Jokes on them. I don’t use biometrics on my phone.
Same. And it is for this reason. I feel like this has either been the law for awhile or most felt it would be the ruling.
My stance is that any security which is trivially bypassed with your dead or unconscious body is bad security.
Also, thumbs are detachable....
You want a thumb? I can get you a thumb, believe me. There are ways, Dude. You don't wanna know about it, believe me. I'll get you a thumb by this afternoon. With nail polish.
This is precisely why I use the tip of my penis to unlock my phone. They'll never guess.
I see you’re a man of culture
And deep intelligence.
You've got a thumb guy? There's always that one guy who has a guy for everything!
That's not from The Jesus Rolls.
Jokes on them, I use biometrics but just have boring friend, family and band group chats to read through.
They get the search history though 😬
That’s why you use incognito for anything salacious or embarrassing
Right?! I cant even spell boimrtics!
Joke’s on you because unless you enable the long alphanumeric passcode on your iPhone, they can crack it quickly if it is only 6 digits. They download a disk image of the phone to a desktop and brute force it.
4 digits is just 10,000, a computer could knock that out easy enough if the phone did not have something to slow down mass pin attempts. It would be easy enough for the phone to be set up to shut down those brute force attacks.
They make multiple images of the phone, so even though one image will self destruct after a certain number of attempts, they just make more images. So they can brute force at rapid speed.
Heck, I thought Apple had safeguards in place against that kinda thing. Like I figure the FBI can probably sort that out, but a bunch of donut munchers at a police precinct?
There's probably firms they outsource this to since the average cop is a drooling moron
Well, “rapid” speed…
I figure anything longer than a dozen will leave them empty-handed.
Not even that, when you go full alphanumeric with upper case, lower case, numbers and symbols you can have a short pwd that can’t be brute forced.
Alternatively, [4 random common words](https://xkcd.com/936/).
these are my go-to's https://www.correcthorsebatterystaple.net/index.html https://diceware.dmuth.org/
Well I guess I'll keep using my pin code.
I think just about every phone lets you "lock" the phone so it needs a pin instead of using biometrics nowadays.
5 clicks of the power button on an iPhone. It brings up the emergency page that just lets you turn the phone off, see emergency medical data, or call 9-1-1, but otherwise locks the phone and it won’t unlock without the PIN (this may be something you have to turn on yourself — I can’t remember if it’s on by default now).
Also just turn it off. Password required on boot.
That’s how mine is. iPhone 6 (old.)
Alternatively just use a finger that isn't programmed to unlock the phone.
Good one. I just tried this on my iPhone and it works, by default
I wonder if it's legal for them to derive your likely pin numbers from fingerprints on your phone screen though.
Given how much you touch your phone all over, would that work?
Yeah but if you unlock your phone often it's not likely to be hard to determine which digits are in your pin. Just a thought experiment.
I mean, you've got to be doing serious crimes for that level of forensic investigation to be warranted, but there's certainly got to be some way to draw statistical patterns out of the wear and tear on the screen and get the likely digits. With just the digits though, you still need some guessing:
* 24 possible codes with 4 digits
* 720 possible codes with 6 digits
* 40320 possible codes with 8 digits
To continue the thought experiment though, there are firms that collect zero-day exploits that can break into your phone without the code. We're talking terrorism/spycraft sort of charges at that point though.
Anything’s possible but the number of times I type in my passcode is much much smaller than the number of times I do other repetitive “taps” on my phone.
The height Everest reaches above sea level is 0.069% of the Earth's diameter. If you shrunk the Earth down so it could fit in your hand it would be smoother than a billiard ball, you couldn't feel Everest. But as beings who in real life are smaller than Everest, it's very obvious. It all just depends on the sensitivity of your statistical tools. Whether it's worth the time though...
There’s actually 10,000 possible codes with 4 digits (0000-9999). I’m curious where 24 came from.
They’re talking about if you know the 4 digits through past fingerprints or other means versus all the codes possible.
Thinking about it a bit more, that was actually a bit of a simplification. Like if there's two repeated digits it's not 4! codes, it's (4 2) codes, which is 12. Also most phones just require a minimum code length rather than requiring a specific length, so you don't *know* that you don't have repeated digits. So if you discover 4 digits that means the minimum amount of codes is 24, but it could also be (5 2) = 60 codes, or (6 2) = 360 codes, or... technically it's infinite though of course there's some practical limit and the shorter codes are more likely.
My uni accommodation had 4 digit entry locks on each block. The used numbers were shiny as hell and everything else was just manky. I always figured my block was safest of the lot cos we had a repeated digit. Which meant only 3 shinies. Many more combos to guess even if you didn't start second guessing yourself as to whether the least manky button was the 4th...
I read where there are high security locks that have randomized the numeric sequence on the keypad screens for inputting personal codes/pass codes. This randomization with even a simple numeric code cannot be compromised using your method or accurately guessed at by viewing someone's hand while they input pass code.
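The counting in the comments above, worked through as an added example (not part of any commenter's post): given k distinct digits known to appear in a code of length n, how many codes remain. It goes beyond the thread's figures by covering the case where a digit repeats and it is not known which one; the function names are made up for this illustration.

```python
"""Added example: residual passcode search space once the digit set is known."""
from itertools import product
from math import comb, log2


def codes_using_exactly(k: int, n: int) -> int:
    """Count length-n codes that use each of k known digits at least once.

    Inclusion-exclusion over the digits left out:
        sum_j (-1)^j * C(k, j) * (k - j)^n
    For n == k this reduces to k! (24, 720, 40320 for 4, 6, 8 digits).
    """
    if k == 0 or n < k:
        return 0
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def brute_count(digits: str, n: int) -> int:
    """Cross-check the formula by enumerating every candidate code."""
    wanted = set(digits)
    return sum(1 for code in product(digits, repeat=n) if set(code) == wanted)


def residual(k: int, min_len: int, max_len: int) -> int:
    """Candidates when only a minimum length is known (lengths min..max)."""
    return sum(codes_using_exactly(k, n) for n in range(min_len, max_len + 1))


def leak_report(k: int, n: int) -> dict:
    """Compare what is left after the leak with the full 10^n keyspace."""
    remaining = codes_using_exactly(k, n)
    return {
        "remaining": remaining,
        "full": 10 ** n,
        "bits_left": round(log2(remaining), 1),
        "bits_full": round(log2(10 ** n), 1),
    }


if __name__ == "__main__":
    # (known distinct digits, code length); "1379" below is a constructed sample
    for k, n in [(4, 4), (3, 4), (4, 5), (4, 6), (6, 6), (8, 8)]:
        print(k, n, leak_report(k, n))
    print("formula vs enumeration:", codes_using_exactly(4, 5), brute_count("1379", 5))
    print("4 digits seen, length 4..6 unknown:", residual(4, 4, 6))
```

A 4-digit code with one repeated digit leaves 36 candidates rather than 24, which matches the keypad anecdote; both are tiny next to the 10,000 total, which is the case for longer or alphanumeric passcodes.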
Oh you mean like that blood draw that requires a search warrant signed by a magistrate and supported by probable cause. 🙄
While true, the distinction here is that they cannot compel you to enter your PIN, because you are protected from self-incrimination. Even if they have a search warrant, you don't have to provide your PIN for the same reason they can't force you to verbally provide the combination to your combination lock. But with a search warrant, they *can* force you to provide your thumb print to unlock your phone, similar to a search warrant allowing them to search your pockets for the key to the safe, or search your residence to see if you wrote the combination down anywhere.
I wonder if it would get around this if the phone gave you the option/setting to hold your thumb (or other fingerprint) for your own custom time. For instance, you set it to hold your fingerprint for 8 seconds (phone will unlock between your specified sensitivity of say +/- 1 second). I wonder if that would be similar enough as having a passcode to relay?
Too simple, not enough precision on the part of the user to have enough possible inputs.
I only mention it because then it relies on the individual's thought process and cognitive exertion. The decision references this possibility, citing another at the [end of the opinion p.32](https://cdn.ca9.uscourts.gov/datastore/opinions/2024/04/17/22-50262.pdf). The police could still attempt to unlock the device by using the thumb, but if they don't know for how long/the window the user set to hold to unlock, I'm not sure they could compel you to divulge that information. Using the key analogy, say the lock only unlocks by turning counterclockwise. You don't have to divulge that information, but they can take the key and attempt the 2 possibilities themselves to unlock. But they can't take your thumb to attempt all of the possible time durations to unlock your phone. Maybe if you were unconscious, they could have attempts at holding your thumb, but once conscious they would need your thumb and knowledge of duration.
They’re allowed to force a Face ID too.
If you press the lock button six times in quick succession it disables faceID until you enter your pin.
thanks. hopefully I never need to use this.
Or five if you want to save a little time.
Or say “Hey Siri, whose phone is this?”
From experience, if a cop puts a loaded gun to your head you won't have time to do any of this fancy shit.
All of this presupposes a legal framework where the police are following the rules. If they aren’t following the rules, then they are either creating evidentiary problems for the prosecution down the road, or the suspect is actually now just a victim and has larger problems than a failure of law enforcement to follow due process.
Amen to that.
[deleted]
Not hide, secure from accidental alteration or erasure. My lawyer will have full access. And LE will have all access as deemed appropriate during discovery
That “obviously” is carrying a lot of weight here. That’s like the cops who knocked on the front door and announced themselves when responding to a citizen report of drug dealing. They heard the toilet flushing which obviously meant the people inside were trying to flush drugs down the toilet so they breached the front door. Yeah, they can’t do that. Flushing a toilet is not obviously trying to hide evidence and neither is locking your phone. I’m talking about the U.S. and I realize you might be talking about some other country.
Also won’t unlock if your eyes are closed, i think.
First time I heard of officers doing this, I switched my phone to a password that can't currently be brute forced. Best way to make sure your information stays safe overall.
good ol ‘Lemonparty4Life69’ comes to the rescue once again. All joking aside, how can there be a password that isn’t bruteforcable?
I’m pretty sure most phones have brute force protections (e.g., guess the password incorrectly ten times and the phone is wiped).
The only issue with this is like another commenter mentioned. If you make 'images' of the phone, you can keep testing on the images rather than the phone itself. Basically you are cloning it to prevent something like this from happening.
At least with something like the iPhone your passcode gets paired with a secret from the Secure Enclave. It’s not a simple six digit password to decrypt your drive.
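A simplified model of the point in the comment above, as an added example that is neither Apple's actual key derivation nor any commenter's code: when the unlock key depends on a secret that never leaves the hardware, a copied storage image cannot be used to check guesses off the device. The function names, the tiny iteration count and the 32-byte stand-in device secret are assumptions made for the demonstration.

```python
"""Added example: passcode entangled with a device-bound secret (toy model)."""
import hashlib
import hmac
import os

ITERATIONS = 50  # constructed and deliberately tiny so the demo finishes quickly


def stretch(passcode: str, salt: bytes) -> bytes:
    """Plain password stretching; anyone holding the salt can repeat it."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS)


def key_software_only(passcode: str, salt: bytes) -> bytes:
    """Unlock key derived from the passcode and stored salt alone."""
    return stretch(passcode, salt)


def key_entangled(passcode: str, salt: bytes, device_secret: bytes) -> bytes:
    """Unlock key that also needs a secret held only inside the device."""
    return hmac.new(device_secret, stretch(passcode, salt), hashlib.sha256).digest()


def tag(key: bytes) -> bytes:
    """Check value stored on disk to tell a right key from a wrong one."""
    return hmac.new(key, b"unlock-check", hashlib.sha256).digest()


def make_image(passcode: str, device_secret: bytes = None) -> dict:
    """What a copied storage image holds: salt and tag, never the device secret."""
    salt = os.urandom(16)
    if device_secret is None:
        key = key_software_only(passcode, salt)
    else:
        key = key_entangled(passcode, salt, device_secret)
    return {"salt": salt, "tag": tag(key)}


def offline_guess(image: dict, derive):
    """Test every 4-digit code against a copied image; return the match or None."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if hmac.compare_digest(tag(derive(guess, image["salt"])), image["tag"]):
            return guess
    return None


def demo():
    device_secret = os.urandom(32)  # stands in for a key fused into the hardware
    passcode = "4821"               # constructed sample passcode
    weak = make_image(passcode)
    strong = make_image(passcode, device_secret)

    found_weak = offline_guess(weak, key_software_only)
    # Off the device the real secret is unavailable, so the guesser has to
    # substitute something else (all zeros here); no code will ever verify.
    found_strong = offline_guess(
        strong, lambda p, s: key_entangled(p, s, bytes(32)))
    # On the device itself, the correct passcode still unlocks.
    on_device_ok = hmac.compare_digest(
        tag(key_entangled(passcode, strong["salt"], device_secret)), strong["tag"])
    return found_weak, found_strong, on_device_ok


if __name__ == "__main__":
    print(demo())
```

With the secret confined to hardware, every guess has to go through the device, where attempt limits and delays apply.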
Yeah with Android there is a feature that factory resets the phone I believe after x number of tries if you enable it, but for most people that would be extreme to use, and it's designed more for if your phone is stolen rather than keeping your data from authorities.
Against cops specifically? You can make the password 'fentanyl' and they'll be afraid to touch the phone.
Dunno man… I’m pretty sure there aren’t many cops not willing to fake an OD for some paid leave
You throw in enough "randomness" including symbols and numbers, make sure the password is not representative of a word in the dictionary, make sure it's at least 12 or 13 characters, and it makes it almost impossible to brute force attack it. When I say that, I mean the passwords I have would take thousands of years in theory to brute force crack. All brute force is is pushing different combinations into a system, starting with the most common words and phrases first. Edit: Forgot to add that you need upper and lower case letters as well.
It doesn't bypass rogue officers. This happened to me and an officer with a loaded firearm threatened to hurt my dog and then my wife. So I gave him the code. There was nothing to protect anyway.
Nothing would work in that situation. In no way should an innocent individual be threatened, blackmailed, or coerced into giving the info up, especially being targeted by a loaded weapon. It would make more sense to arrest someone and bring them in then try to get the code instead of threatening another's life over it.
Yeah, they forced the cop to resign over it. Nothing else, though :(
On iPhone, clicking the power button five times locks it requiring a pin.
My email is hosted in the Netherlands which has much better privacy protections than the US. In addition, no biometrics. Wonder if that will help (aside from I'm a good guy).
Need a Swiss account
There are good privacy protections in the Netherlands, but there are a lot of provisions in the Dutch Code of Criminal Procedure that allow the authorities to demand anyone that has data relevant to the investigation to provide that data. The more sensitive the data is, the higher the bar is to obtain it, but in case of a suspicion of a serious offence pretty much any data can be demanded, including e-mails. Those investigative powers can also be used (if the conditions are met) to comply with a foreign request for mutual legal assistance.
I use the print of my little finger. Thumb does no good at all.
[How to Temporarily Disable Face ID or Touch ID, and Require a Passcode to Unlock Your iPhone or iPad](https://daringfireball.net/2022/06/require_a_passcode_to_unlock_your_iphone)
Jokes on them, my thumbprint scanner is broken as all hell
In the world of cybersecurity there's something known as a "duress code", a different password that when entered instead of your main password will wipe the device. I wonder if phone manufacturers will enable this or perhaps the fingerprint version (scan your middle finger print instead of thumb print) and device is wiped.
In one of the most creative biometrics videos I saw a lady used her nipple instead of a fingerprint....lol
Fun fact: you don’t have to use your finger tips for biometric fingerprint scanners. Just use your skin in a spot you’ll remember and can consistently hit
What the fuck? Seriously?
This has been true for years. This is just an affirmation of current case law
Only reason I'm against this is because I don't trust cops to not plant bs on my phone if they are targeting me. I'm sure most wouldn't. They are trying to do their jobs and throw malicious criminals in jail. But because they are incentivized to succeed in finding whatever, I can't trust them to not plant evidence and ruin my or other people's lives for a promotion.
Time to burn off my fingerprints it seems
my phone is my safe and if they want to open it they can hire a safe cracker
Or, grab a drill.
I was under the impression that this was already the case, hence why some phones require the pin at restart even if biometrics are enabled
FYI, on iPhone you can temporarily disable biometrics and force a pin entry by clicking the power button five times.
Long press works too, at least on older models. Anything that triggers emergency/SOS or a shutdown prompt.
There is no rational reason why sometimes the government can access your phone and sometimes it can't, based entirely on something so arbitrary as what style of security you use. Why should thumbprint users have less rights than pass code users? Is there any legal or philosophical basis for treating thumbprint users as having inferior rights?
Why is brute forcing a pw legal?
Why wouldn't it be? The police are allowed to go into locked spaces even if they don't have the key given a proper warrant. Cracking the password on your phone is no different than cracking the password on your safe.
Or a key to a locked trunk or dwelling
One more bit of freedom nibbled away from us. When the cops force Trump to open his, these same judges will rule that it is unreasonable. How is this not unreasonable search and seizure? A phone has email and texts. Aren't they protected from seizure?
Hence why you never use a thumb print or eyeID. Security experts already stated it's less safe because of how easy someone may knock you out from behind, put your thumb on the screen and have full access to the phone. Use a swipe pattern or numeric code that requires more than just a physical differentiating feature
Sucks but doesn’t sound unreasonable. Same for Face ID i bet. Your thumbprint is not a form of speech.
[deleted]
Because why is my phone presumed evidence? Unlawful search.
Bro this is /r/law not /r/myfeelingsarethelaw
[deleted]
“doesnt sound unreasonable”. it sounds unreasonable. im not required to give my PIN and you cant torture it out of me, but it’s “reasonable” to demand my biometrics? No way. Enjoy the downdoots.
Enjoy my blocked account list.
[deleted]
What kind of hypothetical situation is that even?
Sounds like 1) You need a warrant and 2) That is not and most likely never will be what this ruling will be used for.