
(Ars Technica) Security analysts wait to see whether Apple will patch a serious flaw in its fingerprint recognition software that's used by Asus, Dell, Gateway, IBM, Lenovo, NEC, Sony and Toshiba, or just gloat (arstechnica.com)

1561 clicks; posted to Geek on 11 Oct 2012 at 1:21 PM




Archived thread
 
2012-10-11 01:22:59 PM
No one has accused Apple of being responsible for the underlying design of fingerprint-reading software.

... yet.
 
ZAZ [TotalFark]
2012-10-11 01:24:39 PM
As I understand this attack, if you elect fingerprint authentication the OS stores your password encrypted with a key that is also stored on the computer?

Or is the problem that a fingerprint doesn't have enough bits to prevent a brute force attack on a password encrypted with a fingerprint?
 
2012-10-11 01:46:37 PM

ZAZ: As I understand this attack, if you elect fingerprint authentication the OS stores your password encrypted with a key that is also stored on the computer?

Or is the problem that a fingerprint doesn't have enough bits to prevent a brute force attack on a password encrypted with a fingerprint?


The former.

FTFA: "Last month, Elcomsoft, a Russia-based developer of password-cracking software, warned that the software makes users less secure than they otherwise would be because it stores Windows account passwords to the registry and encrypts them with a key that is easy for hackers to retrieve." [emphasis added, naturally]
 
2012-10-11 01:51:17 PM

Theaetetus: No one has accused Apple of being responsible for the underlying design of fingerprint-reading software.

... yet.


Those f*ckers patent EVERY little thing they do. That's gotta leave a paper trail. Even if it was totally accidental, chances are that there is a patent for this thing sitting somewhere with a big ol' Apple logo stamped prominently on the front.
 
2012-10-11 03:28:33 PM
I love picking on Apple, but BFD on this one. The Windows password is a joke to begin with. You can easily reset it by booting into DaRT or ERD. There are probably other tools out there that can be used just as easily.
 
2012-10-11 03:31:16 PM

HMS_Blinkin: Those f*ckers patent EVERY little thing they do.


They didn't do it. They bought the company that did. And dollars to donuts, they're just going to retire that product anyway (or sell it to somebody else) and use whatever IP they actually bought the company for in their own products.

Also: WHY WOULD YOU STORE PASSWORDS IN THE REGISTRY?
 
2012-10-11 05:43:17 PM

Electric_Banana: I love picking on Apple, but BFD on this one. The Windows password is a joke to begin with. You can easily reset it by booting into DaRT or ERD. There are probably other tools out there that can be used just as easily.


It's not as if it's hard to reset the PW in a Linux environment either.
 
2012-10-11 06:29:38 PM
I'd rather they fix the farking iOS 6 / ActiveSync issue where declining an invite cancels the farking meeting for everyone. Finally just had to tell all users, stop using your iDevice for calendar functions.

Days of troubleshooting calendar issues reported by users......

/can't say we've ever had users use the fingerprint scanner thingie anyhow.
 
2012-10-11 07:00:11 PM

t3knomanser: HMS_Blinkin: Those f*ckers patent EVERY little thing they do.

They didn't do it. They bought the company that did. And dollars to donuts, they're just going to retire that product anyway (or sell it to somebody else) and use whatever IP they actually bought the company for in their own products.

Also: WHY WOULD YOU STORE PASSWORDS IN THE REGISTRY?


Seriously. That's where I balance my checkbook.
 
2012-10-11 07:02:19 PM
Ah shiat, you mean I didn't have to cut off that guy's hand? I almost feel guilty now.
 
2012-10-11 07:12:26 PM

ZAZ: As I understand this attack, if you elect fingerprint authentication the OS stores your password encrypted with a key that is also stored on the computer?


That is correct. They do not use anything secret to encrypt the password.

/ The real flaw is that they allow fingerprint-only auth, instead of fingerprint + password.
 
2012-10-12 05:55:40 PM
Here's an easy solution. Enact "You break it, you bought it" legislation for these events. Basically, if you hack code and publicize flaws, you owe the IP rightsholder the estimated profits lost due to low sales and unfavorable publicity, plus damages to the corporation's reputation.

Bam, no more hackers. They couldn't afford the fines. And all our software would be safe.

Right?
 
2012-10-13 12:20:04 AM

BolloxReader: Here's an easy solution. Enact "You break it, you bought it" legislation for these events. Basically, if you hack code and publicize flaws, you owe the IP rightsholder the estimated profits lost due to low sales and unfavorable publicity, plus damages to the corporation's reputation.

Bam, no more hackers. They couldn't afford the fines. And all our software would be safe.

Right?


It's actually better for the companies to know about the found exploits before they're used against them. Numerous cases of companies that scrambled to patch software flaws before a security expert would, for example, do a talk on it at a hacker conference a month or two later. Then it becomes bad publicity if they can't fix it by the time of the talk (although some, through courts, have also stopped the expert from doing his talk emphasizing they were working on a fix).
 


This thread is archived, and closed to new comments.
