Fingerprint Unlocking
Naomi Brockwell made a new video about fingerprint unlocking.
Naomi Brockwell is decent and I pay attention whenever her latest video isn't cryptocurrency related (because I am a stupid primate and can't get into cryptocurrency).
I mean, it's good that the cryptocurrency nerds (I've increased my nuance now since I've now realized many of the understandably excited cryptocurrency fans aren't all cryptocurrency coin hypebeast techbros/fuckbois) are much more receptive to the general intersection of privacy, security, and anonymity than the general public — probably due to their collective hatred for the SEC of the U.S. — so, I can't complain too much in the fight for actual privacy and security.
I like Brockwell because she basically influenced me to make the move to eventually stop using WiFi on all of my devices — yes, even on my GrapheneOS and LineageOS devices. You can't use the hack that Mr. Robot used in the deleted scene of S3E7 in Mr. Robot to find Irving's car dealership: by visually inspecting the list of known WiFi networks on Angela's unlocked Dark Army Android phone, seeing only 1 unique network name, and finding where the unique WiFi network is in NYC with WiGLE and Google Maps.
- Refer to Brockwell's original video on WiFi and the response video.
There are actually only a few small moments in my life at home in which I actually need to use WiFi — probably because I'm doing a low-bandwidth task that is using up all of the physical ports of my laptop, making Ethernet usage impossible, and using a USB hub isn't highly desirable for a very quick task.
(Additionally, there may be additional health benefits from reducing cell phone radio and WiFi radio radiation.)
Pros
- The video is fact-based. There is no FUD spreading.
- At least for smartphones, fingerprint readers should be wired locally.
- It's likely true that smartphones don't upload your fingerprint to the cloud.
- However, if you distrust your own hardware that much that you find fingerprint scanners to be unacceptable, then avoid fingerprint scanners.
- This approach should also be the same for laptops, such as the X1 Carbon line.
- The news article is from 2018, so that's quite old as a roughly 4-year-old article.
- I think Brockwell has a point about usability: fingerprint scanning is quite convenient — even if it's not good for higher threat models.
- I think physical or remote fingerprint acquisition should be a techy CIA or NSA staple in their tradecrafts.
- I think the Network would like to try empirical trials on unwilling test subjects to see if the “TouchID on iPhone doesn't work on severed fingers” claim holds. That way, you can sidestep the entire issue of being a serial killer (or necrophilic morgue worker)... by becoming a literal nation-state sponsored, lawful evil serial killer.
- Some sick bioengineering students could force severed fingers to work on TouchID...
- TouchID can't save you from Agent 47s going around and knocking you out to scan your finger while you sleep... so much for hyping up cutting people's fingers off.
- This is why I don't trust FaceID: the police can just unlock your phone by knocking you out (because you were “resisting” and/or “being dangerous”) and then holding you by your hair to unlock your iPhone, before the PIN/password time limit ends.
- Oh yeah, that's why you don't leave anything remotely incriminating outside on top of tables, so the police can't seize your belongings. This includes open mail. I think police aren't supposed to be even looking in your drawers and cabinets with no locks, but just put things you don't want the police to see behind locks (even “bad” locks that can be easily lockpicked) so that you can stop them from doing so by reminding them they need a scoped or wide warrant to look through your locked cabinets and other storage areas (at least in the U.S.).
- But if the FBI is there, then you're probably screwed in practical terms...
- You can be positively identified by the literal geometry of your blood vessels... might actually be helpful as knowledge to forensic experts for non-decomposed bodies.
Cons
- This advice is good enough for Naomi Brockwell's audience (which alludes to threat modeling), but not enough for The Hated One's audience.
- Just like how SMS 2FA is better than nothing but inferior to TOTP or WebAuthn, fingerprint unlock is better than nothing but inferior to even a 6-8 digit PIN/a 4-word Diceware passphrase & Weaver on Google Pixels
- The best form of Android security is currently GrapheneOS devices, which use Weaver, the Titan M security chip (with Tensor Core, on the Pixel 6 line devices), and probably something else.
- iPhone is roughly equivalent or slightly better for “normal” people against common thieves, but unacceptable against TLAs/IC agencies (such as FBI, CIA, NSA, and so on), because nation-state hackers will probably buy a 0-day exploit from Zerodium, if those organizations don't already have their remote or physical “iPhone cracker” fixer contact on speed dial.
- Let's be real and address that the current iPhones (since the iPhone X in 2017?) use FaceID instead of any fingerprint reader.
- The only exceptions are the “older” style of Apple devices: iPhone SE (Gen 2), what's probably the current and last iPod Touch, & the older iPads (if those even have TouchID anymore).
- You can't use a password manager for unlocking your smartphone — since this is a “primitive” password and has to be remembered in order to use your secured electronic devices.
- Hopefully I can find polarized security screen protectors... unless you can't take pictures and videos in landscape mode due to the screen protector?
- Just get under a blanket to type in your “primitive” password — just like Snowden in Citizenfour.