Reported iCloud Hack Leaks Hundreds of Private Celebrity Photos
swinferno writes with news about the leak of hundreds of private celebrity photos over the weekend. Hundreds of revealing pictures of female celebrities were leaked overnight after being stolen from their private collections. Hunger Games actress Jennifer Lawrence, Kirsten Dunst, and pop star Ariana Grande were among the celebrities apparently shown in the pictures, which were posted on infamous web forum 4chan. It's unclear how the images were obtained, but anonymous 4chan users said that they were taken from celebrities' iCloud accounts. The accounts are designed to allow iPhone, iPad, and Mac users to synchronize images, settings, calendar information, and other data between devices, but the service has been criticized for being unreliable and confusing. Earlier this year, Jennifer Lawrence herself complained about the service in an interview with MTV.
Where are these photos you speak of?
I guess the internets are dead.
Actually the source was anonib.
But they were then posted all over 4chan yeah.
Paraphrasing something I just read somewhere on the Internet:
When somebody says 'the cloud', mentally replace it by 'somebody else's computer'.
Pretty good detective work: http://pastebin.com/cwAz9Y2r
Then don't use it. Pretty simple. There is no law that says you have to use any cloud service, so if you don't trust/like them, don't use them. And don't bitch about it when you choose to do so.
---- Booth was a patriot ----
seriously, what am I missing?
But I has a silver lining.
-- I ignore anonymous replies to my comments and postings.
It's a little weird since a lot of the phones that took the photos aren't running iOS and some of the folders have Dropbox-specific files.
Don't use the same password on multiple sites!
Slashdot: Where we care about privacy, unless there's a chance to see a naked girl
Pro-tip: There are millions of photos of naked women out there that can be viewed without violating anyone's privacy. Go make use of those if you're in so desperate need.
I worked for Apple for 9 years. I would never use iCloud for anything I needed to keep private.
Apple's own culture of secrecy works against them. You don't discuss what you are doing outside your immediate team. This means that you often don't know enough about what you are doing to understand where your code will be used. You are working from a design (or an API) specified by another team and you have to assume they have the complete picture. If they don't specify brute force protection for your code you must assume that they have a reason or they are using some other method.
The internal secrecy also results in multiple implementations of the same function, because each team knows its own code and doesn't see what others have already implemented or are working on. No doubt somebody in the organization thinks that the internal secrecy is worth the cost.
Ok, first of all, if I somehow got hold of these pictures, I'd delete them. Integrity is good for us all. I've no animosity towards the famous.
That being said, these people sold their privacy for cold hard cash. Not small amounts either, enough to buy the town I live in. Maybe I'm a jerk, but I just don't feel all that bad for them. They sell sex every day, all day. I have a feeling most are more upset that some of the pictures are unflattering than they are that they're nude in them.
Still, allowing brute force over the internet is a big mistake.
Somebody:
1) Takes nude photos of themselves with an internet-connected device.
2) Has said photos of themselves synchronized with an internet service.
3) Is surprised / outraged that said photos are accessed by somebody on the internet.
I'm not saying that those people are to blame, but rather that there is a significant disconnect between technology and users' expectations. And the companies involved aren't making things any better with their hand-waving "cloud" mumbo-jumbo.
And how odd is it that your b.f. needs to answer one 'important' text message just as the blow job commences?
Have gnu, will travel.
As far as I know, Jennifer Lawrence has never done a nude scene in a movie. Is some of the outrage due to that maybe Jennifer Lawrence as an actress is more appealing/alluring in some roles because she's not been seen on screen nude and thus manages to increase her allure by keeping the mystery alive (although X-Men and American Hustle did about everything possible to reveal that mystery)?
It does seem to be something of a female celebrity career trope that when they hit a mature phase of their careers they start opting for roles that involve a lot of nudity under some kind of guise that it's a challenging or artistically complex thing to do. Usually the more explicit the nudity and/or sex the greater press it draws and with any luck a bump to the actress' career.
Could Jennifer Lawrence ALSO be motivated by the fact that being nude in a movie is some way passé now -- ie, taking a role with nudity would no longer bring any added celebrity or notoriety because we've already seen that?
I'm not implying she doesn't have other, better reasons to be annoyed -- celebrities are people too, and like their privacy. I'm just curious to what extent the outrage isn't somewhat motivated by a celebrity's desire to flog an image of sexuality for maximum return.
No. What it comes down to is who, and what, are trustworthy. Cloud services are not trustworthy. Some people are not trustworthy. This doesn't just apply to images; it applies to financial information (banks are not trustworthy), to your behavior in public (those other people at parties are not trustworthy) and so on.
There's no need to give up intimate entertainment. You just need to learn to be discreet, and this means very carefully evaluating who, and what, are trustworthy. I will grant that in the face of all the cloud propaganda, the social networking tsunami, the government's drive to list everyone and everything, and people's innate tendency to gossip, this may no longer be obvious, but discretion is, in fact, one of the key characteristics of a mature and healthy personality.
If you don't want something repeated, don't say it. If you don't want it shared, don't share it. But you can still do it. From there, the advisability of "doing it" becomes a question of one's morals and ethics -- and perhaps the law. While the law is often completely wrongheaded, we must always remember the amount of power in the system's hands.
Discretion: That's what is at the core of all of this. Not self-censorship.
I've fallen off your lawn, and I can't get up.
No. There isn't. There's good use of cloud and bad use of cloud. If it's not a problem for random people, business entities, criminals and governments to have access to your data, then cloud storage can be convenient and harmless. Using cloud for storage of anything personal, proprietary, secret or dangerous is outright stupid. Marketing bullshit aside, you are putting your data in multiple-someone-else's hands and you have *zero* control over where it goes from there. There is no assurance of security whatsoever. There never has been. It is extremely unlikely there ever will be.
These truths extend to your own use of storage. Storing information on your boot drive can expose it to others if the machine ever needs repair and you cannot do the work yourself and you let the machine out the door with the boot drive and/or backup drives still installed. Connecting a machine with information on any attached storage device to the Internet creates a risk constructed of a very long list of possible errors whose genesis can be traced to the author(s) of your operating system and/or your own security procedures. Allowing others physical access to your machine can expose your data. Even the possibility of physical access to your machine, regardless of your authorization, can do so.
Most people don't understand security, and have not learned to be discreet, and are very poor evaluators of who, and what, are actually trustworthy. Unfortunately, this creates a situation where the gullible fall into the trap set by marketers claiming things like cloud storage are "safe." We can't fix this without specific education on the matter, and with a school system that can't even graduate people who can read and write well, the required understanding of secure data handling will almost certainly remain in the realm of the sophisticated technical person. And the clouds will continue to precipitate data the owners wanted to remain undistributed to many places it wasn't expected to go.
I've fallen off your lawn, and I can't get up.
User IDs ARE NOT a security device at all. If that was true every corporation would give people obfuscated email addresses instead of basing them on their name.
Good-bye
> If you cannot even trust the platform, then how does your logic work?
The logic works fine. Platforms can work fine too. Society, however, doesn't. So that part is up to you.
> Can't trust cell phone cameras. By definition it's a camera attached to a communications device. It's designed to share that photo.
Exactly right. Buy a DSLR if you require discretion in photography. Ensure it does not have network connectivity (some do... Canon 6D, for instance.) If you take an image with a cellphone camera, be aware before you ever shoot it that you can have no reasonable expectation of privacy whatsoever. It goes further than that, too. When using a smartphone, again be aware you have no reasonable expectation of privacy whatsoever with regard to texts, voice conversations, video conversations, email, your location, billing, logging and so on for every service the phone provides you (or others) with.
> Can't trust storing it on a PC as PCs are connected to the Internet in the overwhelming majority of instances.
No. If you want to store something that requires discretion, then you require a non-network connected PC. There's no inherent need to connect a PC to a network. Just because you can, doesn't mean you have to. Nor is there a need to construct a PC with bluetooth, wifi and so on. Nor is there a need to leave a PC in a generally accessible location and/or condition. These are all user choices. Make them wrongly, and your security is compromised. But they are not inevitabilities. There's a lesson here: just because others do something in some particular manner does not mean that you have to do so.
> Then there's the whole point of a picture, looking at it. Typically that means more than just the picture-taker looking at it
Again, no. This is also user choice. You are responsible for the consequences of your choices, and for knowing the things you need to know to make those choices well. The key here is to be informed enough to make the most correct choices. "It's typical" is not a metric that binds anyone in any way. If you embrace such a thing, you either choose to do so or you are so ignorant that you know no better, in which case anyone who trusts you with data that requires discretion is making a serious mistake.
The images I have taken or otherwise created that I have *decided* you may see are here. The ones I have *decided* you may not have access to, you will never, ever see, barring use of military levels of force. These conditions were quite literally trivial to instantiate and maintain. Think, choose, easy implementation, all done.
> For all we know, none of these women's accounts were compromised. Their boyfriends', husbands', ex-boyfriends', ex-husbands', girlfriends', ex-girlfriends' accounts could have been, or those people could have shared the photos with others, and their accounts were compromised.
The issue isn't account centric. It is behavior centric. You must identify data that needs protection; you must identify the trustworthy in regard to both persons and systems; you must control distribution; you must employ discretion and ensure that your knowledge is up to the task of seeing all these things through. If you cannot do these things, you are (at the very least) a potential victim of your own limitations. And you should probably fix that. :)
I've fallen off your lawn, and I can't get up.
When are 4chan users human?
Crumb's Corollary: Never bring a knife to a bun fight.
Fact of the matter is, tech-types who should know better still struggle with digital security and lose; laymen don't really have a chance.
The only winning move is not to play.
I'm just surprised this didn't happen sooner. Perhaps the amount of hip/trendy celebs using iphones/mac/icloud just reached critical mass and this is the resulting explosion.
To get philosophical about it, this is another example of the cool people getting owned by the geeks. Revenge of the nerds, right? Too soon?
Flappinbooger isn't my real name
Did the brute-force attack sidestep Apple ID two-step verification? I'm guessing no, and that none of the celebs who were hacked had bothered to enable the two-step login shuffle. You might think a celebrity could afford to hire someone to beef up their online security and advise them in such matters. Why don't they?
"Mit der Dummheit kaempfen Goetter selbst vergebens." - Schiller
It could have just as easily been a packet sniffing engine on a local ISP, cellular network, data center etc. Maybe in front of Amazon? Were these all transferred through snapchat, dropbox or some other file sharing service that leverages AWS or some other cloud provider? Were any taken from those services by admins?
My point is, many of these images were *taken* with non-apple devices and *deleted* before photo stream was a thing. At this point it is likely someone got access to a darknet cache of images -- the sources are unlikely from one location, but from many many sources over many years.
TL;DR:
1. Enable 2FA
2. If you upload something to the internet, assume someday someone will be able to see it and do whatever they want with it. Are you okay with that?
Looking at the EXIF data attached to the photographs, where it's available, and the structure of the filenames I can see that only some of them came from iPhones/iCloud. I can also see photographs from Android phones (Nexus 7 and Samsung Galaxy 5s) likely acquired via Google Drive, other photographs clearly taken from Dropbox accounts (the dumps include default dropbox files), and many clearly taken from Twitter and Facebook private messages (filenames are a dead giveaway).
Some of the filenames look like those you would get from a recovery or backup programme rather than an auto generated one, which chimes with what victims have said on Twitter regarding deleting the images months or even years ago.
In any case there are clearly multiple sources and as usual Apple Derangement Syndrome is in full swing.
Likely as not this was related to the Heartbleed bug. Large amounts of passwords were acquired around that time, and were probably being used on multiple services. It's equally possible that this wasn't a breach at Apple et al but a breach of Amazon Web Services or Microsoft's Azure as those services are used to back up data from iCloud, Google Drive, and many others.
What's worse for some of the celebs is that the pictures contain GPS data that could compromise their homes.
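The comment above points out that photos can carry GPS data in their EXIF metadata. As an added example (not part of the thread), this Python sketch checks a JPEG for an Exif GPS pointer and removes the Exif segment before a file is shared; the sample bytes are constructed, and the parser assumes ordinary length-prefixed header segments.

```python
import struct
EXIF_MAGIC = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points to the GPS sub-directory

def segments(jpeg):
    """Yield (marker, payload, raw) per header segment; the scan onward is one raw tail."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"lost marker sync at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: compressed data follows, copy verbatim
            yield marker, b"", jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, jpeg[pos + 4:pos + 2 + length], jpeg[pos:pos + 2 + length]
        pos += 2 + length

def exif_has_gps(payload):
    """True if IFD0 of the Exif TIFF block holds a GPS IFD pointer."""
    tiff = payload[len(EXIF_MAGIC):]
    order = {b"II": "little", b"MM": "big"}.get(tiff[:2])
    if order is None:
        return False
    ifd0 = int.from_bytes(tiff[4:8], order)             # offset of the first IFD
    count = int.from_bytes(tiff[ifd0:ifd0 + 2], order)  # number of 12-byte entries
    return any(int.from_bytes(tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i], order) == GPS_IFD_TAG
               for i in range(count))

def is_exif(marker, payload):
    return marker == 0xE1 and payload.startswith(EXIF_MAGIC)
def has_gps(jpeg):
    return any(is_exif(m, p) and exif_has_gps(p) for m, p, _ in segments(jpeg))

def strip_exif(jpeg):
    """Return the JPEG without its Exif APP1 segments; all other bytes are kept."""
    return b"\xff\xd8" + b"".join(raw for m, p, raw in segments(jpeg) if not is_exif(m, p))

def sample_jpeg():
    """Constructed, non-viewable JPEG skeleton: JFIF + Exif (GPS pointer) + stub scan."""
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)  # one entry, no next IFD
    exif = EXIF_MAGIC + b"II" + struct.pack("<HI", 42, 8) + ifd0 + struct.pack("<HI", 0, 0)
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02\x00\xff\xd9"
```

XMP packets, which also travel in APP1 segments, can hold location fields and are left in place by this sketch.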
...how some speculation posted on the internet has to be true. So far there is zero evidence it has anything to do with iCloud or even Apple, just speculation. The brute password hack was real but there is no evidentiary connection so far. Unless 100% of the celebrities were using iPhones and iCloud to store their photos it's just as likely there was some other kind of hack such as some place they all were at (people pointed to the Emmys as one possibility). But the internet is all about pumping up the noise. It might be iCloud, or it might not be, we don't have any proof yet. It could be someone at the NSA had too much booze one day.
If you don't want something to leak on the Internet in the 21st century, DON'T DO IT!
Perhaps the NSA could have learned that lesson with Edward Snowden...
These really are just nude pictures, some with sex. But are we all shocked that our celebrities look hot when they're naked?
Far worse would have been for photos to leak showing criminal activity, such as torturing dogs, doing drugs, or acting like complete assholes by beating up and torturing people.
Hey, my friend just sent me a message to tell you that you suck at this job.
Get free satoshi (Bitcoin) and Dogecoins
So we can look forward to Judi Dench doing some excessive nudity now that she's firmly established?