iPhone Fingerprint ID: More Trouble Than It's Worth?

If you believe the security pronouncements of any of the giant tech firms, please leave your information in the comments, I have a bridge to sell you.  Of course, the mainstream media are not nearly so skeptical.  Indeed, they're eating it up.  From Bloomberg:
Apple’s use of fingerprint scanning in its new iPhone models could lead more device makers to adopt the authentication method as a successor to passwords - - and that’s fine with privacy advocates.

The introduction coincides with the rise of cybercrime and revelations that the U.S. National Security Agency has intercepted Internet communications and cracked encryption codes on devices including the iPhone.

Apple said that on the new iPhone, information about the fingerprint is stored on the device and not uploaded to company networks -- meaning it wouldn’t be in data batches that may be sent to or collected by U.S. intelligence agencies under court orders.

“They’re not building some vast biometric database with your identity associated with your fingerprint that the NSA could then get access to,” Joseph Lorenzo Hall . . . .
That latter quote is rather funny, as governments and corporations routinely deny that they are building vast databases on us as they build vast databases on us.  Wired is a bit more circumspect:
There’s a lot of talk around biometric authentication since Apple introduced its newest iPhone, which will let users unlock their device with a fingerprint. Given Apple’s industry-leading position, it’s probably not a far stretch to expect this kind of authentication to take off. Some even argue that Apple’s move is a death knell for authenticators based on what a user knows (like passwords and PIN numbers).
While there’s a great deal of discussion around the pros and cons of fingerprint authentication — from the hackability of the technique to the reliability of readers — no one’s focusing on the legal effects of moving from PINs to fingerprints.
Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints . . .

Technophobic Court Warns Against Open Source Software

From the EFF:
Should we fear open source software? Of course not. But that hasn’t stopped federal courts from issuing bizarre warnings like this:
The court would like to make CM/ECF filers aware of certain security concerns relating to a software application or .plug-in. called RECAP … Please be aware that RECAP is “open-source” software, which can be freely obtained by anyone with Internet access and modified for benign or malicious purposes … .
To understand this strange edict, we need to review the history of RECAP and why it might be unpopular with court officials . . .
Read the whole thing for all the gory details. 

Technologically Illiterate Court Claims Use of Open Wifi Is Wiretapping

While government agencies illegally and routinely spy on our everyday communications without repercussion, a court has ruled that sniffing open wifi signals may be considered wiretapping.  From Tech Dirt:
A couple years ago, we were disappointed to see a judge take the technologically wrong stance that data transmitted over WiFi is not a "radio communication," thereby making sniffing of unencrypted WiFi signals potentially a form of wiretapping. Indeed, based on that, the court eventually ruled that Google's infamous WiFi sniffing could be a violation of wiretap laws. This is wrong on so many levels... and tragically, an appeals court has now upheld the lower court's ruling.

There are serious problems with this. Under no reasonable view is WiFi not a radio communication first of all. That's exactly what it is. Second, sniffing unencrypted packets on an open network is a perfectly normal thing to do. The data is unencrypted and it's done on a network that is decidedly open. It's like saying it's "wiretapping" for turning on your radio and having it catch the signals your neighbor is broadcasting. That's not wiretapping. Third, even the court here admits that based on this ruling, parts of the law don't make any sense, because it renders those parts superfluous. Generally speaking, when a court ruling would render a part of a law completely superfluous, it means that the court misinterpreted the law . . . 

Coming Soon: Wireless Charging

From Tech Crunch:
Wireless power. It’s less sci-fi sounding than it once was, thanks to induction charging like that based on the Qi standard, but that’s still a tech that essentially requires contact, if not incredibly close proximity. Magnetic resonance is another means to achieve wireless power, and perfect for much higher-demand applications, like charging cars. But there’s been very little work done in terms of building a solution that can power your everyday devices in a way that doesn’t require thought or changing the way we use our devices dramatically. That’s where Cota by Ossia comes in.

The startup is the brainchild of physicist Hatem Zeine, who decided to focus on delivering wireless power in a way that was commercially viable, both for large-scale industrial applications and for consumer use . . . 

Verizon Lawsuit Against Open Internet in Court Today

From Ars Technica:
In December 2010, the Federal Communications Commission adopted the Open Internet Order, enshrining the concept of "network neutrality"—that Internet Service Providers must treat all data on the Internet equally—into law. . . .

ISPs don't like this, naturally, but Verizon has objected most strenuously of all. The company sued to halt the Open Internet Order, and after a couple of years worth of legal filings the case is now set to be decided by the US Court of Appeals for the District of Columbia Circuit.

Verizon and the FCC on Monday will each get 20 minutes to make their oral arguments . . . 

Google Seeks to Get in Ahead of NSA Scheme to Undermine Internet Encryption

From The Washington Post:
Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

The move by Google is among the most concrete signs yet that recent revelations about the National Security Agency’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.

Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program . . . 

Netizen Self-Defense Against the NSA Adversary

Bruce Schneier literally wrote the book on Applied Cryptography.  In an article for the Guardian, provides some advice for those who are concerned about privacy and security and explains what measures he takes in order to secure his information.  From the Guardian:
I have five pieces of advice:
1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.
2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.
3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.
4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about.