Slashdot Mirror


Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March

blottsie writes Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he's successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account.

93 comments

  1. celebgate by Anonymous Coward · · Score: 3, Informative

    apple really screwed the pooch with celebgate. protecting against brute force attacks is like security 101

    1. Re:celebgate by Anonymous Coward · · Score: 3, Interesting

      Don't forget their newest phones that bend. Oh and that great update that removes all phone functionality.

    2. Re:celebgate by Anonymous Coward · · Score: 0

      Stating facts is modded as "troll"? The Apple defense force sure is touchy this week.

    3. Re:celebgate by Anonymous Coward · · Score: 0

      You would be too if you had messed up so badly so much in recent history... Every time the phone rang or your boss walked by you'd be sweating bricks...

    4. Re:celebgate by bobbied · · Score: 1, Flamebait

      apple really screwed the pooch with celebgate. protecting against brute force attacks is like security 101

      Seriously? I think the celebrities where/are stupid.

      Who in their right mind takes compromising photos and allow them to be stored on anybody's cloud, while knowing that said pictures would be of great value to the public? Security 101 says, DON'T TAKE THE PICTURES in the first place, but if you insist on doing so, DON'T PUT THEM ON THE INTERNET.

      Apple may have messed up by not notifying their customers of hacking attempts, but you are not thinking if you put things of value in anybody's hands for safe keeping up on the net, even if it's Apple. It's a bad idea to give up control of your data if it is sensitive in any way, unless it's well encrypted.

      Celebrities where primarily responsible, they where plain stupid to allow such pictures to be taken, much less store them protected by no more than a password. What do they THINK is going to happen? Putting tens of thousands of dollars worth of "personal photos" online protected by a password? Even if Apple had done all due dalliance, you can bet somebody would have eventually found a way.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

    5. Re:celebgate by Fwipp · · Score: 3, Insightful

      Yeah, those stupid celebrities. Why, I'll bet they keep their money in the bank, protected only by a PIN or online password! And park their cars *outside* sometimes, where anyone passing by could steal it. Heck, even their homes and loved ones are protected by little more than a simple series of alarm/gate codes. They're *definitely* primarily responsible for when criminals target them for deliberate harm.

      P.S: 's/where/were/g'

    6. Re:celebgate by Noah+Haders · · Score: 1

      also, consider that apple automatically backs up phones and this isn't even visible when it's happened (no notice box or anything). I'm not sure if it's the default or not. so celebs may have thought it was local, not in the cloud.

      look, it's a generational thing. the younger generation snaps naked selfies. you probably would too if you were a girl that age. don't be so quick to judge.

    7. Re:celebgate by Revek · · Score: 3, Funny

      I know not of this celebgate. Perhaps I know it by a different name?

    8. Re:celebgate by Lunix+Nutcase · · Score: 3, Informative

      The Fappening.

    9. Re:celebgate by Anonymous Coward · · Score: 5, Insightful

      Are you an iDiot or an iFan?

      My bank allows only five mistakes before locking my account or swallowing my card. I have insurance for my car. If someone steals it (and it happened to me once), it's just a minor annoyance. As for my house, even if it's only a lock and an alarm, the moment the alarm goes off, I'll first get a call from ADT, then the police will come to check it out if I don't answer (most alarm companies here pay the local police to treat their call as a priority call).

      As the OP said, protecting against brute force attack is basic security. This is another major screw up from Apple.

    10. Re:celebgate by Anonymous Coward · · Score: 0

      Celebrities where primarily responsible, they where plain stupid to allow such pictures to be taken, much less store them protected by no more than a password.

      Yeah just like it's plain stupid to have your money accessible via the net and protected by no more than a password ... oh wait! No my bank isn't as stupid as Apple and doesn't allow more than 5 password attempts before it locks out.

    11. Re:celebgate by Anonymous Coward · · Score: 0

      Nice try ... are you being deliberately obtuse?

      Banking is protected by law, any lost money will be reimbursed.

      Cars and houses have insurance.

      What insurance do you have for being an idiot and uploading naked photos of yourself to a cloud provider, when any person with a bloody clue will know how much of a pathetic joke computer security is.

      While it is wrong to blame them for having their photos stolen, it is 100% correct to tell them they're idiots for uploading them in the first place.

      Q.E.D.

    12. Re:celebgate by The_One_Ring · · Score: 1

      Yeah, they should get Steve Jobs back in as CEO to clean up the company. Oh, wait........

      --
      ---- Now, where did I put that knife.....

    13. Re:celebgate by michelcolman · · Score: 1

      I agree, if you do take nude pictures, at least use an old fashioned film roll camera and have the pics developed at a local photo lab.

    14. Re:celebgate by Isca · · Score: 1

      heh. You never worked in a photo lab.

    15. Re:celebgate by Kielistic · · Score: 1

      A multi-billion dollar company told them their photos were "secure". These people are not computer scientists; they cannot judge security on their own. Do you think these people understand the difference in security between their bank and iCloud? In both cases they are trusting in the perceived expertise of those successfully running the services.

      Not even sure what you are replying to either. The parent was clearly not defending Apple.

    16. Re:celebgate by Anonymous Coward · · Score: 0

      Ya, but the online bank is not subject to brute force attack. So what exactly is your point?

      And I don't think car thieves target celebrity cars because their muffler is not worth any more than a non celebrities.

      What I love is that Apple will pay off all the celebs and not a single mention of class action lawsuits will be mentioned by any of them. Seriously. 100 people have nude photos leaked and not a single person is suing? Strange statistical anomaly I'm sure.

      Oh, and remember only the nudes were leaked. So how many celebs actually were hacked? It's not exactly that celebs with nude photos were brute force attacked. They probably got nudes 1% of the time so in reality there were probably 10,000 accounts that are compromised. And how on earth is there no server side notification that there is a brute force attack like this occurring? And here is the more shocking thing. Maybe only photos of people that are famous were leaked. Maybe it wasn't targeted. Have the attackers actually stated this? Has Apple provided any logs proving the extent of the attack?

      Sorry, I am fed up with the world's love for Apple. They sell a consumer toy. Why anyone trusts them with security is beyond me.

    17. Re:celebgate by Khyber · · Score: 1

      "Banking is protected by law, any lost money will be reimbursed."

      Up to $250,000. After that, you're shit out of luck.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

    18. Re:celebgate by Anonymous Coward · · Score: 0

      Have to disagree. The pictures part, sure, but the keychain if you encrypted your backups...
      Source: http://www.elcomsoft.com/phone_password_recovery.html

      Access to all sorts of peripheral stuff was probably in play.

    19. Re:celebgate by Anonymous Coward · · Score: 0

      's/where/were/g' :)

    20. Re:celebgate by TRRosen · · Score: 1

      Your bank account info is private by nature; an iCloud account is not. People will know your email.
      Apple must maintain a balance between security and usability. If Apple were stupid enough to use a 5, 10 or even 20 attempt then cutoff system, it would simply create a huge weakness for DOS attacks. Having a cool-off period after multiple fails is the best strategy; it makes brute force attacks useless as it could take years to get in. Alerting people after failed attempts is useless. Any webmaster knows that every possible point of entry will be subject to constant attempts. People would get these alerts all the time, making them meaningless.
      In the end it is all dependent on the user. The more sensitive what you're protecting, the stronger your passwords need to be.

    21. Re:celebgate by Fwipp · · Score: 1

      Yes, that is what I'm getting at. OP is blaming the celebrities for Apple allowing brute force attacks.

    22. Re:celebgate by Fwipp · · Score: 1

      My point is that bobbied was blaming the celebrities for trusting a password to secure photos, which doesn't actually make any sense of him. Perhaps it wasn't clear in my post, but I also blame Apple for allowing such an obvious security hole.

  2. Shady business is best business! by Anonymous Coward · · Score: 1

    Just like all the retail companies with credit card breaches who hit it from the public so it didn't hinder their optimal selling season, Apple did it to protect the launch of their new baby.

    Scumbags

  3. He was holding it wrong by Anonymous Coward · · Score: 1

    Apple certainly didn't do anything wrong.

    1. Re:He was holding it wrong by Anonymous Coward · · Score: 4, Funny

      No, he was entering passwords wrong. You're only supposed to enter one password not 20,000. The latter is not part of crApple's UX design.

    2. Re:He was holding it wrong by turkeydance · · Score: 3, Funny

      i'm busted. my password was 20000.

    3. Re:He was holding it wrong by Anonymous Coward · · Score: 0

      Not if 00000 is the first one to be tried. You're safe buddy - carry on; but can you first send me a list of places you typically log into so I can verify?

  4. damn bugs! by Anonymous Coward · · Score: 0

    They take so long to fix.......so many sleepless nights squishing bugs....................</whine>

  5. Exploited in real life? by mveloso · · Score: 3, Interesting

    Has anyone actually shown that this was exploited by anyone?

    1. Re:Exploited in real life? by Anonymous Coward · · Score: 0

      Yeah the people who had their images taken from iCloud.

    2. Re:Exploited in real life? by ruir · · Score: 4, Informative

      Apple swears the iCloud fiasco was due to a long-running phishing campaign and not the iCloud bug. Maybe it is true, I do remember last year receiving weeks in a row in my gmail account phishing stating my "Apple account was to be cancelled, and I need to...". The emails really appeared to be the real thing except for the headers. My own family called me to ask if such emails were legit; so I would not be surprised non-technical people and not that smart people have fallen for such schemes. This, coupled with the fact there is no need to access iCloud once you have got the password...you don't even need special software or "law enforcement" software, you just go to icloud.com, and watch the iCloud photo stream. Which comes activated by default with every iPhone, and is a pain in the ass, because once you are in whatever kind of wifi after taking photos, it starts to synchronise. In many parts of the world on holidays with limited wifi it will kill your ability to use the wifi until all the photos are in sync. And about deleted photos appearing, I bet many deleted them locally in the iPhone, but forgot to delete them in iCloud. So no hi tech there, just people being dumb people, as usual.

    3. Re:Exploited in real life? by Anonymous Coward · · Score: 1

      No, but who cares.

      This is Apple bashing, so it MUST be true.

      But while we are at it, this has just come through from our IT department at work.

      "A security bulletin has been released advising of a serious vulnerability with the stock web browser that comes with many versions of Android - the Operating System (OS) used on many smartphones and tablets.

      The vulnerability allows a malicious web page to "read cookies and password fields, submit forms, grab keyboard input, or do practically anything else." - Ars Technica

      As "many as 75 per cent of Android devices and millions of users could be open to attack, according to Google’s own stats, though not all are likely to be using the affected Android Open Source Platform (AOSP) Browser." - Forbes"

    4. Re:Exploited in real life? by Anonymous Coward · · Score: 0

      No, but who cares.

      Yeah totally! Until we can confirm that somebody exploited it it isn't an issue.

      This is Apple bashing, so it MUST be true.

      Well the vulnerability exists, if you call that "apple bashing" then obviously you're a corporate apologist. It's a problem, its existence has been known for a long time and the fix is simple, stop making excuses for them.

      But while we are at it, this has just come through from our IT department at work.

      Yes, quickly, divert attention away from Apple and on to Google instead, that will fix the problem! Why not submit a story about the Android issue (if one hasn't already been submitted already) rather than polluting this one?

    5. Re:Exploited in real life? by Anonymous Coward · · Score: 1

      This is Apple bashing, so it MUST be true.

      If Apple acknowledged and explicitly fixed the brute force flaw how can it not be true?

    6. Re:Exploited in real life? by AmiMoJo · · Score: 3, Informative

      There are forum posts detailing how it was done and offering to do it if people can supply email addresses. It worked by brute forcing passwords, which for celebs isn't hard because you can find the name of their boyfriend or pet with Google. Then software from Elcomsoft was used to download the data from icloud, including deleted images that were in old backups etc.

      Expect it all to be spelled out in detail in the inevitable lawsuits. It will be interesting to see what the dignity of a celebrity is worth.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    7. Re:Exploited in real life? by Anonymous Coward · · Score: 0

      https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/

    8. Re:Exploited in real life? by dcollins117 · · Score: 1

      I would not be surprised non-technical people and not that smart people have fallen for such schemes.

      A well-crafted phishing attack like this appears to be is going to snare a certain amount of people regardless of their intelligence or computer expertise. It's impossible to be vigilant 100% of the time at any task, much less security.

      Also I think the overuse of notifications and popup alerts actively conditions users to respond without really giving it a whole lot of conscious thought. I've caught myself clicking these alerts with "how do I get rid of this annoyance" rather than "what are the security implications of this" in the forefront of my mind.

    9. Re:Exploited in real life? by ruir · · Score: 1

      I have several approaches to this problem. I don't do Windows, and also try to get my extended family not to use it. My father used OS/X and now an iPad, my wife Linux, and me a mix of OS/X, Linux and FreeBSD. Also, my department, due mainly to my influence, is also using Mac. That helps. I also have adblock, disconnected 2, social fixer, Ghostery, clickToflash and some plug-in that blocks animated images. I also routinely inspect and delete plug-ins installed either by OS or software updates. I also use a hosts file with known advert addresses and some I put there that gave me problems (fake AV adverts, betting pages that open out of nowhere for instance). And I also block out google adverts with BIND response policy zones.

    10. Re:Exploited in real life? by Anonymous Coward · · Score: 0

      "A security bulletin has been released advising of a serious vulnerability with the stock web browser that comes with many versions of Android - the Operating System (OS) used on many smartphones and tablets.

      The vulnerability allows a malicious web page to "read cookies and password fields, submit forms, grab keyboard input, or do practically anything else."

      Google has offered the following statement:

      We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP.

      I replaced the bit you forgot to paste. You can thank me later.

    11. Re:Exploited in real life? by Kielistic · · Score: 1

      It will be interesting to see what the dignity of a celebrity is worth.

      The fact that there was even a story about this shows that their dignity is worth vastly more than yours or mine. Not that I think photos have anything to do with dignity.

    12. Re:Exploited in real life? by Anonymous Coward · · Score: 0

      And this has what to do with Apple?

    13. Re:Exploited in real life? by Anonymous Coward · · Score: 0

      There are forum posts detailing how it was done

      No, there were forum posts detailing how it could be done.

      Then software from Elcomsoft was used to download the data from icloud, including deleted images that were in old backups etc.

      That software (Elcomsoft iOS Forensic Toolkit/ Elcomsoft Phone Password Breaker) requires physical access to the device in question. Just look at their website, it has nothing to do with iCloud accounts.

    14. Re:Exploited in real life? by Anonymous Coward · · Score: 0

      it happens. one time I accidentally sent a nude selfie to everyone in my address book. it was embarrassing and cost a fortune in stamps.

    15. Re:Exploited in real life? by AmiMoJo · · Score: 1

      Anonymous Coward owes me a keyboard because I just blew coffee all over mine.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  6. ONE MORE THING... by Anonymous Coward · · Score: 4, Interesting

    I live in the U.S. When I go to Check Order Status in my Apple on-line account (store.apple.com), I find hundreds of orders, none of which are mine, coming from all over Western Europe, dating back to July of this year. I see the items ordered, order numbers, mailing and shipping addresses and e-mail information for them all. I can track shipments, but I can't cancel orders.

    I can tell you the iPhone 5s is still being ordered in significant quantities, but the iPhone 6 and 6 Plus orders are vastly greater and roughly equal in number, particularly for bulk orders.

    I called Apple about this problem immediately, when I first found out about it, after having received a suspicious e-mail from Apple inquiring about my on-line store experience written in French. After calling two more times and seemingly wasting all of those hours talking with Apple representatives, nothing has changed. More orders just keep showing up in my on-line account. I changed my password right away and already had 2-factor authentication in place. No change. The last Apple rep said they would call me back the next day but never did. There seem to be many layers of escalation and every time I called, the time difference between the U.S. and Europe was claimed to be an impediment. The Apple reps could never see the order information either--I always had to read them examples of order numbers over the phone. A brain-dead support system.

    1. Re:ONE MORE THING... by Anonymous Coward · · Score: 2, Funny

      No worries. You were just using the web page wrong.

    2. Re:ONE MORE THING... by sexconker · · Score: 3, Informative

      Create an anonymous Twitter account and start tweeting details and mentioning @Apple . Partially redact them, if you want.
      The only way to get attention from a major corporation is to make a big public stink.

    3. Re:ONE MORE THING... by dgatwood · · Score: 1

      I live in the U.S. When I go to Check Order Status in my Apple on-line account (store.apple.com), I find hundreds of orders, none of which are mine, coming from all over Western Europe, dating back to July of this year. I see the items ordered, order numbers, mailing and shipping addresses and e-mail information for them all. I can track shipments, but I can't cancel orders.

      Somebody with a volume purchase plan account probably made a typo when adding administrator email addresses or something.

      Go here and see if it lets you sign in. If so, contact Apple Store support from within the VPP site and let them know that your Apple ID is incorrectly associated with a VPP plan.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:ONE MORE THING... by Anonymous Coward · · Score: 0

      No, I can't login there. The orders appear from all over Western Europe, including individuals and many companies with no apparent relationship to one another (or to me!) A few orders are tiny, just for an accessory like a charger or cable, while others include multiple Mac Pros or many new iPhones.

    5. Re:ONE MORE THING... by Anonymous Coward · · Score: 0

      I hate to do it, but sadly you might be right. It might be even faster to send an e-mail to each of the people listed on the orders and have them complain to Apple. Their full contact information is displayed when I click on "Show Order Details".

    6. Re:ONE MORE THING... by mccalli · · Score: 1

      That's a serious one - take it to the exec team. Used to be that if you mailed sjobs@apple.com and you had something valid, you would get a reply. I had my laptops sorted out in this manner.

      It might be the address to use these days is tcook@apple.com, but I'll bet the same system exists.

    7. Re:ONE MORE THING... by Anonymous Coward · · Score: 0

      I have exactly the same thing, different companies, different products. But they all seem to be business (non-operator) orders. Good to see that you don't get a discount if you order 100 iPhone 6. I went to the Apple store and showed it. They called their support and the only thing they did was disable my account. Thanks for nothing. :(

    8. Re:ONE MORE THING... by HornWumpus · · Score: 1

      Can you change all the shipping addresses on pending orders to a local mail drop or PO box? How about 300 I street, Sacramento CA (Jail).

      That will get their attention, right quick.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'

    9. Re:ONE MORE THING... by dgatwood · · Score: 1

      Hmm. Maybe your Apple ID is associated with some magic sentinel value, like NULL. :-D

      File a bug report at bugreport.apple.com.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

  7. Not Brute Force by abhi_beckert · · Score: 3, Interesting

    "Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account."

    20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.

    I find it hard to believe anyone was actually vulnerable to this.

    1. Re:Not Brute Force by Anonymous Coward · · Score: 4, Insightful

      I'd say 20,000 attempts is plenty. There have been enough leaks of real passwords from all over the web to compile an extremely accurate list of 20k of the most used passwords. Unless you are computer literate and security conscious enough to use a unique, randomly generated password for everything, there is a fair chance you've used one of the 20k passwords for something.

    2. Re:Not Brute Force by aardvarkjoe · · Score: 5, Informative

      20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.

      I find it hard to believe anyone was actually vulnerable to this.

      While you're correct that 20,000 attempts is too small to "brute-force" a password (by trying all combinations of characters), it's plenty to do a dictionary attack. If you can try 20,000 popular passwords on a whole bunch of accounts, you'll almost certainly be able to break some of them.

      --
      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    3. Re:Not Brute Force by MatthiasF · · Score: 4, Insightful

      Or just grab a list from one of those studies of stolen passwords and sort by most used password.

      Pretty sure one of the top 20,000 passwords on those lists will get you into 80% of the accounts out there.

    4. Re:Not Brute Force by ljw1004 · · Score: 3, Funny

      20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.

      I find it hard to believe anyone was actually vulnerable to this.

      20,000 not brute force?!! Would you call it "subtle and refined"?

    5. Re:Not Brute Force by Anonymous Coward · · Score: 3, Interesting

      http://uwnthesis.wordpress.com/2012/08/30/top-10000-passwords-are-used-by-98-8-of-all-users/

      The top 10k passwords are used by 98.8% of all users. 20k would get them plenty!

    6. Re:Not Brute Force by Eythian · · Score: 5, Insightful

      Probably he stopped there. It's enough to be fairly sure there's no brute force protection in place.

    7. Re:Not Brute Force by Elbart · · Score: 1

      tender trying.

    8. Re:Not Brute Force by gnasher719 · · Score: 1

      I'd want to see where this information comes from. There are websites where I have no idea why the idiots want a password from me, so it is entirely possible that many users of such a site would use stupid passwords. And use a much safer password for their AppleID password.

    9. Re:Not Brute Force by HornWumpus · · Score: 0

      These are MacIdiots (iIdiots?) we're talking about.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'

  8. Monorail by sexconker · · Score: 5, Funny

    Well, sir, there's nothing on Earth
    Like a genuine, bona-fide
    Electrified, six-inch iPhone 6 Plus.
    What'd I say?

    iPhone 6 Plus!
    What's it called?
    iPhone 6 Plus!
    That's right! iPhone 6 Plus!

    iPhone 6 Plus.
    iPhone 6 Plus.
    iPhone 6 Plus.

    I saw those leaks they had me wowed.
    We've made some changes to iCloud.
    Is there a chance the phone could bend?
    Not on your life, my hipster friend.

    What about us brain-dead slobs?
    You'll just worship Mr. Jobs.
    What's the point of that huge bezel?
    Just more space for fans to revel.

    16 gigs is too little space.
    Pay the upcharge to keep pace.
    I swear this phone's your only choice,
    Throw up your hands and raise your voice.

    iPhone 6 Plus!
    What's it called?
    iPhone 6 Plus!
    Once again.
    iPhone 6 Plus!

    But iOS is still shitty and broken.
    Sorry, Slashdot, the mob has spoken.

    iPhone 6 Plus!
    iPhone 6 Plus!
    iPhone 6 Plus!
    iPhone 6 Plus!

    iPho, d'oh!

    1. Re:Monorail by Anonymous Coward · · Score: 1

      Pretty good.

      What's it like being a homophobe?

    2. Re:Monorail by Anonymous Coward · · Score: 0

      This is fantastic. You sir, win the internet.

  9. And ... ? by Anonymous Coward · · Score: 1

    The Fappening had nothing to do with brute force attacks and everything to do with security questions answered with publicly available information.

    1. Re:And ... ? by DaHat · · Score: 0, Troll

      And you know this how?

      You may be right.... but unless you've got some specific evidence you are speculating just as much as any explicit pointing to this vulnerability as the exploit used in the hack.

    2. Re:And ... ? by Anonymous Coward · · Score: 0

      And you know this how?

      They don't. It's just knee jerk Apple defense.

  10. Hire a security expert by myid · · Score: 1

    I wish Apple would hire a security expert, and have him/her work directly for Eddy Cue.

    1. Re:Hire a security expert by Anonymous Coward · · Score: 0

      Apple products are secure through pixie dust and iTardery. There is no need for stoopid security experts.

  11. iBrute + EPPB Police Tool = mimics iOS device by Anonymous Coward · · Score: 1

    See

    http://www.wired.com/2014/09/eppb-icloud/

  12. Ibrahim Balic... by grouchomarxist · · Score: 1

    Ibrahim Balic is the researcher who in the past claimed to have been responsible for uncovering a flaw that brought down Apple's Dev Center. As it turned out, he uncovered a lesser problem around the time a more significant flaw was exploited. It seems that he is a bit of an attention seeker, so I would take anything that comes from him with a grain of salt.

    I can't find the exact links that cover the older story, but here are some related ones:
    http://www.cultofmac.com/24151...
    http://9to5mac.com/2013/08/20/...
    http://venturebeat.com/2013/07...

  13. I stumbled on this one a while ago by EmperorOfCanada · · Score: 2, Interesting

    I was helping someone with their forgotten iCloud password and we tried a few dozen variations. My incorrect guess was that instead of telling me to go to hell, it was playing some odd game such as letting me try passwords while ignoring me to waste my time.

    It simply never occurred to me that this was a ginormous security hole staring me in the face. What exactly is happening at Apple? There is Bentgazi, iOS 8 killing iPhone 4s and iPhone 5, iOS 8.0.1 killing iPhone 6, apparently a last minute screen switch away from sapphire, plus many subtle other things such as it doesn't seem like they are using liquid steel in their cases, and the whole U2 spam crap, which it turns out they wrote a massive cheque to U2 for. Then there is the collective yawn over the iWatch. But worst of all is the total lack of a substantially new product in years. Basically the business model at apple has been to steamroll all their older product lines with something mind-boggling. But they seem to have stalled. iPhone sales are awesome but if you look at the history of all of Apple's previous products they basically had their day in the sun and then were eclipsed by the latest and greatest apple product. iMacs, iPods, iPod touches, Nanos, iPhones, iPads, and now the iWatch. I think that the iWatch will end up sitting alongside the Apple TV, not eclipsing anything.

    1. Re:I stumbled on this one a while ago by shrik3 · · Score: 2

      Ok, I'll bite. What, to you, counts as a "substantially new product" from - say - Samsung, HTC, Nokia or any other mobile manufacturer?

      Please exclude any devices that have only bigger X and faster Y and more Z, since that's not substantially new.

    2. Re:I stumbled on this one a while ago by Bing+Tsher+E · · Score: 1

      So you are saying Apple is equivalent to those companies you named? Many of us agree.

    3. Re:I stumbled on this one a while ago by EmperorOfCanada · · Score: 1

      By substantially new I mean something like the difference between an iPod and an iPhone; that was a huge leap which was actually derided at the time. The general opinion was that Apple should stick to music and leave the phones to the big boys like Motorola. My basic point is that each Apple product has faded after a great new leap came out. The MacBook business is still huge but pales in comparison to the iPhone business, as does the iPod business. So, assuming that iPhones will slowly fade at some point, what is going to replace them? Or is Apple planning on the iPhone not fading, and has no desire for a new product? This would be a huge change from their successful pattern.

  14. Denial of service by dutchwhizzman · · Score: 1

    How easy is it to lock someone's account and access to all of their data in the cloud by simply throwing 5 bad logon attempts at their account name? How would you feel if someone were to do that every hour, using a botnet, forcing you to go to an Apple Store, show your ID and have your fingerprint scanned just to unlock your account?

    Yes, this may be slightly exaggerating the situation, but simply locking someone's account because someone else made 5 attempts to log on to it isn't going to work in practice. You'd have to deal with oodles of users that got locked out of their stuff, and tarpitting only slows the brute-force attempts down.

    --
    I was promised a flying car. Where is my flying car?
    1. Re:Denial of service by Anonymous Coward · · Score: 0

      tarpitting only slows the brute force attempts down

      Pretty effectively, though. Limiting to, say, 5 attempts in a minute (more than reasonable for a human user) can push the brute-force time for a single password out to years. More than enough to defeat that method. Brute forcing needs to allow thousands of guesses per second to be practical.

      Dictionary-based attempts are harder, of course, since you need fewer guesses, although they won't work on strong passwords. Likely that's what was actually done.

  15. Yes, brute force. by Anonymous Coward · · Score: 0

    2e4 attempts is pretty good when you are dealing with humans who use real and common words for passwords. Then consider that we have hundreds of thousands or millions of accounts (1e6). Then consider my botnet with tens of thousands of computers (2e4). Then we have ~4e14 attempts. That is brute force.
    I run denyhosts and have it set to deny IP addresses after _4_ attempts. That stops brute-force attacks. 2e4 does not.
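    The two policies argued about in comment 14 and its reply, and the botnet point in comment 15, as an added example (not code from the article or from Apple): a toy model of account lockout versus a per-source sliding-window throttle, run against a constructed burst of bad guesses from several bot IPs followed by the real owner's login attempt. The account name, the IP addresses (RFC 5737 documentation ranges) and the 10 ms spacing between guesses are constructed; the "5 attempts" thresholds are the thread's own figures.

```python
"""Two login-throttling designs under a distributed guessing attack (added example)."""
from collections import defaultdict, deque


class AccountLockout:
    """Policy 1: lock the account after N failed guesses from anyone.

    Stops guessing dead, but anyone who knows the account name can lock
    its owner out: the denial-of-service concern in comment 14.
    """

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def allow(self, account, source_ip, now):
        return account not in self.locked

    def record_failure(self, account, source_ip, now):
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)


class PerSourceThrottle:
    """Policy 2: at most N failures per (account, source IP) in a sliding window.

    The owner on their own IP is never blocked by someone else's guesses,
    but every extra bot IP buys the attacker another N guesses per window,
    which is comment 15's botnet point.
    """

    def __init__(self, threshold=5, window=60.0):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # (account, ip) -> failure timestamps

    def allow(self, account, source_ip, now):
        q = self.events[(account, source_ip)]
        while q and q[0] <= now - self.window:  # expire failures outside the window
            q.popleft()
        return len(q) < self.threshold

    def record_failure(self, account, source_ip, now):
        self.events[(account, source_ip)].append(now)


def simulate(policy, bot_count, guesses_per_bot, account="victim", owner_ip="203.0.113.7"):
    """Fire a burst of wrong guesses from `bot_count` IPs, then let the owner try.

    Returns (guesses the policy let through, whether the owner can still log in).
    Every attacker guess is wrong; the point is how many the policy accepts and
    who ends up locked out, not whether the password falls.
    """
    bots = [f"198.51.100.{i}" for i in range(bot_count)]  # constructed botnet
    now = 0.0
    accepted = 0
    for ip in bots:
        for _ in range(guesses_per_bot):
            if policy.allow(account, ip, now):
                accepted += 1
                policy.record_failure(account, ip, now)
            now += 0.01  # 10 ms between guesses (constructed)
    owner_ok = policy.allow(account, owner_ip, now + 1.0)
    return accepted, owner_ok


if __name__ == "__main__":
    for bots in (1, 10, 200):
        lock = simulate(AccountLockout(), bots, 20)
        thr = simulate(PerSourceThrottle(), bots, 20)
        print(f"{bots:4d} bots  lockout: {lock}   per-source throttle: {thr}")
```

    With account lockout the attacker gets exactly 5 guesses and the owner is locked out regardless of how many bots were used; with the per-source throttle the owner always gets in, but 200 bots get 200 × 5 = 1000 guesses inside one window. Neither model alone is enough, which is why real deployments combine a per-source throttle with a per-account rate cap and a step-up (CAPTCHA, second factor) rather than a hard lock.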

  16. Lies by Anonymous Coward · · Score: 0

    NO! The Apple PR team said that this was not caused by a security vulnerability, that it was a targeted attack, and that everyday users of iCloud have nothing at risk.

    Oh, wait. I guess what they said was accurate but basically a bunch of nonsense PR speak.

  17. More like 2 characters long by tomxor · · Score: 1

    Given that in most systems the allowed characters are numbers and letters with case sensitivity, you only get this far:

    alphanumeric:
    36^2 = 1296
    36^3 = 46656
    so you only get 2

    case-sensitive alphanumeric:
    62^2 = 3844
    62^3 = 238328, also only 2

    Not that it matters, because like others say, you would use this to do a brute force with a dictionary attack; this is still generally termed brute force, though.
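    The keyspace arithmetic in comment 17, and the "years for a single password" claim in the reply to comment 14, carried through as an added example (not from the article). It extends the comment's figures in two ways: it counts the keyspace cumulatively over all lengths up to L, which is what a brute-forcer walking lengths in order actually spends, and it converts a throttled guess rate into wall-clock time. The 20,000-guess budget comes from the article summary, the alphabet sizes from comment 17 and the 5-guesses-per-minute rate from the reply to comment 14; the 6- and 8-character reference lengths are assumptions for illustration.

```python
"""What 20,000 guesses buy against a password space, and what a tarpit does to the clock (added example)."""

ALPHABETS = {
    "digits": 10,
    "alphanumeric": 36,
    "case-sensitive alphanumeric": 62,
    "printable ASCII": 95,
}


def longest_exhaustible_length(alphabet_size, budget):
    """Largest L such that every password of length 1..L fits inside `budget` guesses.

    Cumulative: 36 + 36**2 + ... must stay within the budget, not just 36**L.
    """
    spent, length = 0, 0
    while spent + alphabet_size ** (length + 1) <= budget:
        spent += alphabet_size ** (length + 1)
        length += 1
    return length


def coverage(alphabet_size, length, budget):
    """Fraction of the exactly-`length` keyspace that `budget` guesses can cover."""
    return min(1.0, budget / alphabet_size ** length)


def years_to_exhaust(alphabet_size, length, guesses_per_minute):
    """Wall-clock years to try every exactly-`length` password at a throttled rate."""
    minutes = alphabet_size ** length / guesses_per_minute
    return minutes / (60 * 24 * 365)


def budget_report(budget=20_000, throttle_per_minute=5):
    """One row per alphabet: exhaustible length, coverage of 8 chars, years for 6 chars.

    The 6- and 8-character reference lengths are assumptions for illustration.
    """
    return {
        name: {
            "exhaustible_length": longest_exhaustible_length(n, budget),
            "coverage_of_8_chars": coverage(n, 8, budget),
            "years_for_6_chars_throttled": years_to_exhaust(n, 6, throttle_per_minute),
        }
        for name, n in ALPHABETS.items()
    }


if __name__ == "__main__":
    for name, row in budget_report().items():
        print(f"{name:28s} exhausts up to {row['exhaustible_length']} chars; "
              f"8-char coverage {row['coverage_of_8_chars']:.2e}; "
              f"6 chars at 5/min: {row['years_for_6_chars_throttled']:.0f} years")
```

    The numbers bear out both comments: 20,000 guesses exhaust only two characters of any letters-and-digits alphabet (four digits if the secret is a PIN), and at five guesses a minute even a six-character case-sensitive alphanumeric password takes on the order of twenty thousand years to enumerate. The budget only matters against a dictionary, where 20,000 guesses is a very comfortable wordlist.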

  18. Different marketing by phorm · · Score: 1

    While they have their flagship products (Galaxy S? for Samsung), those vendors also sell multiple different models targeting multiple market segments, so one thing they've got going is that they've got phones at a lot of different price/feature points.
    If you're talking about Samsung: NFC, Infrared, water resistance/proof, tap, screen mirroring standards, wireless charging (yes, Apple has NFC too but it's also a year later).

    I believe somebody (Song?) was looking into cool tech like 3d/spatial scanning etc.

    For features that aren't new but make the phone attractive: user removable battery, SD card slot (so you don't need to buy a new phone to upgrade).

    The thing is, Apple was once known for bringing new features that really stood out. The one thing in recent phones I'd say makes the iPhone attractive is the fingerprint authentication (though I get similar functionality with a tethered smartwatch). For stuff like NFC, payments, and larger screen sizes they're actually playing catch-up.
    The new iOS is actually slower in many cases and certainly no better on batteries, while Android L is set to boost battery life and performance (caveat: may not work on 32-bit phones from my current readings).

  19. Different marketing by Anonymous Coward · · Score: 0

    a year later?

    NFC is in my Galaxy Nexus bought in 2012

  20. RTFA by Plumpaquatsch · · Score: 1

    "While the exploit Balic says he reported to Apple shares a stark resemblance to the exploit allegedly used in the so-called "Celebgate" hack, it is currently unclear if they are the same vulnerability."

    Not even directly said in the article, only in the screenshots of the emails: "Same issue consists with other companies too", "found the same issue with Google"

    --
    Of course news about a fake are Fake News.
  21. Kinda.... by pcwhalen · · Score: 1

    "Banking is protected by law, any lost money will be reimbursed."

    The controlling federal laws are the Fair Credit Billing Act (FCBA) and the Electronic Fund Transfer Act (EFTA) (15 U.S.C. 1693 et seq.). If you report an ATM or debit card missing before someone uses it, the EFTA says you are not responsible for any unauthorized transactions.

    However, unlike credit cards, if someone makes unauthorized use of your debit or ATM card and you do not report the transactions within 2 business days but do report them less than 60 calendar days after your statement is sent to you, you are liable for $500. After 60 days: “All the money taken from your ATM/debit card account, and possibly more; for example, money in accounts linked to your debit account.”

    http://www.consumer.ftc.gov/ar...

    "Cars and houses have insurance."

    Yes, but there are deductibles to pay, hundreds if not thousands of dollars before the insurance company begins to reimburse the insured.

    Civilians do not understand what /. readers know: internet security is illusory. That's why we have encryption. It's not that they don't have "a bloody clue." They are not computer literate, don't know what an IP address is and couldn't tell you why a denial of service attack is bad.

    Civilians have been told the internet is a safe place to buy things, send images by email and store payment data and the like. They believe it. Those people did what are in retrospect foolish things, merely because they believed what they were told.

    The only way to never see yourself naked on the internet is to never take nude photos. Period. After that, it's just a matter of percentage of chance. Not fair or right, but true.

    --
    Pay no attention to the man behind the curtain with all your metadata.
  22. Good job by iampublishers · · Score: 1

    Yeah, it's a good job for the hacker; he can unlock the iCloud accounts of many box-office actresses and we can see the pictures. If some people can crack iCloud, how about other features from Apple?