Posts Tagged ‘Apple’

“ZEIT Online” Interview with Starbug

September 26th, 2013 No comments

“The matter for Apple was comfort, not security”

For Jan Krissler (aka Starbug) it wasn’t a struggle to bypass the fingerprint scanner of the iPhone 5s. In an interview he explains why passwords are mostly more secure than biometry.

ZEIT ONLINE: You hacked the fingerprint scanner of the iPhone 5s. Why?

Jan Krissler: For 10 years I have been dealing with the security of biometric systems, especially how to bypass them. From time to time, when a new product emerges, I look at it and check whether the old bypassing techniques still work, or whether there are new challenges. With the TouchID sensor I expected challenges but unfortunately was disappointed.

ZEIT ONLINE: Are fingerprints suitable at all for securing a telephone, a door or other things?

Jan Krissler: As with all biometric systems, one must ask what data or things you want to protect with it. If their value exceeds the effort to crack the system, an easily bypassable biometric system might not be the best choice.

ZEIT ONLINE: Which means that biometry is easier to overcome than, for example, a password?

Krissler: That depends on the password and how the user deals with it and, of course, also on the biometric system. At least I assume my passwords to be more secure than my fingerprint. The problem is that one leaves fingerprints everywhere, and that faces can be photographed unnoticed. My password is in my head, and if I’m careful when typing, I will remain the only one who knows it.

ZEIT ONLINE: Which biometric data would be appropriate for establishing access control?

Krissler: There are certain characteristics that are better and characteristics that are less suitable. The better ones include those which you do not leave anywhere, or which cannot be taken from you easily and unnoticed. Which means characteristics that can actually only be read with an appropriate sensor. The vein pattern is a good example. I had assumed that Apple would apply something of the kind. After all, at the launch of the iPhone it was announced that the scanner would have sub-epidermal finger recognition, i.e. one that does not rely only on the finger ridges on the surface. Frankly speaking, I was shocked by how easy it was to bypass it.

But with other methods such as vein patterns, too, it must be clear: if someone gets access to such a characteristic, he will find a way to replicate it and thereafter to overcome the system.

ZEIT ONLINE: So why is biometry presently so highly touted as a security mechanism?

Krissler: Because there is a big industry behind it, and because biometry is also capable of identifying people.

ZEIT ONLINE: But isn’t it the case that biometry works fine to clearly identify someone, but not as well to secure something?

Krissler: One can tune systems quite well as long as they only need to distinguish a few people from each other. In this case the error rate is quite low. But once you have the whole of humanity, or in this case all iPhone users, as the target group, things get quite impossible, simply because their characteristics vary greatly. Biometry just also has its weaknesses. Unlike passwords, which are either right or wrong, there is always only a certain probability of a match. Therefore the TouchID scanner isn’t really a security method, but a comfort method. Had Apple made the mechanism more secure, too many people would have struggled turning on their iPhone and too many people would have been rejected too often.

Many don’t use any passcode on their smartphone at all, and using a fingerprint is still better than nothing, as Apple said at the launch. But it’s obviously about convenience and ease of use, not about security. Therefore I would not even want to rate TouchID as a security practice.

ZEIT ONLINE: The iPhone has a fairly high status; many find it great. Is it a problem if such a popular device relies on biometry, and thus spreads a, shall we say, problematic security method?

Krissler: This has already begun with the fingerprints in the German identity card and the passport. Thus, methods that were actually intended to identify criminals were extended to the general public. This of course is problematic. On one hand, because data is gathered that would not have to be captured and could be abused for other things. On the other hand, because this way everyone gets used to biometry and then uses it for all sorts of applications. The best example of this is Hamburg, where at one school all students had to submit their fingerprints to get their lunch.

The interview was conducted in writing via Jabber.

Original interview (in German) by Kai Biermann (with kind permission for publication of my English translation).

ZEIT Online Article
Chaos Computer Club

[Update 1st of October 2013]
Dustin Kirkland, a GNU/Linux Ubuntu Developer writes:

But biometrics cannot, and absolutely must not, be used to authenticate an identity. For authentication, you need a password or passphrase. Something that can be independently chosen, changed, and rotated. I will continue to advocate this within the Ubuntu development community, as I have since 2009.

Read: Fingerprints are Usernames, not Passwords

Apple corrupting RFC 6352 (by Apple)

December 1st, 2012 No comments

In the nice setup of my own “un-clouded” PIM (personal information manager), in which DAViCal plays a major role, OS X Lion (10.7) and OS X Mountain Lion (10.8) seemingly can’t handle the groups in the address book any longer. When connecting through CardDAV, the groups just remain empty.
Paragraph 7.1.1 of RFC 6352, which Apple released in August 2011, states:

Description: The CARDDAV:addressbook-home-set property is meant to
allow users to easily find the address book collections owned by
the principal. Typically, users will group all the address book
collections that they own under a common collection. This
property specifies the URL of collections that are either address
book collections or ordinary collections that have child or
descendant address book collections owned by the principal.

… yet OS X sets the value of addressbook-home-set to /caldav.php/foobar/ instead of /caldav.php/foobar/addressbook/ in ~/Library/Application\ Support/AddressBook/Sources/XYZ-123456-FOOBAR/Configuration.plist, which is a violation of RFC 6352.

Put simply: OS X 10.7/10.8 can’t handle its own technical specifications…
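To make the quoted paragraph concrete, here is an added example (my own illustration, not code from Apple, DAViCal or the RFC) of how a CardDAV client is expected to use CARDDAV:addressbook-home-set: first read the property from the principal, then list the home collection with Depth: 1 and keep only those children whose DAV:resourcetype contains CARDDAV:addressbook. The two multistatus responses are constructed samples with the /caldav.php/foobar/ paths from the post; a real client would obtain them via PROPFIND over HTTP.

```python
"""Discover address book collections the way RFC 6352 section 7.1.1 describes.

Added example, not part of the original post. The XML below is constructed
to mimic what a DAViCal-style server could return; nothing is fetched.
"""
import xml.etree.ElementTree as ET

NS = {"d": "DAV:", "c": "urn:ietf:params:xml:ns:carddav"}

# Constructed: PROPFIND on the principal asking for addressbook-home-set.
PRINCIPAL_RESPONSE = """
<d:multistatus xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:carddav">
  <d:response>
    <d:href>/caldav.php/foobar/</d:href>
    <d:propstat>
      <d:prop>
        <c:addressbook-home-set><d:href>/caldav.php/foobar/</d:href></c:addressbook-home-set>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>"""

# Constructed: PROPFIND Depth:1 on the home collection asking for resourcetype.
# Only the child marked <c:addressbook/> is an address book; the home
# collection itself and the calendar are ordinary collections.
HOME_RESPONSE = """
<d:multistatus xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:carddav"
               xmlns:cal="urn:ietf:params:xml:ns:caldav">
  <d:response>
    <d:href>/caldav.php/foobar/</d:href>
    <d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
    <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
  <d:response>
    <d:href>/caldav.php/foobar/addressbook/</d:href>
    <d:propstat><d:prop><d:resourcetype><d:collection/><c:addressbook/></d:resourcetype></d:prop>
    <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
  <d:response>
    <d:href>/caldav.php/foobar/calendar/</d:href>
    <d:propstat><d:prop><d:resourcetype><d:collection/><cal:calendar/></d:resourcetype></d:prop>
    <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
</d:multistatus>"""


def addressbook_home_sets(multistatus_xml):
    """Step 1: the URLs of the collections under which address books live."""
    root = ET.fromstring(multistatus_xml.strip())
    return [h.text.strip() for h in root.findall(".//c:addressbook-home-set/d:href", NS)]


def addressbook_collections(multistatus_xml):
    """Step 2: children of a home collection whose resourcetype says 'addressbook'."""
    root = ET.fromstring(multistatus_xml.strip())
    found = []
    for resp in root.findall("d:response", NS):
        href = resp.find("d:href", NS).text.strip()
        rtype = resp.find(".//d:prop/d:resourcetype", NS)
        if rtype is not None and rtype.find("c:addressbook", NS) is not None:
            found.append(href)
    return found


def is_addressbook_collection(url, collections):
    """A client must sync contacts from an address book collection; its
    parent (the home set) holds no contacts, so groups there come back empty."""
    return url in collections


if __name__ == "__main__":
    homes = addressbook_home_sets(PRINCIPAL_RESPONSE)
    books = addressbook_collections(HOME_RESPONSE)
    print("home set(s):", homes)
    print("address books:", books)
    for candidate in ("/caldav.php/foobar/", "/caldav.php/foobar/addressbook/"):
        print(candidate, "->", is_addressbook_collection(candidate, books))
```

The home set is deliberately a level above the address books: a client that treats the home-set URL itself as the address book never sees the CARDDAV:addressbook resource type and therefore never finds the collection that holds the contacts and groups.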

[Update: The very same bug has been reported to the sogo bugtracker.]

[Update: Here is a fix for this OS X bug.]

Why OS X Lion is crap

August 30th, 2011 No comments

1. Unconsciousness
With the OS X 10.7 software release Apple fulfills and nurtures the user’s unconscious handling of his computer. The user’s data, such as photos, documents, etc., are geo- and meta-tagged, and the corresponding applications connect to the respective servers, such as Google Maps, “the Cloud” and several Akamai servers, keeping the user in the dark about how and where his personal data is shared.

2. Self-surveillance
Furthermore, the operating system entraps and misleads the user into activities of self-surveillance, by eliminating “Big Brother” and leading the operator through “sexy” and technically well designed applications, which conceal where data and meta-data is shared and stored. The nebulous “Cloud” eases the user’s data replication, introducing potential privacy hazards, on the assumption that the user has “nothing to hide”.

3. Anti-Social
By implementing Social Media applications and functionalities, explicitly based on proprietary standards and formats, and caching cookies that track their users continuously, even after they have logged out, complete patterns of the user’s behaviour are tracked, locally stored and shared on obscure servers and nebulous “Clouds”. The friends counter remains a real-time rising number of people whom the user never meets in real life (any more)…

4. Average
Apple Macintosh used to be a line of computers that came together with an operating system designed for professionals: graphic designers, film directors and musicians. Since OS X 10.7 the system is designed to merge into the needs of a mediocre human, nurturing his archaic behaviour by caressing a touch-pad with his finger. A built-in baby comforter may follow in upcoming versions…

5. status_msg > /dev/null && userinfo > /apple/survey && echo –bold “WTF!”
By suggesting that the user help improve the functionality of programs, the operating system shares system data which can explicitly identify the computer and the user. The user’s privacy is deliberately violated.

6. Contemptuous
No ext2, ext3 or ext4 support. Gimme back my control over my data & choice of filesystem!

Julian thinks different

December 22nd, 2010 No comments

Another paradigm shift:

Julian thinks different – Apple doesn’t. It’s mainstream!

1997: Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes.

The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo. You can praise them, disagree with them, quote them, disbelieve them, glorify or vilify them.

About the only thing you can’t do is ignore them. Because they change things. They invent. They imagine. They heal. They explore. They create. They inspire. They push the human race forward.

Maybe they have to be crazy.

How else can you stare at an empty canvas and see a work of art? Or sit in silence and hear a song that’s never been written? Or gaze at a red planet and see a laboratory on wheels?

While some see them as the crazy ones, we see genius. Because the people who are crazy enough to think they can change the world, are the ones who do.

Think different

December 22nd, 2010 No comments

Steve Jobs (22 December 2010):

“We removed WikiLeaks because it violated developer guidelines. An app must comply with all local laws. It may not put an individual or target group in harm’s way.”

– What local laws does Wikileaks violate?

Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo. You can quote them, disagree with them, glorify or vilify them. About the only thing you can’t do is ignore them. Because they change things. They push the human race forward. And while some may see them as the crazy ones, we see genius. Because the people who are crazy enough to think they can change the world, are the ones who do.

25 years ago Apple promised to its customers that “1984 won’t be like 1984”. – This is beyond sarcasm!

Encryption bug in Apple Mail (… or feature?)

November 15th, 2010 1 comment

Hi Steve

When using S/MIME encryption, which is nicely integrated with the user’s keychain, with IMAP-configured accounts, the app does not encrypt the mail and stores it (e.g. as a draft) unencrypted on the server before it has been sent.

An attacker can either read the unencrypted mail if he has access to the server (sysadmin), or, in case the IMAP connection is unencrypted, read the unencrypted message on the intermediate nodes/routers.

Please fix this.

Take care & best, lx
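The failure mode described above is easy to check for from the outside: whatever the mail client shows, the copy that matters is the one the IMAP server actually stores. The following added example (my own audit helper, not Apple’s code and not a fix for the bug) fetches a mailbox over IMAPS and reports every message whose stored body is readable as is. Only an S/MIME EnvelopedData body counts as encrypted; a signed-only message (multipart/signed) still carries its text in the clear. The three sample drafts are constructed inline, with a truncated placeholder instead of real CMS data, so the classification runs offline; host, user and password for the live fetch are hypothetical and supplied by the caller.

```python
"""Audit stored drafts for S/MIME messages that were saved in cleartext.

Added example, not part of the original post. Sample messages are constructed;
the CMS blobs are placeholders, not real EnvelopedData/SignedData.
"""
import email
import imaplib
from email.message import Message

ENVELOPED_CONTENT_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
ENVELOPED_SMIME_TYPES = {"enveloped-data", "authenveloped-data"}


def is_smime_encrypted(msg: Message) -> bool:
    """True only for an EnvelopedData/AuthEnvelopedData body (RFC 8551, section 3.3).
    multipart/signed and smime-type=signed-data leave the text readable."""
    if msg.get_content_type() not in ENVELOPED_CONTENT_TYPES:
        return False
    smime_type = str(msg.get_param("smime-type") or "").lower()
    return smime_type in ENVELOPED_SMIME_TYPES


def is_encrypted_raw(raw: bytes) -> bool:
    return is_smime_encrypted(email.message_from_bytes(raw))


def cleartext_messages(raw_messages):
    """Message-IDs (subject as fallback) of messages stored readable on the server."""
    leaked = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw)
        if not is_smime_encrypted(msg):
            leaked.append(msg.get("Message-ID", msg.get("Subject", "<no id>")))
    return leaked


def fetch_mailbox(host, user, password, mailbox="Drafts"):
    """Pull every raw message from one mailbox over IMAPS, read-only.
    host/user/password are hypothetical values the caller supplies."""
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        conn.select(mailbox, readonly=True)
        _, data = conn.search(None, "ALL")
        raws = []
        for num in data[0].split():
            _, parts = conn.fetch(num, "(RFC822)")
            raws.append(parts[0][1])
        return raws


# Constructed sample 1: a draft saved as plain text, exactly the bug in the post.
PLAINTEXT_DRAFT = b"""Message-ID: <draft-1@example.invalid>
Subject: quarterly numbers
Content-Type: text/plain; charset=utf-8

Confidential body that should never have reached the server in the clear.
"""

# Constructed sample 2: what a correctly encrypted draft looks like on the wire
# (the base64 payload is a truncated placeholder, not real CMS data).
ENVELOPED_DRAFT = b"""Message-ID: <draft-2@example.invalid>
Subject: quarterly numbers
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEAAAA=
"""

# Constructed sample 3: signed but not encrypted; the text part is readable.
SIGNED_ONLY_DRAFT = b"""Message-ID: <draft-3@example.invalid>
Subject: quarterly numbers
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain; charset=utf-8

Signed, yet anyone holding the stored copy can read this.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAAAA
--sig--
"""

if __name__ == "__main__":
    samples = [PLAINTEXT_DRAFT, ENVELOPED_DRAFT, SIGNED_ONLY_DRAFT]
    for ident in cleartext_messages(samples):
        print("stored in cleartext:", ident)
    # Against a real account: cleartext_messages(fetch_mailbox(host, user, pw))
```

Running the audit against the Drafts mailbox (and against Sent, once the message has gone out) shows directly whether the client encrypted before uploading or only at send time, without having to trust what the client’s UI displays.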