wife or kids finding your porn collection, encrypt it.

    At work, to prevent unauthorized access? If you're the sysadmin, this might be a good security measure for your terminal, but do you really want to make things that much harder for Joe Temp to work at whatever desk is available?

    What I really see it being used for is tracking users, in a way which can provide legally binding evidence.
  • Secondly, How often do you replace your mouse? Mine last about 1.5 years.

    I agree. While I don't go through mice as quickly as you do (I've been using the same optical mouse for about 6 years now on my home machine), it doesn't make much sense to embed an expensive biometrics scanner in a very cheap input device that is subject to regular mechanical stress. A stand-alone reader would seem to make a lot more sense.

    Probably the best finger scanning technology is (ahem, plug) by...

    It's not an official plug unless you give a link to the web site [ethentica.com]. :) I wonder how long until systems such as these become standard in secure computing environments. One-time pass codes are nice, but a combination of one-time pass codes and biometrics would seem to be much more secure.
  • Yeah, but imagine how much more interesting that kind of crime would make those 'reality' cop shows.

  • my 31173 windows hacking skills permit me to access and copy each of your precious files with the mysterious and undocumented Ctrl-Esc Ctrl-C Ctrl-V magic keys.... muhahahaha

    The fingerprint is used for login and screensaver passwords. I guess that's useful 95% of the time.

    A boot floppy or mounting the hard drive on another machine should gain access to the files.

  • Why does everyone mention ATM security as a good reason for top security? It's not my money... it's the bank's money if it gets ripped off and I'm not going to use a system that I can't instruct another person to use on my behalf.

    What I want is decent security for my front door so I don't have to hold a collection of nice 1960's pickable keys and no real authentication. I basically want my front to be unlocked for me and locked for everyone else.
  • It'd be nice to have this for all those things that I really don't care enough to make a password for, but don't want people accessing. My junkmail at yahoo.com? Yeah, just log in using my finger print. Yahoo.com won't get my print, the computer will just verify it's me and remember the password.

    Confirm X.10 to turn off my security system.....confirm my computer to delete certain files (projects, essays, etc)....
  • I've used a competing device (sajin?) for a bit on a Win NT box. It was a pain to use since it added even longer to the three finger salute login. It worked ok in the house where several people used a common computer but if you knew someone else's password, you could still get in. The worst part about it is that the mouse had two buttons and no wheel so it's not even in the realm of being a real mouse.

    I found that the "finger print scanner" program could be fooled into taking a picture of what was already on the glass and with the right combination of red and IR I expect you could build a keychain sized device to trip these things up.

    No thanks, I'll use real security.
  • I don't think biometrics are ever going to be useful for a widely deployed e-commerce system.

    Consider:

    - The system has to store the biometric signatures somewhere. Biometrics takes a set of measurements of some analog quantity, and compares how close they are to those on file. Because they are testing how _close_ the measurements are, within a margin of error, instead of whether they're exactly the same, they _cannot_ use a one way hash like we do with passwords.

    - Every company you deal with is going to have a copy of your biometric information. Even if it's not enough to reconstruct (say) your entire fingerprint, it will be enough to spoof anyone else who uses the same implementation, or a different implementation with similar algorithms.

    - The system is only as secure as the most insecure company/organization/site using it. Imagine if you use retina scanning at your job at the CIA to access Top Secret files, and your favorite pr0n site introduces retinal scanning to stop your kids/younger siblings from using your account. Anyone who could hack into the pr0n site could potentially access your top secret files.

    - If a few (or just one) organization[s] held all the biometric signatures and did all the verifications, we might get a bit more security, but we'd have to kiss what little privacy we have left goodbye. Those groups could (and would) track all interactions we had with other companies. Because biometrics can uniquely identify you, you couldn't get a false email or isp account. And if a site holding a large % of the population's signatures were compromised, it could destroy the trust of the entire system, and anything that was based on it (eg global ecommerce).

    - Biometrics are often easy to steal without compromising the server side of the system. Fingerprints, palmprints and DNA tests all leave traces on the sensor. You don't even have to be on the same continent to get hold of a mugshot or voice sample. And once a biometric signature is stolen, it is useless for the rest of your _life_. You can't repudiate like a PGP key, or pick a new one, like a password.

  • I've actually used this mouse and it does have optical scanners in the thing that can detect whether a real finger is there or not. The guy who was showing it off said it detects heat and scans a couple layers deep within the finger to get past oil and dirt. Unfortunately I couldn't pull any more specs out of the guy and he seemed to be totally lost when I started talking about a possibility to integrate this with PGP. Oh, well.

    The thing requires three samples before it will take and an image of your fingerprint does appear on the screen if that means anything.

  • Sorry CmdrTaco, I just had to chime-in on this one!
    Others have already commented on the possible privacy implications here. And I agree with them. I remember it said that our Social Security #'s were never meant to be used as I.D. except for the purposes, and business of maintaining one's SS account. Now it's used by everyone and everything as an additional ID.
    Next we'll have retinal-scans, blood samples, skin-samples and what-ever-else, where users will gleefully participate in. With such data one's general health, use of illegal drugs, etc. will be used by law-enforcement, insurance companies, pharmaceutical companies, and others to "better serve the needs of the public" ( read into this as you wish ).
    So I'm paranoid. But I'm also an old fart that has seen A LOT in my years.
  • I would say you rest too heavily on cryptography. Sure, it will keep away the vast majority, but I'm concerned about corporations, governments, etc., that would most likely have the means to de-crypt this information. I don't trust the general attitude of such entities. Despite the cryptography, once such information is in a computer, in ANY FASHION, it can and will be used by whomever feels there is money, or control to be had. And such information will be a favorite target of those that make it their business to obtain it. The Internet is STILL not as secure as I would like to see it.
  • Most good biometric devices check life signs (i.e. pulse and warmth). For example even if you cut off the hand of the person who had the correct thumb print it wouldn't work. This generally makes the people in high security installations feel a little more comfortable that someone isn't going to come along when they are off duty and cut off their hand. I would hope that this device includes some such features.
  • This still does not solve one of the problems with any system that requires the user to have physical access. I have seen devices that you plug in between your motherboard and keyboard that capture all input and can replay it. Someone could easily do the same with this device. I really doubt there is a good encryption algorithm that is embedded in the mouse and encrypts the bioreading between the mouse and the software.

    All someone needs to do is create a device that records the input from the mouse and can replay it. Then you can replay any fingerprint of anyone who has used the device since the capture hardware was installed.
  • It worked for OJ!
  • If I got a mouse like this, it would be saying "hey -- wash your hands before you use the computer. And use soap this time."

    check out my mp3 page [mp3.com]

  • This type of device is useful for ensuring only authenticated staff are using corporate assets. It's one extra level of legal CYA for the corporation. This coupled with a cheap price for the technology (I saw a keyboard at Comdex Canada that did this with an MSRP of $100.00. they also had a mouse.) will more than likely cause a fast adoption of the technology for the corporate desktop. IMHO, the keyboard or mouse device itself should also be authenticated with the machine via a dongle or some sort of hard coded serial (sort of like a MAC address) that ensures that no one swaps the device for one that can spoof the authentication.
  • The story doesn't specify to which Mac OS it will be ported. The developers may be biding their time until OS X comes out. Presumably it will be easier to port to it as it's based on BSD.
    John
  • by MenTaLguY ( 5483 ) on Saturday July 15, 2000 @09:06AM (#930873) Homepage
    Okay, so, my password is permanently attached to my body and I can't change it, but anyone can use a password-equivalent hash to falsify my identity/authorization?

    greeeeaat...
  • If you want fingerprint identification for Linux right now, check out American BioMetrics [abio.com] and their BioMouse (around $100). Although they don't ship Linux drivers, there are drivers available from MUSCLE [linuxnet.com] on this page. [linuxnet.com]

    ---
  • Are spammers ever smart?
  • Having written POS software to read those strips, the record goes something like this:

    ID#
    FIRST NAME
    MIDDLE INITIAL
    LAST NAME
    WEIGHT
    HEIGHT (in inches I think?)
    EYECOLOR (lookup.. don't remember the records)

    But there is some "trash" at the end of the record. Actually, quite a bit. (I had previously thought it was a hash of the data)

    It is quite possible to store your fingerprints on the card as well (Cards typically hold about 1-4Kb).

    Using minutiae extraction can give you a "starmap" of x,y,theta values. Most people have about 20-30 useful points. (400 bytes is the industry average)

    Nobody expects the Spanish Inquisition!
    Pan
  • Ten years from now:
    Johnny, age twelve, decides he's going to buy a new computer, because he's tired of little Julie using his computer. (After all, she's only six.) But even then, his computer's so cool, he's worried she'll use it anyway. So he buys this mouse.
    Fast forward four years. Johnny is now a fully blown hacker, producing programs that are the coolest thing in the world and inserting stuff into his kernel that only a Code God could think of. What's up?
    The FBI comes after him. Yet... because of the awesome power of a system implemented, you can't get into his computer -- at all -- without mouse input that matches his fingerprints.

    The thing about this sort of device is just that sort of situation. I'm sure the FBI will find a way around it, but it's our responsibility to stay six steps ahead of them all the time. Let's be realistic: They don't have the manpower that we have. Plus, of course, we have people that think that American imperialistic `secret service' conduct is idiotic, and they'll help out!

    With the help of devices like these, we can finally have -- if we choose to have it -- the ultimate security. (On workstations, though; models serving as servers on the Internet would still be open to breaches, of course.)

    Talk about a good way to thumb your nose at the anti-security people, like Republicans.
  • Did you see "Gone In 60 Seconds"? There was a part in it where one of the car thieves glued Elvis' fingerprints over his own...
  • Here in Geneva, Switzerland, there have been such mice for sale at the computer floor of a big department store. They cost around US $120.

    They've been there for months.

    .m
  • There is one basic flaw with bio-metric security systems. Even though they seem like a good idea in principle the transmission of the bio-metric information across any network or piece of hardware can always be intercepted by a third party and then simply be re-transmitted to spoof the real user. Ultimately, any bio-metrics gets transmitted into a stream of ones and zeros which can be recorded and then used by a malicious third party. More work is needed in this area to come up with better authentication schemes.


    Nathaniel P. Wilkerson
    NPS Internet Solutions, LLC
    www.npsis.com [npsis.com]
  • Good authentication systems don't store the actual data used for authentication (passwords, fingerprints). They store One Way Hashes of this data in a central authentication DB, and usually large enough hashes that doing a brute force search of the hash value space won't return valid values. Sure, you can tap the line and capture these hashes, but ideally, the hashes aren't sent in the clear (they're encrypted), so that's not too much of a problem.

    Before spouting off about how terrible these solutions are and how they present a risk to security, you should read Applied Cryptography [counterpane.com] (which explains how most of these issues are solved problems) and check to see that the vendors of these products have also read the relevant literature.

    -pjf

  • Sheer unremitted c**p!
    Sorry to let the side down by glorifying a troll like that with an answer but I think most people who are not "mentally disadvantaged" would agree that the sender is round the twist...
    We have to be wary of such a device but there could be a place for it. I am Tech support in a hospital. We need serious system security, but doctors & nurses tell me that they have got better things to do than mess about with passwords all day!
    If you got this mixed in with a nice Open Source encryption method it would be really secure and could be made impossible to misuse - like some proprietary products...

  • The specific application that I had in mind for ATMs was to prevent hold ups. If someone was being forced at gunpoint to make a withdrawal, a system such as I described would silently alert the security service to check the video feed, and they would be able to make a determination as to whether a response (armed or otherwise) was necessary.
    --
  • I won't trust these things until I can use urine.
    now that is going to make using the laptop on the train on the way to work interesting!
    "Indecent exposure? But I was just entering my password!"
    ...and I really don't want to know what the guys advocating chopping people's fingers off for the fingerprint are going to try with this one...
  • Yeah, :) rofl I'm busted, but it would work for that kind of system if it just wanted any ole finger print. And I do believe I've seen some advertisements in like popular science for some garbage like that


    If you think education is expensive, try ignornace
  • OK so say you can't use a mouse (have no fingers and use a head-stick etc), kinda scuttles all this. At least most of messy-windows can still be accessed via the keyboard.

    Just a thought
  • You didn't read the article did you? That's okay, just read this post [slashdot.org], and you'll quickly realize the solution to your pseudo-problem.
  • Fingerprint?

    I won't trust these things until I can use urine.

    There would be at least one benefit, I can set a preference on how low my alcohol level is set before I start buying stuff online.
  • Tell me how an optically reflective based scanner can scan "several layers" deep and analyze this information.

    The technology to scan seismic data requires a lot of FFT experience and engineers, scientists, and other professionals. Only 1 in 3 wells hits. (I used to work in the seismic analysis sector)

    There may be some little hacks to check an optical density of an object, and maybe an IR CCD that could read the heat from a finger. But is this going to work on an oil pipeline in Alaska? Or on a cold New York morning?

    pan
  • I think it's a good idea that it's unable to regenerate fingerprints. Finally, some people with sense!

    What happens, I wonder, when you smash your finger in a door and it doesn't recognize it? I assume there's some other way past this.

    Also, does it continually validate, or is it more like a one-time 'screen saver password' replacement? That would be nifty.

    It says Unix-compatible...I presume that means Linux, too?

    Dlugar
  • Recognition accuracy:

    False Rejection rate is 0.01%
    False Acceptance rate is 10^-9
    Fingerprints are stored as templates that cannot be used to regenerate fingerprint images, thus eliminating any threat to personal privacy.
    With a rejection rate that high who would use it?
  • Imagine walking up to a public terminal with such a mouse. You do some web surfing or check your email. Now the administrator of that system has your fingerprint on file.

    When a crime is committed in the area, the FBI subpoenas the fingerprint database to look for the criminal. Might as well just have a national database of fingerprints of non-criminals.

    Or perhaps the administrator of that system simply decides to use your fingerprint to act as you, messing around with your finances.

    No, fingerprint scanners should be separate devices that are intentionally activated by the user.
  • /me forbids any trolling beyond this post!

    ---------------
  • So they're only recording a signature derived from the fingerprint (a one-way hash or such)? That doesn't matter. If the same system is used elsewhere, then the same signature can be used in a replay attack. The signature can be used to trick another system into thinking it just read a fingerprint, when instead, it is just the pre-recorded signature being sent to it.

    You can also compare against other fingerprints by generating their signatures.
  • Wear gloves
    _
    / /pyder.....
    \_\ sig under construction
  • by rgmoore ( 133276 ) <glandauer@charter.net> on Saturday July 15, 2000 @08:41AM (#930896) Homepage

    One of the best parts of the system is that it doesn't actually send a complete fingerprint scan to the computer. Instead, it crunches it down into a 500 byte "template" that can't be used to reconstruct the user's fingerprint. This seems intelligent both from the standpoint of minimizing necessary mouse-computer bandwidth and for their stated objective of protecting privacy. I guess that this is sort of like storing passwords using an MD5 hash.

    The only problem I can see is that it seems as though it would be comparatively straightforward to spoof. All you'd need would be a hardware tap on the mouse plug and you could capture the fingerprint template as it's sent to the computer. Then you can log in as anyone else by reversing the transmission and sending their fingerprint template instead of yours. Since it uses a standard PS/2 port, this shouldn't be too hard to engineer. I guess that you'll have to use this as a secondary system together with a password.

  • This technology is so far from flawless that there is no benefit. Its security is too easy to bypass, and god forbid people try and use some security like this for e-commerce. All a cracker needs to do is intercept the TCP packets and with some work could probably authenticate himself as that person almost as easily as intercepting a clear text password...
  • Couldn't you just hold an image of someone else's prints up to the mouse and fool it into thinking you were someone else?
  • I enjoy Biometrics greatly. If they arose that biometric devices could be developed cheaply and effectively, a data revolution would occur. If people felt that their information was totally secure, they would be more willing to store it at a central server.

    One must ask the question, though: how conspicuous is this mouse? Would you know that you were using the mouse? An industrial designer would tell you that this would be the final stage of evolution for the product, but I could see problems arising.
  • Not only that, but templates must be matched using advanced software. (Points rotate, are closer or farther, and typically appear and disappear with each different scan).

    They are in fact, nothing like an MD5 or SHA1

    Pan
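
Added example, not part of the thread: a small Python sketch of why a minutiae template cannot be checked like a password hash, the point made both in the "they _cannot_ use a one way hash" comment above and in Pan's reply. The minutiae values, tolerances and threshold are constructed for illustration and are not taken from any real product.

```python
import hashlib
import math

# Constructed sample data: a template is a list of (x, y, theta_degrees) minutiae.
ENROLLED = [(40, 60, 0), (120, 45, 45), (200, 80, 90), (260, 150, 135),
            (210, 230, 180), (130, 260, 225), (60, 210, 270), (150, 150, 315)]
# Constructed per-point sensor noise for the rescan (first point left clean).
JITTER = [(0, 0, 0), (1.5, -1, 2), (-2, 1, -3), (1, 2, 1),
          (-1, -1.5, -2), (2, 0, 3), (0, -2, -1), (1, 1, 2)]
# Constructed template standing in for a different finger.
OTHER_FINGER = [(50, 50, 10), (90, 200, 15), (170, 120, 20), (230, 60, 25),
                (250, 240, 30), (140, 280, 12), (30, 140, 18), (200, 180, 27)]
THRESHOLD = 0.6  # assumed fraction of minutiae that must pair up


def transform(minutiae, dx, dy, rot_deg):
    """Rotate every point about the origin by rot_deg, then translate."""
    c, s = math.cos(math.radians(rot_deg)), math.sin(math.radians(rot_deg))
    return [(x * c - y * s + dx, x * s + y * c + dy, (t + rot_deg) % 360)
            for x, y, t in minutiae]


def make_rescan():
    """Same finger placed differently: shifted, rotated, noisy, one point
    lost and one spurious point added."""
    moved = transform(ENROLLED, dx=12, dy=-7, rot_deg=10)
    noisy = [(x + jx, y + jy, (t + jt) % 360)
             for (x, y, t), (jx, jy, jt) in zip(moved, JITTER)]
    return noisy[:7] + [(280, 40, 200)]


def template_hash(minutiae):
    """Password-style check: hash a canonical serialisation of the template."""
    data = ";".join(f"{x:.1f},{y:.1f},{t:.1f}" for x, y, t in sorted(minutiae))
    return hashlib.sha256(data.encode()).hexdigest()


def angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)


def count_matches(enrolled, probe, dist_tol=8.0, ang_tol=15.0):
    """Greedy one-to-one pairing of points that agree within the tolerances."""
    used, matched = set(), 0
    for px, py, pt in probe:
        for i, (ex, ey, et) in enumerate(enrolled):
            if i in used:
                continue
            if math.hypot(px - ex, py - ey) <= dist_tol and angle_diff(pt, et) <= ang_tol:
                used.add(i)
                matched += 1
                break
    return matched


def match_score(enrolled, probe):
    """Try every enrolled/probe pair as the alignment anchor and keep the
    alignment that pairs up the most minutiae."""
    best = 0
    for ex, ey, et in enrolled:
        for px, py, pt in probe:
            centred = [(x - px, y - py, t) for x, y, t in probe]
            aligned = transform(centred, ex, ey, et - pt)
            best = max(best, count_matches(enrolled, aligned))
    return best / max(len(enrolled), len(probe))


def same_finger(enrolled, probe):
    return match_score(enrolled, probe) >= THRESHOLD


if __name__ == "__main__":
    rescan = make_rescan()
    print("hashes equal:", template_hash(ENROLLED) == template_hash(rescan))
    print("rescan score:", match_score(ENROLLED, rescan))
    print("other finger score:", match_score(ENROLLED, OTHER_FINGER))
```

Because acceptance is a threshold on similarity, the verifier has to hold a comparable template, so the usual "store only the hash" protection for passwords does not carry over.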
  • by Anonymous Coward
    Someone steals your password. You change it. Someone steals the digital representation of your fingerprint. You... err... well, you certainly don't change it. You're screwed.
  • Yeah, saw this at JavaOne. Fairly interesting, but I asked about the key authority deployment/security. He basically said they hadn't figured that out yet.

    Using this for logging into your personal computer might be okay but over the network? No thanks.
  • The computer probably generates a unique identifier first and sends it to the mouse. Then the mouse concatenates the identifier and the fingerprint together and sends it back. This prevents replay attacks. I understand secure POP3 authentication does it in a similar way.
  • Now I'm no big Mac fan, but this is just FUD. All Macs since the launch of the iMac a few years ago have used USB for mouse and keyboard interface. Same USB that you use on a PC. It's simply a matter of device drivers.

    So more likely, they're just putting off writing a USB driver for this new invasion of privacy^H^H^H^H^H^H^H tool for security...

    -J

  • Biolink said it is currently developing an upgrade which would combine technologies from several partners to enable the real-time collection, transmission and storage of DNA profiles and other data.

    "The mouse is second only to the keyboard as a natural collection site for users hair, skin flakes, nail clippings, and traces of any controlled substances being used while online." said J. Mimpton Cleeb III, Director of Research & Development. "Our piece is ready, we're only waiting to close deals with our potential partners".

    Sources say Biolink is negotiating deals with Real Networks and AOL/Netscape for the data transport functionality, and the FBI for data storage and archival services.

    "I will gladly pay you today, sir, and eat up

  • Excuse the heck out of me, I suppose I did not *WATCH* them feed this into the damn machine and it pull up the fingerprint

    The LIC does store fingerprints. *looks at his lic*

    IT IS NOT magnetic either, I can be certain because the device used optics to read the information.

    It looks like a majorly condensed barcode all scrambled up. It is more than a magnetic strip.

    It does not store the picture, I take that back, but you take a fingerprint scan at the time of your LIC.

    So yes I'm sure a lot of stupid people believe that for a good reason, it is true.

    Mysteriously mine was scratched up and now the readers can't seem to read it.. hmmn I don't know just HOW it got scratched ;-(

    Also just to save people the trouble from calling me stupid or implying it... again, I know that my Lic being scratched does me absolutely no good anyways.

    Just a little side note.. Looking over the strip part that is still somewhat 'readable' There are at least 220+ distinct 'columns' of varying width and at least like 30 rows, probably more and let's see we are talking probably just something similar to a coordinate system so a bunch of sets of numbers, 3-4 numbers per set to map out a fingerprint?? I don't really know but I know compression is no secret and you can squeeze 10K of data on the back of this card pretty easily by my guessing. Have you ever seen a small GIF? Anyways.

    Jeremy


    If you think education is expensive, try ignornace
  • Next time someone wants access to my files. They will have to cut off my fingers. This really makes me feel good to know.
  • CmdrTaco wrote:
    I've been eyeballing finger scanners since I saw a nifty one that worked through PAM at a tradeshow one time: I still think it'd be very convenient if it worked,...

    I can tell you why it didn't work: You're not supposed to use your eyeball! Why do you think they're called fingerscanners?!? Would you use your finger in an eyeball scanner?

  • So, if I need to log in for some really important reason (e.g. I want to log back in before the rm -rf / does too much more damage), your system will detect that, and prevent me from logging in?

    As a Microsoft Software Designer{tm}, I can tell you that we would write a Wizard{tm} which would methodically determine the exact nature of your distress via a series of simple dialog boxes. But of course, due to the underlying design superiority of our OS products, many important system tasks such as deleting the file system are commonly available to users, so the point is moot.

    Innovation. UNIX doesn't get it.

    "I will gladly pay you today, sir, and eat up

  • It's not quite as fuddy as you claim. There's a lot of Macs in use that have no USB port and use ADB connectors (3 or 4 in my little company). To sell mice to users of those boxes, they would indeed have to make a different mouse and that's what this poster was talking about. That shouldn't be a big problem; they already have serial, PS/2 and USB versions. The USB version, of course, only needs a driver to provide the fingerprinting service to Mac users. (Presumably it works as a regular mouse already, due to the wonders of the HID protocol)
    --
  • This is rare right now, but I suspect that we will see a lot more of this happening. As Linux (and to a lesser extent, BSD[*]) grows, we will see much greater acceptance of Linux as an alternative platform at equal or greater standing relative to the Mac.

    It's great that Linux is starting to resemble a mainstream OS choice. But let's remember, Linux and Mac are vastly different markets. In particular, there is a large bias in Linux numbers towards servers, and a desktop bias on the Mac side. These gaps will begin to fill in and we may see more overlap as 1) Mac OS X public beta ships in the next several weeks 2) Linux becomes more desktop-friendly.

    But for the time being, it is not surprising that something like, say, an IDE would arrive first on Linux, and then later on the Mac. But conversely, it will be some time before Linux users will get the full attention of graphics app and page layout developers. Either way, having two viable alternative operating systems is certainly better for everyone, particularly if developers support both equally. It sucks when you're forced to use an OS purely because that application you need to use runs on it.

    - Scott


    ------
    Scott Stevenson
  • I think you are wrong on the count of the need for any company you would have to deal with to know your biometric information, or of the need for a biometric database.

    You could just use a smart card to check the biometric information (after some preprocessing by the host, since biometric recognition is likely to be too expensive for smart cards at least in the near future). The card would then sign the transaction.

    Smart cards signing transactions when the correct PIN is input have been in use in France for more than ten years.

  • But it's likely that the Mac version will actually work before the Linux one, or like an Ethernet card I own, work fine on Mac Linux but not PeeCee. Also, which Linux? Which Unix? Which MacOS for that matter? Really, every other Unix except MacOS X?

    Sounds like some salesdroid talking with the usual amount of intelligence that salesdroids have. Salesdroids and other imbeciles are very used to giving the Mac short shrift.

  • What this system needs is a challenge-response system like a smart card.

    The computer should send a key to the mouse, the mouse hashes the biometric data, then hashes it again with the key. As long as both hashes are one-way, this would ensure that tapping data between the mouse and cpu would be worthless.

    Kevin Fox
  • I don't understand why these types of biometric authentication devices get so much press!

    A fingerprint is like a password. A password can be used for authentication since it is secret. And to keep it secret you change your password often, and avoid using the same password at multiple sites. How do you change your fingerprints?

    Take this fingerprint mouse. Understand that each fileserver, web shop company, or other program that needs to perform authentication needs to have your fingerprint to match with what the mouse transmits. It does not matter how well you encrypt or hash your fingerprints. If fingerprint "authentication" catches on, the prints will NOT be secret!

  • So they don't capture the entire fingerprint. So what???

    Instead they capture a biometric (their 500 byte file). I can see two ways the forces of evil (read: the government) could use this:

    No more anonymous computer use. After all if the computer knows who is using it because it identified you, it can transmit that.

    Also, if the FBI finds a fingerprint, they could just run it through the same algorithm, giving them a 500 byte file and compare that to their database of fingerprints. This is probably very close to what they do right now.

    This is truly scary!!!!!
  • by XNormal ( 8617 ) on Sunday July 16, 2000 @03:15AM (#930917) Homepage
    AFAIK, all fingerprint verifiers use a reduced set of extracted features for comparison. This is the first one I see that tries to claim it's a privacy feature - it's simply how it works. Give a marketroid a bunch of technical details and he'll always find a way to present them as features.

    Biometric systems should always assume that the fingerprint, iris scan, etc is not a secret and is known to the attacker. Your password can only be considered secret because you can change it.

    To have any meaningful security a biometric system must have a trusted reader and a secure path from the reader to the verifier.

    Two examples:

    1. The verifier is inside the reader. Your private key is embedded into a tamper-resistant device and a fingerprint is required to perform a private key operation (signing, decryption).

    2. The verifier is in a secure remote server, but communication between the reader and the verifier is cryptographically protected. The reader should sign the scan and also use a timestamp or challenge/response system to prevent replay attacks. Each reader would have a separate signing key so they can be revoked, if necessary. Even the best tamper resistance cannot be trusted with a global reader signing key that results in catastrophic failure if it is compromised.

    Suggested protocol:

    Before being used for the first time the readers are connected to the verification server for initialization. The server generates random keys and sends them to the readers. These keys cannot be read back from the reader, only overwritten.

    For authentication, the client first asks the verification server for a challenge. It sends the challenge into the reader which calculates a hash of the biometric scan, reader signing key and the challenge. This hash is sent to the server along with the biometric scan for verification.

    The reader key should be kept in battery backed static RAM rather than EEPROM. This makes it easier to self-destruct in case a tampering attempt is detected. To prevent the value from permanently affecting the memory cells via ion migration or similar phenomena it could be cycled continuously.

    The key database on the server is a single point of failure - but the server is probably the same resource you are trying to protect anyway. It would still be nice to make the key database less vulnerable by using asymmetric cryptography - a key pair is generated during initialization and only the public key is stored on the server.

    The Sony fingerprint scanner (also featured on slashdot recently) appears to implement #1. Does anyone know of a system similar to #2?

    ----
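An added sketch, not code from either poster, of the challenge/response exchange proposed in the comment above and in Kevin Fox's earlier one: a per-reader key set at initialization, a single-use server challenge, and a keyed hash over challenge and scan. The class names, key and challenge sizes, and the use of HMAC-SHA256 in place of a plain hash are assumptions.

```python
import hashlib
import hmac
import secrets


class Reader:
    """Trusted reader: holds a key that can be overwritten but never read back."""

    def __init__(self, reader_id):
        self.reader_id = reader_id
        self._key = None

    def load_key(self, key):          # initialization step: write-only key slot
        self._key = key

    def respond(self, challenge, scan):
        # HMAC-SHA256 stands in for "hash of scan, reader key and challenge".
        return hmac.new(self._key, challenge + scan, hashlib.sha256).digest()


class VerificationServer:
    def __init__(self):
        self._keys = {}               # reader_id -> per-reader key
        self._pending = set()         # challenges issued and not yet used

    def initialize(self, reader):
        key = secrets.token_bytes(32)
        self._keys[reader.reader_id] = key
        reader.load_key(key)

    def revoke(self, reader_id):
        self._keys.pop(reader_id, None)

    def new_challenge(self):
        challenge = secrets.token_bytes(16)   # fixed length keeps challenge+scan unambiguous
        self._pending.add(challenge)
        return challenge

    def verify(self, reader_id, challenge, scan, tag):
        """True only if the scan came from a known reader for a fresh challenge."""
        if challenge not in self._pending:
            return False              # unknown or already-used challenge: replay
        self._pending.discard(challenge)      # single use, even on failure
        key = self._keys.get(reader_id)
        if key is None:
            return False              # reader never initialized, or revoked
        expected = hmac.new(key, challenge + scan, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
```

A `True` result only establishes that the scan came from an initialized reader in answer to this challenge; matching the scan against the enrolled template is a separate step that follows it.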
  • To the poster who said wear gloves, a finger print is required (just use a fake finger print)

    I just wanted to make a comment. Here in Georgia, finger prints are mandatory when you get your driver lic.

    It's all encoded into a bar strip on the back, everything, your finger print, a digital picture...

    Too late to stop the national database thing huh? :-\


    If you think education is expensive, try ignornace
  • Um....that rejection rate is actually very low. As is the false acceptance rate.

    --

  • by MostlyHarmless ( 75501 ) <[artdent] [at] [freeshell.org]> on Saturday July 15, 2000 @08:46AM (#930920)
    and I don't mean first post.

    Look closely at the text. It says that there will be a Unix/Linux version at the end of the year, but the Mac version will not come until 2001.

    This is rare right now, but I suspect that we will see a lot more of this happening. As Linux (and to a lesser extent, BSD[*]) grows, we will see much greater acceptance of Linux as an alternative platform at equal or greater standing relative to the Mac.

    [*] Nothing against the technical merits of BSD; they just have a smaller marketshare at the moment, thus having a lesser effect as an alternative OS.
  • So, is the fingerprint really not captured? I would guess the mouse is a dumb scanner that sends the entire fingerprint to the computer, and it's simply their software running on the computer that generates the 500-byte "minutia file" from it. The web page isn't precise on the matter.

    Think about it. Why embed a processor to do that work when they could use the one already installed on the other side of the port?
  • by jjr ( 6873 )
    I would like to see this at my job so you don't have to worry about lost passwords. And things to that effect. It could help in security so you don't have to worry about changing passwords every month and things to that effect.
  • would have a magnetic resonance scanner for your head.

    This is the only biometric that everyone has.

    Some people don't have fingerprints, some people have skin conditions that prevent hand scanners and face recognition from working, some people don't have eyes (so no retina or iris scanners), some people are mute (no voice print), but everyone has a head.

    Also, a dead head will not work, and this sort of scanner may even be able to detect emotional distress.
    --
  • Comment removed based on user account deletion
  • When I went to go see ESR speak at the World Trade Center, it was being hosted in one of Sybase's "Best-of-Breed" technology demo'ing facilities.

    I think they had a screensaver locked and you had to press your thumb against the side of the mouse, it would then draw your fingerprint and tell you access denied (since I obviously wasn't the correct finger).

    It was nifty. I hope I remember this correctly. :)

  • Um, no. The site claims, at least, that the "template" is not reversible. They specifically mention that it's not possible to regenerate the fingerprint from the "template", and mention this as a privacy feature.

  • Now are we gonna have all these damn computer criminals chopping our thumbs off for access?
  • Someone needs to combine all the good features that have come out on mice recently.

    I would love to use that mouse but where is the electronic eye. I want one with a Microsoft TYPE electronic eye.
  • Did they get a billion people to use it, and one got accepted? Or did they use a computer/mathematical model? Do they mind if I take a look at the model?

    Oh well, I'm sure a biometrics company would never imply it was secure if it wasn't.

  • Besides the earlier stated ways of getting by this device... such as putting a device in between the mouse and computer to capture the signal and store it for another person, a program (a basic trojan horse could do the job) could capture signals from the mouse so that it could be stored in another device that could be stored in a "mouse lock pick" if you will, which could store many and could also a brute force approach

  • So, if I need to log in for some really important reason (e.g. I want to log back in before the rm -rf / does too much more damage), your system will detect that, and prevent me from logging in?

    No, the applications that come to mind are things like ATMs that possibly alert a security company to take a look at the video camera, or you could set up your own system to not let you send email when upset (to cut down on flaming). The applications of a mood-detection system in conjunction with an identification system are up to the developer/administrator.

    The context of a security system determines how various features would be implemented. No formulation will be appropriate in all cases.
    --
  • Hehehhe, thanks :)


    If you think education is expensive, try ignornace
  • I work for a lab which does biometric research for Sony and the company who Microsoft recently licensed fingerprint technology from (I can't recall their name right!)... This thing is bunk :) There's no way their false accept number is as high as 10^9, reasonable error rates are around 10^3, which is of course scary to rely on as a security device. Why? Because your fingers usually have enough dirt in them to screw up the image even when they LOOK clean, the finger plate collects grease, and most finger scanners have a sweet spot due to the small size of their CCDs. I think anytime you rely on one identification modality, you're asking for trouble.
  • Sure, if you're scanning a dozen fingerprints. If you scan one million fingerprints, on average 100000 will be falsely rejected. That's too much for me.
  • What does it say that a Unix/Linux version is coming out before a Mac version?? I mean, Macolytes are used to being second-class citizens, but third class? The Mac population is pretty puny, but I don't think it's smaller than the Linux population that would use this.

    Maybe they are aiming this also at the server market.


    --

  • Think about it. Why embed a processor to do that work when they could use the one already installed on the other side of the port?

    Because they already have a processor in the mouse anyhow, to drive the scanner and otherwise process mouse movement. (High-power processor cores are cheap, and when you already have one for some other reason they're free.)

    Because they're concerned about privacy issues, and don't want a raw fingerprint on the wire.

    Because they want to compress the data before it hits the wire.

    Because they want to be compatible across many platforms without dumping a lot of code into the driver where it might need tweaking - or they don't want to expose their compression/signature algorithm in an open-source or hackable driver.

    Mind you, I'm not saying they DO compress the fingerprint in the mouse. I'm just providing reasons why they might choose to do so.
  • by Anonymous Coward
    A lot of stupid people think that your "fingerprint" and a digital picture of you are stored on that magnetic strip. That's not true, and not even possible. What is on that strip is your driver's license number, which can be cross referenced with your pictures and fingerprint images which are available through a database. Your driver's license number is the key to that info. Not only that, but you are under no obligation to keep that magnetic strip free of damage. You can erase it. I don't think it is about branding people and stripping you of your rights, as much as it is about saving the hassle of having to type in a bunch of info.
  • All a cracker needs to do is intercept the TCP packets and with some work could probably authenticate himself as that person almost as easily as intercepting a clear text password...

    I'd imagine that this wouldn't occur quite as simply as you paint it. Firstly, there are too many legacy devices without snazzy fingerprint scanners. Secondly, any self-respecting company will want to protect their customers, so you can be assured encryption will be a given. Naturally, anyone dedicated enough can crack or hack anything, but to say that the method itself is unusable for 'Net applications is silly.

    Honestly, I'd prefer the authentication to be in a separate device. I use a repackaged and modified Logitech Marble+ due to my physical limitations, and I'm not upgrading any time soon. ;] And two buttons? I like three m'self.

    *gel

  • ...and this sort of scanner may even be able to detect emotional distress.

    So, if I need to log in for some really important reason (e.g. I want to log back in before the rm -rf / does too much more damage), your system will detect that, and prevent me from logging in?

