Slashdot Mirror


HTC Doesn't Protect Fingerprint Data

An anonymous reader writes: Biometric authentication is becoming commonplace — fingerprint scanners have been used on laptops for years, and now they're becoming commonplace on phones, as well. As more devices require your fingerprint to unlock, it becomes more important for each of them to guard that data. It's significant, then, that researchers from FireEye were able to easily grab fingerprint data off several recent phones. The most egregious offender is the HTC One Max, which stores the fingerprint comparison image as a simple .BMP file in a folder that's open to access. "Any unprivileged processes or apps can steal user's fingerprints by reading this file." According to the research they presented at Black Hat (PDF), it would also be simple for hackers who have remotely compromised the device to upload their own fingerprints to grant themselves physical access.
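A defender-side audit for the misconfiguration described in the summary above (a fingerprint image kept as a BMP file that any process can read), added here as an example; it is not code from FireEye, HTC or the original post. The directory layout and file names are constructed, and the check looks only at Unix permission bits (it assumes directories above the audited root are traversable and ignores other access controls such as SELinux policy).

```python
import os
import stat
import struct
import tempfile


def looks_like_bmp(path):
    """True if the file starts with a BMP file header whose size field matches."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(14)
    except OSError:
        return False
    if len(header) < 14 or header[:2] != b"BM":
        return False
    (declared_size,) = struct.unpack_from("<I", header, 2)
    return declared_size == os.path.getsize(path)


def reachable_by_others(path, root):
    """True if every directory from root down to the file's parent has the
    'other' search (x) bit. A 0644 file inside a 0700 directory is not exposed."""
    root = os.path.abspath(root)
    current = os.path.dirname(os.path.abspath(path))
    if os.path.commonpath([root, current]) != root:
        raise ValueError("path is not under root")
    while True:
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False
        if current == root:
            return True
        current = os.path.dirname(current)


def audit(root):
    """Report BMP files under root that unprivileged users can read or overwrite."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not looks_like_bmp(path):
                continue
            readable = bool(st.st_mode & stat.S_IROTH)
            writable = bool(st.st_mode & stat.S_IWOTH)
            if (readable or writable) and reachable_by_others(path, root):
                findings.append({
                    "path": os.path.relpath(path, root),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "world_readable": readable,   # any process can copy the image
                    "world_writable": writable,   # any process can replace it
                })
    return sorted(findings, key=lambda f: f["path"])


def write_private(path, data):
    """Hardened form: create the file owner-only from the start (no chmod race)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def fake_bmp():
    """Constructed 54-byte BMP: 14-byte file header plus an empty 40-byte DIB header."""
    return b"BM" + struct.pack("<IHHI", 54, 0, 0, 54) + bytes(40)


def demo():
    """Build a constructed directory tree and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "data")
        os.mkdir(root)
        os.chmod(root, 0o755)
        # (directory mode, file name, file mode, content) -- all constructed
        layout = [
            ("open", 0o755, "finger.bmp", 0o666, fake_bmp()),     # exposed
            ("open", 0o755, "private.bmp", 0o600, fake_bmp()),    # owner-only file
            ("open", 0o755, "notes.txt", 0o644, b"not an image"), # not a BMP
            ("closed", 0o700, "finger.bmp", 0o644, fake_bmp()),   # shielded by dir
        ]
        for dirname, dmode, fname, fmode, content in layout:
            d = os.path.join(root, dirname)
            os.makedirs(d, exist_ok=True)
            os.chmod(d, dmode)
            f = os.path.join(d, fname)
            with open(f, "wb") as fh:
                fh.write(content)
            os.chmod(f, fmode)  # explicit chmod so the umask does not matter
        write_private(os.path.join(root, "open", "hardened.bmp"), fake_bmp())
        return audit(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
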

66 comments

  1. Amateurs by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

    The most egregious offender is the HTC One Max, which stores the fingerprint comparison image as a simple .BMP file in a folder that's open to access.

    What a bunch of amateurs. Everyone who's learned a thing or two about graphic file formats knows that PNG is much superior.

  2. Security Alert by Anonymous Coward · · Score: 0, Funny

    In a horrifying security alert, researchers have revealed that your fingerprints are stored in unprotected memory on ANYTHING YOU TOUCH! Until a fix for this flaw can be found, it is suggested that all people immediately start wearing blue nitrile gloves at all times to mitigate this vulnerability.

    1. Re:Security Alert by TWX · · Score: 1

      The blue nitrile gloves aren't durable enough, you'll tear the glove and leave fingerprints anyway.

      You're better off with the heavy duty black nitrile gloves. Just be sure to stock up on talcum powder so your hands don't look like they've been soaking in dishwater for four hours.

      --
      Do not look into laser with remaining eye.
    2. Re:Security Alert by davester666 · · Score: 1

      and of course, destroy the gloves after use.

      --
      Sleep your way to a whiter smile...date a dentist!
  3. Don't use this stuff ... by gstoddart · · Score: 2

    Even if we trusted that vendors weren't lazy, incompetent, and indifferent to security (and that is a big if) ... why should we be entrusting them with our biometric data in the first place?

    Corporations want to sell a product, sell advertising, and don't give a damn about your security or privacy. You should also assume they'll hand any of this crap over to governments if they demand it.

    Sorry, but until such time we get to use the CEO as a pinata for bad security, assume there simply is none. Because that's where we're at right now.

    With no penalties for crap security, they're not going to implement good security. Stop treating them as if they have.

    I'd wager that if you bought 20 products which claim to have security features, likely all 20 of them are easily defeated or bordering on non-existent in terms of actual security.

    --
    Lost at C:>. Found at C.
    1. Re:Don't use this stuff ... by macs4all · · Score: 5, Informative

      Corporations want to sell a product, sell advertising, and don't give a damn about your security or privacy. You should also assume they'll hand any of this crap over to governments if they demand it.

      Not all of them.

      For example, in iOS Devices, even the Device itself can't retrieve the biometric data. It is locked inside a "secure enclave" chip, that has ZERO exposure to the rest of the system.

      Neither Apple, nor anyone else, including the Gummint, can access that information without physically taking apart the Secure Enclave chip and using God-Knows-What to read the memory in the chip directly.

      Easier and cheaper just to apply blowtorches and pliers to the actual fingerprint-holder, as per the obligatory XKCD 'toon.

    2. Re:Don't use this stuff ... by ComputerGeek01 · · Score: 2

      You should also assume they'll hand any of this crap over to governments if they demand it.

      Due to that child abduction prevention database that came to my school when I was a kid, and my inherent inability to keep my mouth shut when interacting with the police; the government already has several copies of my full fingerprint sets on file. I can safely assume that I'm not the only one that falls into a similar category so, I'm not saying that your concern is invalid, it's simply redundant.

      The real question this brings up is "how secure is your fingerprint as a means of identification?". And the answer is half a million hits on Google for 'How to fake fingerprints'. This just goes to show the convenience is still inversely proportional to security.

    3. Re:Don't use this stuff ... by Anonymous Coward · · Score: 0

      So you're saying "if you have nothing to hide you have nothing to fear", and that we should all accept a surveillance society because you've already been arrested.

      Fuck you.

      You may like living under fascists in a police state. That doesn't mean the rest of us should.

    4. Re:Don't use this stuff ... by Anonymous Coward · · Score: 0

      Well, most biometric data is basically public anyway.

      Frankly, Biometrics are a lot like social security numbers. Only people with absolutely no idea how security works think they're useful for securing things.

      Fingerprint scanners for example are useful only in cases where you want something more convenient than entering an insecure pin code but more secure than 'slide to unlock'. That makes them useful on phones and laptops for the general public. But not so much on anything that needs to repel an actual attack.

    5. Re:Don't use this stuff ... by tlhIngan · · Score: 2

      For example, in iOS Devices, even the Device itself can't retrieve the biometric data. It is locked inside a "secure enclave" chip, that has ZERO exposure to the rest of the system.

        Neither Apple, nor anyone else, including the Gummint, can access that information without physically taking apart the Secure Enclave chip and using God-Knows-What to read the memory in the chip directly.

      Even harder, in iOS, the fingerprint reader traffic is encrypted, and the reader and secure enclave do a public-private key thing to keep the fingerprint secure.

      So not only is the information in the secure enclave, but its traffic is secured by the hardware. Two reasons - one, to prevent sniffing, and the other, to prevent malware from commandeering the fingerprint reader.

    6. Re:Don't use this stuff ... by Dixie_Flatline · · Score: 4, Insightful

      I haven't heard of anyone cracking it yet, and that's the sort of thing you'd hear about immediately if it happened. Breaking into an Apple device comes with a lot of press and noise. It's something we'd all know about if it'd happened. We immediately heard about how the security of the device was 'compromised' if you had access to a lab, a really incredibly clear picture of a finger print, and more time on your hands than your average criminal would be willing to expend.

      Based on that, I feel reasonably confident that there's been no breach of security of the secure enclave.

      But even if there were, this theoretical setup of Apple's is an indication that someone that thinks about security was involved in the development. There's no image. There's not really even useful data being stored, per se. You put your finger on the sensor and it creates a cryptographic hash from your fingerprint data, and every time you want to unlock the phone, it goes through the process again and compares it against the data it has stored. It's not even clear to me that if you had what was in the enclave that you could unlock the phone with it. (Someone that understands the tech better than me can correct me.)

    7. Re:Don't use this stuff ... by macs4all · · Score: 1

      And you believe this shit they spew?

      Why yes. Yes I do. At least generally, and certainly about this particular subject.

      Where's our open source / standard video conferencing protocol? If you're saying that some company sued them to prevent their use...

      See? You answered your own objection. That was easy...

      Remember when they sold LTE tablets in the UK that couldn't be used in the UK (it had US bands at the time)?

      Nope. Never heard of that. According to your own words, you must've been the only one butt-hurt about that, apparently.

    8. Re:Don't use this stuff ... by macs4all · · Score: 1

      Even harder, in iOS, the fingerprint reader traffic is encrypted, and the reader and secure enclave do a public-private key thing to keep the fingerprint secure.

      So not only is the information in the secure enclave, but its traffic is secured by the hardware. Two reasons - one, to prevent sniffing, and the other, to prevent malware from commandeering the fingerprint reader.

      You're right. I'd forgotten about those details.

    9. Re: Don't use this stuff ... by Quila · · Score: 1

      Last I read, the fingerprint system submits the numerical representation of the fingerprint to the Trusted Enclave, which responds with match or no match. You don't get to see existing fingerprint data.

    10. Re:Don't use this stuff ... by ComputerGeek01 · · Score: 1

      So you're saying "if you have nothing to hide you have nothing to fear", and that we should all accept a surveillance society because you've already been arrested.

      Not even close, I'm saying that the information that GP was trying to protect is likely to already be on record. I can't wish away that they already have my fingerprints, that's just a fact that I and many others need to live with.

    11. Re: Don't use this stuff ... by Anonymous Coward · · Score: 0

      Nobody asks you to "accept" the surveillance society. It's already in place whether you like it or not. There's absolutely nothing you can do about it.

    12. Re:Don't use this stuff ... by Jane+Q.+Public · · Score: 1

      Not that it really matters, and the damned things aren't very accurate or secure anyway.

      That myth was busted on Mythbusters a number of years ago, and the technology hasn't really changed significantly since.

    13. Re:Don't use this stuff ... by Anonymous Coward · · Score: 0

      ... See that first chart? It's from this paper: researchgate.net/publication/22... BUT that paper has a qualification about the chart: "To avoid distortions in the calculation of DTI linked with dating uncertainties, we correlate the records by performing a peak to peak adjustment between the ice and ocean isotopic records." In other words, they shifted the CO2 timeline back by something like 300-800 years. Temperature rises actually PRECEDED higher CO2. But it's not obvious. And it's plain criminal that Ramnstorf mentions that nowhere in his derived chart. CO2 has been shifted. Shifted in time by several hundred years at least, to make it appear that the peaks coincide. [Lonny Eachus, 2015-08-10]

      As I explained six years ago, Jane/Lonny is actually quoting from a paragraph that's devoted to understanding shortcomings in the deuterium-temperature connection. It has absolutely nothing to do with the CO2 timeline! As usual, Lonny's claim that Petit et al. "shifted the CO2 timeline back by something like 300-800 years" is completely wrong.

      If you don't believe me, open Petit et al. 1999 to page 431, and notice that Lonny's quote comes from the "temperature" section where "CO2" doesn't appear in the text until a new section called "greenhouse gases" starts on page 433.

      But why would mainstream scientists even want to be plain criminals who shift the CO2 timeline? I've repeatedly told Jane/Lonny that mainstream science expects orbitally-driven glacial transitions to show temperatures leading CO2 because ocean outgassing of CO2 amplifies the orbitally-driven glacial cycle.

      Again, Jane/Lonny Eachus should really consider watching Richard Alley's 2009 AGU talk at 33:51. A reasonable person would understand that interest on a debt adds to that debt, despite lagging the original debt. Would that reasonable person agree with the email shared at 3:42 sent to Richard Alley's university trying to get him fired?

      Now Lonny, remember that your accusation of "plain criminal" is much more serious and libelous than merely trying to get a scientist fired. If Lonny Eachus were put on trial for his libelous attacks, does he really think a reasonable person would believe Lonny was just hopelessly confused about the fact that interest adds to debt despite lagging the original debt? Or would they conclude that Lonny was maliciously spreading lies that no reasonable person could possibly believe?

      For instance, Lonny baselessly claims that Petit et al. 1999 "shifted the CO2 timeline back by something like 300-800 years ... to make it appear that the peaks coincide."

      A reasonable person could read these quotes from Petit et al. 1999:

    14. Re:Don't use this stuff ... by Anonymous Coward · · Score: 0

      Lonny, you were just asked to please find it in your heart to stop hurling these baseless accusations. You responded by continuing to regurgitate Mark Steyn's baseless accusations and saying:

      Then @KenCaldeira should commit suicide immediately. He emits 40,000 ppm CO2. Talk about unacceptable levels! @tan123 [Lonny Eachus, 2015-08-11]

      Lonny Eachus, please stop telling scientists to commit suicide. That's NOT FUNNY.

      It's hard to even pretend that Lonny Eachus's disgusting suggestion was intended as a joke, because:

      Well, do you truly understand that EPA's proposed regulations (truly, no joke) declare your body a toxic polluter? Because you exhale 40,000 ppm CO2. [Lonny Eachus, 2014-10-27]

      Truly, no joke, Lonny Eachus is still making the same mistake I've repeatedly tried to explain to him. Breathing simply can't increase atmospheric CO2. But as usual Lonny Eachus just doubles down:

      Apparently you didn't understand my comment. Emissions are emissions. You emit or you don't. "No safe level." [Lonny Eachus, 2015-08-11]

      Apparently Lonny is still pretending to be confused about the fact that breathing is like the circulation pump in a pool. It simply can't raise CO2 levels.

      A plumber who understood plumbing as well as Lonny Eachus understands the carbon cycle would confuse a pool's circulation pump with a hose filling up the pool. They both pump water! The circulation pump even pumps more gallons per minute. So obviously the circulation pump is why the pool is filling up.

      A surgeon who understood surgery as well as Lonny Eachus understands the carbon cycle would confuse a severed artery with the patient's heartbeat. They both pump blood! The heart even pumps more gallons per minute. So obviously the heart is responsible for that inexplicable long-term decreasing trend in blood pressure.

      Fortunately, a surgeon that incompetent couldn't affect many people. Spreading misinformation which threatens the future of civilization, on the other hand...

      Lonny Eachus, please stop telling scientists to commit suicide. That's NOT FUNNY.

    15. Re:Don't use this stuff ... by Jane+Q.+Public · · Score: 1

      Lonny Eachus' comment was a remark about the logical fallacy of Caldeira's statement that "no amount" of CO2 emission is safe or acceptable, when he emits a rather large amount all by himself.

      No SANE, rational person could read it in context, and honestly think it was a call for anybody to actually commit suicide.

      You can't even get this right. What a loser.

    16. Re:Don't use this stuff ... by Jane+Q.+Public · · Score: 1

      Well, do you truly understand that EPA's proposed regulations (truly, no joke) declare your body a toxic polluter? Because you exhale 40,000 ppm CO2. [Lonny Eachus, 2014-10-27]

      The EPA does not distinguish among sources, or whether it is "circulation". Emission is emission. Emission from vehicles burning ethanol is also "circulation", via a very real and rather simple cycle, yet EPA still classes it as emission. So you are wrong in principle and fact.

      Apparently Lonny is still pretending to be confused about the fact that breathing is like the circulation pump in a pool. It simply can't raise CO2 levels.

      Apparently you are confused about context. As usual.

    17. Re:Don't use this stuff ... by Anonymous Coward · · Score: 0

      Then @KenCaldeira should commit suicide immediately. He emits 40,000 ppm CO2. Talk about unacceptable levels! @tan123 [Lonny Eachus, 2015-08-11]

      Lonny Eachus' comment was a remark about the logical fallacy of Caldeira's statement that "no amount" of CO2 emission is safe or acceptable, when he emits a rather large amount all by himself. No SANE, rational person could read it in context, and honestly think it was a call for anybody to actually commit suicide. You can't even get this right. What a loser. [Jane Q. Public, 2015-08-12]

      No, Lonny. Your despicable statement was morally and scientifically wrong. He doesn't emit "a rather large amount all by himself" because breathing simply can't raise CO2 levels.

      Well, do you truly understand that EPA's proposed regulations (truly, no joke) declare your body a toxic polluter? Because you exhale 40,000 ppm CO2. [Lonny Eachus, 2014-10-27]

      The EPA does not distinguish among sources, or whether it is "circulation". Emission is emission. Emission from vehicles burning ethanol is also "circulation", via a very real and rather simple cycle, yet EPA still classes it as emission. So you are wrong in principle and fact. [Jane Q. Public, 2015-08-12]

      Lonny Eachus, please support your ridiculous accusation that the EPA declares your body a toxic polluter because you exhale 40,000 ppm CO2. You know, with a quote from an actual link.

      That might help SANE, rational people see your point, because until now the only people making those ridiculous claims are WUWTers like Jane/Lonny Eachus. Until you provide a quote from an actual link it just seems like you're projecting your ignorance onto yet another organization.

      Then @KenCaldeira should commit suicide immediately. He emits 40,000 ppm CO2. Talk about unacceptable levels! @tan123 [Lonny Eachus, 2015-08-11]

      Apparently Lonny is still pretending to be confused about the fact that breathing is like the circulation pump in a pool. It simply can't raise CO2 levels. [Dumb Scientist]

      Apparently you are confused about context. As usual. [Jane Q. Public, 2015-08-12]

      Wow! Lonny Eachus, I just gave you an effective defense and you rejected it! You might have a chance if you swear you were just confused about how breathing can't raise CO2 levels, and only said this out of confusion: "@KenCaldeira should commit suicide immediately. He emits 40,000 ppm CO2."

      Are you now saying that you already knew that breathing can't raise CO2 levels, but you made your despicable statement anyway? Hopefully not. Think, Lonny! Think!

    18. Re:Don't use this stuff ... by Anonymous Coward · · Score: 0

      ... See that first chart? It's from this paper: researchgate.net/publication/22... BUT that paper has a qualification about the chart: "To avoid distortions in the calculation of DTI linked with dating uncertainties, we correlate the records by performing a peak to peak adjustment between the ice and ocean isotopic records." In other words, they shifted the CO2 timeline back by something like 300-800 years. Temperature rises actually PRECEDED higher CO2. But it's not obvious. And it's plain criminal that Ramnstorf mentions that nowhere in his derived chart. CO2 has been shifted. Shifted in time by several hundred years at least, to make it appear that the peaks coincide. [Lonny Eachus, 2015-08-10]

      As I explained six years ago, Jane/Lonny is actually quoting from a paragraph that's devoted to understanding shortcomings in the deuterium-temperature connection. It has absolutely nothing to do with the CO2 timeline! As usual, Lonny's claim that Petit et al. "shifted the CO2 timeline back by something like 300-800 years" is completely wrong.

      If you don't believe me, open Petit et al. 1999 to page 431, and notice that Lonny's quote comes from the "temperature" section where "CO2" doesn't appear in the text until a new section called "greenhouse gases" starts on page 433.

      But why would mainstream scientists even want to be plain criminals who shift the CO2 timeline? I've repeatedly told Jane/Lonny that mainstream science expects orbitally-driven glacial transitions to show temperatures leading CO2 because ocean outgassing of CO2 amplifies the orbitally-driven glacial cycle.

      Again, Jane/Lonny Eachus should really consider watching Richard Alley's 2009 AGU talk at 33:51. A reasonable person would understand that interest on a debt adds to that debt, despite lagging the original debt. Would that reasonable person agree with the email shared at 3:42 sent to Richard Alley's university trying to get him fired?

      Now Lonny, remember that your accusation of "plain criminal" is much more serious and libelous than merely trying to get a scientist fired. If Lonny Eachus were put on trial for his libelous attacks, does he really think a reasonable person would believe Lonny was just hopelessly confused about the fact that interest adds to debt despite lagging the original debt? Or would they conclude that Lonny was maliciously spreading lies that no reasonable person could possibly believe?

      For instance, Lonny baselessly claims that Petit et al. 1999 "shifted the CO2 timeline back by something like 300-800 years ... to make it appear that the peaks coincide."

      A reasonable person could read these quotes from Petit et al. 1999:

    19. Re:Don't use this stuff ... by Anonymous Coward · · Score: 0

      What a funny coincidence! Lonny Eachus did "appear" in social media dressed as a Nazi. Is the picture real or photoshopped? Who knows? Maybe Lonny Eachus was dressed up (in poor taste) for Halloween.

      And maybe somebody who is not my friend is trying to make me look bad, which is vastly more likely. [Jane Q. Public, 2015-08-08]

      Make you look bad, Jane? That's not a picture of Jane Q. Public maybe dressed up (in poor taste) for Halloween. It's a picture of Lonny Eachus maybe dressed up (in poor taste) for Halloween.

      The difference is that Cook's picture appeared in a forum frequented by friends and colleagues, not in a post aimed at mocking or character-assassinating him.

      What a funny coincidence! So did Eachus's picture. Exactly how is Jane's claim any better supported?

      Jane's claim is based on the word of a script kiddie who illegally hacked into a private forum, then asked "what if I wanted to try to sell the data, perhaps even back to Cook et al?"
      So I asked the script kiddie: isn't there a word for this?
      But the script kiddie just confused blackmail with "courtesy".

      Does Jane/Lonny make a habit of regurgitating accusations from people who dig through illegally obtained private material, then publicly and shamelessly consider blackmailing others? Or was this the only time you ever sunk to that disgusting level, Jane/Lonny Eachus?

    20. Re:Don't use this stuff ... by Anonymous Coward · · Score: 0

      ... Cook did dress as Nazi in picture in social media. He ALSO was recently found to have been using the name of Lubos Motl in some private blog posts, later published publicly. And that's definitely not okay. [Lonny Eachus, 2015-07-29]

      ... Cook also made injudicious comments in a private forum which later became public, using the name of Lubos Motl. [Jane Q. Public, 2015-08-06]

      Is Jane/Lonny Eachus coyly referring to comments made in a private forum which later became public because a script kiddie illegally hacked in and released those comments after publicly considering blackmail? Now that Jane/Lonny knows about this crime, can he agree that it's "definitely not okay" to accuse someone of "identity theft" because of private comments made in a mock debate which are only public because a script kiddie illegally hacked in?

      John Cook (stupid debunked "97% climate consensus" paper), caught impersonating others. Supposedly for "science". wattsupwiththat.com/2015/07/23/yes... And it's NOT a small thing. He was making false statements in the name of a Harvard physics professor. You're gone now, John. [Lonny Eachus, 2015-07-24]

      During The Newsroom's mock debate here at 2:33, watch in horror as a man is caught impersonating and making false statements in the name of Michele Bachmann. Is Jane/Lonny Eachus also going to regurgitate blackmail threats against HBO? Is HBO "gone now"?

      (And, seriously... "stupid debunked"? No, Lonny. Just... no. Calm down.)

      Hey John Cook @skepticscience Did you steal Lubos Motl's identity? goo.gl/uQNCgN @clim8resistance @lumidek
      Because John Cook has committed identity theft, won various grants and prizes, and his wrongdoing has been revealed, I demand all the funds – like his share of those $240,000 in 2011 – to be sent back where they belong, namely to my account. ;-) It's just some $240,000 and you will increase your chance that you won't spend the rest of your life in prison, despite your being a fraudster, and a very incompetent one. [Steve Milloy, retweeted by Lonny Eachus, 2015-07-27]

      Good grief. Lonny, you're regurgitating shameless threats of blackmail and libelous accusations of "identity theft" based on illegally obtained private correspondence! Can't you see that overwhelming irony?

      Lonny, suppose you hold a mock debate in your private home. However, a script kiddie finds an unlocked door and lets himself into your private home, recording everything you say. Against your wishes, that script kiddie then releases your private mock debate on the internet. Hordes of gullible people then accuse you of identity theft, not realizing that you were just holding a private mock debate and that all these baseless and libelous accusations are ironically based on illegally obtained private correspondence.

      Wouldn't that seem a little ridiculous? (Let me guess: this analogy is totally different from Jane/Lonny's regurgitated accusations b

    21. Re:Don't use this stuff ... by Jane+Q.+Public · · Score: 1

      I'm not going to argue with you on Slashdot about somebody's comments on Twitter.

      I will say that people make mistakes. Like the time you claimed (as shown in one of your links above) that the Wegman report wasn't peer-reviewed. The report had been reviewed by no less than 6 other professional statisticians with no axe to grind, before it was presented.

      I do not, at this time, think Rahmstorf is a criminal in any legal sense. I do think that using graphs that are created to mislead in order to press an agenda is "criminal" in the sense of "harmful to society", apart from the law. But I'm not about to say here that was what Rahmstorf did. I didn't read his mind.

    22. Re:Don't use this stuff ... by Jane+Q.+Public · · Score: 1

      No, Lonny. Your despicable statement was morally and scientifically wrong. He doesn't emit "a rather large amount all by himself" because breathing simply can't raise CO2 levels.

      This is a CLASSIC straw-man argument. There was no claim that he raised CO2 levels. Only that he emits CO2. He does.

      emit v. to send forth (liquid, light, heat, sound, particles, etc.); discharge.

      There is nothing there about "increasing levels" or averages. Everybody knows what "emit" means, regardless of your attempts to narrow the definition to your liking. He does emit a rather large amount by himself, according to every common definition of the word "emit". As I illustrated above, CO2 from exhaust pipes from burning ethanol derived from organic sources goes through a very similar cycle to what you described, yet nobody denies that the CO2 coming out of the exhaust pipe is an "emission".

      Lonny Eachus, please support your ridiculous accusation that the EPA declares your body a toxic polluter because you exhale 40,000 ppm CO2. You know, with a quote from an actual link.

      There was no "accusation" that EPA declares bodies toxic polluters. 1. Straw-man. 2. Moving the goalposts. Such statement doesn't exist.

      Until you provide a quote from an actual link it just seems like you're projecting your ignorance onto yet another organization.

      So, you have evidence to refute the statement? You are free to ignore it if you like, but I flatly deny making the statements you claim in this comment, so I have nothing to prove.

      Wow! Lonny Eachus, I just gave you an effective defense and you rejected it! You might have a chance if you swear you were just confused about how breathing can't raise CO2 levels, and only said this out of confusion: "@KenCaldeira should commit suicide immediately. He emits 40,000 ppm CO2."

      There is no need for a defense, since this comment was clearly taken out of context and subsequently misrepresented. Anyone who cares to look can see that for themselves.

    23. Re:Don't use this stuff ... by Jane+Q.+Public · · Score: 1

      Jane, in less than an hour you changed from defending "Lonny Eachus' comment" to defending your comment! Are you actually such a pathological liar that you really think you can just shrug off your libelous attacks by saying they were "somebody's comments on Twitter"?

      You haven't shown that any of my comments were intentionally libelous. I have already stated to you many times that I am not commenting to you about identity. I make no claims or denials... nor do I have any reason to do so.

      But "pathological liar"? That's a libelous statement if I've ever seen one.

      You have repeatedly (actually quite consistently, over a period of years) failed to demonstrate that I have intentionally lied about anything. Therefore you have excellent evidence that your frequent claims and insinuations that I am a "pathological liar" are false and libelous.

      Your accusations are wrong in every way, not just in a legal sense. The graphs you're endlessly whining about aren't misleading. And you don't need to read anyone's mind to see that your absurd accusations were already disproved over a decade ago by the very paper you're lecturing about!

      Excuse me? What accusation did I make in my previous comment above? I don't see one. And you continue to present comments out of context.

      What is your problem? Why do you refuse to make honest arguments? While again I am not making accusations, but I am certainly beginning to think that this whole "pathological liar" bit is nothing but projection on your part.

      No. I'll be honest. I'm not "beginning" to think it. I've been thinking it for a very long time.

    24. Re:Don't use this stuff ... by Anonymous Coward · · Score: 0

      2C target old idea, phys unsafe,see @KenCaldeira thinkprogress.org/climate/2013/0... "There is some noise around the idea that it useful to think about some amount of 'allowable CO2 emissions budget' that would keep the world under 2 C of global warming. ..." [Peter Shepherd, 2015-08-11]

      Then @KenCaldeira should commit suicide immediately. He emits 40,000 ppm CO2. Talk about unacceptable levels! @tan123 [Lonny Eachus, 2015-08-11]

      No, Lonny. Your despicable statement was morally and scientifically wrong. He doesn't emit "a rather large amount all by himself" because breathing simply can't raise CO2 levels. [Dumb Scientist]

      This is a CLASSIC straw-man argument. There was no claim that he raised CO2 levels. Only that he emits CO2. He does. ... this comment was clearly taken out of context and subsequently misrepresented. Anyone who cares to look can see that for themselves. [Jane Q. Public, 2015-08-13]

      Anyone who cares to look can see that Lonny's disgusting statement was a "response" to a statement about anthropogenic global warming, which is primarily caused by raising CO2 levels. That's what scientists mean by "CO2 emissions": adding CO2 to the atmosphere+oceans+biosphere.

      Once again, breathing can't do that because it's like a circulation pump in a pool. Therefore mainstream scientists don't include breathing in an "'allowable CO2 emissions budget' that would keep the world under 2 C of global warming." In exactly the same way, plumbers don't include a circulation pump's flow in an "'allowable water budget' that keeps the pool from overflowing."

      Are you now saying that you already knew that breathing can't raise CO2 levels, but you made your despicable statement anyway? Hopefully not. Think, Lonny! Think! [Dumb Scientist]

      Since the subject of breathing raising overall CO2 levels was not mentioned or even implied by anyone except you, I have no reason to respond to this. Once again, your out-of-context straw-manning gets you nowhere. [Jane Q. Public, 2015-08-13]

      Lonny, your disgusting statement was a "response" to a statement about anthropogenic global warming, which is primarily caused by raising CO2 levels. So your original disgusting statement was either accidentally or deliberately "out of context" of the statements you were replying to. Which is it, Lonny Eachus? Are you honestly confused, or are you deliberately trying to confuse others?

      emit v. to send forth (liquid, light, heat, sound, particles, etc.); discharge.

      There is nothing there about "increasing levels" or averages. Everybody knows what "emit" means, regardless of your attempts to narrow the definition to your liking. He does emit a rather large amount by himself, according to every common definition of the word "emit". ... [Jane Q. Public, 2015-08-13]

      As usual, Jane/Lonny completely ignores context and quotes a dictionary to support his disgusting statement. Ironically, Jane has previously said: "Di

    25. Re:Don't use this stuff ... by Anonymous Coward · · Score: 0

      Your accusations are wrong in every way, not just in a legal sense. The graphs you're endlessly whining about aren't misleading. And you don't need to read anyone's mind to see that your absurd accusations were already disproved over a decade ago by the very paper you're lecturing about!

      Excuse me? What accusation did I make in my previous comment above? I don't see one. And you continue to present comments out of context. [Jane Q. Public, 2015-08-13]

      Good grief. Jane's amnesia strikes again:

      ... See that first chart? It's from this paper: researchgate.net/publication/22... BUT that paper has a qualification about the chart: "To avoid distortions in the calculation of DTI linked with dating uncertainties, we correlate the records by performing a peak to peak adjustment between the ice and ocean isotopic records." In other words, they shifted the CO2 timeline back by something like 300-800 years. Temperature rises actually PRECEDED higher CO2. But it's not obvious. And it's plain criminal that Rahmstorf mentions that nowhere in his derived chart. CO2 has been shifted. Shifted in time by several hundred years at least, to make it appear that the peaks coincide. [Lonny Eachus, 2015-08-10]

      I've already explained in my previous comment above why Jane/Lonny's accusation was completely baseless.

      I do not, at this time, think Rahmstorf is a criminal in any legal sense. I do think that using graphs that are created to mislead in order to press an agenda is "criminal" in the sense of "harmful to society", apart from the law. But I'm not about to say here that was what Rahmstorf did. I didn't read his mind. [Jane Q. Public, 2015-08-13]

      At the same time that Jane can't seem to remember his accusations, Jane also doubles down on his accusation that the Petit et al. 1999 graph is "created to mislead" and "harmful to society". Once again, Jane/Lonny is wrong. And once again, Jane tries his favorite "out of context" evasion when his lies are challenged. So here's some more context behind Jane's baseless accusations:

      ... That other giant graph in the movie that correlates warming with CO2? (A misleading graph with no numbers, showing data that had been shifted in time.) Should I believe THAT "science" too? [Jane Q. Public, 2009-07-09]

      A giant chart comparing temperature proxies against CO2 concentrations from ice cores, showing a high correlation. But no labels or indices, or even a casual mention that one of the two lines had been shifted somewhere between 300 to 800 years to the left! Even assuming the correlation is correct, if you don't tell people you have massaged the data in some way, you are "lying with statistics".

    26. Re:Don't use this stuff ... by khayman80 · · Score: 1

      Honest people can be wrong or disagree.Ur claim I'm lying about Ru Academy leaders opposing AGW indicates more about U than me? U've exposed the level discussion to which GWarming advocates sink. Yep, pretty sad labeling some who disagrees a liar. Not wrong, but even if I was, only Fanatics claim people who believe in what they R advocating R liars if they R wrong. I don't lose my temper & I don't call people who disagree liars. The way U disagree consistent with most GWarming advocates [Rep. Dana Rohrabacher (R-CA), August 2015]

      That's unbelievably ironic, coming from a man who's been hurling accusations like lying lying lies lies lies lies lied lied lied lied lied lied lied lied lie dishonest dishonest dishonest dishonest dishonest dishonesty dishonesty dishonesty fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud

    27. Re:Don't use this stuff ... by khayman80 · · Score: 1

      Oops, forgot the ellipses:

      Honest people can be wrong or disagree.Ur claim I'm lying about Ru Academy leaders opposing AGW indicates more about U than me? ... U've exposed the level discussion to which GWarming advocates sink. Yep, pretty sad labeling some who disagrees a liar. ... Not wrong, but even if I was, only Fanatics claim people who believe in what they R advocating R liars if they R wrong. ... I don't lose my temper & I don't call people who disagree liars. The way U disagree consistent with most GWarming advocates [Rep. Dana Rohrabacher (R-CA), August 2015]

      That's unbelievably ironic, coming from a man who's been hurling accusations like lying lying lies lies lies lies lied lied lied lied lied lied lied lied lie dishonest dishonest dishonest dishonest dishonest dishonesty dishonesty dishonesty fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud fraud

    28. Re:Don't use this stuff ... by khayman80 · · Score: 1

      Fixed the first fraud link.

    29. Re:Don't use this stuff ... by khayman80 · · Score: 1

      Continued here.

  4. Finger Prints - the ID you leave everywhere you go by Anonymous Coward · · Score: 0

    I know that finger prints on phones are convenient but it still seems odd to me to "secure" something with a pattern that you leave everywhere you go, on everything you touch. If you used a thumb print to secure your bank account it would be like writing your bank details on every single surface you came into contact with. Sure you'd be writing them very small, and it'd take some effort to make them useful, and you couldn't just use them anywhere, "Excuse me while I pay for my groceries with this rubber glove I found that I've affixed someone else's prints to." isn't exactly subtle.

    It still seems like a bad plan though.

  5. If you have your fingers on it, you HAVE access by Anonymous Coward · · Score: 0

    If you have your fingers on a device, you ALREADY have physical access.

    Being able to spoof a fingerprint reader on a device you can stick in your pocket seems to have limited utility.

  6. That's the great thing about biometrics by metamatic · · Score: 5, Insightful

    All the affected people have to do is change their fingerprints.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  7. upload their own fingerprints??? by Anonymous Coward · · Score: 1

    In related news, a burglar was arrested because he left an ID card in the house...

  8. It doesn't matter by Beamer145 · · Score: 1

    Fingerprints are Usernames, not Passwords. Using them as passwords is bad practice anyway.

  9. Now compare this to Apple's approach by nbvb · · Score: 4, Informative

    I know that it's all the rage to crap on Apple, but compare this "approach" to security vs Apple's approach ...

    https://www.apple.com/business...

    Apple isn't perfect by any means but at least they put the time and energy into actually trying to do the right things. They make mistakes - like everyone else - but at least there's some forethought.

    1. Re:Now compare this to Apple's approach by Anonymous Coward · · Score: 0

      It should be stated that this is not the Android approach, but yet another stupid decision from HTC and HTC alone. Also, the Fingerprint APIs and security are being introduced in Android M.

    2. Re:Now compare this to Apple's approach by nbvb · · Score: 3, Insightful

      The difference between making a piece of hardware and making the whole widget.

      I'll leave it as an exercise to the reader to identify which approach I prefer.

  10. on page 2 by Anonymous Coward · · Score: 0

    2 HTC has patched this vulnerability per our notification

    1. Re:on page 2 by Minwee · · Score: 1

      And I'm sure that every affected device has already been updated, in accordance with HTC's proactive support policies.

      Since it has been patched, I'm also sure that there will never be any kind of mysterious regression where a future build exhibits the same issue. That could never happen.

      Nothing more to see here, just move along.

    2. Re:on page 2 by mlts · · Score: 2

      Wonder what the patch is:

      The ideal would be to not use a bitmap, but store some type of hash with a salt, as well as a part of the hashed value coming from a secure key store, for example sha3 (regular_nonce + fingerprint bitmap + nonce_stashed_in_secure_storage) . This means that if the hash was pulled off the phone, there is no way that it would be usable on other media.

      If the bitmap -had- to be decrypted, again, it should be either encrypted and the key stashed in a protected part of the system, or at the minimum, encrypted by the user's PIN/password that is used when the device is first unlocked after a reboot.
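The salted, device-bound hash proposed in the comment above, as an added Python example (not code from the post, from HTC or from the FireEye paper); it also shows that an exact-match hash rejects a re-scan that differs by a single bit. The function names, the length-prefixed field encoding and the 1 KiB sample "bitmap" are assumptions made here, and `device_secret` stands in for the value the comment keeps in secure storage.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample input: 1 KiB of bytes standing in for a fingerprint bitmap.
SAMPLE_BITMAP = bytes(range(256)) * 4


def template_digest(salt: bytes, bitmap: bytes, device_secret: bytes) -> bytes:
    """SHA3-256 over salt, bitmap and device secret.

    Each field is length-prefixed (an assumption added here) so that bytes
    cannot shift between fields and still produce the same hash input.
    """
    h = hashlib.sha3_256()
    for field in (salt, bitmap, device_secret):
        h.update(len(field).to_bytes(8, "big"))
        h.update(field)
    return h.digest()


def enroll(bitmap: bytes, device_secret: bytes) -> tuple[bytes, bytes]:
    """Return (salt, digest); only these two values are written to storage."""
    salt = secrets.token_bytes(16)
    return salt, template_digest(salt, bitmap, device_secret)


def verify(salt: bytes, stored: bytes, candidate: bytes, device_secret: bytes) -> bool:
    """Recompute the digest for a candidate scan and compare in constant time."""
    return hmac.compare_digest(stored, template_digest(salt, candidate, device_secret))


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Simulate the smallest possible difference between two scans."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo() -> dict:
    device_a = secrets.token_bytes(32)  # secret held in device A's secure storage
    device_b = secrets.token_bytes(32)  # a different device's secret
    salt, stored = enroll(SAMPLE_BITMAP, device_a)
    return {
        # Identical bytes on the enrolling device: accepted.
        "same_scan_same_device": verify(salt, stored, SAMPLE_BITMAP, device_a),
        # Stored record copied to another device: useless without device A's secret.
        "record_copied_to_other_device": verify(salt, stored, SAMPLE_BITMAP, device_b),
        # A re-scan that differs by one bit: rejected, because the hash is exact-match.
        "rescan_one_bit_off": verify(salt, stored, flip_one_bit(SAMPLE_BITMAP), device_a),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two captures of the same finger are not byte-identical in practice, so the third result is the case a real matcher has to handle; the encrypted-template option in the comment's second paragraph does not have that constraint.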

    3. Re:on page 2 by Fnord666 · · Score: 1

      And I'm sure that every affected device has already been updated, in accordance with HTC's proactive support policies.

      Since it has been patched, I'm also sure that there will never be any kind of mysterious regression where a future build exhibits the same issue. That could never happen.

      Nothing more to see here, just move along.

      hmmm. The sarcasm is strong with this one....

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  11. congress? by Anonymous Coward · · Score: 0

    So Apple introduces fingerprint sensors and the world is abuzz and Congress sends nasty letters demanding information about how they will protect the fingerprint information.

    Now somebody else does it and they don't even make a rudimentary effort to protect the information. Where's the congressional indignation now?

    1. Re:congress? by Anonymous Coward · · Score: 0

      Don't worry... The EU will haul Google in for another kangaroo court session to demand why Android allows this info to be stored in the clear. Anti-Americanism keeps the judges in business, as opposed to trying to keep their own house clean, which might actually take some effort.

  12. Things you know, have and are by sjbe · · Score: 2

    Fingerprints are Usernames, not Passwords. Using them as passwords is bad practice anyway.

    Fingerprints are not usernames nor are they passwords. Security comes from having Things-You-Are, Things-You-Have, and Things-You-Know. Good security typically involves at least two of those Things if not all three. No security is unbreakable. Both usernames and passwords fall into the Things-You-Know which is why they are relatively easy to crack. This is why two factor authentication is a good idea because it generally relies on both a Thing-You-Know and a Thing-You-Have. Fingerprints are a Thing-You-Are though if not secured can become a Thing-You-Know/Have. At times they can be used like a username or a password but they are not the same thing and assuming they are the same thing is generally a mistake.

    The biggest problem with Things-You-Are is also the biggest strength. Things-You-Are are generally the hardest to forge or circumvent but when they are they cannot be changed unlike Things-You-Have or Things-You-Know. So you don't want to use Things-You-Are too much.

    1. Re:Things you know, have and are by Archangel+Michael · · Score: 0

      I disagree with the premise that security comes from "Things you are. Things you have. And Things you know"

      True security is a web of trust relationships. I can present a badge (things you have), and pretend to be someone else (things you are) and even have some knowledge (things you know) and still be lying. REAL security is verifying these things against another "trusted" source.

      If I present an ID card representing ABC Corp, saying my name is Archie Angel and pretend to know what I am doing (here to check on the copier) THAT is not identification, though it usually is represented that way.

      The real ID is when I call my contact at ABC Corp, and say "I have an Archie Angel here wanting to fix the Copier, did you dispatch him" and having that contact say "Yeah, he's a tall chap with a grey beard".

      True ID requires a web of trust. The better the web, the higher the trust.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re: Things you know, have and are by Anonymous Coward · · Score: 0

      There's an extra qualification:

      Things you have that others don't.

      Things you are that others aren't.

      Things you know that others don't.

      I know "1+1=2", but that's not identification. I have my fingerprints, but so does anyone else who wants a copy... thus that's not identification either.

  13. what a perfect opportunity by Anonymous Coward · · Score: 0

    to laugh at android shitting its pants once more

    they allow this, but in the name of se

    remind me, why is android popular, again? because it has ads? a free sdk? cheap devices?

    does android have any redeeming qualities, or is it a case of windows 3.1 all over again? "it's popular because it's popular"?

    1. Re:what a perfect opportunity by Anonymous Coward · · Score: 0

      for anyone curious, the editbox in which i typed my post *did* have the complete sentence... but since it is android, something fucked up and even though the text appeared in the editbox, it did not actually exist in the string that was sent to /.

      i'm as surprised as you are. (latest firefox on z ultra running 5.0)

      "...in the name of security no program may write to the external sd, as if *reading* from it is any more secure"

  14. Repeat after me: Fingerprints are not secrets by swillden · · Score: 2

    I think there's a fundamental misunderstanding of biometrics and biometric security that is prevalent throughout much of the industry, and it's often expressed as "biometrics are identifiers, not passwords!", though usually with more exclamation points, or the verbal equivalent, except when the even more foolish version "biometrics are passwords" is used.

    These statements are wrong. Biometrics are not identifiers. They're lousy identifiers, actually, since identifiers need to be unique and consistent, while biometrics aren't either. Biometrics are also not passwords. Passwords rely on secrecy and need to be rotated. Biometrics are not secret and cannot be rotated.

    But, if biometrics don't fit into either of these buckets we're accustomed to, if they're not usernames and not passwords doesn't that mean they're useless? No, it does not.

    Biometrics are authenticators. Passwords are also authenticators, but they operate on different principles, validating information that is expected to be a secret. Biometrics attempt to validate the presence of a physical body that is the one expected. What's funny about this to me is that humans, in general, are extremely comfortable with biometric identification and authentication because it's the way we identify and authenticate everyone around us all the time. But we've trained ourselves to think differently about these issues in the context of computer security. (Note that personal identification is considered the best form of authentication in physical security systems as well... the biometric auth systems built into our heads are extremely hard to fool at close range with more than a few seconds' interaction).

    Biometric authentication provides security without relying on the secrecy of your fingerprints, because they aren't. You leave them everywhere you go all over everything you touch. Including, by the way, your phone. They provide security because it is supposed to be hard for anyone else to use your fingerprints, even if they know exactly what they look like, to unlock your phone. That is, the security comes from the meat/sensor interface, not from the content of the data delivered via that interface.

    This fact points out some rather obvious potential exploits. Since making gummy fingers isn't particularly hard, and since phone sensors aren't very good at distinguishing between real fingers and fake fingers, the security level isn't very high against an attacker who is willing to go to the effort of lifting a print and making a fake finger. It's also not good against an attacker willing to crack the phone open and replay image data directly to the system, bypassing the sensor.

    Fingerprints provide a very different security model than passwords. They're stronger against casual attackers (can't be shoulder surfed; often hard to phish), but potentially weaker against more sophisticated attackers, and don't rely on secrecy.

    With this proper contextualization, it's clear that the "attacks" referenced in the article are non-issues. Leaking your fingerprints isn't a security problem, it's a privacy problem. Fingerprints are like any other PII (personally-identifiable information) on your phone. The device should secure PII against remote extraction, and should make it reasonably hard for local attackers to get. But when the attack begins with, step 1, "root the device", I just tune out, because of all of the PII on my phone, my fingerprints are among the least important.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Repeat after me: Fingerprints are not secrets by tompaulco · · Score: 1

      Passwords rely on secrecy and need to be rotated.

      Why do passwords need to be rotated? I have read lots of things saying that you should but never seen a compelling argument. All of the reasons for rotating passwords are more appropriately handled by changing password immediately. Rotating passwords happens regardless of an incident, which is wasteful, and only ensures that somebody locks up after the horse has left the barn.

      --
      If you are not allowed to question your government then the government has answered your question.
    2. Re:Repeat after me: Fingerprints are not secrets by swillden · · Score: 1

      Passwords rely on secrecy and need to be rotated.

      Why do passwords need to be rotated? I have read lots of things saying that you should but never seen a compelling argument.

      The longer you keep a password, the more likely it is that it has been compromised in some way. Rotating it closes the window of vulnerability.

      All of the reasons for rotating passwords are more appropriately handled by changing password immediately. Rotating passwords happens regardless of an incident, which is wasteful, and only ensures that somebody locks up after the horse has left the barn.

      You're assuming that you have some indication that your password is compromised. You may not, which means the barn won't get locked. Unlike the horse/barn analogy, there is often value in locking up even after the attacker has been in.

      With that said, if you have a decent password and reasonably-good password security habits (e.g. don't use it on multiple systems), I don't think there's any need to rotate your password more than annually.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Repeat after me: Fingerprints are not secrets by Anonymous Coward · · Score: 0

      There must be a better system for rotating passwords, because my keychain holds more than 200 passwords. It will take several days to rotate those.

    4. Re:Repeat after me: Fingerprints are not secrets by swillden · · Score: 1

      The best solution is not to have so many passwords. Single sign-on (SSO) should be able to consolidate many of them. For the rest, most are probably fairly low-value, and needn't be rotated.

      Personally I have one password for work and another for my personal e-mail account that I consider really high value and rotate annually (I also use two-factor auth on both of those). I also rotate my password manager password annually. Then I have a second tier of important passwords (bank, etc.). Those I don't rotate regularly, but I do generate long, random, non-memorable passwords for them and keep them in my password manager. At any hint of strangeness, I change them, and I change them all every two or three years.

      Then I have a couple of passwords I use on all the sites I don't care about (like slashdot). I would have only one password for all of those sites, but they don't all agree on password requirements.

      If your company hasn't got a decent SSO system deployed, or if you work on systems belonging to a lot of different clients, or for some other reason have no way to consolidate your important logins, I don't have any good suggestions for you.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  15. Biometrics by Lord+Bitman · · Score: 1

    Biometric data is *NOT SECRET* and never has been. The idea isn't "nobody has access to your fingerprints", it's "if you control the device, and can monitor the person attempting to access the device, you can easily detect attempts to use someone else's data"

    eg: Yes, your fingerprint reader can be defeated by the person holding a photocopy of someone else's hand. If you leave them alone with the device, they can also defeat it by pulling the back cover off, so that's not particularly an issue.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  16. Re:Finger Prints - the ID you leave everywhere you by TWX · · Score: 1

    Honestly, given the dollar amount that one can spend in big-box retailers that happen to have grocery store departments, if one could pay with a fingerprint it wouldn't be unreasonable to make a practical special effects finger with a fingerprint on it that would pass under normal scrutiny. If such were to develop I could see someone going in and buying the high-end television, the home theatre receiver, the speakers, the tablet computer, and some bread, milk, cereal, fresh fruit, and beer in one trip...

    Normally one needs to use a two-fold method. Think username and password. Think ATM card and PIN. Something you have, and something you know.

    --
    Do not look into laser with remaining eye.
  17. The biggest problem with fingerprint security... by mark-t · · Score: 1

    ... is that you don't generally have any real ability to limit anyone else from collecting your fingerprints without wearing gloves everywhere... and if you are even *suspected* of a crime, you have no legal right at all to refuse to be fingerprinted by law enforcement (if you are acquitted, you can usually request that the information be destroyed, however, YMMV on this, depending on the jurisdiction). At least with passwords, you can simply refuse to divulge them. Some jurisdictions may throw a person in prison for not divulging a password, but of course, they still don't get the password by doing so, and are ultimately just keeping someone in prison at the taxpayer's expense that they won't necessarily get anything out of. While you won't necessarily be thrown in prison for refusing to give your fingerprints, that's only because law enforcement is authorized to use reasonable force to take fingerprints without your consent anyways.

  18. HTC Doesn't Protect Fingerprint Data by Anonymous Coward · · Score: 0

    Wasn't this already patched for the "MAX" offender?

    The Sprint HTC One Max is receiving an OTA update with software version 3.02.651.8, and as per the official changelog the only thing that is set to shift with this update is “Fingerprint security enhancement”.

    HTC One Max software update - version 3.02.651.8

      Enhancements/Fixes:

            Fingerprint security issue
            Fix for persistent "Smith" expiration notification

      Important Info:

            Deployment to all devices starts on 7/29/15. All devices should receive update on 7/29/15
            For additional info, check out the software update article in Sprint Device Support

    http://support.sprint.com/support/article/Find-and-update-the-software-version-on-your-HTC-One-max/WServiceAdvisory_542_GKB61419-dvc7830006prd?INTNAV=SU:DP:OV:UG:HtcOneMax:FindAndUpdateTheSoftwareVersionOnYourHtcOneMax#!/

  19. Biometrics doesn't work anymore by Anonymous Coward · · Score: 0

    Well now that's a conundrum. If your fingerprint gets lifted, what is the difference between this and an ill-conceived password?

  20. Rep. Rohrabacher accuses scientists of lying. by khayman80 · · Score: 1

    so where is the example of me calling someone a liar? questioning facts & logic is honest disagreement U should try that approach [Rep. Dana Rohrabacher (R-CA), 2015-08-24]

    I've repeatedly shown Dana links to his incredibly ironic accusations of dishonest lying fraud. Here are just a few:

    whoever gave U the 97 percent scientists endorsing Man made Global warming theory is lying 2 U. [Rep. Dana Rohrabacher (R-CA), 2013-07-05]

    97% is fake number & reflects dishonesty of those giving U info on GWarming. ask Urself what process used 2determine it [Rep. Dana Rohrabacher (R-CA), 2013-09-15]

    James Taylor's Forbes oped 5/30/13 detailed blatant fraud behind 97 claim yet alarmists R so brazen they keep using it [Rep. Dana Rohrabacher (R-CA), 2013-09-16]

    That figure is a total fraud. U may not know where it came from but I do. In the end it was 97% of 87 selected scientists. [Rep. Dana Rohrabacher (R-CA), 2014-03-26]

    who ever told U that is the same one pushing the lie. I have read full account & 97% is fraud, other GWarming evidence [Rep. Dana Rohrabacher (R-CA), 2014-03-28]

    If U knew fraud behind that 97% number surely U'd quit using it. ... fess up that the 97% figure is the percent of the few scientists who responded to a poll that was itself selectively sent.FRAUD ... the 97 % figure you use is a total fraud, just like the rest of the phony evidence of man made Global Warming [Rep. Dana Rohrabacher (R-CA), 2014-04-01]

    97% figure is just as much a fraud as GWarming theory. Some times U should question what this crowd is feeding U [Rep. Dana Rohrabacher (R-CA), 2014-04-04]

    major figures refuse to support 97% claim. That should tip U off as to lies that many advocates of GWarming support [Rep. Dana Rohrabacher (R-CA), 2014-06-05]

    ... it is a lie to say 97% agree [Rep. Dana Rohrabacher (R-CA), 2014-06-27]

    CO2 theory is fraud [Rep. Dana Rohrabacher (R-CA), 2015-01-12]

    It's especially ironic that Rep. Dana Rohrabacher (R-CA) has spent years accusing scientists of lying dishonest fraud when scientists tell him what scientists think.

    Does Rep. Rohrabacher also accuse surgeons of lying dishonest fraud when surgeons tell him what surgeons think? Or does Rep. Rohrabacher realize that surgeons probably know what surgeons think better than he does?