112 comments

[ 3.9 ms ] story [ 181 ms ] thread
Can the mods or OP change the url to the english version? https://www.truekey.com/
It seems to do a redirect from .com to .com/de for some reason.
Does that too for me. Probably GeoIP gone horribly wrong.

Click on "sprache" at the bottom and select English, or just change the URL to /en in the location bar.

The owner of this website (www.truekey.com) has banned the country or region your IP address is in (BY) from accessing this website.

Awesome.

Strangely - Tor may work. I connected via a Brazillian VPN (from Australia) and got a Cloudflare challenge.
I don't see why I'd want to use a service that bans my country from even accessing their website.
I don't see why I'd want to use a service that bans my country from even accessing their website.
I was just going to say the same. The intel.com page does not have pricing information and just states that it's free for up to 15 passwords, whereas the True Key site [1] provides pricing information ($19.99 a year for unlimited passwords) and also has links to the mobile apps.

[1]: https://www.truekey.com/

(comment deleted)
I'm rather concerned about the face recognition part and how easily that might be fooled. Has anyone tried that?

It's an interesting take on a password manager though, I do like the second factor through an additional device before it grants access.

Although not this particular face recognition. I managed to fool face recognition passwords in the past with a simple photograph of the person. As you would expect it works perfectly fine.
This is part of the reason Windows Hello won't use standard webcams for facial recognition. They require a depth camera (very unusual feature on laptops, usually marketed as Intel Real Sense) so that a simple photograph isn't enough to fool the camera.

This is still far from perfect though; a truly determined bad actor could create a passable 3D model, or even a face mask, and probably still fool the sensor. It just takes more work. The whole point of passwords is that no one can know them but the person intending to use them. Using a publicly visible part of my body is just asking for trouble.

>AES-256, one of the strongest encryption algorithms available

Hmm... I'd take 4096-bit GPG over this any day. I rather like using pass[0]

[0]https://www.passwordstore.org/

A KeePass database over Dropbox is what works for me.
Little do you know that gpg uses a symmetric cipher like AES-128, only encrypting the symmetric key with your asymmetric RSA keys.
(comment deleted)
True Key makes use of the Intel Management Engine (IME). It gives a hint at what Intel is up to with the IME. One of the intended uses is "identity protection", storing secrets like e.g. biometric data in the realm of the IME, and to ultimately get rid of passwords.

Considering the security concerns regarding the IME, I doubt that it is a good idea to hand your passwords over to Intel (ME). At least I don't want to support this technology by using apps that utilize the IME.

To read up on the IME there is a free book by one of the developers on it...

http://link.springer.com/book/10.1007%2F978-1-4302-6572-6

Inside is an entire chapter on Intel's identity protection.

Interesting that Apple is doing similar things with the embedded ARM stuff in the new touchbar MBPs.
The thing is that Apple actually has a pretty good track record for security and not violating the privacy or integrity of customers' products. I have a lot more trust in Apple doing this correctly. I'd be fine with Intel taking on secure computing, but there's been some pretty bad stuff with the IME (like sending data to the internet outside of user control when using intel NICs), so I'm skeptical of this approach (especially when they're talking about facial recognition as a security measure).
> but there's been some pretty bad stuff with the IME (like sending data to the internet outside of user control when using intel NICs)

That's also a typical concern about baseband processors - and Apple has a baseband processor integrated into their iPhones and iPads. OK, there is a difference: While for ethernet ports (and with a little bit more effor WiFi connections) you can at least theoretically analyze whether there is dubious traffic, this is nearly impossible for connections over mobile networks.

That's sort of the FCC's fault; it's very hard to get a high-bandwidth device certified under FCC regs (e.g. part 15) if it doesn't have a locked-down processor that controls radio functionality. See this article about the FCC intentionally/unintentionally locking down Wifi routers due to licensing requirements: https://www.wired.com/2016/03/way-go-fcc-now-manufacturers-l...

I'm sure if it were up to apple they'd be putting high-level radio functionality in the main CPU. It's cheaper that way, and matches with Apple's security/privacy-oriented marketing.

Just to give an idea of how bad the stuff is with the IME, I recommend reading up Chapter 4 here:

Intel x86 considered harmful by Joanna Rutkowska

https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

The IME is basically a second computer inside your computer, running as the most privileged component on the platform. It has privileged access to all components of the system, and runs as long as the computer is plugged in or has battery (even if it the computer is switched off). It is under the control of Intel, they decide what the IME does, and it can use the NIC as it pleases, unnoticeable for the host system. It can not be disabled, switched off or removed. The rootkit researcher Rutkowska described it as "an ideal rootkiting infrastructure".

Even if I would not consider "... considered harmful" essays as screamers for attention, I would still take detraction about ME with a grain of salt, because:

* it's easy to counteract, just not use an Intel NIC * it gets a lot of scrutinity * Intel is quite open about what it does, short of releasing signing keys for the firmware * the mobile platforms have similar secure enclaves (think baseband processors on phones), which nobody actually audits

All of these make me think Rutkowska found out that bashing x86 gets her attention, and now she uses it as a beating horse.

We need a "Rutkowska Hand-Waving Considered Harmful".

This paper is a bunch of insinuation. It goes into great dramatic length to describe how Intel ME is more evil than AMT/vPro, which runs in the same service processor context, but then selectively uses the features of AMT and attributes them to ME. If we were talking about servers, this paper would be talking about how the service processors on HP servers could be used to build a "bad iLO" that phoned home or allowed unauthorized parties to access.

Intel devices aren't "phoning home". These claims require evidence... I don't see a network capture. Activated AMT implementations will phone back to your home, and allow things like remote control, remote bricking, or remote repair of management software.

Saying that ME is "an ideal rootkiting infrastructure" is a statement without a lot of meaning. You could make the same statement about Windows, Linux or any number of components in a modern computer.

Apple went a lot farther with the iPhone a few years ago.
They never seem to understand:

Your fingerprint like your face can be the username, but never the password.

Your fingerprint is exactly like your username: you cannot change it and you always leave it in public.

You can use fingerprints as a password. They aren't perfect but in many situations they are fine.

Security isn't black and white.

Since you can't change them, long term security is nonexistant.
Providing you have them, I can chop then off and use them.

Seriously, use your eye or fingerprint as a password and there is someone ruthless enough to remove them from your body.

Who is this mythical fellow who's not going to give up his password in such a situation anyway? No one's going to protect their accounts at the cost of their finger. Certainly not me.

I mean, I agree with not using fingerprints as passwords but not because I want to protect myself from the fingermen.

I think you have missed the point. In poorer areas of the world where life is cheaper than cheap, I'm not going to bother negotiating with you, so that you to come to the ATM with me because I need you to place your finger on the scanner. I'm just going to take my machete and remove your whole hand and leave you to bleed out in the dirt.

Placing any security value on human body parts is a stupid idea, whether as a password or as a automated proof of identity.

I mean that it doesn't matter. If I had a password, you're not suddenly going to leave me alone. You're probably going to extract it from me and then kill me anyway.

I think it's quite clear we shouldn't use biometrics as passwords but I don't think this is a strong argument.

Dear IshKebab,

We at startup xyz take security seriously. We regret to inform you that on the night of 1st December 2016 our database was compromised. The database contained your name, address and fingerprint data.

Please see a plastic surgeon about resetting your fingerprints at as soon as possible.

Thank you, Startup Xyz

Genuinely surprised to not see this happen yet. I guess it's a good thing Apple and Google are the ones who typically store Fingerprints and not third party apps.
Who exactly has been storing fingerprints centrally? I know plenty of devices that store them locally, but have not seen one phoning it home.
The EU is planning to. http://europa.eu/rapid/press-release_IP-16-1247_en.htm:

"The proposed system stores alphanumeric and biometric data (a combination of four fingerprints and the facial image). [...] The System is composed of a central database connected to national entry points."

If/when this comes to be, that database will probably be both well-protected and an incredibly tempting attack target.

Governments have been storing biometric data for decades. I was asking which private company has been doing so - as that is what was being alluded to.

*more to the point, the only way I see a government who stores biometric data being an issue WRT security: the government is after you (in which case they're likely getting what they want anyway), or it's a targeted attack from a foreign government (in which case biometric theft is the least of your concerns).

Few examples: USICS/CBP/DHS (not sure who among them maintains finger print db) in the USA. UIDAI in India.
Thankfully, nobody stores full fingerprints, just derivations (sort of like a hash). And, when those are stored, they are so far always stored in secure hardware elements. The data is never accessible from within the OS, and never uploaded anywhere.
Obviously fingerprints can't be used in that situation, buy think about something like your front door lock. You don't need paranoia-level security (you probably have breakable windows anyway) but you want to stop random people who aren't motivated enough to steal your fingerprint from walking in.

Or think about locking your phone. Most people only want to stop their friends and family - they're not going to copy you fingerprint. Even FBI nearly defeated by TouchID. (You're probably thinking that they could have easily bypassed it, but they only had 48 hours to do so.)

There's a little bit of a difference between breaking a window (noise, glass everywhere), and discretely walking in through your front door and out with your jewellery.
I don't understand the qualifier "in that situation": the user cannot determine what the "situation" may be at some point in the future.

I do use the fingerprint reader on my iPhone, and I believe that the fingerprint data is never sent to another device. Ever.

There are real problems to using the iPhone fingerprint with apps, in that the apps tells me it needs to store an encrypted version of my password on iCloud in order to enable fingerprint unlock. The Bad Guys could get my encrypted password and I might never know.

But I wouldn't have to change my fingerprint in that case.

In the situation where a website stores your fingerprint.
Comparable to a social security number, but a SSN which you rubber stamp upon literally everything you touch. I make this analogy to illustrate the ridiculousness of both.
I think it's a good comparison, even if it may not seem quite like it yet because we still don't have that many things for which to use our fingerprints.

But soon we will have. All the banks are considering some form of biometric authentication for ATMs, and so on, and this could expand to many other types of services. That means you'll have to scan and store your fingerprint on a range of devices with highly variable security. Eventually your fingerprint will be sold on the black market, just like your SSN is.

> All the banks are considering some form of biometric authentication for ATMs

First I've heard of this. Is this a regional thing or a global trend? Got any sources?

The problem is:

There is a market for it because the average Joe and Jane are pretty lazy and would rather touch something to unlock it than having to go through the hassle of typing and remembering (forgetting) a password. They probably don't understand the secrutiy implications of it either.

This is an adorably bad idea:

+ As fdik said above, you can't change your fingerprint or face easily, and it's always public

+ Face recognition and fingerprint scanning are not robust against spoofing — there are known ways to circumvent both

+ You can be compelled to authenticate a biometric without a warrant

Don't use biometrics as a password; use them as a username.

> Don't use biometrics as a password; use them as a username

Even then people's faces change and through accidents fingerprints can also be changed / removed and then you're shit out of luck. I'm terrified I would store my important shit in something like that then get into a car accident or something and be no longer able to open it.

Yet another reason why this is a horrible idea.
Implement it like the Xbox Kinect auto-signin where you still have a username but the camera lets the device figure it out on its own. That way people can still manually enter their username in the event of any disfiguring injury or technical glitches but don't have to normally.
Right but the post I was responding to said to use biometrics as the username hence my comment. You're suggesting using it as a type of password :)
No I'm not, I'm suggesting it be used to identify the user, then they can enter their password the same as always.
"We couldn't detect your face/fingerprints please enter your username directly instead."

What if you get into a car accident and no longer remember the master password to your hardware password safe?

What if you remember it but lost your arms and are no longer able to type?

The car accident scenario is not very useful.

You can write down your master password somewhere, or share it with a loved one. This is no different from having backups for important data. You can't easily backup your iris, face, or fingerprints.
Biometrics are in a really weird place as far as security goes.

For the average person who's more concerned about opportunistic theft of a device than a targeted attack I'd argue that biometrics are more secure because you can't have the equivalent of a shitty password. There is no fingerprint equivalent of "1111" as your device PIN. A random pickpocket in the subway doesn't know who you are and thus can't implement any spoofs.

For anyone trying to defend against an attacker specifically targeting them, you're completely right.

Your fingerprints are probably all over the device they stole, though.

It's like if you wrapped your laptop in a decorative cover of your password written everywhere.

Similarly, if facial recognition becomes the standard, thieves will just take a snap when they rob you.

You average pick-pocket is not going to lift fingerprints of a phone. He will drop the phone in a plastic bag and fence it to someone who can lift the prints or factory reset it without the prints.
And this is better, somehow?
Depends if it reduces theft.
I think post Activation Lock and similar features on smartphone platforms, thieves usually sell stolen devices to those who rip them apart to get to specific parts that they can resell. That will continue until the phone makers figure out how to disable the display, digitizer, battery and other parts that have value even in a "bricked" phone.
Can you factory reset an iPhone without the passcode? I thought Activation Lock was supposed to prevent this?
You can wipe without a passcode, but if the user turned on Find My iPhone before the phone was wiped, the phone will be a brick until one logs into the associated iCloud account.
Probably worth more as parts to a more shady repair shop. Last I heard, a shiny new laptop's only worth a couple hundred when fenced.
> Your fingerprints are probably all over the device they stole, though

Including very likely the fingerprint scanner itself.

What's your point? If a random pick-pocketer steals a phone from me, they don't care about accessing my data. If they wanted to, it's easier with face/fingerprint recognition. Just grab my picture from facebook/twitter/find me by email or phone number, fingerprints are on my phone, batter, sim card, screen... everywhere. It's slightly more expensive than printing my picture from facebook but many times proven, doable. On the other hand... how can you guess my pattern lock or SHITYPassword1111?

If I'm a victim of a targetted attack, better not to have a phone at all.

Fingerprint and face recognition don't have the same threat models. And two differ from password too. For end users, fingerprint makes sense:

- Stealing fingerprint requires access to your fingerprint in the first place. That narrows down the attack surface A LOT. - Coercing someone to authenticate is possible for password too. Unlike fingerprints passwords can be stolen remotely. - People tend to use same PIN everywhere. Therefore "can't change your biometric info" isn't that big of a problem. Fingerprints aren't prone to dictionary attack either because there are no "common fingerprints".

Face recognition can be bypassed more easily thanks to a huge database of faces called facebook.

But we shouldn't reject a security solution outright before properly analyzing the threat model. They all can have their legitimate use cases for certain scenarios.

> Stealing fingerprint requires access to your fingerprint in the first place.

This is not as difficult as some might think. We leave them all over our devices for example, but physical access is not even necessary. Jan Krissler managed to get the fingerprint of the German defense minister 2 years ago using only photos of her.

Fingerprint technology is hackable, easily so.

Edit: Face recognition is even easier. Iris scanners are the only sure way to recognize someone.

> Iris scanners are the only sure way to recognize someone

For now.

This relies on all iris scanners everywhere not being hotwired to feed them a saved iris scan.
> Iris scanners […]

Iris scanners for authentication kind of lost their appeal to me after watching Demolition Man.

My skeptic-sense is tingling!
The truth is that we can't trust INTEL. Their CPU micro-code or ME (Management engine) can and does "phone home" to the internet, grab updates and update the CPU. They don't allow the customer to turn this OFF, which betray's the customer who purchased the CPU. Anyone who can sign the update and intercept the download channel can update your CPU with you having no ability to protect yourself. We can't trust intel.

Intel needs to allow 3rd parties to build a small piece of hardware for private key storage, generation, signing and encryption, with self-distruction upon tampering. Then customers need to be able to go to the store, pick which vendor they want, and they plug it into their motherboard. By selling them in the store when the customer can make a surprise purchase, then that prevents tampering upon shipping withe ecommerce deliverables.

What are some good resources to learn more about the phone-home functionality in their microcode? I've been trying to find more details and have been unable to do so.
You've been unable to find that information because no such "functionality" exists. Microcode just patches bugs or configuration details of the CPU; it doesn't "phone home".
That was my initial understanding, but I figured I'd give the parent commenter the benefit of the doubt in case my understanding was flawed.

Some more searching seems to lead back to where I started: the microcode itself isn't phoning home, the only phoning "home" that occurs is the normal process of "when you pull down an update for something, it requires phoning to the repository holding the updates".

ME does have ability to do that, tho.
Just like IPMI, or any other standard for allowing hardware-level admin of a system.
By using the word 'standard' you're trying to legitimize something that's fully encrypted, impossible to code-audit and fully under control of Intel, while pretending to be your property and controlled by you.

So yes, it's a standard. I believe there was also a standard on how to tie a noose for hanging a human, but that didn't mean much to the one getting hanged.

Do you think you could fit drivers for all common ethernet/wifi cards in there and proper TCP/IP implementation? It's below assembly abstraction level.
The ME is basically an independent universal computer in its own right, it comes with its own clock, RAM, CPU etc...

It is like a Matryoshka doll sitting inside the Intel CPU of your computer. Therefore, yes, it can contain all of that. For further details see my other two posts.

Intel ME has independent NIC access and usually cannot be disabled by the user.

It has only been six days since it has become possible to neutralize the ME firmware for Sandy Bridge and Ivy Bridge[1].

[1]: https://news.ycombinator.com/item?id=13056997

How else would you implement remote server management that works even when the hardware is shut down (put still connected to power) if not with a seperate CPU that has access to the NIC?
How could it possibly patch bugs without phoning home? Are you claiming that it is self modifying code?
I wouldn't consider "running an update where it pulls new code" to be "phoning home", any more than my car is "phoning home" when I drive it to the dealership for repairs.

The implication the comment I was replying to gave was that the device sent unexpected network traffic back to Intel HQ, with the connotation that it was doing so to leak information about my system.

"Running an update where it pulls new code" is definitely an example of phoning home, and it opens the door to all sorts of vulnerabilities, such as the one featured in the Apple vs the FBI case.
Intel microcode updates on Linux are provided through regular distribution repositories. There is no phoning home feature.
Do they get updated when you run the package manager, or do they update automatically?
Binary packaging systems download microcode.dat (a text blob containing microcode) from Intel during the build process. Microcode.dat gets converted into an initramfs image that supplies the new microcode early in the system boot. Users download the built binary package, which then modifies the boot parameters of their system.

So normally only the build servers contact Intel. Source-based distributions may. But even then the source files are verified with cryptographic hashes (which are in turn signed by the maintainers' private keys).

Edit: I may have misread your question. I thought you were asking by implication if the microcode blob is pulled after the install. If not, then: No. Updates happen when the package manager decides.

https://www.kernel.org/doc/Documentation/x86/early-microcode...

https://gitlab.com/iucode-tool/iucode-tool

https://downloadcenter.intel.com/download/26400/Linux-Proces...

(comment deleted)
A more subtle way to communicate with the mother ship would be to ship an update that makes the CPU leak some desired information. For example change how some specific cryptographic operation works under certain conditions to make it possible for eavesdropper to break the encryption. Or just make some funny things with memory and make certain information available to be retrieved via web browser when user visits malicious page.
> Anyone who can sign the update and intercept the download channel can update your CPU with you having no ability to protect yourself. We can't trust intel.

Intel's microcode updates are cryptographically signed; the CPU will not accept an update without Intel's signature. The format is not publicly documented, but independent research [1] suggests that it's 2048-bit RSA.

[1]: http://inertiawar.com/microcode/

The nice thing about that is the Intel and NSA could just share that key and everyone would be none the wiser.
First, it's important to realize that biometric identifiers are not constitutionally protected in the United States under the fifth amendment given current legal precedents:

"A Virginia Circuit Court judge ruled Tuesday that police officers cannot force criminal suspects to divulge cellphone passwords, but they can force them to unlock the phone with a fingerprint scanner."

Source: http://blogs.wsj.com/digits/2014/10/31/judge-rules-suspect-c...

Second, as others have already noted, you cannot hide or change most biometric identifiers and some people may not even have them at all. Therefore, passwords will always be the safest, most accessible option. However, more education regarding their creation, use, and support needs to occur:

Password Strength: https://xkcd.com/936/

Password Reuse: https://xkcd.com/792/

NIST’s new password rules – what you need to know: https://nakedsecurity.sophos.com/2016/08/18/nists-new-passwo...

Personally, I like to choose a small token representing the site or service at hand, then surround it with multiple pass phrases I've memorized over the years. This creates a strong password which is both unique and easy to remember. Not to mention when a site I use is inevitably hacked and my hash is stolen, I only need to update a single instance of this pattern--not reevaluate my entire system.

I'm not sure of the wisdom of doing this without realsense cameras.
> Intel Security

Hmmm... Let's Google that.

> Intel Security Group (previously McAfee, Inc. /ˈmækəfiː/[3])

And I'm out of here.

And in honor of the sacred McAfee traditions, Intel Security True Key is bundled by default within the Flash installer; once you've downladed the default installer, you can't even opt out of it. You need to pay attention and unchecked the bundleware before downloading it. Sneaky!
Also worth saying is that if True Key is installed via Flash Mcafee bundle you can't actually uninstall it, you have to manually remove the service and delete the files/reg keys.
After reading all the comments there is not one person who is in support for the biometrics as a secure method but I see people being okay with biometric on iPhones by saying apples security better.