One possibility for using biometric data is enabling passwordless sign-ins.
No, in both android and ios biometric data is never given to the app for touchid/faceid. It just notifies the app if the authentication passed/failed. So they would never need biometric data to enable biometric authentication.
Exactly. Wasn't the whole point of passkeys that all the user-facing authentication happens on the device and all the server gets to see is a signature?
End up? If you listen to the podcast, you'll know that the episode was inspired by actual already happened real life events. In fact the real story was even more infuriating.
Needing the cloud to connect your keys, keyless entry or not, to your car (which ideally is an embedded system anyway that works fine without any server connection) is just stupid...
I did not say, or mean, “access to the data”, which is why I used the word “control”. Apple designed a system that runs on their devices and are the ones steering its evolution.
I don’t mean to sound argumentative, but that’s a knee jerk response.
It’s possible to reverse engineer the OS code to verify that the biometrics indeed end up on the SEP’s encrypted storage, and several people have done this in the past.
Here’s an excellent presentation on the SEP, found by just a simple Google search. [0]
an apple nerd will come along with a real answer but i believe the answer is no. that even if they patched software.. the chip involved is not going to (or physically can't) cooperate
> i believe the answer is no. that even if they patched software.. the chip involved is not going to (or physically can't) cooperate
Indeed.
The whole point of the Secure Enclave is that it is the hardware root of trust. See the Apple Platform Security Guide[1].
The Secure Enclave also contains things like a UID (unique root cryptographic key) and GID (Device Group ID), both of which are fused at time of manufacturing and are not externally readable, not even through debugging interfaces such as JTAG.
As hardware root of trust the Secure Enclave is fundamental to all parts of device security, including secure boot and verifying that system software (sepOS) is verified and signed by Apple.
Apple put a lot of effort into Secure Enclave and hardware revisions have brought improvements as you might expect, so always be wary if you come across old presentations!
Even if the chip didn't cooperate, Apple has the key derivation function and presumably everything used to generate your key. While we're on the topic of unlikely first-party attacks, it would be interesting to hear (or see) how Apple limits their ability to create duplicate keys.
> Apple has the key derivation function and presumably everything used to generate your key.
Nope.
The Secure Enclave still contains things like UID and GID which are fused into hardware at manufacturing and are not externally accessible, not even through debugging interfaces such as JTAG.
So Apple will never have all the input parameters for the key derivation functions.
And please, let's not go into tin-foil hat territory where you somehow think Apple logs all keys ever fused during manufacturing and then somehow ties these to you personally.
Unlikely. Having the key generation function is worthless, as you also would need the truly randomized nonce and salt used in any modern cryptographic function. There are plenty of methods to have truly unknowable functions even knowing exactly how the function is generated. That's the whole point of trustless security.
"The sensor captures the biometric image and securely transmits it to the Secure Enclave"[1]
IIRC the implementation detail is AES-GCM-256 with ECDH P-256, i.e. the biometric sensor and the secure enclave derive a unique session key via ECDH each and every time.
Clearly some software layer is required to interface with the secure enclave but it's not the app.
The app opens an authentication context through the API and asks the API to perform the authentication. It is the API (through a standardised GUI interface) not the App that collects the biometrics. The API then returns yes/no to the app.
There is further a strict separation of duties between biometric sensor and secure enclave.
Apple puts a significant amount of effort into making that software layer secure, and as this document[1] shows as time progresses the amount of security has only increased with the various chipset revisions.
The thing I say to all the Apple bashers is this. Sure you might not trust Apple (or Google), but even if you go buy the latest $Cool_Sounding_Open_Phone, you still need to trust someone and trust the supply chain.
Sure $Cool_Sounding_Open_Phone might have open-source firmware, but have you actually read every single line of code AND do you have the knowledge to do a security review of the code? Not many people do. And if you are truly security conscious, you cannot possibly trust "the community" to review it for you.
Unless you're going to start from scratch, build your own PCB, your own firmware etc. But even then, you still need to trust the chip manufacturers, unless you open up your own foundry. So let's put our tin foil hats to one side shall we?
Yes. And if your threat model really includes distrusting the manufacturer of your phone and its software after a specific point in time at which you have reversed all of its internals, you should have disabled software auto updates.
Why would they need to lie about that? They control the entire OS and all of the applications, including the app that their users use to access Twitter.
It's more like Apple or Samsung or Sony or Nokia or Google or One or whatever your phone manufacturer is. There's no way around trusting your phone manufacturer with your biometrics.
Even phones that don't offer biometric devices officially need to be trusted not to have hidden fingerprint sensors or iris scanners or whatnot.
The point of my post was huge assumptions about how the data would be collected. It’s such in-the-box thinking that the only systems that exist are that of Apple and Android.
Furthermore the responses and down votes just highlighted the biased reactions of all those musk haters.
I don’t even have twitter or whatever they call it now. I just know what a biased, zero-thinking assertion looks like.
Nobody said there was an X phone. I was just giving alternatives to the probably wrong assumption that Android and Apple's biometrics are the only ways passwordless login could be implemented.
He thinks LinkedIn is cringe (fair) but has a position where he can ignore lots of professional norms. LinkedIn is cringe because people are deliberately trying to respect professional norms and post weird, sanitized, work-appropriate content.
Imagine you’re a recruiter. The selling point of X jobs is that they will give you access to people who found professional norms too hard to follow? And probably some specialists who would be hard to recruit, but maybe they get income that’s a multiple of several boutique recruiting agencies from that.
This isn’t like stackoverflow jobs where the base is correlated with technical expertise - X jobs is correlated with people who are terminally online who think being polite in their work-facing lives is something that people don’t actually want. What hiring manager wants to draw from that pool?
It's weird to admit, but ever since Twitter jumped the shark LinkedIn has become my main replacement. Closest thing to vaguely broad views and updates from people most of which I know to some degree.
It _is_ cringe, but not the stuff my "network" writes, and not really based on writing style, for the most part. It's mostly just the sponsored and boosted stuff. That also wasn't my favourite content on Twitter.
If X tries to become LinkedIn, it sounds like their major opportunity is to become the worst of both worlds. And what Elon thought was "cool" in the past was, at least in my opinion, mostly not.
I'm humbled to hear that you have announced that LinkedIn has replaced Twitter as your firehose of nonsense. That is a significant shift that realigns your media consumption with strategic goals.
Yeah, me too. It's boring, but after the last decade I'm more than willing to accept that "cost" for the benefit of having a sense of what's going on with my contacts.
Does anyone know how to efficiently unfollow large numbers of people though? I was way too promiscuous in the early days and want to winnow down to someone I've actually worked/socialized with.
> If X tries to become LinkedIn, it sounds like their major opportunity is to become the worst of both worlds. And what Elon thought was "cool" in the past was, at least in my opinion, mostly not.
Wouldn't the impact largely be on how people looking for jobs on X would have to clean up their profiles/history?
Not sure. I rather envision lots of thinly veiled self promotion and bad con-artistry with a "cool" tone spamming all kinds of threads. At least with LinkedIn I know to run for the hills based on post length and the first sentence, I feel on Twitter, or X or whatever, that kind of stuff would be more of a sucker punch.
LinkedIn is a perfect social media. Does exactly what it says on the box. You post a profile, and recruiters will hit your inbox. You can post if you want, and the feed is full of sometimes cringe posts, but it's not super algorithmic, they don't really care if you're spending a lot of time on the site. I've spent this last year curating my feed, muting annoying connections, following people that post genuinely interesting content. I probably check it twice a week, check in with people, then I get bored and log off.
Elon wants twitteX to be the west's version of WeChat, seems like he's forgetting WeChat is practically used universally in China because it's controlled by the government and forced on people. I see no way of twittex pulling this off.
Facebook wanted to do this 8 years ago. There are many, many reasons this is difficult, but for starters neither Twitter nor Facebook control a meaningful hardware platform. Apple/Google get a little closer with some of their payment stuff, but I’m skeptical they will ever displace credit cards.
> Elon wants twitteX to be the west's version of WeChat, seems like he's forgetting WeChat is practically used universally in China because it's controlled by the government and forced on people.
I think you have some pretty serious misunderstandings. WeChat isn't popular in China because it's controlled by the government. IIRC, it's popular because it was better than other Chinese social apps. It's only controlled by the government to the extent that everything is controlled by them. It's only "forced" on people to the extent that Visa, the telephone, or Facebook is forced on Americans.
In other words: WeChat can't be lazily thought of as the Chinese equivalent of Telescreen from 1984, where everyone is forced to have and use one, even though it may function similarly in other ways.
He has the dubious distinction of being the first foreigner to write a fluff piece for China's state internet censor. Particularly funny given his posturing on speech.
Second, I could criticize Apple's business in China even if I would use an iPhone.
Third, I wrote people like Musk, that already says I don't mean Tesla only but all the companies that don't have a problem exploiting people in countries like China, Saudi Arabia, Russia etc.
Just look how well VW played together with Pinochet in Chile.
My claim is that powerful people that own multinational companies work with dictatorial governments but parent asked to show list of such people who don't work with them. That's the opposite of my claim.
That is an extraordinarily unhelpful simplification of why WeChat is popular.
It's popular because it's functional, has strong network effects, and people don't care about centralization or second-order effects.
Now, in the US, we see it as the role of regulators to break up unfair monopolies, and even "fair" monopolies get a lot of scrutiny. In China, the gov doesn't really complain because they can piggyback on WeChat as a control mechanism. But the government is not why WeChat is popular. It's popular because it's good!
in the immediate, effective sense. it works and people use it.
Back in the 80s Twix was called Raider in Germany and, I believe all of continental Europe, up until the early 90s, when they decided to standardise on Twix Europe-wide. So they flooded the airwaves with this rhyming advertisement jingle:
Raider heisst jetzt Twix, sonst ändert sich nix.
(Raider is now known as Twix, nothing else changes.)
Ever since the Twitter/X renaming my brain short circuits and I got this annoying jingle stuck in my head. Twix - harmful even 30 years later.
It's just "who doesn't have WeChat?" mindset and laziness to offer a different method of payment that makes it not easy to live without it.
I was in China in Sept 2019 (what good timing..) and without WeChat I did feel as if people thought I was from some remote remote village. I saw an old lady who had a rickety old cart with coals and a big pot, inside the pot were warm corn she was selling, and on the cart was a QR code to pay her with WeChat/AliPay.
The CCP rules as much through soft power as through hard power (threat of being disappeared/jailed), WeChat is just another tool in their tool box. I don't think they are twisty mustache cartoon villains, but the CCP definitely are belligerent to anyone feeling personal liberty from the government beyond what they allow, and knowing you are always being watched is part of that.
I think the topic of conversation was how some businesses don't offer payment options beyond WeChat/AliPay.. maybe the CCP talked to these businesses? But it seems the more logical answer is the businesses thinking "Who the hell doesn't have WeChat?"
I think it can be both. The app becomes very popular, CCP analyzes it, sees that it is a very useful tool for surveillance, so they encourage it and promote its spread and give its execs special status.
You can fill out official government documents in WeChat is entirely different from the government endorsing it. The US government can use AWS without endorsing everyone buy from Amazon.
Is it a big deal if foreign competitors aren't active in that market? I wouldn't expect a Chinese payment app to work with my US bank account any more than I would expect Huawei network equipment to be used to transmit domestic traffic.
The CCP is notorious for boosting domestic ventures, and strangling any foreign attempt to compete. And while I would agree that keeping strategic industries under domestic control is a good thing, social media and mobile payments are arguably not part of those.
There aren't any payment apps in the US from friendly countries either. I think payments are a strategic industry, or at least one where the public doesn't benefit from having a Visa or Paypal take a cut of everything. As publicly funded infrastructure like interbank transfers gain greater adoption, I can see European governments discouraging use of American processors (Visa, MC) unless absolutely necessary.
Elon should collect all this PI, then swap user names for real names, and disable the ability to delete anything at the same time, with a ninja EULA update.
What in the world makes you think that? Musk is pretty clearly against this government, and openly so - if he wants to sell services to government agencies, he's definitely on the wrong path.
But he can get the government he likes into power... and then, he's golden, baby.
Hah, owning Twitter, if he was competent, he could've gotten a Rupert Murdoch level of kingmaker powers. Too bad his shrewdness is as great as his level of wit: thinking that dragging in a kitchen sink into the offices is a clever pun.
I don't think this would have been the case even if he chose to not insert himself as the main character when it came to making product changes. Satisfaction with social media use has dropped like a stone in recent years. It's not 2016 anymore, people are inured to the deluge of ragebait and political content.
"Musk wants X to become more like Tencent Holdings Ltd.'s WeChat, a messaging service turned super-app that offers everything from social media and video games to fintech. X Chief Executive Officer Linda Yaccarino has said X will include features such as payments and banking."
If that doesn't scream social credit score then you're intentionally ignoring it.
The only reason it works in China is because it disallows the competition and also lets the government spy on everyone through a single app. In China the Internet might as well be WeChat. Twitter, sorry "X", is in for a rude awakening unless Elon pulls the app from the EU.
Also disliking popular things is just a fundamental part of American society. You’d think Musk would get this, given that his whole vibe is “king of the misanthropes.” There’s no way “everything under one brand” works here for long enough to escape the fate of us turning on that brand.
Are there major micro/restaurant payment apps in China other than WeChat? I imagine it's difficult to compete with an app that's preinstalled on every phone, integrated with every bank and used by every restaurant and street vendor. And that's ignoring the social network effect of the 900+ million daily users.
Aggressive lock-in and positioning their conglomerate's holdings to be blocks to conducting normal activity in society via any competitor.
How about I flood your whole city with robotaxi cars and make it cost a nickel a mile, but you must be an X account holder, must use the X app, must pay in X-coin, and must submit to whatever other perverse encapsulation Lord Musk decides to implement. How about I only carry X-related data over my global net of satellites, forcing most connected people to buy from my ISP, must pay in X-coin but it also only costs 20 bucks a month. On and on, it seems pretty transparent to me.
It's all a furious and cynical land-grab in preparation for a very dystopian future.
Is he going to make an "X" account required to operate a Tesla? Sort of like what Microsoft is trying to do with Windows 11, or Facebook did with the Oculus.
You get in your car to drive to the store, but it demands you make several public posts about how great the car is before letting you go to the store or exit the car.
> It's all a furious and cynical land-grab in preparation for a very dystopian future
But in this scenario Twitter is like Vanuatu planning world domination. They have absolutely no leverage to compel anybody to sign up for a Twitter account. Musk would need to spend significantly more money to do any of this, and frankly, I feel like he will spend the coming year being an election provocateur than do anything productive.
Yea but competitors (Apple, Meta, Google, etc.) are better across the board and they would be able to provide alternatives or prevent these activities.
> How about I only carry X-related data over my global net of satellites
Just cherry-picking this one, but it would get regulated and competitors would come on to the market, and you can also obtain service from traditional providers (ISPs, and mobile providers) like you do today.
Also you can see how well these items work now ala Apple (maybe Google too?). Apple Card, iCloud, iPhone, Car Play, etc. good luck competing with that when people actively hate your products lol. I'm not super worried about this. I'm much more concerned about something like disinformation campaigns on social media or something along those lines than I am any sort of competence with Twitter turning into a dystopian nightmare machine.
You nailed the killer question. That leads to all sorts of thinking about brand management and the skills of the person at the top.
Twitter had the same level of brand recognition that google has. Musk threw that away for a bad rebrand. He just wrecked a company out of spite, or ignorance.
It's surprising he didn't do his own social media to try and outflank them on features from the ground up. It would have been cheaper too.
I think the point is that if he can pivot to do all the other things, then the social media will follow. However, the markets that he wants to get into require a high degree of customer trust--and I'm thinking he doesn't have much of that left.
Banking and social posting are at odds with one another, at least in countries where people feel they can express themselves unreservedly. In China it works as people are conditioned not to do that.
Unless he aims for influencer branding and consumption of curated content [1] and not the free expression of unpopular opinion, then it's a very cold and one dimensional target market. It's the opposite of what Twitter once was - brief musings thrown into the wind. Instead, people will consciously and deliberately pander to an audience for subs, views, and income. It'll no longer be a platform for casual, jokey, sarcastic fluff, or raw, honest, and radical perspectives.
Musk is a staunch free speech opponent. You need not listen to what he says, just observe what he does. There may not be a single thing on this earth Musk hates more than free speech.
I've seen estimates that 65M Americans have twitter. 65M/330M is definitely enough of a critical mass to start something big.
Effectively, Musk paid $675 per (American) user to bootstrap his everything app. Probably easier to incrementally add features to the-app-formerly-known-as-Twitter than to build something brand new, even if you can get a ton of sign ups when it is first announced. Take threads as an example, people got excited for approximately 1 minute, then forgot about it.
Google has probably had 100% of every American adult and child in the past 20 years, and they haven't made a dent in payments, even with their own phone ecosystem. This 65m/330m back of the envelope stuff is pure fantasy.
Unless people have no option but to use it, it won't work. For example, the only reason I use Paypal is that 20 years ago, Ebay didn't offer an alternative. Today, I use it because I can unsubscribe from stuff with one click. I'd never use it otherwise.
Threads died because the content trends were consistent with that of Facebook, highly monetized and therefore unappealing to Twitter users. Totally irrespective of Threads, Facebook is a superior replacement to Twitter in terms of its systems, and the value of Twitter is its violent flow of unmonetizable content generated by explicitly anonymous users, and so the whole thing is where capitalism goes to die and financially there's just no way out.
That billionaire man paying generous amount to users would have been a fortunate event to users collectively, but that's it.
You have to assume they would want to limit their audience, which why would they?
They would prefer everyone using their app and not artificially limiting to a subset.
That's only something governments or captured corporations do and Twitter/X is neither. Although that could change and worth raising the possibility. Is there any way they could institute a hard constitution-like policy that could prevent it from ever sliding down that slope?
"Job Applications / Recommendations. We may collect and use your personal information (such as your employment history, educational history, employment preferences, skills and abilities, job search activity and engagement, and so on) to recommend potential jobs for you, to share with potential employers when you apply for a job, to enable employers to find potential candidates, and to show you more relevant advertising."
I am no longer a Twitter user, but if I remember correctly, a recent musk tweet was talking about how bad LinkedIn was and that the new X app should go after that market.
He just assumes X will disrupt everything, and it won't. It's already on life support, dude can't even pay his bills for office space he still occupies.
That would be a decent analogy, if only it wasn't said by someone who managed to do almost exactly that a hundred times over.
Who is more believable, a person who has built/built-up and runs several multi-billion dollar companies and accomplished more in his life than 99.999% of people that have ever lived?, or the random person on the internet who likes to anonymously criticize successful people?
He bought into those companies willingly and on his terms though. Twitter he was forced to buy. Now he is flailing around for some kind of exit strategy from his 1 billion a year interest payments.
Also today's Musk isn't the same as yesteryear's Musk. Back then people still gave him the benefit of the doubt and allowed him to hype things to the moon. Today he is disliked by a hell of a lot of people making everything he touches toxic to those people.
Can't or doesn't... regardless, he isn't. I think his wealth is inflated. When he defaults on his twitter loan, lenders will sell their collateral aka Tesla shares, to make up the difference dragging Tesla down with it and eliminating a huge portion of his wealth and the wealth of people/shareholders invested in Tesla.
It’s almost as though he’s using that money to bully smaller people because they can’t afford to sue him. Which, in a shocking coincidence, is how Trump ran his companies.
He is not adhering to a contract, so that's the point he is making for some reason, and not the opposite. It was more of a joke, because he does hold some weird views about free market ("rules for thee and not for me", stuff like that).
Let me put it another way. If 𝕏 has $6 million to buy another company, why is the company delinquent on hundreds of millions, if not billions of dollars in debts, including office space rent, google cloud expenses, Oracle services, AWS, and so on?
That's just because Musk thinks "just don't pay your bills" is a negotiation tactic. He's just trying to abuse his debtors into agreeing to smaller amounts.
Musk and twitter have cash, precisely because they are choosing not to pay anything. That tends to do wonders for your cash flow. That doesn't mean they are profitable, or sustainable.
Kinda exists already. Google TheWorkNumber owned by Equifax. They most likely have your data too as every single major HR payroll processor sends your data to them without permission.
It's like some mornings you wake up and your toaster decides it's going to try and be a washing machine, which is kind of annoying when you just wanted some toast. But it's not about what you want, it's about what the toaster wants.
It's easier if you remember it's not your kitchen, lower your expectations, or just stop eating toast, breakfast is overrated anyway.
You mean a modern rework that doesn't quite take off and takes a decade or more to achieve broad usage and acceptance, while a large part of community still sticks with the old version for specific reasons not supported by the new one?
Honestly it seems like it already has that with all the other half-baked microblogging services.
Mastodon mainly since it's been around 7+ years, but can also lump in Threads + Nostr + Farcaster + Bluesky + Cohost + whatever others there are out there.
Trending posts in Mastodon need to be reviewed by the admin. That message generally means the admin just never bothered to do that (common on single-user instances).
But yes, the server is also not very popular (Because it was just set up as a joke after twitter was renamed).
"People send me LinkedIn links sometimes, but the cringe level is so high that I just can’t bring myself to use it, so I ask for the resume or bio to be emailed.
We will make sure that the X competitor to LinkedIn is cool."
That's pretty hilarious. LinkedIn will be forced to respond by attracting loud chuds writing problematic screeds and complaining that they get blocked.
It's the same niche of content; people who repeat what the wealthy and powerful want to hear in the hope that a few crumbs will be thrown their way, eventually.
To be fair, I also cringe at LinkedIn links. If you're using that site for anything else other than fulfilling social obligations, you're likely in marketing eugh
How many hours have gone into developing technologies for better ad targeting and yet still the same playbook for social media revenues? Has the approach of sucking up more data about you changed in 10 years? I get it’s been very profitable…
Why don't we give them a pair of calipers while they're at it; maybe while they're logging all this info, they can assess how well I fit into Musk's dystopian nightmare world he's attempting to establish.
I confess, it's difficult for me to think about the company as "they" (plural). It seems only "he" (narcissistic singular) since no one in his orbit can disagree with him and survive. Moreover, from watching what he does (rather than listening to what he says) it seems that keeping users & advertisers hasn't been a priority, so I'm not expecting that to change.
>>The new policy for the service formerly known as Twitter says it will use collected biometric data for ‘safety, security, and identification purposes.’
Clearly does NOT say safety and security of *WHOM*. My first thought is the priority is the safety and security of X Corp.
I know it's generally accepted that "the guy on the street" doesn't care about privacy, but honestly this seems a step too far even for such accepting souls. I guess Musk superfans may go for it, but everybody else? Just to use twitter? C'mon.
> It doesn’t include any details on what kind of biometric information this includes — or how X plans to collect it — but it typically involves fingerprints, iris patterns, or facial features.
To post to Twitter, simply look at one of Sam Altman's weird orb things.
So, how many people will fall for it? The very last thing you want to do is to put a guy like Elon Musk (or Mark Zuckerberg, or Jeff Bezos for that matter) in charge of collecting this sort of data. Before you know it your now mandatory Twitter (sorry, X), Amazon or Facebook account is your life and these wealthy and empathy free people will be in charge of it.
Has anyone found a way to wipe your data from Twitter/X without deleting the account? I don't trust them to do it and they seem to be rate limiting anyone who attempts to themselves
Pretend to be the parent of the US based 11 year old who created the account and you want it closed and everything deleted. Fastest way to get any unwanted account removed.
At this point I'm surprised they haven't simply paid Pegasus to pull all that info remotely already. There's a certain gulf prince Musk is pals with that would have their number.
The only reason I use things like HN, reddit, twitter is relative anonymity without a lot of effort. I've used the past few months to set up my own mastodon, password server, matrix server for my friends group. I'm just waiting for everyone to start demanding ID and that will be the final nail in the coffin for this stuff and end of an era for me. I don't need anyone telling me to "end it now!", that's impractical until they force my hand, I'm a pragmatist.
Who said it was fine? I'm telling you (or anyone else) to delete your social media accounts on all platforms. I did that a long time ago and years before the Twitter takeover.