[bb10adopter111]

Did you catch that Chen was completely on the wrong side of the Apple/FBI fight? It sounds like you didn't. Chen either did not understand the implications of what the Feds were asking Apple to do, or didn't care. Either way, he could not have been more wrong.

I followed it closely. Apple built a phone in such a way that they could argue they would have to build a back door to give law enforcement access to the device. And they didn't want to build the back door.

Blackberry also doesn't build back doors, but does provide the data on its servers to law enforcement when a warrant is shown. In effect they let law enforcement use the front door when a warrant is produced.

If you are arguing that people should not cooperate with law enforcement when legally compelled to do so, then I simply disagree with you.

Posted with my trusty Z10

[app_Developer]

What's stored in the secure element in these devices is a hash of (features of your fingerprint combined with device specific key), so even if the hash itself is compromised, it's really not very useful outside of that device.

Similarly, the API that allows apps to use fingerprint verification for purchases, etc., doesn't expose the fingerprint features themselves through the API, or even to the OS itself. The question you get to ask of the secure element is "yes or no, does the finger on the sensor match any of the fingers configured by the owner of this device".

[bbaleno]

They already have mine. So no worries from me.

I'm a baaaad boy

[TGR1]

I followed it closely. Apple built a phone in such a way that they could argue they would have to build a back door to give law enforcement access to the device. And they didn't want to build the back door.

Blackberry also doesn't build back doors, but does provide the data on its servers to law enforcement when a warrant is shown. In effect they let law enforcement use the front door when a warrant is produced.

If you are arguing that people should not cooperate with law enforcement when legally compelled to do so, then I simply disagree with you.

Posted with my trusty Z10

You missed the gist of the fight. Apple like the other companies does indeed comply with legal requests. What they did in this particular case was challenge the legality of the warrant, with a whole bunch of reasons including unreasonable effort. That was perfectly legal. Had it gone all the up to SCOTUS and been found legal, then Apple would have to comply or face contempt.

Comey was likely told he was going to lose, hence the FBI did not escalate.

[bb10adopter111]

You missed the gist of the fight. Apple like the other companies does indeed comply with legal requests. What they did in this particular case was challenge the legality of the warrant, with a whole bunch of reasons including unreasonable effort. That was perfectly legal. Had it gone all the up to SCOTUS and been found legal, then Apple would have to comply or face contempt.

Comey was likely told he was going to lose, hence the FBI did not escalate.

Your description of the case is accurate. I was referring to Apple's legal strategy of building a phone that they can legitimately claim to be unable to unlock upon request, which was novel.

The technological challenge to the traditional methods of investigating and prosecuting crime by examining electronic communications has serious implications for the public (as do legitimate privacy and constitutional rights) . I believe this requires a more thorough public discussion and clear policy decision rather than a simplistic us vs. them debate about government, citizens, and the role of technology and the private sector.

Historically, law enforcement agencies have been able to obtain a warrant by showing probable cause or search devices, but they haven't been allowed to compel individuals to provide their passwords. With encryption and auto-wipe security features, manufacturers can now make phones that are essentially warrant-proof, challenging law enforcement's traditional role. (This issue is completely separate from the question of data aggregation for intelligence and surveillance for national security, which are just as important and even more contentious for society.)

In the end, I think we need to decide as a society if personal electronics have special status so that they are not subject to searches with a warrant. That is not a decision that a manufacturer like Apple should decide for us by including x or y encryption and security technology in a smart phone.

In any case, this is OT, so I'll stop here. Thanks for sharing your thoughts.

Posted with my trusty Z10

[Tornado99]

I still think BlackBerry picture password is a great feature...a view shared by many of my friends using Androids when I show them how it works on my Z30.

Posted via CB10

[deadcowboy]

This is the assumption.. and what we are told. Lol aren't conspiracy thoughts fun?

Posted Via Passport with CB10 app

The fact that countless conspiracy theories have been proven true over the past year, I'd think that people would have trouble trusting anything at this point.

Posted via CB10

[deadcowboy]

I think BlackBerry's approach is very sensible. They protect privacy under normal circumstances but cooperate with law enforcement when a formal request, under the law, is made. Typically this is basically warrant where probable cause for a specific crime having been committed by a specific suspect has been shown to the satisfaction of a judge.

To me, the same protections that apply to searching one's home should apply to one's physical property, such as phones, journals, etc.

Personally, I WANT crimes investigated and prosecuted for my protection and to prevent a safe haven for criminals communicating over mobile phones.

What I oppose strongly, and what BlackBerry also has opposed, is a "back door" that permits warrantless surveillance that is not subject to judicial review and political accountability.

Posted with my trusty Z10

That's not what's at stake. The freedom of Americans is at stake, think about it longterm. Your Samsung TV is recording you in your house. Do you really think our intelligence agencies care about warrants? NSA mass-collects user data...your emails, everything. CIA is far more capable than the NSA.

Posted via CB10

[early2bed]

If you look at the fingerprint sensor on the KEYone, does it look like it's even capable of storing your entire fingerprint? It's a space bar. It looks to me that all it could possibly sense is a horizontal rectangle that is about 4mm tall and isn't even the entire width of your thumb. In the hands – on video, you don't scan your whole thumb. How could this store your entire thumbprint? When setting it up, you are probably are supposed to let it scan different areas of your finger in order to improve recognition but you would have to be pretty systematic about it in order to reproduce an entire print.

Storing a hash for later recognition is like transposing the lyrics and word timing of a song recording. The hash can be stored and used to uniquely identify this specific recording if transposed a later time but it's impossible to reproduce the recording from the hash. Even a hacker can't make a hardware sensor do what is physically incapable doing.

[deadcowboy]

So in the new MacBook Pro, a separate Apple Watch-derived processing unit handles fingerprints and Apple's password manager. Apparently the iPhone also has some walled-off hardware for fingerprints, right?

How does Android handle those hashes derived from fingerprints. Or the processing of that fingerprint information?

Posted via CB10

[early2bed]

How does Android handle those hashes derived from fingerprints. Or the processing of that fingerprint information?

That's probably left to the specific device. Android's job is to say: Hey, is this hash that you have just read off this finger one of the ones that you have stored in your memory from when it was set-up? Ideally, the secure hardware element is incapable of actually giving out the actual hash.

Starting Android 6.0:

Below is an excerpt of Google’s official guidelines for OEMs implementing fingerprint unlock in their smartphones. Considering that this same document already requires OEMs to enable full-disk encryption out of the box, the end result should be quite decent security-wise (but not speed-wise, as we discovered in our previous research).

7.3.10. Fingerprint Sensor Device implementations with a secure lock screen SHOULD include a fingerprint sensor. If a device implementation includes a fingerprint sensor and has a corresponding API for third-party developers, it:

MUST declare support for the android.hardware.fingerprint feature.
MUST fully implement the corresponding API as described in the Android SDK documentation [Resources, 95].
MUST have a false acceptance rate not higher than 0.002%.
Is STRONGLY RECOMMENDED to have a false rejection rate not higher than 10%, and a latency from when the fingerprint sensor is touched until the screen is unlocked below 1 second, for 1 enrolled finger.
MUST rate limit attempts for at least 30 seconds after 5 false trials for fingerprint verification.
MUST have a hardware-backed keystore implementation, and perform the fingerprint matching in a Trusted Execution Environment (TEE) or on a chip with a secure channel to the TEE.
MUST have all identifiable fingerprint data encrypted and cryptographically authenticated such that they cannot be acquired, read or altered outside of the Trusted Execution Environment (TEE) as documented in the implementation guidelines on the Android Open Source Project site [Resources, 96].
MUST prevent adding a fingerprint without first establishing a chain of trust by having the user confirm existing or add a new device credential (PIN/pattern/password) using the TEE as implemented in the Android Open Source project.
MUST NOT enable 3rd-party applications to distinguish between individual fingerprints.
MUST honor the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag.
MUST, when upgraded from a version earlier than Android 6.0, have the fingerprint data securely migrated to meet the above requirements or removed.
SHOULD use the Android Fingerprint icon provided in the Android Open Source Project.

[deadcowboy]

That's probably left to the specific device. Android's job is to say: Hey, is this hash that you have just read off this finger one of the ones that you have stored in your memory from when it was set-up? Ideally, the secure hardware element is incapable of actually giving out the actual hash.

Interesting. I wonder how BlackBerry will implement this in the KeyONE, as TCL is heavily involved.

Posted via CB10

[bb10adopter111]

That's not what's at stake. The freedom of Americans is at stake, think about it longterm. Your Samsung TV is recording you in your house. Do you really think our intelligence agencies care about warrants? NSA mass-collects user data...your emails, everything. CIA is far more capable than the NSA.

Posted via CB10

I agree with you that the stakes are high. Our right to privacy is threatened by our new technologies, and I think governments (I'm in the US, so that means Washington for me) have failed to establish clear goals, laws and policies since 9/11 to guarantee our rights and freedoms in its attempt to stay nimble and responsive to both domestic and international terrorist threats.

The result is a stupid arms race between the private sector and the government which results in a lack of both security and accountability for all concerned.

However, technology won't save us from this issue, anymore than more powerful bombs can protect us against war. Innovations in computation technology will break all existing encryption technologies within the next few years, if they haven't already. Companies like Apple can't save you.

In a democracy, the solution has to include a proper public discussion and a set of comprehensive laws that make the rules clear to everyone and create legal accountability if either government agencies, companies, or individuals violate the laws.

Legitimate investigation and security needs must be accommodated in any solution unless we want to cede huge advantages to organized crime, terrorism and foreign powers with fewer scruples. We still live in the real world where we have to deal with aggressor nations and evil people.

It's just naive to think that companies like Facebook or Apple can or want to protect you from state-sponsored actors with vastly superior technology and manpower. They just want your money, and are happy to sell your data to the highest bidder.

Posted with my trusty Z10

[deadcowboy]

I agree with you that the stakes are high. Our right to privacy is threatened by our new technologies, and I think governments (I'm in the US, so that means Washington for me) have failed to establish clear goals, laws and policies since 9/11 to guarantee our rights and freedoms in its attempt to stay nimble and responsive to both domestic and international terrorist threats.

The result is a stupid arms race between the private sector and the government which results in a lack of both security and accountability for all concerned.

However, technology won't save us from this issue, anymore than more powerful bombs can protect us against war. Innovations in computation technology will break all existing encryption technologies within the next few years, if they haven't already. Companies like Apple can't save you.

In a democracy, the solution has to include a proper public discussion and a set of comprehensive laws that make the rules clear to everyone and create legal accountability if either government agencies, companies, or individuals violate the laws.

Legitimate investigation and security needs must be accommodated in any solution unless we want to cede huge advantages to organized crime, terrorism and foreign powers with fewer scruples. We still live in the real world where we have to deal with aggressor nations and evil people.

It's just naive to think that companies like Facebook or Apple can or want to protect you from state-sponsored actors with vastly superior technology and manpower. They just want your money, and are happy to sell your data to the highest bidder.

Posted with my trusty Z10

Good post, rings true. However how to we convince the rest of the world of the same thing? The Russian hacking narrative is probably untrue, and while Russia is now an ally, in modern geopolitics, everyone is an adversary, especially Russia. Cyberwar is the new Cold War, and it will never end.

Legislation that protects US citizens would be a massive step in the right direction, however. Major fines, litigation, jailtime for companies that are adding microphones and cameras to everyday items like cable boxes or TVs. It's hard to separate the relevant from the fear mongering at this point, but it's plain to see that this is a widespread issue. Just the other week, in Germany, toy dolls were transmitting recorded audio back to the manufacturer servers, the dolls were banned. But computers, phones...what can be done?

Posted via CB10