Linked by Thom Holwerda on Wed 11th Sep 2013 22:16 UTC
Apple

Apple's new iPhone 5S, which comes with a fingerprint scanner, won't store actual images of users' fingerprints on the device, a company spokesman confirmed Wednesday, a decision that could ease concerns from privacy hawks.

Rather, Apple's new Touch ID system only stores "fingerprint data", which remains encrypted within the iPhone's processor, a company representative said Wednesday. The phone then uses the digital signature to unlock itself or make purchases in Apple's iTunes, iBooks or App stores.

In practice, this means that even if someone cracked an iPhone's encrypted chip, they likely wouldn't be able to reverse engineer someone's fingerprint.

This seems relatively safe - but then again, only if you trust that government agencies don't have some sort of backdoor access anyway. This used to be tinfoil hat stuff, but those days are long gone.

I dislike the characterisation of privacy "hawks", though. It reminds me of how warmongering politicians in Washington are referred to as "hawks", and at least in my view, it has a very negative connotation.

wait
by arb1 on Wed 11th Sep 2013 22:52 UTC
arb1
Member since:
2011-08-19

So if it doesn't store it on the device then where? If it's stored on Apple's then that could mean some type of back-dooring is possible since they could just tell the phone it's the right finger print even when it's not.

Reply Score: 1

RE: wait
by jared_wilkes on Wed 11th Sep 2013 23:26 UTC in reply to "wait"
jared_wilkes Member since:
2011-04-25

RTFM

Reply Score: 4

RE[2]: wait
by tylerdurden on Thu 12th Sep 2013 03:16 UTC in reply to "RE: wait"
tylerdurden Member since:
2009-03-17

So where's the manual describing in detail the finger print subsystem, and where is the actual code so people can review it?

Reply Score: 3

RE[3]: wait
by jared_wilkes on Thu 12th Sep 2013 04:14 UTC in reply to "RE[2]: wait"
jared_wilkes Member since:
2011-04-25

I don't see any reporting that is unclear, inconsistent, or ambivalent about there being a dedicated processor on the A7 SOC that stores the data necessary to identify enrolled fingerprints — locally and encrypted. And that this data never leaves the phone.

If you are interested in Touch ID and have questions, RT the MFing metaphorical manual. Read what Thom wrote, read the source article, read Apple's web site, watch the keynote, watch the 5S video.

The parent's questions are answered. His speculation is baseless.

Are there any number of unanswered questions? Absolutely. Do I trust anyone? No way. But start with a little self-education then ask an interesting question.

Edited 2013-09-12 04:14 UTC

Reply Score: 3

RE[3]: wait
by jared_wilkes on Thu 12th Sep 2013 04:22 UTC in reply to "RE[2]: wait"
jared_wilkes Member since:
2011-04-25

Further, I presume the parent mistook "images of your fingerprints" (a pretty ludicrous concern and lack of understanding in the first place, a good showing of how poor technology reporting is at informing the general public) for "the information necessary, likely one-way hashed and encrypted, (we don't really learn anything from this article on the implementation beyond what was in the keynote and a general understanding of the state-of-the-art) that authenticates your fingerprint with your ID".... so he thought your unique Touch ID is not stored locally... which would likely be less secure. But it is. And it's only stored locally. Do I think that's been reasonably well reported and trustable as the truth? Yes I do. RTFM.

Do I trust that it can't be hacked? No way. Do I think it's perfect? No, but it doesn't sound worse than an 18-digit passphrase with at least one case variation, a number, and a special character. I want to know more. But this does sound better than most current forms of authenticating when considering all factors.

Edited 2013-09-12 04:27 UTC

Reply Score: 4

RE[4]: wait
by tylerdurden on Thu 12th Sep 2013 08:30 UTC in reply to "RE[3]: wait"
tylerdurden Member since:
2009-03-17

TFM only exposes what the manufacturer wants 3rd party developers and users to see. It does not expose much if any details of the actual design and implementation. Especially since tons of trade secrets are present and the manufacturer does not want to share with the public for fear of releasing their IP to competitors. Which is worse in the case of a company as paranoid and secretive as Apple.

So perhaps you should apply your advice to yourself and actually understand what TFM is and isn't.

Basically your point is that you trust Apple because they say so and that's that. And basically proceeded to question the character or level of knowledge of those who don't trust a corporation blindly.

Do I think Apple is going to do anything "naughty" with this sensor and the information it generates? Not necessarily. Do I trust them? No, not really. The only way they can demonstrate that they're trustworthy is by releasing the actual code and design details. Trust is earned not granted. Especially when it comes to very large companies, which are known to do plenty of naughty things.

Edited 2013-09-12 08:32 UTC

Reply Score: 3

RE[5]: wait
by jared_wilkes on Thu 12th Sep 2013 11:30 UTC in reply to "RE[4]: wait"
jared_wilkes Member since:
2011-04-25

No, RTFComments I left. That is not my point. My point is: the first comment was idiotic and completely misread this post and clearly showed no understanding of what has been said in ANY post. I explicitly stated there is plenty more to learn and that I don't trust anyone.

Reply Score: 2

RE[6]: wait
by tylerdurden on Thu 12th Sep 2013 18:11 UTC in reply to "RE[5]: wait"
tylerdurden Member since:
2009-03-17

Wow, were we supposed to infer all that from a single RTFM?

Reply Score: 1

RE[7]: wait
by jared_wilkes on Thu 12th Sep 2013 18:18 UTC in reply to "RE[6]: wait"
jared_wilkes Member since:
2011-04-25

Based on the general meaning of RTFM (you asked a stupid question, the answer is provided if you just read correctly), votes on my comment, my subsequent comments, and the complete idiocy of the first post: YES!

Edited 2013-09-12 18:21 UTC

Reply Score: 3

RE[5]: wait
by Neolander on Thu 12th Sep 2013 17:50 UTC in reply to "RE[4]: wait"
Neolander Member since:
2010-03-08

Do I think Apple is going to do anything "naughty" with this sensor and the information it generates? Not necessarily. Do I trust them? No, not really. The only way they can demonstrate that they're trustworthy is by releasing the actual code and design details. Trust is earned not granted. Especially when it comes to very large companies, which are known to do plenty of naughty things.

Then again, even if they did give you some piece of source code and told you "this is the source of the fingerprint reader software", how would you be sure that it's actually this code that is used inside of the iPhone?

Reply Score: 2

RE[6]: wait
by tylerdurden on Thu 12th Sep 2013 19:01 UTC in reply to "RE[5]: wait"
tylerdurden Member since:
2009-03-17

That's a good point. As I said, trust is earned, so it's Apple's job to earn that trust. If it's very difficult for Apple to do that, then that's their problem. The burden is on them, not the consumer.

Reply Score: 3

RE[7]: wait
by leos on Fri 13th Sep 2013 02:40 UTC in reply to "RE[6]: wait"
leos Member since:
2005-09-21

That's a good point. As I said, trust is earned, so it's Apple's job to earn that trust. If it's very difficult for Apple to do that, then that's their problem. The burden is on them, not the consumer.


They have earned it. Clearly not from you, but from millions of their customers. Trying to earn it from you is pointless, since you would never be satisfied until you saw the code, and then you'd invent a different reason not to trust them.

In reality, you have to think about motivations. Let's put aside the NSA for a moment and think about what is in Apple's best interest. Do you think it is in their interest to upload fingerprints to their server, or not adequately protect the information? You think it is in their interest to create something that will end in a massive security scandal? No of course not. They are just as interested in making this system secure as you are. That doesn't mean there aren't vulnerabilities present, but the idea that they are somehow misleading people and not doing their best to make this thing secure just doesn't pass the common sense test.

Reply Score: 3

RE: wait
by flypig on Wed 11th Sep 2013 23:28 UTC in reply to "wait"
flypig Member since:
2005-07-13

They do store some data on the device (at least according to the article), it's just not an actual image of your fingerprint. This probably isn't unusual for fingerprint readers: I believe only certain features are needed to repeat an identification.

Unfortunately the conclusion that "this means that even if someone cracked an iPhone’s encrypted chip, they likely wouldn’t be able to reverse engineer someone’s fingerprint" doesn't necessarily follow. It seems like a strange claim to make anyway. What exactly is it that they think the "privacy hawks" are worried about?

Reply Score: 3

RE: wait
by Drumhellar on Thu 12th Sep 2013 00:51 UTC in reply to "wait"
Drumhellar Member since:
2005-07-12

Presumably, it works like this:

Since fingerprints aren't compared in their entirety normally, since there's too much variability in quality of data to match exactly, certain types of features are located, usually whirls and loops, and their location is calculated relative to the other features in a standardized way.

This data is used to generate a one-way hash, and that hash itself is compared to an original hash. The fingerprint is never stored permanently, and ideally is erased from memory the moment the hash is generated.

In the original announcement, Apple explicitly stated that it isn't stored in the cloud, and I'm inclined to believe them, since it would be quite trivial to discover that it isn't true.

Reply Score: 6

RE[2]: wait
by Lennie on Fri 13th Sep 2013 09:23 UTC in reply to "RE: wait"
Lennie Member since:
2007-09-22

I don't think they use a hash.

Because I think finger print readers use 'probability', it's not exact.

So what they store (encrypted) is about-here-is-a-whatever and about-there-is-a-something and if these mostly match the device will 'recognize' your fingerprint.

Reply Score: 2

RE: wait
by Soulbender on Thu 12th Sep 2013 05:51 UTC in reply to "wait"
Soulbender Member since:
2005-08-18

I'm going to guess that what they use is some kind of biometric equivalent to one-way hashes.
It would however be nice if this was documented the same way industry standard hashes are, especially since these hashes can't be changed and they uniquely identify you.

Edited 2013-09-12 05:59 UTC

Reply Score: 4

Comment by v_bobok
by v_bobok on Wed 11th Sep 2013 23:22 UTC
v_bobok
Member since:
2008-08-01

In this day and age would you ever trust these guys completely?

Edited 2013-09-11 23:22 UTC

Reply Score: 3

RE: Comment by v_bobok
by WorknMan on Wed 11th Sep 2013 23:28 UTC in reply to "Comment by v_bobok"
WorknMan Member since:
2005-11-13

In this day and age would you ever trust these guys completely?


No, of course not. On the other hand, I live in the US, in a state that requires fingerprints to get a driver's license. So if they want my fingerprint, they have it already.

Reply Score: 5

RE[2]: Comment by v_bobok
by drstorm on Thu 12th Sep 2013 08:15 UTC in reply to "RE: Comment by v_bobok"
drstorm Member since:
2009-04-24

Yes, but they are still not *sure* that it is you using a particular phone - until now!

Reply Score: 3

RE[2]: Comment by v_bobok
by Alfman on Thu 12th Sep 2013 16:59 UTC in reply to "RE: Comment by v_bobok"
Alfman Member since:
2011-01-28

WorknMan,

"No, of course not. On the other hand, I live in the US, in a state that requires fingerprints to get a driver's license. So if they want my fingerprint, they have it already."

It makes me wonder what proportion of people have their prints recorded?

As a green card holder in the US, my thumb print is displayed on my green card. I have to go to DHS to get new prints every several years, and the TSA has taken my fingerprints every time I've flown internationally (I'm not sure if this is routine policy?).

The local PD has a program to finger & footprint newborns but there's no legal requirement to do so, I wonder who takes them up on it.


I'm not one to cherish the privacy of my fingerprints so much, but the prospect of being falsely implicated in a crime due to false positives is a chilling thought.

Edited 2013-09-12 17:00 UTC

Reply Score: 4

RE: Comment by v_bobok
by Tony Swash on Thu 12th Sep 2013 16:25 UTC in reply to "Comment by v_bobok"
Tony Swash Member since:
2009-08-22

I understand the worry and fuss about the NSA stuff but the simple reality is that the actual danger of a thief stealing and accessing my phone is about ten thousand times more of an actual threat than the government getting hold of a scan of my fingerprints.

Personally I couldn't care less if the government has my fingerprints. I do care a great deal about thieves accessing the stuff on my phone but I also find entering a pass code every time I use the phone very tedious indeed. Touch ID seems a great step forward to me, more insecurity and less intrusion, what's not to like?

Reply Score: 2

RE[2]: Comment by v_bobok
by Lennie on Fri 13th Sep 2013 09:29 UTC in reply to "RE: Comment by v_bobok"
Lennie Member since:
2007-09-22

Actually, when the police start to look at your phone, you'll be very disappointed about how much information is actually kept on your phone. And they'll twist that information to fit their need. You think you are innocent, the police or other agency might have a different idea.

Reply Score: 2

RE[3]: Comment by v_bobok
by Tony Swash on Fri 13th Sep 2013 10:32 UTC in reply to "RE[2]: Comment by v_bobok"
Tony Swash Member since:
2009-08-22

I think paranoia is a bit too rampant. Are you engaged in activities that the cops should be interested in? If so by all means be paranoid. I on the other hand take a more relaxed view. The cops got my fingerprints 40 years ago when I was briefly a bad boy in my youth (1968 radical street fighting and all that) now I am a sedate older person and the cops are the good guys.

I don't use a pass code lock on my phone either. What are people going to discover if they steal my phone, how many friends I have ;)

Reply Score: 2

RE[4]: Comment by v_bobok
by Lennie on Fri 13th Sep 2013 11:05 UTC in reply to "RE[3]: Comment by v_bobok"
Lennie Member since:
2007-09-22

There is a lot of data stored on your phone:

http://www.youtube.com/watch?v=ibTjBY-_Dbc

Don't give the police any information, it's going to be a problem. It doesn't matter if you are innocent:

http://www.youtube.com/watch?v=6wXkI4t7nuc

Reply Score: 5

Bill Shooter of Bul
Member since:
2006-07-14

Can anyone tell me what that really means? I understand it's really a System on a Chip they are talking about, but those have non volatile storage? I wouldn't have thought they would, but I guess that's possible.

And "encrypted" do they really mean hashed? That's what I would assume, treat it like a password. Finger print scanner spits out some sort of number based on the positioning of various finger print features, sends it to the processor where that data is salted and hashed and only the hash is stored "on the chip".

I mean, there's no reason to actually store the finger print encrypted via symmetric encryption, that just seems silly and theoretically unsafe.

Reply Score: 4

galvanash Member since:
2006-01-25

And "encrypted" do they really mean hashed? That's what I would assume, treat it like a password. Finger print scanner spits out some sort of number based on the positioning of various finger print features, sends it to the processor where that data is salted and hashed and only the hash is stored "on the chip".

I mean, there's no reason to actually store the finger print encrypted via symmetric encryption, that just seems silly and theoretically unsafe.


Bingo. That is pretty much exactly what they are doing.

Reply Score: 4

Hexadecima Member since:
2010-09-01

A hash is no security in this situation. No one wants to forge fingerprints! If the NSA or some other intelligence organization knows the hashing algorithm, you can be identified. All Apple can really promise is that they aren't transmitted anywhere.

Reply Score: 4

Bill Shooter of Bul Member since:
2006-07-14

Once they can be used to sign into your bank account, there will be plenty of people.

Knowing the hashing algorithm and having the unsalted hash of a password would allow an attacker to construct a rainbow table to discover the most common dictionary words used. This is why it is good practice to have strong password requirements, and to salt each password stored in a system differently. That should defeat rainbow tables. Also, in this case it's not a dictionary word, but a binary representation of a finger print which would make it even more difficult. Hashing done correctly would be the best approach in this situation.

Reply Score: 2

shotsman Member since:
2005-07-22

You have more than one digit, don't you?

I never use my forefinger for FP systems. A different digit for different systems. Simples!

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

So I can only ever have ten logins, after that I'm pretty much screwed.

I've had a new credit card issued five times in the last ten years due to data breaches. With a finger print login, I'm essentially leaving my password in plain text on thousands of sticky notes in thousands of different places every day.

Edited 2013-09-12 15:58 UTC

Reply Score: 4

Lennie Member since:
2007-09-22

I don't see how you get from some fuzzy image for reading finger prints to the same numbers each time.

Because that is what you need when you are going to use a hash. The numbers would have to match exactly.

So they are encrypted and then compared to the image to see if they match for 90% or whatever they use.

Reply Score: 2
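The disagreement in the comments above (hash the fingerprint like a password versus "the numbers would have to match exactly"), plus the earlier point about salting, can be checked with a small added example. It is not code from any poster or from Apple; the minutiae format, tolerances, threshold and salts are assumptions chosen for illustration and say nothing about how Touch ID is actually built.

```python
import hashlib
import math

# Constructed sample data: each minutia is (x, y, ridge orientation 0-179 deg).
ENROLLED = [(12, 40, 90), (55, 18, 45), (73, 66, 130), (30, 81, 10), (88, 35, 170)]
# Same finger scanned again: sensor noise shifts every point by a unit or two.
RESCAN = [(13, 40, 92), (54, 19, 44), (73, 67, 129), (31, 80, 12), (88, 34, 171)]
# A different finger.
OTHER = [(20, 20, 60), (60, 70, 100), (40, 50, 150), (80, 10, 30), (10, 90, 75)]


def template_digest(minutiae, salt=b""):
    """Password-style storage: SHA-256 over a canonical serialization."""
    data = ",".join(f"{x}:{y}:{a}" for x, y, a in sorted(minutiae)).encode()
    return hashlib.sha256(salt + data).hexdigest()


def angle_diff(a, b):
    """Smallest difference between two orientations that wrap at 180 degrees."""
    d = abs(a - b) % 180
    return min(d, 180 - d)


def match_score(enrolled, probe, dist_tol=3.0, angle_tol=10):
    """Fraction of enrolled minutiae that have a nearby, unused probe minutia."""
    unused = list(probe)
    hits = 0
    for ex, ey, ea in enrolled:
        for cand in unused:
            px, py, pa = cand
            close = math.hypot(ex - px, ey - py) <= dist_tol
            if close and angle_diff(ea, pa) <= angle_tol:
                unused.remove(cand)  # each probe point may match only once
                hits += 1
                break
    return hits / len(enrolled)


def accepts(enrolled, probe, threshold=0.8):
    """Fuzzy decision: accept when enough features line up."""
    return match_score(enrolled, probe) >= threshold


def same_digest_on_two_devices(minutiae, salt_a=b"", salt_b=b""):
    """Would two devices that saw identical feature data store the same value?"""
    return template_digest(minutiae, salt_a) == template_digest(minutiae, salt_b)


if __name__ == "__main__":
    # Exact-match hashing rejects the legitimate rescan.
    print("digest equal on rescan:",
          template_digest(ENROLLED) == template_digest(RESCAN))
    # Threshold matching accepts the rescan and rejects the other finger.
    print("fuzzy rescan:", accepts(ENROLLED, RESCAN),
          "other:", accepts(ENROLLED, OTHER))
    # Unsalted digests are identical everywhere; per-device salts are not.
    print("unsalted linkable:", same_digest_on_two_devices(ENROLLED))
    print("salted linkable:",
          same_digest_on_two_devices(ENROLLED, b"device-A", b"device-B"))
```

A plain cryptographic hash only works if the input is bit-for-bit repeatable, so a matcher that tolerates noise has to compare a stored template, which is why how that template is protected at rest matters.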

Bill Shooter of Bul
Member since:
2006-07-14

I usually play along with the tin foil hat crew, as paranoia tends to lead to innovative security solutions .. to a point. But it's nice to have realistic conversations about security tradeoffs that we all must live with.

Reply Score: 2

Comment by Drumhellar
by Drumhellar on Thu 12th Sep 2013 00:29 UTC
Drumhellar
Member since:
2005-07-12

I dislike the characterisation of privacy "hawks", though. It reminds me of how warmongering politicians in Washington are referred to as "hawks", and at least in my view, it has a very negative connotation.


I always interpret "hawks" as keeping a keen eye out, since hawks are well known for keen eyesight.

In my mind, the idea of war hawks is the exception to that usage.

Reply Score: 3

RE: Comment by Drumhellar
by timalot on Thu 12th Sep 2013 02:04 UTC in reply to "Comment by Drumhellar"
timalot Member since:
2006-07-17

I thought the "war" hawks usage was the most common?

I agree with Thom, the word used in this context implies that "Apple would never do such a thing as compromise your privacy". But even people who scrutinize too much should not be worried.

Reply Score: 2

RE[2]: Comment by Drumhellar
by jared_wilkes on Thu 12th Sep 2013 02:22 UTC in reply to "RE: Comment by Drumhellar"
jared_wilkes Member since:
2011-04-25

Hawk is applied to innumerable policies that attract a constituency of representatives who align and fight with consistency, vehemence, aggressiveness and primacy above other issues.

That its original derivation is specifically War Hawk and War Dove in respect to declaring war against Britain for American Independence leaves an odd taste in Thom's mouth is bizarre but largely irrelevant.

Reply Score: 3

RE[2]: Comment by Drumhellar
by jared_wilkes on Thu 12th Sep 2013 02:32 UTC in reply to "RE: Comment by Drumhellar"
jared_wilkes Member since:
2011-04-25

I agree with Thom, the word used in this context implies that "Apple would never do such a thing as compromise your privacy".


I see no such context. The context here is: a privacy hawk may never be satisfied with any answers provided for an enabling technology that could be abused. If Apple did this right, those privacy hawks may be somewhat more satisfied. In fact, using "hawk" specifically implies that if everyone else is blinded into believing everything is okay, you still have a hawk who is looking out for you... can that hawk even be satisfied with this design?

Thom's point is that to him a "hawk" must be a whacko militant and someone who is "hawkish" is not inherently a whacko, conspiracist, nutjob militant. However, what Thom doesn't realize is that War Hawks are often widely respected — even by those who oppose them — and that hawk is applied to many policies and with good regard. (Depending on your point of view.) For many, hawk is not negative. And for most, they appreciate that the "hawk" term applies to vehemence, sincerity, watchfulness, steadfastness — not anything particularly negative whether or not they agree with the perspective of the "hawk."

Edited 2013-09-12 02:48 UTC

Reply Score: 2

Not an image. Ok...
by Flatland_Spider on Thu 12th Sep 2013 01:01 UTC
Flatland_Spider
Member since:
2006-09-01

There are still questions.

Presumably this could be used to collect all of the fingerprints of people who touch the phone. iOS is built so that everyone has to touch the home button multiple times during a session. Is the sensor still active outside of areas that need authentication, and does it store a list of the incorrect fingerprints?

Then there is the anonymity aspect. How easy is the fingerprint signature to reverse? Now there is proof who the phone belongs to.

Then there is the question of how much tracking is Apple using this for. Do they have a log of when the phone has been used and by whom?

Reply Score: 3

RE: Not an image. Ok...
by galvanash on Thu 12th Sep 2013 01:55 UTC in reply to "Not an image. Ok..."
galvanash Member since:
2006-01-25

There are still questions.

Presumably this could be used to collect all of the fingerprints of people who touch the phone.


But they don't actually store fingerprints... So worst case scenario they are storing a hash of your fingerprint - which (if they do it right) cannot be used to determine the actual fingerprint that was used to compute the hash.

iOS is built so that everyone has to touch the home button multiple times during a session. Is the sensor still active outside of areas that need authentication, and does it store a list of the incorrect fingerprints?


I don't see any reason why they would store incorrect fingerprints - it just doesn't make any sense at all to do that (on a technical or functionality level).

Then there is the anonymity aspect. How easy is the fingerprint signature to reverse? Now there is proof who the phone belongs to.


Again, it should be mathematically impossible, and if it isn't the lawsuits will start flying like bullets in a drive by...

Then there is the question of how much tracking is Apple using this for. Do they have a log of when the phone has been used and by whom?


That is an interesting one, because if they are trying to go after the enterprise market this would actually be a very valuable feature - HIPAA laws practically require it. That said, it is probably an undesirable feature in the consumer market (obviously). If they are smart there would be some way to turn such logging off and on using provisioning profiles - but I don't know if they do anything like this or not currently.

Reply Score: 2

RE[2]: Not an image. Ok...
by tylerdurden on Thu 12th Sep 2013 03:07 UTC in reply to "RE: Not an image. Ok..."
tylerdurden Member since:
2009-03-17

So worst case scenario they are storing a hash of your fingerprint - which (if they do it right) cannot be used to determine the actual fingerprint that was used to compute the hash.


What you define as "doing it right" is actually "doing it absolutely wrong": If the system can't be used to determine the actual correct fingerprint (the owner's) then it is useless.


Then there is the anonymity aspect. How easy is the fingerprint signature to reverse? Now there is proof who the phone belongs to.


Again, it should be mathematically impossible, and if it isn't the lawsuits will start flying like bullets in a drive by...



I think both of you may be missing the point. If a 3rd party manages to get a hold of the fingerprint signature, they already have all the information they need about said fingerprint. There is no point in "reverse engineering."

The point of a database of finger prints. It's not about reverse engineering the print, but rather to match the signature of an unknown finger print, probably gathered in the field, against a database of "known" signatures. If there is a positive, then you can easily figure out who that "unknown" signature belongs to, because the positive signature is associated with a specific phone/device and the owner of such is known.

Edited 2013-09-12 03:14 UTC

Reply Score: 5

RE[3]: Not an image. Ok...
by Soulbender on Thu 12th Sep 2013 06:03 UTC in reply to "RE[2]: Not an image. Ok..."
Soulbender Member since:
2005-08-18

What you define as "doing it right" is actually "doing it absolutely wrong": If the system can't be used to determine the actual correct fingerprint (the owner's) then it is useless.


That's like saying password hashes are wrong since you can't use them to deduce the original password.
Also, he didn't say it can't be used to determine if a fingerprint is correct, he said it can't be used to determine the original fingerprint.

Reply Score: 4

RE[4]: Not an image. Ok...
by tylerdurden on Thu 12th Sep 2013 09:00 UTC in reply to "RE[3]: Not an image. Ok..."
tylerdurden Member since:
2009-03-17

No, that's not what I said. In fact it's the opposite of what I was trying to express;

There is no point for the NSA, or whatever other naughty agency, to reverse engineer the hash/digital signature/or what have you in order to reconstruct the entire fingerprint that generated it. The unique digital signature itself is all the data they need.

That's because after isolating an unknown fingerprint in the field, all one needs to do is to simply run that print through the same algorithm that generates those unique digital signatures. After we have generated the signature for the unknown fingerprint (unknown as in we don't know who the isolated finger print belongs to). Then all one has to do is run the signature just generated against the DB with the "known" signatures, i.e. signatures that have been extracted from devices we have id for, thus revealing the identity of the owner of the specific device. If there is a match in the database, then you can assume those two unique signatures come from the same finger print, as such we, in turn, know who the owner of that fingerprint and device could be.

Not that I'm implying the NSA is doing such a thing. But the way people seem to be thinking about the entire fingerprint as being the actual data of interest is wrong. The unique hash that identifies a specific fingerprint is. So as long we know the actual device that produced a specific unique hash/vector machine/digital signature. That's all that is needed to identify a person just by their finger print isolated from other surfaces (as long as it matches a digital signature extracted from a specific device).

Edited 2013-09-12 09:06 UTC

Reply Score: 4

RE[5]: Not an image. Ok...
by lucas_maximus on Fri 13th Sep 2013 05:29 UTC in reply to "RE[4]: Not an image. Ok..."
lucas_maximus Member since:
2009-08-18

What sort of level of paranoia do you have?

Edited 2013-09-13 05:39 UTC

Reply Score: 4

RE[6]: Not an image. Ok...
by tylerdurden on Fri 13th Sep 2013 20:29 UTC in reply to "RE[5]: Not an image. Ok..."
tylerdurden Member since:
2009-03-17

If I had to guess a figure, I'd say about one hundredth of your level of infatuation with all things Microsoft. So very paranoid, I am afraid.

Edited 2013-09-13 20:33 UTC

Reply Score: 1

RE[7]: Not an image. Ok...
by lucas_maximus on Fri 13th Sep 2013 22:25 UTC in reply to "RE[6]: Not an image. Ok..."
lucas_maximus Member since:
2009-08-18

I think you have got it more on the mind than I have considering you brought them up.

TBH I find it utterly boring that you act like a complete c*nt about the fact that I like ASP.NET and Visual Studio for development. I don't like it when people create an echo chamber of bad jokes about Microsoft that are no longer relevant, funny or constructive in the industry I work in, because it is the joke that stupid people make. Especially when there could be a more interesting discussion.

I work in corporate style environments, and I guess I kinda think that way, so I comment accordingly. A lot of things that Microsoft does work really well for corporations and me knowing the tech pays well. So yeah I do kinda love Microsoft because I get PAID!

I don't know however how this has anything to do with iPhones and finger print scanners. But I suppose attacking me rather than explaining the reasons behind your paranoia is easier for you to vocalise.

Edited 2013-09-13 22:36 UTC

Reply Score: 3

RE[3]: Not an image. Ok...
by galvanash on Thu 12th Sep 2013 14:29 UTC in reply to "RE[2]: Not an image. Ok..."
galvanash Member since:
2006-01-25

What you define as "doing it right" is actually "doing it absolutely wrong": If the system can't be used to determine the actual correct fingerprint (the owner's) then it is useless.


Whether it is a password, a fingerprint, a time based key (google authenticator), etc... - it doesn't matter. The authentication system's job is not to know your credentials, and if it does actually know your credentials it is simply not built responsibly. The authentication system only has to determine that you know your credentials, and there are very well established ways to do that without having to ever store them.

I think both of you may be missing the point. If a 3rd party manages to get a hold of the fingerprint signature, they already have all the information they need about said fingerprint. There is no point in "reverse engineering."

The point of a database of finger prints. It's not about reverse engineering the print, but rather to match the signature of an unknown finger print, probably gathered in the field, against a database of "known" signatures. If there is a positive, then you can easily figure out who that "unknown" signature belongs to, because the positive signature is associated with a specific phone/device and the owner of such is known.


Oh, I understand your point perfectly. What you are describing is a rainbow table ;) I'm not arguing that using biometrics is a good idea - I was just answering the specific points brought up. There are many reasons why this is a horrible idea:

1. Fingerprints can't be changed, so if someone figures out how to compromise the authentication system using "fake" fingerprints you are pretty much screwed.

2. You leave them everywhere. It's kind of stupid to trust security to a piece of information that is in fact fairly trivial to acquire. It's like writing a post-it note with your password on it, but you do it virtually every time you touch anything...

3. They are unique enough that they can serve as compelling evidence legally for identification purposes. Knowing someone logged into a system with a password of "foo" is not going to be very useful in identifying a person, because lots of people could be using that password - if you have the hash of a fingerprint and can generate that hash from the suspect's fingerprint... well that is pretty much the opposite.

The first two points are certainly problems, but considering that this is replacing a system that uses a trivial 4 digit numeric passcode by default, well it isn't all that much worse - and it does have some compelling advantages when it comes to simplicity for the user.

The third point (and your main concern) can be dealt with quite effectively - I just don't know if Apple did this responsibly or not. You can make the hash less effective for identification purposes by simply making sure that it has a fair number of collisions - i.e. the odds of two fingerprints resulting in the same hash is say 1 in 10,000 or something like that - far too low to be useful for identification all on its own.

That would make it pretty much useless for the purposes of "drag netting"; having the hash would be useless without other supporting evidence, because lots of people could have the same hash. It would also make it far less secure of course. Considering the intended use case, I would argue that being less secure would actually be the right thing to do. I would really be interested to know what the collision rate actually is...

But I would add that it might also be a moot point. I mean, if the NSA has your phone, and the phone is yours... well they don't really need the fingerprint then do they? They have the phone, if they can get the hash they have already broken its security - there is probably lots of other evidence on it identifying you...

All in all I think the privacy concerns are a red herring. The problem is it's just a dumb way to do security. But seeing it is for something most people don't bother securing effectively anyway, I don't really see what the big deal is.

Edited 2013-09-12 14:29 UTC

Reply Score: 4

RE[4]: Not an image. Ok...
by tylerdurden on Thu 12th Sep 2013 18:58 UTC in reply to "RE[3]: Not an image. Ok..."
tylerdurden Member since:
2009-03-17


Whether it is a password, a fingerprint, a time based key (google authenticator), etc... - it doesn't matter. The authentication system's job is not to know your credentials


Well, a fingerprint is a credential, all the sensor really does is create a digital signature for any fingerprint it reads and passes it to the OS. The authorization module in the OS then proceeds to validate that signature against a database of "known/correct" signatures and then proceeds to determine the identity of the owner of that fingerprint's digital signature.

"Digital Credentials" refers to many things, perhaps you're thinking of "credentials" as being the same as the user's identity. But I think we're thinking of the same concept and perhaps we were hung up on each other's way of referring to it.


All in all I think the privacy concerns are a red herring. The problem is it's just a dumb way to do security. But seeing it is for something most people don't bother securing effectively anyway, I don't really see what the big deal is.


I wasn't trying to make an appeal to paranoia. And yes, it's a bad way to go about security. I was simply talking about a different thing; that a digital signature for a fingerprint is all that would be required to track somebody even if their phone is off or not with them. There is no need to "reconstruct" the fingerprint itself. Which is what other comments seemed to be concerned about.

I'm not saying it is being done, or that a 3-letter agency is interested in creating such a database. But we still need to be vigilant so that it remains so.

In a time of diminishing privacy people should have the right to know exactly what's being collected about them. It's only fair that the expectation of decreased privacy goes both ways. If a corporation or government agency wants to know specific details about me, then I should be able to find out what specific details about me they know.

Reply Score: 3

RE[2]: Not an image. Ok...
by Flatland_Spider on Thu 12th Sep 2013 19:09 UTC in reply to "RE: Not an image. Ok..."
Flatland_Spider Member since:
2006-09-01

But they don't actually store fingerprints... So worst case scenario they are storing a hash of your fingerprint - which (if they do it right) cannot be used to determine the actual fingerprint that was used to compute the hash.


Presumably they're using a hash, but the article didn't state how they are storing the fingerprint data. It said they aren't storing an "image", so I erred on the side of ambiguity and used fingerprint to reference whatever data is generated and stored.

Of course, it can't be used to get the actual fingerprint. Fingerprint scanners work by creating graphs of features on the finger.

The point is Apple hasn't released any information on how this works, so it's an unknown black box.

Then there is the anonymity aspect. How easy is the fingerprint signature to reverse? Now there is proof who the phone belongs to.


Again, it should be mathematically impossible, and if it isn't the lawsuits will start flying like bullets in a drive by...


Reverse was the wrong word. I should have used replicate since I was contemplating how hard it would be for some law enforcement agency to tie people to a specific phone.

I don't see any reason why they would store incorrect fingerprints - it just doesn't make any sense at all to do that (on a technical or functionality level).


Evidence that people tried to access the phone without permission.

If the phone is stolen, the thieves would provide evidence that they were in possession of the phone. If the phone is a company phone, people who are trying to circumvent security policies would be logged.

You kind of agree with this at the end of your post. The negatives are just as important as the positives.

Reply Score: 3

RE[2]: Not an image. Ok...
by Lennie on Fri 13th Sep 2013 09:36 UTC in reply to "RE: Not an image. Ok..."
Lennie Member since:
2007-09-22

I really doubt it isn't a hash. Fingerprint reading isn't exact. Every read does not give you the same numbers. Not even ones.

So they store the characteristics of your finger print, something like coordinates of where features like mountains and valleys are.

Let's say you have a list of these features, that won't allow you to create an image of what your fingerprint looks like.

But it however would be enough to make a new fake fingerprint, though. So it doesn't matter.

Reply Score: 2

Not a great idea...
by JLF65 on Thu 12th Sep 2013 02:52 UTC
JLF65
Member since:
2005-07-06

So when the thieves steal your iPhone, they'll need to steal a finger, too, right? Don't think it'll happen? It already has with other items with biometric locks.

Reply Score: 4

RE: Not a great idea...
by Sauron on Thu 12th Sep 2013 04:24 UTC in reply to "Not a great idea..."
Sauron Member since:
2005-08-02

My thoughts exactly. They toughened up bank card security which led to more intrusive ways the criminals used to get what they wanted. They toughened up car security so there was no way it could be stolen without the keys, that led to burglaries so the f*****s could get the keys, some violent ones at that. Now wait for the violence to escalate and some poor sod have their fingers removed with a penknife and stolen along with their device.

Reply Score: 3

RE: Not a great idea...
by jared_wilkes on Thu 12th Sep 2013 04:36 UTC in reply to "Not a great idea..."
jared_wilkes Member since:
2011-04-25

If someone is about to cut off your fingers, touch your home button and give them the phone.

Likewise, presently, if someone is going to cut off your fingers or do anything mortally harmful to you to access your phone, give them your passcode and the phone.

If your phone contains something that is worth losing your fingers — or any other part of your body — for, do not get into situations where someone will cut off your fingers to get into your phone.

If you generally don't want to lose your phone or fingers, try to avoid or be prepared for situations where someone will cut off your fingers or steal a phone that is useless to them.

Try to be more self-aware, vigilant, and less stupid.

Edited 2013-09-12 04:40 UTC

Reply Score: 3

RE[2]: Not a great idea...
by Sauron on Thu 12th Sep 2013 04:56 UTC in reply to "RE: Not a great idea..."
Sauron Member since:
2005-08-02

Ha, there's always one! Do you really think any of that is going to stop a druggy arsehole? If so you need to get out more and see what happens in certain areas. None of it affects me, I don't have or want a smartphone and if I did I wouldn't touch anything made by Apple with a ten foot bargepole! I just feel for the poor sods that may come across this.

Reply Score: 2

RE[3]: Not a great idea...
by jared_wilkes on Thu 12th Sep 2013 05:46 UTC in reply to "RE[2]: Not a great idea..."
jared_wilkes Member since:
2011-04-25

Do you really think any of that is going to stop a druggy arsehole? If so you need to get out more and see what happens in certain areas. None of it affects me, I don't have or want a smartphone and if I did I wouldn't touch anything made by Apple with a ten foot bargepole!


Yeah, I can see why a "druggy arsehole" might want to cut off your fingers. I've had my fair share of experience with drug addicts and drug users and people willing to break the law or cause physical harm to get what they want... I feel confident in my ability to navigate the world without losing my fingers... without being paranoid... or a douche bag.

Reply Score: 3

RE: Not a great idea...
by ichi on Thu 12th Sep 2013 08:04 UTC in reply to "Not a great idea..."
ichi Member since:
2007-03-06

So when the thieves steal your iPhone, they'll need to steal a finger, too, right? Don't think it'll happen? It already has with other items with biometric locks.


They don't need to steal your finger: you are holding the phone with your hands, your fingerprints are already all over the device.

Reply Score: 4

No scientific basis
by unclefester on Thu 12th Sep 2013 05:22 UTC
unclefester
Member since:
2007-01-13

Fingerprints, biometrics, polygraphs, fibre analysis and most other forensic "techniques" (including many genetic tests) are quasi-scientific nonsense. They are not unsupported by any rigorous experimental data.

Reply Score: 3

fingerprints leads to bad security
by hakossem on Thu 12th Sep 2013 06:08 UTC
hakossem
Member since:
2005-07-15

There are three problems with fingerprints:
- privacy
- accuracy
- replication

Fingerprint identification is not done by comparing the pictures but by identifying a number of features of the fingerprint and testing them against the fingerprint that has just been scanned.
Apple doesn't need to store the pictures, just the features they look for in each fingerprint.

But they don't need to store the picture to have a security risk. Any security agency that scans for fingerprints uses similar algorithms. The question is: does Apple look for the same features as those agencies? If it is possible to make Apple's fingerprint database compatible with, let's say, the FBI database, we can assume it will be done if it isn't already.
Even if Apple uses only some of the characteristics of the agency, they might integrate it and use it.... or simply add a new comparison program to test the prints against Apple's database.
Even if Apple doesn't store the pictures of the fingerprints, we can be sure these databases will be available to US security agencies.

Accuracy is another problem. There are 2 kinds of accuracy problems.
The first is when the computer doesn't recognize you (false negative). This is the lesser problem, you just rescan your finger.
The other is when the computer recognizes you as someone else (false positive).
Experts at a tribunal do make many errors: 0.1% of false positives and 7.5% of false negatives (http://content.usatoday.com/communities/sciencefair/post/2011/04/fi...)
I remember that a few ago I read that laptops that had a fingerprint as password had around 1% of false positives and 1% of false negatives.
Even if Apple's system is good enough to have 0.01%, there is still a risk that it will recognize you as someone else. How does Apple ensure that you are not paying for someone else?

The last problem is that fingerprints are a password you leave on every item you touch. The fact that most people cannot read it doesn't mean that none can. In fact the method to reproduce a fingerprint is easy (just look at MythBusters). If you lose your iPhone, you need to assume that in the next couple of hours people will have duplicated your fingerprint and entered your iPhone.

My point is that using fingerprints to unlock a door, a computer or a smartphone is a bad bad idea

Reply Score: 4
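The two error-rate figures quoted in this thread (a collision rate of "1 in 10,000", a false-positive rate of 0.01% or 1%) mean very different things for a one-to-one unlock and for a one-to-many database search. The following is an added worked example, not part of any comment and not Apple's method; it assumes each comparison is an independent trial with the same false match rate, and the database sizes are constructed.

```python
import math

# False match rates quoted in the thread; database sizes are constructed.
RATES = {"1 in 10,000 (0.01%)": 1e-4, "1% (laptop readers)": 1e-2}
SIZES = [1, 1_000, 1_000_000]

def one_to_many(fmr, db_size):
    """Search one unknown print against db_size enrolled templates.

    fmr is the per-comparison false match rate, assumed independent for
    every template. Returns (P[at least one false match], expected number
    of false matches).
    """
    # log1p/expm1 keep precision when fmr is tiny and db_size is huge
    p_any = -math.expm1(db_size * math.log1p(-fmr))
    return p_any, db_size * fmr

def true_share_of_hits(fmr, db_size):
    """Fraction of the expected hits that is the real owner, assuming the
    owner is enrolled and is always matched (no false negatives)."""
    expected_hits = 1 + (db_size - 1) * fmr
    return 1 / expected_hits

def table():
    """One row per (rate, database size) combination."""
    rows = []
    for label, fmr in RATES.items():
        for n in SIZES:
            p_any, exp_false = one_to_many(fmr, n)
            rows.append((label, n, p_any, exp_false, true_share_of_hits(fmr, n)))
    return rows

if __name__ == "__main__":
    print(f"{'rate':22} {'db size':>9} {'P(any false)':>13} "
          f"{'E[false hits]':>14} {'true share':>11}")
    for label, n, p_any, exp_false, share in table():
        print(f"{label:22} {n:>9} {p_any:>13.4f} {exp_false:>14.2f} {share:>11.4f}")
```

A database size of 1 is the phone-unlock case; the larger sizes are the database-search case, where the same rate produces many candidate owners per query.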

shotsman Member since:
2005-07-22

I'd change your last point to

My point is that ONLY using fingerprints to unlock a door, a computer or a smartphone is a bad bad idea

Reply Score: 2

Lennie Member since:
2007-09-22

You do know what the problem is with biometrics?

When your identity is stolen, it becomes really hard to change it.

Reply Score: 2

Just enough knowledge of English
by Vinegar Joe on Thu 12th Sep 2013 06:37 UTC
Vinegar Joe
Member since:
2006-08-16

to look stupid.

"I dislike the characterisation of privacy "hawks", though. It reminds me of how warmongering politicians in Washington are referred to as 'hawks", and at least in my view, it has a very negative connotation."

Reply Score: 3

You don't have to cut the finger
by orsg on Thu 12th Sep 2013 07:40 UTC
orsg
Member since:
2011-02-09

The easiest way is to spot a glass you have been drinking from, take a strip of adhesive foil and you're done "reverse engineering" the fingerprint. Once you have it, it's trivial to create a "model" of this fingerprint, that you can just stick to your finger to spoof a fingerprint reader. The German CCC actually demonstrated this with the then current minister Schäuble.

And the problem is: Once you know a fingerprint has been compromised, you only have 9 fingers left. You cannot change them unlimited times like a password.

Edited 2013-09-12 07:41 UTC

Reply Score: 4

tylerdurden Member since:
2009-03-17

The process is far more straightforward: capture fingerprint from a surface with an adhesive device. Use the adhesive now imprinted with fingerprint directly on the biometric sensor. That seems to work remarkably with some systems. Although I presume that only works with sensors that are very simple and only have a 2D model.

Reply Score: 2

ichi Member since:
2007-03-06

Although I presume that only works with sensors that are very simple and only have a 2D model.


With 3D printers becoming affordable, if fingerprints as ID method becomes mainstream enough I'd bet you'd soon see specialized software to create 3D finger models out of a fingerprint scan, ready to be 3D-printed and used anywhere.

Reply Score: 3

Adurbe Member since:
2005-07-06

Trust me, as someone who is building a 3D printer. That problem is still quite far away! The current methods are not at the level of detail required for that. Give it a decade or so, then maybe.

Reply Score: 2

All I can keep thinking about is..
by siraf72 on Thu 12th Sep 2013 09:09 UTC
siraf72
Member since:
2006-02-22

...what a Privacy Hawk is?

Some sort of large scary noble raptor that goes for the eyes of anyone that messes with my privacy.

Possibly with a cape. And a badge or medal.

Reply Score: 3

Biometrics != crypto
by Alfman on Thu 12th Sep 2013 16:36 UTC
Alfman
Member since:
2011-01-28

I'm nitpicking the claim about not storing the fingerprints on the device. It may be literally true, and yet it will lead consumers to draw completely false and/or naive conclusions about the safety of their fingerprints. Biometric one way hashing is not really backed by the same mathematical challenges that are the foundation for genuinely strong crypto. A one way biometric fingerprint hash will never be cryptographically strong.


Firstly, there's the implicit tradeoffs with security and reliability due to the fact that unlike computer data, biometric data isn't *exactly* reproducible between reads. Therefore a considerable amount of fault tolerance has to be built in to decrease false negatives, which has the side effect of opening up false positives[1].

Secondly, fingerprints are not unique within the margins of error[2]. While odds of encountering seemingly identical prints is low, with billions of people on earth odds are very high that many or most of us will have fingers which match within margins of error (similar to a birthday attack where there's a ~60% chance that two students will share a birthday in a class of just 30). Even the FBI has been proven to have made mistakes in claiming an exact fingerprint match[3]. Algorithmically the biometric fingerprint hash could be vulnerable to generating arbitrarily numerous fingerprints at random (which will with very high probability "match" everyone on earth's within undetectable margins of error) and then build a reverse hash index to obtain fingerprint images from everyone's "one way hash" suitable for impersonation.


Thirdly there's so much redundancy in a natural fingerprint that one can reconstruct it in its entirety from a few minute samples [4]. This property makes fingerprint hashing fairly effective (it eliminates the need to store the entire fingerprint to identify it), but at the same time it makes reversing the hash nearly trivial due to the fact that a fingerprint doesn't contain enough entropy.

This isn't just a problem for biometrics, ALL mathematical crypto algorithms can be exploited when the input lacks entropy. Consider how even cryptographic hashes like sha1 and Windows password hashes can be reversed using personal computers depending on how predictable the hashed inputs were [5,6].



Of course, when put in perspective, a finger scanner is probably good enough for the vast majority of us whose data is worth less than the phone itself. Regarding vulnerabilities of one way hashes, common thieves will probably resort to less technical hacks anyways[7]. The real issue arises when biometrics become commonplace for banking and commerce, that's when a lost iPhone containing fingerprint hashes (and possibly cached bank details) could come back to harm the victim in a very big way.

Biometrics should only be used for casual or supplemental security. Today biometrics offers a bit of "security by obscurity", but mark my words as we transition to widespread biometric identification in the future, biometric data will show up on the black markets just like the credit card information sold there today.


1. http://lockstep.com.au/blog/2012/05/06/biometrics-must-be-fallible

2. http://lockstep.com.au/blog/2011/10/25/false-advertising-biometrics

3. http://math-blog.com/2011/09/20/are-fingerprints-unique/

4. http://www.cse.msu.edu/~rossarun/pubs/RossReconstruct_SPIE05.pdf

5. https://isc.sans.edu/tools/reversehash.html

6. http://www.openwall.com/john/

7. http://www2.washjeff.edu/users/ahollandminkley/Biometric/index.html

Reply Score: 5
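The trade-off raised in this thread (reads of the same finger never give identical numbers, so the stored data cannot be compared like a password hash, and the tolerance that replaces exact comparison lets strangers in) can be seen in a small simulation. This is an added example, not part of the original comments and not Apple's algorithm; the point format, grid size, noise level and match threshold are all constructed assumptions.

```python
import hashlib
import random

GRID = 256    # assumed sensor coordinate range
JITTER = 2    # assumed read noise: each coordinate moves by up to +/- 2

def make_finger(rng, n=12):
    """Constructed 'finger': n feature points (x, y); not a real minutiae format."""
    return [(rng.randrange(GRID), rng.randrange(GRID)) for _ in range(n)]

def read_finger(finger, rng):
    """One sensor read: the same features, each shifted by independent noise."""
    return [(x + rng.randint(-JITTER, JITTER), y + rng.randint(-JITTER, JITTER))
            for x, y in finger]

def exact_hash(points):
    """Password-style storage: SHA-256 over the exact coordinates."""
    return hashlib.sha256(repr(points).encode()).hexdigest()

def matches(enrolled, probe, tol, need=10):
    """Fuzzy match: at least `need` enrolled points have a probe point within tol."""
    hits = sum(
        any(abs(ex - px) <= tol and abs(ey - py) <= tol for px, py in probe)
        for ex, ey in enrolled
    )
    return hits >= need

def error_rates(tol, trials=300, seed=1):
    """Return (false reject rate, false accept rate) for one tolerance setting."""
    rng = random.Random(seed)
    rejects = accepts = 0
    for _ in range(trials):
        owner = make_finger(rng)
        enrolled = read_finger(owner, rng)
        if not matches(enrolled, read_finger(owner, rng), tol):
            rejects += 1          # genuine owner turned away
        stranger = read_finger(make_finger(rng), rng)
        if matches(enrolled, stranger, tol):
            accepts += 1          # unrelated finger let in
    return rejects / trials, accepts / trials

if __name__ == "__main__":
    rng = random.Random(7)
    finger = make_finger(rng)
    a, b = read_finger(finger, rng), read_finger(finger, rng)
    print("same finger, same SHA-256?", exact_hash(a) == exact_hash(b))
    for tol in (0, 4, 32, 64):
        frr, far = error_rates(tol)
        print(f"tol={tol:3d}  false reject={frr:.2f}  false accept={far:.2f}")
```

With zero tolerance the owner is always rejected; a tolerance wide enough to cover the read noise removes false rejects, and widening it further starts accepting unrelated fingers.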

TSA claims
by Brunis on Thu 12th Sep 2013 18:20 UTC
Brunis
Member since:
2005-11-01

TSA claimed their xray machines couldn't even store images, they were immediately discarded, yet somehow they ended up on the internet.

Reply Score: 3

It's about time
by fretinator on Thu 12th Sep 2013 22:09 UTC
fretinator
Member since:
2005-07-06

To give the new iPhone the finger.

Reply Score: 4

Tony Swash
Member since:
2009-08-22

This is an interesting video of fingerprint training on an iPhone 5s

http://youtu.be/GM2sZLLWHeI

Looks impressive.

Reply Score: 3

lifting prints from glass, etc.
by ezraz on Fri 13th Sep 2013 15:04 UTC

And if you believe that
by Luke McCarthy on Fri 13th Sep 2013 23:55 UTC
Luke McCarthy
Member since:
2005-07-06

You'll believe anything.

Reply Score: 2

Comment by ilovebeer
by ilovebeer on Sat 14th Sep 2013 17:01 UTC
ilovebeer
Member since:
2011-08-08

The next headline is going to read, "Apple keeps fingerprints but doesn't use them". After that it will be "NSA keeps Apple fingerprints but doesn't use them without cause".

And so on, and so on.... Like peeling an onion.

Reply Score: 4