Finger Prints Are Not Passwords

Dashrender

@MattSpeller said:

@scottalanmiller Fortunately my defences against that are hardened. I have a deep allergic reaction to fruity brands.

LOL - I follow this allergy too..

Dashrender

@scottalanmiller said:

@MattSpeller said:

@Dashrender I'm not sure how much I want a cached digital "signature" of my person to be floating around either (voice, face, etc)

And now Apple has started using your heartbeat to bio-recognize you too!

Again this is something that can be public information. I guess the reality is that we can't have any authentication tech that uses something about our being that can't be faked with enough time and advanced computers.

Passwords, public/private crypto, etc are the only things that can keep us some what secure from these hacks.

scottalanmiller

@MattSpeller said:

@scottalanmiller Fortunately my defences against that are hardened. I have a deep allergic reaction to fruity brands.

So here is the question, though, would you rather have no security at all (the Google watch approach) or have simple biometrics to at least keep casual people from grabbing your device when you aren't looking at the bus station? Is some security not better than no security?

And honestly, just because someone CAN hack in is no different than any security system. Having fingerprint or fingerprint + passcode on the phone AND heartbeat on the watch is a lot of security. Enough to thwart nearly any real world threat for real people.

scottalanmiller

@Dashrender said:

Passwords, public/private crypto, etc are the only things that can keep us some what secure from these hacks.

What does "keeps us secure" mean to you? Passwords are often easier to break than biometrics. Not always, but often. A lot of "it depends" that goes on, but for normal people, biometrics are way more secure even without trusted sensors. While biometrics are far from perfect, they aren't as bad as they are being made out to be here.

And don't forget, passwords are a form of biometrics.

MattSpeller

@scottalanmiller said:

So here is the question, though, would you rather have no security at all (the Google watch approach) or have simple biometrics to at least keep casual people from grabbing your device when you aren't looking at the bus station? Is some security not better than no security?

And honestly, just because someone CAN hack in is no different than any security system. Having fingerprint or fingerprint + passcode on the phone AND heartbeat on the watch is a lot of security. Enough to thwart nearly any real world threat for real people.

Call me one of the tin foil hatters if you must, but I don't trust any company with my bio-metrics. Worse yet, they all have two of the most key ones already (voice and photo).

scottalanmiller

@MattSpeller said:

Call me one of the tin foil hatters if you must, but I don't trust any company with my bio-metrics. Worse yet, they all have two of the most key ones already (voice and photo).

Yup, gotta call tin foil hat. I totally understand not wanting companies to have your biometrics. But here is reality - they have them. Now, it is your choice to either leverage them and make them useful to you too, or you can let them only be useful to others.

They have more biometrics than you think. They have heartbeat, typing patterns, word patterns, cadence and much, much more. Biometrics are everywhere. They are in when you wake up, when you sleep, how you sleep, when you post, how your eyes move, passwords over time, purchasing history, etc. Everywhere.

Biometrics are what allow other humans to recognize you and read your body language.

scottalanmiller

I got a security talk at a high school once over a decade ago (OMG!!) At the school there was real concern about letting the kids be "online" because the Internet was this scary place and the moment you were online you were at risk. Very tin foil hat.

So I gave a talk where I took a kid from the school (someone I knew had never used a computer, never been online, was 18 and knew his parents) and demonstrated that doing a search online for the name of the high school that in 180 seconds I went from school name, to a photograph of the kid, his full name, his hobbies and activities, his home address, aerial photos of his house, a map and directions to get to his house and a list of recommended places to eat along the way.

In fact, never being online himself he had made himself more of a target because he wasn't being aware and wasn't controlling anything about his online presence. And nothing that I produced was because of the Internet, it just allowed me to do it in under three minutes.

This, I feel, is the same here. We all know that avoiding the Internet doesn't keep us safe. Avoiding biometrics for your own use does not protect you either.

MattSpeller

@scottalanmiller So we should just blindly give out all our info? Trust no harm will be done? I'll pass on that and continue to be exceptionally careful about what new data of mine I introduce to the giant vacuum cleaner that is the interwebs.

scottalanmiller

@MattSpeller said:

@scottalanmiller So we should just blindly give out all our info? Trust no harm will be done? I'll pass on that and continue to be exceptionally careful about what new data of mine I introduce to the giant vacuum cleaner that is the interwebs.

See, that's the response that makes me feel you aren't seriously considering what all this means. Why would you blindly give out your info? And what exactly do you mean? Are you not using passwords with these same vendors? Why do you trust them "blindly" with one form of biometrics that they can trivially exploit and not another that they have no useful means of exploiting and can get whether you hand it out or not?

The thing you are reacting to, is exactly the thing that I feel like you are doing. Biometrics, like a fingerprint on my phone, means I am handing out LESS data, not more.

JaredBusch

@MattSpeller said:

@scottalanmiller So we should just blindly give out all our info? Trust no harm will be done? I'll pass on that and continue to be exceptionally careful about what new data of mine I introduce to the giant vacuum cleaner that is the interwebs.

The point you are missing is that the information is mostly already in the public domain. The internet just makes it easier to search for it. You do not have to physically go to 100 different offices and look up information.

scottalanmiller

And thinking of "the Internet" as a big scary entity just doesn't help. It's just a network. It is still individual companies storing data. And the big ones, like the government, are the ones that are least secure in most cases (especially in the US.) There is no security worse than imagined security, that's when dangerous things happen.

You just need to be realistic. Data about you is being mined. There is data that is highly useful to someone (like passwords) and data that is effectively useless (like your fingerprint.) Sure, if you are insane you can come up with ways to expose your data in ways that would make it easy to harm you. But that's not the cases we are discussing. Using your fingerprint on your phone to log in puts you at no additional risk. If you fear that Google is stealing that data - guess what, they can steal it whether you leverage it or not.

It's not about you sharing or not sharing, it's about you benefiting or not.

A Former User

@scottalanmiller said:

It is still individual companies storing data. And the big ones, like the government, are the ones that are least secure in most cases (especially in the US.) There is no security.

Where's Your data to back that up? Most of the Municipalities Networks are very secure. It's things like the NSA that think they are IT themselves and manage their own network as hackers (and miss lots of wide open doors) that are really at risk.

Dashrender

One benefit to not using fingerprint or retina, etc is that you can't be compelled to give up a password, you can be compelled to give up your finger/eye to unlock files.

In the US anyway.

Granted you need to use a GOOD password, otherwise assuming offline attacks can be done against your data, a shake of Azure and that baby will be cracked in days typically or less.

scottalanmiller

@thecreativeone91 said:

@scottalanmiller said:

It is still individual companies storing data. And the big ones, like the government, are the ones that are least secure in most cases (especially in the US.) There is no security.

Where's Your data to back that up? Most of the Municipalities Networks are very secure. It's things like the NSA that think they are IT themselves and manage their own network as hackers (and miss lots of wide open doors) that are really at risk.

Where have you found a secure municipality in the US? I've never even heard of a rumour of one, let alone a municipality that was secure at all. I've rarely found a municipality that even hires what we would consider real IT let alone high end IT needed for real security.

scottalanmiller

@Dashrender said:

One benefit to not using fingerprint or retina, etc is that you can't be compelled to give up a password, you can be compelled to give up your finger/eye to unlock files.

In the US anyway.

Yes, and I mentioned this earlier that the US has a specific law that breaks logical security that would otherwise exist. However, be aware that a judge could use the same biometric ruling to compel you to give up passwords as they are actually biometric - it all comes down to interpretation. Not nearly as likely, but in the US the law is what a judge decides it to me. And as there is already a notion of you have to give up "who you are", that your selected password is part of who you are is a logical extension of that.

scottalanmiller

@thecreativeone91 said:

@scottalanmiller said:

It is still individual companies storing data. And the big ones, like the government, are the ones that are least secure in most cases (especially in the US.) There is no security.

Where's Your data to back that up? Most of the Municipalities Networks are very secure. It's things like the NSA that think they are IT themselves and manage their own network as hackers (and miss lots of wide open doors) that are really at risk.

I worked for the senate and know that they used unencrypted, public, low end consumer services to pass around the high security passwords. No security, at all. Not even the slightest attempt at it. Since the government can't be sued, it doesn't care.

JaredBusch

@Dashrender said:

One benefit to not using fingerprint or retina, etc is that you can't be compelled to give up a password, you can be compelled to give up your finger/eye to unlock files.

It is not a benefit, you simply need to know how your devices works. I use the fingerprint sensor for convenience. But I know that I can be compelled legally.

Because of this, as soon as I go through the initial TSA checkpoint where I need my phone on to scan my boarding pass (yes I could not use my phone and go with paper...) I power cycle my phone and do not enter my password until I am done with security.

I do the same for any time I interact with any authority that has the right to take my device.

Edit: This is because iOS based devices require the password be manually entered after a power cycle. I have no idea how Android works.

scottalanmiller

@JaredBusch said:

@Dashrender said:

One benefit to not using fingerprint or retina, etc is that you can't be compelled to give up a password, you can be compelled to give up your finger/eye to unlock files.

It is not a benefit, you simply need to know how your devices works. I use the fingerprint sensor for convenience. But I know that I can be compelled legally.

Because of this, as soon as I go through the initial TSA checkpoint where I need my phone on to scan my boarding pass (yes I could not use my phone and go with paper...) I power cycle my phone and do not enter my password until I am done with security.

I do the same for any time I interact with any authority that has the right to take my device.

Edit: This is because iOS based devices require the password be manually entered after a power cycle. I have no idea how Android works.

yes, I love that feature. There is a VERY quick "off" button that lets you lock the device and keep people from compelling you to use the fingerprint feature. It would be nice if you could do something further, like use the wrong finger to perma-lock it too. But the power cycle trick is pretty fast and easy.

scottalanmiller

Also this makes it important to note that the fingerprint stealing issue (which was Android, not iPhone) would only work against an iPhone if you had the shim AND you did not have the device lose power. In theory you could keep it from ever powering off, but it is an extra level of security. If you leave your device somewhere and it power cycles, a biometric hack like the one in the OP would be useless. So that reduces the effectiveness of it.

MattSpeller

This has been an invigorating chat but I'm still against biometrics - I think the potential for abuse is astronomical.