Apple Denies Systems Breach In Photo Leak
Hamsterdan notes that Apple has posted an update to its investigation into the recent celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.
"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.
Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
Remember 2008? Some random douche on 4chan just looked up her dog's name?
Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.
Wrong-think.
If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.
It little behooves the best of us to comment on the rest of us.
Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.
I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
But dealing with reality is very logical.
If you don't want people to see pictures of you naked, don't take the pictures.
And if you do, don't put them on a computer.
And if you do, don't put them on a computer on the internet.
And if you do, don't put them on someone else's computer on the internet.
If they're out there, someone is going to get them.
Sheesh, evil *and* a jerk. -- Jade
Wrong-think on several levels indeed.
1) They took nudes. So fscking what. The fact that in their private lives they decided to indulge in an activity that lots of people do isn’t something that should even be reported, much less held against them or affect their careers.
2) Basic human dignity should preclude assholes like the attackers from invading others' privacy like this. (Yes, I know the world is full of assholes, and this is unreasonable dreaming, but still wrong of OP to blame the victim for someone else being an asshole.)
3) I believe Apple enables photo syncing to the cloud by default when you set up iCloud on a new device. (I could be wrong. It’s been a while since I set up a device from scratch rather than backup/restore.) I wouldn’t expect the vast majority of people to appreciate the gravity of having every pic you ever take immediately uploaded to a third party server. I consider that a serious failing of the tech industry for not educating people of the risks of using cloud-based services. I also wouldn’t expect the majority of iUsers to be able to find & disable the photo sync option nor to know how to expunge any images that might already have been uploaded. Blaming non-techies for being non-techies isn’t a reasonable approach.
So as far as assigning blame for this one:
1) The Hackers.
2) Prudish, sex-hating, women-hating ‘mur’kans for blaming the victims.
3) The press for seizing on this as news story of the month thus ensuring everyone knows to go searching for the pics.
4) Tech industry for pushing cloud-based storage.
5) Apple for not enabling password lockout on Find my Phone (assuming the reporting on that was accurate).
6) Apple for default-enabled on photo sync (assuming my recollection on that is correct - I may be wrong).
7) Their publicists/managers/etc for not knowing enough to a) ensure their emails were unguessable, b) insist they disable photo syncing on their devices, c) insist they enable two-factor auth, d) ensure complex passwords and non-public-records password reset answers, and e) monitor their emails for “new device accessed your account” or “password reset” notifications.
You’ll note the celebs aren’t in the above list of people who share in the blame here. I don’t even expect them to know enough to use good passwords. They’re ordinary humans whose focus should be on things not related to IT security. The people they undoubtedly pay good money to manage their careers and lives should have known better though. If not known enough themselves, known enough to contract with someone who did who could advise them appropriately.
"P@$$w0rd12"
If you want to do better than that, we need to be using a public key system, and create a secure, reliable, easy method of managing keys. Otherwise, if you're letting people set their own password, they're going to choose bad passwords.
Simple, no? Blame the victim all you want, but that line of thinking pretty quickly devolves into unplugging from the Internet and trying to pay your bills with physical cash.
"Seven Deadly Sins? I thought it was a to-do list!"