Apple should be sued over the data leak
Data security is their responsibility. They made the app with a security fault.
NYC_SKP (68,644 posts)
Apple gear is already expensive enough.
TDale313 (7,820 posts)
They'll donate any settlement/judgement. And frankly, I'm not too fussed about Apple or Apple's insurance company's bottom line. Apple products are expensive cause the market will bear it, not cause they cost that much to make. *if* they screwed up and it caused this breach (big if) then they should pay. No one, not even rich young starlets, deserves to be violated in this fashion.
NYC_SKP (68,644 posts)
Apple has gone too far, IMO, in making my data LESS secure.
Automatically enabling iCloud, for example.
Updates that make changes without due notice, and other crappy things.
TDale313 (7,820 posts)
This hit some powerful people. Whether because they're forced to or because they understand it would be wise for them to do so, I would hope this makes Apple reexamine security for their systems/devices. I don't know if there was fault on their part, but one would think they'd be frantically looking to see how this could be avoided in the future.
TDale313 (7,820 posts)
No idea if it'd be successful, but some of those impacted have the resources and contacts to fight back on this.
jakeXT (10,575 posts)
Read more: http://www.businessinsider.com/apple-statement-on-celebrity-hacking-2014-9
ann--- (1,933 posts)
blaming the victim? Apple was hacked - they didn't do the hacking.
PeaceNikki (27,985 posts)
That's why. They weren't the victims, their customers were.
That's very basic security design. Limiting the number of password attempts is data security 101.
Erich Bloodaxe BSN (14,733 posts)
That's totally bush league.
PoliticAverse (26,366 posts)
cascadiance (19,537 posts)
The problem is that if you don't design security questions, etc. to get access to an account to take into account that some people have very public lives where many of those security question answers are publicly available, then you have a flawed system. I know that Yahoo revised a lot of their methodology for retrieving forgotten passwords after that, to avoid such circumstances and ensure that whether a person's personal life is well known or not, the procedures for getting into an account where someone has forgotten a password are secure.
I won't go into details on flaws like these in general, but there are other ways that sometimes corporate systems have problems with security of data internally and otherwise that need revamping, as I've seen it at times and helped fix some of those holes myself, but often times, the fundamental design still should be changed to make it better. That is the problem when you also get companies too big with oligopoly power, where they don't worry as much about this sort of problem when someone's account gets jeopardized and calls them out in public if they know what's happened, since often times, people don't have another option to go to in the marketplaces we have these days and their experiences get lost in the ethers.
ann--- (1,933 posts)
never states unequivocally in writing, anywhere, that everything on icloud is totally safe.
PeaceNikki (27,985 posts)
Including the many you deleted and/or had hidden.
I suspect you're not really concerned for the victims. But it's cute that you're concerned for Apple.
liberalmuse (18,672 posts)
I told someone that iCloud was extremely secure.
Erich Bloodaxe BSN (14,733 posts)
The statement they've put out is that individual accounts were hacked, not that there is a 'security fault' in an app.
Did you find something that suggests otherwise?
Yavin4 (35,453 posts)
Also, data is automatically saved there. It's their responsibility to secure data.
If I put my money in a bank, and the bank gets robbed, I still get my money back.
jberryhill (62,444 posts)
There's a reason for that.
You contract for whatever the heck they give you.
And in big un-missable print it says, "tough shit."
Blue_Tires (55,445 posts)
absolving them from responsibility...
ann--- (1,933 posts)
storage is secure but individual accounts' passwords are not.
They also give a way to make it more secure.
This, from the icloud site, is for those who think taking pictures on an iphone ends there.
My Photo Stream
Your photos everywhere. In a flash.
When you take a photo on an iOS device or import one from your digital camera, iCloud automatically pushes it to all your iOS devices, iPhoto or Aperture on your Mac, and the Pictures library on your PC. To conserve storage space, the photo stream on your iPhone, iPad, and iPod touch holds only your newest 1000 photos. Photos are stored for 30 days, so you have time to delete any you don't want or save the ones you do. On your Mac, every picture from your photo stream is downloaded right to your photo library.
elias49 (4,259 posts)
Didn't get it back and no-one's in jail.
phil89 (1,043 posts)
I'm sure the A list celebrities will be just fine without people taking up their causes.
Xithras (16,191 posts)
The problem with account lockouts is that they only work on low value targets. With high value targets (user accounts belonging to the rich and famous, for example), it's pretty much a given that their accounts will be under constant bombardment from blackhats and other interested parties looking to get in. Nobody is going to brute force your grandmother's iCloud account because she's old, and boring, and the odds that her account will contain anything remotely interesting are somewhere around zero. Actors like Jennifer Lawrence, on the other hand, are potentially high value targets and their accounts are worth spending an extended amount of time trying to infiltrate. Distributed infiltration networks can spend months brute forcing a single account, and it's considered worthwhile by the hackers because nearly anything they pull from the accounts is going to have some sort of value (and remember, these leaks were initially released by a group looking for financial gain, and not script kiddie thrillseekers).
The problem here is simple. Lockouts are generally only beneficial to those with a low probability of being hacked. Individuals with a high probability of being hacked would find these services unusable if lockouts were in place, because their accounts would be in a constant locked state. This would have the impact of effectively banning high profile individuals from using these services. It would also have the effect of granting third party groups a new Denial of Service vector against these accounts. Don't like what Jennifer Lawrence is posting on Twitter? Fine, just bang on their login page with a junk password until her account is locked out. Want to keep Jennifer Lawrence off Twitter forever? Just write a script to keep banging on it over and over again, to keep the account in a constant lockout state. Want to break Jennifer Lawrence's iPhone because you're a weirdo who likes to annoy famous people? Just do the same thing to her iCloud account.
All security is a compromise, and there are good reasons why lockouts aren't widely used nowadays. I work for a company that writes custom enterprise software for clients around the world, and we do security consulting for a number of tech companies around the Bay Area (including a few you've probably heard of). Account lockouts aren't a security solution that we even consider. It's an outdated and amateurish security concept that often creates more headaches than it solves. We once had an educational services client that used lockouts on its distance education portal...which was removed after students discovered that they could lock instructors and other students out of the system entirely simply by writing some lockout scripts. Students were using that trick to force tests to be rescheduled and to extend homework deadlines (Don't have your homework done on time? Lock the entire class out to force the instructor to either fail the entire class or assign a new deadline!)
If you want to secure web services, the solution is to move away from our archaic username/password model and instead use multi-factor authentication, biometrics or some other form of user authentication that can present a reasonable challenge to a modern blackhat. iCloud actually does support two factor authentication, and any iDevice user who really cares about their security should be using it today. None of the actors hacked in the recent attacks would have been victimized if they'd had two-factor authentication enabled. Most people do not have it turned on, and simply rely on the default low security username/password model.
Until the Internet collectively decides that it's time to boot single factor authentication for good, this sort of thing is going to keep happening. Lockouts won't solve anything.
Yavin4 (35,453 posts)
Of course, lockouts are not the ideal, and I never said that it was. Update your reading comprehension skills. When you offer no protection at all, then that is a major failure.
Also, you stated:
Apple did not offer any security AT ALL, and therefore, should be held liable.
Xithras (16,191 posts)
Apple did indeed offer security. It sucked, but they are under no legal obligation to offer security at all. They could have allowed any random person to browse any of those files without any sort of authentication, and as long as they weren't marketing the service as "secure", then they haven't assumed any legal liability. If you choose to use the service, you are choosing to accept the product as-is (and the as-is statement is ubiquitous in just about every software license in existence).
Apple didn't market their iCloud as having top notch multi-factor authentication, so they can't be sued for failing to offer it (well, you can sue, but you'll be laughed out of court, and under California law you may just find yourself paying Apple's legal fees to boot).
Apple marketed the product as using standard, single factor username/password authentication. That authentication worked exactly the way it was advertised and designed. The fact that it's a crappy form of authentication isn't that relevant legally, because the users accepted it when they clicked "I Agree" on the licensing page.
As to the lockout: Where I work, we'd seriously question the skillset of any software architect who proposed adding a lockout to a login screen in an application we were proposing to a client. It's not that they are "better than nothing". It's that they actually provide exploit tools and make applications unusable for the people who ARE being targeted, without offering benefit to those who aren't. Because the point of security is to protect users, and not to chase them away, lockouts are counterproductive and useless. If someone is trying to hack Jennifer Lawrence's account, telling Jennifer Lawrence that she is not allowed to use the service anymore is not an acceptable solution. Creating a situation where an external user can potentially deny access to hundreds or thousands of users in a coordinated lockout attack is also unacceptable. It is NOT a tool that professional software security architects employ nowadays.
Yavin4 (35,453 posts)
And for the last time, I am not, nor have I argued, that a lockout screen is the be-all-end-all solution to data security. I just said that allowing for brute force attacks through scripts violates basic data security. Should it have been more intricate than a lockout? FUCK YES. It should have been!
As for suing Apple, if they didn't care about data security nor feared a lawsuit, then why are they investigating the leak?
Logical (22,457 posts)
TransitJohn (6,932 posts)
have taken responsibility for security themselves, and furthermore agreed to arbitration to keep any action out of court. People just click shit and don't read.