Tag Archives: security

iPhone 5s Touch ID sensor is a Big Deal

Updates (September 12, 2013):

Since this post was published, more information has become clear. First, this MacWorld article has details about the Touch ID fingerprint reader. It’s very interesting.

Second, Apple pulled the iCloud Keychain feature from iOS 7 GM. This makes Touch ID a lot less useful. It looks like access to Touch ID is also not yet allowed for third party apps. This is a shame. My guess is that these two things have been delayed, not cancelled. Perhaps iOS 7.1 released alongside OS X Mavericks, which still lists iCloud Keychain as a feature?

Security vs Convenience

There is always a battle between security and convenience. Not only when it comes to technology, but in every aspect of our lives. Otherwise we wouldn’t have locks in our house doors that force us to carry keys everywhere.

When it comes to personal computing, the importance of security has increased exponentially. Smartphones are computers that have lots of personal data and that we carry with us everywhere. Contacts, email, apps with financial info, photographs of our family with embedded GPS coordinates… Someone with malicious intent can do a lot of damage if they get to your phone.

Not only do we carry all this with us, but we keep a lot of personal information online. Some websites may be good about safeguarding it. But many aren’t. Stolen databases are scarily common.

To make things worse, most people re-use the same password (or a few of them) everywhere. And to make things even worse, computer power and sophisticated tools for brute-force cracking of passwords are more effective than you would think, especially if you aren’t using particularly strong passwords.

Why do we do this? It’s the battle. We have limited human memories, and typing strong passwords on a phone is a pain in the ass. Tools like 1Password (I’m a big fan) are very helpful but they still add a layer of inconvenience to the user experience.

Fixing the security issue while adding convenience


Touch ID is a new fingerprint sensor that lives inside the home button of the iPhone 5s. Someone who doesn’t understand security may think it’s boring. But this both improves security (put your finger on the button, the software fills in a unique strong password for you) and removes inconvenience.

Other iPhone 5s features are important but incremental improvements: better camera, faster processor… this one is a leap in functionality. It’s a solution to one of the most annoying usability aspects of smartphones: typing passwords at all times. And it’s a solution to the most glaring problem with most user’s security: reusing weak passwords.

Why wasn’t it done before

Surely you’ve seen Lenovo or Dell laptops with fingerprint readers. Why didn’t anyone slap one on a phone before?

Because they sucked. They are large, slow, require a swipe, in a specific direction and are inaccurate. I don’t know of anyone who uses his other than when mandated by work. Just read this.

Now see the video about Touch ID.

All these technical challenges had to be solved in order to embed a fingerprint sensor into the iPhone 5s. There is a special new sensor, a sapphire crystal button, special co-processor hardware in the A7 chip for storing and decoding fingerprints, and code in the operating system to integrate the functionality. No other company could pull something like this off. Not Google, not Microsoft, not Samsung.

Online security 2

Another ridiculous hacker image recommended by Eva. Click on it for more.

I wrote about password reuse a while ago and I promised to follow up – I just didn’t promise to follow up quickly.

Today, LinkedIn suffered a massive security breach, and 6.5 million passwords were stolen. I went and I changed my password for a new one and I am done. You should do the same, but it doesn’t necessarily mean that you are done.

If you re-use your password, then you are in trouble. You may be really good about not writing down your password and not telling it to anyone… but the breach can happen on the other side. It’s trivial for a hacker to write code to try out every username/password combination on many popular websites (Google, banks, Facebook, etc). Out of 6.5 million passwords, I’m willing to bet they would have lots of success. You should really, really use different passwords for each different account you have.

Impossible to manage? No. Just use a password manager. I use 1Password on the Mac, iPhone, iPad. It stores all the passwords locally and securely encrypted. The browser plug-in for the desktop is really good, and the app for the iPad and iPhone is ok. It all synchronizes seamlessly. It’s an expensive solution, but having your bank account drained or your identity stolen will be way more expensive. There are other similar products but I haven’t tried them.

Will this make you completely secure? Well, no…

…you are never 100% safe. But you can always do better.

And last, and admission: While I knew I was vulnerable because I was reusing just 2-3 passwords on all my online accounts, what prompted me to get serious is when I saw one of my passwords on this list. Shameful.


Hacker stock art for just this kind of occasions - link from Eva


The MKX® along with several sister sites (The MKX® Photo Central, La Polla América, etc.) were all hacked sometime in the last two days.

It looks like it was done through a security flaw in tinymce, a WYSIWYG text editor used by zenPHOTO, the photo gallery software I use extensively. Google blacklisted me (the horror!) but after I cleaned things up (or rather, Moi did) I can be visited again without raising any flags.

The extent of the damage is still unknown. So far I know that

  • The hack occurred on 2011-11-07 at 18:48.
  • Every .htaccess in my sites were injected with malicious redirects. Moi got rid of them. Here’s one sample .htaccess file (as text).
  • A malicious file class.images.php with obfuscated code was created somewhere inside the zenPhoto installation. I have no desire to reverse engineer it. Here’s the link to the file (as text).
  • An empty index.php file was created next to it.

Looks like I have quite a bit of work ahead of me. Those damn russian hackers! More info here.

Online security

Eva thinks I should use this image in this post. Click on the image for others I could have used.

The many high profile hacks that have occurred recently, like the one on Sony and Gawker (and those are the ones we know about) have made me think a lot about my online security. We all know what we need to do: Use different strong passwords that cannot be guessed using dictionary attacks for every single account.

The stakes range from the mildly annoying (someone sending spam from your email account, which can get it deactivated) to the really annoying (damage to your reputation due to inappropriate posts made from your Facebook/Twitter/Google+/whatever account), to the really painful (money stolen from bank accounts, identity theft).

I think password reuse is especially bad: someone gets access to one password database, they can now try them on many popular websites. It will work. Hackers don’t do this because “I” or “you” are terribly interesting people to hack. They do it because it’s profitable. Spam, Google Bombing, you name it. It happens all the time, just see how many fake emails you get from for friend’s email accounts. Just a few weeks ago my friend Rafa had his Skype account compromised and his SkypeOut credit used. It’s real.

Ok, but is there a practical way to have different strong passwords for every service we use? I think there is, and I’ve decided to do it. Follow up post coming.

Prey Project

Prey is an Open Source software project for locating your lost or stolen machine. You install a faceless background service on your computer that runs every X minutes. When it runs, it connects to a server and asks “Is the computer reported as missing?”.

If it is, it takes a webcam photo, a screenshot, gets the geographical location of the computer (think GPS but without GPS hardware which your laptop probably lacks, using WiFi triangulation instead, similar to this) plus some other info. It then uploads the results to the server.

All configuration is done from the website. This way the program on your computer is harder to find and thus to uninstall. Most thieves will not know where to look and there’s a good chance they aren’t sophisticated enough to even format your computer.

So, don’t be a schmuck and wait for your laptop to be stolen: install this thing. It’s free, it’s invisible until you need it, and it may recover your computer one day.

Edit: Removed a redundant mention of “background service”that was repeated and also unnecessary. Pointed out by Daniel Jaramillo.