Finger Prints Are Not Passwords
-
This has been an invigorating chat but I'm still against biometrics - I think the potential for abuse is astronomical.
-
@MattSpeller said:
This has been an invigorating chat but I'm still against biometrics - I think the potential for abuse is astronomical.
Again, how can this be abused?
First, if I set up an Apple iPhone 6, Samsung Galaxy (whatever), and a Sony Experia with my authorized fingerprint scan.
Second, assuming that the same man in the middle shim was able to be put in place on all three devices.
Third, the hash of your fingerprint will not be the same, the stolen hash will only work on the original phone.Biometrics are not any more or less secure than anything else.
-
@MattSpeller said:
This has been an invigorating chat but I'm still against biometrics - I think the potential for abuse is astronomical.
Okay, being against them as a concept is fine. But not using them makes no sense no matter how much you fear them conceptually. You have to channel the fear into something practical, not into hampering yourself while not protecting yourself.
I agree, there is big potential for abuse. But pretty much all of that potential is around governments and what they allow to be done with them. We could have the same fear about anything. What if the government decided that your password was an ID and anyone using your password qualified as you?
The fear is real. But I think that the reaction to it is the issue - how does your reaction help protect you from the thing that you fear? It's a bit like fearing drowning so refusing to eat fish.
-
@JaredBusch said:
Again, how can this be abused?
Your scope is too narrow and short term. I'm not concerned with today's phones.
@scottalanmiller I have no fear about these things, I am simply thinking longer term. There is no substantial gain to using these technologies at present (at least I've yet to see how they are any more secure than a decent password, maybe I've missed that). I'll wait a while and watch and see.
A concern that, while I confess is an outlier, is that these companies own that data. Is it so difficult to imagine a scenario where your personal data would be sold to the highest bidder? Despite all promises for decades by that company?
-
@MattSpeller said:
@scottalanmiller I have no fear about these things, I am simply thinking longer term. There is no substantial gain to using these technologies at present (at least I've yet to see how they are any more secure than a decent password, maybe I've missed that). I'll wait a while and watch and see.
You see no substantial gains to be had because you are looking only from the value perspective of enhanced security, not increased usability. I thought a finger print scanner was the dumbest thing until I ended up with an iPhone that uses that. Now I realize that it is just about the best thing ever added to a phone and simply will not buy a phone without it anymore and have considered upgrading my iPad based on no other need! Once you have "always locked / instant on" devices, you realize the value of a "presence based unlocking" system like people used to try to do with badge proximity sensors.
It's not about "more" security. Phones are not highly secure devices. It's about more useful security. I now lock my device, I didn't used to, because it was too cumbersome to unlock. The security gains for me have been huge, as they are for a lot of users.
-
@MattSpeller said:
A concern that, while I confess is an outlier, is that these companies own that data. Is it so difficult to imagine a scenario where your personal data would be sold to the highest bidder? Despite all promises for decades by that company?
So, just to be clear, you are fearing that these vendors are stealing your biometrics today and will then sell that stolen data (a sale that could put people in jail since hacking is a massive offense and that's what we are discussing) to someone who will then use it to do illegal things with your identity?
-
I get the fear that all these companies are actively stealing data off of your phones. I doubt that they are, but they might be. But stolen personal data is a pretty risky thing to sell. That I see as a pretty extreme fear.
Not that it wouldn't happen. But to be clear, I see this as a lesser or at least equal fear to these companies directly harvesting all private data, including passwords, off of your phone and selling them. So unless you also are unwilling to use passwords, I'm unclear as to the concern. Your passwords, passwords style and password patterns are biometrics just like your fingerprint. You can try to change them over time, and can more easily change them than your fingerprints, but the value of selling a password is thousands or millions of times higher than selling your fingerprint (for now.)
So if you fear this behaviour, wouldn't using your fingerprint be the logical response to that fear rather than the thing to avoid?
-
@scottalanmiller For the difference of a few seconds I'll keep using a password. As to who owns what etc, I'm curious enough to go find out. I will report back later with my findings.
-
@scottalanmiller said:
Where have you found a secure municipality in the US? I've never even heard of a rumour of one, let alone a municipality that was secure at all. I've rarely found a municipality that even hires what we would consider real IT let alone high end IT needed for real security.
Just because you've never seen them or worked for them doesn't mean they don't exist. You make a lot of blanket statements without knowing the facts. I guess we should all just quit our govt jobs and go work at the local fast food chain as we aren't IT pros in Scott's book.
-
@scottalanmiller said:
I worked for the senate and know that they used unencrypted, public, low end consumer services to pass around the high security passwords. No security, at all. Not even the slightest attempt at it. Since the government can't be sued, it doesn't care.
Only the Federal Government Can't be sued. You can infact sue local governments and many state governments.
-
@MattSpeller said:
@scottalanmiller For the difference of a few seconds I'll keep using a password. As to who owns what etc, I'm curious enough to go find out. I will report back later with my findings.
But why, what's the benefit? Sure, it costs you a few seconds, everytime you use the device. But you've not explained the downside to the fingerprint. If they are going to steal it, it's already gone. If they aren't going to steal it, isn't to your benefit. Where is the additional risk?
-
@scottalanmiller said:
If they are going to steal it, it's already gone.
I'm curious how you got to there
-
@thecreativeone91 said:
@scottalanmiller said:
Where have you found a secure municipality in the US? I've never even heard of a rumour of one, let alone a municipality that was secure at all. I've rarely found a municipality that even hires what we would consider real IT let alone high end IT needed for real security.
Just because you've never seen them or worked for them doesn't mean they don't exist. You make a lot of blanket statements without knowing the facts. I guess we should all just quit our govt jobs and go work at the local fast food chain as we aren't IT pros in Scott's book.
I didn't say all. I said the US had a lot of security issues in government - which is obviously the case since few government jobs pay anywhere near median. Are there exceptions? I would assume. Are there people doing government jobs because they feel that they should donate their skills? Presumaly somewhere. But that some are secure or might be secure or could be secure does not mean that the average is.
I've worked in government, it's the least secure thing I've ever seen. I've worked for a lot of different types of government. And I know tons of people who won't work in government, generally due to the income reasons. Tons and tons of the industry won't accept those jobs.
If you have some examples of outstanding government security, that's great. I didn't supply any blanket statement. But I provide examples that I knew, have many examples I did not supply, and only stated that in my experience I've never heard anyone make the claim that any municipality was providing adequate security. They might be, but I've not seen it and you are the first I've seen defending how governments do IT in the US.
-
@thecreativeone91 said:
Only the Federal Government Can't be sued. You can infact sue local governments and many state governments.
You can sue your state? I knew that the Fed can sue a state, and they do constantly. I was not aware that there was any way to sue a state. Or that that would be state by state, I would assume. I've had local judges break the law and I've had no recourse. But NY is extremely bad in that regard. Might be a local problem.
-
@thecreativeone91 said:
I guess we should all just quit our govt jobs and go work at the local fast food chain as we aren't IT pros in Scott's book.
To be fair, I actually did this. New York tried to hire me when I was getting back into IT. It wasn't fast food anymore, it was working a hotel front desk which is slightly better (I've done both, so that's an honest comparison.) But the money was about the same, the job was just cleaner and nicer. I had to work overnights and swing shifts. But the jobs with the state were so bad that I turned them down to keep working the hotel because they only thought of IT as being on par with fast food work based on their pay scales. So while I didn't say to do this, I did actually live this advice and I honestly believe that failing to have done so would have crippled my career. I was far beyond the careers of the people who tried to hire me within six months - and they had many years just in their state jobs alone and I was effectively starting from the bottom.
There are thousands and thousands of government agencies in the US. Some must be good. But I think it sounds pretty surprising to hear that you feel that any percentage of them have the necessary will or capability to address security well.
Working with some municipal governments, many that I have worked with have no IT whatsoever and use whatever free or cheap resource they can find to patch things together. They get grants to buy equipment but never spent money on governance. No security oversight at all.
-
@MattSpeller said:
@scottalanmiller said:
If they are going to steal it, it's already gone.
I'm curious how you got to there
You are assuming that theft will occur because you decided to leverage a feature. Why? That makes no sense. You are assuming that the thief is in your house but only steals your TV if you've been watching it. That's not how it works. If you are assuming that the thief is in your house (is on your device and has access to the biometric scanner) then he is going to steal your biometrics whether you chose to use them or not. Unless you are pressing that button with gloves on or otherwise avoiding letting the scanner see your fingers.
-
What timing...
-
@mlnews so much better with moustaches lol
I actually did a bit of reading, apparently it's stored independently on a separate chip. According to Apple's specs it's reasonably secure. I'm still really uncomfortable with this technology and I'll opt out.
From your post below, how do I avoid biometrics? By not purchasing/using any devices that use them
-
@MattSpeller said:
From your post below, how do I avoid biometrics? By not purchasing/using any devices that use them
What phone available today, for example, does not use them? Nearly every sensor on a phone collects identifying biometrics of some sort. Even your desktop keyboard does that (there are systems that use your typing patterns as biometric passcodes!!)
Fingerprints are just the ones that we talk about. But the amount of identifying information collected by all computing devices is staggering.
-
@scottalanmiller said:
What phone available today, for example, does not use them?
Almost all expect the Newest iPhones. Voice Command, And predictive text both can be turned off. Very few android and no windows phones have finger print.
