Apple Denies Systems Breach In Photo Leak

← Back to Stories (view on slashdot.org)

Apple Denies Systems Breach In Photo Leak

Posted by Soulskill on Wednesday September 3, 2014 @03:00AM from the not-my-fault-i-promise dept.

Hamsterdan notes that Apple has posted an update to its investigation into the recently celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.

"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.

60 of 311 comments (clear)

Min score:

Reason:

Sort:

Seemed pretty obvious this was the case by John3 · 2014-09-03 03:04 · Score: 5, Insightful

Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

--
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
1. Re:Seemed pretty obvious this was the case by Anonymous Coward · 2014-09-03 03:10 · Score: 3, Insightful
  
  I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
2. Re:Seemed pretty obvious this was the case by Anonymous Coward · 2014-09-03 03:17 · Score: 4, Funny
  
  protect your password manager with a strong password from another password manager to protect!
3. Re:Seemed pretty obvious this was the case by Sique · 2014-09-03 03:21 · Score: 5, Funny
  
  It's Password Managers all the way down!
  
  --
  .sig: Sique *sigh*
4. Re:Seemed pretty obvious this was the case by John3 · 2014-09-03 03:23 · Score: 4, Insightful
  
  Use one very strong password for the password manager. That allows you to have hundreds of different passwords so each site you visit uses a different password and you don't need to remember them. If you use a strong enough password then you'll be fine.
  
  --
  "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
5. Re:Seemed pretty obvious this was the case by Macrat · 2014-09-03 03:27 · Score: 5, Insightful
  
  Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
  What good is a password manager when the answers to your security questions are public knowledge?
6. Re:Seemed pretty obvious this was the case by heypete · 2014-09-03 03:31 · Score: 5, Insightful
  
  Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
  What good is a password manager when the answers to your security questions are public knowledge?
  Who says you need to tell the truth on those questions?
  Q: "What is your mother's maiden name?"
  A: "Purple monkey dishwasher."
  Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.
7. Re:Seemed pretty obvious this was the case by Megol · 2014-09-03 03:39 · Score: 2
  
  Don't use them - input random crap instead of correct information.
8. Re:Seemed pretty obvious this was the case by fuzzyfuzzyfungus · 2014-09-03 03:47 · Score: 2
  
  I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
  Password 'managers' make me nervous(unless based on proper crypto/key storage ICs with actual vetting by people who actually care, which is rare indeed, if it exists at all, since the people who care that much don't use passwords, just proper cryptographic authentication); but they do have the advantage of allowing those of us without eidetic memories to use passwords that might actually be strong enough to resist casual attack, and force the casual attacker to use the ultra-weak password reset process instead...
9. Re:Seemed pretty obvious this was the case by Anonymous Coward · 2014-09-03 04:17 · Score: 5, Insightful
  
  I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
  And yet, in reality, regardless of your personal security measures, you already have this today
  It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.
  All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.
10. Re:Seemed pretty obvious this was the case by CanHasDIY · 2014-09-03 04:23 · Score: 2
  
  OK - A password manager is a great way to keep track of all the nonsense answers you put in for security questions.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
11. Re:Seemed pretty obvious this was the case by Anonymous Coward · 2014-09-03 04:37 · Score: 2, Insightful
  
  I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
  If you don't want to put all your passwords in your password manager, you don't have to do so. However if you put all your second tier passwords in it (the ones that you use to maintain privacy rather than fiscal security), then you can make them much more complex without requiring ridiculous complexity to memorize. You can also save arbitrary answers to security questions (if the answer to your dog's name is saved as sFjksL23549&@*^*% rather than Fido, it's not possible to get from investigating personal history).
  I'm unconvinced that an attack based on manipulating the secret questions is not Apple's fault. As others have pointed out, this is useless for celebrities whose lives are relatively public. Birthplace, pet names, mother's maiden name, etc. are the kind of things that are relatively easily collected from fluff interviews. For non-celebrities, such information may only require a personal meeting.
  A brute force attack is even worse. Unless everyone's using aardvark as their password, you would think that Apple would notice before the account is actually compromised.
  People should not have to have degrees in information security to maintain privacy on their accounts. Apple should be pushing people to follow good security practices rather than blaming their customers when security fails. Can Apple even point to an account that the attackers tried to access but failed?
12. Re:Seemed pretty obvious this was the case by hairyfeet · 2014-09-03 04:39 · Score: 4, Insightful
  
  WTF good is that gonna do when the "find my iPhone" feature allowed for unlimited password tries with NO TIME LIMIT as has been reported on several sites? You can have the best password ever created and if I can just brute force the site all day long without penalty then you be fucked friend, after all you can throw together an AMD octocore box for a couple hundred bucks that can crank out attempts in the millions if not tens of millions if you have a big enough pipe!
  Lets face it, somebody at Apple done fucked up REAL bad and instead of admitting it they are doing a "you're holding it wrong" level of BS spinjob trying to cover it up.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
13. Re:Seemed pretty obvious this was the case by St.Creed · 2014-09-03 04:42 · Score: 2
  
  In keeping with the theme of todays Q&A: Security questions are for people who don't use password managers. People who use password managers don't need them and can thus put random crap in them.
  
  --
  Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
14. Re:Seemed pretty obvious this was the case by Anonymous Coward · 2014-09-03 05:04 · Score: 2, Insightful
  
  But also be sure you properly vet your password manager as they's a very delicious target for a trojan so unless you wrote the manager yourself or it comes from a source you trust (I'd recommend the creator of your OS as is they have malicious intent you're already fucked) you're asking fro trouble using a third party program to store all your passwords.
  Whatever you do don't download an open source password manager form the Internet.
15. Re:Seemed pretty obvious this was the case by wiredog · 2014-09-03 05:16 · Score: 2
  
  Oblig. XKCD.
  
  --
  
  Best Slashdot Co
16. Re:Seemed pretty obvious this was the case by DMUTPeregrine · 2014-09-03 05:34 · Score: 2
  
  My Mother's maiden name is 52Vg8alTkWjJ92AXLq8c. I was born in the town of iyUJuoE5go9pWhylGHJT, where I got my first pet, 9DurEntFD7WU9lpZJCKI.
  
  If you ever tell the truth with a security question, you've done it wrong. If you ever use the same answer to a security question twice, you've done it wrong. If your answers have less entropy than your passwords, you've done it wrong.
  
  --
  Not a sentence!
17. Re:Seemed pretty obvious this was the case by DarkOx · 2014-09-03 05:42 · Score: 4, Insightful
  
  You need to take a step back and consider the actual threat. If you are going to post the ciphered content of your password database on the front page of Slashdot yes the cryptography better be done right.
  If you going to keep it on your desktop or on your phone and NOT send it over the network. Than I would say the value it affords you in being able to use longer passwords, with greater randomness, and unique passwords for every account is a win. The only anyone is going to get hold of it is if they pwn your computing device. If they do that than they don't need to beak the crypto they will just wait with the keylogger running for your to unlock it and collect the secret.
  At that point though you rather than $PUBLIC_WEBSITE have become the attackers target. Once we are talking about a targeted persistent attack, there is little any of us will do personally to be safe if our attackers are any better equipped/capable than script kiddies.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
18. Re:Seemed pretty obvious this was the case by Yaztromo · 2014-09-03 06:40 · Score: 4, Informative
  A strong password CAN be easily remembered. How about remembering 10 and 11?
  "Ten!!!!!!!!!!!"
  That's 10 and eleven "!" characters.
  There are a number of ways to calculate password effectiveness. If you assume zero knowledge of the password characteristics, then the 290 million years the website you linked to calculated may be accurate.
  Hackers, however, have typically found that certain patterns are used by humans more frequently than others, and instead of brute-forcing the password from the beginning (following UTF-8 order " ", " ", " !"... etc.), you can instead skip a significant part of the overall password space by only testing these common patterns.
  I prefer this tool, which evaluates password entropy. The figures it comes up with do tend to presume that something about the structure of the password is known (i.e: in your example that it is a word followed by a repeating symbol), but IMO this is a good figure to base your password decisions off as it represents a worst-case scenario, and not the best-case scenario the tool you linked presumes.
  Using that tooling instead, your passwords strength and estimated crack time is as follows:
  
  password: Ten!!!!!!!!!!!
  entropy: 18.669
  crack time (seconds): 20.836
  crack time (display): instant
  score from 0 to 4: 0
  calculation time (ms): 3
  FWIW, (and purely for the sake of comparison) one of the passwords I use online has, according to this tool, an entropy of 61.819 and a crack time of 203355820622500.06s (about 6.4 million years). And yes, it's something I both change often and have memorized.
  Yaz
19. Re:Seemed pretty obvious this was the case by vux984 · 2014-09-03 06:52 · Score: 3, Interesting
  
  Use one very strong password for the password manager.
  Actually, I recommend using multiple safes/vaults/etc with different passwords; make the passwords appropriate to the contents of the safe; and treat the safes appropriate relative to their contents.
  My safe with my passwords for throwaway email accounts and forum accounts, club memberships, etc is fairly simple. (It still counts as strong by all usual metrics, but its easy for me to remember and type in, which is good because I have to type it several times a day on average -- sometimes via a smartphone keyboard. Its sync'd via cloud to my smart phone, laptop, work computer, etc.
  My safe with passwords for my life savings, domain registrar, email account and other assets which would be quite devastating to lose is MUCH longer and stronger, and it isn't synchronized with my devices. (Actually I have 4 - 5 safes with different groups of passwords in them.)
  If you use a strong enough password then you'll be fine.
  Unless you get hit with a keylogger. Then you lose everything. Does it really even make sense to have your online pay-parking app passwords and your numbered offshore banking in the same vault? All protected by the same password?
  Its just silly.
  And its another reason why I've split things up. If the phone gets compromised, my high value passwords aren't even in it. My higher value password safes get opened less frequently and on fewer systems, so a keylogger will have to be in the right system and wait longer to get into them -- giving me better odds of dodging the bullet, and more time to detect and remove them.
20. Re:Seemed pretty obvious this was the case by neoritter · 2014-09-03 07:18 · Score: 2
  
  Not necessarily. Security questions are essentially the same thing as passwords in every respect, except they're giving a clue as to their answer. But there are ways to make security questions secure, some of which are the same for passwords. A) use sentences to answer the question. They may know your pet is named "Scout" but will they probably won't know the answer if it's, "My third pet who was a dog was named scout" (assuming you could use that long of answer). B) Security questions could be determined by the user, instead of from a selection by the system. This enables you to pick questions that can be very hard to glean from social media or other sources. E.g. What was the last thing my father said to me before he died. C) Email notifications of password reset attempts. Some sites do this, others don't. If someone goes into "forgot password" option and sees your security questions, an email is sent notifying you that someone saw your security questions or attempted to reset the password; whether they tried to guess the questions or not. This could give you an opportunity to change the security questions if you feel a compromise is probable.
21. Re:Seemed pretty obvious this was the case by byjove · 2014-09-03 12:12 · Score: 2
  
  Based on analysis of the EXIF data and file names some of the images came from GoogleDrive, DropBox, and private Twitter messages.
  Citation?
22. Re:Seemed pretty obvious this was the case by mjwx · 2014-09-03 12:43 · Score: 2
  
  I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
  And yet, in reality, regardless of your personal security measures, you already have this today
  It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.
  All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.
  I certainly dont have this today.
  
  I've got 3 different email addresses and 1 phone number, this isn't including my work email and all ordered by security level. The password reset for slashdot doesn't go to the same email my address domain registrar or accountant. Below this I have another email address I use for signing onto services that I know are going to spam me. The low security accounts are not linked in any way to the high security accounts and my high security account is only accessed from devices I know are safe.
  
  When throwaway email addresses are easy to get, I dont understand why anyone would have a single email address.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
23. Re:Seemed pretty obvious this was the case by drkim · 2014-09-03 16:36 · Score: 2
  
  ...I recommend using multiple safes/vaults/etc with different passwords...
  It's just funny - because Pamela Anderson had her sex tape stolen from her safe. (back when there were 'tapes')
This is also how Sarah Palin's email got "hacked" by i+kan+reed · 2014-09-03 03:05 · Score: 5, Insightful

Remember 2008? Some random douche on 4chan just looked up her dog's name?
Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.
At the risk of blaming the victim... by erp_consultant · 2014-09-03 03:09 · Score: 3, Interesting

what the heck are these people thinking? Putting nude photos of yourself on a phone and synching it every which way? It's one thing if you are Joe-nobody but being a celebriry is entirely different. That's just plain stupid.
1. Re:At the risk of blaming the victim... by CaptainDork · 2014-09-03 03:14 · Score: 4, Insightful
  
  Wrong-think.
  If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.
  
  --
  It little behooves the best of us to comment on the rest of us.
2. Re:At the risk of blaming the victim... by Black+Parrot · 2014-09-03 03:34 · Score: 3, Insightful
  
  But dealing with reality is very logical.
  If you don't want people to see pictures of you naked, don't take the pictures.
  And if you do, don't put them on a computer.
  And if you do, don't put them on a computer on the internet.
  And if you do, don't put them on someone else's computer on the internet.
  If they're out there, someone is going to get them.
  
  --
  Sheesh, evil *and* a jerk. -- Jade
3. Re:At the risk of blaming the victim... by QuasiSteve · 2014-09-03 03:46 · Score: 2
  
  I'd imagine that most of them really didn't want that stuff leaked - or they'd just leak them, themselves, in a coordinated manner.
  Of course now that they are out, most of them will be working with their PR agent(s) to put as positive a spin on it as they can - be that to be indignant, outraged, shrugging it off, claiming it's not them, thinking of how they're going to put themselves in a PSA about password security so that their idolizing fans don't make the same mistake, etc.
  And, yes, some of them will probably come out of this better.
  But that doesn't mean that this is what they wanted all along.
4. Re:At the risk of blaming the victim... by Aaden42 · 2014-09-03 04:32 · Score: 3, Insightful
  
  Wrong-think on several levels indeed.
  1) They took nudes. So fscking what. The fact that in their private lives they decided to indulge in an activity that lots of people do isn’t something that should even be reported, much less held against them or effect their careers.
  2) Basic human dignity should preclude assholes like the attackers from invading others privacy like this. (Yes, I know the world is full of assholes, and this is unreasonable dreaming, but still wrong of OP to blame the victim for someone else being an asshole.)
  3) I believe Apple enables photo syncing to the cloud by default when you setup iCloud on a new device. (I could be wrong. It’s been a while since I setup a device from scratch rather than backup/restore.) I wouldn’t expect the vast majority of people to appreciate the gravity of having every pic you ever take immediately uploaded to a third party server. I consider that a serious falling of the tech industry for not educating people of the risks of using cloud-based services. I also wouldn’t expect the majority of iUsers to be able to find & disable the photo sync option nor to know how to expunge any images that might already have been uploaded. Blaming non-techies for being non-techies isn’t a reasonable approach.
  So as far as assigning blame for this one:
  1) The Hackers.
  2) Prudish, sex-hating, women-hating ‘mur’kans for blaming the victims.
  3) The press for seizing on this as news story of the month thus ensuring everyone knows to go searching for the pics.
  4) Tech industry for pushing cloud-based storage.
  5) Apple for not enabling password lockout on Find my Phone (assuming the reporting on that was accurate).
  6) Apple for default-enabled on photo sync (assuming my recollection on that is correct - I may be wrong).
  7) Their publicists/managers/etc for not knowing enough to a) ensure their emails were unguessable, b) insist they disable photo syncing on their devices, c) insist they enable two-factor auth, d) ensure complex passwords and non-public-records password reset answers, and e) monitor their emails for “new device accessed your account” or “password reset” notifications.
  You’ll note the celebs aren’t in the above list of people who share in the blame here. I don’t even expect them to know enough to use good passwords. They’re ordinary humans whose focus should be on things not related to IT security. The people they undoubtedly pay good money to manage their careers and lives should have known better though. If not known enough themselves, known enough to contract with someone who did who could advise them appropriately.
5. Re:At the risk of blaming the victim... by nine-times · 2014-09-03 04:37 · Score: 2, Insightful
  
  What does this have to do with a secure method of log-in? If I make my password "password", then it's my own fault, not the login system's fault. You could say that they could require a strong password, which is great. Require it to be 10 characters, including at least 1 upper-case, 1 lower-case, 1 number, and one symbol. You know what the password will be then?
  "P@$$w0rd12"
  If you want to do better than that, we need to be using a public key system, and create a secure, reliable, easy method of managing keys. Otherwise, if you're letting people set their own password, they're going to choose bad passwords.
6. Re:At the risk of blaming the victim... by Lehk228 · 2014-09-03 04:40 · Score: 3, Interesting
  
  Working systems are available, but fools want their iThing or $20 droid and then act all surprised when their genitals end up on 4chan. It's not a new problem when was it Paris hilton's sidekick got hacked again?
  
  if you buy trash with security ranging from "fuck it we have none" to "well I guess we tried" because it's ooh shiney let's play flappy bird that is a choice with consequences.
  
  --
  Snowden and Manning are heroes.
7. Re:At the risk of blaming the victim... by CaptainDork · 2014-09-03 04:47 · Score: 2
  
  See? There's the wrong-think.
  Recall that systems people are the ones who are driving the freaking truck.
  How hard is it to inspect a password and tell a person that it's just too weak and here are the rules, so please comply or die?
  How hard is it to enforce two level authorization at sign-up?
  The paradigm where we blame the victims instead of unimaginative and lazy IT jockeys has got to stop.
  
  --
  It little behooves the best of us to comment on the rest of us.
8. Re:At the risk of blaming the victim... by edremy · 2014-09-03 05:43 · Score: 4, Insightful
  
  If you don't want people stealing your money don't store money online. Don't use credit/debit cards, an online brokerage account, web access to your checking account, etc. If it's out there someone is going to steal it.
  Simple, no? Blame the victim all you want, but that line of thinking pretty quickly devolves into unplugging from the Internet and trying to pay your bills with physical cash.
  
  --
  "Seven Deadly Sins? I thought it was a to-do list!"
9. Re:At the risk of blaming the victim... by nine-times · 2014-09-03 06:30 · Score: 2
  
  How hard is it to inspect a password and tell a person that it's just too weak and here are the rules, so please comply or die?
  It's pretty hard. Whatever rules you use to automate the detection of weak passwords can be fooled. That was my point with "P@$$w0rd12". By most automated systems' ability to check, that's a strong password. Still, if you're running a dictionary attack, you're going to include things like that.
  
  How hard is it to enforce two level authorization at sign-up?
  Not necessarily easy, unless you can assume (a) everyone has whatever they need for the second factor; and (b) people will tolerate using the second factor. Even if you strictly enforce a second factor which sends an SMS to a person's cell phone, you're assuming that they have a cell phone. Most people do, but do all of your customers?
  And I'm not actually blaming the victim. I'm blaming the Internet at large, which is still using passwords alone. Like I said, "we need to be using a public key system, and create a secure, reliable, easy method of managing keys."
Solution lies with users, not Apple by davidwr · 2014-09-03 03:10 · Score: 5, Interesting

Well, mostly.
What Apple can do is require 2-factor authentication.
They can also provide individuals who want it - primarily high-profile individuals - stronger lock-downs such as only allowing registered devices to log in or require typing in a code that is texted to the person prior to completing the login, much like some banks already do.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. Re:Solution lies with users, not Apple by MickyTheIdiot · 2014-09-03 03:15 · Score: 4, Informative
  
  Yeah. They can do two factor auth. The key fob they sell will only cost $595 and work only with Safari.
2. Re:Solution lies with users, not Apple by ixs · 2014-09-03 03:42 · Score: 5, Interesting
  And I am sure you realize that the 2factor Authorization as currently designed and utilized by Apple only protects against your account data being used to purchase things from the AppStore and interact with your account.
  Details are at http://support.apple.com/kb/ht5570 and quoting from there:
  It requires you to verify your identity using one of your devices before you can take any of these actions:
  
  Sign in to My Apple ID to manage your account
  Make an iTunes, App Store, or iBooks Store purchase from a new device
  Get Apple ID related support from Apple
  All iCloud communication is still unprotected. Bzzzzt. Neeext!
3. Re: Solution lies with users, not Apple by CanHasDIY · 2014-09-03 04:28 · Score: 2
  
  so only the stupidest dolts continue to 'sync to the cloud.'
  And then your phone breaks and you lose all your data.
  Because there's no other options than "lose everything" or "put it all on someone else's computer?"
  I expect that sort of non-thinking response from the crowd over at Yahoo, but c'mon man - this is /., we expect more thinky from our community.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
4. Re:Solution lies with users, not Apple by Ksevio · 2014-09-03 05:09 · Score: 3, Informative
  
  You can use any phone with SMS support which seems pretty standard. Since people are typically syncing from their iPhones to the iCloud they usually have an iPhone, but it's possible to use a freebie 10 year old brick phone if you wanted.
5. Re:Solution lies with users, not Apple by Tharkkun · 2014-09-03 07:21 · Score: 2
  
  You can buy RSA tokens, the same that governments and militaries around the world rely on, for $10 a piece.
  With an Apple logo stamped on them they will still be $595 like the above poster said.
No surprise here by qbast · 2014-09-03 03:10 · Score: 2

It is not like they would admit to getting hacked if they can shift the blame to user. And let's not forget that probably half of NSA was fapping to these pictures.
1. Re:No surprise here by AmiMoJo · 2014-09-03 03:22 · Score: 5, Insightful
  
  Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.
  I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
2. Re:No surprise here by nine-times · 2014-09-03 04:43 · Score: 4, Informative
  
  There's no real reason to think that Apple is at fault here, or even that all of the photos came from compromised accounts on iCloud. The rumor going around last I saw was that this was a collection that was acquired over sever years, contributed by many different people who acquired the photos from many different accounts that were attacked in many different ways. It wasn't gathered all at once from a single attack on iCloud. It was just leaked all at once.
  I have no evidence of that-- just the rumor I've seen on a couple different sites-- but it makes more sense than a massive iCloud hack that scooped up all of these photos at once.
3. Re:No surprise here by rogoshen1 · 2014-09-03 05:23 · Score: 2
  
  Yar, from what I've heard is that there is basically an underground ring that trades in these sorts of things -- not too dissimilar from the 'carding' groups. And, many different sources makes sense. File names in particular -- some are time stamps, others random characters. Pictures taken with a variety of phones (not all of which were iPhones etc.
Re:This is also how Sarah Palin's email got "hacke by i+kan+reed · 2014-09-03 03:13 · Score: 2, Funny

Sarah Palin has proven to be good at that.
BOOM politics slam.
Our dumb users are holding it wrong! by NotDrWho · 2014-09-03 03:14 · Score: 5, Funny

It's THEIR fault. Apple MAKES NO MISTAKES!!!

--
SJW's don't eliminate discrimination. They just expropriate it for themselves.
Find My Friends password flaw by Noah+Haders · 2014-09-03 03:15 · Score: 5, Interesting

You know, I'm really annoyed at Apple about this. They say that iCloud wasn't breached and it was a targeted account attack with weak passwords. But on Monday (the day after the pics were posted) they patched a flaw in Find My Friends where the account would be vulnerable to a dictionary attack:

The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely. A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News Apple patched the service at 3.20am PT today. While it’s possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.
http://9to5mac.com/2014/09/01/...

so there was no icloud breach, but there was a bug that enabled a brute force attack. It's not known that this exploit was used on the celebrities, but a tool that exploits this bug was recently posted. Ok...

also, super unclassy for Apple to blame the victim, especially when these types of weaknesses are buried in their code.
1. Re:Find My Friends password flaw by Anubis+IV · 2014-09-03 04:00 · Score: 4, Informative
  
  It's not known that this exploit was used on the celebrities
  The pics were apparently circulating over a week ago in some parts of the Internet, and were, by all indications, collected over the course of several months from a variety of sources (i.e. not all of the celebrities are in the Apple ecosystem; a number of them use Android). The "iBrute" exploit code didn't become available until earlier this week.
  There's actually a fairly detailed breakdown of this and similar attacks already available, most of which rely on various social engineering techniques, basic detective work, or turning (ex-)friends of the celebrities against them to get malware installed or procure more intimate information (sometimes in exchange for receiving their own copies of the pics).
  Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.
Re:Of course... by NotDrWho · 2014-09-03 03:18 · Score: 4, Funny

"Your Holiness, people are accusing our priests of molesting their children!"
"My son, send out a missive immediately--chastising the parishioners for letting their children seduce our priests."

--
SJW's don't eliminate discrimination. They just expropriate it for themselves.
Ummmm by Chewbacon · 2014-09-03 03:21 · Score: 2

I thought Find My iPhone didn't lock accounts after too many failed logins? This was discussed in many twitter conversations yesterday and how the script used no longer works since apple updated the system. I call that a failure in Apple's security. Who the hell forgets to put in that kind of fail safe anymore?

--
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
1. Re:Ummmm by mean+pun · 2014-09-03 05:58 · Score: 2
  
  I thought Find My iPhone didn't lock accounts after too many failed logins? This was discussed in many twitter conversations yesterday and how the script used no longer works since apple updated the system. I call that a failure in Apple's security. Who the hell forgets to put in that kind of fail safe anymore?
  As far as I know, the only website that I use that enforces such a limit is my bank, and even there I think it is heavy-handed. They could just block you for an hour after three failed attempts, or make the time exponential, or something.
  Logging in to FMi will be a relatively slow process anyway. A full brute-force attempt is extremely unlikely to succeed, so scripting only makes sense if the attacker knows at least some of the password. That is, if you want to try if one of 'fido1' to 'fido9999' is the right password, you may succeed. Beyond that the search will quickly require too much time.
  It is good they plugged the hole, but I hardly consider this an epic failure. Sometimes I think people are just searching for things to grumble at, and the big players, be they Apple, Google, Microsoft, or whatever, are held to impossibly strict standards.
Re:But how do the hackers get the email addresses? by John3 · 2014-09-03 03:25 · Score: 5, Funny

I'd imagine once you hack a celebrity email you can then get emails of their friends, and so on. The key is to get the email address of Kevin Bacon and then you're golden.

--
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
Not just public figures by mozumder · 2014-09-03 03:32 · Score: 5, Interesting

Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.
Modern social media can also be used to identify personal information of regular people.
If you look at the anon-in.com logs where they operate, you can see hackers asking each other "What car is this?" with posts of random hot girls cars that they collected from Facebook or wherever. They then use this to break the iCloud security questions for said hot girls and get their nudes.
Also, you don't even need social media accounts to be targeted via social media. Just having friends that posts pics with your bits of identifying info is enough.
Isnt it weird? by drake2k · 2014-09-03 03:42 · Score: 2

That we use secure 2 factor authentication for our World of Warcraft accounts but we don't for important stuff like iCloud stored nudies?
Re:This is also how Sarah Palin's email got "hacke by Cro+Magnon · 2014-09-03 03:46 · Score: 5, Informative

Because it's easier to remember the truth than a lie.

--
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Brute Force Protection by brunes69 · 2014-09-03 03:49 · Score: 2

If your system does not offer any kind of brute force protection mechanism at all, which Find My iPhone does not seem to have based on my readings, then your system is broken by design. Brute force protections like 'only allow 10 login attempts within 5 minutes, and then block that IP from all login attempts for 30 minutes" are so trivial to implement that they should be part of any authentication system.
I honestly don't get it... by fuzzyfuzzyfungus · 2014-09-03 03:56 · Score: 5, Interesting

Apple obviously wants iCloud and your ITMS credentials to be the iGateway to your life and all your devices and whatnot. They also emphasize security, elegance, and ease of use in their advertising, and cater to a relatively upmarket audience, for the most part.

Why, then, can you not even buy any serious security? Yes, they have 'two factor authentication', of the kind where you have a username, password, and they send you a temporary PIN to one of your devices; but money simply cannot buy a certificate authentication mechanism. Nor an RSA-fob or equivalent. Hell, your WoW character can be protected by a hardware auth fob; but your entire iLife can't?

In the end(while it may well be true) Apple's insistence that the hack was based on guessing/gaining user credentials, rather than attacking Apple code, just doesn't matter. User credentials are always fairly vulnerable. If they want people to put their life 'in the cloud', they are going to have to do better than that(especially if they want celebrity users, since that's a userbase that more or less automatically includes insane stalkers).
1. Re:I honestly don't get it... by robstout · 2014-09-03 04:20 · Score: 3, Interesting
  
  I think the issue is that security isn't pretty, and Apple wants pretty. Look at the two-factor authentication. Having to wait until a PIN is sent to you before you can access whatever? That isn't elegant at all (from Apple's POV. It removes the one click convenience.). Personally, I'd rather have the security, but I'm a geek, like most people on Slashdot.
Five reasons to blame Apple by Sara+Chan · 2014-09-03 08:46 · Score: 3, Informative

There is a good article "Five reasons to blame Apple in nude celebrity photo leak", in The Hamilton Spectator. Here are the key points (read the article for elaborations).

1. The vulnerability is Security 101 stuff (even a good password, like “D0nM@tt1ngly!”, was still vulnerable).
2. The vulnerability was publicly known since May.
3. Apple defaults users into the cloud (and Apple makes it very hard to not store in the cloud).
4. Apple does not encourage two-factor authentication (it discourages this).
5. Two-factor authentication wouldn't have worked anyway (it is not actually enforced on iCloud).