
Yes. And how exactly do we check this? Why is it that we can still trust Apple? For all we know, the data gets sent directly to the NSA or, if it doesn't, there might be some secret backdoor that will make the device send the data at a later point. The last round of leaks was specifically talking about backdoors with all bigger US companies in order to circumvent encryption.

That's what I mean by "we have to consider the iPhones backdoored". Once you can't trust the device any more, all bets are off and thus we can't be sure that what Apple says they do with that fingerprint is what they actually are doing.

(edit: regarding jailbreaking, I seriously doubt that a sufficiently well-hidden backdoor would be found by a jailbreaker. Or have we found the backdoors in OSX or Windows yet? Since the latest leak, we know they are there)

This is incorrect - we do not know any particular products which are backdoored.

edit: Also, there is a difference between a subtle crypto vulnerability and sending data to a server that, according to the announcement, is designed to be protected in its own enclave and never sent anywhere. The latter would be far more obvious in the code and easier to spot.

> The latter would be far more obvious in the code and easier to spot.

But we can't see the code. And it's far from certain you'd be able to pick it up through watching data packages.

I'm pretty sure, when they jailbreak it the truth will come out. And I doubt Apple would take the risk for lying about that.

Well, as a computer/network security professional, historically there are plenty of examples of companies who have lied about the security of their systems (e.g. "without your password, our flash drives cannot be decrypted" when in fact the key is not related to the password and stored in plaintext in a sector on the drive).

Would you be able to give some examples? I enjoy reading those types of stories.

Who has the decryption key?

In the ideal world, there is no decryption key. They should use a one-way hash of the encoded fingerprint.

They might want to do approximate matching, though. That could make it hard or impossible to do without the decryption key.
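The trade-off raised in the two comments above (a one-way hash versus approximate matching), as an added example that is not part of the thread. It assumes a constructed 256-bit toy template and a Hamming-distance threshold; it does not describe how any real sensor or vendor encodes or matches fingerprints.

```python
import hashlib
import random

TEMPLATE_BITS = 256  # assumed size of a toy binary template


def make_template(seed):
    """Constructed stand-in for an encoded fingerprint: a random bit list."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]


def noisy_reading(template, flips, seed):
    """Same finger read again: a few bits differ because of sensor noise."""
    rng = random.Random(seed)
    reading = list(template)
    for i in rng.sample(range(TEMPLATE_BITS), flips):
        reading[i] ^= 1
    return reading


def digest(bits):
    """One-way hash of the template, as the comment proposes."""
    return hashlib.sha256(bytes(bits)).hexdigest()


def hash_match(stored_digest, reading):
    """Exact equality is the only comparison a digest supports."""
    return stored_digest == digest(reading)


def fuzzy_match(stored_template, reading, threshold=40):
    """Approximate matching needs the stored template itself in the clear."""
    distance = sum(a != b for a, b in zip(stored_template, reading))
    return distance <= threshold


def demo():
    enrolled = make_template(seed=1)
    same_finger = noisy_reading(enrolled, flips=10, seed=2)  # 10 noisy bits
    other_finger = make_template(seed=3)
    stored = digest(enrolled)
    return {
        "hash_exact": hash_match(stored, enrolled),
        "hash_same_finger": hash_match(stored, same_finger),
        "fuzzy_same_finger": fuzzy_match(enrolled, same_finger),
        "fuzzy_other_finger": fuzzy_match(enrolled, other_finger),
    }


if __name__ == "__main__":
    print(demo())
```

The digest rejects a second reading of the same finger because any flipped bit changes the whole hash, while the distance check accepts it but only works if the verifier can read the enrolled template.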

Which is also when we can start hacking it for fun and profit.

Have you ever used an ATM? Did you check that it didn't have embedded fingerprint readers in it?

Seems to work when I have my gloves on.

So does your iPhone's home button.

Yea but they explicitly say it has a fingerprint sensor.

Which seems like the more likely covert NSA spy device? The iPhone fingerprint sensor that Apple prominently mentioned in a product launch or the hidden ATM fingerprint sensor that your bank says isn't there?

It's probably where you least expect it, and you seem to be suggesting it's less expected in the iPhone ;).

The NSA has the ability to compromise the devices http://www.spiegel.de/international/world/how-the-nsa-spies-...

good spy novel stuff... steal the prints of some foreign bigwig, or say Julian Assange, plant a copy in some compromising crime scene...

Well, you can sniff packets in/out I guess and know if the process will or will not send info to the internet.

Well, you can't trust _any_ device if that's your line of thinking. Not an iPhone, not an Ubuntu phone, no device whatsoever. Not unless you've baked your own chips, or made some contraption running your software in parallel on different CPU architectures.

If you're going to do anything, including working on the computer you're typing your comments on, you have to trust a lot of parties. Some of that trust involves knowing who made the code, and some of it may involve the knowledge that the NSA will not be using their best, most secret backdoors against a whole lot of people.

If you don't trust the iPhone not to steal your fingerprints then you probably shouldn't own an iPhone -- fingerprint reader or not. I mean, that's sort of obvious, no?

What phone should you own instead? It seems like the only choice if you want real privacy is to stop using a phone at all, but that's obviously unrealistic for many people.

So toss a packet-sniffer between your phone and the backup servers. See if the iCloud backup has sufficiently more data inside than before.
