Android P Will Encourage OEMs to Adopt Stronger Biometric Systems

Status
Not open for further replies.

InvalidError

Titan
Moderator
I personally don't care how strong biometrics are: no matter how good they are, relying on biometrics mean you can be strong-harmed into unlocking your devices against your will. With reasonably strong passwords only known to you on a secure device, your data is as safe as you are willing it to be.
 

mrjhh

Distinguished
Sep 18, 2007
31
0
18,530
INVALIDERROR - And you think a password is safe from a strong-arm approach? Passwords can also be captured from taking a video of you entering the password. This is why a strong authentication is recommended to have two factors from the three options of what you know, what you have, and biometrics. But, with strong authentication, bad guys look for weaker links, like someone at your bank who uses a password of abc123.
 

TJ Hooker

Titan
Ambassador
@InvalidError If an attack is willing/able to grab you, force your eye/face/thumb up to your phone and steal your device, I wouldn't put it past that person to just beat any password out of you instead if required. Unless you're including 'standing up to torture' as part of "as safe as you are willing it to be".
 

InvalidError

Titan
Moderator

I was.

With biometrics only, you have very limited capability of preventing forceful unlock and once your biometrics are compromised by whatever means, you can't change them either. With passwords or "things only you know", you have the option of taking your passwords and your data all the way to the grave if you want to.

Personally, I would be mainly concerned with warrantless searches. If police wants to break into my phone, I'll have them produce proof of plausible cause before I give them access.
 

randomizer

Champion
Moderator

I think this is the biggest issue with biometrics. They're convenient but they're basically static. It's comparable to using the same password everywhere and being unable to change it when it's compromised.


It's a nice option to have but in practice few people would take it. I only need one of your fingers to pass the biometric scan. I can use the other nine to extract the password from your head. :)
 

InvalidError

Titan
Moderator

For people who are mainly concerned about resisting warrantless searches, the torture option is generally not available to law enforcement in civilized countries :)
 


Not to mention in the US, you can plead the 5th on a password, you can not on a fingerprint. You can be forced to unlock your phone by finger print if it will. At least this has been the way this has gone down historically.
 

InvalidError

Titan
Moderator

Pleading the fifth only comes after you have been indicted and are facing possible criminal charges. With biometric unlock, police can perform multiple breaches of due process such as wrongful arrest, arrest under false pretense and warrantless search, then charge you of other stuff based on what it finds on your devices, then you have tons of extra accusations to deal with while building your violation of due process case to get the whole thing thrown out of court.

With a strong password, the police will have to prove just cause to want your devices decrypted before there are any consequences to denying access and you have a fair chance of not getting to the point of needing to plead the fifth. (At least not for reasons completely unrelated to your original arrest.)

Got to love how the privately run prison system in the USA has corrupted or is colluding with large chunks of the legal system to imprison as many people as possible for as long as possible for profit.
 
Jun 26, 2018
9
0
10
What difference does it make when all the CPU's in the market are plagued with security holes that allows hackers to steal passwords and encryption keys.
 

InvalidError

Titan
Moderator

Spectre and Meltdown may sound bad, but they are much harder to actually exploit in the real world, especially on single-user systems. To successfully compromise data with those exploits, you first need to compromise the system to install the malware. For single-user systems, this may very well never happen, rendering Spectre and Meltdown non-issues.

Once the malware is installed, the exploits can only compromise data as it is being processed by the CPU. On a server where thousands of transactions may be processed per second, the chances of a successful compromise are already low, just not low enough to be considered safe. On a single-user system where encryption keys and other similarly sensitive data is being processed once every now and then on a generally irregular basis, the chances of the exploit having exactly the right timing to piece the data back together is very low.

Also, since those exploits require intensive cache content and timing monitoring, there is a pretty good chance people would notice their CPU being pegged at 100% load across all hardware threads for no apparent reason.

For side-channel attacks like these, there is a fairly wide gap between an exploit being demonstrated in a controlled environment and turning it into a practical exploit in the wild.
 
Jun 26, 2018
9
0
10


Do you know that all Consoles in the market are already hacked ? Every one of them. and without the need of any modding. each one of them ... but it is not released to the public yet .

Intel and AMD should be ashamed of this. because there is no way to counter this until new CPU Designs come ..

Consoles will be in BIG trouble soon VERY SOON. and there is no way to protect the Consoles/Games Encryption now at all. All are open , from Nintendo to Xbox one X to PS4 Pro.

and there will be no fix .. nothing can fix it. they need another CPU.

And what makes me more angry , is releasing the info to the public. Why on Earth did they Release the info about the Specter and meltdown to the public ?

ALL Consoles hackers in China and Germany started using it from Day one After the info was released.
 
Status
Not open for further replies.