[Cryptography] About those fingerprints ...

Wed, 11 Sep 2013 09:34:01 -0700 

Gentlefolk,



        Fingerprint scanners have shipped on laptops and phones for years.

        Yesterday, Apple made the bold, unaudited claim that it will never save 
the fingerprint data outside of the A7 chip.

        Why should we trust Cook & Co.? They are subject to the laws of the 
land and will properly respond to lawful subpoenas. What are they doing to 
ensure the user's confidence that they cannot spread my fingerprint data to the 
cloud? (POI frequently have fingerprints on file. Finding out which phone is 
used by whom when you have fingerprint data is a Big Data query away.)

        These questions also apply to things like keychain storage. Who has 
audited in a public fashion that Apple actually keeps keychains secure? How do 
we know whether Apple has perverted under secret court order the common crypto 
and other libraries in every phone and iPad? iOS 7 supports keychain storage in 
iCloud. Why should we trust Apple to keep our keys safe there? Where is the 
audit of their claims?

        Why should we trust Cook & Co. without verifying their claims? 

        IOW, where is the culture of public audit around security? Why did we 
ever trust the Canadian company RIM with our email without a public audit? Why 
do we trust Apple, MS, Google and others?

        The culture of secrecy around the security stack inside popular OSes 
needs to stop. (I am proposing "after the fact" audits of shipping OSes. They 
should never be an impediment to any organization shipping software in a timely 
fashion.) Sunlight on the libraries being used is the best disinfectant for 
security concerns.

        President Reagan had it right: "Trust but verify." Why should we trust 
Apple? Because their executives said so in a video? We need something stronger.



Anon,
Andrew

P.S.    All you Android fanboys know how to globally replace Apple above with 
Google/Samsung.

____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
a...@ddg.com, +1 (512) 750-7596, twitter.com/adonoho

Download Retweever here: <http://Retweever.com>

No risk, no art.
        No art, no reward.
                -- Seth Godin




_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

Reply via email to