IBM Introduces Biometric Thinkpad 195
An anonymous reader writes "IBM has added biometric security to its ThinkPad notebooks. The next generation of T series ThinkPads will have an integrated fingerprint scanner for added security. The latest machines will also include some pretty cool encryption software that will keep your hard disk safe but still let you back up and restore images. This guy managed to get his hands on an early prototype T42 with the new security features integrated."
swipe scan (Score:5, Interesting)
That is a great idea. Such an elegant solution to what could have been a big problem.
Re:swipe scan (Score:5, Insightful)
Re:swipe scan (Score:2)
Hmm. I guess the question then becomes: How accurate of a digital recreation can we make from partials? If it's enough to pass biometric verification then there's no need to waste money/time on a fingerprint scanner.
Re:swipe scan (Score:2)
Well, at least it's a little better than yellow sticky notes with 'passw0rd' written on them stuck to the monitor :)
Re:swipe scan (Score:2)
Re:swipe scan (Score:5, Informative)
That is a great idea. Such an elegant solution to what could have been a big problem.
Actually, the swipe scanner is cheaper, consumes less power, and has a smaller footprint than the original designs. So it's really best suited for devices such as cell phones, PDAs, etc.
Re:swipe scan (Score:3, Interesting)
(I always wondered why this was not common on laptops when it has been common on my PDA for so long...)
Re:swipe scan (Score:3, Funny)
I'm afraid you completely misunderstood the article. You are supposed to swipe your finger across the scanner, not your foot!
I hope this helped!
Re:swipe scan (Score:3, Interesting)
Or maybe not - what is wrong with a lock and key to open the laptop?
Not only would it protect the data, it would prevent the HD and DVD combo from being stolen from the laptop while it's sitting on the desk (happened to two colleagues lately).
And stop the keyboard from being damaged by children and small animals.
Given that the T series have titanium cases, a lot of force would be needed to open them and they would probab
Re:swipe scan (Score:2)
Re:swipe scan (Score:2)
Remember your friends (Score:3, Interesting)
Re:Remember your friends (Score:5, Informative)
No, you can't. From the article:
"Of course since the Power On security layer is something that occurs well before Windows has started up, the fingerprint data can't be stored in a Windows file or folder. Instead, the fingerprint scanner itself stores the fingerprint data and retrieves it when the Power On security request is made. You can store a total of 21 profiles in the scanner, which should be more than enough, unless you share one notebook between a score of users. If you're worried about someone extracting the fingerprint data from the scanner and breaking your security, don't be. The scanner only stores a tiny amount of data for each fingerprint, just enough to ensure an accurate match, and nowhere near enough to recreate a complete fingerprint."
Made for Men Only? (Score:3, Funny)
Weird on a Monday,
myke
Re:Remember your friends (Score:3, Insightful)
Unless I'm an idiot, this means that the amount of data the scanner stores is inversely proportional to its accuracy. For example, if one were to store a critical 20% of the data necessary to recreate a fingerprint, with use of the partials on the keyboard and the top of the laptop, one should be able to recreate the print accurately enough using means like a laser (3d) printer, a bit of spare rubb
I'm sorry, but you're an idiot. (Score:2)
The "partial data" is almost certainly a checksum, that takes hundreds of datapoints and combines them into one non-reversible number. This is also done with text passwords.
A xerox of a finger won't work, since this is not an optical scanner. It measures the capacitance between ridges. Any fake is going to need to be 3D, have the electrical properties of a human, and be swipeable (so perhaps not jello..)
Finally, I doubt that the signal to the bios is as simple as a on-
Re:I'm sorry, but you're an idiot. (Score:2, Interesting)
Re:I'm sorry, but you're an idiot. (Score:2)
Re:Remember your friends (Score:2)
"...make a fake finger from a lifted print..." - don't make me laugh. You watch too much TV, mate: the first thing to try when you want somebody's password is asking them for it.
Re:Remember your friends (Score:3, Funny)
Pronunciation: 'hak-ing
Function: verb
The process of removing someone's finger so that you can gain access to their Thinkpad.
I'm just glad it isn't retina scanning. Ouch!
hal (Score:5, Funny)
Re:hal (Score:2)
Micron has biometric support (Score:5, Informative)
Some models of Micron laptops have had this feature [mpccorp.com] for a while.
But... (Score:5, Interesting)
Re:But... (Score:3, Informative)
And yet, the ThinkPad configurator (at least on their Canadian site) has options for Windows XP Home or Professional, but no Linux distributions (nor BSD) and no "no operating system" option.
Linux Thinkpads on sale in Germany (Score:2)
At present, however there's only an R51 model on sale... and even that is somewhat of a weird offer, it ships with XP preinstalled, and you get an install CD for a custom IBM version of SuSE 9.
Re:Linux Thinkpads on sale in Germany (Score:2)
IBM is pretty cool (Score:3, Insightful)
Back on topic now, this laptop is nifty in itself. Earlier on another
=) happy
Safe... but from whom? (Score:5, Interesting)
If they designed it in such a way that the LEA backdoor is secure (say, it's got an LEA public key on it, and the private key is kept in the forensics labs), I'll buy one tomorrow. I don't have a need to defend against .gov adversaries - I just want to know that the data on my drives remains secure even after someone steals 'em to get his or her crack fix.
If, however, they designed it in such a way that the backdoor is not secure (say, a default password stored in cleartext on a serial EEPROM), that's another story. I'll download the crack when it comes out next week, and my soldering iron and I will have an endless supply of cheap entertainment when the machines start showing up at the surplus stores in 2009.
Re:Safe... but from whom? (Score:2)
Good thinking, you will need something to do in the evenings anyway...since Conan O'Brien is taking the Tonight Show.
For those not familiar w/ the term 'LEA'... (Score:2)
If they designed it in such a way that the LEA backdoor is secure (say, it's got an LEA public key on it, and the private key is kept in the forensics labs), I'll buy one tomorrow. I don't have a need to defend against
LEA means Law Enforcement Access. Some crypto and other security tokens [as in hardware, not Kerberos] have what is called LEAF - the Law Enforcement Access Field. The tokens themselves can be referenced as 'non-LEAF' and 'LEAF-enabled'.
Re:Safe... but from whom? (Score:2)
That may be true, but, playing devil's advocate, just because information (e.g., keys) is stored on government information systems doesn't mean that the government is the only body who has access to it. You are implicitly relying on a specific department or agency to secure their information systems.
Re: (Score:2)
I feel sorry for... (Score:1, Funny)
Re:I feel sorry for... (Score:2)
Yes, but... (Score:5, Insightful)
Re:Yes, but... (Score:2)
Re:Yes, but... (Score:3, Informative)
no, it would probably work (Score:2)
Also, arteries and veins don't really show up on a thermal imprint, especially not the fine vessels you would see in fingertips. So it's not necessary to fake that level of detail.
So, IR over optical shouldn't make that big a difference.
Re:Yes, but... (Score:3, Informative)
Biometric measurements are attractive candidates for the "something you have" part because they are unique, in most cases easy to read and convenient... i.e. never left behind. On their own though they do not provide a strong authentication solution... but even then, a large bit-length key
er, fingerprints hard to steal? (Score:2)
However, given that you leave thousands of impressions of them all over the place every day I wouldn't really call them that hard to steal.
Do you plan on wearing cotton gloves everywhere?
Re:er, fingerprints hard to steal? (Score:2)
There have been stranger fashions throughout history. If fingerprint identification became a big deal, then yes it's quite likely that one might wear gloves as a matter of course.
It might even be a sign of trust to remove one's gloves in another's home.
Re:Yes, but... (Score:2)
The significance of this is that while it is hard/unlikely to physically take your fingerprint from you, while not trivial, it is not extremely diff
Can't Access My Computer Please Help!!! (Score:5, Funny)
"Cut my finger slicing tomatoes, can't access my Thinkpad, HELP!!"
Re:Can't Access My Computer Please Help!!! (Score:5, Informative)
Re:Can't Access My Computer Please Help!!! (Score:2)
and actively encourages users to store more than one finger
This goes back to the same problem as strong passwords. You can encourage users to make strong passwords, but they (or a significant portion) won't unless you require them to.
A funny story about this... (Score:3, Interesting)
There was an interview in Business 2.0 a couple years ago with an individual who claimed she had had a very similar problem: she had just finished a presentation for a conference; the weekend before the conference she had a mishap in the kitchen and burned her finger, so she couldn't use the biometric authentication mechanism on her laptop. Her solution? She got on a plane and went to see her twin sister in Florida. She actually claimed in the article that "twins have identical fingerprints" and her s
But what happens... (Score:2, Insightful)
Re:But what happens... (Score:3, Informative)
Re:But what happens... (Score:3, Insightful)
Sounds like a good pretense for Social Engineering one's way into such a system.
Interface like iPAQ (Score:2)
Otherwise it would remain a Win-only feature and useless to the converts.
The Mafia loves it already! (Score:5, Funny)
Re:The Mafia loves it already! (Score:2)
A bit of false security. (Score:1)
If Bad Guys really want your data, they'll take you along with your laptop and say "Unlock your machine or we'll cut off fingers until we find the one that works. Starting with your toes."
Re:A bit of false security. (Score:2)
Re:A bit of false security. (Score:3, Interesting)
I'd give up my PGP private key to someone who put a gun to my head - that doesn't mean that PGP itself is insecure.
I realize IBM is a mainstream notebook company... (Score:4, Informative)
http://ruggedpower.motorola.com/ [motorola.com] Our local PD has them for detectives. Heavy, but nice feature set.
Hype Factor 9 (Score:5, Informative)
For an IT manager, biometric security will make life much easier. Gone will be all those phone calls from users who've forgotten their passwords. And there will be no more worries about insecure passwords, or even keystroke loggers, trapping passwords and passing them onto hackers and fraudsters.
Gone may be phone calls for forgotten passwords but there'll be plenty of new calls as to why their fingerprints aren't scanning. The function of accuracy for fingerprint scanners varies according to things such as the skin's elasticity. This changes with age, humidity, cuts, etc. So biometrics aren't a 100% fix. There will always be "goats," the people for whom biometrics just doesn't work well, including the biometrics professor around here who's missing a fingertips (not due to any experiment mishap, mind you). I'd also worry about the security of your stored biometric data. Hopefully it'd be a hash and not the raw data, which could be harvested and used. Then again, I wonder what the incidence of collisions in a hash that uses biometric data is?
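The contrast raised in the comment above between storing a hash and storing raw biometric data, as an added example that is not part of the original thread: two swipes of the same finger never give identical readings, so an exact password-style digest rejects the legitimate user, and matchers compare within a tolerance instead, which turns the question about collisions into one about the false-accept rate at that tolerance. The 256-bit template, the 40-bit tolerance and all function names are constructed for illustration and are not the ThinkPad scanner's format.

```python
import hashlib
import math
import random

N_BITS = 256    # constructed template size, not the scanner's real format
MAX_DIST = 40   # assumed matcher tolerance, in differing bits


def make_template(rng):
    """Constructed stand-in for a fingerprint feature vector (list of 0/1)."""
    return [rng.randrange(2) for _ in range(N_BITS)]


def rescan(template, flips, rng):
    """Same finger, new swipe: exactly `flips` bits differ (sensor noise)."""
    noisy = list(template)
    for i in rng.sample(range(N_BITS), flips):
        noisy[i] ^= 1
    return noisy


def digest(template):
    """SHA-256 over the template, the way a password would be hashed."""
    return hashlib.sha256(bytes(template)).hexdigest()


def hash_match(enrolled_digest, probe):
    """Password-style check: exact digest equality."""
    return digest(probe) == enrolled_digest


def hamming(a, b):
    """Number of positions where two templates differ."""
    return sum(x != y for x, y in zip(a, b))


def threshold_match(enrolled, probe, max_dist=MAX_DIST):
    """Biometric-style check: accept when the reading is close enough."""
    return hamming(enrolled, probe) <= max_dist


def false_accept_probability(n_bits=N_BITS, max_dist=MAX_DIST):
    """Chance that a uniformly random template lands within max_dist bits,
    assuming independent bits (real fingerprint features are correlated)."""
    return sum(math.comb(n_bits, k) for k in range(max_dist + 1)) / 2 ** n_bits


def demo(seed=2004):
    rng = random.Random(seed)
    enrolled = make_template(rng)
    same_finger = rescan(enrolled, 12, rng)   # 12 noisy bits out of 256
    impostor = make_template(rng)             # unrelated finger
    return {
        "hash_same_finger": hash_match(digest(enrolled), same_finger),
        "threshold_same_finger": threshold_match(enrolled, same_finger),
        "threshold_impostor": threshold_match(enrolled, impostor),
        "distance_same_finger": hamming(enrolled, same_finger),
        "false_accept": false_accept_probability(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The threshold matcher needs the enrolled template in a comparable form, so the stored data cannot be protected by a plain one-way hash the way a password is.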
Re:Hype Factor 9 (Score:2)
Re:Hype Factor 9 (Score:2)
Re:Hype Factor 9 (Score:3, Informative)
Biometrics stored for authentication are stored in a reduced, non-reversible format. It's designed to be searched and matched, but not extracte
Re:Obviously you're not an IT manager (Score:2)
On average, it took up to 15 min to get the fucking thing to work.
We quickly ditched that company but ended up several hundred bucks in the red.
False security (Score:5, Insightful)
Re:False security (Score:3, Informative)
Are you aware that:
Re:False security (Score:2)
Would that be because it runs on a popular OS that has a security model based on Swiss cheese, thus eliminating the need to crack the app? I am actually asking not trolling, I do not know what Notes runs on.
Re:Tech detail on Lotus Notes (Score:2)
I understand that. It is a good point, I just often wonder how many more apps would be shown as vulnerable if people didn't have the 'EZ Access' OS letting them in.
Re:False security (Score:4, Informative)
RTFM.
Do you know how password protection and data encryption works on laptops? No, you don't.
There are several layers of security involved. First, the BIOS and the HDD both have a password authentication mechanism. The BIOS stores its passwords on a custom chip which scrambles its I/O. Resetting the BIOS master password is possible, but it requires a highly modified chip programmer and a skillful person.
The HDD stores its password on the platter and requires it before it will allow access to any data. To bypass this mechanism, you must engineer your own HDD controller chip which will skip the authentication and the PCB for it and transplant it in place of the one on the HDD. This is virtually impossible unless you have very good friends in the HDD manufacturer company.
Finally, after the HDD allows access, the software encrypts selected files using strong encryption and stores the keys on the secure (TCPA) chip. The secure chip requires a passphrase before it will allow access to the keystore. It is virtually impossible to bypass this and retrieve the keys from the secure chip without knowing the passphrase.
Therefore, to retrieve the data from the stolen laptop's HDD, you must first possess either extreme competence in electronics or extremely good illicit connections in the industry, and second, brute-force industrial-strength encryption on the files. Good luck.
Re:False security (Score:2)
Until someone in some other country with a chip fab does it, and then starts selling the controller boards.
Why is this useful? (Score:1, Insightful)
If the thief has physical access to the machine, nothing short of encryption is going to prevent him or her from getting at your data.
Re:Why is this useful? (Score:2)
Which this laptop also has.
The Ironing is Delicious. (Score:2)
Notebook Nirvana... (Score:3, Interesting)
Every time someone asks me about a notebook I recommend IBM. They go out to Best Buy and get some other brand with 20 other options they don't need and then get mad when it breaks or isn't stable. Thanks IBM!
Re:OT: How good are Thinkpads? (Score:2)
I have to agree with most posters, the laptops are very well thought out and designed, and really easy to work on if you ever need to take anything apart.
Re:OT: How good are Thinkpads? (Score:2)
The 570e had a screen failure when I was living in France, and although I had bought it in the US and had lost all the related documents (I did not even remember where I bought it), IBM accepted w
Are genitals unique? (Score:2, Funny)
I feel sorry for someone who loses a finger. (Score:4, Interesting)
I'm a little disappointed that the encryption stuff may not transfer well to non-Windows OSs.
Now what happens when someone's finger is damaged due to fire, electrical shock, or blunt trauma? I had this problem with an old Compaq laptop that had a system password at the BIOS level. It made the laptop permanently mine since I didn't want to disclose my password to anyone else.
I know there's room for 21 different fingerprints, but I wonder how many end users are going to think to register more than one of their fingers...just in case.
Re:I feel sorry for someone who loses a finger. (Score:2)
Re:I feel sorry for someone who loses a finger. (Score:3, Funny)
21 fingerprint slots, eh? That's enough for all my fingers and all my toes with one leftover. What's the 21st one for?
Re:I feel sorry for someone who loses a finger. (Score:2)
If you don't want an IBM... (Score:2, Informative)
My friend bought one a while back and used it rather successfully on his Dell D800 before he had to give the computer back to his employer. It was pretty accurate in scanning his fingerprint. He never got locked out of his machine.
I can't remember if the machine would NOT allow a login without the reader or not. If it would, th
Good for security, annoying for everything else (Score:2, Insightful)
for the _appearance_ of security (Score:2)
vascular scan biometrics are the only adequate security solution to date (with the possible exception of facial geometry). even iris scanners are susceptible to spoofing.
vascular ! always = retinal scan; many foreign banks are using hand vascular scans for banking transactions. facial vascular scans can also be less intrusive than retinal scans.
In other news... (Score:2)
If I lose a finger... (Score:2, Redundant)
Student's Thesis makes this feature useless! (Score:3, Interesting)
I didn't RTFA, admittedly, but did IBM take her results into consideration before designing/implementing this feature?
IBM - DRM? (Score:2)
Re:IBM - DRM? (Score:2)
But but but... what about the Leenooks! (Score:2, Interesting)
Encrypting a Windows machine prior to login is nice, but in the rest of the world, the GUI is the last thing we run, not the first.
In Windows, you run the GUI, and execute the shell.
In Linux (and most Unixes), you run the shell, and execute the GUI. It's a very different paradigm
Limited Credential Revocation (Score:3, Interesting)
If your RSA key is compromised, you can just generate another. You can do this as often as necessary. However, if your fingerprint is compromised, all you can do is switch fingers. Nine compromises later, you're SOL.
Now for ordinary folks who just use this to keep others from messing with their laptops, this isn't an issue. However, if security is critical, biometrics just won't cut it.
And, yes it's fairly easy to fool a finger print scanner. All it takes is some Krazy glue and a Gummi bear [theregister.co.uk].
So many critics... (Score:4, Insightful)
My 2 cents...
The fingerprint reader is of a type that has not been 'fooled' yet. Yes, contact readers are easy to fool. This is not a contact reader. It reads the capacitive properties of the ridges and valleys that make up your finger print. This is actually quite cool since a severed finger does not have the same capacitive properties, and the reading is of live tissue *under* the skin, not your dead skin at the surface. So, a minor injury isn't going to be a big deal and the mafia cannot cut your finger off and use it. Furthermore, the extra small footprint of the reader is nice because there is less opportunity to damage the reader with scratches.
The idea is to register more than one finger and fingers from both hands. Of course, nothing is foolproof, but the idea here was to include a low cost yet effective way to provide biometric access control to the laptop. The embedded security system (ESS) protects a lot of things including a password vault. Password vaults have their drawbacks, the most obvious of which is if you have the 'master' password, you now have *all* of the passwords that user has stored in the vault. Average users tend to use simple master passwords, making the password vault a huge risk. This is a way to provide the functional equivalent of a strong password to unlock the vault without making the user have to remember a complicated password or some hardware key.
I am very impressed with the entire package. I think it will make it much simpler for IT to deploy things like ESS without destroying all of the value in ESS because users choose crappy passwords. There are a number of add-ons that make it very appropriate for enterprise deployment, including centralized key storage and disaster recovery software.
My biggest problem to date with this kind of software was it hasn't been real reliable in the recovery category. I could make it very secure, but God help me if I had a hard drive crash or an OS go belly up. The 'backups' of this data were often times 'too secure' to be recovered. This latest package of hardware/software has many of the previous holes filled in and I am happy to report success in all of the tests I have conducted so far.
Of course, anybody can implement this poorly. However, IBM has done a stellar job with it this time. I feel privileged to get to play with stuff like this.
-Shawn
copycat (Score:3, Interesting)
How is this different than Apple's FileVault [apple.com] feature in OSX which uses 128-bit AES encryption on your home directory?
I have a PowerBook and I must say that the FileVault works beautifully (and seamlessly)
It used to be Microsoft copying Apple, but I guess IBM can do it too. Granted my PowerBook doesn't use a fingerprint as the encryption key.. but still.
Hacked, stolen, ID fraud (Score:2)
At the moment, with current levels of security, if anyone's account/CC/whatever gets hacked, you at least have the option to change password, account UID etc. etc.
When it all comes down to biometrics, and the hacks come out to mimic finger prints, eye scans, pubic hair et al, what are we all going to do? You can't like change your fingerprints/DNS overnight???
Doh!
Insecure? (Score:3, Interesting)
Are we looking at a new, better generation of readers today or are they still as insecure as they used to be?
U.S.gov (Score:2)
And face shots. Basically they are a bunch of assholes, I'll stick to passwords for the time being.
Re:yeah, but... (Score:2)
Re:yeah, but... (Score:2)
Re:Nice until... (Score:2)
A linux
Now, come on! (Score:2)
IBM's would go into a full screen loop of George Carlin standup routines. Uncensored, of course.
-Jellisky
Re:fingerprints are everywhere (Score:3, Informative)
Re:the fujitsu lifebook P7010 already has fp scann (Score:3, Informative)
http://www.electrovaya.com/product/scribbler_pr