SoylentNews is people
SoylentNews
Wired is running a story of hackers claiming to have broken Face ID on the new iPhone X.
When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. A week later, hackers on the actual other side of the world claim to have successfully duplicated someone's face to unlock his iPhone X—with what looks like a simpler technique than some security researchers believed possible.
On Friday, Vietnamese security firm Bkav released a blog post and video showing that—by all appearances—they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking.
On a similar note Apple has repeatedly fought working with governments to unlock phones, if the police have a dead or detained criminal what is to stop them from just pointing the phone at their face and getting all the juicy data bits inside? Does Face ID *help* police/governments?
(Score: 5, Informative) by Justin Case on Tuesday November 14 2017, @04:53PM (10 children)
"Biometric" is not your password. It is your user-ID.
Still need something else for authentication.
(Score: 1, Insightful) by Anonymous Coward on Tuesday November 14 2017, @05:06PM (9 children)
"User ID" is just the portion of a password that a user seemingly doesn't mind being published widely.
(Score: 0) by Anonymous Coward on Tuesday November 14 2017, @05:14PM (6 children)
"Password" is just the portion of a user ID that a user seemingly wants to keep as secret as possible.
(Score: -1, Offtopic) by Anonymous Coward on Tuesday November 14 2017, @05:32PM
"I'm on fire! Everything's on fire! Save me, Jesus!"
- Steve
(Score: 3, Touché) by bob_super on Tuesday November 14 2017, @05:46PM (4 children)
"Password" is covered by the fifth, while "biometric" isn't...
(Score: 0) by Anonymous Coward on Tuesday November 14 2017, @06:09PM (3 children)
But what amendment protects this insane level of pedantry?
(Score: 2) by bob_super on Tuesday November 14 2017, @06:34PM (1 child)
The first.
(Score: 2) by Gaaark on Wednesday November 15 2017, @01:31AM
Why?
Who's on first?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Tuesday November 14 2017, @06:34PM
The anti-1st?
(Score: 4, Insightful) by darkfeline on Tuesday November 14 2017, @10:12PM (1 child)
Why is this marked insightful? This is wrong.
Identification != authentication
The purpose of an ID is to uniquely IDentify a user. If you need to refer to a specific user, you cannot say "the user with the password password" because we all know half of your users use that password.
Instead you say "the user with the username foo".
In the "real world", things that are often used for identification include national ID numbers, Social Security (*gasp* it's for identification, not authentication), driver's license number, and name+address.
The thing is, all of those have downsides, and using biometrics is really really good ID. Almost certainly unique when combining multiple types, no need for a centralized database.
Of course, identification != authentication. Don't use biometrics for auth, you lowlives.
Join the SDF Public Access UNIX System today!
(Score: 2) by Gaaark on Wednesday November 15 2017, @01:39AM
Except for computer systems that make you type in a username AND a password, the username CAN be almost like a password: you have to guess the username AND the password.
If you don't know that Gaaark username for his laptop is Unic0rnPr0n, you have to guess correctly both username and password.
I'd rather someone have to guess both than just use my face.
***Or, did I misunderstand your point?? Tired...might have.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 1, Insightful) by Anonymous Coward on Tuesday November 14 2017, @05:02PM (1 child)
Uh it's the same for the other easy methods like fingerprints.
You can use passwords or if you think you can get lucky that you'll be able to press the "cop sequence" so the phone requires a passwords .
(Score: 2) by frojack on Tuesday November 14 2017, @07:23PM
Swat tactics will almost certainly be updated to avoid head shots, and quickly search for a phone, and unlock it even before the perp is actually dead.
Faceid does time out after a few hours (I forget the details maybe overnight, IDK) so you have to be relatively quick about it.
Turns out
No, you are mistaken. I've always had this sig.
(Score: 4, Interesting) by quacking duck on Tuesday November 14 2017, @05:09PM
Apple was up front about how FaceID isn't good enough to distinguish between identical twins. No one with a clue ever claimed it to be a 100% bullet proof authorization system.
That said, it's also far superior to the latest Samsung Galaxy S8's version, which was famously cracked on day zero with a mere photograph. Samsung still hadn't fixed this flaw when the Note 8 was released six months later [businessinsider.com].
Insofar as the older TouchID required physically forcing a suspect to touch the scanner, and now with FaceID they can just point it at their face, sure, the police/government now have an easier time. On the other hand, quickly pressing the standby button 5 times disables FaceID (and TouchID on older phones), requiring the passcode to re-enable it.
Anyone thinking about harping on Apple have far more legitimate targets. Like that infamous 1+1+1=12 bug in iOS 11's default calculator app, which was known back in the v11.0 betas and still hasn't been fixed.
(Score: 0) by Anonymous Coward on Tuesday November 14 2017, @05:25PM (1 child)
WHOA
https://www.usatoday.com/story/news/2017/11/13/widow-says-she-got-closure-after-meeting-man-who-got-her-husbanmtouches-man-who-got-her-husbands-fac/857537001/ [usatoday.com]
(Score: 2) by tangomargarine on Wednesday November 15 2017, @03:54PM
I love how that URL comes really close to telling you the entire headline, has a seizure in the middle, starts over, then cuts out one letter before completing the last word to make it actually make sense. Bravo.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by EvilSS on Tuesday November 14 2017, @05:48PM
What is more interesting is this story where a woman's son is able to open her iPhoneX with his own face: https://www.macrumors.com/2017/11/14/face-id-spoofed-by-child-and-mask/ [macrumors.com]
(Score: 1, Informative) by Anonymous Coward on Tuesday November 14 2017, @05:58PM (2 children)
I guess this means they have to stop shooting people in the face. Talk about crimping their style ...
(Score: 2) by Justin Case on Tuesday November 14 2017, @06:06PM (1 child)
No, just use the stun gun you hate because movie cops don't use it. Then, when the "suspect" is down, use the unconscious face to unlock the phone.
Now you can blow their head clean off. In self defense of course.
(Score: 3, Funny) by Gaaark on Wednesday November 15 2017, @01:47AM
You just have to remember to turn off the bodycam first!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Tuesday November 14 2017, @06:11PM (1 child)
If you're concerned about it, just don't use those biometric functions. Use the good ol' password/pin and make it a good one.
(Score: 2) by frojack on Tuesday November 14 2017, @07:29PM
Given the frequency with which most people are in and out of their phones, no password is likely to be fast enough. They'd rather run naked.
Given the total disregard that millennials have for privacy, any password they use is likely to be very short and simple.
I wouldn't be surprised if Many just opt for words like "no".
No, you are mistaken. I've always had this sig.
(Score: 3, Insightful) by meustrus on Tuesday November 14 2017, @06:34PM (9 children)
The battle lines drawn for police vs. privacy are wrong.
We need the state, as part of due process, to have access to all evidence that exists. We need due process to make this access accountable to the public and limited to a narrow legal scope.
In service of this, police have the capability to open locks but may only do so with a court order. Why should electronics be any different?
In practice, however, this argument falls short for technical reasons. If the police had the ability to unlock any device, we do not have legal frameworks in place to prevent them from unlocking every device. If there is one lesson to be learned about computing, it is that there is no longer a meaningful difference in effort between doing something once and doing it billions of times. And in the name of counter-terrorism, the process of obtaining a warrant has become frighteningly less transparent.
Most importantly, however, no means have yet been devised for police to have controlled access to electronic locks in a manner similar to physical locks that don't fundamentally compromise the locks themselves. Let's face it: if I could lock my front door in a way that would-be burglars would definitely not be able to open, it would be irrational to sacrifice definite protection against such criminals to create privileged access for anybody.
Unfortunately, those that understand the implications of technology have thus far advocated for a world that shelters everyone's privacy in absolution, because we know that it is technically possible and we want our own activities to remain invisible. It's what a rational self-motivated person would want, but it's not what's best for society.
What is best for society would be a system in which we maintain all ability to protect ourselves, but an agent of the law can through transparent due process obtain all evidence that exists in the course of a single investigation. I don't see how this is technically possible, but it's what we need. Otherwise, our technology will lead us into a lawless world where power comes unchecked from concealable technological resources, leaving us all caught in the crossfire between increasingly invisible state agents and the already invisible agents of the criminal underworld.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by tangomargarine on Tuesday November 14 2017, @07:06PM (2 children)
It wouldn't be hard with PKI and key escrow. The problem is how trustworthy the government agent is who gets the copy of your key.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by meustrus on Tuesday November 14 2017, @11:14PM (1 child)
If you create a backdoor key, anybody can steal the backdoor key. If you create a backdoor key that applies to every single lock, stealing that one key becomes exponentially more valuable. The same goes for separate backdoor keys for every lock that are all kept in the same place.
Information security is about keeping secrets. The moment you have told anybody else, your attack vector expands to include theirs.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by tangomargarine on Wednesday November 15 2017, @03:52PM
Give the government agent your original key; there's no backdoor involved at all.
It's easy to do technically, it's just not a very good idea. At that point everything hinges on 1) the security of the government key escrow system, and B) how robust and trustworthy the process for obtaining permission to use the keys is.
Yup. But of course the point of this whole "secure backdoor encryption" nonsense isn't to make *us* more secure; it's to help the government get their greasy fingers into all of our data.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Tuesday November 14 2017, @07:17PM (1 child)
People destroy evidence all the time, so your argument kinda falls apart. There is almost never some safe containing all the incriminating evidence which is why we have subpoenas. If someone does not provide access for law enforcement when there is a legal subpoena then it does not go well for them.
Your comparison of physical and digital locks is ridiculous, all we will see is criminals using alternate methods to go about their activities while the average person loses privacy and can be easily targeted by the criminals you want to catch! Not only is it not possible, but it is not desirable. The biggest flaw in your thinking is presuming that law enforcement is always "the good guy". We have seen plenty of modern examples of this not being true.
(Score: 2) by meustrus on Tuesday November 14 2017, @11:24PM
That's why I don't have a solution. Creating backdoors solves nothing for this reason and just creates more problems.
To compare it to a physical lock: if the government mandated that every deadbolt accept the government's master key, average citizens would become less secure while criminals would use black market locks with no such restrictions. The metaphor actually works pretty well when properly applied.
And no, I do not presume that law enforcement is "the good guy". I presume that it is the designated agent of enforcing the laws that we have already agreed to. Appropriate oversight is necessary to keep law enforcement from becoming corrupt. But my entire argument does assume a lot about how the state functions which is not always true. Selective enforcement, minority disenfranchisement, and corruption are all serious problems, but they are outside the scope of discussing how law enforcement can best accomplish the job that they have been given.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 3, Insightful) by frojack on Tuesday November 14 2017, @07:34PM (3 children)
You started out wrong, and it went down hill from there.
There's absolutely no justification for the police to have all evidence that exists.
With that as your standard, there is nobody who is innocent. You've just called for a real world "Go to Jail, go directly to jail" card.
You, sir, are an idiot.
No, you are mistaken. I've always had this sig.
(Score: 2) by meustrus on Tuesday November 14 2017, @11:36PM (2 children)
That nobody is innocent is a fault in our laws, not a fault in the powers of law enforcement. It unfortunately leads to selective enforcement, targeted at people the police are already otherwise interested in.
But don't miss the "as part of due process" part of my argument. Due process does not allow anybody to broadly sweep all evidence of criminal activity. It only allows for a targeted search based on existing suspicion. And when there is an existing suspicion, the best way to prove whether that suspicion is correct or whether the police need to look elsewhere is if they can look at all evidence that exists.
But think for a moment about what you misinterpreted in my argument. Nobody wants to put everybody in jail. Who would pay taxes? Who would guard the prison? If law enforcement were truly omniscient, we would be having some interesting conversations about all those laws that are technically being broken but don't hurt anybody. We might even have the information to say for sure that certain activities currently illegal are good for society. Granted, we'd also have some serious corruption problems that would probably tank any real reform of our legal system pretty quickly.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by Gaaark on Wednesday November 15 2017, @01:54AM (1 child)
"Nobody wants to put everybody in jail. "
But there are people who may want to put YOU in jail: give them the power to, and it may happen.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by meustrus on Wednesday November 15 2017, @08:03PM
You're remarkably naïve to think that they couldn't already lock you or me away if they wanted to. The vast majority of evidence can already be obtained through warrants, and even if all they have is "reasonable suspicion" they can still use that to make your life unlivable.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 4, Insightful) by GreatAuntAnesthesia on Tuesday November 14 2017, @10:05PM (2 children)
For fuck's sake. On the whole I don't mind Apple, but one thing about them that really does piss me off is this:
As if Apple fucking invented it. IT'S NOT NEW! I have an HTC One Mini Two in my hand from about 2014 that unlocks with face recognition, and I doubt that was the first phone to do it.
I remember when I had drooling Apple fanboys in 2010 telling me how awesome facetime was and how awesome Apple was for inventing it, when I had already got bored of video calling on my old Motorola Razr 5 years earlier. And then there's iPods, which were of course the first ever mp3 players in the universe.....
Why is it then when Apple releases some feature on their products, the entire world goes suddenly gaga over it and wows at how new it is, while simultaneously going totally blind to all the other brands and products that have been doing the EXACT SAME THING FOR YEARS?
(Score: 4, Informative) by meustrus on Tuesday November 14 2017, @11:38PM
Mainly because Apple's design and marketing make it easy for normal people to understand how to do these things. Apple's business strategy has long been to be late to market with the easiest-to-use product.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 0) by Anonymous Coward on Thursday November 16 2017, @01:05AM
From a 2015 Popular Science article [popsci.com]:
From TFA:
Apple is doing 3-D. Sounds new to me.