bodz | 7 years ago | on: Mammalian Near-IR Vision Through Injectable, Self-Powered Retinal Nanoantennae
bodz's comments
bodz | 8 years ago | on: Toys ‘R’ Us Plans Bankruptcy Filing Amid Debt Struggle
It's a game of "what-ifs", but I'm fairly confident in saying I wouldn't be pursuing the career I am now if I had never had the experiences of walking down the Lego aisle at the toy store and falling in love with piecing together toy cities.
bodz | 8 years ago | on: Equifax Stock Sales Are the Focus of U.S. Criminal Probe
At my consulting firm, the execs in charge of our cybersecurity consulting practice are absolutely not involved in any internal cybersec investigations that happen to our own firm. In fact, we have specific procedures which say that our cybersecurity consultants cannot be involved with internal incidents. All internal investigations have to be done by outside, impartial firms.
bodz | 8 years ago | on: Equifax Stock Sales Are the Focus of U.S. Criminal Probe
It doesn't do anyone any good if you release a statement as soon as you notice abnormal behavior that just says "we might have been breached and our customers may be affected, but we don't know who is affected and we don't know how it affects them yet".
bodz | 8 years ago | on: Equifax Stock Sales Are the Focus of U.S. Criminal Probe
The CFO is the one that is a little iffy, because the CFO might be involved in the hiring of the external firm. However, having worked for security consulting firms, it's also entirely possible that the CISO is given a blank check for this type of stuff without having to get CFO approval. I've worked in plenty of organizations doing cybersecurity work where the C-suite (including CIO, CFO, etc.) was completely unaware we were there because they don't have to rubber stamp every single transaction.
It's also a possibility that the 8/2 date on which they "contacted" the firm was just when discussions started between the two parties, and it might have been a few days before a contract was ironed out enough to involve the CFO or anyone else.
There's a bunch of other possibilities/scenarios in which I think it's entirely believable that they didn't know. It's shady and worthy of investigation, yes, but I'm not willing to convict them just yet.
bodz | 8 years ago | on: Equifax Stock Sales Are the Focus of U.S. Criminal Probe
Now, based on my experience, it's entirely possible that the July 29th "discovery" date only refers to the date on which some security analyst noticed abnormal behavior. Combine that with the possibility that Equifax doesn't have good security communication practices in place, and it easily could have been a few days (or even weeks) before the security team looked into it enough to know the size of the breach and escalated it up to the C-suite.
bodz | 8 years ago | on: Fingerprints are usernames, not passwords (2013)
bodz | 8 years ago | on: Face ID, Touch ID, No ID, PINs and Pragmatic Security
As far as border searches go, border officers have the authority to request your PIN just as they have the authority to request your thumbprint/faceprint/etc. If you don't give it to them, you can be detained and/or your phone confiscated [1]. Rebooting your phone won't help.
1: https://www.washingtonpost.com/news/volokh-conspiracy/wp/201...
bodz | 8 years ago | on: I recommend against using biometric identification
In my experience as a security consultant, one of the biggest problems (and it's a very big problem) we face is that average users lack training and awareness of good security principles. It's really bad to rely solely on system designers for your security. Even if your system designer is 100% effective, it just takes one unaware user to do something bad such as give their password over to a phishing call and you're screwed. And if for nothing else, training and awareness is necessary because without it, you get users kicking and screaming when they don't understand why you've implemented certain security features, which typically means you end up implementing less security to avoid the kicking and screaming.
And just like in your average security training and awareness session you'll have a lesson on "don't give your password to someone on the phone, even if they claim to be your IT guy", we also have lessons on "fingerprints are not passwords, and you should not use them as such", but this is hard to get through people's heads when Apple's marketing material says otherwise (as shown in my previous comment).
bodz | 8 years ago | on: I recommend against using biometric identification
And here lies the problem. Apple treats them as if they are.
"Your fingerprint is one of the best passwords in the world" - Apple during the keynote when they introduced TouchID[1]
"Your face is now your secure password" - Apple during yesterday's keynote introducing FaceID[2]
bodz | 8 years ago | on: I recommend against using biometric identification
No, I'm not. TouchID is the most popular implementation, and because it's present on every iPhone (which is the most common device to be a work phone, and thus also connected to work email and work networks), and because TouchID is also insecure, thus arises the problem.
> If it's that important, use a biometric print AND a PIN.
This is not possible on the iPhone, and wouldn't solve the problem anyway: consumers are under the false impression that fingerprints are the best security available, and they become frustrated to learn that Apple has been lying to them when corporate IT tells them fingerprints actually suck and they can't use fingerprint locks (or have to use fingerprint + something else) if they also use their phone for work stuff.
> And by having a person physically press the correct finger onto your obvious fingerprint-stealing device. . . But if someone has the power to compel you to do that, they have the power to compel you to just put your finger on your phone for them.
What? No, you don't. You're just making stuff up now. You can steal someone's fingerprint by simply having access to something they touched, and then you can duplicate it with $10 worth of office supplies.
> This is even more involved. This involves having to lift the print with a high fidelity scanner and create a latex mold of it. What are you securing on your phone where this is a concern?
Network access to a corporate environment that has millions of SSNs, credit card numbers, etc. You think that a few hours of fiddling around with a latex mold is "too much work" for this? Think again.
> Maybe if fewer services forced people into using inane and impossible-to-remember passwords and just relied on biometric authentication instead folks wouldn’t need password managers that are so easy to unlock.
You miss the point. This wouldn't solve the issue at all, and would actually worsen it. Fingerprints are inherently insecure. Using fingerprints for more accounts is, thus, more insecure.
> I don't understand how you derived THAT from this:
I "derived" it from years of experience working as a cybersecurity consultant where at every company someone complains that "Apple says it's secure, so you must be wrong". Watch the keynote. Apple refers to TouchID as "the gold standard", "one of the most powerful passwords in the world", says "it is the most advanced technology", calls it "very high security".
bodz | 8 years ago | on: I recommend against using biometric identification
Sure they can. Haven't you ever seen a cop show where the detective tricks the suspect into drinking from a cup of coffee so they can lift the suspect's fingerprint from the cup?
"Hi John, nice to meet you! * shakes hand *" I now have John's fingerprints from where he touched me when he shook my hand.
"Hey John, can you send me a selfie?" I now have a picture of John's face and possibly his iris.
Hell, I bet it won't be long at all until someone finds a way to use the iPhone X's own "TrueDepth" camera to record a 3D scan of the user's face which can then be used to fool FaceID.
bodz | 8 years ago | on: I recommend against using biometric identification
The FaceID marketing is the same. The iPhone X advertisement released today[2] says "your face is now your secure password". The website says "Face ID is so secure you can use it with Apple Pay". During the keynote today they actually even said up until FaceID, TouchID "was the gold standard". About FaceID they said "FaceID is the future of how we will unlock smartphones".
You'll note that nowhere in any of its materials or even in the deep recesses of its website does Apple acknowledge that even though Face/TouchID is great, it's still not as good as a strong passcode. The closest they come is during the keynote, where they acknowledge "nothing is perfect, not even biometric", but you'll notice that even this statement subtly tries to imply that biometrics is the highest security available ("not even biometrics").
1: https://youtu.be/X5zt1V7H88I?t=227
2: https://youtu.be/K4wEI5zhHB0
bodz | 8 years ago | on: I recommend against using biometric identification
For the average person who is just securing their phone that only stores pictures of their cat, this isn't a concern, but that's far less than 99%. For pretty much anyone who is logged into their work email/VPN via their phone, or is using fingerprint scanners to secure their work laptop, this is a very real concern that I have seen exploited a few times in the real world.
> Both FaceID and TouchID need to read a living person with a pulse in order to authenticate.
TBD with FaceID, but with TouchID this isn't the case. You can defeat TouchID with $10 worth of office supplies and some play-dough.
> Which bank accounts are taking fingerprints? Do you mean people's banking apps on their phones? In order to get to that they would need to steal both your phone AND your fingerprint.
Since your phone literally has your fingerprint left on it from when you touched it, this isn't really a difficult task.
And as I mentioned, it's even worse if you're one of the people who uses a password manager on your phone that is also locked with fingerprint. Then, every account you have is now compromised. And even if you're using 2FA, your phone is likely your 2FA device, which the thief also has.
> This often happens when someone shoves policy down people's throats without explaining themselves or getting buy-in from their clients. This is a communication skills problem, not an issue with biometrics.
No, it is undeniably an issue with biometrics (and the way they're treated). Training and awareness (communications) is one of the primary problems that any security implementation will try to tackle, but it's just made more difficult to do that when Apple is pushing falsehoods like "TouchID is the most secure thing ever!" in all of their marketing materials.
bodz | 8 years ago | on: I recommend against using biometric identification
Individuals who had their fingerprints stolen in that hack can now never use fingerprint readers with any reasonable confidence, since now all a hacker has to do is search that person's name and pull their fingerprint from one of the aforementioned databases.
> fake your fingerprints with a cast
Fingerprint scanners like those on phones have been shown to be able to be fooled by using $10 worth of office supplies and some play-dough. It's not like we're talking mastermind levels of intelligence to do this stuff.
Of course, all of this completely ignores the fact that your phone likely already has several copies of your fingerprint on it since you touched it, so it's not like someone hacking your fingerprints is even necessary. That's an entirely different reason why fingerprint security is abysmal, though.
bodz | 8 years ago | on: I recommend against using biometric identification
The problem is that while the actual ranking from least secure to most secure is "nothing < touchid/faceid < passcode", Apple's marketing and implementation gives people the false impression that it's "nothing < passcode < touchid/faceid", which is bad for security.
I was thinking this was cool because if it works in the cornea, it could possibly be injected into a contact lens and achieve the same effect. But it looks like that won't work because the effect depends on the chemical being in (very) close proximity to photoreceptors in the retina.