LWN.net

Security quotes of the week

The NSA's actions are making us all less safe. They're not just spying on the bad guys, they're deliberately weakening Internet security for everyone—including the good guys. It's sheer folly to believe that only the NSA can exploit the vulnerabilities they create. Additionally, by eavesdropping on all Americans, they're building the technical infrastructure for a police state.

We're not there yet, but already we've learned that both the DEA and the IRS use NSA surveillance data in prosecutions and then lie about it in court. Power without accountability or oversight is dangerous to society at a very fundamental level.

Bruce Schneier

iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC [Chaos Computer Club] team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.
Chaos Computer Club breaks Apple's much-vaunted TouchID fingerprint unlocking feature

Security quotes of the week

Posted Sep 26, 2013 17:07 UTC (Thu) by dvdeug (subscriber, #10998)

As for the iPhone, bah. The face unlock on my phone can probably be beaten in a similar way; I look at the phone at an angle and can see the smear left by the swipe unlock. An actual password is surely stronger, assuming no camera is watching when I type it in. Maybe someone paranoid enough can hide the phone completely every time they type in their password, but most of us aren't going to look that silly. Elcomsoft claims they can crack the encryption on iOS 5 with a 6-digit PIN in 22 hours; you want to type in a 9-digit PIN every single time you open your phone?

There are people out there who need this level of security. For most of us, securing the phone against the government or the CCC is a farce. We're simply not going to curl up into a little ball and type in a 9-digit PIN every time we want to use our phone.

Security quotes of the week

Posted Oct 3, 2013 2:33 UTC (Thu) by eternaleye (guest, #67051)

There _are_ nice, simple ways to improve the security of unlocking a phone; there's even a nice article in Forbes with a link to a research paper about it: http://www.forbes.com/sites/andygreenberg/2011/06/03/andr...

I'm particularly fond of the one that arranges the buttons vertically like this:

[ 1 ]
[ 2 ]
[ 3 ]
[ 4 ]
[ 5 ]

and after you type in the code, you need to drag a slider from the top to the bottom as the final unlock step.

Simple, doesn't mess with you by reordering the buttons, and self-securing.

Security quotes of the week

Posted Oct 3, 2013 3:00 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

That's still a toy. You are still going to get only a couple of bytes' worth of key data from this, so it can be brute-forced in a short amount of time by an attacker that can read your device hardware.

Security quotes of the week

Posted Oct 3, 2013 18:59 UTC (Thu) by nybble41 (subscriber, #55106)

You're never going to get users to memorize and enter a secure key as their unlock code, but there are ways around that. Assuming you have something like a TPM, have it generate and store a secure key and use that to encrypt everything. When locking the device, tell the TPM to disable the decryption key until presented with a valid unlock code. The TPM can enforce rate limits and wipe the key (or require a more secure form of unlock) if there are too many failures; even a four-digit code can be reasonably secure if attackers only get a handful of guesses. Bypassing the unlock screen would then mean bypassing the TPM, which requires not only extended physical access but extremely expensive and specialized tools and a few unusual skills.
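
The two comments above describe two different threat models for the same four-digit PIN: Cyberax's attacker reads the flash and guesses offline with no limit, while nybble41's design keeps the data key inside a secure element that counts failures and wipes after too many. The following is an added illustration, not code from the page, from either commenter, or from any real TPM: it wraps a key under a PIN-derived key the software-only way and brute-forces it, then runs the same search against a toy rate-limiting element. The PIN (4937), salt, iteration count and failure limit of 10 are all constructed for the demo.

```python
"""Short unlock PIN: offline brute force versus a rate-limiting secure element.

Added illustration only; the SecureElement class is a toy model of the idea in
nybble41's comment, not an interface of any real TPM or secure enclave.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

PIN_ITERATIONS = 200  # deliberately low so the exhaustive search finishes in seconds


def derive_kek(pin: str, salt: bytes) -> bytes:
    """PIN -> key-encryption key. A slow KDF only slows the attacker linearly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_ITERATIONS, 32)


def wrap_dek(dek: bytes, pin: str, salt: bytes) -> tuple[bytes, bytes]:
    """Software-only design: the data-encryption key sits on flash, XOR-wrapped
    under the PIN-derived key, with an HMAC tag so any guess can be verified."""
    kek = derive_kek(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, kek))
    tag = hmac.new(kek, wrapped, "sha256").digest()[:16]
    return wrapped, tag


def offline_brute_force(wrapped: bytes, tag: bytes, salt: bytes,
                        digits: int) -> tuple[str | None, int]:
    """Attacker holding the flash image: nothing bounds the number of guesses."""
    attempts = 0
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        attempts += 1
        kek = derive_kek(pin, salt)
        candidate = hmac.new(kek, wrapped, "sha256").digest()[:16]
        if hmac.compare_digest(candidate, tag):
            return pin, attempts
    return None, attempts


class SecureElement:
    """Toy model of the hardware-gated design: the DEK never leaves the element,
    every wrong PIN bumps a counter, and reaching the limit wipes the key."""

    def __init__(self, pin: str, max_failures: int = 10):
        self._dek: bytes | None = secrets.token_bytes(32)
        self._pin_secret = secrets.token_bytes(32)  # internal, never exported
        self._pin_tag = self._tag(pin)
        self._failures = 0
        self._max_failures = max_failures
        self.locked = True
        self.wiped = False

    def _tag(self, pin: str) -> bytes:
        return hmac.new(self._pin_secret, pin.encode(), "sha256").digest()

    def lock(self) -> None:
        self.locked = True

    def unlock(self, pin: str) -> bytes | None:
        """Return the DEK for a correct PIN, None otherwise; wipe on too many failures."""
        if self.wiped:
            return None
        if hmac.compare_digest(self._tag(pin), self._pin_tag):
            self._failures = 0
            self.locked = False
            return self._dek
        self._failures += 1
        if self._failures >= self._max_failures:
            self._dek = None
            self.wiped = True
        return None


def online_brute_force(element: SecureElement, digits: int) -> tuple[str | None, int]:
    """The same exhaustive search, but every guess has to go through the element."""
    attempts = 0
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        attempts += 1
        if element.unlock(pin) is not None:
            return pin, attempts
        if element.wiped:
            break
    return None, attempts


def demo() -> dict:
    pin = "4937"  # constructed demo PIN, roughly 13 bits of entropy
    salt = secrets.token_bytes(16)
    dek = secrets.token_bytes(32)
    wrapped, tag = wrap_dek(dek, pin, salt)
    offline = offline_brute_force(wrapped, tag, salt, digits=4)   # ('4937', 4938)
    element = SecureElement(pin, max_failures=10)
    online = online_brute_force(element, digits=4)                # (None, 10)
    return {"offline": offline, "online": online, "wiped": element.wiped}


if __name__ == "__main__":
    print(demo())
```

The offline search recovers the PIN after 4938 guesses no matter how the wrapped key is stored, which is Cyberax's "couple of bytes" objection; raising PIN_ITERATIONS only multiplies that by a constant. Against the element the same attacker gets ten guesses and then a wiped key, so the security rests on the element's tamper resistance rather than on the PIN's entropy, which is exactly the trade nybble41 describes.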

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds