Gentlefolk,
Fingerprint scanners have shipped on laptops and phones for years.
Yesterday, Apple made the bold, unaudited claim that it will never save
the fingerprint data outside of the A7 chip.
Why should we trust Cook & Co.? They are subject to the laws of the
land and will properly respond to lawful subpoenas. What are they doing to
ensure the user's confidence that they cannot spread my fingerprint data to the
cloud? (POI frequently have fingerprints on file. Finding out which phone is
used by whom when you have fingerprint data is a Big Data query away.)
These questions also apply to things like keychain storage. Who has
audited in a public fashion that Apple actually keeps keychains secure? How do
we know whether Apple has perverted under secret court order the common crypto
and other libraries in every phone and iPad? iOS 7 supports keychain storage in
iCloud. Why should we trust Apple to keep our keys safe there? Where is the
audit of their claims?
Why should we trust Cook & Co. without verifying their claims?
IOW, where is the culture of public audit around security? Why did we
ever trust the Canadian company RIM with our email without a public audit? Why
do we trust Apple, MS, Google and others?
The culture of secrecy around the security stack inside popular OSes
needs to stop. (I am proposing "after the fact" audits of shipping OSes. They
should never be an impediment to any organization shipping software in a timely
fashion.) Sunlight on the libraries being used is the best disinfectant for
security concerns.
President Reagan had it right: "Trust but verify." Why should we trust
Apple? Because their executives said so in a video? We need something stronger.
Anon,
Andrew
P.S. All you Android fanboys know how to globally replace Apple above with
Google/Samsung.
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
[email protected], +1 (512) 750-7596, twitter.com/adonoho
Download Retweever here: <http://Retweever.com>
No risk, no art.
No art, no reward.
-- Seth Godin
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
