I guess I had it coming... This bug has nothing to do with the fact
we're talking about a fingerprint reader here, it is the equivalent of
passwd(1) not asking for the old password when setting a new one, which
would obviously be a bad idea.  A fix is also just as easy: Just move
the fingerprints to a secure location, so that you have to be root in
order to enroll a new fingerprint (and maybe create a SUID root program
so that users not in the group adm can set their fingerprint, but I
doubt that would be necessary in most usage scenarios).

That said, I do wonder about this knee-jerk bashing of fingerprint
readers.  I'd argue that, for the average user, they actually provide a
level of security at least comparable to good old fashioned passwords --
if not better: all the attacks on fingerprint readers I've seen
described require a much higher level of sophistication than looking
over someone's shoulder while they're typing in their password or maybe
buying and installing a hardware keylogger.  And if someone determined
enough to create a device emulating the fingerprint reader has physical
access to my machine, I'm pretty much screwed anyway (never mind that it
would probably be much easier to get a hold of my password for them, too).

-- 
Fingerprints stored in unsafe location
https://bugs.launchpad.net/bugs/235297
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
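
One way to check the fix described in the message above, as an added example that is not part of the original post or of the affected software: the function flags every entry in a fingerprint store that an account other than the trusted one could replace or modify. The function names, the sample store and its file are assumptions, since the bug report does not name the actual storage location.

```python
import os
import stat
import tempfile


def audit_enrollment_store(store, trusted_uid=0):
    """Return (path, problem) pairs for every entry in the store that an
    account other than trusted_uid could replace or modify."""
    findings = []
    entries = [store]
    for root, dirs, files in os.walk(store):
        entries.extend(os.path.join(root, name) for name in dirs + files)
    for path in entries:
        st = os.lstat(path)  # lstat: judge a symlink itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink inside store"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "group/world writable"))
    return findings


def build_sample_store(file_mode):
    """Constructed sample: a temp directory holding one fake template file."""
    store = tempfile.mkdtemp()
    template = os.path.join(store, "right-index.bin")  # hypothetical name
    with open(template, "wb") as fh:
        fh.write(b"constructed placeholder, not a real template")
    os.chmod(template, file_mode)
    return store, template


if __name__ == "__main__":
    # Treat the current user as the trusted owner so the demo runs unprivileged;
    # on a real system the trusted owner would be root (uid 0).
    store, _ = build_sample_store(0o666)
    for path, problem in audit_enrollment_store(store, trusted_uid=os.getuid()):
        print(path, "->", problem)
```

An empty result with `trusted_uid=0` means only root can enroll or overwrite a template, which is the property the proposed fix is after.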
