Apple Offers Additional Details on Touch ID, iPhone 5s Won't Store Fingerprint Images

[gnasher729]

Can someone please enlighten me on why people are so fussy about the NSA getting fingerprint data? What can they do with that information? It's not like they can even sell it to marketers.

There's a lot of paranoia going on.

If the police has your fingerprints in a database, they they could find you if your fingerprints are found at a crime scene. (On the other hand, I think the infamous Unabomber was found because the police found a fingerprint on a letter that he sent, which was found to belong to an employee at a copy shop where the paper had been purchased, and that led eventually to the bomber. )

I wouldn't really know what the NSA could do with my fingerprints. They might be able to forge evidence against me. But if they wanted to do that, surely they could get hold of my fingerprints in some other way.

Now even with all the paranoia, there are lots of things that should be done to prevent people spying on us. But with all the paranoia going on, and idiotic claims about what the NSA can do or does, that kind of thing gets lost in the noise.

 

[Bensalama21]

Didn't cross my mind. Guess i was asking for too much.

We will probably see it one day... I am sure they will invent a better remote in the near future for the iTV

 

[lilo777]

Nope. I've seen the sensor in action. It's fast. Much faster than 'swipe-tap-tap-tap-tap'. And much, much faster than 'swipe-tap-tap-tap-tap-tap-tap-OK' if you use an alpha numeric passcode. And, much, much, MUCH faster than 'shift-tap-tap-tap-altkeyboard-nextaltkeyboard-tap-mainkeyboard-tap-tap-altkeyboard-tap-tap-tap-OK' when authenticating an iTunes or AppStore purchase/download.

Even in the simplest case, it's absolutely faster, more convenient, and more secure.

We'll see about the faster part. The scanner does not add any security because you will still has the pin. If anything, having two ways to unlock the device creates more options for hacking (compared with he single option).

 

[Mr. Retrofire]

I don't get why people get so uptight about NSA. It's there to protect you.

The NSA protects the U.S. as an entity, not you as a single citizen. And certainly not, if you live abroad.

----------

explain yourself

If i have time for you, my dear.

 

[chairguru22]

You guys worried about the NSA are ridiculous...

If you are that paranoid, DON'T USE IT!

and don't go to Disney World either, they've been collecting finger prints: http://www.youtube.com/watch?v=zWfjLwdutGw

 

[daijholt]

I don't get why people get so uptight about NSA. It's there to protect you. If you aren't doing anything wrong then they have no reason to snoop on your data. Simple.

This has always been my opinion as well. I'd genuinely be interested to hear this position be proven wrong, because as far as I can tell, it can't be.

I'm happy for intelligence services to snoop on me, my phone calls and my emails, I'm not involved in anything seedy and as long as it helps keep terrorists or other aggressors away from the people I care about, they can carry on.

Granted, you could preach privacy laws and all, but try using the "but it's wrong to spy" argument on a psychopath bent on the destruction and death of millions of people. Ain't gonna fly.

 

[eoblaed]

im more concernced of getting mugged for my phone then having a pair of secateurs taken to my thumb!! hahahaa

The sensor is capacitive touch. A severed thumb almost certainly will not activate it properly.

 

[Mr. Retrofire]

The only way to know FOR SURE is to gain the knowledge and tools to examine the physical chips and connections.

Of course, even if you did find no possible way for this data to be captured by Apple or the NSA, something tells me that you wouldn't believe your own research, because Apple is inheritently evil.

No one knows all technical possibilities, not even you.

 

[eoblaed]

We'll see about the faster part. The scanner does not add any security because you will still has the pin. If anything, having two ways to unlock the device creates more options for hacking (compared with he single option).

Of course it adds security.

With only the passcode, it means I need to use that passcode every time I access the device. This means that anyone that's within sight of me can watch me type in my passcode ... or at the very least, the potential is there for someone to see you type it in. Once that happens, you've lost all control over who has that passcode.

With the fingerprint scanner, you could have 50 people standing around watching you very closely as you unlock your phone and it doesn't give them even the slightest ability to unlock it themselves.

 

[Battlefield Fan]

All I know is that it takes 4-5 seconds to home button + slide to unlock + passcode and even longer if you are using alpha numeric password.

Personally I unlock my phone ~50 times per day.

Saving ~4 seconds between slide to unlock and passcode is roughly ~200 seconds per day saved unlocking my phone or ~3 minutes. 3 minutes per day equates to roughly ~18 hours per year or more than $5,000 worth of lost productivity unlocking my phone.

That alone makes this touch sensor worth while.

So you make over half a million dollars a year? Roughly $575,00?!?!

 

[jimbles]

The thing about conspiracy and paranoia is that those terms are only really applicable when there's no proof to back the claims up, only conjecture. Apple HAS gotten in bed with the NSA, and leaked documents show that the NSA HAS made companies build backdoors into both software and hardware devices. It doesn't matter how encrypted these things are when the NSA holds the keys to decrypt it.

I can't believe that this is even a matter for debate, unless someone is so attached to a brand that they refuse to get their head out of the sand and admit to what is actually out there in plain black and white facts.

 

[mozumder]

Kinda stupid to worry about this when you can just get the fingerprint off the home button.

 

[Mr. Retrofire]

I'm happy for intelligence services to snoop on me...

...Granted, you could preach privacy laws and all, but try using the "but it's wrong to spy" argument on a psychopath bent on the destruction and death of millions of people. Ain't gonna fly.

You live obviously in a parallel world, consisting of fear, fear and fear. Thank god, that i live in the real world.

----------

Kinda stupid to worry about this when you can just get the fingerprint off the home button.

Breaking news: We live in a connected world.

 

[eoblaed]

This is going to be like Siri... People will use it for a few months - figure out it is just easier the old way and move on.

Even with simple passcodes, the fingerprint will be faster. No swipe and 4 taps. With complex passcodes, the fingerprint will be way more convenient.

And everyone seems to forget you can use it to authorize iTunes/AppStore purchases/downloads. This is a godsend. How many times have I been driving in my car, listening to pandora or iTunes Radio, hear a song I want to buy, hit the convenient 'buy' button, only to be presented with a password prompt that's just not practical for me to type in while driving. No longer a worry. For all my purchases, instead of typing in a 10 character passcode with all kinds of fancy characters, I just 'press' and done.

This is not a 'move on' in a few months piece of tech. This is significant.

 

[gnasher729]

I don't get why people get so uptight about NSA. It's there to protect you. If you aren't doing anything wrong then they have no reason to snoop on your data. Simple.

I don't know if this was meant to be sarcastic...

There's this well-reported case of a couple where the wife wanted to buy a pressure cooker, while at the same time her husband was interested in buying a backpack, and suddenly they had police in force on their doorstep...

Or let's say I'm just a curious person. I'm always interested in how things work and ask questions about all kinds of stuff. So when I hear that you can create a massive bomb using diesel oil and fertilizer, I google to find out how this actually works because I'm curious. There's nothing wrong with that, but with the NSA being paranoid I might be in trouble if I want to visit Disneyland, Florida, on my next holiday.

And you may know someone who knows someone who knows someone who is interested in terrorist activities. Actually, it is quite likely that you do. And that is apparently enough to make it legal to spy on you.

 

[portishead]

All I know is that it takes 4-5 seconds to home button + slide to unlock + passcode and even longer if you are using alpha numeric password.

Personally I unlock my phone ~50 times per day.

Saving ~4 seconds between slide to unlock and passcode is roughly ~200 seconds per day saved unlocking my phone or ~3 minutes. 3 minutes per day equates to roughly ~18 hours per year or more than $5,000 worth of lost productivity unlocking my phone.

That alone makes this touch sensor worth while.

That's interesting, but it appears it still takes ~2 seconds to unlock using touch ID. Still an improvement, and a lot better than several keystrokes. I can't wait to use it to bypass having to enter in my iTunes password. That is a pain.

 

[gnasher729]

Apple HAS gotten in bed with the NSA, and leaked documents show that the NSA HAS made companies build backdoors into both software and hardware devices. It doesn't matter how encrypted these things are when the NSA holds the keys to decrypt it.

And that, my friend, is nonsense. There are websites who put up that kind of information as headlines, after reading and completely misunderstanding articles about what the NSA does. Not that they are up to any good, but there are no leaked documents about any actual backdoors.

If you think otherwise, tell us where you got your information from. What the NSA _can_ do: If they manage to hack into your Windows PC (which is demonstrably possible), _and_ you use that PC to make unencrypted backups of your iPhone data, then they can read the iPhone data that is backed up on that PC. There are several very easy methods to avoid this.

 

[johncrab]

Fairly simple in concept. They are using fingerprints to derive an encryption key and the key is stored. Without the fingerprint, it is useless even if it is cracked or hacked. It needs the set of data points form the user's finger to decrypt the key and unlock the phone. Brilliant in its simplicity but I'd love to know how they carried it out. While there isn't anything that can't be hacked eventually, this would require extreme resources. Well done, Apple.

 

[jmann]

I don't care if the NSA has my fingerprint and neither should anyone else...unless you're planning on committing a crime.

 

[tripleg]

At this point in time both sides are tainted by past actions and people should be leery of any statement given by either Apple/NSA. PR rarely holds any grains of truth in it. Only way the public would know for sure is if another whistleblower comes forward.

 

[Rigby]

BTW, here's a blog post about fingerprint sensors in mobile phones by well-known security expert Bruce Schneier:

https://www.schneier.com/blog/archives/2013/09/iphone_fingerpr.html

 

[SpectatorHere]

For those who don't understand cryptographic one-way hashes, they cannot be reversed to produce the original data without a dictionary attack. A dictionary attack in this case would require a collection of actual human fingers or replicas of them to run through Apple's Touch ID to see which cryptographic hashes match the one stored on the device.

Also note, that their is a really really really small chance that two fingerprints will generate the same cryptographic hash. Cryptographic hashes by their very nature have LESS data than the source data for which they are hash. This means that the if the source data has potentially quadrillions of combinations that there may be only billions of values that they hash to (a one to many mapping of hashes to source data). More likely scenario is that your fingerprint hashes to the same value as a fingerprint that does not currently exist on the planet today and may never exist.

Think of a large 500-page book as a just a collection of letters, numbers, spaces, and punctation. You could pound on the keyboard and produce a book of random text or you could carefully craft an actual readable book. The hash reduces the book to a hash of say 500 characters which is generated in such a way that even changing a single letter in the book or the capitalization of a single letter produces an entirely different hash (cryptographic hash algorithms magnify any change to cyclically change other parts). Obviously, there is no way you could take 500 characters of data and regenerate the 500-page book (that would be the most amazing lossless-compression algorithm in the world, but also mathematically impossible). Because of this you cannot reverse it. You could however, run a hash on all books known to man to find the one that matches the same value (a dictionary attack). Finally, there is a possibility that two carefully crafted books hash to the same value, but it is far more likely that a book's hash would match some of the billions of permutations of random letters , numbers, spaces, and symbols that have never been bound into a book.

It is the same for fingerprint data. Your actual fingerprint could only be determined if somebody already had a replica of your finger in a database and could make Apple's Touch ID sensor generate the same hash from it. The worst somebody could do is break into your phone or prove that a phone did indeed belong to you. What's more, the odds of somebody else's fingerprint matching yours is like two monkeys pounding out the exact same content on a keyboard after an hour of bashing away at it. Either way, there is no chance of your fingerprint being cloned and used in other places to impersonate your presence.

All true, but who's to say they don't have a back door to grab the sensor data raw and read to another memory address space or pipe it right out?

I don't much see what the NSA would do with our finger prints anyway, they have a million other ways to link you to your phone, like oh say your phone number for just one of those...still, if they wanted your print, now they'll be able to get it.

 

[SilentLoner]

It's not called paranoid anymore.

This reply from an Apple spokesperson makes me more nervous, actually, because of its misdirection.
The distinction between a fingerprint and name correlation versus a "fingerprint data" and name correlation seems artificial.

If I get a phone that has this (likely) i will never turn this feature on.

Oh come on! Been on holiday outside the US? yep they will have your prints. Seriously its not hard to trace a place you have touched something. You gonna wipe everything you touch? Seriously.

 

[cclloyd]

I believe there is an optional tin-foil hat that you can purchase to help with this. (Sorry, not being mean, it was just hanging out there and I couldn't help myself).

Actually it's a custom built MBP case.

 

[smoking monkey]

Dear Apple, I'm sorry because I realise it's not really your fault, but I don't trust that the NSA haven't nobbled you, and nothing you have said so far leads me to… um think different, as it were.

Seriously? You conspiracy jobbies crack me up.

Get over it. They know all about you already as you've just posted NSA on a message board!!