The company - Biolink technologies (www.biolinkusa.com), supposedly has a Linux driver and software in the works. At least that's what they told me 4 months ago. Who knows if that will ever actually come to reality. My guess is that demand will drive their decision. I could certainly ask the engineering contacts. I have actually been BCC'ing some of this discussion to a contact at Biolink. He's been getting a kick out of it.

I should note that I was very much an anti-biometric guy like you and Crispin until I started playing with this mouse. I won't claim it's perfect, but it's certainly one of the best I've ever seen.

The driver is not as critical as the application the mouse uses. The software takes the raw data coming off the mouse and creates a mathematical model of the print based on 125 points. It then hashes that model and then compares that hash to a stored set of private key hashes. These private keys are generated when the user "enrolls" in the system. 4 separate keys are stored, each key uses a randomly chosen 500 byte chunk of the hash as the "private key". The print currently in memory (just scanned in) must "fill in the gaps" of the key to provide authentication.

So coding a driver for it would not be enough. You would have to have some software that could DO something with the data coming off the mouse to make it useful.

------------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
------------------------------------

-----Original Message-----
From: Greg KH [mailto:gregat_private]
Sent: Tue 9/3/2002 9:00 PM
To: Andrew Plato
Cc: crimeat_private
Subject: Re: CRIME REMINDER: Free Seminar on Computer Security tomorrow!

On Tue, Sep 03, 2002 at 05:33:33PM -0700, Andrew Plato wrote:
>
> > No, this means I can just walk up to your machine, and plug
> > my mouse in,
> > replacing your biometric mouse. Then when the host asks for the
> > biometric info, my mouse sends back the proper info, and access is
> > granted.
>
> Actually no - that isn't how the Biolink biometric system works
> (that's the one we sell). The templates for prints are not stored
> anywhere on the mouse. They are stored within the actual computer or
> within a secured network appliance. Even if you stole the templates
> off the computer, you couldn't just input them into any old computer -
> you would have to know the private key / template combination to use as
> well as pass in a live print.

Ok, I looked at the marketing stuff for this device, and it is different from the device I have looked at previously. Sorry for jumping to conclusions. But marketing fluff is often much different than reality.

> > In short, a broken design :)
>
> Yes, but what you describe is not how the biometric system we sell works.
>
> > See the c't article for more technical info on how to do this
> > if you are interested.
>
> I've read it. It's fascinating. We've tried it at work. It's not that
> easy to do. You have to be pretty committed and have resources at your
> disposal. But that's true of virtually ALL hacking activities.

Heh, ok then, I imagine that you would have no problem with a Linux driver being created for this device? When I asked the previously alluded to company, they rebuffed me saying, "We can not reveal our proprietary USB protocol, so no Linux driver can be written." I am pretty sure that the c't article refers to this device, and points out all of the problems that I stated (you can't hide USB data...)

So would you mind me writing a Linux driver? If what you say is true about the protocol and design of the system, an open-source driver would do a lot to make people feel better about such products.

If you aren't the person to talk to about this, do you know who I can talk to? And yes, I have a bit of USB and Linux experience... :)

thanks,

greg k-h

This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 01:50:02 PDT