Hacker News | brador's comments

My morning routine is still http://skimfeed.com

> It's no longer considered an appropriate place for candid conversation.

So what are they using instead? Whatsapp? Other messaging app? Instagram?


Snapchat.

And don't make the mistake of thinking Snapchat is just about nude pics. It is mostly used for saying things you want to disappear rather than have everyone reread in the morning.


As soon as people like me know, they move on. The day that professors (me), cops (old people) and parents (very old people) start noticing a platform it's time to switch. Some of my students are using services more popular in Asia. But many, particularly females, simply aren't sharing information about themselves as they might have 5-10 years ago. The novelty is gone.

The issue is Apple cannot verify a secure touch ID replacement over a compromised touch ID replacement. Without knowing if your replacement is secure the change potentially compromises the security of the whole device.

IMO bricking on touch ID issues is extreme, but maximises the security of the device.


>IMO bricking on touch ID issues is extreme, but maximises the security of the device.

We are all smart people here and there are several ways to have security without bricking expensive hardware.

First, the update can wipe the device instead of bricking it.

Second, Apple can provide an option to replace the fingerprint chip and charge, $150-$200 or whatever it costs for it.

There would be several better solutions that the most profitable company in the world could figure out if they wanted to. It's funny how their particular solution happens to make them even more money through shutting down third party repairs and making people buy new phones.

This is like your home alarm software(made by the home builder) remotely burning down your house and telling you to build a new one because someone may have tampered with home access and could possibly enter your home.


> Second, Apple can provide an option to replace the fingerprint chip and charge, $150-$200 or whatever it costs for it.

At the end of the article, it said that affected customers should contact Apple Support. Are you sure they are not offering a hardware fix at that point? It doesn't sound to me like they're just letting people hang.

From a different article:

>When Olmos, who says he has spent thousands of pounds on Apple products over the years, took it to an Apple store in London, staff told him there was nothing they could do, and that his phone was now junk. He had to pay £270 for a replacement and is furious.


There is a failure in the apple stores vs phone support. I went to two Apple stores to try to get my watch band replaced or fixed under warranty and was told by both of them "no way no how" - but phone support had no problem replacing the band.

I find the stores are somewhat inconsistent in their application of policy. (Particularly if the policy isn't well defined ahead of time, as in this case)

(As an aside, the practice of requiring an appointment to talk to a support person or even just drop off a broken computer is maddening.)


Alternative interpretation -- "A customer voided his warranty by installing some rando third-party aftermarket parts, and is furious that it didn't work out."

Yes. Just as destroying the phone with a hammer maximizes the security of the device. Effective but entirely useless.

The phone would still work perfectly fine and safe if Touch ID would be disabled and input from the sensor wouldn't be trusted.


> The issue is Apple cannot verify a secure touch ID replacement over a compromised touch ID replacement. Without knowing if your replacement is secure the change potentially compromises the security of the whole device.

What are you even talking about?

If the fingerprint scanner is suspicious, just disable it and leave the rest running. And this is in fact what happens, until a software update is installed and then the phone suddenly decides to brick itself completely.


Does the 911 feature still work on these phones? 911 should work even without a SIM card and without any other authentication, to purposefully disable a phone in this way may have bigger repercussions than just 'security'.

How? TouchID is the less secure authentication than password/PIN anyway (which is shown by the fact that you need to enter PIN/Pass right after boot). How would just disabling TouchID auth be a worse option?

>TouchID is the less secure authentication than password/PIN anyway (which is shown by the fact that you need to enter PIN/Pass right after boot).

The fact that you need to enter PIN right after boot, just shows that they use "two factor authentication" to make it even more secure.

It doesn't IN ANY WAY show that TouchID is "the less secure authentication" method of the two.


You can do anything you want on the phone without using Touch ID at all. The fingerprint sensor is not a necessary factor in their implementation, while the passcode is.

> You can do anything you want on the phone without using Touch ID at all

I believe ApplePay requires TouchID.


I can't try because Apple Pay isn't available here yet. According to this support document it works without Touch ID (emphasis mine):

> To help ensure the security of Apple Pay, you must have a passcode set on your device and, optionally, Touch ID. [...] To send your payment information, you must authenticate using Touch ID or your passcode.

https://support.apple.com/en-us/HT203027


Fingerprints are impossible to change and can be brute-forced. Therefore, fingerprint security is less secure than a password that can be changed.

Brute forced with what? Trying different fingers?

A fingerprint, like any piece of data, is handled at the lowest levels as a number. A number with some constraints, but a number.

By feeding numbers into the scanner instead of fingers, you can accomplish the same effect as feeding random strings into a password box. Further, it's also possible to take fingerprints through social engineering, or by getting at the database of a company that uses fingerprints as security. Five bucks says someone's already storing a bunch of fingerprint data as plaintext.


>By feeding numbers into the scanner instead of fingers, you can accomplish the same effect as feeding random strings into a password box.

Isn't this exactly why they DON'T allow you to use the iPhone with a potentially tampered with HW/TouchID -- e.g. the very feature/issue we're discussing?


Well, yes.

I'd argue that fingerprints for security are just silly to begin with.


> The issue is Apple cannot verify a secure touch ID replacement over a compromised touch ID replacement. Without knowing if your replacement is secure the change potentially compromises the security of the whole device.

The correct solution there would be to pop up a warning saying the TouchID hardware has been tampered with, and giving the user an option to validate it.


That wouldn't really be a good idea. Someone could steal your phone and replace the TouchID hardware. Then this popup comes up and they say, oh yeah this hardware is totally legit! Then they get your data, impersonate you, charge stuff etc.

The prompt would have to be after you authenticated your phone in some other way, like via the passcode.

I think it's totally OK not to accept authentication from an unvalidated device, but a legitimate user should be able to do the validation.


I think the post is referring to a hotel maid scenario.

Fingerprint scanners are useless for security. My fingerprints are everywhere, especially all over my phone. Touch id merely buys time, which can increase security but if they get my fingerprints, make a dummy finger then they need very little time to open my phone. If they are determined they'll do it. If they are not, probably they won't care about the data in my phone.

They have at most 48 hours (or perhaps 24?) and 5 tries to find your fingerprint and unlock the device. TouchID will discard the keys and require a passphrase if it is not used for a while or after the fifth invalid fingerprint attempt. The window of opportunity is not that big. I would not characterize it as useless at all.

> The issue is Apple cannot verify a secure touch ID replacement over a compromised touch ID replacement.

Couldn't they just ask the user? Use the backup password to authenticate.

If it's my device, I want to be the one who chooses what I trust.


No bubble burst this time, it will be a sequence of large corrections. Too many small time investors willing to invest for low returns to crash like 2k.

> ├── GrandLodge_DB_backup.tar

Don't the Freemasons call their clubhouse a Grand Lodge?

-----


More than one group uses that vernacular, but yeah that's a good context clue. Freemasonry is frequently popular among law enforcement types.

-----


grandlodgefop.org is actually one of their domains, pointing to the same page as fop.net

-----


...aaaaand now I'm interested enough to download.

-----


As a company founded on disruption and (mostly) willing PhD dropouts, I'm surprised you've set this at 5 years.

Ask yourself, is the additional research in extra years worth it over what can be accomplished in x years? (1-2 years in this case).

I say do what you've always done: fund disruptive ideas. In this case, research proposals with short timescales and big impact.

-----


> The purpose of advertising is to make you buy more than you need.

That's an incredibly cynical way of looking at the situation. There is also the purpose of telling you about a product you can buy that might possibly be beneficial to your lifestyle. Through advertising you get to find out about that product faster, something especially important in these days of brisk innovation.

-----


I can't recall ever having learned anything of value from an ad, but YMMV. Still, it's not cynical to say that advertising is meant to make you buy more, because that's why ad space is bought: to boost sales. And it's also not cynical to say that those extra sales would not have occurred without the ad, hence they were for goods people could have done without. Something which can be done without is unneeded, hence, it is not cynical to say ads are meant to make you buy things you don't need. Or rather, they're meant to make you think you need more than you did before. Advertising is the engine of consumerism.

-----


> And it's also not cynical to say that those extra sales would not have occurred without the ad, hence they were for goods people could have done without

Here's the error.

Yes, they were products the target could have done without, but not something they can do without once they have the product.

Consider: The first iPhone. A device that opens possibilities to improve your life that never existed before. You could do without it, but once you have it you can't do without it.

I think you'd have appreciated an ad for the original iPhone if it eventually led to you buying one.

-----


You're confusing need with want. Nobody needs an iPhone, not even after they get one. Plenty of people want an iPhone. To be fair, the statement "advertising makes you want what you don't need" is not a value judgment on whether that is a good or bad thing. It could be that advertising is beneficial to the world. It just seems unlikely.

-----


> end user trusts the transaction is legit

Maybe that's the hard part these companies solve for. When a deal turns sour you have someone to shout at. With a blockchain, you have no one. In effect, the companies you mentioned are the facilitators of trustful transactions.

-----


What would it take to completely wipe out all student debt? In theory, could a President's pen stroke do it?

-----


Obama has already done such a giveaway, writing off student loans for certain schools that were paper mills and shut down once they got any scrutiny. The loser? Taxpayers.

Instead of discharging that debt, he could have offered to apply that balance to genuine, accredited programs (e.g. if the student had $80K in debt principal, she could get the first $80K taken from that balance instead of new debt). In other words, they made that money commitment in search of a degree -- they shouldn't just dump all that on the taxpayers with no societal gain from it.

Another parallel taxpayer-funded debt reduction done by the current administration was to change such windfalls to non-taxable (as regular income, as it always had been), again at the expense of other taxpayers.

-----


> improving inner city schools is simply not contingent upon how much money is thrown at them.

Because of the prevailing infrastructure. If instead he had created a customized boarding school for the inner city kids somewhere safe and pleasant we'd be seeing real meaningful change in their outlook right now.

As it is, they were in the same unhealthy environment they've always been in. It's not the schools, it's the teachers, the streets, their peers, the home life, everything.

A boarding school is the best solution to fix all that.

-----


Research shows that school racial integration alone increases outcomes for all children by high double digits. In fact, racial integration is to my knowledge the only reliable method anyone has bothered to attempt to improve educational outcomes in underachieving schools.

What are referred to as "inner city schools" can more relevantly be referred to as re-segregated schools or just never-integrated schools.

ProPublica came out with extremely compelling data on this subject just several weeks ago.

-----


Is this the article you're referring to?

http://www.propublica.org/podcast/item/how-5-florida-schools...

It's a bit thin on data / statistics..

-----


What about the fact that you're removing them from their families? Yes, the children may have a better future but they also become disconnected from their communities.

-----
