Physical Security Is #1: hand/fingerprint scanning from an old scanner?

[pex]

Few of us take adequate protective measures for our computers, our data, and our homes.  Most of us accept nominal security and just 'hope we don't become the victim'.  

I'm always thinking about where value in security lies: what is the useful cost to benefit ratio.  So that brings me to today's ponderance.

Can we take an old scanner we are about to throw away and instead set it up to be the hardware for a N-print scanner, and find open source software to create an access control system?  (Wouldn't that be cool, like we see on all the movies?)

People drop scanners for free or nearly on classifieds all the time.  I'm starting to look into recognition software now.

[IBI]

Scanners tend to be slow though, even on low quality you won't get the half second hand scan of hollywood.

[o2dazone]

I've heard fingerprint security just isn't quite there yet. It allows a lot of things even when it shouldn't (people have tested 'gummi bears' and it allowed them to bypass that). Not to mention, fingerprint security, while cool, isn't really all that safe. If you're at a coffee shop and you get up from your table to get something to drink, I could see it kind of being useful there (not anymore safe than locking your machine). But if someone steals your laptop, they can just pull the hdd out of it, mount it as a slave and take all your sh!t.

I was talking to Viett in IRC, and he had just got a new hard-drive. I was telling him the wonders of TrueCrypt. A headerless encrypted volume with OTFE (On The Fly Encryption). I use it on all my harddrives (except for the two sitting in my 40lbs full tower). I feel this is about as much security as I need, as it's completely headerless, cannot be bypassed, and even allows hidden volumes, for if you live in the EU where laws like being legally forced to give up your passwords is a problem.

I know this isn't quite the topic of your post, but if you're looking for general software computer security, this would be the route to take.

[Rajagra]

I remember testing one of Compaq's early fingerprint devices at the bank where I worked. It was set up so you had to type the password AND scan your fingerprint. Very secure right?

Then I discovered that pressing Ctrl-Alt-Del and Escape a few times and deliberately scaning the wrong finger, in the right order logged you in. It had reduced security to zero, not improved it.

I've been wary of security gimmicks ever since.

[lal]

AFAIK all the finger print readers available today can be tricked with ridiculously simple ingredients. http://www.ccc.de/biometrie/fingerabdruck_kopieren

[pex]

Scanners tend to be slow though, even on low quality you won't get the half second hand scan of hollywood.

Well that's when you break out "Everything isn't like it is on the movies!"  I know that high DPI scans take time and will especially do so on old scanners.

I've heard fingerprint security just isn't quite there yet. It allows a lot of things even when it shouldn't (people have tested 'gummi bears' and it allowed them to bypass that).

Gummi bear tricks are akin to what happens to users logging onto Windows under an administrator account for normal-user use, as most often prints are lifted from the scanner itself (WIPE OFF AFTER USE, GEE!).  Obviously process failure will cause holes.  It's like buying a 1000 dollar lock on a 15 dollar hollow wood door.  To defeat the lock, kick the door in.  And you can still probably 'pick' the lock anyway.  All of that is even moot if they can just open a window and climb in instead.

AFAIK all the finger print readers available today can be tricked with ridiculously simple ingredients. http://www.ccc.de/biometrie/fingerabdruck_kopieren

I don't see how this is different than picking a simple pinned door lock or hacking a Windows pass remotely through some IPC exploit.  Obviously professional biometric systems need enhancements (I have to believe the industry has since thought about things like temperature, electrical resistance, passing a magnetic field, etc. to prevent fake finger shenanigans.  I mean, you should have to cut a guy's hand off...)

I envision my test for door access as opposed to computer security.  Clearly just setting up a single biometric (and outdated instrument) is of questionable prudence, its most probable issue probably not that it is any less secure than a standard house lock but that if it is the sole access control that opens the door and only mains power is applied, a power disruption will lock someone out.

Because the lock on the door is only such a deterrent for those unwilling to brute force their way in, any key system should probably be paired with at least a camera, and in the case of an access control using electricity, a significant backup battery.

Moving from a single print to at least 4 fingers or even a combined palm (that's the joy of the fullsized scanner window) probably decreases the ability of someone doing preliminary stalking work for prints because not only will they have to collect all the individual parts, they will have to assemble them at the 'appropriate places' which they may not be familiar enough with, to reconstruct the hand.

There's of course always the question, can someone attack the interface by removing the part that images the hand and just pumps in a false image electronically (i.e. the 'hand' has already been 'scanned' elsewhere and some sort of electronic interception/deposition is occurring to pump in what the scanner thinks is an image it took.)

Just things to think about.  Maybe the only difference between a print and a key is how you might lose one or the other and what the consequences are.  Can a locksmith pick your scanner?  What happens when you finger is damaged?