Slashdot Mirror


Apple Denies Systems Breach In Photo Leak

Hamsterdan notes that Apple has posted an update to its investigation into the recent celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.

"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.

311 comments

  1. Seemed pretty obvious this was the case by John3 · · Score: 5, Insightful

    Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    1. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 3, Insightful

      I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

    2. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 4, Funny

      protect your password manager with a strong password from another password manager to protect!

    3. Re:Seemed pretty obvious this was the case by Sique · · Score: 5, Funny

      It's Password Managers all the way down!

      --
      .sig: Sique *sigh*
    4. Re:Seemed pretty obvious this was the case by John3 · · Score: 4, Insightful

      Use one very strong password for the password manager. That allows you to have hundreds of different passwords so each site you visit uses a different password and you don't need to remember them. If you use a strong enough password then you'll be fine.

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    5. Re:Seemed pretty obvious this was the case by Macrat · · Score: 5, Insightful

      Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

      What good is a password manager when the answers to your security questions are public knowledge?

    6. Re:Seemed pretty obvious this was the case by heypete · · Score: 5, Insightful

      Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

      What good is a password manager when the answers to your security questions are public knowledge?

      Who says you need to tell the truth on those questions?

      Q: "What is your mother's maiden name?"
      A: "Purple monkey dishwasher."

      Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.

    7. Re:Seemed pretty obvious this was the case by Megol · · Score: 2

      Don't use them - input random crap instead of correct information.

    8. Re:Seemed pretty obvious this was the case by ericloewe · · Score: 1

      Don't be so short-sighted. Use the password managers to store passwords that are employed instead of answers to secret questions.

    9. Re:Seemed pretty obvious this was the case by fuzzyfuzzyfungus · · Score: 2

      I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

      Password 'managers' make me nervous (unless based on proper crypto/key storage ICs with actual vetting by people who actually care, which is rare indeed, if it exists at all, since the people who care that much don't use passwords, just proper cryptographic authentication); but they do have the advantage of allowing those of us without eidetic memories to use passwords that might actually be strong enough to resist casual attack, and force the casual attacker to use the ultra-weak password reset process instead...

    10. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 1

      Yes, people who care have subverted the need to use passwords. I bet they don't even use the public internet!

    11. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 1

      I've done this before. In my password manager:

      "All secret question answers are FART"

    12. Re:Seemed pretty obvious this was the case by neoritter · · Score: 1

      The point of security questions is to have things that you can remember without having to write them down. If you input random crap like you and others are suggesting, you're just extending the stupidity to a different level OR being needlessly redundant, because then you have to write down what that stupid crap was. Which might as well be the same thing as writing down your password.

    13. Re:Seemed pretty obvious this was the case by AmiMoJo · · Score: 1

      You don't answer those things honestly do you?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:Seemed pretty obvious this was the case by gmhowell · · Score: 1

      Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

      What good is a password manager when the answers to your security questions are public knowledge?

      Who says you need to tell the truth on those questions?

      Q: "What is your mother's maiden name?"
      A: "Purple monkey dishwasher."

      Damnit, time to change the security question on the password manager for my luggage.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    15. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 5, Insightful

      I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

      And yet, in reality, regardless of your personal security measures, you already have this today

      It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.

      All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.

    16. Re:Seemed pretty obvious this was the case by CanHasDIY · · Score: 2

      OK - A password manager is a great way to keep track of all the nonsense answers you put in for security questions.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    17. Re:Seemed pretty obvious this was the case by Dishevel · · Score: 1

      If it is a trusted implementation, and you are using a very strong password (20 Characters, Upper case, Lower Case, numbers and symbols.), then you use unique generated passwords for each site you are really quite safe.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    18. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 2, Insightful

      I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

      If you don't want to put all your passwords in your password manager, you don't have to do so. However if you put all your second tier passwords in it (the ones that you use to maintain privacy rather than fiscal security), then you can make them much more complex without requiring ridiculous complexity to memorize. You can also save arbitrary answers to security questions (if the answer to your dog's name is saved as sFjksL23549&@*^*% rather than Fido, it's not possible to get from investigating personal history).

      I'm unconvinced that an attack based on manipulating the secret questions is not Apple's fault. As others have pointed out, this is useless for celebrities whose lives are relatively public. Birthplace, pet names, mother's maiden name, etc. are the kind of things that are relatively easily collected from fluff interviews. For non-celebrities, such information may only require a personal meeting.

      A brute force attack is even worse. Unless everyone's using aardvark as their password, you would think that Apple would notice before the account is actually compromised.

      People should not have to have degrees in information security to maintain privacy on their accounts. Apple should be pushing people to follow good security practices rather than blaming their customers when security fails. Can Apple even point to an account that the attackers tried to access but failed?

    19. Re:Seemed pretty obvious this was the case by hairyfeet · · Score: 4, Insightful

      WTF good is that gonna do when the "find my iPhone" feature allowed for unlimited password tries with NO TIME LIMIT as has been reported on several sites? You can have the best password ever created and if I can just brute force the site all day long without penalty then you be fucked friend, after all you can throw together an AMD octocore box for a couple hundred bucks that can crank out attempts in the millions if not tens of millions if you have a big enough pipe!

      Let's face it, somebody at Apple done fucked up REAL bad and instead of admitting it they are doing a "you're holding it wrong" level of BS spinjob trying to cover it up.

      --
      ACs don't waste your time replying, your posts are never seen by me.
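To make the point in the comment above concrete, here is an added example (not code from the post, and nothing to do with Apple's actual implementation) that simulates the same wordlist attack against two versions of a password endpoint: one with no retry limit, and one with a per-account failure budget followed by exponential backoff. Everything is constructed: the account, the 300-word candidate list, and the clock, which is an integer the caller passes in so the simulation is deterministic.

```python
"""Added example: unthrottled vs. throttled password endpoint under a wordlist attack.
Constructed simulation; the clock is an injected integer (seconds)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

# Demo-only iteration count so the simulated attack finishes quickly; a real
# deployment uses a far higher cost (or Argon2/scrypt).
PBKDF2_ITERATIONS = 1_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: int = 0          # simulated clock value (seconds)


@dataclass
class Authenticator:
    """max_failures=None models an endpoint that never throttles."""
    max_failures: Optional[int] = 5
    base_lock_seconds: int = 60     # doubles with every failure past the budget
    accounts: Dict[str, Account] = field(default_factory=dict)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str, now: int) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "bad_password"            # do not reveal whether the user exists
        if now < acct.locked_until:
            return "locked"                  # rejected before any hash work is done
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            past_budget = acct.failures - self.max_failures
            acct.locked_until = now + self.base_lock_seconds * (2 ** past_budget)
        return "bad_password"


def brute_force(auth: Authenticator, user: str, candidates: Iterable[str],
                start: int = 0) -> Tuple[Optional[str], int, int]:
    """Patient attacker: when told 'locked' it waits (advances the simulated
    clock) until the lock expires and resubmits the same guess.
    Returns (password_or_None, requests_sent, simulated_seconds_elapsed)."""
    now, sent = start, 0
    for guess in candidates:
        while True:
            sent += 1
            result = auth.login(user, guess, now)
            if result == "ok":
                return guess, sent, now - start
            if result == "locked":
                now = auth.accounts[user].locked_until
                continue
            break                            # plain 'bad_password': next guess
    return None, sent, now - start


def run_demo(throttled: bool) -> Tuple[Optional[str], int, int]:
    """Constructed scenario: the target password is the 250th of 300 candidates."""
    auth = Authenticator(max_failures=5 if throttled else None)
    auth.register("victim", "Password250")
    wordlist = [f"Password{i}" for i in range(1, 301)]
    return brute_force(auth, "victim", wordlist)


if __name__ == "__main__":
    for throttled in (False, True):
        pw, sent, secs = run_demo(throttled)
        years = secs / (365 * 86400)
        print(f"throttled={throttled}: found={pw!r} requests={sent} simulated_years={years:.3g}")
```

With no limit the attacker recovers the password in 250 requests and zero elapsed time; with a budget of five guesses and doubling lockouts the same wordlist costs 60 * (2^245 - 1) simulated seconds, i.e. it never finishes. Two caveats a deployer needs: a per-account lockout alone lets an attacker lock the victim out of their own account, and it does nothing against one guess sprayed across many accounts, so it has to be paired with per-source rate limits and notification. The other lesson of the comment is that the limit has to cover every endpoint that verifies the password, not just the main login page.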
    20. Re:Seemed pretty obvious this was the case by St.Creed · · Score: 2

      In keeping with the theme of today's Q&A: Security questions are for people who don't use password managers. People who use password managers don't need them and can thus put random crap in them.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    21. Re:Seemed pretty obvious this was the case by ShanghaiBill · · Score: 1

      What good is a password manager when the answers to your security questions are public knowledge?

      Many sites, including all the financial institutions that I deal with, use the security questions as an additional layer of authentication, rather than as a mechanism to bypass passwords. If I login from a device that they do not recognize, they will ask the security questions. If I answer them correctly, then I still have to enter the correct password.

    22. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 2, Insightful

      But also be sure you properly vet your password manager, as they're a very delicious target for a trojan, so unless you wrote the manager yourself or it comes from a source you trust (I'd recommend the creator of your OS, as if they have malicious intent you're already fucked) you're asking for trouble using a third party program to store all your passwords.

      Whatever you do, don't download an open source password manager from the Internet.

    23. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 1

      "Use passwords so strong only a password manager could practically remember them" is advice implied by a brute force attack.
      "change them often" is not implied by this attack because the passwords were not leaked or intercepted.

        https://www.schneier.com/blog/archives/2010/11/changing_passwo.html

      User-blaming advice like "change your passwords often" is holding back technical people from doing a proper job solving the authentication disaster we've created. We can do better.

      Using a 2nd factor token is the best way to fix this. Some 2nd factor tokens have the property that the binding between user record in the database and the token remains secure even if the attacker gets the SSL keys of the server side so that after, for example, Heartbleed, there would be no technical reason for the user to take any action. IMHO the hysteria about changing passwords after that was misguided, but we should look for the right kind of 2nd factor system to make the advice actually wrong and remove that burden from the user. I think the TOTP method that Google Authenticator uses is based on a shared secret and does _not_ have this property.

      I guess sending SMS to a phone number does have this property, but I don't think anyone should use that as a 2nd factor because (a) it allows the site doing the authentication to collect evercookies and collapse pseudonymous accounts onto bags of meat by forcing you to pay for a SIM per account, (b) I think just logging in with the recovery email is better security than this. SMS networks are based on ancient protocols, approaching-n^2 neglected X.25 federation channels, run by people who have overcooperated with governments throughout their entire existence, and include a lot of security by obscurity and customer-service social-engineering recovery channels. We could build a federated login system based on a browser extension and rigorously machine-parsable recovery emails, use a GMail account protected by 2nd factor as the recovery email address, and that would be better than SMS 2nd factor implemented by a long tail of crappy sites. This is not an actual suggestion but a reductio ad absurdum. It annoys me that SMS is the method most sites choose. We should actually build something that doesn't suck instead.

      "Use one very strong password for the password manager"? I don't think so. I think it's better if the password manager is not Internet-accessible, so access is based on holding a token, like a phone or a laptop, and most of the security comes from that. The password is only for cases of theft or imaging at border crossings, so the password manager may stay unlocked for hours on one feeding of the password if not manually locked. It should be protected by a memorable and therefore weak password, but with two properties: attempts against this password should be throttled to prevent brute forcing, and if you change the password then old passwords shouldn't work against old disk images of the phone or laptop. The disk encryption implemented by ChromeOS has those two properties, which it gets by using a TPM chip. On some platforms, the Pond asynchronous communications platform uses the TPM to get the second of those two properties, secure erasure, so that proves it's possible to use the TPM on notChromeOS to get fancy password properties. It doesn't work everywhere, but I think a good password manager would try to use this, and then say, "It's up to you whether you want to use a weak or a strong password, but because we have done this, weak passwords are much less bad with our password manager than other password managers." You need to consider the entire stack. If you use strong passwords and change them often, they're either going to be forgotten or end up written on scraps of paper, or probably a mixture of both at once. Forgetting your password and losing access to a bunch of accounts or data permanently is a failure of the authentication system, and if you allow yourself to blame that on the user you will not finish your work as an engineer. If you follow out the entire exception path, once you have the two properties a weak password with fewer recovery channels may be objectively more secure.

    24. Re:Seemed pretty obvious this was the case by wiredog · · Score: 2
    25. Re: Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      To sign up for an Apple ID, you need to use a password that has a min. length, upper and lower case and a number. Saying the passwords were weak is a lame excuse from Apple.

    26. Re:Seemed pretty obvious this was the case by freeze128 · · Score: 1

      Hey! That's *MY* mother's maiden name too! We must be brothers!

    27. Re:Seemed pretty obvious this was the case by neoritter · · Score: 1

      Using a password manager is pretty much the same thing as writing down your password. And personally, I think it's less secure than writing the password down on paper and storing it securely.

    28. Re:Seemed pretty obvious this was the case by DarkOx · · Score: 1

      Yes they are a good idea because you have to consider the threat model. If you were say a political target, or perhaps a famous actress you might have people gunning for your directly in which case you might be right it might not be the best idea to have all the goods in one place.

      For most of us though the risk is $WEBSITE we used gets hacked and password hashes (you hope they are at least hashed) leak. If you don't have an obscenely long password, 15 chars+, that is also not a dictionary word, name of someone or something popular, etc., someone with a couple of video cards will very shortly have the clear text brute forced. They will then go about using your set of credentials and all the others they brute forced on every other major website out there (use a big bank?) to see if they work.

      So for most people YES password managers are GOOD because they encourage passwords to be unique, long, and to have good entropy when used on public sites that are targets.

      Now a bunch of folks are going to argue that the corpus of password manager software out there frequently suffers from terrible implementation, uses unsound cryptographic methods, etc. They are right! If you use one of those that replicates between devices STOP NOW. Use one on your phone or something that you take everywhere. Make SURE IT IS NOT PART OF ANY CLOUD BACKUP/SYNC etc. Make your backups to an SD card or to your PC on your own wireless or via cable.

      For attackers to get hold of the data to try and break into it they will now probably have to pop your box, get some malware running etc, at which point they don't need to download the cipher text and try and crack it, they will just wait for you to unlock it and get what they need from the keylogger or screen shots, clipboard etc directly. So while it would be better if you used a sound tool, as long as its not itself malware and phoning your passwords home or something its probably fine. Hell even a password protected excel sheet is probably good enough (but not advised).

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    29. Re:Seemed pretty obvious this was the case by Rich0 · · Score: 1

      Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

      Sure, but mobile apps make this sort of thing a pain.

      I have apps that want you to enter your password frequently. That encourages trivial passwords unless you have some way to have a password vault app to fill them in for you, and that doesn't always work.

      Then you have stuff like Android only supporting full-device encryption if your encryption key is the same as your screen lock PIN. Screen-lock PINs normally only have to defeat online attacks, and they can throttle attempts, lock out, etc to defeat brute force attacks. The whole point of disk encryption is to defeat offline attacks, so you need to use strong keys to make it work. You can potentially make them readable if you use multiple rounds to make cracking harder, but you can't make it a 4-digit number unless you design it such that the correct key takes a day and drains your battery to unlock the thing on the first attempt.

      In the mobile world we really need to get away from hand-entered passwords. They're an acceptable one-time kludge during app setup, but after then you really need to move to some kind of token stored in a vault, and then use sandboxing at the OS level to keep the app safe from tampering.
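The point about PIN-derived disk keys in the comment above is easy to demonstrate. What follows is an added example (not from the post, and a simplified stand-in rather than Android's real key-derivation or footer format): a key is stretched from a PIN with PBKDF2 and a key-check value is written next to the salt, exactly the information an attacker holding a disk image has. Because the attack is offline, no lockout or throttle applies, and a 4-digit PIN space is exhausted in a few thousand KDF calls regardless of the per-call cost.

```python
"""Added example: offline attack on a PIN-derived disk-encryption key.
Simplified stand-in for the real footer layout and KDF; constructed data only."""
import hashlib
import os
import time
from typing import Tuple

# Demo-only cost so the run takes well under a second; real key stretching is
# orders of magnitude more work per guess, which scales the times below but
# not the number of guesses.
ITERATIONS = 100


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def key_check(key: bytes) -> bytes:
    """Value stored on disk so the device can tell a correct unlock from a wrong one."""
    return hashlib.sha256(b"keycheck:" + key).digest()


def make_footer(pin: str) -> Tuple[bytes, bytes]:
    """Stand-in for the on-disk metadata: (salt, key-check value)."""
    salt = os.urandom(16)
    return salt, key_check(derive_key(pin, salt))


def try_secret(secret: str, salt: bytes, check: bytes) -> bool:
    return key_check(derive_key(secret, salt)) == check


def crack_pin(salt: bytes, check: bytes, length: int = 4) -> Tuple[str, int]:
    """Exhaust every PIN of the given length against a copy of the footer.
    Returns (pin, guesses_needed). Nothing here can throttle the attacker."""
    for n in range(10 ** length):
        guess = str(n).zfill(length)
        if try_secret(guess, salt, check):
            return guess, n + 1
    raise ValueError("PIN not in keyspace")


def seconds_to_exhaust(keyspace: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every secret at a given per-guess KDF cost."""
    return keyspace * seconds_per_guess


if __name__ == "__main__":
    salt, check = make_footer("7421")          # constructed victim PIN
    t0 = time.perf_counter()
    pin, guesses = crack_pin(salt, check)
    per_guess = (time.perf_counter() - t0) / guesses
    print(f"recovered PIN {pin} after {guesses} guesses, {per_guess * 1e3:.3f} ms each")
    for label, space in [("4-digit PIN", 10 ** 4), ("6-digit PIN", 10 ** 6),
                         ("10 random alphanumerics", 62 ** 10)]:
        secs = seconds_to_exhaust(space, per_guess)
        print(f"{label}: {secs:.3g} s to exhaust at this KDF cost")
```

Raising `ITERATIONS` multiplies every line of the output by the same factor, which is the comment's point: stretching buys a constant, and 10,000 candidates times any constant an unlock can tolerate is still minutes, whereas the same constant on a keyspace of 62^10 is centuries. The only ways out are a larger secret (a real passphrase for the disk key) or binding the derivation to a hardware element that the attacker cannot copy along with the image.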

    30. Re:Seemed pretty obvious this was the case by DMUTPeregrine · · Score: 2

      My Mother's maiden name is 52Vg8alTkWjJ92AXLq8c. I was born in the town of iyUJuoE5go9pWhylGHJT, where I got my first pet, 9DurEntFD7WU9lpZJCKI.

      If you ever tell the truth with a security question, you've done it wrong. If you ever use the same answer to a security question twice, you've done it wrong. If your answers have less entropy than your passwords, you've done it wrong.

      --
      Not a sentence!
    31. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      Nothing wrong with a manager. I use one; well, it's not online, it's isolated on a clean Pi + 3.5" LCD with heavy restrictions, and encrypted. There is no incoming access; it's one way: I scroll down and shoot the password to myself with a custom app. There is no company to be hacked, and even if the device was stolen it would be worthless, encrypted.

      It's too bad it's not social engineering proof. I'm not hack proof, nobody is, but I'm going to make it hard as I possibly can.

      Strong encryption.
      Data storage like passwords on a clean non-internet device.
      One completely random email per account recovery.
      All data uploaded to online storage is automatically encrypted first with services like Cloud Fogger or Boxcryptor.
      Banking requires mandatory in person password resets.
      All multifactor authentication is done with a clean non networked cellphone through text only.
      Multifactor authentication is used on everything that offers it and if they don't I complain until they do.

      Most importantly I use the Duct Tape 5000 Cam Protector with the Rick Roll Microphone Protector upgrade. I was going to use the Meatspin Cam Protector but I couldn't afford the upgrade. :(

    32. Re:Seemed pretty obvious this was the case by DMUTPeregrine · · Score: 1

      I put "random crap" generated by my password manager, and store it in the password manager. Security questions are just secondary passwords to the same account. They need to have the same amount of entropy as the real password to be of any use whatsoever.

      --
      Not a sentence!
    33. Re:Seemed pretty obvious this was the case by DarkOx · · Score: 4, Insightful

      You need to take a step back and consider the actual threat. If you are going to post the ciphered content of your password database on the front page of Slashdot yes the cryptography better be done right.

      If you're going to keep it on your desktop or on your phone and NOT send it over the network, then I would say the value it affords you in being able to use longer passwords, with greater randomness, and unique passwords for every account is a win. The only way anyone is going to get hold of it is if they pwn your computing device. If they do that then they don't need to break the crypto; they will just wait with the keylogger running for you to unlock it and collect the secret.

      At that point though you rather than $PUBLIC_WEBSITE have become the attackers target. Once we are talking about a targeted persistent attack, there is little any of us will do personally to be safe if our attackers are any better equipped/capable than script kiddies.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    34. Re:Seemed pretty obvious this was the case by John3 · · Score: 1

      Yup, I agree. I have Lastpass for my iPhone but some of my banking apps won't let me paste a copied password into their app. Try typing "$eR#g,Q2!yu?" into a banking app using the touch screen.....argh! I could drive to the bank by then to make my deposit. :)

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    35. Re:Seemed pretty obvious this was the case by m_vand · · Score: 1

      Yo, dawg. I heard you like password managers

    36. Re:Seemed pretty obvious this was the case by John3 · · Score: 1

      A strong password CAN be easily remembered. How about remembering 10 and 11?
      "Ten!!!!!!!!!!!"
      That's 10 and eleven "!" characters.
      https://howsecureismypassword....

      Length is really the primary consideration and once you get to 10+ characters the repetition isn't necessarily an issue.

      But to your point about the cloud, I agree. I truly despise how all the vendors (Google, Apple, Microsoft among others) are driving data to cloud storage. It's so difficult just to save a file to the local device...every other prompt is trying to get you to save to their server farm.

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    37. Re: Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      Considering some of the celebrities used Android and Berry, it would seem to be a socialized attack rather than an exposure.

    38. Re:Seemed pretty obvious this was the case by Just+Some+Guy · · Score: 1

      Using a password manager is pretty much the same thing as writing down your password. And personally, I think it's less secure than writing the password down on paper and storing it securely.

      Thank you for warning us of your opinion in advance. That saves time later when trying to decide whether to have an intelligent conversation with you on the subject.

      --
      Dewey, what part of this looks like authorities should be involved?
    39. Re:Seemed pretty obvious this was the case by wiredlogic · · Score: 1

      protect your password manager with a strong password from another password manager to protect!

      That's the way Xzibit rolls. You don't see any of his nudies out there do you?

      --
      I am becoming gerund, destroyer of verbs.
    40. Re:Seemed pretty obvious this was the case by wiredlogic · · Score: 1

      Having hundreds of different (auto-generated) passwords means you're screwed if you don't have access to the manager or the database is lost. Backing it up to "the cloud" means you're only a key logger away from being completely compromised. Passwords that stay in your head can't be stolen.

      --
      I am becoming gerund, destroyer of verbs.
    41. Re:Seemed pretty obvious this was the case by neoritter · · Score: 1

      Let me warn you of my opinion in advance. This saves time later when trying to decide whether you should have an intelligent conversation with me on the subject.

      There fixed that for you

    42. Re: Seemed pretty obvious this was the case by wiredlogic · · Score: 1

      Look at the top 500 RockYou password list that pass the Apple filter:

      #1 Password1
      #2 Princess1

      Most of the passwords on the list are Capitalized dictionary word + digit. It's trivial to brute force or prepare a rainbow table that targets that scheme.

      --
      I am becoming gerund, destroyer of verbs.
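Two comments above make the same attack concrete from different ends: DarkOx's point that a leaked hash database is cracked with a couple of GPUs and then replayed against other sites, and wiredlogic's point that "Capitalised word + digit" is the dominant shape among passwords that pass a complexity filter. The following is an added example (not from either post, and not a real breach): a constructed leak of SHA-1 password hashes for four accounts, attacked with a single rule applied to a tiny constructed wordlist. It also shows what a per-user salt changes: with unsalted hashes one candidate hash is checked against every account at once, while with salts the attacker pays once per account per candidate.

```python
"""Added example: rule-based attack ('Capitalised word + digit [+ !]') on a
constructed leak of SHA-1 password hashes, unsalted vs. salted.
Wordlist, accounts and passwords are all constructed for this demo."""
import hashlib
import os
from typing import Dict, Iterable, Iterator, Tuple

# Constructed stand-in for the head of a leaked-password frequency list.
WORDLIST = ["password", "princess", "monkey", "dragon",
            "sunshine", "football", "iloveyou", "letmein"]

# Constructed victim accounts. The last one uses a generated 16-character password.
PLAINTEXTS = {
    "alice": "Password1",
    "bob": "Princess1",
    "carol": "Dragon7!",
    "dave": "xK9#vQ2mLp8$wR4n",
}


def rule_candidates(words: Iterable[str]) -> Iterator[str]:
    """Capitalised word + one digit, optionally followed by '!'. Every candidate
    satisfies an 'upper, lower, digit, 8+ characters' policy."""
    for w in words:
        base = w.capitalize()
        for d in range(10):
            yield f"{base}{d}"
            yield f"{base}{d}!"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def make_unsalted_leak() -> Dict[str, str]:
    """user -> SHA1(password): the way careless sites stored them."""
    return {u: sha1_hex(p.encode()) for u, p in PLAINTEXTS.items()}


def make_salted_leak() -> Dict[str, Tuple[bytes, str]]:
    """user -> (salt, SHA1(salt || password)). Still a fast hash, but per-user salt."""
    out = {}
    for u, p in PLAINTEXTS.items():
        salt = os.urandom(8)
        out[u] = (salt, sha1_hex(salt + p.encode()))
    return out


def crack_unsalted(leak: Dict[str, str], candidates: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """One hash per candidate is compared against every account via a lookup table.
    Returns (cracked user->password, hashes computed)."""
    by_hash: Dict[str, list] = {}
    for u, h in leak.items():
        by_hash.setdefault(h, []).append(u)
    cracked, hashes_computed = {}, 0
    for cand in candidates:
        hashes_computed += 1
        for u in by_hash.get(sha1_hex(cand.encode()), []):
            cracked[u] = cand
    return cracked, hashes_computed


def crack_salted(leak: Dict[str, Tuple[bytes, str]], candidates: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Salt forces the attacker to hash each candidate separately for every account."""
    cands = list(candidates)
    cracked, hashes_computed = {}, 0
    for u, (salt, h) in leak.items():
        for cand in cands:
            hashes_computed += 1
            if sha1_hex(salt + cand.encode()) == h:
                cracked[u] = cand
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    cracked, n = crack_unsalted(make_unsalted_leak(), rule_candidates(WORDLIST))
    print(f"unsalted: {n} hashes computed, cracked {cracked}")
    cracked_s, n_s = crack_salted(make_salted_leak(), rule_candidates(WORDLIST))
    print(f"salted:   {n_s} hashes computed, cracked {cracked_s}")
    print(f"rule space: {len(WORDLIST) * 20} candidates vs 62**9 = {62 ** 9} for a naive 9-char search")
```

Three of the four accounts fall to 160 candidates, a search space smaller than the policy's "upper, lower, digit" requirement suggests by about fourteen orders of magnitude; the generated 16-character password is untouched. The salt only multiplies the work by the number of accounts, which is why it is paired with a deliberately slow hash in practice. The recovered `user:password` pairs are what gets replayed against other sites, so the defence on the user's side is the one DarkOx gives: unique passwords per site, which turns a leak into a single-site problem.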
    43. Re:Seemed pretty obvious this was the case by Yaztromo · · Score: 4, Informative

      A strong password CAN be easily remembered. How about remembering 10 and 11?

      "Ten!!!!!!!!!!!"

      That's 10 and eleven "!" characters.

      There are a number of ways to calculate password effectiveness. If you assume zero knowledge of the password characteristics, then the 290 million years the website you linked to calculated may be accurate.

      Hackers, however, have typically found that certain patterns are used by humans more frequently than others, and instead of brute-forcing the password from the beginning (following UTF-8 order " ", " ", " !"... etc.), you can instead skip a significant part of the overall password space by only testing these common patterns.

      I prefer this tool, which evaluates password entropy. The figures it comes up with do tend to presume that something about the structure of the password is known (i.e: in your example that it is a word followed by a repeating symbol), but IMO this is a good figure to base your password decisions off as it represents a worst-case scenario, and not the best-case scenario the tool you linked presumes.

      Using that tooling instead, your password's strength and estimated crack time is as follows:

      • password: Ten!!!!!!!!!!!
      • entropy: 18.669
      • crack time (seconds): 20.836
      • crack time (display): instant
      • score from 0 to 4: 0
      • calculation time (ms): 3

      FWIW, (and purely for the sake of comparison) one of the passwords I use online has, according to this tool, an entropy of 61.819 and a crack time of 203355820622500.06s (about 6.4 million years). And yes, it's something I both change often and have memorized.

      Yaz

    44. Re:Seemed pretty obvious this was the case by vux984 · · Score: 3, Interesting

      Use one very strong password for the password manager.

      Actually, I recommend using multiple safes/vaults/etc with different passwords; make the passwords appropriate to the contents of the safe; and treat the safes appropriate relative to their contents.

      My safe with my passwords for throwaway email accounts and forum accounts, club memberships, etc. is fairly simple. (It still counts as strong by all usual metrics, but it's easy for me to remember and type in, which is good because I have to type it several times a day on average, sometimes via a smartphone keyboard.) It's synced via cloud to my smart phone, laptop, work computer, etc.

      My safe with passwords for my life savings, domain registrar, email account and other assets which would be quite devastating to lose is MUCH longer and stronger, and it isn't synchronized with my devices. (Actually I have 4 - 5 safes with different groups of passwords in them.)

      If you use a strong enough password then you'll be fine.

      Unless you get hit with a keylogger. Then you lose everything. Does it really even make sense to have your online pay-parking app passwords and your numbered offshore banking in the same vault? All protected by the same password?

      It's just silly.

      And it's another reason why I've split things up. If the phone gets compromised, my high value passwords aren't even in it. My higher value password safes get opened less frequently and on fewer systems, so a keylogger will have to be in the right system and wait longer to get into them, giving me better odds of dodging the bullet, and more time to detect and remove them.

    45. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      "Q: "What is your mother's maiden name?"
      "A: "Purple monkey dishwasher."

      My long lost brother! We are reunited by Slashdot!

      How IS dear old Mom?

    46. Re:Seemed pretty obvious this was the case by jeremyp · · Score: 1

      The answer to a security question is just another password that's easy to guess.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    47. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      That's amazing, I have the same answer for my mother's maiden name!

    48. Re:Seemed pretty obvious this was the case by John3 · · Score: 1

      I forgot to also mention two-factor authentication. The downside of all this is if the phone is lost/damaged then you may not be able to access your passwords.

      But of course, none of these celebrities have time for this. Technology has enabled them to do things that were competently handled by managers and agents in the past.

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    49. Re:Seemed pretty obvious this was the case by WuphonsReach · · Score: 1

      Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.

      That's what GPG encrypted text files were invented for.

      One text file per account, the contents are a GPG ASCII armored encryption block containing things like the site name, password, account name, answers to security questions, or anything else.

      I then store those text files in a version control system, which makes it easy to share across multiple machines.

      (The weak link in all of this is the GPG key - but there are options to strengthen that like smartcards.)

      --
      Wolde you bothe eate your cake, and have your cake?
    50. Re:Seemed pretty obvious this was the case by Tharkkun · · Score: 1

      Having hundreds of different (auto-generated) passwords means you're screwed if you don't have access to the manager or the database is lost. Backing it up to "the cloud" means you're only a key logger away from being completely compromised. Passwords that stay in your head can't be stolen.

      Your auto-generated passwords can be victims of a keylogger, as it records input as well as keystrokes.

    51. Re:Seemed pretty obvious this was the case by neoritter · · Score: 2

      Not necessarily. Security questions are essentially the same thing as passwords in every respect, except they're giving a clue as to their answer. But there are ways to make security questions secure, some of which are the same for passwords. A) Use sentences to answer the question. They may know your pet is named "Scout" but they probably won't know the answer if it's "My third pet who was a dog was named scout" (assuming you could use that long of an answer). B) Security questions could be determined by the user, instead of from a selection by the system. This enables you to pick questions that can be very hard to glean from social media or other sources. E.g. "What was the last thing my father said to me before he died?" C) Email notifications of password reset attempts. Some sites do this, others don't. If someone goes into the "forgot password" option and sees your security questions, an email is sent notifying you that someone saw your security questions or attempted to reset the password, whether they tried to guess the questions or not. This could give you an opportunity to change the security questions if you feel a compromise is probable.

    52. Re:Seemed pretty obvious this was the case by bruce_the_loon · · Score: 1

      One day Facebook is going to tell you the answer to your mother's maiden name question appears to be incorrect.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    53. Re:Seemed pretty obvious this was the case by BasilBrush · · Score: 1

      "In your head" means that you'll be sharing passwords between multiple services, as you can't possibly remember a unique password for every service. And this in itself is a big threat. Once hackers discover one password from one hacked site they will have access to other sites that use the same credentials.

      The answer to the nightmare situation of losing the password database is a paper copy somewhere safe, like at home. Whilst it's vulnerable to burglars, they are usually more interested in stealing objects than passwords, and depending on where you put the paper are unlikely to find it anyway. It's vulnerable to police searches, but that's not an issue for most people.

      The risks of passwords on paper are less than the risks of reusing passwords on multiple services.

    54. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      Indeed, but many services now require you to have 1 or more security questions. So the only way to handle this is like random passphrases.
      Sadly security questions are meant to be human readable, so they will not be one-way-hashed into a database.

      Security Question is like countries with Democratic in their name.

    55. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      If you are going to post the ciphered content of your password database on the front page of Slashdot, yes, the cryptography had better be done right.

      Well, it seems that a huge number of people here implicitly trust the crypto and upload the password database to leaky online sieves like Dropbox, iCloud, and Google. It's not quite as bad as posting it to Slashdot, but risk management is not a skill that even techy Slashdotters seem to have.

    56. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 1

      Except that feature was not used as a means to break into the iCloud accounts. Also, Apple was one of many providers. Based on analysis of the EXIF data and file names some of the images came from GoogleDrive, DropBox, and private Twitter messages.

      You may want to know what you are talking about before you open your mouth again.

    57. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      Well you're personally wrong.

      A local password safe with a single, strong password is probably better than pieces of paper lying around with cleartext sensitive data.

      Now LastPass, I don't trust safes like that with my phone number, much less my bank info.

    58. Re:Seemed pretty obvious this was the case by byjove · · Score: 2

      Based on analysis of the EXIF data and file names some of the images came from GoogleDrive, DropBox, and private Twitter messages.

      Citation?

    59. Re:Seemed pretty obvious this was the case by dgatwood · · Score: 1

      I'm unconvinced that an attack based on manipulating the secret questions is not Apple's fault. As others have pointed out, this is useless for celebrities whose lives are relatively public. Birthplace, pet names, mother's maiden name, etc. are the kind of things that are relatively easily collected from fluff interviews. For non-celebrities, such information may only require a personal meeting.

      Yes. The mere existence of security questions is a fundamental security hole—doubly so when users are forced to provide answers to those questions. Users have only two choices:

      • Answer truthfully, which catastrophically weakens security on their account, because quite frankly, everybody on my Facebook friends list knows the answers to about half of those questions; anything that I'm guaranteed to remember is also something that anyone I know also knows.
      • Make up answers, which is now a secret piece of information that is no better than a password, and no more likely to be remembered, but still weakens security by virtue of the fact that there are now five or six of those secret answers that magically unlock the account, rather than just one.

      IMO, not only should security questions not be required, they should not even be an option, precisely because most people don't understand enough about security to recognize just how horribly dangerous it is to answer the questions truthfully, leading to unfortunate incidents like these.

      As far as I'm concerned, there are only three safe ways to allow a user to regain access to accounts without knowing the password:

      1. Callback/email-back to a registered phone number or email address.
      2. Presenting proof of death along with proof of executorship.
      3. Presenting multiple forms of ID, either in person or with a combination of fax/email and video chat. Ideally, one of these forms of ID should be a photo ID, and the other should be a credit card (the physical card or a photocopy thereof, not just the number). The company should charge a $1 fee, both to discourage people from forgetting their password repeatedly and to ensure that the credit card was not stolen and used to impersonate the account holder. If the password was changed by someone else, the fee could be refunded after it goes through. Then, the company should provide a temporary password to the user, lock the account, and wait for the charge to go through before unlocking it again.

      And users should have the option of disabling the first one, precisely because some of those external accounts may require security questions, and thus may be easier to compromise, allowing a springboard attack.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    60. Re:Seemed pretty obvious this was the case by mjwx · · Score: 2

      I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

      And yet, in reality, regardless of your personal security measures, you already have this today.

      It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.

      All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.

      I certainly don't have this today.

      I've got 3 different email addresses and 1 phone number, not including my work email, all ordered by security level. The password reset for slashdot doesn't go to the same email address as my domain registrar or accountant. Below this I have another email address I use for signing onto services that I know are going to spam me. The low security accounts are not linked in any way to the high security accounts and my high security account is only accessed from devices I know are safe.

      When throwaway email addresses are easy to get, I don't understand why anyone would have a single email address.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    61. Re:Seemed pretty obvious this was the case by dgatwood · · Score: 1

      A cell phone is not a second factor, or at least not a meaningful one. If somebody hacks your phone to install a keylogger, they'll be able to convince any software running on your phone to do their bidding as well. Either you trust the device or you don't. If you do, you don't need a second factor. If you don't, then all bets are off.

      For a reasonably strong second factor, you need a device that has basically no network connectivity whatsoever, like a CryptoCard token. And even then, you're potentially at the mercy of man-in-the-middle attacks stealing your credential, using it elsewhere, and temporarily providing a bogus credential to the site that's requesting authentication, thus forcing you to generate another new number and concealing the fact that it just hijacked your second factor....

      For a truly strong second factor, you need a device that communicates using a dog-simple protocol, does nothing more than verifying the signature on a signed authentication request, displaying the signer's identity on a screen, waiting for the user to approve the transaction, signing the request with its own private key, and sending it back as the response. And even that isn't without its security risks.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
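
      The three-step token dgatwood describes above, as an added example that is not from this thread: a Go model of the exchange using Ed25519 from the standard library. The site signs a request naming itself and a fresh challenge; the token verifies that signature against a key enrolled earlier, shows the origin, waits for approval, countersigns, and the site accepts each response only once. The message layout, the names and the Approve hook are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuthRequest is the site's message to the token (constructed layout): the Origin shown to the user and a fresh Challenge.
type AuthRequest struct {
	Origin    string
	Challenge []byte
}

// SignedRequest is the request plus the site's signature over its encoding.
type SignedRequest struct {
	Request   AuthRequest
	Signature []byte
}

// AuthResponse carries the token's countersignature over the site's signature.
type AuthResponse struct {
	Challenge []byte
	TokenSig  []byte
}

// encode is the byte string both sides sign; origins never contain a newline.
func encode(r AuthRequest) []byte { return append([]byte(r.Origin+"\n"), r.Challenge...) }

// Token models the offline device: enrolled site keys, its own key, and an Approve hook standing in for screen and button.
type Token struct {
	sites   map[string]ed25519.PublicKey
	priv    ed25519.PrivateKey
	Approve func(origin string) bool
}

// Handle is the whole of the token's logic: verify, display, wait, sign. The site's
// signature already commits to origin and challenge, so countersigning it binds both.
func (t *Token) Handle(sr SignedRequest) (AuthResponse, error) {
	pub, ok := t.sites[sr.Request.Origin]
	if !ok || !ed25519.Verify(pub, encode(sr.Request), sr.Signature) {
		return AuthResponse{}, errors.New("unknown origin or bad site signature")
	}
	if !t.Approve(sr.Request.Origin) { // the user saw the origin and said no
		return AuthResponse{}, errors.New("user declined")
	}
	return AuthResponse{sr.Request.Challenge, ed25519.Sign(t.priv, sr.Signature)}, nil
}

// Site is the relying party; pending holds challenges issued but not yet consumed.
type Site struct {
	Origin   string
	priv     ed25519.PrivateKey
	tokenPub ed25519.PublicKey
	pending  map[string]SignedRequest
}

// NewRequest issues a fresh signed challenge and remembers it.
func (s *Site) NewRequest() SignedRequest {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	req := AuthRequest{Origin: s.Origin, Challenge: ch}
	sr := SignedRequest{req, ed25519.Sign(s.priv, encode(req))}
	s.pending[string(ch)] = sr
	return sr
}

// Verify accepts a response once, and only for a challenge this site issued.
func (s *Site) Verify(resp AuthResponse) error {
	sr, ok := s.pending[string(resp.Challenge)]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	if !ed25519.Verify(s.tokenPub, sr.Signature, resp.TokenSig) {
		return errors.New("token signature invalid")
	}
	delete(s.pending, string(resp.Challenge))
	return nil
}

// NewPair generates both key pairs and enrolls each side with the other (the one-time registration step).
func NewPair(origin string) (*Site, *Token) {
	sitePub, sitePriv, err1 := ed25519.GenerateKey(rand.Reader)
	tokPub, tokPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed") // treated as fatal in this demo
	}
	site := &Site{origin, sitePriv, tokPub, map[string]SignedRequest{}}
	tok := &Token{map[string]ed25519.PublicKey{origin: sitePub}, tokPriv,
		func(o string) bool { fmt.Println("token screen:", o); return true }}
	return site, tok
}

func main() {
	site, tok := NewPair("https://bank.example")
	resp, err := tok.Handle(site.NewRequest())
	fmt.Println("token:", err, "| first use:", site.Verify(resp), "| replay:", site.Verify(resp))
}
```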

    62. Re:Seemed pretty obvious this was the case by dgatwood · · Score: 1

      Do you mean Yorkshire Pudding Purple Monkey Dishwasher or her sister, Idaho Potato Purple Monkey Dishwasher?

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    63. Re: Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      Password managers are the only way to use random, different passwords on every site. The risk of having your own local data stolen is significantly less than non random or same passwords stolen from a third party site.

    64. Re: Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      They are worse unfortunately as they are usually stored in clear text on the server.

    65. Re:Seemed pretty obvious this was the case by quenda · · Score: 1

      Just another reminder to use strong passwords,

      It does not matter how good your password is, if it can be reset by anyone researching the answer to Apple's "security questions", like:
      - What was the model of your first car?
      - What was your childhood nickname?
      - In what city did your parents first meet?

      Never mind social engineering, a lot of those could be answered by Google for a starlet.

    66. Re:Seemed pretty obvious this was the case by drkim · · Score: 2

      ...I recommend using multiple safes/vaults/etc with different passwords...

      It's just funny - because Pamela Anderson had her sex tape stolen from her safe. (back when there were 'tapes')

    67. Re:Seemed pretty obvious this was the case by Jack+Griffin · · Score: 1

      The flaw I've noticed these days is a lot of these web services force you to have a security question, then limit you to 3 obvious choices (such as mother's maiden name, first pet, favourite teacher etc.). Of course those of us with a brain don't use real answers, but for ma and pa kettle it is an open door.

    68. Re:Seemed pretty obvious this was the case by Jack+Griffin · · Score: 1

      That's fine for you, but would you expect your mother to do the same thing? I'm pretty sure that 99.9% of people who aren't into tech use real answers and get burnt. Account providers really need to get their act together on this flaw.

    69. Re:Seemed pretty obvious this was the case by drkim · · Score: 1

      Or perhaps for nude or sensitive pictures or video, use a stand-alone camera, not a camera phone or networked device.

      I'm pretty sure most of these movie stars could afford a cheap point-n-shoot or DSLR.

    70. Re:Seemed pretty obvious this was the case by hairyfeet · · Score: 1

      The Anon Coward can't provide one because he is one of the faithful iFanboys protecting his God by any means, truth or no. I have seen this same claim made on multiple sites and every single time when somebody asked for a citation? Nothing but silence.

      This is why iFanboys scare me, as the closest analogy is a Scientologist; they both have this insane devotion to their cause and will happily lie and mislead if it furthers their religion.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    71. Re:Seemed pretty obvious this was the case by John3 · · Score: 1

      Or they use really obscure questions. Verizon prompted me for "Favorite Vacation Spot" the other day, and I could not recall my answer. Wound up resetting the password and account.

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    72. Re:Seemed pretty obvious this was the case by hufter · · Score: 1

      How do I know this tool doesn't collect passwords that people try, which could then be used to break into people's accounts?

    73. Re:Seemed pretty obvious this was the case by Cro+Magnon · · Score: 1

      One question that bugged me was "Favorite Book". My favorite book in 2000 may not be my favorite in 2014.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    74. Re:Seemed pretty obvious this was the case by neoritter · · Score: 1

      Who said anything about papers lying around? Is the password manager on a computer hooked up to the internet? Then it's less safe than a piece of paper in a safe or locked drawer. With a password manager, anyone that is able to infect your computer has the opportunity to get your passwords. Most cyber criminals are not going to break into your house just so they can try to find a piece of paper with your passwords on it. You should already have a safe or something like it where you keep your important documents anyway. Birth certificate, social security card, passport, etc. Is that method of storage somehow not worthy enough for a piece of paper with your passwords?

    75. Re:Seemed pretty obvious this was the case by neoritter · · Score: 1

      Sure hope the password on your PM is good...or no one manages to get a key logger on your computer.

    76. Re:Seemed pretty obvious this was the case by Yaztromo · · Score: 1

      How do I know this tool doesn't collect passwords that people try, which could then be used to break into people's accounts?

      Well, you could always read the source and verify that this is not the case.

      Yaz

    77. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      I go the other way - 1 strong password, and a different email for each service.

    78. Re:Seemed pretty obvious this was the case by byjove · · Score: 1

      To be fair, any 'fanboy' is scary.

    79. Re:Seemed pretty obvious this was the case by gstoddart · · Score: 1

      So, those are the two options? Keep it in your head or back it up to the cloud?

      Really? In all of computing we've never solved this?

      I know for a fact that things like KeePass have their DB as an encrypted file. I know you can have that copied onto your phone, or your tablet ... and I also know for a fact that you can have a phone or a tablet which isn't backed up to the cloud.

      Passwords that stay in your head can't be stolen.

      They can be beaten out of you. They can be compelled by the court. They can also be forgotten, which is why password managers exist in the first place. (And, yes, obviously the same applies to the password for your password manager.)

      I know a lot of people who have switched to using something like KeePass for their personal stuff.

      And I know quite a few places which use it when passwords need to be available and shared among a team of people.

      --
      Lost at C:>. Found at C.
    80. Re:Seemed pretty obvious this was the case by hairyfeet · · Score: 1

      What I don't get is WHY? Why in the fuck would you worship a fricking corporation? It's not like they have stock in the company, hell the company doesn't even give them iFanboy discounts or anything, so why?

      Are there products that I like? Sure but I'll drop their asses like a bad habit if they screw me over, take Nvidia, I used to LOVE Nvidia cards...until I got fucked over by bumpgate. Now? I use and sell nothing but ATI/AMD cards. And I sure as hell ain't trying to cover when a company fucks their customers, see the diatribes I wrote about MSFT when they released Windows "LULZ I Iz A Cellphone LULZ" Mist8ke Edition.

      So I just don't fucking get it, I really don't.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    81. Re:Seemed pretty obvious this was the case by byjove · · Score: 1

      It's just a variation of my god is better than your god. Some people get religious about brands. They project their identity onto them. You attack the brand, you threaten their identity.

    82. Re:Seemed pretty obvious this was the case by Anonymous Coward · · Score: 0

      Unless you're going to change those passwords at a significantly higher frequency than the cracking software can break a pword, you're wasting your time.

    83. Re:Seemed pretty obvious this was the case by jwhitener · · Score: 1

      That is an interesting tool. I'm not sure how 'real world' accurate it is, but some passwords I had that are comprised of just words and numbers, not even upper case, had crack times of years. While others, with odd special characters, upper/lower, and not resembling words at all, had crack times of seconds.

    84. Re:Seemed pretty obvious this was the case by Yaztromo · · Score: 1

      FWIW, I agree that it may not entirely be "real-world accurate". It does pre-suppose that whoever is attempting to crack your password already knows something about the structure of your password (such as it being a dictionary word followed by a repeating sequence, as in the original "Ten!!!!!!!!!!!" example). However, if we take this at face value, it does give us a better worst-case scenario for password strength than those which simply presume a brute-force approach.

      That is, given someone looking over your shoulder (but without sufficient accuracy to see exactly what you're typing), and then applying computational tools, how quickly could your password be cracked? That's certainly an interesting question to have the answer to, and if your password is resistant to a known-pattern based cracking approach, it's certainly going to kill any attempts to purely brute-force it.

      Yaz

  2. This is also how Sarah Palin's email got "hacked" by i+kan+reed · · Score: 5, Insightful

    Remember 2008? Some random douche on 4chan just looked up her dog's name?

    Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

  3. Surprised? by Anonymous Coward · · Score: 0

    You expected Apple to say whoops, our bad? Come on.

  4. But how do the hackers get the email addresses? by Camembert · · Score: 1

    I can indeed imagine that in some cases it would be possible to find the answer to the password security questions by doing some googling about the celebrity. With 2 factor authentication this would not have been an issue.
    I still wonder how the hackers got access to the email addresses of the celebrities they targeted? Because this is the necessary first step. Sloppy industry agents perhaps?

    1. Re:But how do the hackers get the email addresses? by Russ1642 · · Score: 1

      That would be the easy part. If they use their email address for anything presumably it's to receive and send email so they CAN'T keep it a secret.

    2. Re:But how do the hackers get the email addresses? by John3 · · Score: 5, Funny

      I'd imagine once you hack a celebrity email you can then get emails of their friends, and so on. The key is to get the email address of Kevin Bacon and then you're golden.

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    3. Re:But how do the hackers get the email addresses? by Anonymous Coward · · Score: 1

      Forget the celebrity, target the agent

    4. Re:But how do the hackers get the email addresses? by Anonymous Coward · · Score: 0

      That's what I was thinking.

      Also wonder if the phones were provided as gifts by some agency where they were preconfigured for the celeb so whoever set them up had access to the emails.

      Wonder if there's a common connection between all the celebs affected.

      There has to be someone inside that got the email addresses which then they were able to brute force to get the password.

      Although hopefully it wasn't as simple as social engineering where someone pretended to be the celebs agent/rep calling on their behalf to get their password. I'd hope Apple wouldn't fall for that. Anyway even if they did they probably couldn't provide password info and they'd only be able to reset the password which would indicate to the celebrity that something is up. Unless that's how they got the emails "Hey I represent so and so and she forgot her iCloud email..."

      Wow that was a lot of speculation! I'd love to know how it really happened though especially as an iCloud user (not that anyone would want to see my fat naked body)

  5. At the risk of blaming the victim... by erp_consultant · · Score: 3, Interesting

    what the heck are these people thinking? Putting nude photos of yourself on a phone and syncing it every which way? It's one thing if you are Joe-nobody but being a celebrity is entirely different. That's just plain stupid.

    1. Re:At the risk of blaming the victim... by CaptainDork · · Score: 4, Insightful

      Wrong-think.

      If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:At the risk of blaming the victim... by Black+Parrot · · Score: 3, Insightful

      But dealing with reality is very logical.

      If you don't want people to see pictures of you naked, don't take the pictures.
      And if you do, don't put them on a computer.
      And if you do, don't put them on a computer on the internet.
      And if you do, don't put them on someone else's computer on the internet.

      If they're out there, someone is going to get them.

      --
      Sheesh, evil *and* a jerk. -- Jade
    3. Re:At the risk of blaming the victim... by JustNiz · · Score: 1

      What those celebs are actually thinking is that there's no such thing as bad publicity, especially when backed up with fake self-righteous indignation.

      I think it's funny that most people still genuinely believe that those celebs really didn't want that stuff leaked.

    4. Re:At the risk of blaming the victim... by CaptainDork · · Score: 0, Troll

      Or ...

      Sue the hell out of companies that don't have the sense god gave a piss ant to provide a secure method of log in.

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re:At the risk of blaming the victim... by QuasiSteve · · Score: 2

      I'd imagine that most of them really didn't want that stuff leaked - or they'd just leak them, themselves, in a coordinated manner.

      Of course now that they are out, most of them will be working with their PR agent(s) to put as positive a spin on it as they can - be that to be indignant, outraged, shrugging it off, claiming it's not them, thinking of how they're going to put themselves in a PSA about password security so that their idolizing fans don't make the same mistake, etc.
      And, yes, some of them will probably come out of this better.
      But that doesn't mean that this is what they wanted all along.

    6. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 1

      Wrong-think.

      If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.

      Parent doesn't state that the perpetrators did nothing wrong, he stated that the victims behaved irresponsibly with their data. Don't confuse that with victim-blaming, those are two very different things.

      Taking no precautions as if you lived in utopia is straight out retarded and pushing the agenda that people shouldn't behave responsibly to protect their information is inconsiderate and/or malicious, you only create more victims.

    7. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 1

      what the heck are these people thinking? Putting valuables in your house, and installing windows so people can see right in? It's like they're INVITING robberies!!!

      Criminal trespass is criminal trespass. It doesn't matter if it was "easy" to get to the photos - they were not yours, or anybody else's, to access without permission.

    8. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      and this is where el CapitanSJW screams 'Not rabbit, not rabbit' because someone has an opinion not like his own.

      No such thing as wrong-think, but there is such a thing as bullying people for expressing their opinion.

    9. Re:At the risk of blaming the victim... by neoritter · · Score: 1

      Lemonade out of lemons? Or lemonade out of sugar water?

    10. Re:At the risk of blaming the victim... by Aaden42 · · Score: 3, Insightful

      Wrong-think on several levels indeed.

      1) They took nudes. So fscking what. The fact that in their private lives they decided to indulge in an activity that lots of people do isn’t something that should even be reported, much less held against them or affect their careers.

      2) Basic human dignity should preclude assholes like the attackers from invading others’ privacy like this. (Yes, I know the world is full of assholes, and this is unreasonable dreaming, but still wrong of OP to blame the victim for someone else being an asshole.)

      3) I believe Apple enables photo syncing to the cloud by default when you set up iCloud on a new device. (I could be wrong. It’s been a while since I set up a device from scratch rather than backup/restore.) I wouldn’t expect the vast majority of people to appreciate the gravity of having every pic you ever take immediately uploaded to a third party server. I consider that a serious failing of the tech industry for not educating people of the risks of using cloud-based services. I also wouldn’t expect the majority of iUsers to be able to find & disable the photo sync option nor to know how to expunge any images that might already have been uploaded. Blaming non-techies for being non-techies isn’t a reasonable approach.

      So as far as assigning blame for this one:

      1) The Hackers.
      2) Prudish, sex-hating, women-hating ‘mur’kans for blaming the victims.
      3) The press for seizing on this as news story of the month thus ensuring everyone knows to go searching for the pics.
      4) Tech industry for pushing cloud-based storage.
      5) Apple for not enabling password lockout on Find my Phone (assuming the reporting on that was accurate).
      6) Apple for default-enabled on photo sync (assuming my recollection on that is correct - I may be wrong).
      7) Their publicists/managers/etc for not knowing enough to a) ensure their emails were unguessable, b) insist they disable photo syncing on their devices, c) insist they enable two-factor auth, d) ensure complex passwords and non-public-records password reset answers, and e) monitor their emails for “new device accessed your account” or “password reset” notifications.

      You’ll note the celebs aren’t in the above list of people who share in the blame here. I don’t even expect them to know enough to use good passwords. They’re ordinary humans whose focus should be on things not related to IT security. The people they undoubtedly pay good money to manage their careers and lives should have known better though. If not known enough themselves, known enough to contract with someone who did who could advise them appropriately.

    11. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 1

      I think you missed the summary of the article up above. Apple does have a secure method to log in: two-factor authentication plus strong passwords. Apparently, the celebrities in question didn't use it.

    12. Re:At the risk of blaming the victim... by nine-times · · Score: 2, Insightful

      What does this have to do with a secure method of log-in? If I make my password "password", then it's my own fault, not the login system's fault. You could say that they could require a strong password, which is great. Require it to be 10 characters, including at least 1 upper-case, 1 lower-case, 1 number, and one symbol. You know what the password will be then?

      "P@$$w0rd12"

      If you want to do better than that, we need to be using a public key system, and create a secure, reliable, easy method of managing keys. Otherwise, if you're letting people set their own password, they're going to choose bad passwords.

    13. Re:At the risk of blaming the victim... by Lehk228 · · Score: 3, Interesting

      Working systems are available, but fools want their iThing or $20 droid and then act all surprised when their genitals end up on 4chan. It's not a new problem; when was it Paris Hilton's Sidekick got hacked again?

      If you buy trash with security ranging from "fuck it we have none" to "well I guess we tried" because it's ooh shiny let's play Flappy Bird, that is a choice with consequences.

      --
      Snowden and Manning are heroes.
    14. Re:At the risk of blaming the victim... by dunkindave · · Score: 1

      What the heck are these people thinking? Putting valuables in your house, and installing windows so people can see right in? It's like they're INVITING robberies!!!

      Criminal trespass is criminal trespass. It doesn't matter if it was "easy" to get to the photos - they were not yours, or anybody else's, to access without permission.

      I don't think the debate is about whether the access of the photos was a crime, rather it is turning into a debate about the thought given, or not, of how sensitive information is being handled, in this case celebrity nude pics of themselves. Having valuables in my house and having windows in my house are both OK, but placing valuables right up against the front windows where a smash-and-grab can get them is stupid. If a person takes nude pics of themselves, then the person better understand that they have introduced the risk that the pics exist and can therefore be stolen. Note that I am not blaming the victim, and it doesn't mean a theft is OK, it isn't and is still illegal, but actions come with consequences. What is flaming the debate here is the difficulty of knowing the dangers involved with the way the pictures were stored. In a perfect world the pictures would be safe, but we don't live in a perfect world and the news has many stories of people's accounts getting compromised and photos, emails, documents, ..., all being stolen and posted. I think what sets this episode apart is the scale of the compromise, and who the people are, not really the manner in which it happened.

    15. Re:At the risk of blaming the victim... by CaptainDork · · Score: 2

      See? There's the wrong-think.

      Recall that systems people are the ones who are driving the freaking truck.

      How hard is it to inspect a password and tell a person that it's just too weak and here are the rules, so please comply or die?

      How hard is it to enforce two level authorization at sign-up?

      The paradigm where we blame the victims instead of unimaginative and lazy IT jockeys has got to stop.

      --
      It little behooves the best of us to comment on the rest of us.
    16. Re:At the risk of blaming the victim... by St.Creed · · Score: 1

      If you don't want people to see pictures of you naked, don't take the pictures.

      Yes, it's probably too much to ask for some security on your private files, nowadays. Options like "only sync photos with permission" or "Do not sync" folders are way too complex to implement. So let's put the burden of dealing with failing technology on the consumer. After all, that worked really well for car vendors, right?

      I foresee the day when Apple et al are going to pay HUGE settlements in class action suits if they keep up this rather cavalier attitude towards security.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    17. Re:At the risk of blaming the victim... by rHBa · · Score: 1

      Better education of users is the answer. To coin a car analogy, most people now know not to leave their purse, computer, other valuable items visible in their car, they take extra measures like leaving it in the boot/trunk or not leaving it there in the first place.

      This was (and unfortunately still is) not always the case but because of advertising campaigns people tend to know they should be more aware.

    18. Re:At the risk of blaming the victim... by JustNiz · · Score: 1

      >> I'd imagine that most of them really didn't want that stuff leaked ...Because most normal people tend to put naked pictures of themselves in a cloud somewhere?

      >> or they'd just leak them, themselves, in a coordinated manner.

      That was exactly my point, that this is actually coordinated.

    19. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      If you don't want people to see pictures of you naked, don't take the pictures.
      And if you do, don't put them on a computer.
      And if you do, don't put them on a computer on the internet.
      And if you do, don't put them on someone else's computer on the internet.

      And if you do, insist on a percentage of the site's fee and change your profession to "porn star".

    20. Re:At the risk of blaming the victim... by Charliemopps · · Score: 1

      Fair enough, but the system doesn't work the way it's "supposed to", so now what?

    21. Re:At the risk of blaming the victim... by q4Fry · · Score: 1

      No no no no.

      Those idiotic hoops frankly make my passwords worse. Given these (and potentially many other permutations) of password rules for hypothetical different sites, you can't formulate a decent method for acceptably strong passwords that can be kept to memory:

      10+ chars; no char restriction
      8-14 chars; must have 2+ ASCII symbols outside of [a-zA-Z0-9]
      6-12 chars; must have 1+ number, 1+ uppercase, 1+ lowercase; must have 1+ symbol from the following set: [&$#@!^+=~]
      8+ chars; must have 1+ number, 1+ uppercase, 1+ lowercase; must have 1+ symbol from the following set: [&$#@!^+=~,.?/{}]
      Exactly 10 characters; must have 1+ number, 2+ uppercase, 2+ lowercase; NO special characters

    22. Re:At the risk of blaming the victim... by edremy · · Score: 4, Insightful
      If you don't want people stealing your money don't store money online. Don't use credit/debit cards, an online brokerage account, web access to your checking account, etc. If it's out there someone is going to steal it.

      Simple, no? Blame the victim all you want, but that line of thinking pretty quickly devolves into unplugging from the Internet and trying to pay your bills with physical cash.

      --
      "Seven Deadly Sins? I thought it was a to-do list!"
    23. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 1

      So basically, what you're saying is, "If you don't want to get raped, don't wear that sexy outfit".

      I don't think you've thought through this common tech-bro notion. That if someone has done something wrong and illegal to you, the solution is for everyone to shame you into not doing what you want.

      If someone beats you over the head and steals your wallet, how would you feel if the police said, "That's what you get for going out in public"? There is an implicit second step in your logic that nobody wants to take. If we should treat everything personal we put online as if it were public, then what kind of failure is this Internet? You want to be able to do financial transactions online? Buy a book from Amazon or a video card from Newegg? Then accept the fact that your money is now public. Accept the fact that the armies of neckbeards doing internet security are really just a bunch of overpaid jackoffs. [In fact, yesterday one of the national news programs was covering this story and brought on a "noted internet security expert" and sure as shit, he had a neckbeard. You could tell it was one of the proudest moments in his life. Did he say, "Well, Katy, the fact is that people like me really don't know a goddamn thing about what we're doing and we haven't been able to come up with shit to protect you when you use the internet". No, he was talking about complex passwords and encryption and blah blah, knowing full well that it was all just a bunch of security theater on par with taking your shoes off at the airport.]

      Give me a fucking break. We're what thirty years into this "internet" thing? Nobody can figure out how to keep JP Morgan Chase from getting hacked?

    24. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      No, make lemonade out of Jennifer Lawrence's mams.

      Which, by the way, are really nice. Now that you know, you don't have to go invade the young woman's privacy. I checked so you don't have to.

    25. Re:At the risk of blaming the victim... by Actually, I do RTFA · · Score: 1

      Wrong-think.

      If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.

      It is if the victim, exercising a reasonable amount of care, would have known the system was broken. Now, what is reasonable is up for debate. I think everyone agrees that if you ignore the "Beware of the Leopard" sign, you don't get to complain when you don't get a super-awesome adventure (possibly also mauled by a leopard). And I think if the brakes in your Prius go bad, then no one would think you could have predicted that (unless you are the Woz; because he did and told Toyota...)

      I would say that it is perfectly reasonable to blame the victim for not realizing that nothing you put on the internet can ever hope to be private. If you are leader of a country, you should expect other countries to tap your phones. If you are a celebrity who makes a lot of money off your sexiness, you should expect people will want nude pictures of you.

      You may disagree. And it is distasteful to blame the victim. But there is some point, which different people can have a discussion about, when it starts becoming their fault.

      --
      Your ad here. Ask me how!
    26. Re:At the risk of blaming the victim... by Actually, I do RTFA · · Score: 1

      You'll note the celebs aren't in the above list of people who share in the blame here. I don't even expect them to know enough to use good passwords. They're ordinary humans whose focus should be on things not related to IT security.

      I expect them to know enough to use good passwords, because I expect all people to know that. I expect them to know enough that they are a high-profile target. And I expect them to know enough to know that computer security is often shittily done.

      That is, I expect them to know enough not to trust anything. I don't expect them to know enough to choose to trust anything.

      --
      Your ad here. Ask me how!
    27. Re:At the risk of blaming the victim... by nine-times · · Score: 2

      How hard is it to inspect a password and tell a person that it's just too weak and here are the rules, so please comply or die?

      It's pretty hard. Whatever rules you use to automate the detection of weak passwords can be fooled. That was my point with "P@$$w0rd12". By most automated systems' ability to check, that's a strong password. Still, if you're running a dictionary attack, you're going to include things like that.

      How hard is it to enforce two level authorization at sign-up?

      Not necessarily easy, unless you can assume (a) everyone has whatever they need for the second factor; and (b) people will tolerate using the second factor. Even if you strictly enforce a second factor which sends an SMS to a person's cell phone, you're assuming that they have a cell phone. Most people do, but do all of your customers?

      And I'm not actually blaming the victim. I'm blaming the Internet at large, which is still using passwords alone. Like I said, "we need to be using a public key system, and create a secure, reliable, easy method of managing keys."
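      The point made in comments 12 and 27, that a composition rule such as "10 characters, upper, lower, digit, symbol" happily accepts "P@$$w0rd12" while any dictionary attack with the usual mangling rules still finds it, as an added example that is not code from the thread or from Apple. The wordlist and the leet table are constructed for the illustration; a real cracking list is far larger.

```python
"""Added example, not code from the thread or from Apple: a composition-rule
checker of the kind comments 12 and 27 describe, beside a dictionary check
that reverses the common "leet" substitutions attackers' mangling rules undo.
The wordlist below is a constructed stand-in for a real cracking list."""
import re
import string

# Constructed miniature wordlist; real attacker lists hold millions of entries.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou",
                "monkey", "dragon", "baseball"}

# Substitutions that password-mangling rules routinely reverse (assumed table).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})


def passes_composition_policy(pw: str) -> bool:
    """The policy quoted in the thread: at least 10 characters with one
    upper-case letter, one lower-case letter, one digit and one symbol."""
    return (len(pw) >= 10
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def normalise(pw: str) -> str:
    """Strip the digits and symbols users bolt on at either end, reverse the
    leet substitutions and lower-case the rest, so "P@$$w0rd12" -> "password"."""
    core = re.sub(r"^[0-9\W_]+|[0-9\W_]+$", "", pw)
    return core.translate(LEET).lower()


def is_dictionary_based(pw: str) -> bool:
    """True when the password is a wordlist entry or a mangled form of one."""
    return pw.lower() in COMMON_WORDS or normalise(pw) in COMMON_WORDS


def evaluate(pw: str) -> dict:
    """Both verdicts side by side; a password is accepted only if it satisfies
    the composition rules AND is not a disguised dictionary word."""
    policy_ok = passes_composition_policy(pw)
    dictionary = is_dictionary_based(pw)
    return {"policy_ok": policy_ok,
            "dictionary_based": dictionary,
            "accept": policy_ok and not dictionary}


if __name__ == "__main__":
    for candidate in ("P@$$w0rd12", "password", "Kx7#vQ2m!Lp9"):
        print(f"{candidate!r}: {evaluate(candidate)}")
```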

    28. Re:At the risk of blaming the victim... by Areyoukiddingme · · Score: 1

      The fact that in their private lives they decided to indulge in an activity that lots of people do isn't something that should even be reported, much less held against them or affect their careers.

      Held against them or affect their careers? I don't read mainstream news or pay attention to celebrities, so when this story hit the Slashdot front page, I didn't recognize any of the names, but I'm going to go out on a limb here and guess that the people named are all pretty girls. I'm quite certain that in Hollywood, naked pictures of already famous pretty girls are only a help to their careers, not a hindrance. With the possible exception of Disney stars, but that's probably only momentary. They'll just sign with Sony instead.

      All the false outrage over naked people is just that: false outrage. The rumor-mongering, scandal-spreading, gossip-loving general public laps this shit up and begs for more. It sells papers (metaphorically), it drives hits, it pushes up ratings, and a bunch of pretty girls are going to see their star currency ratings climb substantially for a while.

      In the end, much sound and fury signifying nothing.

    29. Re:At the risk of blaming the victim... by bws111 · · Score: 1

      Your own analogy illustrates the problem with that approach. Putting your purse in the trunk may stop an opportunistic thief from strolling by, seeing your purse, and taking it. It does absolutely nothing to protect against a determined thief who has a strong suspicion that there is something of value stored in the vehicle. But in the case of online data, people here are taking the position that the user must protect against determined foes. It would be like telling everyone that the proper thing to do is always put your purse in Ft Knox. Of course, nobody will actually do that because it is totally impractical.

      The answer is that we need to let go of the idea that the ancient idea of passwords is sufficient. It obviously is not.

    30. Re:At the risk of blaming the victim... by imidan · · Score: 1

      When I got my iPod, one of the first things that it did when I turned it on is it prompted me to set up iCloud. Since I know enough to try to avoid the "cloud" whenever possible, I just skipped the iCloud sign-up. I'd imagine that the vast majority of people, when they turn on their iPhone for the first time, are prompted to set up iCloud and just go ahead and do it. They see it as just part of setting up their phone. They don't understand the security implications, and they trust Apple to not leak their private data to strangers.

      Maybe people should be more security conscious, but I think there should be some significant penalties for corporations that leak data that they are supposed to be keeping private. (And maybe in this case it's not really Apple's fault, but there are plenty of other data leaks happening these days.)

    31. Re:At the risk of blaming the victim... by WhatHump · · Score: 1

      What if it's not intimate photos? What if you have a bad day and type out a rant about your employer or the government in a document on your PC, and it gets auto-sync'd to the cloud? Most of my family and friends who mentioned this issue had no idea that when they checked the "backup" option on their phone, that it was copying EVERYTHING to a cloud server. They're just not that technically-literate.

      --
      "Could be worse...could be raining." Igor
    32. Re:At the risk of blaming the victim... by Ravaldy · · Score: 1

      I agree with both of you. Blaming the victim is nonsense, but dealing with reality isn't product friendly. The fact is that companies like Apple cannot protect their users' data with certainty (that is the reality). So this comes back to the fact that all internet users have the ability to perform crimes anonymously. As technology evolves and authorities become better equipped, crimes like this one will be less likely to occur since they will be able to find the offenders.

      Meanwhile, cloud storage remains unsafe from capable predators.

    33. Re:At the risk of blaming the victim... by Austerity Empowers · · Score: 1

      If I walk down the street in a bad neighborhood with fat baggies of 100 bills taped to my clothes, it's a crime if even a single 100 bill gets stolen. The perpetrator should be thrown in jail and punished to the full extent of the law. But that doesn't make me less of a moron for doing it in the first place.

      Don't take nudes of yourself if you can't handle the consequence of them getting out in public. Mom's advice circa 1985, long before our communications devices were either portable or had built in cameras and linked to a world-wide net of perverts. It's not victim blaming or victim hating to point out obvious mistakes. We all know there are bad people out there, we cannot catch every one before they strike, so protect your damned self. Where possible, avoid being the victim in the first place.

    34. Re:At the risk of blaming the victim... by AthanasiusKircher · · Score: 1

      If it's out there someone is going to steal it.

      Simple, no? Blame the victim all you want, but that line of thinking pretty quickly devolves into unplugging from the Internet and trying to pay your bills with physical cash.

      Only if you miss the point.

      There's a difference between "blaming the victim" and "taking reasonable precautions." In an ideal world where everything is happy rainbows and roses, a woman should be able to walk naked down a dark alley with no risk of anything bad happening to her. A guy should be able to walk down a dark alley in a part of town known for pickpocketing and muggings wearing expensive gold jewelry showing everywhere and a fancy expensive electronic device hanging off of every part of his body... with no fear.

      In the REAL WORLD, bad people are out there. Bad people suck. So, if you're a single young woman, it may not be a good idea to walk down that dark alley alone in the middle of the night, even if you're wearing clothes. It may not be a good idea to flash your iPhone around alone with your fancy wristwatch and jewelry late at night when you're alone in an area known for muggings.

      If something bad happens to people like this, we should NOT "blame the victim." But we SHOULD encourage people to take appropriate precautions to avoid ending up in a similar bad situation.

      The reality is that there are lots of weird and bad people out there who want to access nudey photos of famous women, and they'll go to stupid lengths to do it. So, if you're a famous woman (or even if you're not -- and just don't want nude pictures of you showing up somewhere), it's a reasonable precaution to take GP's advice. Either don't take the photos in the first place, or keep them in a place where you are incredibly certain that no one else could EVER have access -- and an electronic device attached to the internet is NEVER one of those "safe" places.

      Similarly, to use your example of online finances, I assume you wouldn't advise people to post all of their financial passwords and account numbers in plaintext on the internet, would you? Why not? We should just TRUST that no one would ever use that information in a bad way, shouldn't we!? So, please reply to my post with all of your financial account information immediately. I promise -- I won't do anything at all with it. And surely you can trust the rest of the internet crowd who reads Slashdot, no?

      No -- the real world has jerks in it. It's sad. And it's terrible that good people have to be restricted in their actions because of it, but that's what living in the real world is like. So, you can do online finance, but you take reasonable precautions... like using strong passwords and not posting your financial data on the internet for anyone to see. If you are likely to be a hacking target -- like a rich person with lots of financial stuff, or a famous actress with nudey photos of yourself -- you may want to go up a few more levels in terms of precaution.

    35. Re:At the risk of blaming the victim... by Tharkkun · · Score: 1

      What does this have to do with a secure method of log-in? If I make my password "password", then it's my own fault, not the login system's fault. You could say that they could require a strong password, which is great. Require it to be 10 characters, including at least 1 upper-case, 1 lower-case, 1 number, and one symbol. You know what the password will be then?

      "P@$$w0rd12"

      If you want to do better than that, we need to be using a public key system, and create a secure, reliable, easy method of managing keys. Otherwise, if you're letting people set their own password, they're going to choose bad passwords.

      The fact that you can successfully brute force their password system is completely Apple's fault. You should be locked out and be required to reset via email or call Apple after say 5 or more attempts. But this would also require Apple spending more money on tech support for password resets.
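      One defensive answer to the lockout point above (lock the account after about 5 failed attempts and make the user recover out of band), as an added example that is neither Apple's code nor anything posted in the thread. The thresholds, the doubling window and the `LoginThrottle` / `attempt_login` names are assumptions made for the illustration.

```python
"""Added example, not Apple's code or anything from the thread: per-account
lockout after a fixed number of failed logins, with a lockout window that
doubles on each repeat, as one defensive answer to comment 35's complaint
that the password endpoint could be brute-forced. Thresholds are assumptions."""
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILURES = 5                 # the "5 or more attempts" from the comment
BASE_LOCKOUT_SECONDS = 15 * 60   # assumed first lockout window
MAX_LOCKOUT_SECONDS = 24 * 3600  # cap so the backoff cannot grow unbounded


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last lockout
    lockouts: int = 0          # consecutive lockouts; drives the backoff
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class LoginThrottle:
    accounts: dict = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        # Case-fold so "Alice" and "alice" share one counter.
        return self.accounts.setdefault(user.lower(), AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._state(user).locked_until > now

    def seconds_remaining(self, user: str, now: float) -> int:
        return max(0, int(self._state(user).locked_until - now))

    def record_failure(self, user: str, now: float) -> None:
        st = self._state(user)
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            # 15 min, then 30, 60, ... up to the cap, for repeat offenders.
            window = min(BASE_LOCKOUT_SECONDS * 2 ** st.lockouts,
                         MAX_LOCKOUT_SECONDS)
            st.locked_until = now + window
            st.lockouts += 1
            st.failures = 0

    def record_success(self, user: str) -> None:
        # A genuine login clears the counters and the backoff history.
        self.accounts[user.lower()] = AccountState()


def attempt_login(throttle: LoginThrottle, user: str, password_ok: bool,
                  now: Optional[float] = None) -> str:
    """Returns "locked", "ok" or "denied". The lock check runs before the
    password is consulted, so a locked account cannot be probed further.
    Caveat: this is per account; an attacker spraying one password across
    many accounts needs a separate per-source rate limit."""
    now = time.time() if now is None else now
    if throttle.is_locked(user, now):
        return "locked"
    if password_ok:
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user, now)
    return "locked" if throttle.is_locked(user, now) else "denied"


if __name__ == "__main__":
    t = LoginThrottle()
    start = time.time()
    for i in range(6):
        print(i + 1, attempt_login(t, "alice", False, start))
    print("retry after", t.seconds_remaining("alice", start), "seconds")
```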

    36. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      It's called 'risk mitigation' for a reason. Blaming the victim may be classless but they are not blameless. If you bathe in BBQ sauce and go for a walk in the woods, is it the bear's fault you were eaten? It's a jungle out there, padawan. Not a fucking schoolyard. Basic pre-emptive personal security efforts are expected. Don't believe me? Call your insurance agent and tell them your house was robbed. They _will_ ask you if the doors were locked. Same with the car. Leave your keys on the visor? You're shit out of luck. As to your online purchase example, that's pretty much how it worked until the credit people got tired of fighting with their pissed off customers, tried improving their PCI shit then said 'Fuck it, it's covered.' because they make enough off the interest to cover the fraud.

      You gotta live in the world that is, not the one you wish it was.

    37. Re:At the risk of blaming the victim... by Nyder · · Score: 1

      What the heck are these people thinking? Putting nude photos of yourself on a phone and syncing it every which way? It's one thing if you are Joe-nobody but being a celebrity is entirely different. That's just plain stupid.

      I, as Joe-nobody, think it's brilliant. Keep being stupid, keep giving me photos and movies to check out.

      --
      Be seeing you...
    38. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      You can change your credit card number to keep people from using it. You can't change your tits to keep people from seeing what they look like.

      Well, ok, you can, but I think you get my point.

    39. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      http://maximumble.thebookofbiff.com/2014/09/03/932-privacy/

      hold still...

    40. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      You have to explicitly go into the settings of your phone, or the preferences of iPhoto to enable cloud syncing. Many people wouldn't even manage the process to do so.

    41. Re:At the risk of blaming the victim... by NoKaOi · · Score: 1

      If you don't want people stealing your money don't store money online. Don't use credit/debit cards, an online brokerage account, web access to your checking account, etc. If it's out there someone is going to steal it.

      Great analogy. Most everyone knows that it's possible for your credit card number to get stolen. Heck, many of us have had our banks cancel our credit card (and send us a new one of course) because it was stolen from some merchant we purchased something from. So, just like using a credit card, if you're going to put nude pictures of yourself on the Internet (or anything on the Internet) then you should know there's a reasonable possibility that it is going to get stolen.

    42. Re:At the risk of blaming the victim... by edremy · · Score: 1

      If it's out there someone is going to steal it.

      Simple, no? Blame the victim all you want, but that line of thinking pretty quickly devolves into unplugging from the Internet and trying to pay your bills with physical cash.

      Only if you miss the point.

      .... No -- the real world has jerks in it. It's sad. And it's terrible that good people have to be restricted in their actions because of it, but that's what living in the real world is like. So, you can do online finance, but you take reasonable precautions... like using strong passwords and not posting your financial data on the internet for anyone to see. If you are likely to be a hacking target -- like a rich person with lots of financial stuff, or a famous actress with nudey photos of yourself -- you may want to go up a few more levels in terms of precaution.

      Except that these people didn't post their information on the internet for everyone to see. They uploaded the photos (possibly without their knowledge, since they might not really understand iCloud) to what they thought was a secure account. From Apple's own page on iCloud: "With iCloud, you can share exactly what you want, with exactly whom you want." It was only Apple's piss-poor understanding of security that allowed the accounts to be brute forced.

      Should they have used better passwords, or better reset questions? Sure, but I bet that 75% of Etrade account passwords could be brute forced using the same script if Etrade allowed it. Hell, I only updated mine a year or so ago since it was 10 digits long and I figured that wasn't enough anymore.

      I'm actually really annoyed at the focus on the "Don't upload nude selfies" bit. The foci in this story should be 1) Don't trust cloud vendors. 1a) Especially Apple. 2) Push for better multi-factor authentication systems on *everything* -- cloud photo accounts, checking accounts, ATMs, etc.

      --
      "Seven Deadly Sins? I thought it was a to-do list!"
    43. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      "Working systems" are available, until they fail too, when you will also decry that particular implementation as being created by idiots and blah blah blah real security like implementation Y.

      Truth is, humans are all idiots, and security is a losing battle over time. Don't trust anyone else to handle stuff you want kept private.

    44. Re:At the risk of blaming the victim... by Kjella · · Score: 1

      I wouldn't expect the vast majority of people to appreciate the gravity of having every pic you ever take immediately uploaded to a third party server.

      My cell phone is by far the most likely tech device I have to get broken, lost or stolen as I bring and use it almost everywhere. Pictures you take with the cell phone are the first and only copy in existence. What if you phrase "cloud" as "instant online backup", does that sound like a better idea? Yes, ideally I'd like to have them backed up on my computer instead of Apple's or Google's but very few run 24x7 boxes and sending them by email again requires a trusted third party. Unless you could integrate this all with GPG so it'd send encrypted email my home computer can pick up next time it's switched on. And hopefully avoid any attachment/mailbox size limits. But I don't know any software that does that, and the average person sure couldn't set that up. So if you don't want to lose all your photos and don't want to remember syncing all the time (because that totally happens, right?) you flip a switch and hope Apple doesn't screw it up.

      I think if you actually went out and asked people, a lot of tech-inclined people use cloud sync too. It's very convenient until something like this happens.

      --
      Live today, because you never know what tomorrow brings
    45. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      Sorry if I'm late to this party, but is "wrong-think" code for "some garbage premised on people not bearing any responsibility for their actions, laced with vapid PC terminology, is about to follow"?

      Saying that you shouldn't have walked down that dark alley late at night is not blaming-the-victim. If we chide people for pointing out unwise behavior in others, we're just setting up more people to become victims of preventable crimes.

    46. Re:At the risk of blaming the victim... by CaptainDork · · Score: 1

      Thankfully, you are not a sysadmin.

      We who are competent can handle basic security by twiddling the knobs.

      Because you are not on our lawn, your analogy is useless.

      --
      It little behooves the best of us to comment on the rest of us.
    47. Re:At the risk of blaming the victim... by CaptainDork · · Score: 1

      We are converging on agreement, still ...

      No sysadmin should allow a computer to harm someone.

      I didn't suggest SMS as part of two step authorization ... you did.

      In reality, some sites offer choices. A person can opt out of SMS and choose to have several security questions (with a note to lie like hell), or, conceivably, use email.

      The details are just speed bumps.

      --
      It little behooves the best of us to comment on the rest of us.
    48. Re:At the risk of blaming the victim... by CaptainDork · · Score: 1

      To make your analogy less broken, try it again and include the part where you failed to lock the gate.

      --
      It little behooves the best of us to comment on the rest of us.
    49. Re:At the risk of blaming the victim... by CaptainDork · · Score: 1

      I recognize the language, but I don't grok the message.

      In any case, how about using a URL?

      Try this password at your bank:

      http://slashdot.org/bitemybutt

      or:

      "I like to log into slashdot at least once a day." (quotes optional)

      --
      It little behooves the best of us to comment on the rest of us.
    50. Re:At the risk of blaming the victim... by CaptainDork · · Score: 1

      Sue the bastards.

      Seriously, litigation is the only way.

      --
      It little behooves the best of us to comment on the rest of us.
    51. Re:At the risk of blaming the victim... by CaptainDork · · Score: 1

      I am a "user advocate" and I disagree with you. The analogy is flawed because, as a sysadmin, I can't get to people's cars.

      I can sure get to my front doors. I can establish rules.

      Look: We all know what the best practices are. Let's enforce rules.

      When people sign up, don't let them move past "password," until they put in one that meets our definition of best practice.

      In the next step, force people to choose their poison regarding two step authentication.

      For security questions, be sure to advise them to LIE.

      Every month, or two months, or three months or six months (we get to set the timer), tell the customer, "Whoops! It's 'Password Tuesday!'"

      "Let's go through this again or you don't get to play."

      --
      It little behooves the best of us to comment on the rest of us.
    52. Re:At the risk of blaming the victim... by CaptainDork · · Score: 1

      You can't have it both ways.

      Either you can use the Internet or you can't.

      The episodes we've experienced over the last few years would be fixed by now if the actual culprits had their asses handed to them on a platter in a court of law.

      Manning? Walked in with a Lady Gaga CD (that's 1) inserted into a CD player (that's 2) accessed data he had no need to see (that's 3) ...

      Snowden? Vetted by a contract company (that's 1) hired by a contractor to the gubmint (that's 2) see 3 above ...

      Target, Home Depot, etc? Where the hell was sysadmin?

      For other sites where are their "best practices" restrictions?

      Let's place blame where it really belongs, OK?

      --
      It little behooves the best of us to comment on the rest of us.
    53. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      Wow, so you blame everyone except those with ultimate control over their security for Orwellian reasons ("wrong-think")?

      If that's the case that we can blame any random person however removed from the incident, then I blame you for encouraging people to become victims by expecting other people to protect them when that's demonstrably out of line with reality.

      Fool me once, shame on you. Fool me twice, shame on me.

      How many times have we been fooled here, again?

    54. Re:At the risk of blaming the victim... by nine-times · · Score: 1

      No sysadmin should allow a computer to harm someone.

      I think this statement indicates some kind of misunderstanding of security. A perfectly secure system that prevents any unauthorized access must also prevent authorized access. Any security model that prevents users from doing anything potentially harmful will also prevent users from doing anything useful.

      Everything else is compromise. How much are you willing to restrict a user's freedom, convenience, access, and power?

      Because if you give a user access to their own data, then you're also allowing for a social engineering attack where they hand over their own data. If you allow people to share their data, you open up the possibility that they will share data with someone who will abuse the data. Keep in mind, I'm not even talking about issues where there's a technical security exploit. Normal functionality constitutes a security hole.

    55. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      What part of targeted attack do you not understand? These were not brute force guesses. And Apple was one of many service providers from which these images originated.

    56. Re:At the risk of blaming the victim... by CaptainDork · · Score: 1

      The "all or nothing" approach is unnecessary.

      You know as well as I do that the system side of things is busted.

      Let's fix what we can, OK?

      --
      It little behooves the best of us to comment on the rest of us.
    57. Re:At the risk of blaming the victim... by nine-times · · Score: 1

      The "all or nothing" approach is unnecessary.

      when I had just said,

      Everything else is compromise.

      Obviously I'm advocating a balanced approach, and not an "all or nothing" approach.

      But I agree. The system is broken, and we should fix it -- not with stricter password requirements, but with a public key system. That will require developing standards and building infrastructure. Unfortunately, nobody is going to do that.

    58. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      iCloud in this case is like the sketchy alley that the local Commerce Bureau is trying to paint over as a nice part of town. What we need is better education of users and a little healthy skepticism regarding marketing claims.

      Better security server-side would be nice, but what we'll get is half-assed security marketed as Fort Knox.

    59. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      But Apple told them it is a completely safe thing to do, that they cannot be broken into. If one pays double the price of hardware for a certain logo, they are kind of vulnerable to being exploited by greedy and shameless companies anyway.

    60. Re:At the risk of blaming the victim... by Actually,+I+do+RTFA · · Score: 1

      In this case they did lock the gate, I assume. By which you mean use passwords.

      However, that doesn't help if the gate is set in a 4 foot high picket fence.

      --
      Your ad here. Ask me how!
    61. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      And yet so many people get their identities and money stolen because of the internet when companies get hacked into or they post to a different site due to phishing. Yes, anyone who puts their CC number into a system unaware of how it could affect them, especially into systems that STORE and KEEP your credit card number, is insane IMO.

      The other difference being, you can usually get your money back because it IS stolen. The people had their photos copied, and if I "copied" your money, and you still had it, you wouldn't complain 2 shits.

      If they had their photos printed out and someone broke into their house and took the photos, THAT would be theft.

      Personally, I wouldn't take naked photos with anything that is attached to the internet, only because COMMON SENSE dictates that once it's left MY devices, it's out of MY control.

      Seriously, does everyone trust every employee at these companies? Including the $5 an hour Apple "Geniuses"?

    62. Re:At the risk of blaming the victim... by Gerner · · Score: 1

      It is not as black and white as you are implying. There is always a risk vs. reward decision that needs to be made. I choose to use credit cards online, because the risk is low (especially knowing that the credit card companies will make me whole should bad stuff happen). I choose not to upload items that I don't want the world to see. This is because there is no one to make it better, if the worst should happen. You are saying that if you use a credit card online, then you should just store all of your personal secrets, information, evidence online also. That's just dumb, the risk is not the same.

    63. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      Wrong-think.

      If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.

      TANSTAAFL: security is a process that requires the participation of the secured to succeed. No system can be smarter than these celebs were stupid.

      Expecting security of your private parts from a radio broadcasting device is well past simply naive.

    64. Re:At the risk of blaming the victim... by Anonymous Coward · · Score: 0

      So if someone decides to get several handfuls of benjamins and pin them to their clothes then wander around the scuzzy parts of downtown, I should be sympathetic when they get mugged?

      It's all about RISK MANAGEMENT and they DIDN'T.

      You can get your balance credited after the fact, but you can't have the interwebs unsee your naughty bits! Your money and your integrity should never be confused with each other.

    65. Re:At the risk of blaming the victim... by jwhitener · · Score: 1

      If you don't want people stealing your money don't store money online. Don't use credit/debit cards, an online brokerage account, web access to your checking account, etc. If it's out there someone is going to steal it.

      Simple, no? Blame the victim all you want, but that line of thinking pretty quickly devolves into unplugging from the Internet and trying to pay your bills with physical cash.

      The only difference being, most of us are not celebrities. We have some security through obscurity. If I were an A-List celebrity, I would probably be more cautious than the average person.

    66. Re:At the risk of blaming the victim... by jwhitener · · Score: 1

      I agree with a lot of what you said.

      However, (not blaming the victims, I'm just surprised), I would think that celebrities would inherently try to be more secure than the average person. They have physical paparazzi chasing them all over town.... you'd think that would lead them to the conclusion that those same paparazzi (and hackers) are likely to be chasing them online as well.

      So it just continually surprises me that A-List stars with tons of money don't hire IT security specialists just like they probably hire physical bodyguards.

  6. Solution lies with users, not Apple by davidwr · · Score: 5, Interesting

    Well, mostly.

    What Apple can do is require 2-factor authentication.

    They can also provide individuals who want it - primarily high-profile individuals - stronger lock-downs such as only allowing registered devices to log in or require typing in a code that is texted to the person prior to completing the login, much like some banks already do.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Solution lies with users, not Apple by MickyTheIdiot · · Score: 4, Informative

      Yeah. They can do two factor auth. The key fob they sell will only cost $595 and work only with Safari.

    2. Re: Solution lies with users, not Apple by Anonymous Coward · · Score: 1

      What users can do is turn off the 'sync to the cloud' function.

      What vendors can do is stop setting up a slick greased trail so that the easy thing to do is click 'yeah, okay' when setting up a new device, and it syncs everything to 'the cloud.'

      And our job as regular people is to spread the word and encourage skepticism, so only the stupidest dolts continue to 'sync to the cloud.'

      The cloud concept can be killed with the proper buzz out there.

    3. Re:Solution lies with users, not Apple by ixs · · Score: 5, Interesting

      And I am sure you realize that the 2-factor authorization as currently designed and utilized by Apple only protects against your account data being used to purchase things from the AppStore and interact with your account.

      Details are at http://support.apple.com/kb/ht5570 and quoting from there:
      It requires you to verify your identity using one of your devices before you can take any of these actions:

      • Sign in to My Apple ID to manage your account
      • Make an iTunes, App Store, or iBooks Store purchase from a new device
      • Get Apple ID related support from Apple

      All iCloud communication is still unprotected. Bzzzzt. Neeext!

    4. Re:Solution lies with users, not Apple by Anonymous Coward · · Score: 0

      Relevant:

      http://lifehacker.com/iclouds-two-factor-authentication-doesnt-secure-your-ph-1630021133?utm_campaign=socialflow_lifehacker_facebook&utm_source=lifehacker_facebook&utm_medium=socialflow

    5. Re: Solution lies with users, not Apple by Drethon · · Score: 1

      Tried it a couple times on my non apple phone and it is still uploading. I just don't use a networked camera for anything I don't want anyone else to see.

    6. Re: Solution lies with users, not Apple by Ultra64 · · Score: 1

      so only the stupidest dolts continue to 'sync to the cloud.'

      And then your phone breaks and you lose all your data.

    7. Re: Solution lies with users, not Apple by Anonymous Coward · · Score: 0

      Or, like driving, we require a test to use the internet. I'm okay with something simple like having read at least 20 linux man pages, being able to work from a command line and move a few files around, using an FTP server for 3 file transfers, and maybe learning C enough that a person can store a string (char array) and display it to the user.

      Not really internet specific but a little computer intelligence goes a long way.

      Or, we just mass distribute t-shirts that say: "IF YOU DON'T WANT PEOPLE TO SEE IT, DON'T PUT IT ON THE INTERNET."

    8. Re:Solution lies with users, not Apple by Anonymous Coward · · Score: 0

      WOW authenticators do it for $8. Just make the Apple one solar powered and cost $29.95 and it will be "greatest security invention ever"

    9. Re: Solution lies with users, not Apple by CanHasDIY · · Score: 2

      so only the stupidest dolts continue to 'sync to the cloud.'

      And then your phone breaks and you lose all your data.

      Because there's no other options than "lose everything" or "put it all on someone else's computer?"

      I expect that sort of non-thinking response from the crowd over at Yahoo, but c'mon man - this is /., we expect more thinky from our community.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    10. Re:Solution lies with users, not Apple by kaiser423 · · Score: 1

      and like Google's 2FA already does. I love that thing. You have trusted devices/agents, but they also have some extra fun stuff in the background. A couple of times I've taken my trusted laptop that I don't have to enter the 2FA in but once a month to re-authorize it and had Google still prompt for a 2FA PIN because they noticed it coming from an untypical IP range or some other fuzzy metric that got high enough that they decided to proactively ask for a reauth.

      Makes me feel all warm, fuzzy and safe that even if someone steals a trusted device, there's a chance that they can't get in. Google really does security pretty well, not that they don't mess up like everyone else, but I've been pretty happy that they're obviously thinking it through and mitigating as many attack vectors as possible.

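The step-up logic the post above describes (a trusted device skips the second factor until its monthly trust expires, unless the login looks unusual for that device) sketched as an added example; this is constructed illustration code, not Google's or Apple's actual logic, and the risk weights, the 30-day trust lifetime and the sample networks are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical policy values (assumptions, not any vendor's real settings).
TRUST_LIFETIME = timedelta(days=30)   # how long a 2FA verification "sticks"
NEW_NETWORK_WEIGHT = 60               # device never seen on this network
ODD_HOUR_WEIGHT = 25                  # login outside the device's usual hours
STEP_UP_THRESHOLD = 50                # score at or above this forces a 2FA prompt


@dataclass
class TrustedDevice:
    device_id: str
    last_verified: str                       # ISO 8601 timestamp of last 2FA
    known_networks: list = field(default_factory=list)  # CIDRs seen before


def risk_score(device: TrustedDevice, client_ip: str, hour_of_day: int,
               usual_hours: range = range(7, 23)) -> int:
    """Additive risk heuristic: each unusual signal adds a fixed weight."""
    score = 0
    addr = ip_address(client_ip)
    if not any(addr in ip_network(net) for net in device.known_networks):
        score += NEW_NETWORK_WEIGHT
    if hour_of_day not in usual_hours:
        score += ODD_HOUR_WEIGHT
    return score


def requires_second_factor(device: TrustedDevice, client_ip: str,
                           now: str, hour_of_day: int) -> bool:
    """True when the session must complete a 2FA prompt before proceeding.

    The periodic re-authorization check runs first: an expired trust always
    prompts, regardless of how ordinary the login looks. Otherwise the
    fuzzy risk score decides, which is what catches a stolen trusted device
    being used from somewhere the owner never was."""
    last = datetime.fromisoformat(device.last_verified)
    if datetime.fromisoformat(now) - last > TRUST_LIFETIME:
        return True
    return risk_score(device, client_ip, hour_of_day) >= STEP_UP_THRESHOLD


if __name__ == "__main__":
    # Constructed sample device: verified on 2014-09-01 from a home network.
    laptop = TrustedDevice("laptop", "2014-09-01T09:00", ["198.51.100.0/24"])
    print(requires_second_factor(laptop, "198.51.100.7", "2014-09-10T12:00", 12))
    print(requires_second_factor(laptop, "203.0.113.9", "2014-09-10T12:00", 12))
```
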
    11. Re:Solution lies with users, not Apple by Hodr · · Score: 1

      You can buy RSA tokens, the same that governments and militaries around the world rely on, for $10 a piece.

    12. Re: Solution lies with users, not Apple by Ultra64 · · Score: 1

      Because there's no other options than "lose everything" or "put it all on someone else's computer?"

      Sometimes. Not everyone that has a smartphone also owns a computer.

    13. Re: Solution lies with users, not Apple by angel'o'sphere · · Score: 1

      Actually phone users that don't own a PC (or a Mac for that matter, if you don't count them as PCs) do exit.
      How do you backup your phone if you don't want to use a cloud and have no computer at home?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    14. Re:Solution lies with users, not Apple by Ksevio · · Score: 3, Informative

      You can use any phone with SMS support which seems pretty standard. Since people are typically syncing from their iPhones to the iCloud they usually have an iPhone, but it's possible to use a freebie 10 year old brick phone if you wanted.

    15. Re:Solution lies with users, not Apple by Tharkkun · · Score: 2

      You can buy RSA tokens, the same that governments and militaries around the world rely on, for $10 a piece.

      With an Apple logo stamped on them they will still be $595 like the above poster said.

    16. Re: Solution lies with users, not Apple by Tharkkun · · Score: 1

      so only the stupidest dolts continue to 'sync to the cloud.'

      And then your phone breaks and you lose all your data.

      Because there's no other options than "lose everything" or "put it all on someone else's computer?"

      I expect that sort of non-thinking response from the crowd over at Yahoo, but c'mon man - this is /., we expect more thinky from our community.

      By storing it digitally there's a chance it can be accessed either remotely or by having your property stolen. So the cloud is as good of a solution as any.

    17. Re: Solution lies with users, not Apple by CanHasDIY · · Score: 1

      Because there's no other options than "lose everything" or "put it all on someone else's computer?"

      Sometimes. Not everyone that has a smartphone also owns a computer.

      "Some people are idiots" doesn't mean other options don't exist.

      Yes, if you have a smartphone and no way to back it up locally, I am calling you an idiot. Enjoy it, that's not a term I bandy about lightly.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    18. Re: Solution lies with users, not Apple by Ultra64 · · Score: 1

      You must store your money under the mattress instead of in one of those "banks" that could be robbed at anytime, then.

      Right?

    19. Re: Solution lies with users, not Apple by CanHasDIY · · Score: 1

      Actually phone users that don't own a PC (or a Mac for that matter, if you don't count them as PCs) do exit.

      I presume that was supposed to be, "do exist."

      To which I say yes, idiots do in fact exist.

      How do you backup your phone if you don't want to use a cloud and have no computer at home?

      Get a frigging home computer - If you can afford a $600 phone, you can afford a $200 desktop to back it up with.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    20. Re: Solution lies with users, not Apple by CanHasDIY · · Score: 1

      so only the stupidest dolts continue to 'sync to the cloud.'

      And then your phone breaks and you lose all your data.

      Because there's no other options than "lose everything" or "put it all on someone else's computer?"

      I expect that sort of non-thinking response from the crowd over at Yahoo, but c'mon man - this is /., we expect more thinky from our community.

      By storing it digitally there's a chance it can be accessed either remotely or by having your property stolen. So the cloud is as good of a solution as any.

      "It could get stolen anyway" is probably the worst excuse for idiocy ever.

      That's like saying 'since lockpicks exist, you shouldn't bother locking your doors when you leave the house.'

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    21. Re: Solution lies with users, not Apple by CanHasDIY · · Score: 1

      "It could get stolen anyway" is probably the worst excuse for idiocy ever.

      ... after "for the children," of course.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    22. Re: Solution lies with users, not Apple by CanHasDIY · · Score: 1

      You must store your money under the mattress instead of in one of those "banks" that could be robbed at anytime, then.

      Right?

      Because cloud storage services have the exact same information storage and security standards as banks, right?

      False equivalence - stop using it.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    23. Re: Solution lies with users, not Apple by angel'o'sphere · · Score: 1

      Get a frigging home computer - If you can afford a $600 phone, you can afford a $200 desktop to back it up with.
      Ah, you are one of the brave souls that help your friends (for free?) to overcome every computer obstacle?
      Like explaining to your iPhone friend how to back up the phone on a Windows PC?
      Or how to back up the Android phone on a Linux box or on a Mac?
      I tip my hat; I only help very, very special friends with PC issues these days ... there are plenty of tortures I can imagine that are less painful than explaining to an iPhone owner with a freshly bought PC how backups work.

      My ex GF "lost all data" when she plugged in a new iPhone and overwrote its new pictures collected during the previous two months. "You never connected this phone to your Mac. Do you want to install the backup of the previous phone?" (yes) (no).
      Guess what she clicked ... guess the tears later. Guess the "how the fuck should I know what a back up is?" screams?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    24. Re: Solution lies with users, not Apple by CanHasDIY · · Score: 1

      Ah, you are one of the brave souls that help your friends (for free?) to overcome every computer obstacle?

      Yup; what are friends for?

      Or how to back up the Android phone on a Linux box or on a Mac?
      I tip my hat; I only help very, very special friends with PC issues these days ... there are plenty of tortures I can imagine that are less painful than explaining to an iPhone owner with a freshly bought PC how backups work.

      OK, so your computer skills and Google-fu are weak. What, precisely, does that have to do with my statement that if you can afford a $600 phone, you can afford a $200 computer to back it up with?

      My ex GF "lost all data" when she plugged in a new iPhone and overwrote its new pictures collected during the previous two months. "You never connected this phone to your Mac. Do you want to install the backup of the previous phone?" (yes) (no).
      Guess what she clicked ... guess the tears later. Guess the "how the fuck should I know what a back up is?" screams?

      Because "backup" is a new word that hasn't been around since before any of us were born, right?

      I really fail to see what your point is - are you saying that because you have no computer skills, and your former girlfriend doesn't know how to find and read instructions, cloud storage is the only option? Because that sounds idiotic.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    25. Re:Solution lies with users, not Apple by Anonymous Coward · · Score: 0

      Sadly hackers seem to be able to make a copy of the database containing the serial number/key combination from RSA. A database that should not have been in the possession of RSA in the first place.

    26. Re:Solution lies with users, not Apple by Anonymous Coward · · Score: 0

      If you are a developer; please never implement SMS two factor authentication. It has been proven that the system is insecure and criminals have already taken advantage of SMS two factor authentication. The problem is that GSM is not secure enough and it is easy to redirect an SMS to another phone.

    27. Re: Solution lies with users, not Apple by Cro+Magnon · · Score: 1

      Some of the banks require easier passwords than cloud storage services. One of my banks used to prohibit special characters, and I've heard of banks that limit password length.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    28. Re: Solution lies with users, not Apple by CanHasDIY · · Score: 1

      Some of the banks require easier passwords than cloud storage services. One of my banks used to prohibit special characters, and I've heard of banks that limit password length.

      My bank used to have an 8-12 character limit on passwords, but they've always used 2-factor authentication.

      YMMV, but my general point is that computer storage systems at banks have to be PCI compliant, whereas cloud storage, not so much.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    29. Re: Solution lies with users, not Apple by angel'o'sphere · · Score: 1

      The point is not 'afford'; the point is:
      a) wanting one
      b) learning how to use it
      c) not messing up anyway (by either not doing backups regularly enough, or losing the backups etc. etc.)
      d) likely needing an extra internet connection for the PC when they think their iPhone or iPad is enough (you could tether with the iPhone, but can't with the iPad)

      Yes, backup is a new word if you are not a native English speaker and not a pro computer user.

      Hint, my GF is a user (close to a loser regarding PCs), she is Armenian, born in Turkey and raised in Germany, living in France, using a Mac with French keyboard settings but German UI. And yes, in German we mostly say 'backup', at least as a 'programmer'. I doubt the word 'Sicherheitskopie' would have prevented her from overwriting the content of the iPhone (and also *I* find it strange that in case of playing in 'old data' on an obviously used phone, the new pictures on the phone get deleted. It is a bit counterintuitive, even for a coder. That is why I don't use the 'restore from backup' function but play back data manually)

      Regarding your or my Google-fu ... no, I google in English so I find enough help to solve problems people would not have if they used a decent operating system. I decided 15 years ago to stop helping to fix Windows. Now most of my friends have Macs or Linux, so if they are in trouble now, I know it is serious and then ofc I help ...

      But a Windows 2000 machine that stops during booting because it can not find its domain controller ... and after fixing it, a few weeks or months later the same problem shows up: nope. (Hint: the machine never had a domain controller. Worked for years perfectly, suddenly it started with this misbehaviour ... was my last fixing nightmare ;) )

      So, you missed all the points I made? Or do you just like to annoy other people by proclaiming them incompetent? (Also I doubt you get a PC + Screen + Keyboard + Mouse for $200 ... but no need to show me otherwise, I'm not interested in PCs anyway ;) )

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    30. Re: Solution lies with users, not Apple by CanHasDIY · · Score: 1

      I think you missed my point: the initial discussion was whether or not there are options for backups other than "none" or "the cloud," to which I pointed out yes, there are indeed other options.

      Then, you got off on some barely related tangent, and shit digressed from there.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    31. Re: Solution lies with users, not Apple by angel'o'sphere · · Score: 1

      No, it is the other way around.
      You missed my point.

      There are iPhone users who have no PCs ... or simply don't figure they could use their PC.

      You went ballistic and argued: if they are so rich, why don't they buy one? I told you: that is for many reasons not really an option.

      There never was a question whether there are other options. You created that question; I believe Americans call that a 'straw man'? So it was not the initial discussion. You answered to my post where I pointed out that iCloud backups are activated by default and that IMHO many users don't know that ... and don't think about backups anyway.

      My backups are on my Mac ofc ... I only 'synch' address books etc. via the cloud.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    32. Re:Solution lies with users, not Apple by Anonymous Coward · · Score: 0

      As I recall, Two factor auth isn't implemented with the find phone feature because... well, you can't exactly use a text message on a phone you don't have. This was one of the things that was brought up when the community thought (and I personally still believe, as nothing that comes out of their mouths has been true in a long time) the found phone feature was the weak point.

      As such, two factor auth as it's implemented is pointless.

    33. Re: Solution lies with users, not Apple by Anonymous Coward · · Score: 0

      SD card and / or USB host mode to another tablet / device (see Carbon on Google Play).

      Seems pretty easy to me.

      OH WAIT, they don't have either of those, do they?

    34. Re: Solution lies with users, not Apple by CanHasDIY · · Score: 1

      No, it is the other way around.
      You missed my point.

      You responded to me, fuckwit. I don't care what your point is, because it's completely non sequitur to the discussion I was trying to have when you derailed me with your idiotic, juvenile nonsense.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
  7. No surprise here by qbast · · Score: 2

    It is not like they would admit to getting hacked if they can shift the blame to the user. And let's not forget that probably half of the NSA was fapping to these pictures.

    1. Re:No surprise here by AmiMoJo · · Score: 5, Insightful

      Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.

      I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:No surprise here by Anonymous Coward · · Score: 0

      There are a lot of people out there holding it wrong thanks to Apple now.

    3. Re:No surprise here by Anonymous Coward · · Score: 0

      So what you're saying is, Apple denies that the problem exists, but then acknowledges the problem exists through their actions.

      So what action have they taken that acknowledges this problem exists?

      None?

      How's that apple hate working out for you, stupid?

    4. Re:No surprise here by nine-times · · Score: 4, Informative

      There's no real reason to think that Apple is at fault here, or even that all of the photos came from compromised accounts on iCloud. The rumor going around last I saw was that this was a collection that was acquired over several years, contributed by many different people who acquired the photos from many different accounts that were attacked in many different ways. It wasn't gathered all at once from a single attack on iCloud. It was just leaked all at once.

      I have no evidence of that-- just the rumor I've seen on a couple different sites-- but it makes more sense than a massive iCloud hack that scooped up all of these photos at once.

    5. Re:No surprise here by rogoshen1 · · Score: 2

      Yar, from what I've heard there is basically an underground ring that trades in these sorts of things -- not too dissimilar from the 'carding' groups. And, many different sources makes sense. File names in particular -- some are time stamps, others random characters. Pictures taken with a variety of phones (not all of which were iPhones, etc.).

    6. Re:No surprise here by AmiMoJo · · Score: 1

      TFA says that people on anon-ib have been openly talking about using the two tools mentioned to break in to iCloud accounts by first guessing the password and then pretending to be an iOS device to harvest as much data as possible. The flaws that allow this are unique to iCloud.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:No surprise here by Anonymous Coward · · Score: 0

      My experience with Apple is that they pay up when they have a defect. Sorry that they're not getting your approval but I've had out of warranty items from Apple that got warranty service without me even asking about it. That's part of what will keep me with Apple for some time to come.

      Given that this is Slashdot you could probably have claimed that Steve Jobs was the mastermind behind the Holocaust and gotten modded up for it.

    8. Re:No surprise here by nine-times · · Score: 1

      TFA indicates that people were discussing hacking tools on one of the same websites where people were talking about the leaks. There were early rumors that this hack (or some similar hack) was exploited to get access to all kinds of information on iCloud, and that a lot of data gathered from the attack was then quickly released.

      After investigating these early rumors, more information came out (both reliable information and unreliable rumors) that indicates that while *some* of the photos seem to have come from iCloud, they were probably not acquired through this hack. The photos most likely represent a collection that has been in existence for some time already, gathered from various sources. The fact that the collection was leaked around the same time as an iCloud exploit was discovered is likely to be a coincidence.

      Now, enough of this is still rumor and conjecture, but the more recent explanation seems more likely.

    9. Re:No surprise here by Tharkkun · · Score: 1

      Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.

      I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.

      You forget Apple maps. :)

    10. Re:No surprise here by Anonymous Coward · · Score: 0

      Yes, yes there is. What you are hearing from Apple is the usual spin that is "technically true, but worded in such a way that people will come to the wrong assumption because of what you are leaving out." See General Alexander et al speaking about the NSA's practices before congress.

      The rumor stuff is just rumor stuff where a few random people are talking on a board, but there are a lot of things we know. There are entire boards devoted to iCloud hacking, for several reasons:

      1. Apple was not rate-limiting access attempts, not locking out repeated bad attempts. This meant if you had the email address (which you could help find by trying to setup an account and seeing if it was taken) you could run automated tools to bang password after password a million times until you got in. This was finally fixed right after the hacks, when iBrute started only giving you 5 attempts.

      2. Apple generally defaults to syncing your stuff into iCloud automatically, especially anything added to iPhoto. Many people simply aren't aware this is happening, after all with DropBox you have to go through a whole setup thing.

      3. There are forensic tools used by the police that have cracked versions available for the public on torrents that instead of just grabbing some picture rolls grab every bit of data synced by pretending to be an iPhone grabbing everything again. This makes grabbing it all much easier and more automated, and is partially why you saw random dropbox files and other stuff included in some of them.

      Quite honestly, the iCloud rate limiting and other stuff has been known for *ages* -- Google the researchers who basically said they were able to unlock 750 phones an hour based on an iCloud vulnerability that they notified Apple of -- which I believe was the lack of rate limiting. Apple simply ignored it, let alone what happened in Australia recently with people having their phones locked up for ransom. Apple simply has never been great at this stuff, and we've gone through so many iterations of it from eworld to .mac to ping to .me...

    11. Re:No surprise here by Anonymous Coward · · Score: 0

      > It wasn't gathered all at once from a single attack on iCloud. It was just leaked all at once.

      That much is true, but there were a lot of things about iCloud that made it an attractive and easy target. In particular, they made it easy to find or guess valid accounts, in addition to the part I don't really blame them for, where they automatically synched the pictures, meaning that they had tons of great data.

    12. Re:No surprise here by Anonymous Coward · · Score: 0

      And you think that nobody would have leaked any of these pictures the first chance they got, obscuring where they may have gotten the picture from and / or sold them to tabloids for several hundred dollars?

      Dumb rumour is dumb.

    13. Re:No surprise here by Anonymous Coward · · Score: 0

      This is correct. Having seen a version of the distributed files, it's a random assortment which may or may not be catalogued in any particular way, with fairly random file naming conventions, and sometimes duplicates. A few of the images were named to indicate that the subject was unidentified. There were even images that were not taken from subjects' phones, but were instead pulled from released paparazzo photos online. Apple is still covering for the inattention to iCloud vulnerabilities, but the media and people on 4chan incorrectly stated that there was a sudden mass attack on iCloud in order to get these images. Again, the naming conventions of the files and the presence of web images proves that these weren't collected in one attack.

  8. Re:This is also how Sarah Palin's email got "hacke by CaptainDork · · Score: 1

    The advice from people like you and me is to lie like hell.

    --
    It little behooves the best of us to comment on the rest of us.
  9. Re:This is also how Sarah Palin's email got "hacke by i+kan+reed · · Score: 2, Funny

    Sarah Palin has proven to be good at that.

    BOOM politics slam.

  10. Our dumb users are holding it wrong! by NotDrWho · · Score: 5, Funny

    It's THEIR fault. Apple MAKES NO MISTAKES!!!

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  11. Find My Friends password flaw by Noah+Haders · · Score: 5, Interesting
    You know, I'm really annoyed at Apple about this. They say that iCloud wasn't breached and it was a targeted account attack with weak passwords. But on Monday (the day after the pics were posted) they patched a flaw in Find My Friends where the account would be vulnerable to a dictionary attack:

    The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely. A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News. Apple patched the service at 3.20am PT today. While it's possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.

    http://9to5mac.com/2014/09/01/...

    so there was no icloud breach, but there was a bug that enabled a brute force attack. It's not known that this exploit was used on the celebrities, but a tool that exploits this bug was recently posted. Ok...

    also, super unclassy for Apple to blame the victim, especially when these types of weaknesses are buried in their code.

    1. Re:Find My Friends password flaw by Wulfstan · · Score: 1

      Yes, and I just don't believe them. It's super-bad press for them a week before they release their new device.

      The core problem is that in order to improve iCloud use they have actively encouraged users during the signup process to enable iCloud syncing - and default settings push all of your photos, docs and data. For a time-pressed celeb who may not be that tech savvy this is just asking for trouble.

      I'm a bit surprised by the number of people who send around naked photos of themselves though. I must be in the prurient minority.

      --
      --- Nick, hard at work :->
    2. Re:Find My Friends password flaw by Wulfstan · · Score: 1

      Not prurient. Whatever the opposite is.

      --
      --- Nick, hard at work :->
    3. Re:Find My Friends password flaw by Anubis+IV · · Score: 4, Informative

      It's not known that this exploit was used on the celebrities

      The pics were apparently circulating over a week ago in some parts of the Internet, and were, by all indications, collected over the course of several months from a variety of sources (i.e. not all of the celebrities are in the Apple ecosystem; a number of them use Android). The "iBrute" exploit code didn't become available until earlier this week.

      There's actually a fairly detailed breakdown of this and similar attacks already available, most of which rely on various social engineering techniques, basic detective work, or turning (ex-)friends of the celebrities against them to get malware installed or procure more intimate information (sometimes in exchange for receiving their own copies of the pics).

      Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.

    4. Re:Find My Friends password flaw by Noah+Haders · · Score: 1

      he's thinking prudish.

    5. Re:Find My Friends password flaw by Anonymous Coward · · Score: 0

      also, super unclassy for Apple to blame the victim, especially when these types of weaknesses are buried in their code.

      it's not their code, it's their systems. Salting pre-hash values? Rate-limiting requests? Lockout after > 10 incorrect attempts?

      These are system design issues, not coding issues ... although they can't get the code right, either (see also: "goto fail")

    6. Re:Find My Friends password flaw by Noah+Haders · · Score: 1

      Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.

      WaPo article "Apple then goes on to offer some security suggestions for iCloud users who might be confused about how to protect themselves. The subtext is clear: If there's anything wrong here, it's in the way that individual users secured their accounts."

      Apple press release: "To protect against this type of attack, we advise all users to always use a strong password".

      read different things into it, but the fact remains: human beings suck at passwords. we have sucked at passwords for 30 years, and we will continue to suck at passwords. There has been enormous effort to get people to be better about passwords. As a result, the most popular password is no longer "12345" - it's now "123456".

      considering this, all software makers need to recognize that they have a much greater burden to create a security solution that people don't suck at. Apple did that with the touch id thing. brilliant and simple. until software makers (including apple themselves) take more responsibility, they will continue to get owned (yes the user gets hacked, but the reputation of the software suffers too).

      a bright spot: in ios8 apple is supposed to open up touch ID so it can be used for things other than the phone unlock. there are a whole host of dangers with touch id, but at least it solves the weak password issue.

    7. Re:Find My Friends password flaw by m00sh · · Score: 1

      The "iBrute" exploit code didn't become available until earlier this week.

      The iBrute was just an open source project to exploit this. Before that there were many people offering tools to break iCloud. Do a search and you'll see results from May 2014 about the bug.

  12. Top Dude of Master Bunny by Anonymous Coward · · Score: 0

    The goals of apple are to subtivate and motivate the audience. Since Steve Jobs died there have been changes in the industry of the goals we would provide. The difference is that the motivation for the audience has become more subdued some would say due to changes like these. If you look at the general goals of organizations like Compcost you notice instantly that the whole worker's compensation issue is basically directly related to general issues of this nature. The goal then of the general public should be to motivate these people and not change on general topics. We are hoping that each person would identify with their goals. The basic premise of motivation is not subliminal or hierarichal but instead a motivation aspect of topic. Do not change the topic, rather find the heirarchy of need of each subject. Maslow was not entirely incorrect.

    http://www.samefacts.com/2010/09/health-medicine/what-abraham-maslow-got-wrong-about-the-limits-of-science-and-psychological-knowledge/

    That pretty much explains it.

  13. Re:This is also how Sarah Palin's email got by Anonymous Coward · · Score: 1

    I always do the SHA1 of the answer..

  14. Re:Of course... by NotDrWho · · Score: 4, Funny

    "Your Holiness, people are accusing our priests of molesting their children!"

    "My son, send out a missive immediately--chastising the parishioners for letting their children seduce our priests."

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  15. Ummmm by Chewbacon · · Score: 2

    I thought Find My iPhone didn't lock accounts after too many failed logins? This was discussed in many twitter conversations yesterday and how the script used no longer works since apple updated the system. I call that a failure in Apple's security. Who the hell forgets to put in that kind of fail safe anymore?

    --
    Chewbacon
    The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    1. Re:Ummmm by mean+pun · · Score: 2

      I thought Find My iPhone didn't lock accounts after too many failed logins? This was discussed in many twitter conversations yesterday and how the script used no longer works since apple updated the system. I call that a failure in Apple's security. Who the hell forgets to put in that kind of fail safe anymore?

      As far as I know, the only website that I use that enforces such a limit is my bank, and even there I think it is heavy-handed. They could just block you for an hour after three failed attempts, or make the time exponential, or something.

      Logging in to FMi will be a relatively slow process anyway. A full brute-force attempt is extremely unlikely to succeed, so scripting only makes sense if the attacker knows at least some of the password. That is, if you want to try if one of 'fido1' to 'fido9999' is the right password, you may succeed. Beyond that the search will quickly require too much time.

      It is good they plugged the hole, but I hardly consider this an epic failure. Sometimes I think people are just searching for things to grumble at, and the big players, be they Apple, Google, Microsoft, or whatever, are held to impossibly strict standards.

    2. Re:Ummmm by Just+Some+Guy · · Score: 1

      I thought Find My iPhone didn't lock accounts after too many failed logins? [...] I call that a failure in Apple's security.

      I call that a way to keep the guy who stole my phone from being able to DOS my attempts to find it afterward.

      Or not. Maybe it was just an oversight. But you're making the common mistake of assuming that the requirement you care about is the only one that the designer should have cared about.

      --
      Dewey, what part of this looks like authorities should be involved?
    3. Re:Ummmm by Anonymous Coward · · Score: 0

      Notice Google didn't have this problem?

      All of their logins effectively redirect to the same page and are:
      1) rate limited
      2) location limited (if you're in US and then China, it will ask you to verify using pre-supplied information / text / call / etc).
      3) have 2 factor authentication

  16. Solution lies with users, not Apple by Anonymous Coward · · Score: 0

    They already offer two factor authentication. I have it enabled on my account.

  17. I don't get it by pem · · Score: 1
    Good security doesn't depend on protocol secrecy.

    How the heck does it matter if Apple works with elcomsoft or not? If reverse-engineering a protocol is all it takes to jeopardize users' data, it's security-by-obscurity in the best case.

  18. Not just public figures by mozumder · · Score: 5, Interesting

    Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

    Modern social media can also be used to identify personal information of regular people.

    If you look at the anon-in.com logs where they operate, you can see hackers asking each other "What car is this?" with posts of random hot girls cars that they collected from Facebook or wherever. They then use this to break the iCloud security questions for said hot girls and get their nudes.

    Also, you don't even need social media accounts to be targeted via social media. Just having friends that post pics with your bits of identifying info is enough.

    1. Re:Not just public figures by i+kan+reed · · Score: 1

      You're clearly arguing that the best solution is to have no friends.

      (Also how did you get Karma so bad that you're lower than ACs?)

    2. Re:Not just public figures by Cro+Magnon · · Score: 1, Interesting

      My first pet predated social media, and there are no online pics of it. There's probably 2 people who could guess that one, and I'm not worried about either of them cracking my accounts.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    3. Re:Not just public figures by gtall · · Score: 1

      If you are a celebrity, every douche and their brother's dog is going to be looking for nude photos. Don't take them, instead populate your collections with variations on goatse, it will maim the perps for life.

    4. Re:Not just public figures by AmiMoJo · · Score: 1

      How likely is it that the pet's name is on a list of pet names that brute force crackers use?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Not just public figures by Charliemopps · · Score: 1

      My first pet predated social media, and there are no online pics of it. There's probably 2 people who could guess that one, and I'm not worried about either of them cracking my accounts.

      Most of the time the attacker is your spouse. Would your wife know?

      My answers to security questions are always as many characters of gibberish as it will allow.

    6. Re:Not just public figures by Anonymous Coward · · Score: 0

      Crap, now I'm going to have to rename my dog. :(

    7. Re:Not just public figures by Noah+Haders · · Score: 1

      My first pet predated social media, and there are no online pics of it. There's probably 2 people who could guess that one, and I'm not worried about either of them cracking my accounts.

      Most of the time the attacker is your spouse. Would your wife know?

      My answers to security questions are always as many characters of gibberish as it will allow.

      I agree. My spouse is my greatest enemy.

    8. Re:Not just public figures by synapse7 · · Score: 1

      If you have friends what the fuck are you doing posting here? Liar!!

    9. Re:Not just public figures by chihowa · · Score: 1

      Your first pet's name is also known to every site that used that as a security question. You don't keep stuff like that confidential by telling it to anyone who asks.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  19. In combination with an accurate summary ... by Wrath0fb0b · · Score: 1

    In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim's iPhone and download its full backup rather than the more limited data accessible on iCloud.com.

    So basically, in combination with your password, this tool lets you access resources secured by your password. Amazing! Next up you'll tell me there's a tool that lets you open my front door in combination with a copy of my house key!

    Let's put this another way -- you tell some /.er that he can buy a new iPhone, enter his password and immediately restore from an iCloud backup. Logically then, we expect that he understands that the password controls access to the backup, since the only thing he needed to provide was that password.

    1. Re:In combination with an accurate summary ... by St.Creed · · Score: 1

      Not "your password" but "any password".

      Using the correct answer to a security question, you can reset the password for the backup. After that, you can download it and then apply the password you just entered. So the security is as strong as the weakest link, in this case still most likely the security questions.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  20. Isnt it weird? by drake2k · · Score: 2

    That we use secure 2 factor authentication for our World of Warcraft accounts but we don't for important stuff like iCloud stored nudies?

    1. Re:Isnt it weird? by Anonymous Coward · · Score: 1

      Not really. People with World of Warcraft accounts don't have iCloud stored nudies.

    2. Re:Isnt it weird? by Anonymous Coward · · Score: 0

      Not really. People with World of Warcraft accounts don't have iCloud stored nudies.

      They do have nudies, but nobody wants to see them.

    3. Re:Isnt it weird? by Anonymous Coward · · Score: 0

      Different audiences. The nerds playing WoW understand the value of 2-factor auth. The people having sex that are storing nudies in iCloud don't understand. These two segments of the market are ENTIRELY different, so it's not weird or surprising at all.

      You're like a bird looking at a fish and going, "No feathers. Less wingspan than a sparrow. Lame."

    4. Re:Isnt it weird? by kruach+aum · · Score: 1

      And that's why birds eat fish. How many fish eat birds?

    5. Re:Isnt it weird? by angel'o'sphere · · Score: 1

      Catfish and sharks do ... perhaps a few more that I'm not aware of.
      Erm, but that was not a serious question, or was it?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    6. Re:Isnt it weird? by rHBa · · Score: 1

      Not many but there are some!

    7. Re:Isnt it weird? by m00sh · · Score: 1

      Not really. People with World of Warcraft accounts don't have iCloud stored nudies.

      They do have nudies, but nobody wants to see them.

      Or if you ask them, they'll send you the nudies all day.

  21. Re:This is also how Sarah Palin's email got "hacke by Anonymous Coward · · Score: 1

    Security questions work really well, you just have to fill them out creatively.

    Mother's maiden name:
    The moon is a mysterious mistress

    Name of your pet:
    I move like night from land to land

    Childhood home address:
    'Tis the Moor! I know him by his trumpet

    No-one is gonna guess that shit because there's no link between question and answer.

  22. Re:This is also how Sarah Palin's email got "hacke by Registered+Coward+v2 · · Score: 1

    Remember 2008? Some random douche on 4chan just looked up her dog's name?

    Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

    More to the point why does anybody use real information for security questions? As long as I can remember the answer the accuracy is irrelevant. Same with birthdays. If I decide some random date is my birthday it makes it a lot harder to guess.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  23. Don't trust cloud with your personal stuff by Anonymous Coward · · Score: 0

    I doubt many people focus on creating good passwords. Nobody said stars were any more intelligent than the rest of us. Note to self, don't store any really sensitive stuff on a cloud storage solution. Unless you have half a wit to create a strong password and change it often. Don't blame everyone else for being lax when you yourself are. Put your very private and sensitive information on a local storage device. Preferably encrypted and stored in a safe place. The cloud is about as secure as your password is. That is the only thing standing between your information and the hackers.

  24. Re:This is also how Sarah Palin's email got by Anonymous Coward · · Score: 0

    SHA-1 is compromised. See: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

    Use Skein.

    ...amateurs

  25. Re:This is also how Sarah Palin's email got "hacke by Cro+Magnon · · Score: 5, Informative

    Because it's easier to remember the truth than a lie.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  26. Re:This is also how Sarah Palin's email got "hacke by kruach+aum · · Score: 0

    If that were true there would be no religions or climate change deniers, they'd all be forgotten.

  27. Brute Force Protection by brunes69 · · Score: 2

    If your system does not offer any kind of brute force protection mechanism at all, which Find My iPhone does not seem to have based on my readings, then your system is broken by design. Brute force protections like "only allow 10 login attempts within 5 minutes, and then block that IP from all login attempts for 30 minutes" are so trivial to implement that they should be part of any authentication system.
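What the rule above, the AC's first point about iCloud not rate-limiting or locking out, mean pun's "exponential" lockout suggestion and Just Some Guy's worry about a thief locking the owner out look like together in one endpoint, as an added example (not Apple's code, not anything from the thread): a per-IP sliding window that blocks the source for 30 minutes after 10 attempts in 5 minutes, plus a short per-account lockout that doubles with every further failure, so the account owner is inconvenienced for a minute rather than denied service. The user table, IP addresses, wordlist and the clock are constructed for the demo; the password hash is a placeholder for a real salted KDF.

```python
"""Login throttling: per-IP sliding-window limit plus escalating per-account lockout.
Added example, not code from Apple or from any commenter. Users, IPs, the wordlist
and the clock are constructed so the run is deterministic and offline."""
import hashlib
import hmac
from collections import defaultdict, deque

WINDOW = 300            # per-IP sliding window, seconds (the "10 in 5 minutes" rule)
IP_LIMIT = 10           # attempts allowed per IP inside WINDOW
IP_BLOCK = 1800         # block an offending IP for 30 minutes
FAILS_BEFORE_LOCK = 3   # per-account failures before the first lockout
BASE_LOCK = 60          # first lockout length; doubles on every further failure


class FakeClock:
    """Deterministic stand-in for time.time()."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def toy_hash(password):
    # Demo only: a real system stores a salted, slow KDF (bcrypt/scrypt/Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


class LoginGuard:
    def __init__(self, users, clock):
        self.users = users                      # {username: toy_hash(password)}
        self.clock = clock
        self.ip_hits = defaultdict(deque)       # ip -> timestamps inside WINDOW
        self.ip_blocked_until = {}
        self.acct_fails = defaultdict(int)
        self.acct_locked_until = {}

    def _password_ok(self, user, password):
        stored = self.users.get(user)
        # Always run the comparison so an unknown username costs the same time and
        # yields the same verdict as a wrong password: no enumeration via the login form.
        match = hmac.compare_digest(toy_hash(password), stored or "0" * 64)
        return match and stored is not None

    def attempt(self, ip, user, password):
        now = self.clock()
        if self.ip_blocked_until.get(ip, 0) > now:
            return "blocked_ip"
        hits = self.ip_hits[ip]
        while hits and hits[0] <= now - WINDOW:     # drop hits older than WINDOW
            hits.popleft()
        hits.append(now)
        if len(hits) > IP_LIMIT:
            self.ip_blocked_until[ip] = now + IP_BLOCK
            hits.clear()
            return "blocked_ip"
        if self.acct_locked_until.get(user, 0) > now:
            return "locked"          # same answer whether or not the password was right
        if self._password_ok(user, password):
            self.acct_fails[user] = 0
            return "ok"
        self.acct_fails[user] += 1
        n = self.acct_fails[user]
        if n >= FAILS_BEFORE_LOCK:
            self.acct_locked_until[user] = now + BASE_LOCK * 2 ** (n - FAILS_BEFORE_LOCK)
        return "denied"


def run_dictionary_attack(guard, clock, ip, user, wordlist, seconds_between=1):
    """Count the verdicts an attacker sees. Only 'ok'/'denied' say anything
    about the password; 'locked' and 'blocked_ip' are dead guesses."""
    counts = defaultdict(int)
    for guess in wordlist:
        counts[guard.attempt(ip, user, guess)] += 1
        clock.advance(seconds_between)
    return dict(counts)


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard({"victim": toy_hash("correct horse battery")}, clock)
    wordlist = [f"password{i}" for i in range(1000)]          # constructed guesses
    print(run_dictionary_attack(guard, clock, "203.0.113.7", "victim", wordlist))
    # → {'denied': 3, 'locked': 7, 'blocked_ip': 990}
    print(guard.attempt("198.51.100.4", "victim", "correct horse battery"))   # → ok
```

Of 1000 guesses only the first three get a real verdict; the account lock is over within a minute, so the legitimate owner logging in from another address afterwards succeeds, while the attacker's address stays blocked. An attacker with many addresses defeats the per-IP part, which is why the per-account lockout is there as well; tune its escalation, not its existence, for the lockout-as-DoS concern.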

  28. I honestly don't get it... by fuzzyfuzzyfungus · · Score: 5, Interesting

    Apple obviously wants iCloud and your ITMS credentials to be the iGateway to your life and all your devices and whatnot. They also emphasize security, elegance, and ease of use in their advertising, and cater to a relatively upmarket audience, for the most part.

    Why, then, can you not even buy any serious security? Yes, they have 'two factor authentication', of the kind where you have a username, password, and they send you a temporary PIN to one of your devices; but money simply cannot buy a certificate authentication mechanism. Nor an RSA-fob or equivalent. Hell, your WoW character can be protected by a hardware auth fob; but your entire iLife can't?

    In the end(while it may well be true) Apple's insistence that the hack was based on guessing/gaining user credentials, rather than attacking Apple code, just doesn't matter. User credentials are always fairly vulnerable. If they want people to put their life 'in the cloud', they are going to have to do better than that(especially if they want celebrity users, since that's a userbase that more or less automatically includes insane stalkers).

    1. Re:I honestly don't get it... by robstout · · Score: 3, Interesting

      I think the issue is that security isn't pretty, and Apple wants pretty. Look at the two-factor authentication. Having to wait until a PIN is sent to you before you can access whatever? That isn't elegant at all (from Apple's POV. It removes the one click convenience.). Personally, I'd rather have the security, but I'm a geek, like most people on Slashdot.

    2. Re:I honestly don't get it... by kaiser423 · · Score: 1

      Why does a PIN have to be sent to you? I have plenty of RSA, Google Authenticator, and other FOB apps on my phone/tablets that I just punch a PIN in for and get my 2FA out of.

      That said, it would be great for Android/Apple/whomever to introduce a security API that let webpages and other apps request PINs from other installed apps (provided the user authenticates properly) so that you don't have to hop apps. Would be like another password, but one that requires a shared secret that's only on that phone/hardware device. Heck, even have a "simple" version and call it 1.5FA where it just hashes with a shared secret that you have to put on every device the first time you login and then use 2FA for untrusted devices.
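The "FOB app" scheme kaiser423 describes, where nothing is sent to the phone and the code is computed from a shared secret that was placed on the device once, is HOTP (RFC 4226) and its time-based form TOTP (RFC 6238). The following is an added example, not code from Google, Apple or any commenter: the generator the app runs, the enrollment URI it scans, and the verifier a server would use, which tolerates one step of clock drift and refuses to accept a code a second time. The secret and timestamps used are the RFC test vectors, not real credentials.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as used by Google Authenticator-style apps.
Added example, not code from any vendor or commenter. SECRET below is the RFC test
vector, not a real credential."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """Dynamic truncation of HMAC(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """HOTP with the counter set to the current 30-second time step."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits, algo)


def provisioning_uri(issuer, account, secret):
    """The otpauth:// URI an authenticator app scans (as a QR code) when enrolling.
    This is the one moment the shared secret leaves the server."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


class TotpVerifier:
    """Server side: accept the current step plus/minus `window` steps of drift,
    and never accept a step at or before the last one already used (replay)."""
    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1

    def verify(self, code, at=None):
        now_step = int(time.time() if at is None else at) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = now_step + delta
            if candidate <= self.last_step:
                continue              # already used, or older than a used code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"                 # RFC 6238 test secret
    print(provisioning_uri("Example", "alice", SECRET))
    print(totp(SECRET, at=59, digits=8))             # → 94287082 (RFC 6238 vector)
    v = TotpVerifier(SECRET)
    code = totp(SECRET, at=1000000000)
    print(v.verify(code, at=1000000000), v.verify(code, at=1000000000))   # → True False
```

The verifier still needs the same brute-force throttling as a password: six digits with a three-step window is roughly one chance in 333,000 per guess, which an unthrottled endpoint turns into a few hours of scripting. The replay check is what makes a phished code worthless after the victim has used it once.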

    3. Re:I honestly don't get it... by Rich0 · · Score: 1

      Yeah, but that Google authenticator app is a two-edged sword. I just upgraded my android phone the other day and realized that I lost all my two-factor credentials. Granted, I could have created new ones, but it was easier to do a TitaniumBackup restore of the application (which otherwise does not let you export your credentials - I get the security implications but it isn't like the credentials aren't copyable anyway and I'd rather have a backup).

    4. Re:I honestly don't get it... by fuzzyfuzzyfungus · · Score: 1

      Does the behavior of the 'authenticator' app differ depending on whether the device has a hardware-backed keystore or not?

      Uptake on such hardware is rather patchy(more likely on newer gear; but hardly assured), so I assume that there is a software-based fallback that just obfuscates the keystore as nicely as possible; but if the application were talking to an actual hardware keystore device, Titanium backup(or equivalent) would have absolutely no effect); but updating the application(or even switching to an entirely new one, in some cases) should be doable without losing anything.

      Android key handling is an area I really haven't poked at all, so I know little about it; but I'd be interested to know how it is supposed to work.

    5. Re:I honestly don't get it... by Rich0 · · Score: 1

      It doesn't use TPM or anything like that. I fully agree that it would buy you something if it did, but I'd still want a way to export my credentials. If I want to have more than one two-factor device, why shouldn't I? I have more than one set of car keys, and I fully appreciate that either could be used to steal my car.

    6. Re:I honestly don't get it... by fuzzyfuzzyfungus · · Score: 1

      It looks like I was thinking of something quite different from the 'Authenticator' app and got confused: Recent Android versions include the 'keymaster' HAL component, which uses a software-based set of cryptographic capabilities by default, or can interact with a device-specific hardware module(mostly on Nexus devices, not sure about any third party implementations, usually based on 'trustzone' rather than TPM, just because ARM SoCs do that already).

      Looks like it addresses a different use case; but that's what I was thinking about when wondering whether the behavior varied between hardware and software backed platforms. Sorry about that, I get fuzzy sometimes.

  29. Biometrics by StrangeBrew · · Score: 1

    This is going to put a damper in Apple's wish to use nipple morphology in their newest biometric security system.

  30. If this leak by future+assassin · · Score: 1

    was about normal people, no one would have lifted a finger. Since it's the "intellectual property" creators and precious entertainment stars it gets full media and FBI attention.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  31. Re:This is also how Sarah Palin's email got "hacke by Aaden42 · · Score: 1

    I always use something related to the question asked that isn’t technically the right answer but is something I’d remember.

    Example: Ask my mother-in-law’s name, I’ll enter “waste of oxygen”. Never gonna forget that one

  32. Pasword manager busta by future+assassin · · Score: 1

    busta. Plug and and play mofo, yo...

    https://www.youtube.com/watch?...

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  33. Re:This is also how Sarah Palin's email got by i+kan+reed · · Score: 1

    He's using SHA1 as a one time pad against people who know the answers to his questions, but not that he encrypts them.

    The algorithm being broken doesn't do the theoretical malicious actor any good. He could use a checksum/rot13/whatever and the effect would be the same.
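Both threads on security questions (answer with something unrelated, or "do the SHA1 of the answer", with the SHA-1 weakness being irrelevant to an attacker who does not know the scheme) can be put side by side in code. The following is an added example, not from any commenter: scheme 1 is the unkeyed hash of the true answer, and the dictionary attack shows what happens once the scheme is known, since hashing a pet-name list is as cheap as guessing from it; scheme 2 keys the derivation with a per-user secret and labels it with the site and question, so the scheme can be public, each site gets a different answer (chihowa's point that every site you told also knows your first pet), and only the secret needs protecting. The wordlist, site names and secret are constructed for the demo.

```python
"""Security-question answers derived from a secret instead of the truth.
Added example, not from any commenter above. PET_NAMES, the site names and
the secret are constructed for the demo."""
import base64
import hashlib
import hmac

# Constructed toy wordlist; real cracking lists run to many thousands of names.
PET_NAMES = ["max", "bella", "charlie", "lucy", "fido", "rex", "molly", "buddy", "daisy"]


def hashed_answer(true_answer):
    """Scheme 1: the SHA-1 hex digest of the real answer, typed in as the 'answer'."""
    return hashlib.sha1(true_answer.strip().lower().encode()).hexdigest()


def dictionary_attack(stored_answer, wordlist):
    """Scheme 1 is unkeyed: an attacker who knows the scheme and the victim's
    likely answers just hashes the list. Which hash function is used does not matter."""
    for candidate in wordlist:
        if hmac.compare_digest(hashed_answer(candidate), stored_answer):
            return candidate
    return None


def keyed_answer(user_secret, site, question, length=20):
    """Scheme 2: HMAC-SHA256(secret, site || question), base32, truncated to
    something a form will accept. Knowing the scheme gives nothing without the
    secret, and one site's copy of the answer says nothing about another site's."""
    label = f"{site.lower()}\x00{question.lower()}".encode()
    digest = hmac.new(user_secret, label, hashlib.sha256).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()[:length]


if __name__ == "__main__":
    stored = hashed_answer("Fido")
    print(dictionary_attack(stored, PET_NAMES))                 # → fido
    secret = b"constructed-demo-secret-keep-it-in-the-password-manager"
    print(keyed_answer(secret, "icloud.example", "first pet"))
    print(keyed_answer(secret, "mail.example", "first pet"))    # different answer
```

Scheme 2 moves the problem to keeping one secret available and backed up (the same place your passwords live), which is the trade Cro Magnon objects to: the answers are no longer memorable, so they must be stored. That is still better than an answer that a spouse, an ex-friend or a Facebook photo can supply.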

  34. dumb as fuck celebrities by tekrat · · Score: 0

    Your life is already under a microscope. You can't go to the supermarket without a crew from TMZ following you and paparazzi are camped out on your lawn.... just how freaking stupid do you have to be to post nude pics of yourself to the cloud?

    I'm going to start a consulting agency to the stars, called "Common Sense", and get paid to distribute my common sense to people who obviously have none of their own.

    Here's a free tip: If you don't want nude pics of yourself spread to the web, don't take nude pics of yourself!

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:dumb as fuck celebrities by StrangeBrew · · Score: 1

      Your life is already under a microscope. You can't go to the supermarket without a crew from TMZ following you and paparazzi are camped out on your lawn.... just how freaking stupid do you have to be to post nude pics of yourself to the cloud?

      I'm going to start a consulting agency to the stars, called "Common Sense", and get paid to distribute my common sense to people who obviously have none of their own.

      Here's a free tip: If you don't want nude pics of yourself spread to the web, don't take nude pics of yourself!

      Damn straight. They also shouldn't own smart TVs with built-in cameras, Xboxes with Kinects, or any other hackable device including their cell phones. If they're stupid enough to walk around their own home naked with any hackable technology, it's their own f'n fault if pictures make their way to the internet!!! Give your head a shake. Yes, what they did was stupid, but that doesn't make it their fault. The truth of the matter is that trusting humans to do the right (ethical) thing is stupid in any and all situations.

    2. Re:dumb as fuck celebrities by angel'o'sphere · · Score: 1

      People don't post nude pics to the cloud.
      They have a little check box in their iPhone named something like "synch photos with your mac via icloud".
      The checkbox is checked by default when you buy the phone.
      All new photos are automatically transferred to the iCloud and when you open your Mac at home it "magically" shows up there.
      No one ever is doing a "now I have to upload my photos to the cloud" thing. So most people don't even know that their photos are up there.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    3. Re:dumb as fuck celebrities by m00sh · · Score: 1

      Your life is already under a microscope. You can't go to the supermarket without a crew from TMZ following you and paparazzi are camped out on your lawn.... just how freaking stupid do you have to be to post nude pics of yourself to the cloud?

      I'm going to start a consulting agency to the stars, called "Common Sense", and get paid to distribute my common sense to people who obviously have none of their own.

      Here's a free tip: If you don't want nude pics of yourself spread to the web, don't take nude pics of yourself!

      Or even better yet, never be nude. Always wear clothes. Then there is absolutely no chance of nude pics.

    4. Re:dumb as fuck celebrities by Anonymous Coward · · Score: 0

      The checkbox is checked by default when you buy the phone.

      No, it is not checked, you fucking imbecile.

  35. Fact by Anonymous Coward · · Score: 0

    Never take naked pictures of yourself. FINAL, NEVER, EVER, especially when you're dumb enough to sync them on the internet.

  36. Re:This is also how Sarah Palin's email got "hacke by Anonymous Coward · · Score: 1

    Remember 2008? Some random douche on 4chan just looked up her dog's name?

    Oh, so it's 4chan who's the douche here, and not [random idiot celebrity] who uses their dog's name (that has its own Twitter feed) as a security question.

    Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

    You know what is also pointless? Assuming that public figures actually have a fucking brain, and would choose a secure, private security question.

    And for fuck's sake, you can't lie on those security questions? Hell, that's half the way you make them secure. Hollywood figures should be damn good at putting up a facade. They get paid to do it professionally.

  37. Re:This is also how Sarah Palin's email got "hacke by theedgeofoblivious · · Score: 1

    That depends.

  38. Re:This is also how Sarah Palin's email got "hacke by i+kan+reed · · Score: 1

    No, I'm pretty sure it's the random guy, not 4chan as a whole, that's the douche, Mr. Anonymous-needs-defending.

    This is the "your lock could be picked so I let myself in" defense.

  39. Re:This is also how Sarah Palin's email got "hacke by nine-times · · Score: 1

    All the more reason why they just shouldn't have these security questions.

  40. Two Points by Anonymous Coward · · Score: 0

    1) The cloud works. Jennifer Lawrence, et al have found that the internet does provide a near infinite backup solution that guarantees your images* will be available forever.

    2) Internet 101. Never upload on the internet what you don't want to be on the internet. Encryption? Passwords? Special dongles? People get far worse punishments (Chinese dissenters and child porn viewers) who use the internet. That your nipple or pussy is now visible online to the general public? Oh, the horror! So, I presume the privacy advocates would be just as upset if all the leaked photos were of celebrities drinking tea (clothed). Right, yea, that's what the NSA spying does and there's no uproar over that. This is all about nipple and pussy.

    * This obviously only applies if (1) you're famous, (2) you're sexy, (3) you pose at least somewhat provocatively, and (4) you don't engage in legal action that quickly outweighs all of items 1 to 3 combined. So, yea, (1) and (3) are the big reason this leak is permanent.

  41. Re:This is also how Sarah Palin's email got "hacke by danaris · · Score: 1

    If that were true there would be no religions or climate change deniers, they'd all be forgotten.

    You're (apparently willfully obtusely) mixing up objective truth with what one believes to be true. It's always easier to remember facts that one has already learned (particularly from one's own past) than lies one has made up on the spot.

    Dan Aris

    --
    Fun. Free. Online. RPG. BattleMaster.
  42. Obligatory XKCD reference ... by Anonymous Coward · · Score: 0

    Comic #936. I'll take "correct horse battery staple" for the win.

  43. Not plausible -- 2 previous hacks of this nature by hessian · · Score: 0
  44. Re:Of course... by John+Bokma · · Score: 1

    It looks to me like this hack didn't happen only on Sunday but is something that has been going on for a while: http://i.imgur.com/M41Z5o3.jpg and http://i.imgur.com/ctefDUd.jpg

  45. Pics or it didn't happen... by Anonymous Coward · · Score: 0

    I'll just leave this here:

    The fappening

  46. Re:This is also how Sarah Palin's email got "hacke by GNious · · Score: 0

    BOOM politics slam.

    Time to stop watching Jon Stewart

  47. Seemed pretty obvious this was the case by drakstalker · · Score: 1

    Strong passwords are irrelevant! Any password can be cracked, and the strongest passwords are not something that normal humans can remember and therefore need documentation, making them vulnerable. The number of times you change your password is irrelevant: break it once, and if the person changes it, just do it again. The problem here is the "cloud". People, and yes many in IT as well, do not understand that using cloud services does not mean that your data, or your company's data, is private. It gets copied to several servers. These servers have admins that likely can see your data in order to do their jobs. If your company does it, expect employees to follow suit. When you use a cloud service you basically put your information/pictures/videos in the hands of somebody else. The blame here is not on celebs, or the hackers, or even Apple. It's on the tech industry for selling and promoting an inherently insecure infrastructure. It is nice having all of your pictures on all of your devices, but don't tell people that it's private or secure. As I tell my clients: don't put anything in the cloud that you would not want posted on a billboard along an expressway.

  48. I don't trust password managers by Rinikusu · · Score: 1

    That's why I write everything down on paper. No one reads papers anymore, right?

    --
    If you were me, you'd be good lookin'. - six string samurai
    1. Re:I don't trust password managers by Anonymous Coward · · Score: 0

      Are you a stoner? Do you have a computer? Congratulations! You possess the necessary tools to use secure passwords!

      Run your friendly neighborhood pwgen -sy in a loop. About 100,000 times ought to be good. You're going to blow through your computer's entropy pool doing this. Take a camera, preferably a device without networking. Take a photo of the screen (fast shutter speed here!). Copy two of the generated passwords you see down onto a rolling paper. That's your new password. Securely wipe the SD card on your camera. (Note to beginners: you can just fill up the card completely. This works pretty well.) Keep the rolling paper on you for a few days until you no longer refer to it anymore. Then put it in a normal household bowl (the kind used for containing food--sheesh) and set it on fire. They burn cleanly. Rinse out the bowl. Smoke another bowl (the kind you smoke out of, not the kind you use for food).

  49. Re:This is also how Sarah Palin's email got "hacke by i+kan+reed · · Score: 1

    Guess what I don't do. That thing you guessed I do.

  50. Re:This is also how Sarah Palin's email got "hacke by Anonymous Coward · · Score: 0

    Remember 2008? Some random douche on 4chan just looked up her dog's name?

    Oh, so it's 4chan who's the douche here, and not [random idiot celebrity] who uses their dog's name (that has its own Twitter feed) as a security question.

    4chan is just a domain so it isn't anything, but frankly, the hacker that uses [random idiot celebrity]'s dog's name to obtain access to her iCloud account is the douche. I generally think infiltrating personal photo collections and sharing them with the world is a rather douchy thing to do.

    If they used better security protocols this would be less likely, but a person is not a douche because their security question sucked. Yes, celebrities are still people.

  51. Re:Of course... by Anonymous Coward · · Score: 0

    Oh fuck you. More kids are raped/molested every single day by their teachers than the entire scope of the Catholic church scandal combined. Yet fucktards like you never make these disgusting jokes about the teachers union.

    Piss off douche bag

  52. Re:This is also how Sarah Palin's email got "hacke by quantaman · · Score: 1

    Remember 2008? Some random douche on 4chan just looked up her dog's name?

    Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

    More to the point why does anybody use real information for security questions? As long as I can remember the answer the accuracy is irrelevant. Same with birthdays. If I decide some random date is my birthday it makes it a lot harder to guess.

    So your solution for forgetting your password is another password?

    The solution isn't random info. It's questions you create with personal information that is memorable enough that you'll remember it in an instant, but only you, or a very small handful of intimate people, would know. I.e., "Who was that girl you had a really secret crush on in grade 10?"

    The current suite of questions, mother's maiden name, cars, etc, is all information that's potentially communicated to casual friends, as such it can easily slip out into public knowledge.

    The problem is there's only so many questions that fit that description, so instead of sharing passwords you end up sharing answers.

    --
    I stole this Sig
  53. Breaking new security technology apple should use by Anonymous Coward · · Score: 0

    Anus scans.

    Every celebrity should require a password along with a thorough scan of their anus to ensure proper access.

  54. Re:This is also how Sarah Palin's email got "hacke by Registered+Coward+v2 · · Score: 1

    Remember 2008? Some random douche on 4chan just looked up her dog's name?

    Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

    More to the point why does anybody use real information for security questions? As long as I can remember the answer the accuracy is irrelevant. Same with birthdays. If I decide some random date is my birthday it makes it a lot harder to guess.

    So your solution for forgetting your password is another password?

    The solution isn't random info. It's questions you create with personal information that is memorable enough that you'll remember it in an instant, but only you, or a very small handful of intimate people, would know. I.e., "Who was that girl you had a really secret crush on in grade 10?"

    The current suite of questions, mother's maiden name, cars, etc, is all information that's potentially communicated to casual friends, as such it can easily slip out into public knowledge.

    The problem is there's only so many questions that fit that description, so instead of sharing passwords you end up sharing answers.

    First of all, it doesn't have to be random every time. I simply would be using an answer that no one would associate with me but that I can remember. I already do that for car, street I was born on, mom's maiden name. I also add a number and special character to the answer. Is it foolproof? No, but better than using easily discovered real information. It's not that difficult, and the point is to make it hard to find the answers via web searches, for example. Sure, making up your own questions would work, but many sites do not let you do that.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  55. Re:This is also how Sarah Palin's email got "hacke by quantaman · · Score: 1

    First of all, it doesn't have to be random every time. I simply would be using an answer that no one would associate with me but that I can remember. I already do that for car, street I was born on, mom's maiden name. I also add a number and special character to the answer. Is it foolproof? No, but better than using easily discovered real information. It's not that difficult, and the point is to make it hard to find the answers via web searches, for example. Sure, making up your own questions would work, but many sites do not let you do that.

    Adding a special character sounds like a good idea, a simple permutation or rule you can remember across all accounts.

    But remember, for it to work you can't rely on yourself remembering the answer; you need to know it without remembering its creation.

    --
    I stole this Sig
  56. Re:This is also how Sarah Palin's email got "hacke by Anonymous Coward · · Score: 0

    Also, what do you call a piece of arbitrary information you make up for the purposes of authentication? A password.

    The difference between a sec. q. and a password is that the sec. q. is easier and related to your reality.

  57. Wired article... by Anonymous Coward · · Score: 0

    As nude celebrity photos spilled onto the web over the weekend, blame for the scandal has rotated from the scumbag hackers who stole the images to a researcher who released a tool used to crack victims’ iCloud passwords to Apple, whose security flaws may have made that cracking exploit possible in the first place. But one step in the hackers’ sext-stealing playbook has been ignored—a piece of software designed to let cops and spies siphon data from iPhones, but is instead being used by pervy criminals themselves.

    On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.

    “Use the script to hack her passwduse eppb to download the backup,” wrote one anonymous user on Anon-IB explaining the process to a less-experienced hacker. “Post your wins here ;-)”

    Apple’s security nightmare began over the weekend, when hackers began leaking nude photos that included shots of Jennifer Lawrence, Kate Upton, and Kirsten Dunst. The security community quickly pointed fingers at the iBrute software, a tool released by security researcher Alexey Troshichev designed to take advantage of a flaw in Apple’s “Find My iPhone” feature to “brute-force” users’ iCloud passwords, cycling through thousands of guesses to crack the account.

    If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.

    On Tuesday afternoon, Apple issued a statement calling the security debacle a “very targeted attack on user names, passwords and security questions.” It added that “none of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.”

    But the conversations on Anon-IB make clear the photo-stealing attacks aren’t limited to a few celebrities. And Zdziarski argues that Apple may be defining a “breach” as not including a password-guessing attack like iBrute. Based on his analysis of the metadata from leaked photos of Kate Upton, he says he’s determined that the photos came from a downloaded backup that would be consistent with the use of iBrute and EPPB. If a full device backup was accessed, he believes the rest of the backup’s data may still be possessed by the hacker and could be used for blackmail or finding other targets. “You don’t get the same level of access by logging into someone’s [web] account as you can by emulating a phone that’s doing a restore from an iCloud backup,” says Zdziarski. “If we didn’t have this law enforcement tool, we might not have the leaks we had.”

    Elcomsoft is just one of a number of forensics firms like Oxygen and Cellebrite that reverse engineer smartphone software to allow government investigators to dump the devices’ data. But El
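
The quoted article says iBrute worked by "cycling through thousands of guesses" against a Find My iPhone endpoint, which only works if the endpoint never stops answering after repeated failures. The following is an added example written for this page, not code from Wired, Apple, or the iBrute author: it models two toy login services, one that accepts unlimited guesses and one with a per-account lockout, and sends the same constructed wordlist to both. The service, the wordlist, the victim's password and the lockout threshold are all assumptions made for the demonstration.

```python
"""Added example (not from the article or Apple): why an unthrottled login
endpoint falls to a wordlist attack, and what a lockout changes.

Two toy authentication services are modelled; neither is Apple's real
service. The wordlist, the victim's password and the lockout threshold are
all constructed for the demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed guess list; the real tool's wordlist is not reproduced here.
WORDLIST = ["password", "123456", "qwerty", "letmein", "D0nM@tt1ngly!", "Fluffy2011"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the service never stores the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class AuthService:
    """Toy login service. max_failures=None means no throttling at all."""

    def __init__(self, max_failures=None):
        self.max_failures = max_failures
        self.accounts = {}
        self.events = []          # what a defender would see in the logs

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> bool:
        acct = self.accounts[user]
        if acct.locked:
            self.events.append(f"{user}: attempt while locked")
            return False
        ok = hmac.compare_digest(acct.digest, hash_password(password, acct.salt))
        if ok:
            acct.failures = 0
            return True
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            acct.locked = True
            self.events.append(f"{user}: locked after {acct.failures} failures")
        return False


def wordlist_attack(service: AuthService, user: str, wordlist):
    """Send guesses in order; return (password found or None, guesses sent)."""
    for sent, guess in enumerate(wordlist, 1):
        if service.login(user, guess):
            return guess, sent
    return None, len(wordlist)


def demo():
    """Run the same attack against both services; returns the two outcomes."""
    open_svc = AuthService()                  # unlimited guesses
    open_svc.register("victim", "Fluffy2011")
    locked_svc = AuthService(max_failures=5)  # lock after 5 bad guesses
    locked_svc.register("victim", "Fluffy2011")
    return (wordlist_attack(open_svc, "victim", WORDLIST),
            wordlist_attack(locked_svc, "victim", WORDLIST))


if __name__ == "__main__":
    no_limit, with_limit = demo()
    print("unthrottled:", no_limit)    # ('Fluffy2011', 6)
    print("with lockout:", with_limit)  # (None, 6)
```

The unthrottled service gives up the password on the sixth guess; the lockout service rejects the sixth guess even though it is correct, and its `events` list is the signal a defender would alert on. A per-account lockout by itself is not the whole answer, since an attacker can use it to lock victims out of their own accounts, so real services pair it with per-source rate limiting, increasing delays and a second factor; the point of the example is only that a guess loop is free when none of those exist.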

  58. Five reasons to blame Apple by Sara+Chan · · Score: 3, Informative

    There is a good article "Five reasons to blame Apple in nude celebrity photo leak", in The Hamilton Spectator. Here are the key points (read the article for elaborations).

    1. The vulnerability is Security 101 stuff (even a good password, like “D0nM@tt1ngly!”, was still vulnerable).
    2. The vulnerability was publicly known since May.
    3. Apple defaults users into the cloud (and Apple makes it very hard to not store in the cloud).
    4. Apple does not encourage two-factor authentication (it discourages this).
    5. Two-factor authentication wouldn't have worked anyway (it is not actually enforced on iCloud).

    1. Re:Five reasons to blame Apple by John3 · · Score: 1

      Wish I could mod this up...I do have points, but if I mod this the thread gets deleted. :(

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    2. Re:Five reasons to blame Apple by N3x)( · · Score: 1

      D0nM@tt1ngly! is NOT a good password

  59. Re:This is also how Sarah Palin's email got "hacke by Anonymous Coward · · Score: 0

    Unless, of course, the celebrity in question is not a moron (pause for the reader to make the obvious joke here him/herself), and chooses security question responses which are obtuse -- ya know; the way we all should? (Personally, the answer to every one of my various accounts' security questions is "Sarah Palin." Yes, Sarah Palin is/was my first pet, my mother's maiden name, and the location of my birth.)

  60. Re:This is also how Sarah Palin's email got "hacke by vux984 · · Score: 1

    Security questions do not work for public figures.

    Security questions do not work for ANYONE.

    Most attackers know you, and have better than even odds of guessing your security questions. Your ex-girlfriend... She knows your birthday (duh), your mothers maiden name? (she was even at grandma's funeral), she knows all about your first gerbil Roscoe, and she knows your youngest siblings name, your favorite colour, what city you were born in, your first car, your likely answer to favorite food...

    Most of your friends can probably do better than 50% on the list above.

    And if you are on Facebook, good odds a random stranger can get most of what they need too. Even if you don't announce it all or put fake info in your profile, your mom sends you a "Happy Birthday" message anyway and you are sunk.

  61. Chrome for $300 or less. by Anonymous Coward · · Score: 0

    Hmmmm. More data in the cloud. Living dangerously.

  62. Re:This is also how Sarah Palin's email got "hacke by dgatwood · · Score: 1

    The solution isn't random info. It's questions you create with personal information that is memorable enough that you'll remember it in an instant, but only you, or a very small handful of intimate people, would know. I.e., "Who was that girl you had a really secret crush on in grade 10?"

    This is a great example of why security questions are inherently dangerous. Most people—even geeks—have no idea what makes a good security question. Cracking an account secured with this question is almost always very, very easy:

    • Determine what high school the person went to.
    • Iterate through all the girls who attended that school that year, providing both first-name form and a couple of first-and-last-name forms, beginning with the ones who were in your grade, then moving on to other grades. Include teachers.

    Better than 95% of the time, this will result in a successful compromise of the user's account. And if you branch out from there into organizations that the person was in, churches, etc., you'll rapidly approach 100% coverage. And of course if someone really knew you or your crush back in 10th grade, it probably wasn't nearly as much of a secret as you thought it was, which could mean that it won't take many tries at all.

    To be fair, unless you're someone famous or there's a significant financial incentive to do so, it probably wouldn't be worth someone's time to type in the names of all the several hundred girls who attended your school, but once you have that information in electronic form, it would probably take a matter of seconds to crack such a security question in the absence of mechanisms to prevent repeat guessing. And even those mechanisms only slow down the process.

    --
    Check out my sci-fi/humor trilogy at PatriotsBooks.

  63. Re:This is also how Sarah Palin's email got "hacke by Anonymous Coward · · Score: 0

    Is your pseudonym Cal Easy?

  64. Re:Of course... by NotDrWho · · Score: 1

    You really shouldn't use that sort of language, Father.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  65. Re:This is also how Sarah Palin's email got "hacke by Registered+Coward+v2 · · Score: 1

    Adding a special character sounds like a good idea, a simple permutation or rule you can remember across all accounts.

    Exactly. You could always add the same number to the front and special character to the end or x spaces from the front. Easy to remember but hard to guess.

    But remember, for it to work you can't rely on yourself remembering the answer; you need to know it without remembering its creation.

    Very good point. You still pick things related in a pattern you can remember but would be hard for someone to guess. For example, a street 4 blocks over, an old girlfriend or someone you knew with a strange last name, the first car you wanted but didn't buy or that a neighbor owned that you liked. The goal is to make it hard for someone to guess so they move on, without you forgetting it. It's sort of like setting a password with 3 unrelated words with numbers and/or special characters included. Use a pattern you can remember but would be hard to guess.

    --
    I'm a consultant - I convert gibberish into cash-flow.
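
A worked illustration of the enumeration dgatwood describes in the "secret crush" reply, and of the "transform the answer" idea from comments 33, 54, 55 and 65 in this thread. This is an added example written for this page, not code from any commenter: the school roster, the stored answer and the user secret are all constructed. The unkeyed SHA-1 variant matches what comment 33 describes; the keyed HMAC variant goes beyond what any commenter proposes and is labelled as such.

```python
"""Added example (not from any commenter): how quickly a "secret" security
question falls to enumeration, and what a keyed derived answer changes.

The roster, the chosen answer and the user secret are all constructed for
this demonstration.
"""
import hashlib
import hmac
import os

# Constructed stand-in for "every girl who attended that school that year".
ROSTER = ["Amy Chen", "Beth Ortiz", "Carla Novak", "Dana Reyes",
          "Erin Walsh", "Faye Lund", "Gina Park", "Holly Brandt"]


def normalize(answer: str) -> str:
    """Case- and punctuation-insensitive comparison, as most sites do."""
    return "".join(ch for ch in answer.lower() if ch.isalnum())


def store_answer(answer: str, salt: bytes = None):
    """What the site keeps: salt + SHA-256 of the normalized answer."""
    salt = salt or os.urandom(16)
    return salt, hashlib.sha256(salt + normalize(answer).encode()).digest()


def check_answer(stored, answer: str) -> bool:
    salt, digest = stored
    probe = hashlib.sha256(salt + normalize(answer).encode()).digest()
    return hmac.compare_digest(digest, probe)


def candidate_answers(roster):
    """The forms an attacker would try for each name, in roster order."""
    seen = set()
    for full in roster:
        first = full.split()[0]
        for form in (first, full, first.lower(), full.lower(), full.replace(" ", "")):
            if form not in seen:
                seen.add(form)
                yield form


def enumerate_answer(stored, roster, transform=lambda g: g):
    """Try every candidate (optionally transformed the way the user did);
    return (candidate that matched or None, guesses sent)."""
    sent = 0
    for sent, guess in enumerate(candidate_answers(roster), 1):
        if check_answer(stored, transform(guess)):
            return guess, sent
    return None, sent


def unkeyed_hash(answer: str) -> str:
    """The 'just hash it' trick (comment 33): anyone who learns the trick
    can apply it to every candidate and enumerate exactly as before."""
    return hashlib.sha1(normalize(answer).encode()).hexdigest()


def keyed_answer(answer: str, user_secret: bytes, length: int = 20) -> str:
    """HMAC of the true answer under a secret only the user holds (added
    variant): knowing the real answer and the trick is still not enough."""
    return hmac.new(user_secret, normalize(answer).encode(), "sha256").hexdigest()[:length]


def demo():
    secret = os.urandom(32)                      # constructed user secret
    plain = store_answer("Dana Reyes")           # the real crush, as stored
    hashed = store_answer(unkeyed_hash("Dana Reyes"))
    keyed = store_answer(keyed_answer("Dana Reyes", secret))
    return {
        "plain": enumerate_answer(plain, ROSTER),
        "hashed_known_trick": enumerate_answer(hashed, ROSTER, unkeyed_hash),
        "keyed_known_trick": enumerate_answer(keyed, ROSTER, unkeyed_hash),
        "keyed_true_answer": check_answer(keyed, "Dana Reyes"),
        "keyed_legit": check_answer(keyed, keyed_answer("Dana Reyes", secret)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With an eight-name roster the plain answer falls on guess 17, and so does the SHA-1 trick once the attacker knows to hash each candidate; the keyed answer survives the full 40-guess sweep and also rejects the true name typed in directly. The cost is the one the thread already identified: the secret has to live somewhere (a password manager, in practice), which makes the "answer" just another password, and the enumeration is only this cheap because nothing in the example limits attempts on the reset flow.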
  66. Stupid Passwords by DarthVain · · Score: 1

    True Story:

    Was at a stag party, held at a cabin. One of the previous occupants left her wallet under one of the sofas. In it was all her identification as well as her iPhone. She was something like 19-20 years old. One of the guys jokingly said "I wonder how stupid this girl is" and tried to crack the "password". Tried "1234", which didn't work. Then said "hey", looked at her driver's licence, and entered her birthday. "Click".

    Two tries.

    Granted that is a 4 letter password, but if you pick something stupid, and lets face it many people do, not just 19 year old girls, it won't be hard to crack. Particularly if your life's details are open for public inspection.

    In the end we called the girl's mom, and got her to contact us with an address we could mail the package to (minus the little baggy of coke we flushed down the toilet).