If you don't want any naked pix
of yourself (celebrity or not) on the internet, just don't take any.
There, fixed.
The Federal Bureau of Investigation and Apple are examining the theft of a large cache of naked celebrity photos, thought by many to have been snaffled from the fruity firm's iCloud backup silos. As El Reg reported yesterday, the photos depict Jennifer Lawrence, Kate Upton and around 100 others, and are thought to have been stolen …
Not wishing to pop your anti-Apple bubble, but you do actually need to set that sync up. I know, because I have such a device and have not configured the sync process. In fact, I checked all the settings and they were off by default so I didn't have to opt out either.
More facts, less mindless bleating please.
Can we stick to facts and not hyperbole? (Isn't that the job of Reg hacks?)
iDevices upload stuff to the fluff automatically without user say-so just as much as Android or anything-else-a-droid does. You can turn all that auto cloud s*it on if it floats your boat, or leave it all off. (iOS photostream is, for one, an opt-in choice, not an opt-out one). Your choice of platform is pretty much irrelevant in this context - whatever your bozophone can do in this regard, so can mine if I want it to (or not). Who cares?
This yawngasm inducing fanboi/fandroid shit is sooooo last conversation. Move along, citizens, f*ck all to see here.
@andreas koch
No, just don't take them with your phone. Use a standard digital camera and upload them straight away to your computer and then delete them from the phone.
Even if you have no cloud sync set up on your device, scores of smartphones are lost and stolen daily, not to mention the potential for a friend/parent or - much worse - child to pick up your phone and find the nudie-snaps.
I feel genuinely sorry for these people as it is a gross breach of privacy but in this day you simply must understand the if you want to use it.
There's no need to delete them from the phone if I used a standard digital camera . . . Cough. I'm sure that's not what you wanted to say.
I go by the rule that if I don't want it to be known or seen, I'll not tell or show it. Especially if it can be connected to me.
. . . and in my book putting it into any cloud as a usable file is showing. If I really, really need to back up to a cloud service, then the file is locally encrypted first and then uploaded. Encryption by the service is not acceptable as far as privacy is concerned.
But surely pics of naked celebs would not be in the celebs' cloud storage but in the account of the person who took the photos.... Unless celebs give their phones to take naked photos of themselves... Which given the narcissistic nature of some celebs is totally possible I suppose.
The way I interpret the reporting elsewhere, at least some of the photos were "professionally taken" so that is a possible leak point. Even at that, I expect the celebs have copies of them in their "private" portfolios. So where the loss of custody happened is not clear.
Also, while weak passwords are usually the culprit, remember that isn't necessarily the weakest link. Hackers might also have trawled the password reset questions, and given the obsessions with celebrities, may have cracked those instead after searching the internet for the answers.
iCloud is cloud service done right. It stores your music, photos, apps, calendars, documents and more
So if iCloud has been open to attack ANYONE could have had ANYTHING taken.
This is MUCH bigger than 100 celebs with some dodgy pics. Apple need to fess up, and not doing so is grossly irresponsible.
The real tragedy in all this is not that people have seen those celebs in the buff, but that they have done so without paying the usual fee. Hacking someone's account, or even many people's accounts, is bad enough, but infringing a celeb's copyright on their bootay is unforgiveable.
And remember, a great many Apple IDs have a home address, phone numbers and CC information all dutifully filled in from the original purchase of the device at the online store or so the app store 'just works'.
It's a disaster waiting to happen. Oh it just has. Again.
I frankly think we should have more of these disasters.
Makes ISIS, Ebola, the resurgent Recession, and the NATO-embiggening show in the ex-Soviet countryside that we need to fight because of reasons moneyed neocon interests look tame in comparison.
As El Reg reported yesterday, the photos depict Jennifer Lawrence, Kate Upton, Ariana Grande
Woah, I nearly misread this as photos of decrepit. I was worried of getting older fast.
@Destroy All Monsters
Indeed, it will be a welcome distraction helping the media to continue keeping our attention from the fact that a lot of the "Little Green Men" on the east side of the Ukrainian conflict are speaking Serbian and their equivalent "Little Green Men" on the west side of the conflict are speaking Croatian, and they are replaying the same conflict for the 3rd time in the last century. Score so far is 1:1, popcorn to observe the outcome of the third one. Disclaimer - I have seen some of them myself this summer taking a short stop in one of the few remaining EU cities that still has flights to Ростов на Дону.
It has been extremely entertaining watching the Western mainstream media go to extreme lengths to ensure that this "entertaining" detail is not aired in any "news". In fact they have been better at that than previously (during the Kosovo war the video footage often contained the Chechen, Syrian and Libyan "volunteers"). After all, if you air it, it will become clear what will be next (NATO bombing) and how long it will last (15 years and counting).
It is lovely when we have a "disaster" like that - it helps keep the attention of the sheeple from what is really happening out there. Bring it on, let's have more celebutard leaks.
@Dan 55
>And remember, a great many Apple IDs have a home address, phone numbers and CC information all dutifully filled in from the original purchase of the device at the online store or so the app store 'just works'.
As much as I like to dish Apple, you would be able to see the tel and address (the latter you can find out online, BTW). As for CC info? Are you nuts? You can only see the last 3 or 4 digits of the CC, just like on receipts... OK, they could use the account to purchase stuff in the app store, but they would probably get caught doing that.
So, yeah, they might have her cell phone, what you gonna do, call her?
"Hello, this is Dan 55, I hacked into your iCloud account and got naughty pics of you ..."
"Apple does not limit the number of password entry attempts users can make"
WTF?!?
And there ends any pretence that weak security is a Microsoft problem.
Someone, somewhere, inside Apple took a decision to effectively remove security to enable a feature. That person doesn't have any business being near technology, at any vendor, and should be looking for work more suited to their talents.
"Apple does not limit the number of password entry attempts users can make"
WTF?!?
That is the case in many online services where they don't even implement rate limiting or a progressive incremental retry delay on failure, but the risks with an Apple account are much bigger because it's basically SSO - one password to rule it all. /Not/ good.
"...it is not your fault if you are using bad passwords because you are celebrities, not nerds".
That's not how security works. "Nerds" may elect to use full-disk encryption or some other less-used/more-complex security, true. But *everyone* needs to use secure passwords. At least for stuff they care to keep secure. It's not a complex concept, really.
Speaking of security: Apple doesn't have brute-force mitigation in place...? Excuse me while I clean the floor before I ROFLOL... :-)
>But *everyone* needs to use secure passwords. At least for stuff they care to keep secure. It's not a complex concept, really.
Not a tricky concept, but a PITA in practice. Such is life! Some people advocate the use of password managers, though only last month The Reg reported a security failure in a popular example of the breed.
Personally, I use the tiered approach, so might reuse the same password across low value sites (seldom-visited forums, for example) whereas email and banking sites get complicated (non-dictionary, UPPER lower case, !"£$, numbers, mixed up) passwords.
...as long as you stick to words, and use more than one.
I used a similar scheme to the one you describe, and then I read this (posted by another El Reg forum user a few months ago):
http://xkcd.com/936/
I'm not ashamed to say I was embarrassed by this revelation, and have started to apply the principles to my passwords. Unfortunately a lot of sites insist on relatively short passwords.
I just reset an older password on XXXXX and found that the "upgraded" security would not let me use anything other than alphanumeric - no special characters allowed! Since this was one of my "low risk" passwords, it is not critical, but I am glad I don't use this particular XXXXX for anything critical.
Once you buy into the 'Apple' ecosystem you TRUST them to do it all for you. You'll never get a viral attack but you'll find your naked arse plastered all over the internet though. Unlimited number of password attempts to access iCloud? WTF! I'd rather use antivirus software and take my chances with a virus/worm attack on a Windows/Linux PC.
On the other hand, most cloud services don't have limits, or the limits are large. Some may slow down the retries if they hit a certain number, or block an IP address for a few hours. Or require email verification (probably the best method), if a certain number of attempts are made.
If they locked the account every time a few wrong attempts were registered, many users would spend much of the day re-enabling their account - okay, they would then see that they are under attack and they might change their password, or enable second factor authentication.
Brute forcing attempts are probably something most cloud services have to put up with every day. How would push email work, if your account is getting locked every 15 minutes?
There needs to be a replacement for passwords. I agree unlimited attempts is wrong, but so is simply locking the account.
There's a lot that can be done to make brute-force attacks useless before locking an account. Wait timers are good and simple. A lousy one minute delay between attempts would completely kill a brute force attack, while it would be just an inconvenience to the user. So:
0- Enforce password complexity. Should be simple when you already know everything about your user: "No, you cannot use that password because it was the name of your 3rd grade teacher's pet gerbil"... ;)
1- Start with a one second wait and double it with every failure. Cap at 128 seconds or something, to keep things sane. Else you'll very quickly effectively lock the account.
2- Lock the account only when hundreds of attempts are made in a single day or some such.
The details will vary and some fine-tuning will definitely be required based on the type of data, users, actual usage experience and whatever other attack vectors might exist (brute force attacks vs. denial of service, for example), but you see the basics. Not complex.
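The throttling policy sketched in the three steps above, written out as an added example (not code from Apple, The Register or the commenter). The 200-failures-per-24-hours lock threshold, the `LoginThrottle` class and the `patient_attacker_guesses` simulation are assumptions; the simulation shows how few guesses per hour the doubling delay leaves an attacker who waits exactly as long as required.

```python
"""Login throttle following the scheme sketched above: a wait that starts at
one second and doubles with every failure, capped at 128 s, plus a lockout only
after hundreds of failures in a day.  Added example, not code from Apple or any
real service; the thresholds and the class API are assumptions."""
from collections import deque

INITIAL_WAIT = 1.0           # seconds imposed after the first failure
MAX_WAIT = 128.0             # cap, so the delay never becomes a de-facto lock
LOCK_THRESHOLD = 200         # "hundreds of attempts in a single day" (assumed value)
WINDOW = 24 * 3600           # rolling window for the lock threshold, seconds


class LoginThrottle:
    def __init__(self):
        self._fails = {}       # account -> consecutive failure count
        self._next_ok = {}     # account -> earliest time another attempt is accepted
        self._recent = {}      # account -> deque of failure timestamps within WINDOW
        self._locked = set()

    def wait_after_failures(self, n):
        """Delay imposed after the n-th consecutive failure: 1, 2, 4, ... 128 s."""
        return 0.0 if n == 0 else min(INITIAL_WAIT * 2 ** (n - 1), MAX_WAIT)

    def check(self, account, now):
        """Return 'ok', 'wait' or 'locked' for an attempt at timestamp `now`."""
        if account in self._locked:
            return 'locked'
        return 'wait' if now < self._next_ok.get(account, 0.0) else 'ok'

    def next_allowed(self, account):
        return self._next_ok.get(account, 0.0)

    def record_failure(self, account, now):
        n = self._fails.get(account, 0) + 1
        self._fails[account] = n
        self._next_ok[account] = now + self.wait_after_failures(n)
        recent = self._recent.setdefault(account, deque())
        recent.append(now)
        while recent and now - recent[0] > WINDOW:   # forget failures older than a day
            recent.popleft()
        if len(recent) >= LOCK_THRESHOLD:
            self._locked.add(account)

    def record_success(self, account):
        # A correct password resets the escalating delay; it does not unlock.
        self._fails[account] = 0
        self._next_ok[account] = 0.0


def patient_attacker_guesses(duration):
    """Guesses a brute-forcer who always waits exactly the required delay can make
    against one account within `duration` seconds, and whether it ends up locked."""
    t = LoginThrottle()
    now, guesses = 0.0, 0
    while True:
        status = t.check('victim', now)
        if status == 'locked':
            break
        if status == 'wait':
            now = t.next_allowed('victim')
        if now > duration:
            break
        guesses += 1
        t.record_failure('victim', now)
    return guesses, t.check('victim', now) == 'locked'
```

With these parameters the patient attacker gets 35 guesses in the first hour (255 s are spent on the first eight waits, then one guess per 128 s) and hits the daily lock on the 200th failure, roughly seven hours in.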
This should be achieved at the hardware level not the application. Would like to see your wait code that doesn't use up server resource, i.e. holding connections, as you can easily cause your own DoS attack and run out of resources.
So far we know that many of the photos were taken on a variety of devices, including 2010 era blackberries, android, and iOS devices.
While this could be a cloud service issue, the time frames involved as well as the diversity of devices suggest that this is much deeper than that.
Did a Hollywood-based IT service firm go out of business recently?
Someone wanting to show some of the goods regarding those NSA nude photo exchanges Snowden was talking about?
Whatever happened, I hope it doesn't devolve into platform bickering and that we do end up getting a straight answer about it so we can learn from it.
Karl P
@karlp
However much this actually relates to Apple's iCloud, one can hope that the attention it has drawn to the password inadequacies prompts an improvement.
I am all for software/service vendors giving users choice and treating them like adults but when it comes to security in this modern age there isn't much room for compromise.
If you look at the pictures (and I'm not recommending you do), you'll see that many of them are taken in a mirror, with the smartphone clearly visible. In most of the ones I've seen, the phone was NOT an iPhone.
That doesn't rule out iCloud, of course - the slebs in question could have sent the pictures to iPhone users - but if many of these pics were taken on Android phones it's not entirely impossible that some Google+ hackery is going on as well...
Or that said users were syncing their phones with a Mac/PC with iTunes, and that itself was 'backing up' to iCloud - or a similar setup where iCloud was the last step in the line.
i.e. I set up a system where a user wants to show their pictures off, so they transfer the images to their computer, they work on the images on the computer, and the finished images are sync'd with iCloud so they can show them off on the tablet (as it autosyncs to the camera roll I think - I forget the details, but it worked, that's the main thing).
So they could be taking the pics with a point and shoot camera if they want, but if they end up in the default photos library, and iCloud sync is switched on, then they're vulnerable to iCloud hackery.
So someone using a Blackberry, syncing the photos to a default photo locale, which is the same place iCloud syncs from, and bosh, it's in iCloud.
Still not seen huge details on how the hack was performed - have I skim read too much? Was it really a bruteforce on the API? Seems too easy...
Steven R
FBI agent A: Seen it. Seen it. Seen it. Woooo, that's a new one.
FBI agent B: That photo was uploaded two days ago. Please try to keep up with latest developments.
Seriously though. Would the FBI get involved if these were accounts of "ordinary" people that were hacked?
One of the most grievously annoying things about all these cloud services is how pushy they are. Install DropBox and it helpfully assumes you want to upload photos by default - I was caught out and had to disable it. I'm sure iCloud is just as pushy with new iPhones.
And since none of these services see fit to allow the end user to encrypt the data before uploading it means that anyone can log in from another computer and steal everything that is there. A computer literate person might understand the risks and nuances of cloud storage but clearly a lot of people including celebs do not.
So it'll be interesting to see where the sueballs land. I am expecting Apple will find itself on the receiving end of a lawsuit from some of those affected if it transpires that a) it didn't delete pictures when it should have, b) it didn't ask the user about their cloud sharing options in every circumstance, c) the cloud sharing options were defaulted to an unsafe setting, d) the option to disable the sharing was buried in the settings or accompanied by scary vague warnings to discourage changing it, e) the service was inadequately protected.
Apple had better hope the leak was from somewhere else.
OK, so assume you've brute forced the target's username and password, log into iCloud.com and... there's no access to the photo stream or device filesystems.
No problem! Just set up one of your devices to sync with their account details, and voila! A flurry of modal alerts is sent to every device attached to your target's account warning them that a new device has just signed in to their account. All these celebs ignored those alerts?
" All these celebs ignored those alerts?"
Almost certainly, yes.
As do very many people when they get a message on their smart-phone thingy because so many different things send you alerts all the time you get used to just clicking them all off. That is one of the problems - the systems are set up by (and for) relatively tech savvy people and that leaves a lot of room for less aware people to get ripped off.
In one sense, that is how Apple have been so successful - keeping a walled garden around their hard/software has removed the need for many people to get down and dirty with their devices. But it puts a lot of trust in the supplier and leaves people very unaware of what is really going on under the hood.
There is a screenshot doing the rounds of someone explaining what was released and how it was gathered.
No tech details but there is a small group of people who hack and share amongst themselves, only way to get into the group is to buy in with fresh photos.
Seems one member decided he was bored and could make a few quid off the pictures.
Authenticity of claims not confirmed, but they do fit with the range of ages to the pictures and how so many were gathered.
I love the way the media have gone for the titillating aspect of this (ie 'slebs showing tits) and largely ignored the more serious aspect of the story. Namely that using Find My iPhone, the hackers could easily have located the 'slebs and done things to them, maybe even killed them.
So - long time-frame, multiple devices, multiple O/S and quite a small group of prime clickbait.
1. was it a "free WiFi" access point at the Emmy or Oscar awards ?
2. someone in the NSA cloud monitoring team just got his prize swag stash onto a USB stick and out of the building ?
3. it really was that simple password vulnerability on the "find my iPhone app" plus said celebs moving photos from other sources to their iCloud (or getting them sent from people with other devices) ?
4. a cynical attempt to either sell a security service or discredit Apple ?
just my very non-comprehensive list, any better suspects ? but please remember "Investigating or commenting on any high profile leak is like trying to hug a hedgehog, the harder you try the more pricks you encounter" and I'm just the first....
But a large number of data breaches are inside jobs.. wouldn't surprise me if it was some System Admin just trying to get his rocks off and then decided to take a copy home with him! I've had this on our internal network, staff Sync up their phones and wham, suddenly they've dumped all their private pictures onto the network.. accessible to anybody with admin privileges.
But I'm a nice guy.. I warn staff when this happens. Right after I copy them off... for umm evidence!
Seriously, what normal person takes naked pictures of themselves anyway? let alone puts them on a network storage service, even if it is meant to be private.
There's only one reason celebs are taking naked pictures of themselves and putting them where they are likely to get hacked... it's because there is no such thing as bad publicity, especially when backed up with fake moral outrage.
Newsflash people: They WANT the pics to get hacked and the media and the more lame-brained amongst us keep feeding right into it.
If there's no such thing as bad publicity, perhaps these celebs use a non-effective password intentionally. The idea being, their account will be broken into, the pictures grabbed and published. They can then scream "don't look at those"... and everyone will go look at them. Or maybe not, but something just smells bad about this whole thing, whether it's intentional, a PR ploy that ran amok, or absolutely rotten iCloud security.
I'm 95% certain these celebutards wanted their nudies leaked in order to get their Q Rating up, because in Hollywood, "All publicity is good publicity". They don't have any problem appearing nude before a camera with two dozen grips and lighting technicians staring. Tell me you've never heard of the casting couch where "stars" (lol) have to sleep with old men who run the studios and then - Voila! - she's the star of a movie.
What's the difference between Hollywood and the porn industry down the street? Not a whole lot.
The FBI and the Secret Service (not the drunk johns) can determine the IP address in a matter of a few hours. So unless someone is arrested today and ends up doing hard time, this is all a big publicity stunt concocted by attention hungry "starlets" who want to get on the front page. It's all bs.
I visited those links to view the pics but not as for porn purposes.
I went to rate them in the mere fact on how valid/fake they were.
I would say that 95% of the pictures there are all real.
Sadly the one with the girl showing off her bum looks more like a medical condition.
She should get that looked at. Seriously!!