Slashdot Mirror


Does Apple Need To Get Serious About Security?

An anonymous reader writes "An article at The Verge makes the case that Apple's development of its cloud services hasn't been accompanied by the necessary effort to ramp up security to match users' increasing levels of risk. As evidence, they use a recent (and very simple) security hole that allowed anyone to reset an Apple ID password with just a user's email address and birth date. Apple's initial response failed to fully stop the exploit, and then it took several days for them to fix the issue. 'A server-side attack on Apple's cloud could get customers' credit card numbers and addresses, device backups with their encryption keys — as well as contacts and Apple IDs — anonymously and in bulk. Those systems may be defended like a castle, but bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone. There's nothing sexy about securing these systems. None of them contribute directly to Apple's bottom line. And when it came to securing a business netting it an estimated $2 billion each year, Apple locked the screen door and left the front door open, without asking anyone else to check that the house was safe.' The article also points out that many other cloud service providers have detailed privacy and security policies, and actively participate in developing best practices, whereas Apple's procedures are shrouded in the company's typical secrecy. The article comes alongside reports of a way for people to DDoS other users' iMessage box."

17 of 84 comments

  1. Apple will get serious when you do. by rtfa-troll · · Score: 5, Insightful

    Apple needs to get serious at the moment that its customers care or at the moment someone puts legal liability on them and not a minute earlier. Given that the effect of Paris Hilton's phone getting hacked was to vastly increase the sales of the model, I don't think that's going to happen some time soon.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    1. Re:Apple will get serious when you do. by BrokenHalo · · Score: 2

      ...customers don't take security seriously.

      Disregarding your jibe about Microsoft (because it's irrelevant and I don't care about them anyway), Apple and just about everybody else is in a bind. They need their services to be available to the individuals who have signed up for them. But those individuals are often too overloaded to take the trouble to use strong passwords and/or multi-factor authentication when available. Even if they do, there's always the risk of interception. At the same time, the service provider has to offer a means to reset credentials when they have been lost or potentially compromised, but users need to do a lot of work to keep track of all the things they've said to them in order to facilitate this.

      Sure, wallet systems can take some of the drudgery out of authentication, but these do nothing for you if the provider (or your computer/connection) is compromised.

      I know how I feel when I have had to recover signon credentials. The process is tedious, and it pisses me off. And if the service provider makes it too hard for me, it pisses me off even more, even to the extent that I might take my business (FWIW) elsewhere.

      I don't have much sympathy for any individual who gets bitten by a virus or phishing exercise, since that is largely a matter for education and common sense, but the service providers definitely need a better means of securing login credentials and user data.

    2. Re:Apple will get serious when you do. by martin-boundary · · Score: 2

      Apple needs to get serious at the moment that its customers care or at the moment someone puts legal liability on them and not a minute earlier.

      It's too late by then. Security needs to be designed into a system from the start. You can't put it in within minutes of somebody wanting it.

      See Microsoft, they've been trying for decades to retrofit security into their systems, and failing. You think Apple's engineers can do better?

  2. Re:The more a phone is Cracked by Chris+Mattern · · Score: 4, Insightful

    Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.

  3. how many security issues has apple had? by alen · · Score: 4, Insightful

    compared to everyone else?

    that journalist was one case. the article mentioned a lot of scary things, but no one has done any of it yet. and some of these services have been around for almost 2 years.

    1. Re:how many security issues has apple had? by jbolden · · Score: 3, Insightful

      Actually Microsoft NT started with a capability based system, not a permissions system, which is vastly, vastly more secure. The problem they realized very quickly was that end users couldn't handle capabilities, and their application ecosystem wasn't compatible with it. Internet Explorer being a serious example because at that point it was the default shell. So end users ended up granting almost unlimited capabilities to most applications. At that point Microsoft began introducing permissions...

      I'd say Microsoft's NT problems are a classic example of different parts of Microsoft fundamentally disagreeing about objectives, like security vs. backwards compatibility.

      ____

      Apple initially had overlapping permissions systems: the BSD based one, the NeXT based one and the various applications one from the mess that was OpenStep's security. They had to introduce a fourth one for connectivity to Microsoft networks. They've unified them somewhat and added 2 more security modules based on capabilities, but they had a tremendous mess.

      _____

      Arguably:
      Microsoft started further ahead but couldn't handle the conflicts between competing interests.
      Apple had a total mess but made better compromises.

      That is the opposite of what you were claiming.

  4. Who says they aren't? by hsmith · · Score: 5, Interesting

    the famed incident was more of a social engineering hack than anything else. Which, let's be fair, you can have the best security in the world, but humans are the biggest weaknesses in any real system.

    Security is a constantly evolving game - people are constantly developing exploits. Could Apple be better? Everyone can. Are they bad? I don't think they are horrible.

    Hell, how many people don't even have PIN screens set up on their phone. Most people just don't care at all.

    1. Re:Who says they aren't? by GNULinuxGuy · · Score: 2, Interesting

      I think most people just realize PINs are more hassle than they're worth. Having to enter them all the time while in public with people and CCTV cameras everywhere, it's not exactly a secret number anymore.

      --
      Earn Cash and Prizes, and get free stuff!
  5. Bullshit by Anonymous Coward · · Score: 3, Insightful

    Every single one of these "possible attacks" exists in nothing more than the submitter's mind.

    "bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone"

    None of these things are possible. FaceTime and iMessage are encrypted end-to-end. iTunes updates are signed. If you want to know how they work, buy a fucking disassembler. Until then, don't spout off bullshit, it just makes you sound like an ignoramus.

  6. Not quite true by gnasher719 · · Score: 4, Informative

    "Anybody could access ... with just AppleID and date of birth" is not true. You needed someone's AppleID, date of birth, _and_ the knowledge of a clever hack. As a reaction, Apple first shut down the site, then fixed the problem.

    The "social engineering hack" won't work anymore once you switch your AppleID to two factor authentication. The disadvantage is that if you lose two of (password, backup code, trusted device), Apple _cannot_ restore your account. It becomes unusable. The reason social engineering won't work is that even a proven genuine account owner cannot get help.

  7. Re:My Experience by Runaway1956 · · Score: 2

    Actually - there are few similarities between Apple and Microsoft. The two greatest similarities are market hype, and financial success. And, we might say that each has enjoyed something of a cult following, although the cults themselves are quite different.

    I would elaborate further, but I'd be typing for half the day if I ever got started. Especially since I would probably start googling for citations on some of it.

    But, you go ahead and believe that Apple and Microsoft are similar on security. Whatever . . .

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  8. Paris = sidekick by jbolden · · Score: 3, Informative

    Paris Hilton was a spokesperson for Danger's HipTop (Sidekick on T-Mobile). That was the phone that got hacked. And her endorsement of the phone was well known prior to the hacking. They had huge Hollywood parties and she appeared in public using the phone regularly.

    Apple wasn't involved.

  9. No Need to Worry by Trip6 · · Score: 3, Insightful

    Apple will be irrelevant soon.

    --
    I hate being bipolar; it's awesome!
  10. Re:The more a phone is Cracked by larry+bagina · · Score: 3, Funny

    Also, it was made by asians, so it thinks all white people look the same.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  11. Re: My Experience by Nerdfest · · Score: 2

    Why can't both be true? The new CEO doesn't seem to have the same luck or marketing ability. Even if they were an innovative company, you frequently still need marketing and luck to really succeed.

  12. Re:The more a phone is Cracked by 93+Escort+Wagon · · Score: 4, Informative

    Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.

    Wait. When Paris Hilton's phone got hacked a number of years ago, it was a T-Mobile Sidekick.

    --
    #DeleteChrome
  13. Re:The more a phone is Cracked by oPless · · Score: 2

    Apple can Quadruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and I firmly believe that 1234 is too complex a password for her anyways...)

    And for most people it seems. Have you read: http://www.datagenetics.com/blog/september32012/ ?

    If your default locking mechanism recommends a four digit PIN code and you have no way (like a bank) of enforcing a retry limit since it is possible to do a memory clone of your device, who is to blame if the mechanism fails? The customer who used it as it seemed to be designed or the engineer who chose the mechanism? The person who just went to a shop and assumed that the system they bought was fit for being a personal mobile device or the engineer who failed to make it that way.

    iPhone has a 4 digit PIN, and full pass phrase, complete with timed lockout after multiple bad passwords, and with the option of wiping the device.
    A six digit PIN would be nice, but would probably be birth dates too hohum.

    Samsung has come up with ideas such as facial recognition.

    I thought that was cool too. But once I had fooled it with a (bad) photo of me displayed from my iPhone I decided that it was a terrible idea. I'm sure it would have problems with my habit of growing a beard and shaving it off every month or so too.

    It would be perfectly possible to sell an RFID bracelet with the phone and unlock when within a few cm of it.

    Yes, because RFID and NFC tokens can't be hacked, cloned or masqueraded as ... http://www.libnfc.org/ has a nice toolkit there.

    Those are the ideas I can come up with in three seconds of thinking each of which is better than a PIN code.

    And probably why you've not got a role in the IT security industry too, I'd wager?

    I agree with your assertion that short PINs are a terrible idea, but biometrics are worse.
    However, there's a huge gap between what a user will accept and what's accepted as good practice.
    Users will undoubtedly choose the lazy option.
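The exchange above turns on two points: a short PIN is only survivable because the verifier enforces a retry limit with timed lockout and an eventual wipe, and that limit is worthless once someone can guess against a copy of the device's memory rather than against the live verifier. The following is an added example, not code from the thread or from Apple, that models both sides: a small PIN vault with an escalating lockout schedule and a wipe threshold (the schedule values, the PBKDF2 work factor and the one-second-per-typed-guess assumption are all constructed, illustrative numbers), plus a helper that shows what bounds the guessing cost when the counter is bypassed and only PIN length and per-guess cost remain.

```python
"""Constructed example: a timed-lockout PIN verifier and the guessing cost it
imposes, contrasted with the cost when the retry counter is bypassed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Illustrative policy (assumed, not any vendor's real schedule): the first four
# failures cost nothing, later failures impose an escalating delay in seconds,
# and the WIPE_AFTER-th failure erases the key material.
LOCKOUT_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}
WIPE_AFTER = 10
KDF_ITERATIONS = 50_000  # constructed work factor for the per-guess cost


@dataclass
class PinVault:
    """Holds a salted, stretched PIN hash and enforces the retry policy."""
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False

    @staticmethod
    def _stretch(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)

    @classmethod
    def enroll(cls, pin: str) -> "PinVault":
        salt = os.urandom(16)
        return cls(salt=salt, pin_hash=cls._stretch(pin, salt))

    def attempt(self, pin: str, now: float) -> str:
        """One verification attempt at time `now` (seconds).

        Returns 'ok', 'bad', 'locked' or 'wiped'. A correct PIN entered during
        a lockout window is refused too: the policy gates attempts, not answers.
        """
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(self._stretch(pin, self.salt), self.pin_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self.wiped = True
            self.pin_hash = b""  # constructed stand-in for erasing key material
            return "wiped"
        self.locked_until = now + LOCKOUT_SCHEDULE.get(self.failures, 0)
        return "bad"


def simulate_guessing(vault: PinVault, guesses, start: float = 0.0):
    """Feed guesses in order against the live verifier, waiting out every
    lockout window first. Returns (outcomes, elapsed_seconds): the wall-clock
    cost an online guesser pays, which the policy makes grow with each miss."""
    now = start
    outcomes = []
    for guess in guesses:
        now = max(now, vault.locked_until)
        outcomes.append(vault.attempt(guess, now))
        if outcomes[-1] in ("ok", "wiped"):
            break
        now += 1.0  # constructed: one second per typed guess
    return outcomes, now - start


def offline_worst_case_seconds(digits: int, ms_per_guess: int) -> float:
    """Worst-case time to exhaust a numeric PIN space when guesses are made
    against a copied image instead of the live verifier: the lockout counter
    never fires, so only keyspace size and per-guess cost remain."""
    return 10 ** digits * ms_per_guess / 1000


if __name__ == "__main__":
    vault = PinVault.enroll("1234")
    wrong = ["%04d" % i for i in range(20)]  # constructed: 0000..0019, none correct
    results, seconds = simulate_guessing(vault, wrong)
    print(results, "after", seconds, "seconds")           # 9 x 'bad' then 'wiped'
    print(vault.attempt("1234", seconds + 1))              # 'wiped': correct PIN no longer helps
    print(offline_worst_case_seconds(4, 50), offline_worst_case_seconds(6, 50))
```

With the constructed schedule the online guesser gets ten tries and roughly two and a half hours of forced waiting before the device wipes, regardless of PIN length; against a cloned image the same four-digit space falls in minutes and only a longer PIN or a slower per-guess function (or a secret the copy does not contain) changes that arithmetic.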