Does Apple Need To Get Serious About Security?

An anonymous reader writes "An article at The Verge makes the case that Apple's development of its cloud services hasn't been accompanied by the necessary effort to ramp up security to match users' increasing levels of risk. As evidence, they use a recent (and very simple) security hole that allowed anyone to reset an Apple ID password with just a user's email address and birth date. Apple's initial response failed to fully stop the exploit, and then it took several days for them to fix the issue. 'A server-side attack on Apple's cloud could get customers' credit card numbers and addresses, device backups with their encryption keys — as well as contacts and Apple IDs — anonymously and in bulk. Those systems may be defended like a castle, but bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone. There's nothing sexy about securing these systems. None of them contribute directly to Apple's bottom line. And when it came to securing a business netting it an estimated $2 billion each year, Apple locked the screen door and left the front door open, without asking anyone else to check that the house was safe.' The article also points out that many other cloud service providers have detailed privacy and security policies, and actively participate in developing best practices, whereas Apple's procedures are shrouded in the company's typical secrecy. The article comes alongside reports of a way for people to DDoS other users' iMessage box."

Apple will get serious when you do.

[rtfa-troll]

Apple needs to get serious at the moment that it's customers care or at the moment someone put's legal liability on them and not a minute earlier. Given that the effect of Paris Hilton's phone getting hacked was to vastly increase the sales of the model, I don't think that's going to happen some time soon.

Re:Apple will get serious when you do.

[BrokenHalo]

...customers don't take security seriously.

Disregarding your jibe about Microsoft (because it's irrelevant and I don't care about them anyway), Apple and just about everybody else is in a bind. They need their services to be available to the individuals who have signed up for them. But those individuals are often too overloaded to take the trouble to use strong passwords and/or multi-factor authentication when available. Even if they do, there's always the risk of interception. At the same time, the service provider has to offer a means to reset credentials when they have been lost or potentially compromised, but users need to do a lot of work to keep track of all the things they've said to them in order to facilitate this.

Sure, wallet systems can take some of the drudgery out of authentication, but these do nothing for you if the provider (or your computer/connection) is compromised.

I know how I feel when I have had to recover signon credentials. The process is tedious, and it pisses me off. And if the service provider makes it too hard for me, it pisses me off even more, even to the extent that I might take my business (FWIW) elsewhere.

I don't have much sympathy for any individual who gets bitten by a virus or phishing exercise, since that is largely a matter for education and common sense, but the service providers definitely need a better means of securing login credentials and user data.

Re:Apple will get serious when you do.

[jbolden]

IMHO I think obviously systems like calling a home phone (they call you) to do a password reset work pretty well. The phone system while not hack proof is fairly resilient.

That failing we do have institutions available in huge numbers all over the world that do authentication as part of their core business function, banks. I'd say Apple, Google, etc... should partner with banks and allow them to do resets based on physical credentials (like a passport) for a nominal fee (say $10).

Re:Apple will get serious when you do.

[Sable+Drakon]

Or they could start caring about it now and save themselves even more litigation. I'm sure Apple's lawyers would rather deal with Apple's constant patent trolling than something serious.

Re:Apple will get serious when you do.

[martin-boundary]

Apple needs to get serious at the moment that it's customers care or at the moment someone put's legal liability on them and not a minute earlier.

It's too late by then. Security needs to be designed into a system from the start. You can't put it in within minutes of somebody wanting it.

See Microsoft, they've been trying for decades to retrofit security into their systems, and failing. You think Apple's engineers are can do better?

The more a phone is Cracked

[tuppe666]

the effect of Paris Hilton's phone getting hacked was to vastly increase the sales of the model

I think that was more down to accidental celebrity endorsement than any security vulnerability.

Re:The more a phone is Cracked

[Chris+Mattern]

Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.

Re:The more a phone is Cracked

Apple can Quattruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and i firmly belive that 1234 is too complex a password for her anyways...)

Re:The more a phone is Cracked

[rtfa-troll]

Apple can Quattruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and i firmly belive that 1234 is too complex a password for her anyways...)

Typical blame the victim IT security type.

If your default locking mechanism recommends a four digit PIN code and you have no way (like a bank) of enforcing a retry limit since it is possible to do a memory clone of your device, who is to blame if the mechanism fails? The customer who used it as it seemed to be designed or the engineer who chose the mechanism? The person who just went to a shop and assumed that the system they bought was fit for being a personal mobile device or the engineer who failed to make it that way.

Samsung has come up with ideas such as facial recognition. Some devices allow full passphrases by default. It would be perfectly possible to sell an RFID bracelet with the phone and unlock when within a few CM of it. Those are the ideas I can come up with in three seconds of thinking each of which is better than a PIN code. Apple's designers should be able to do better with years and gigadollars on their side.

Re:The more a phone is Cracked

iPhone supports > 4 digit passcodes so I don't know what you're smoking.

Facial recognition is crap because it is defeated by printing out a picture of the owner and waiving it in front of the phone's camera.

Re:The more a phone is Cracked

[Teun]

I think the word you're looking for is Infectious'.

Re:The more a phone is Cracked

[larry+bagina]

Also, it was made by asians, so it thinks all white people look the same.

Re:The more a phone is Cracked

[93+Escort+Wagon]

Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.

Wait. When Paris Hilton's phone got hacked a number of years ago, it was a T-Mobile Sidekick.

Re:The more a phone is Cracked

[oPless]

Apple can Quattruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and i firmly belive that 1234 is too complex a password for her anyways...)

And for most people it seems. Have you read: http://www.datagenetics.com/blog/september32012/ ?

If your default locking mechanism recommends a four digit PIN code and you have no way (like a bank) of enforcing a retry limit since it is possible to do a memory clone of your device, who is to blame if the mechanism fails? The customer who used it as it seemed to be designed or the engineer who chose the mechanism? The person who just went to a shop and assumed that the system they bought was fit for being a personal mobile device or the engineer who failed to make it that way.

iPhone has a 4 digit PIN, and full pass phrase, complete with timed lockout after multiple bad passwords, and with the option of wiping the device.
A six digit PIN would be nice, but would probably be birth dates too hohum.

Samsung has come up with ideas such as facial recognition.

I thought that was cool too. But once I had fooled it with a (bad) photo of me displayed from my iPhone I decided that it was a terrible idea. I'm sure it would have problems with my habit of growing a beard and shaving it off every month or so too.

It would be perfectly possible to sell an RFID bracelet with the phone and unlock when within a few CM of it.

Yes, because RFID and NFC tokens can't be hacked, cloned or masqueraded as ... http://www.libnfc.org/ has a nice toolkit there.

Those are the ideas I can come up with in three seconds of thinking each of which is better than a PIN code.

And probably why you've not got a role in the IT security industry too, I'd wager?

I agree with your assertion that short PINs are a terrible idea, but biometrics are worse.
However, there's a huge gap between what a user will accept and what's accepted as good practice.
Users will undoubtably choose the lazy option.

Re:The more a phone is Cracked

[rtfa-troll]

Apple can Quattruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and i firmly belive that 1234 is too complex a password for her anyways...)

And for most people it seems. Have you read: http://www.datagenetics.com/blog/september32012/ ?

Not my quote please note. It is well known that to avoid the complexity of 1234 most people switch to 1111. This makes PIN codes terrible for exposed data.

If your default locking mechanism recommends a four digit PIN code and you have no way (like a bank) of enforcing a retry limit since it is possible to do a memory clone of your device, who is to blame if the mechanism fails? The customer who used it as it seemed to be designed or the engineer who chose the mechanism? The person who just went to a shop and assumed that the system they bought was fit for being a personal mobile device or the engineer who failed to make it that way.

iPhone has a 4 digit PIN, and full pass phrase, complete with timed lockout after multiple bad passwords, and with the option of wiping the device. A six digit PIN would be nice, but would probably be birth dates too hohum.

It's typical for someone with little security experience to miss the fact that the attacker always goes for the weakest link. Having two different codes is likely to make things weaker than having one unless you are very very careful. In this particular case elcomsoft provides standard software which can use just the PIN to bypass all the other security measures. The hint that Apple got the implementation wrong is that the PIN still works after you have done a power on/off cycle. HoHumm indeed.

Samsung has come up with ideas such as facial recognition.

I thought that was cool too. But once I had fooled it with a (bad) photo of me displayed from my iPhone I decided that it was a terrible idea. I'm sure it would have problems with my habit of growing a beard and shaving it off every month or so too.

This is hardly new. The same problems apply to fingerprint readers and have been demonstrated many times. There are a number of solutions to this and it shouldn't be beyond Apple to come up with some of them. E.g. using the camera's focus make sure that the object is at the right distance for a face of its size; e.g. check for correct movement of the face and if the same movement repeats ask for a specific expression. E.g. check for three dimensionality using two separate cameras.

It would be perfectly possible to sell an RFID bracelet with the phone and unlock when within a few CM of it.

Yes, because RFID and NFC tokens can't be hacked, cloned or masqueraded as ... http://www.libnfc.org/ has a nice toolkit there.

NFC is just an energy and data transfer standard. There is nothing to stop you implementing proper security behind that (e.g. even a public key challenge response crypto system).

Those are the ideas I can come up with in three seconds of thinking each of which is better than a PIN code.

And probably why you've not got a role in the IT security industry too, I'd wager?

I agree with your assertion that short PINs are a terrible idea, but biometrics are worse. However, there's a huge gap between what a user will accept and what's accepted as good practice. Users will undoubtably choose the lazy option.

Biometrics are really crap in some situations. For example on credit cards in dangerous countries where they can jus

Re:The more a phone is Cracked

[Plumpaquatsch]

Apple can Quattruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and i firmly belive that 1234 is too complex a password for her anyways...)

Typical blame the victim IT security type.

That's funny coming from somebody who blames Apple for the fact that Paris Hilton's T-Mobile Sidekick was hacked.

Ya!

[tuppe666]

So, I'll answer the question with "Nah! They're doing fine!" just to be Troll.

Its more likely going to move the discussion onto redefining the word troll.

My Experience

[koan]

I worked for them until recently, and I can say people walk around (in my area) talking about the impervious OS X, and I chuckle.
I honestly don't think Apple has taken security as seriously as say, Microsoft.

But this is one persons experience and I was seriously disillusioned after working for them, but that's more likely a result of my initial naïveté.

Without Jobs fascism Apple is another corporation that will quickly slide into suck, here's hoping you got out above 600.

Re:My Experience

[deniable]

Yeah, but Microsoft used to be similar until they got repeatedly slammed by security issues. Once they got serious, things changed but it took time.

Re:My Experience

[Grashnak]

This just in... obvious fanboi is obvious.

"They aren't trying do help at all" - no, clearly Microsoft has done nothing to improve the security of their OSes in the last decade. At least in the bizarro world you live in. Wouldn't it be great if they released a great, free product like Microsoft Security Essentials? That would be awesome. If only that happened.

The fact that you believe vulnerability to viruses is "a loophole" means you don't even know what the words you're using mean.

Re:My Experience

[Runaway1956]

Actually - there are few similarities between Apple and Microsoft. The two greatest similarities are market hype, and financial success. And, we might say that each has enjoyed something of a cult following, although the cults themselves are quite different.

I would elaborate further, but I'd be typing for half the day if I ever got started. Especially since I would probably start googling for citations on some of it.

But, you go ahead and believe that Apple and Microsoft are similar on security. Whatever . . .

Re:My Experience

[Lumpy]

So you consider a Virus scanner a "security suite"?

Let me guess you are a upper level manager or an executive of some type.

Re:My Experience

[__aaltlg1547]

It took time because of the mountain of deferred security work. Same thing for Apple but before anybody writes them off, check out the mountain of money piled up to their chins.

Re: My Experience

[gnasher719]

It wont be a quick slide but it will be a slow steady slide down steve jobs made the whole package. No other company can do that and be competitive. Just look at RIM, Palm, etc.

Let me just make an observation. There are plenty of people claiming that Apple will inevitably go downhill without Steve Jobs. On the other hand, on theregister where they discuss Nolan Bushnell (ex-Atari) mentioned his ex-employee Steve Jobs, they insist that he didn't actually do anything worthwhile at all, that he is just a marketing guy doing nothing of any worth, and his success is all due to pure luck.

So which one is it?

Re: My Experience

[Nerdfest]

Why can't both be true? The new CEO doesn't seem to have the same luck or marketing ability. Even if they were an innovative company, you frequently still need marketing and luck to really succeed.

Re:My Experience

[Sable+Drakon]

They've done a few things to improve security. Enforcing DEP, making UAC the default, and enforcing ASLR all go a long way to keeping Windows secure. But at the same time, it doesn't keep the user from being a complete and total idiot and rendering their system FUBAR. To paraphrase from Kevin Mitnick, it doesn't matter how secure the system is if the user is allowed to interact with it.

Re:My Experience

[foniksonik]

All apps from the Mac App Store are both signed and sandboxed. Incredibly more secure by design for the very things you mentioned than an app installed and run from anywhere else.

Re:My Experience

[putaro]

That security is just designed to let Apple spend less effort curating the App Store. Most commercial applications are not trying to do bad things to customer's computers and most commercial applications do not have wide enough distribution to be an effective attack vector. All of that security is just there so that it is hard for people to use the App Store as a malware distribution platform. It doesn't actually provide much benefit for software users and it is a royal pain in the ass for software developers.

And who says the sandbox is secure? Java has had a "secure" sandbox for years - now that it's getting some attention it turns out to be full of holes. The OS X sandbox is not as simple as a chroot'd jail and has lots of "magic" in it to make things happen. There will turn out to be a massive exploit in there somewhere, just watch.

Re:My Experience

[tlhIngan]

That security is just designed to let Apple spend less effort curating the App Store. Most commercial applications are not trying to do bad things to customer's computers and most commercial applications do not have wide enough distribution to be an effective attack vector. All of that security is just there so that it is hard for people to use the App Store as a malware distribution platform. It doesn't actually provide much benefit for software users and it is a royal pain in the ass for software developers.

And who says the sandbox is secure? Java has had a "secure" sandbox for years - now that it's getting some attention it turns out to be full of holes. The OS X sandbox is not as simple as a chroot'd jail and has lots of "magic" in it to make things happen. There will turn out to be a massive exploit in there somewhere, just watch.

The sandbox is there as an additional production. It's primary purpose is iCloud though, and if you're take off your blinders, you'll see a potential security flaw in all "cloud" or "cloud-backed" services.

Let's say you buy a brand new PC. You install your usual apps, let's say Office which is cloud-backed. Now some malware comes around via a Word document and infects your default template. That template si now synced to the cloud. You clear the malware (the payload was a dropper) and you reformat the machine. You reinstall Office and it syncs to get your documents from backup... and it syncs your template as well. Thus reinfecting your newly cleaned PC.

With a sandbox, it's a lot less pervasive as the infected document can only infect the app. It can't interact with the rest of the system without breaking out of it.

The OS X sandbox is a capability based one - you need to specify what capabilities you need, and simply saying "all" is discouraged (in fact, you need to structure your program in the form of helpers - each of which has only the capabilities it needs. If you look at QuickTime on OS X, it does this - it has helpers to read files off the filesystem, another one to actually play the video (isolating the filesystem from the codecs), etc.

Yes, they are a pain - ask anyone who wants to set up SELinux properly (also a capability-based system). Going through endless binaries and figuring out what needs to be done is no trivial job, and having to refactor code so it works is long, boring and tedious (e.g., think of servers that operate on "low" powers needing root - sure most will drop root after acquiring the port, but it's probably safer if they didn't even try - just give the daemon the right to use a low port without root, or even better, the daemon could use only ONE SPECIFIC port).

As for software developers - well, it's time they buck up as well and quit bitching about "how hard it is to code securely". Security is not an easy job, it's also a really, really, really boring one. And taking care of things like Dancing Pigs is very difficult. Far too many are "cowboy coders" or "Give me the codez" from Stack Overflow who just want to get someone else to do their work, security be damned.

Hell, it's one reason why Windows has been wide open until Vista - far too many applications assumed admin priviledges and didn't properly go and figure out WHAT they needed or WHY. (When Vista decided that admin was optional with UAC, it lead to all sorts of breakage. These days, most apps are better behaved because developers took time to see if they really needed admin).

OS X has the same problem, though less so as apps already had to contend with multiple users. Still things often broke, like fast user switching because the apps weren't designed to be instantiated multiple times and often made global what was supposed to be private. Of course, Apple generally decided decades ago that they will not stoop to backwards compatibility at all costs (unlike Microsoft, where we still have "Program Manager" (explorer.exe creates a window with this title) and other legacy crap because apps break), so they break

how many security issues has apple had?

[alen]

compared to everyone else?

that journalist was one case. the article mentioned a lot of scary things, but no one has done any of it yet. and some of these services have been around for almost 2 years.

Re:how many security issues has apple had?

[silviuc]

How would you measure? How would you compare?

MS and Apple disclose only what they fix. They also don't have the same amount of users for their operating systems. The more eyeballs on one's product, the more flaws get discovered.

Re:how many security issues has apple had?

[Runaway1956]

How would you measure?

Google might help to find how many billions of dollars have been spent by corporations and businesses to alleviate damage from Microsoft's security flaws.

A similar search might find similar figures for Apple's security flaws. Or not.

Microsoft started out without any security model at all. Further, Microsoft has often sacrificed security for convenience and/or backward compatibility. Apple started with a Unix-like security model. It is fair to say that Microsoft has been steadily improving their security for about 18 years now. Apple hasn't had a comparable rate of improvement, but they didn't start so far down the food chain, either. Today - Microsoft might be considered to be competitive with Apple.

Before you ASSume me to be an Apple Fanboi - I use Unix-like operating systems, but I don't own a single Apple product. In regards to security, I'll put my faith in ANY Unix-like before I trust Microsoft products.

Re:how many security issues has apple had?

[jbolden]

Actually Microsoft NT started with a capability based system, not a permissions system which is vastly vastly more secure. The problem they realized very quickly was that end users couldn't handle capabilities, and their application ecosystem wasn't compatible with it. Internet Explorer being an serious example because at that point it was the default shell. So end users ended up granting almost unlimited capabilities to most applications. At that point Microsoft began introducing permissions...

I'd say Microsoft's NT problems are a classic example of different parts of Microsoft fundamentally disagreeing about objectives, like security vs. backwards compatibility.

____

Apple's initially had overlapping permissions systems: the BSD based one, the NeXT based one and the various applications one from the mess that was OpenStep's security. They had to introduce a fourth one for connectivity to Microsoft networks. They've unified them somewhat and added 2 more security modules based on capabilities but they had a tremendous mess.

_____

Arguably:
Microsoft started further ahead but couldn't handle the conflicts between competing interests.
Apple had a total mess but made better compromises.

That is the opposite of what you were claiming.

Re:how many security issues has apple had?

[Runaway1956]

Opposite. Ohhh-kay . . . I think that you are offering a more nuanced explanation of things, and probably more accurate for the nuances. But, the case I'm making is, Apple's finished product was demonstrably more secure in real world environments, for real world users, for a long time. Microsoft has made tremendous improvements since then, and may rival Apple today, depending on one's perspective.

I'll return to my original statements, regarding the costs of dealing with compromised systems.

I'm somewhat surprised though. My post has been up for awhile now, and not even Anonymous Coward has attempted to tell us of an un-hackable system, or made a fanboy post about how superior BSD, or Windows, or Apple, or even Linux is to all the others. ;^)

Re:how many security issues has apple had?

NT started by actually being a VMS kernel, with much of the code lifted straghit from the work David Cutler brought with him from DEC when his latest project got canned and Microsoft hired him. (Look at the old lawsuits from DEC, the settlements, and the memory architecture of NT for evidence of this.). It was basically written for the 64-bit Alpha architecture from DEC. It was possible to rewrite for the Pentium because much of the Pentium architecture was stolen from the Alpha! So it's not surprising NT worked better on Pentiums than one might expect, and it's not surprising that the original architecture was more robust and more secure.

Then it met Microsoft Office, MS games, MS gui's, and everything else ever written to run on DOS and Windows. The security model and much of its formerly clean architecture had to be discarded, and it was profoundly destabilized. it's taken most of a decade to clean up the resulting mess.

Re:how many security issues has apple had?

[jbolden]

Thank you for the polite response.

Apple's finished product was demonstrably more secure in real world environments, for real world users, for a long time

I can absolutely agree with that. Since 2001 Mac end users who do not have complex security needs have had a much more secure experience. As my daily home and often work machine I've been on a Mac since 10.1 and don't run anti-virus don't really have to think about it. That's rather impressive.

Re:how many security issues has apple had?

[jbolden]

The security model and much of its formerly clean architecture had to be discarded

I don't know that it had to be. Microsoft choose to discard. They could easily have made opposite choices. They could have for example introduced a porting system. They could have introduced individual applications sandboxes (remember these were part of OS/2, so Microsoft did know how to do them), etc...

Microsoft choose to make the migration from Wind95/98 painless for application developers. That gave them a huge applications advantage. It helped them establish a monopoly quickly and it avoided several years of complex transitioning pains. But it bought them a security mess they still haven't gotten clear of.

It also bought them a developer culture, that expects good backwards compatibility and that has been an albatross for 1 1/2 decades.

Who says they aren't?

[hsmith]

the famed incident was more of a social engineering hack than anything else. Which, lets be fair, you can have the best security in the world, but humans are the biggest weaknesses in any real system.

Security is a constantly evolving game - people are constantly developing exploits. Could Apple be better? Everyone can. Are they bad? I don't think they are horrible.

Hell, how many people don't even have PIN screens setup on their phone. Most people just don't care at all.

Re:Who says they aren't?

[GNULinuxGuy]

I think most people just realize PINs are more hassle than they're worth. Having to enter them all the time while in public with people and CCTV cameras everywhere it's not exactly a secret number anymore.

Re:Who says they aren't?

Hell, how many people don't even have PIN screens setup on their phone. Most people just don't care at all.

That may be because they are practically useless except to fend off children and non-tech people. You can use one of the screen unlocking mechanisms people have figured out (lol Apple engineers don't know how to make a state diagram and implement it properly) or simply connect the device to a computer and let it brute force the pin, since pin failures through the USB access don't count towards the "fail x times and delete the device" and testing 10000 possible combinations doesn't take long (which is why people recommend using whole keyboard password, not just numeric).

Seriously, don't use iOS for anything requiring real security.

Re:Who says they aren't?

[GNULinuxGuy]

The protection they rely on is holding the device like they should. If it's taken the PIN will be trivially bypassed anyway. Now I feel like an idiot for replying to what probably amounts to a troll, but you never know.

Re:Who says they aren't?

[__aaltlg1547]

True, but my company sez I have to set a PIN if I want to see my corporate email on my phone.

Re:Who says they aren't?

[hsmith]

But, I'd say for a majority of people - the PIN is simply enough. Yes, iOS and Android are trivial to hack, but lacking one opens them up to easy exploits. I mean, a 4 digit numeric pin is virtuously useless - but it would protect you when your phone got stolen.

Think of the Little People

[tuppe666]

Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.

No! not in the slightest. People who *admire* Paris Hilton...definitely not "most"(sic) or even some, but that select group of people who are swayed by her. I suspect it actually did a lot of harm, as many of that select group, who I would not be astonished would have given iPhones by Apple as (cough) gifts, as those people love exposure, but only the type they manage. I suspect those people have ditched those phones now.

...but again its simply celebrity endorsement.

Re: OH God.

The fuck are you talking about? What would you call this, for example?

Bullshit

Every single one of these "possible attacks" exists in nothing more than the submitters mind.

"bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone"

None of these things are possible. FaceTime and iMessage are encrypted end-to-end. iTunes updates are signed. If you want to know how they work, buy a fucking disassembler. Until then, don't spout off bullshit, it just makes you sound like an ignoramus.

Re:OH God.

[robthebloke]

So, I'll answer the question with "Nah! They're doing fine!" just to be Troll.

Everytime I read any connectivity spec regarding apple products, these days it always bangs on about thunderbolts and lightning. I find that very very frightening.

Not quite true

[gnasher719]

"Anybody could access ... with just AppleID and date of birth" is not true. You needed someone's AppleID, date of birth, _and_ the knowledge of a clever hack. As a reaction, Apple first shut down the site, then fixed the problem.

The "social engineering hack" won't work anymore once you switch your AppleID to two factor authentication. The disadvantage is that if you lose two of (password, backup code, trusted device), Apple _cannot_ restore your account. It becomes unusable. The reason social engineering won't work is that even a proven genuine account owner cannot get help.

Re:Not quite true

[AdamWill]

"As a reaction, Apple first shut down the site"

They 'shut down the site' in a way which did not prevent access to the hack. They just hung an 'Under Construction' sign over the front page of the site, but the 'hack' - really, just entering a deeper-level URL - continued to work just fine. They screwed up what ought to have been the simplest step of the fix process: "block access to the exploit".

Paris = sidekick

[jbolden]

Paris Hilton was a spokesperson for Danger's HipTop (Sidekick on T-Mobile). That was the phone that got hacked. And her endorsement of the phone was well known prior to the hacking. They had huge Hollywood parties and she appeared in public using the phone regularly.

Apple wasn't involved.

Re:Paris = sidekick

[rtfa-troll]

Apple wasn't involved.

I know that failing to read the article is de rigueur. I do follow the new fashion on Slashdot of not reading the summary. However, failing to read the comment you are replying to is a new and excellent level of trolling. Well played that man. At no point in my comment did I claim Apple was involved but you just read a random sentence and then assumed I would. Cool.

Paris Hilton was a spokesperson for Danger's HipTop (Sidekick on T-Mobile). That was the phone that got hacked. And her endorsement of the phone was well known prior to the hacking. They had huge Hollywood parties and she appeared in public using the phone regularly.

Actually, it was widely publicised at the time that it the publicity campaign had been pretty much a failure up till the hack and that the hack caused a vast increase in sales. This teaches us several things

• the public doesn't care about security
• getting your systems hacked might be a major publicity win
• there is no penalty.

This is not Apple's fault. In fact other offenders are worse. This is the fault of (in this order) a) the general public and b) the politicians and c) Microsoft (who taught this habit over long years) d) the rest of the industry which keeps failing to point this out.

Ask yourself whether Apple allows the plans for their latest secret product to be stored on their public cloud? I think you will find out that Apple knows fine well how to do security better than it currently chooses to.

Re:Paris = sidekick

[jbolden]

Actually, it was widely publicised at the time [playstation.com] that it the publicity campaign had been pretty much a failure up till the hack and that the hack caused a vast increase in sales.

Nonsense. Paris was hacked Feb 2005. Oct 2002 the Sidekick went on sale. By the time of Paris' hack they were 3 very successful models in: original, color and Sidekick 2. This is a video which shows you the promotions on TV from the year before.

A backup failure incidentally is what killed the Sidekick. While not a security issue that does show the public cares.

the public doesn't care about security

No the public does care about security. Mac has benefited tremendously from less problems with virus and worms. Doesn't care and isn't their top priority are different things. End users want heightened security that doesn't interfere with functionality.

Ask yourself whether Apple allows the plans for their latest secret product to be stored on their public cloud? I think you will find out that Apple knows fine well how to do security better than it currently chooses to.

Of course they do. What they don't know how to do, but are working hard on, is how to do security in a way that is user friendly and doesn't interfere with other features end users care about more. They are making efforts and doing a good job in trying to balance security against other features. I think iOS is a terrific example of good compromise. Which is not to say there aren't mistakes or areas where someone could disagree. But iOS represents a major security upgrade (from OSX) that end users find palatable. That's a much harder problem then just boosting security.

 

PLEASE!

[__aaltlg1547]

Can we stop with the mentioning of DDOS and security in the same breath as if they were related?

Sigh.

[BrokenHalo]

Seriously, don't use iOS for anything requiring real security.

I hate those FTFY posts, but in this case I believe it's called for:

Don't use a phone of any kind for anything requiring real security.

No Need to Worry

[Trip6]

Apple will be irrelevant soon.

Re:No Need to Worry

Apple will be irrelevant soon.

This quote has been spoken by:

Amiga
Be
Commodore
Compaq
DEC
IBM's PC division
Sun
Gateway

Soon to be joining them,
HP
Dell

Not Flamebait - True

[Trip6]

I really mean this - not intended to be flamebait. Without Jobs, Apple's grasp of the perfect user experience will give way to engineers' insistence of packing on new features. The products will become harder and more cumbersome to use, and the premium Apple charges for the perfect user experience will be shunned by the market. And then they will be toast.