Thomas Delrue on 6 Sep 2015 12:07:18 -0700



Re: [PLUG] Cheap Nexus 6


I take serious issue with the sentence "any smart phone that doesn't
have one is obsolete junk".
Sure, fingerprints are more /convenient/ than entering a strong
password. But they are most certainly *NOT* more secure. They are not
even much more secure than 4 digit pins (You do know that your
fingerprint gets reduced to a handful of integers, right?); one of the
many reasons is that when I steal your phone, I can *see* your dirty
fingerprints all over it and easily reproduce it using a gel printer.
(just one example here:
https://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)

Remember kids, whenever you are dealing with security, convenience is
your enemy. I'm ok with you claiming that you find fingerprint readers
much more convenient than pins or passwords, but I am most certainly not
ok with you propagating the untruth that these things are secure in any way.

Biometrics are an absolutely horrible way of doing security. I don't
know why people think that biometrics are a good substitute for strong
_and_ frequently changing passwords.
"Something you know & something you have" is much more secure than
"something you have and something you *are*". At least the 'something
you know' is something you can rotate; good luck rotating your
fingerprints or your retina. (And don't get me started on "we'll
identify you using your heartbeat/blood glucose level/flavor of the day"
bollocks.)
Once your biometric data gets compromised, and this /will/ happen, you
now find yourself unable to securely use your
'password'(/fingerprint/retina scan/...).
Let me repeat what I said before: Biometrics are an absolutely horrible
way of doing security.

Unless you are dealing with expensive toys that make extremely large
bangs and result in clouds shaped like the fruits of fungi, you do not
need biometrics! You also don't have enough money to afford an actually
working biometrics solution.
People who do have a genuine need for these kinds of biometrics don't
use it to *gain access* to a facility. They use it to *keep people out*
of facilities. (and this is a very subtle but crucially important
difference) In fact, a false negative is a good thing in (99% of) those
situations.

Anyone succeeding in convincing you that 1) you need biometrics and 2)
they have this biometrics solution here for you and it will work
wonders, is selling you snake oil and would like to hand all your
contact info over to me because, I've got this nice bridge for sale
here, you see...

Lastly, regarding security and password strength, always remember this
beauty: https://www.xkcd.com/538/ (the alt-text is also very relevant)

On 09/06/2015 01:31 PM, brainbuz wrote:
> I think that fingerprint readers are far from perfection in
> security, but at a physical level (and we're talking about devices
> that are stolen with alarming frequency) they're better protection
> than a 4 digit pin. And given how much more convenient a touch is
> versus pins and gestures...
> 
> Combining gestures/pins with fingerprint in some manner would be the 
> more secure way to go (ie LE might be able to compel you to put your 
> finger on the reader, but the pin would still have the same
> protection).
> 
> On 09/06/2015 12:51 PM, Eric H. Johnson wrote:
>> From the standpoint of privacy, there is a difference legally
>> between a pin / passcode and a fingerprint. The Virginia circuit
>> court held that the defendant in a particular case could not be
>> compelled to reveal the passcode to his phone, but could be
>> compelled to produce his fingerprint. The former constitutes
>> revealing knowledge, and therefore is protected by the 5th 
>> amendment, while the latter is a physical attribute, and therefore
>> is not.
>> 
>> While technically, a fingerprint can potentially be more secure
>> than a passcode, legally it would currently seem to be more
>> vulnerable.
>> 
>> Regards, Eric
>> 
>> With so many phones coming to market with a fingerprint reader, any
>> smart phone that doesn't have one is obsolete junk. PINS and swipes
>> are really inconvenient compared to fingerprint and given the
>> personal data that's going on phones these days I don't see how a
>> more secure and more convenient means of securing the device can be
>> considered optional.
>> 
>> If the nexus 5 or 6 had one I would jump at these prices to replace
>> a phone I bought just a few months ago (it has neither a
>> fingerprint reader nor lollipop support).
>>
>> On 09/04/2015 09:46 AM, Will wrote:
>> Thanks Anthony. Now the question is... New Nexus 5 vs. Nexus 6...
>> What to get.
>>
>> On Sep 4, 2015 06:00, "Anthony Martin"
>> <anthony.j.martin142@gmail.com> wrote:
>> Just in case anyone was in need of a new phone I figured I would let
>> everyone know they dropped the price of the 32gb/64gb nexus 6
>> unlocked to 349.99/399.99.
>> http://www.amazon.com/Motorola-Unlocked-Cellphone-Midnight-Warranty/dp/B00R1984DI/ref=sr_1_1?tag=aanws-20&s=wireless&ie=UTF8&qid=1441352792&sr=1-1&keywords=Motorola+Nexus+6&pebp=1441352800654&perid=05BSN8THPZEBASS0SE92
>>
>> ___________________________________________________________________________
>> Philadelphia Linux Users Group         --        http://www.phillylinux.org
>> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
>> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
> 

Attachment: signature.asc
Description: OpenPGP digital signature
