Lohkee wrote:
Your snarkyness is really uncalled for.

For some reason, people who are hit with snark tend to respond with it.

Strange but true fact.

Lohkee wrote:

Wye wrote:
I merely think it borders on the absurd to comment on something nobody has physical access to yet.

I'm pretty sure there are patents one can read to understand how the device works without having one in hand.

True. Have they been examined by the people who have been mocking it here? If not, it's just as absurd to comment.

"Billy-Joe used one of them things once. Dint work a'tall."
"Was that the same model as this one?"
"Naw. Billy-Joe died back in 96. But it was the same darn thing, and it dint work."

Now, it might be the same-old-same-old technology, or have the same weaknesses--and it might not. Give it a couple of days in the field and see what you or other security experts can do with it in real life; or a few days for other specialists to examine the patents and look for flaws. At least then, there'll be some data, and not guesswork.

After all, the usual up-up-down-down-left-right-up kind of holes generally don't surface until a few hours after the product goes into widespread use. (Like the lockscreen hole.)

Jerry Nemeth wrote:

Fingerprint sensors have been around before iPhone 5.  All of our registers have fingerprint sensors which are used for the cashier to sign into the register.  I take their fingerprints and put them into the system.

My H.P. laptop have it too. I use it all the time to log in. Purchased this laptop 3 yrs ago brand new and is in mint condition today.

Kevin Connery wrote:
True. Have they been examined by the people who have been mocking it here? If not, it's just as absurd to comment.

well, yes and no. For those with a background in electronics R & D the answer is probably no, it is not absurd because one can make an educated guess based on their knowledge of what sensors are capable of and what the problems are, for example:

We can measure capacitance, pulse, oxygen levels, etc. The problem here is that all of these things can vary considerably depending on the environment and recent activity. I digress. The potential for false positives (or negatives) forces the engineer to make trade-offs with regard to how data from the sensor should be processed. Too sloppy and people will be unhappy because it doesn't work as expected. Too strict and people will simply not use it because, well, it's not very useful if it continually rejects legitimate users.

This is not a problem unique to Apple by any means. It has been the bane of bio-metric  identification and authentication devices (of all kinds) since they first came out. All of them have been beaten using low-tech inexpensive methods because of the aforementioned limitations.

So, time will tell. It is possible that they have indeed come up with something really different? Sure. Anything is possible, but it's not very likely. If the company that Apple bought really had something truly new (and unbeatable) I would think that it would be worth one hell of a lot more than 350M. All of those three-letter government agencies would be lining up at the door willing to spend a lot more than that

One thing I did find very interesting **if** it turns out to be true (and I strongly suspect that it is not), is that Apple is supposedly using the tip of the digit opposed to a regular (flat) print. That could make it one hell of a lot harder to snag someone's print from some object because of the way people tend to hold things. Sometimes a small simple change to an existing approach can be a real game changer. Of course it could also cause problems for the ladies after a trip to the nail salon

I'm sorry that you think people are mocking Apple's attempts. I, for one, am not. Nor am I suggesting by any stretch of the imagination that people should not buy an Iphone. As I said in an earlier post, most people will go through life with little or no security on any of their devices and never suffer any serious consequences.

Frankly, I don't really have a dog in this fight. The electronics and system-level programming chapter in my life is now (finally) over and I really like it that way. What's under the hood is no longer of any serious interest to me and I really don't give a rat's ass who makes my gear as long as it does what I want, works when I need it, at a price that I can afford.

My sole purpose in trying to contribute to this thread was to raise awareness with regard to the limitations of technology in general. Had it been some other company, I would have done/said the same as I firmly believe that the customer has a right to make an informed decision opposed to blindly accepting what the marketing department drones want you to believe. I don't see that as a bad thing. Even if Apple's Iphone security is circumvented, does this mean you should not get one? Nope. Not at all. It does mean that you might give a little more thought to what or how you store things on that device. That's all.

Strange as it may seem, I got a free Ipad thingy and, although the interface is really taking some getting used to for a life-long PC guy, I really kind of like it. If I can find an affordable plan, I will seriously considering getting an Iphone because, after playing around with my sister-in-law's for a bit, I really kind of like its interface and level of integration between apps as well. Of course, me being me, I will wait for a bit until the hype dies down and Apple has had a chance to iron out the kinks that are sure to arise with any new product. A good example of this is iOS7. One day after its release and security has already been broken.

NothingIsRealButTheGirl wrote:
They work with nipples

http://kotaku.com/lock-your-new-iphone- … 1360743607

ROTFLMAO! I wonder if the engineers ever considered that possibility. People, if anything, are most certainly creative.

"Honey, can you stick this on your boobie so I can make a call?"

Michael Bots wrote:
It would certainly a cost efficient method of collection --

Senator asks if FBI can get iPhone 5S fingerprint data via Patriot Act
http://arstechnica.com/tech-policy/2013 … triot-act/

"Under American intelligence law, the Federal Bureau of Investigation can seek an order requiring the production of "any tangible thing (including books, records, papers, documents, and other items)" if they are deemed relevant to certain foreign intelligence investigations. See 50 U.S.C. § 1861. Does Apple consider fingerprint data to be "tangible things" as defined in the USA Patriot Act?"

Given the government can compel the disclosure of data and passwords (or the encryption keys used to protect either) I think the Senator is asking a question that he really already knows the answer to.

Lohkee wrote:
A good example of this is iOS7. One day after its release and security has already been broken.

What??

j3_photo wrote:

What??

http://news.yahoo.com/big-ios-7-securit … 27537.html

j3_photo wrote:
What??

http://techcrunch.com/2013/09/19/ios-7- … l-sharing/

http://www.forbes.com/sites/andygreenbe … r-twitter/


and many more links via Google.

Tony Lawrence wrote:

http://news.yahoo.com/big-ios-7-securit … 27537.html

Fromt the articles "potentially"

from a commenter:
"Siri can be disabled from the lock screen by the user.
2. Control center can be disabled from the lock screen by the user.
3. Turning on Airplane mode does not open up security vulnerabilities in the iPhone.
4. Even if you *can* (*incredibly unlikely*) break into the iPhone before someone locates you using "find my iPhone" you still cannot restore the phone because of the activation lock feature."

It never ends from the haters lol

j3_photo wrote:
Fromt the articles "potentially"

from a commenter:
"Siri can be disabled from the lock screen by the user.
2. Control center can be disabled from the lock screen by the user.
3. Turning on Airplane mode does not open up security vulnerabilities in the iPhone.
4. Even if you *can* (*incredibly unlikely*) break into the iPhone before someone locates you using "find my iPhone" you still cannot restore the phone because of the activation lock feature."

It never ends from the haters lol

Man, that Apple dog whistle must be very loud. 7 has been broken (Apple has confirmed this and is working on a fix). What's the big deal? Haters? Get a grip man. It is what it is, and it will be fixed. No biggie. Happens to all vendors who roll out a new product.

ETA:

Question: How many times has M$ rolled out fixes for their security "fixes"

Answer Many.


http://techcrunch.com/2013/09/19/ios-7- … l-sharing/

http://www.forbes.com/sites/andygreenbe … r-twitter/


Translation: It's not an Apple issue nor is Apple immune from the issue.

Robb Mann wrote:
I think Apple learned their lesson with iMaps and Siri - no
More beta testing on users. I'll bet this is prime-time ready.

You might want to rethink your position -

http://techcrunch.com/2013/09/19/ios-7- … l-sharing/

http://www.forbes.com/sites/andygreenbe … r-twitter/



Just sayin'

Lohkee wrote:
Given the government can compel the disclosure of data and passwords (or the encryption keys used to protect either) I think the Senator is asking a question that he really already knows the answer to.

Oddly enough, a fingerprint is considered ineligible for protection under the 5th amendment.

A file protected by a password lets the owner avoid self-incrimination by not providing the password. A file protected by a fingerprint isn't eligible.

Don't know how long that'll last.

Lohkee wrote:
Given the government can compel the disclosure of data and passwords (or the encryption keys used to protect either) I think the Senator is asking a question that he really already knows the answer to.

Apple can't give the government something that it doesn't have.  Unless Apple has been telling rather bold lies this week, the fingerprint data never leaves the phone.

Lohkee wrote:

You might want to rethink your position -

http://techcrunch.com/2013/09/19/ios-7- … l-sharing/

http://www.forbes.com/sites/andygreenbe … r-twitter/



Just sayin'

Apple is still by far the most stable and secure mobile platform out there, baring possibly RIM, who has found other ways to render itself irrelevant to any but the most paranoid.

Apple is the leader. The king of the hill. The big cheese. The head honcho. Want proof? Look at how aggressively the hacker & hater communities have responded to a simple evolutionary change in the iPhone. Every post you make proves my point more.

Kevin Connery wrote:

Oddly enough, a fingerprint is considered ineligible for protection under the 5th amendment.

A file protected by a password lets the owner avoid self-incrimination by not providing the password. A file protected by a fingerprint isn't eligible.

Don't know how long that'll last.

Well, one appellant court says yes, and another says no, so probably just long enough for the scotus to weigh in. Who knows?

Robert Lynch wrote:

Apple can't give the government something that it doesn't have.  Unless Apple has been telling rather bold lies this week, the fingerprint data never leaves the phone.

I see no reason why Apple would lie about something like that as it would likely be uncovered at some point. I wasn't really referring to apple; rather the individual. Apparently, we now have two appellant courts which have come to opposing conclusions. I suppose that the scotus will have to sort it all out.

Robb Mann wrote:
Every post you make proves my point more.

I'm not sure how on earth you arrived at that conclusion, but whatever trips your trigger I suppose.

ETA: I think you misunderstand where I'm coming from. Who introduced the technology is of little interest to me. I neither like or dislike Apple (well, that's not quite true. The more I use my Ipad gizmo – the first Apple device that I have ever owned - the more I like it. I am most impressed with the battery life. No matter how much I seem to use it the battery has never gone below 75%). My interest is in the print recognition technology per se. Nothing more. Is it really a game changer or a lot of marketing hype?

If proven to be easily bypassed, would this prevent me from getting an Iphone? Not at all. At most it would probably make me consider a little more carefully what I was willing to store on the device. That's about it. Without definitive data one way or the other, I consider the print reader to be more of a user convenience than a meaningful security device (That opinion could obviously change considerably as more hard data becomes available or if Apple decides to open it up to other applications).

Lohkee wrote:
Chuckles: For all of my talk about this (security) chapter of my life being closed, and how much I like it that way, I guess that old dog whistle keeps a callin' and I still fall for it on occasion 

We do live in interesting times.

Most of us really don't stand to lose much anyway if our phones are compromised. Most of us aren't dumb enough to have our banking passwords on there, our SS number, or things that will really hurt us a whole lot. If you lose your phone some opportunist might manage to run up a huge long-distance bill calling all their relatives on some other country or something, but we'll recover from such an incident.

The much more serious threat of course is the government. We've seen that the government does indeed use the full weight of their resources (NSA, IRS, FCC, and other agencies now) to ruin people and groups based on their political orientation. The public has decided to accept this sort of behavior, so it's currently being expanded and made a permanent part of life. Currently terrorists (and other big-time criminals) can still use their electronic devices without worry, since as we saw with the Boston Bombers, Nidal Hassan, Times Square bomber, and several others, the government isn't concerned with those people. All the government's resources are aimed at political "enemies".

There's little to nothing one can do to avoid being caught up in the government's net in this way, except to simply avoid using these devices all together. Don't bring your GPS enabled device to political meetings, don't discuss your  beliefs via the Internet or the telephone channels. Do everything in person. I understand that the half of the country that supports the current leaders isn't concerned by this sort of thing, but they should be reminded that the political pendulum ALWAYS swings back in the other direction. It's just a matter of time. Since this sort of wholesale use of spying and harassment is now completely acceptable, it's here to stay. It's not inconceivable that a government which is on the other end of the spectrum could take over, and could be just as corrupt as the current one, in which case it would shift its sights to the other groups and ruin their lives in a similar manner.

We're entering new and dangerous times since we have opted to give government this level of power over us. Low-tech solutions (i.e. avoiding electronic communications for doing anything serious) will be the answer for people who at any point in time are on the wrong side of the political fence.

Wye wrote:
If they can document it from start to finish then it looks like that's that.

Though I think that, for the huge masses of people who don't bother securing their phone because of the so-called inconvenience, the touch id will be an improvement.

Strangely, I agree with both of your comments. Maybe planetary alignment or something

I will say this – CCC is not a bunch of script-kiddies. They have a lot of very serious talent and are not given to making false claims. I would be very surprised at this point if they could not deliver the required video (unless the whole thing is an elaborate hoax - in which case I would really hate for the CCC to come after me looking for revenge).   

Wow, one day to break the security of iOS7, and two days to break the thumb print reader. Very impressive if nothing else. I wonder if Apple can get a refund on their 350M?

I feel vindicated.

** does a happy dance **

Robb Mann wrote:
Well, with a 4-digit pin or that swipe-thing android does all someone needs to do is look over your shoulder to steal the passcode for your phone. The amazingly simple method CCC concocted can be easily done in about an hour by any well-organized group of well-supplied and equipped theives. Far easier to steal a pin by shoulder surfing.

Well, yeah, except that you really don't need to be well organized or equipped. A lot of people probably already have everything needed - which is the beauty of it all.

Robb Mann wrote:
The fingerprint scanner may not be failsafe, but is is much better than anything else available.

Not really when you take into account that their "new generation" reader is easily defeated by a very old and low tech attack. Not only is it not failsafe, it's not even particularly that good (from a technical perspective).

I would agree that if it is true most people do not bother to passcode their phones, this is probably a big leap forward in that people will probably try it out of curiosity and then keep on using it for no other reason that they can't be bothered to disable it as using it will just become second nature. Basically, it will fade into the background and they won't even think about it. Given the alternative of having a totally unprotected phone IMHO this is an improvement (of sorts).

Also, I think it important that we keep in mind that Chaos has not yet provided the required video to claim the prize.

photoimager wrote:
Another report on the hack success:
http://www.bbc.co.uk/news/technology-24203929

Maybe, the people who were adamant about Apple's technology being beyond this and doing things like sensing a pulse in the finger will have their blinkers removed.

Please consider the post directly above yours. If the test parameters are flawed as I have suggested, the thumbprint reader **may**, in fact, not be broken at all. I'm keeping an open mind until I see someone use a fake print **other** than the person who registered the original.

Another issue that people may not appreciate is that the security researcher has the home court advantage (and then some).

Suppose that Apple's tech can be defeated in the manner suggested by Chaos. This does not necessarily mean that it is a viable real world attack. As a researcher, I get to control the environment. It is one thing to create a nice clean print and replicate it to bypass the reader as I know what part of the print was registered. The younger folks seem to be amazingly flexible these days. Many hold their phone in one hand and navigate with their thumb (jebus, just watching them text is a sight to behold –  Who ever heard of typing with your thumb fer christ sake? Hell, I'd get a hernia if I even tried to do what appears to be second nature for them). I digress. This suggests that it may be more likely that the side of their thumb would be registered as the print to unlock the phone. Because of the way people hold things, like glasses, stealing a usable print might be damn near impossible. So yes, the reader might well be broken in the technical sense, but this does not necessarily mean an attack conducted in a controlled environment is really all that viable in the real world.

I have demonstrated many attacks, the apparent ease of which, sent management types into a freaking tailspin. The thing is, most were really not a very big deal. It's one thing to launch a successful attack, and quite another to be in a position where you can actually launch it. In all honesty, calming freaked out management types was often far more difficult than designing and demonstrating the actual attacks 

Lohkee wrote:
If the test parameters are flawed as I have suggested, the thumbprint reader **may**, in fact, not be broken at all.

Hacked is hacked, irrespective of the parameters. Yes, there are some things and resources that these people have that your standard 'man in the street will have access to. However, that does not change hacked into not hacked.

photoimager wrote:
Hacked is hacked, irrespective of the parameters. Yes, there are some things and resources that these people have that your standard 'man in the street will have access to. However, that does not change hacked into not hacked.

Apparently you did not understand what I was saying. I'll try it again. If Apple is somehow measuring something other than a simple image of the print, then having the same person who registered the print use a fake print to bypass the device is a flawed test. The parameters are indeed critical (for a valid test). So, no, you are dead wrong. Hacked does not necessarily mean hacked.

photoimager wrote:
Hacked is hacked, irrespective of the parameters.

Negative. If, as Lohkee points out, the real registered user is "recognized" by reading other biometric data through the "hack media", then that's not a hack, but a fail of the test...

joeyk wrote:

Negative. If, as Lohkee points out, the real registered user is "recognized" by reading other biometric data through the "hack media", then that's not a hack, but a fail of the test...

Exactly!

joeyk wrote:

Negative. If, as Lohkee points out, the real registered user is "recognized" by reading other biometric data through the "hack media", then that's not a hack, but a fail of the test...

Perhaps the phone detected the guy's aftershave or something.