This article is a bit on the technical side, but it provides some insight as to how backdoors creep into security software:
Yes, but, specifically, it's not really "news" (from a technical standpoint); the comment by user twilightomni is accurate:
This is ludicrous.
Academic cryptographers have been ringing alarm bells about the Dual_EC_DRBG algorithm since 2007. Its suspicious construction was *known*.
Anyone using the algorithm after the paper by Shumow and Ferguson was published at CRYPTO 2007:
and after Bruce Schneier's article was posted:
was evidently doing that intentionally or out of inexcusable ignorance.
As Matthew Green puts it in this excellent article:
Now I should point out that much of this is ancient history. What is news today is the recent leak of classified documents that points a very emphatic finger towards Dual_EC, or rather, to an unnamed '2006 NIST standard'. The evidence that Dual-EC is this standard has now become so hard to ignore that NIST recently took the unprecedented step of warning implementers to avoid it altogether.
About the live finger vs. cut-off finger, it is the good ol' same bull$hit.
A US$ 5 wrench:
has traditionally proved to work alright for ol' passwords, no matter the algorithm used, elliptic curves or whatever. This time you will have the additional issue that if you forget your phone at the office you will no longer be able to instruct your secretary to access it to retrieve that address or phone number that is only stored there, and you will have to drive back some 300 miles instead.
The only good thing that can come out of it is that if you accidentally break your finger or hand and need to have it bandaged/put in a cast, you are cut out of the rest of the world for the time needed for it to heal.
Of course this will never happen, as there will be surely an "alternate" way (password) to access the phone (unless the good Apple guys are completely crazy).
Does this mean I don’t need iOS passcodes anymore?
No, passcodes are still here to stay. For one thing, you need a way back into your iPhone if you lose a finger (or cut it in the wrong spot) or break the sensor. But, effectively, you won’t need to use your passcode day to day. We’ll have to see how Apple handles alternate recovery options; I suspect you will still use a recovery passcode.
Since you won't be using it for months (as you would normally use the fingerprint) you'll risk forgetting it, so you will jot it down on a post-it stored in a handy place, and access to the device will be as easy as it was before (or even easier) for the "bad guys".
Edited by jaclaz, 21 September 2013 - 03:48 AM.