BB Mercury Fingerprint Security
-
Blackberry also doesn't build back doors, but does provide the data on its servers to law enforcement when a warrant is shown. In effect they let law enforcement use the front door when a warrant is produced.
If you are arguing that people should not cooperate with law enforcement when legally compelled to do so, then I simply disagree with you.
Posted with my trusty Z10anon(2313227) likes this.03-05-17 05:19 PMLike 1 - What's stored in the secure element in these devices is a hash of (features of your fingerprint combined with device specific key), so even if the hash itself is compromised, it's really not very useful outside of that device.
Similarly, the API that allows apps to use fingerprint verification for purchases, etc., doesn't expose the fingerprint features themselves through the API, or even to the OS itself. The question you get to ask of the secure element is "yes or no, does the finger on the sensor match any of the fingers configured by the owner of this device".maltesh likes this.03-05-17 06:55 PMLike 1 - I followed it closely. Apple built a phone in such a way that they could argue they would have to build a back door to give law enforcement access to the device. And they didn't want to build the back door.
Blackberry also doesn't build back doors, but does provide the data on its servers to law enforcement when a warrant is shown. In effect they let law enforcement use the front door when a warrant is produced.
If you are arguing that people should not cooperate with law enforcement when legally compelled to do so, then I simply disagree with you.
Posted with my trusty Z10
Comey was likely told he was going to lose, hence the FBI did not escalate.03-06-17 07:26 AMLike 0 - You missed the gist of the fight. Apple like the other companies does indeed comply with legal requests. What they did in this particular case was challenge the legality of the warrant, with a whole bunch of reasons including unreasonable effort. That was perfectly legal. Had it gone all the up to SCOTUS and been found legal, then Apple would have to comply or face contempt.
Comey was likely told he was going to lose, hence the FBI did not escalate.
The technological challenge to the traditional methods of investigating and prosecuting crime by examining electronic communications has serious implications for the public (as do legitimate privacy and constitutional rights) . I believe this requires a more thorough public discussion and clear policy decision rather than a simplistic us vs. them debate about government, citizens, and the role of technology and the private sector.
Historically, law enforcement agencies have been able to obtain a warrant by showing probable cause or search devices, but they haven't been allowed to compel individuals to provide their passwords. With encryption and auto-wipe security features, manufacturers can now make phones that are essentially warrant-proof, challenging law enforcement's traditional role. (This issue is completely separate from the question of data aggregation for intelligence and surveillance for national security, which are just as important and even more contentious for society.)
In the end, I think we need to decide as a society if personal electronics have special status so that they are not subject to searches with a warrant. That is not a decision that a manufacturer like Apple should decide for us by including x or y encryption and security technology in a smart phone.
In any case, this is OT, so I'll stop here. Thanks for sharing your thoughts.
Posted with my trusty Z10TGR1 likes this.03-06-17 09:30 AMLike 1 -
Posted via CB1003-08-17 06:45 AMLike 0 - I think BlackBerry's approach is very sensible. They protect privacy under normal circumstances but cooperate with law enforcement when a formal request, under the law, is made. Typically this is basically warrant where probable cause for a specific crime having been committed by a specific suspect has been shown to the satisfaction of a judge.
To me, the same protections that apply to searching one's home should apply to one's physical property, such as phones, journals, etc.
Personally, I WANT crimes investigated and prosecuted for my protection and to prevent a safe haven for criminals communicating over mobile phones.
What I oppose strongly, and what BlackBerry also has opposed, is a "back door" that permits warrantless surveillance that is not subject to judicial review and political accountability.
Posted with my trusty Z10
Posted via CB1003-08-17 06:49 AMLike 0 - If you look at the fingerprint sensor on the KEYone, does it look like it's even capable of storing your entire fingerprint? It's a space bar. It looks to me that all it could possibly sense is a horizontal rectangle that is about 4mm tall and isn't even the entire width of your thumb. In the hands – on video, you don't scan your whole thumb. How could this store your entire thumbprint? When setting it up, you are probably are supposed to let it scan different areas of your finger in order to improve recognition but you would have to be pretty systematic about it in order to reproduce an entire print.
Storing a hash for later recognition is like transposing the lyrics and word timing of a song recording. The hash can be stored and used to uniquely identify this specific recording if transposed a later time but it's impossible to reproduce the recording from the hash. Even a hacker can't make a hardware sensor do what is physically incapable doing.Last edited by early2bed; 03-08-17 at 08:16 AM.
03-08-17 08:04 AMLike 0 - So in the new MacBook Pro, a separate Apple Watch-derived processing unit handles fingerprints and Apple's password manager. Apparently the iPhone also has some walled-off hardware for fingerprints, right?
How does Android handle those hashes derived from fingerprints. Or the processing of that fingerprint information?
Posted via CB1003-08-17 09:23 AMLike 0 -
That's probably left to the specific device. Android's job is to say: Hey, is this hash that you have just read off this finger one of the ones that you have stored in your memory from when it was set-up? Ideally, the secure hardware element is incapable of actually giving out the actual hash.
Starting Android 6.0:
Below is an excerpt of Google’s official guidelines for OEMs implementing fingerprint unlock in their smartphones. Considering that this same document already requires OEMs to enable full-disk encryption out of the box, the end result should be quite decent security-wise (but not speed-wise, as we discovered in our previous research).
7.3.10. Fingerprint Sensor Device implementations with a secure lock screen SHOULD include a fingerprint sensor. If a device implementation includes a fingerprint sensor and has a corresponding API for third-party developers, it:
MUST declare support for the android.hardware.fingerprint feature.
MUST fully implement the corresponding API as described in the Android SDK documentation [Resources, 95].
MUST have a false acceptance rate not higher than 0.002%.
Is STRONGLY RECOMMENDED to have a false rejection rate not higher than 10%, and a latency from when the fingerprint sensor is touched until the screen is unlocked below 1 second, for 1 enrolled finger.
MUST rate limit attempts for at least 30 seconds after 5 false trials for fingerprint verification.
MUST have a hardware-backed keystore implementation, and perform the fingerprint matching in a Trusted Execution Environment (TEE) or on a chip with a secure channel to the TEE.
MUST have all identifiable fingerprint data encrypted and cryptographically authenticated such that they cannot be acquired, read or altered outside of the Trusted Execution Environment (TEE) as documented in the implementation guidelines on the Android Open Source Project site [Resources, 96].
MUST prevent adding a fingerprint without first establishing a chain of trust by having the user confirm existing or add a new device credential (PIN/pattern/password) using the TEE as implemented in the Android Open Source project.
MUST NOT enable 3rd-party applications to distinguish between individual fingerprints.
MUST honor the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag.
MUST, when upgraded from a version earlier than Android 6.0, have the fingerprint data securely migrated to meet the above requirements or removed.
SHOULD use the Android Fingerprint icon provided in the Android Open Source Project.03-08-17 09:38 AMLike 0 - That's probably left to the specific device. Android's job is to say: Hey, is this hash that you have just read off this finger one of the ones that you have stored in your memory from when it was set-up? Ideally, the secure hardware element is incapable of actually giving out the actual hash.
Posted via CB1003-08-17 09:40 AMLike 0 - That's not what's at stake. The freedom of Americans is at stake, think about it longterm. Your Samsung TV is recording you in your house. Do you really think our intelligence agencies care about warrants? NSA mass-collects user data...your emails, everything. CIA is far more capable than the NSA.
Posted via CB10
The result is a stupid arms race between the private sector and the government which results in a lack of both security and accountability for all concerned.
However, technology won't save us from this issue, anymore than more powerful bombs can protect us against war. Innovations in computation technology will break all existing encryption technologies within the next few years, if they haven't already. Companies like Apple can't save you.
In a democracy, the solution has to include a proper public discussion and a set of comprehensive laws that make the rules clear to everyone and create legal accountability if either government agencies, companies, or individuals violate the laws.
Legitimate investigation and security needs must be accommodated in any solution unless we want to cede huge advantages to organized crime, terrorism and foreign powers with fewer scruples. We still live in the real world where we have to deal with aggressor nations and evil people.
It's just naive to think that companies like Facebook or Apple can or want to protect you from state-sponsored actors with vastly superior technology and manpower. They just want your money, and are happy to sell your data to the highest bidder.
Posted with my trusty Z1003-08-17 11:27 AMLike 0 - I agree with you that the stakes are high. Our right to privacy is threatened by our new technologies, and I think governments (I'm in the US, so that means Washington for me) have failed to establish clear goals, laws and policies since 9/11 to guarantee our rights and freedoms in its attempt to stay nimble and responsive to both domestic and international terrorist threats.
The result is a stupid arms race between the private sector and the government which results in a lack of both security and accountability for all concerned.
However, technology won't save us from this issue, anymore than more powerful bombs can protect us against war. Innovations in computation technology will break all existing encryption technologies within the next few years, if they haven't already. Companies like Apple can't save you.
In a democracy, the solution has to include a proper public discussion and a set of comprehensive laws that make the rules clear to everyone and create legal accountability if either government agencies, companies, or individuals violate the laws.
Legitimate investigation and security needs must be accommodated in any solution unless we want to cede huge advantages to organized crime, terrorism and foreign powers with fewer scruples. We still live in the real world where we have to deal with aggressor nations and evil people.
It's just naive to think that companies like Facebook or Apple can or want to protect you from state-sponsored actors with vastly superior technology and manpower. They just want your money, and are happy to sell your data to the highest bidder.
Posted with my trusty Z10
Legislation that protects US citizens would be a massive step in the right direction, however. Major fines, litigation, jailtime for companies that are adding microphones and cameras to everyday items like cable boxes or TVs. It's hard to separate the relevant from the fear mongering at this point, but it's plain to see that this is a widespread issue. Just the other week, in Germany, toy dolls were transmitting recorded audio back to the manufacturer servers, the dolls were banned. But computers, phones...what can be done?
Posted via CB1003-08-17 02:08 PMLike 0
- Forum
- Popular at CrackBerry
- General BlackBerry News, Discussion & Rumors
BB Mercury Fingerprint Security
« dual drive usb type c
|
Unable to install Fossil Q apk app on BB Q5. It says "Unable to install app". »
Similar Threads
-
Should I Upgrade my BB TORCH 9810?
By madmax12345 in forum BlackBerry Torch SeriesReplies: 14Last Post: 06-14-17, 01:11 PM -
Indonesian BB Merah Putih's Device called BB Aurora
By adhisakti in forum General BlackBerry News, Discussion & RumorsReplies: 2Last Post: 03-04-17, 04:36 PM -
BB Merah Putih built BlackBerry-branded device now has a name - BB Aurora
By CrackBerry News in forum CrackBerry.com News Discussion & ContestsReplies: 1Last Post: 03-01-17, 05:54 PM -
How do i update BB Link on my BB Passport? How do I access my SD card files on BB passport
By CrackBerry Question in forum Ask a QuestionReplies: 3Last Post: 03-01-17, 05:47 PM -
Alleged images of new BB Merah Putih BlackBerry-branded device emerge
By CrackBerry News in forum CrackBerry.com News Discussion & ContestsReplies: 1Last Post: 02-28-17, 08:27 PM
LINK TO POST COPIED TO CLIPBOARD