Blah blah blah
Nobody who buys into the FSF has an iPhone, those who like to buy an iPhone couldn't care less about what the FSF has to say.
This is nothing more than one group trying to get publicity off another's launch.
The Free Software Foundation has taken issue with fingerprint recognition in the iPhone 5S and has called on users to reject Apple’s closed system smartphones. Executive director John Sullivan used the launch of the iPhone 5S and 5C on Tuesday to zero in on the iPhone 5S, the expensive iPhone variant that comes equipped with a …
They do have a point though. A universal fingerprint scanner that, in all probability will be stored within the US domiciled iCloud, either through backups or some other mechanism, that shady agencies can get access to for the slightest of reasons. They have an instant, convenient large database of fingerprints without the rigmarole of having to charge the users, data protection or that whole inconvenient innocent until proven guilty fad - it's all there, freely given up!
A year ago this would have been dismissed as tin-foil paranoia. Now, it doesn't seem that far fetched...
This! So very this. What people say about security and what actually happens aren't the same thing. Imagine:
1: They're plain lying and handing fingerprints to the NSA.
2: They hand a hash to their cloud (and thus the NSA) but it's a really weak one.
3: Their device security is weak and it's easy to get the fingerprints and/or their hashes off the device.
Plain-lying used to be the tinfoil brigade, but as we've seen, the weirdy beardies are kinda turning out to be correct.
You are quite right. There is only one answer to this: if you buy an iPhone 5S then I am afraid that the first thing an AppleStore will have to do is to use an acidbath to erase your fingerprints and use a blunt spoon to scoop out your eyeballs.
That way you will be completely and totally safe from the NSA, the Free Software Foundation will applaud you and bloggers all over the world will rejoice that someone had the strength of character to deny the nasty corporate dataminers their biometric data.
Of course the fact that the NSA has been storing your voice data from Siri for the past few years is by the by ... How do you think Snowden got as far as Moscow, if not by using Putin's voiceprint?
That specifically? No.
On the other hand they may be legally unable to reveal that all fingerprint data is sent straight to the government, because it turns out we do actually live in that sort of Kafka-esque world after all, with secret trials, secret evidence gathering, gag orders etc etc
By implication fingerprint verification is done in hardware on the A7 chip. How are your VHDL/Verilog reading skills? There's no such thing as a totally open system, and even as close as we get to it there isn't anyone who understands the whole system in its entirety.
And what happens to that inaccessible black box of fingerprint data when you trade in or lose your phone?
If someone is able to crack the black box and make a simple web tool (web tools seem popular), then what's stopping someone from thieving your biometrics straight from your handset? No need for snooping.
Not so improbable when you consider how easy it is to recover data from supposedly erased iPhones. I remember giving my sister my old 3GS after thinking I'd erased it, yet lo and behold she started receiving iMessages sent to me (they've patched that now, but took their time).
Sigh. But it's your fingerprints... You know what, if you lose your phone (even if it doesn't have a fingerprint scanner on it) there will be an easier, low tech method to obtain your print...
You know what... if you're so paranoid about your fingerprints falling into the wrong hands, why do you leave them everywhere?
It's fingerprints people, and you know, for now, that's of limited interest to most, if not all criminals....
What people are worried about are law enforcement, not joe criminal.
You know, if someone stole your iPhone or any nice glossy phone they could probably lift your fingerprints off the case anyway so why bother trying to crack into the security chip in the first place! The cops have been getting fingerprints in that way for decades!!! It does also beg one question, how secure is a fingerprint scanner when the fingerprints to unlock the device are probably all over the device in question?
If you've ever visited the US then the US government already has your fingerprints — all visitors are required to provide them at the border.
If you carry a mobile phone then you almost certainly already allow yourself to be tracked — probably you provided details of your identity to obtain the device but even if not then you can likely be identified by the contents of your communications.
As I've visited the US and carry a contract mobile, I seem already to have sold myself out. Something about locking stable doors jumps to mind. It'd be nice to believe that everybody else has managed to avoid becoming traceable but it sounds unlikely, so while I strongly ideologically support a stand against increasing biometric intrusion, it's likely a token gesture.
Seems like every other time I log on to, open or otherwise look cross at an Apple product I have to agree to some new license agreement. Nah, they'll ALWAYS only ever store it on the chip...until we change the license. "Oh come on, click on agree. You know you want to. What are you going to do? Give up your iPhone and use something else? Muwahahhahahahahahahah!"
Words are very precise. This does not mean the same as "cannot be accessed by NSA". Perhaps they're stored in signature form inside a chip inside a system with a dirty great back door, and the signature hash can be downloaded and added to the database by whoever. A big database of hashed prints might be every bit as useful as full scans, or maybe more so as it's already in searchable form?
The whole point is that we don't know.
@Steve Todd 14:41 said: you missed the bit where Apple said that fingerprint data would only ever be stored inside of the A7 chip and be accessed by their security API
And you obviously missed Obama overruling the ban of iPhone sales handed to Apple by the courts, weeks before Apple introduced a fingerprint scanner into iDevices? Coincidence?
They specifically said at the event that the fingerprints are only stored on the device and are NOT uploaded via iTunes or to iCloud.
So, just like the SSL people specifically said the certificates and encryption were never released... and now we find out that government agencies (e.g. GCHQ, NSA etc) can access "secure" SSL data through backdoor cheats built into the system specifically for that purpose.
If they can do it, they will do it. They are spooks after all.
Just a technical question - what is the quality/resolution/accuracy of these scanners? I saw one on a work laptop the other day, looks like a flat dimple that reminds me of the audio/tracking head in an old Betamax. Do you drag your finger down it or what? While the result might be biometrically "you" as opposed to "me", does it bear sufficient resemblance to a genuine inky paw print?
Well, you *shouldn't* store the fingerprint. That doesn't mean they don't - think of all the stories of supposedly professional services keeping plaintext passwords. And it doesn't mean the code is well-written - it could easily have a recent_scans cache that is more vulnerable than the identity data proper.
The new iPhone's two killer new features:
1) A bling new fingerprint scanner that the iTards will all obligingly scan their own fingerprints with in order to operate their new shiny... possibly or possibly not transmitting fingerprint images to god only knows who.
2) A bling new motion sensor circuit which remains on and actively tracking the iTard's movements at all times... possibly or possibly not transmitting the tracking data to god only knows who.
Methinks NSA might be "assisting" Apple's "innovation" department.
Apple have said it is locked in the fingerprint scanner subsystem never to get out. We have no way of verifying that. However I tend to believe corporations when they say things like that loudly and unequivocally. The reason being I used to work in a corporation and remember full well the often paranoid suspicions of customers about deliberate corporate malpractice and crafty screwing of customers that were invariably simply untrue. Also people outside corporations tend to think there is a cosy group of fat-cats at the top prepared to twist rules to get what they want. The reality however is that in any of the big corporations I've worked in, asking for some dodgy deal to be ratified by legal would simply be wholly unacceptable, there are too many people from too many walks of life, and too much in the way of the rule of law. It is highly unlikely Phil Schiller would say what he said, make himself a hostage to fortune, and tell porkies for the world and his colleagues to see if he didn't think what he was saying was true.
As to whether there is a back-door he might not be aware of though - with all the shenanigans the NSA has been up to, that's a quite different matter.
The corporate I worked for had a very bad name for a while (due to digging up all the streets to install network). And people always attributed the worst motives to everything we did. To be fair there were some pretty shoddy PR cock-ups, but that's the point, they were cock-ups and not conspiracy. Like the time one of our contractors digging up a road, hit a gas main and blew up a house. The company rushed out an apology and PR statement saying compensation would be paid, the house repaired to a state better than its previous condition and that the occupant would be receiving free cable for life. Only the statement was rushed out before checking who the occupant was. The Free Cable for life offer didn't go down too well with the press when it turned out the occupant was a 90 year old lady.
The point I'm making is that the press were attributing the worst and most cynical motives to the episode as though the company were trying to skimp on paying out, when the reality was it was pure cock-up. As though a large corporation with deep pockets, faced with those circumstances, would do anything other than say "we're really sorry, we'll pay."
"Also people outside corporations tend to think there is a cosy group of fat-cats at the top prepared to twist rules to get what they want." - "sponsored lobby group" and "party political donation" come to mind.
Oh wait? You meant break the law? Why bother doing that when you are big enough to exert pressure to ameliorate current legislation to your favour, or just be too big and important to knock down (hello ebooks pricing, I'm looking at you).
CNN is already covering the device as "IPhone fingerprint scanner will start security revolution".
money dot cnn.com/2013/09/11/technology/security/iphone-fingerprint-scanner/index.html?hpt=hp_t2
Ah, iSheep.
Can we PLEASE amend the classic phrase to "A fool and his money, plus his data and privacy as well as his rights to expect thereto, are soon easily parted".
I await the run on those pretty-shiny fruity stores by the great unwashed masses, looking for their next salvation in soul-selling technology. They have proven that they will gladly give away anything they own - including both their money and their life history - if only to acquire the next fashion trend.
I'm in the middle on this one. JDX and Steve Todd are correct in saying that a proper fingerprint reader doesn't store an image of the actual fingerprint. It takes certain specific points and uses them as the basis for a hash (equivalent to a really complex password). The worry that people have about having to get new fingers if the reader is compromised is silly - delete the old file, re-enrol the finger(s), and all is back to good, just like setting a new password. In addition, it makes no more obvious sense that the iPhone sends its fingerprint data anywhere in "the cloud" than does my Lenovo X61, or anything with a password entered the old way.
However, given the recent confirmation of what bastards the security agencies and various companies, especially the USA-ican ones, are regarding personal data, the very specific comment about where things aren't sent raises flags. It is hard to trust anyone at the moment, especially those with past form for being secretive - which defines Apple to the core (pun intended).
Exactly. If anything, the FSF's debate on this topic is simply not focused enough (as witnessed by the "blah blah blah" entry, above). If the FSF had said, point blank:
"Apple's new fingerprint scanner, in association with their closed ecosystem, guarantees that you will have NO audit trail to your personal and very private biometric data. Will you be able to tell exactly who has access to your fingerprint, and when??"
then people would understand the [serious] concern here. But they didn't, so people don't.
Fingerprint scanner + closed system access to users = "NO"
Yes, because on your open system, you audit every piece of code you install and your skills for detecting issues are beyond any hacker?
Open or closed makes no difference if you're not checking. Apple is closed, but they do check. Now, are their checks good enough, that's another story, but with a closed system such as Apple, at least someone is checking. How many unchecked 'droid apps get installed every day?
Even with 'droid (some of) the libraries that link the OS to the hardware have to be provided by the manufacturers, the OS only provides a framework, so you still have closed elements - I don't know of any manufacturer who publishes those libraries.
This really isn't a straightforward problem, except to say that you shouldn't carry a phone at all if any of this stuff is an issue for you. At the very least, don't buy an iPhone 5S; it's not rocket science.
>> How many unchecked 'droid apps get installed every day?
The point is not Android vs iPhone. The FSF are not coming forward as Android fanboys, and I'm sure they're aware that not everything is open about android either.
The point is that, in isolation, not comparing to other vendors, not making favourites out of anything else at all, the iPhone is a closed ecosystem and you cannot know what's going on there, and this is pretty much against everything the FSF think is right and good with the world.
Open systems at least *can* be audited, and you hope that with a fully open system (which I agree, android as it comes from a manufacturer is not either) then people have eyes on it.
"Open systems at least *can* be audited, and you hope that with a fully open system (which I agree, android as it comes from a manufacturer is not either) then people have eyes on it."
Christ! How many ordinary people audit anything of this nature? If somebody (FSF or otherwise) does it for us, can we trust them? If so, upon what basis?
But, more realistically, what about the reams of private information we send god-only-knows-where? I will give you two examples:
1) I live in France. My British passport needed renewal. I filled in all the bits of paper, and gave my mobile number for contacting me along with photos and such and such. None of this is unusual. What is unusual was that a few weeks following my application, my French mobile (not a number I give out freely) started to receive spam texts in English. While I cannot say absolutely that the passport service gave out my private contact details, it seems pretty coincidental timing. So, where is the audit trail here? I can be reasonably certain that the UK government is a load of spineless twats so they'll have sent the lot to the Americans; but was the information also left on a USB key on the Tube? Or did they have the nerve to charge more than the rest of the civilised world for a passport and sell my data? If so, how much of it? [PS that number expired two years ago, snigger snigger]
2) Ever fill out a census form? Where did you send it? What was done with that information? How can you be certain?
2.5) Ditto loan applications, job applications, etc etc. We spaffify personal data with alarming frequency and in many cases no audit trail is possible. In a world where it can be a battle getting access to all the data held on us, also getting access to what was done with this data and who it was shared with...well, that's just not gonna happen.
But, hey, rant about the iPhone instead if it'll make ya feel happier...