Apple, FBI: YES we're, er, looking into the NAKED CELEBRITY PICS. Aren't you? The Federal Bureau of Investigation and Apple are examining the theft of a large cache of naked celebrity photos, thought by many to have been snaffled from the fruity firm's iCloud backup silos. As El Reg reported yesterday, the photos depict Jennifer Lawrence, Kate Upton and around 100 others are thought to have been stolen …
Not wishing to pop your anti-Apple bubble, but you do actually need to set that sync up. I know, because I have such a device and have not configured the sync process. In fact, I checked all the settings and they were off by default so I didn't have to opt out either.
More facts, less mindless bleating please.
Can we stick to facts and not hyperbole? (Isn't that the job of Reg hacks?)
iDevices automatically upload stuff to the fluff automatically without user say-so just as much as Android or anything-else-a-droid does. You can turn all that auto cloud s*it on if it floats your boat, or leave it all off. (iOS photostream is, for one, an opt-in choice, not an opt-out one). Your choice of pratform is pretty much irrelevant in this context - whatever your bozophone can do in this regard, so can mine if I want it to (or not). Who cares?
This yawngasm inducing fanboi/fandroid shit is sooooo last conversation. Move along, citizens, f*ck all to see here.
@andreas koch
No, just don't take them with your phone. Use a standard digital camera and upload them straight-away to your computer and then delete them from the phone.
Even if you have no cloud sync setup on your device, scores or smart phones are lost and stolen daily, not to mention the potential for friend/parent or - much worse - child to pickup your phone and find the nudie-snaps.
I feel genuinely sorry for these people as it is a gross breach of privacy but in this day you simply must understand the if you want to use it.
There's no need to delete them from the phone if I used a standard digital camera . . . Cough. I'm sure that's not what you wanted to say.
I go by the rule that if I don't want it to be known or seen, I'll not tell or show it. Specially if it can be connected to me.
. . . and in my book putting it into any cloud as a usable file is showing. If I really, really need to back up to a cloud service, then the file is locally encrypted first and then uploaded. Encryption by the service is not acceptable as far as privacy is concerned.
But surely pics of naked celebs would not be in the celebs cloud storage but in the account of the person who took the photos.... Unless celebs give their phones to take naked photos of themselves... Which given the narcisisstic nature of some celebs is totally possible I suppose.
The way I interpret the reporting elsewhere, at least some of the photos were "professionally taken" so that is a possible leak point. Even at that, I expect the celebs have copies of them in their "private" portfolios. So where the loss of custody happened is not clear.
Also, while weak passwords are usually the culprit, remember that isn't necessarily the weakest link. Hackers might also have trawled the password reset questions, and given the obsessions with celebrities, may have cracked those instead after searching the internet for the answers.
iCloud is cloud service done right. It stores your music, photos, apps, calendars, documents and more
So if iCloud has been open to attack ANYONE could have had ANYTHING taken.
This is MUCH bigger than 100 celebs with some dodgy pics. Apple need to fess up, and not doing is is grossly irresponsible.
The real tragedy in all this is not that people have seen those celebs in the buff, but that they have done so without paying the usual fee. Hacking someone's account, or even many people's accounts, is bad enough, but infringing a celeb's copyright on their bootay is unforgiveable.
And remember, a great many Apple IDs have a home address, phone numbers and CC information all dutifully filled in from the original purchase of the device at the online store or so the app store 'just works'.
It's a disaster waiting to happen. Oh it just has. Again.
I frankly think we should have more of these disasters.
Makes ISIS, Ebola, the resurgent Recession, and the NATO-embiggening show in the ex-Soviet countryside that we need to fight because of reasonsmoneyed neocon interests look tame in comparison.
As El Reg reported yesterday, the photos depict Jennifer Lawrence, Kate Upton, Ariana Grande
Woah, I nearly misread this as photos of decrepit. I was worried of getting older fast.
@Destroy All Monsters
Indeed, it will be a welcome distraction helping the media to continue keeping our attention from the fact that a lot of the "Little Green Men" on one east side of the Ukrainian conflict are speaking Serbian and their equivalent "Little Green Men" on the west side of the conflict are speaking Croatian and they are replaying the same conflict for the 3rd time in the last century. Score so far is 1:1, popcorn to observe the outcome of the third one. Disclaimer - I have seen some of them myself this summer taking a short stop in one of the few remaining Eu cities that still has flights to Ростов на Дону.
It has been extremely entertaining watching the Western mainstream media go to extreme length on ensuring that this "entertaining" detail is not aired in any "news". In fact they have been better at that than previously (during the Kosovo war the video footage often contained the Chechen, Syrian and Lybian "volunteers"). After all, if you air it will become clear what will be next (NATO bombing) and how long it will last (15 years and counting).
It is lovely when we have a "disaster" like that - it helps keep the attention of the sheeple from what is really happening out there. Bring it on, let's have more celebutard leaks.
@Dan 55
>And remember, a great many Apple IDs have a home address, phone numbers and CC information all dutifully filled in from the original purchase of the device at the online store or so the app store 'just works'.
As much as I like to dish Apple, you would be able to see the tel and address, the latter you can find out online, BTW, as for CC info ? Are you nuts ? you can only see the last 3 or 4 digits of the CC, just like on receipts ... ok, they could use the account to purchase stuff in the app store, but they would probably get caught doing that.
So, yeah, they might have her cell phone, what you gonna do, call her?
"Hello, this is Dan 55, I hacked into your iCloud account and got naughty pics of you ..."
"Apple does not limit the number of password entry attempts users could can make
WTF?!?"
And there ends any pretence that weak security is a Microsoft problem.
Someone, somewhere, inside Apple took a decision to effectively remove security to enable a feature. That person doesn't have any business being near technology, at any vendor, and should be looking for work more suited to their talents.
Apple does not limit the number of password entry attempts users could can make
WTF?!?
That is the case in many online services where they don't even implement rate limiting or progressive incremental retry delay on failure, but the risks with an Apple account are much bigger because it's basically SSO - one password to rule it all. /Not/ good..
"...it is not your fault if you are using bad passwords because you are celebrities, not nerds".
That's not how security works. "Nerds" may elect to use full-disk encryption or some other less-used/more-complex security, true. But *everyone* needs to use secure passwords. At least for stuff they care to keep secure. It's not a complex concept, really.
Speaking of security: Apple doesn't have brute-force mitigation in place...? Excuse me while I clean the floor before I ROFLOL... :-)
>But *everyone* needs to use secure passwords. At least for stuff they care to keep secure. It's not a complex concept, really.
Not a tricky concept, but a PITA in practice. Such is life! Some people advocate the use of password managers, though only last month The Reg reported of a security failure in a popular example of the breed.
Personally, I use the tiered approach, so might reuse the same password across low value sites (seldom-visited forums, for example) whereas email and banking sites get complicated (non-dictionary, UPPER lower case, !"£$, numbers, mixed up) passwords.
...as long as you stick to words, and use more than one.
I used a similar scheme to the one you describe, and then I read this (posted by another El Reg forum user a few months ago):
http://xkcd.com/936/
I'm not ashamed to say I was embarrassed by this revelation, and have started to apply the principles to my passwords. Unfortunately a lot of sites insist on relatively short passwords.
I just rest an older password om XXXXX and found that the "upgraded" security would not let me use anything other than alphanumeric - no special characters allowed! Since this was one of my "low risk" passwords, it is not critical, but I am glad I don't use this particular XXXXX fro anything critical.
Once you buy into the 'Apple' ecosystem you TRUST them to do it all for you. You'll never get a viral attack but you'll find your naked arse plastered all over the internet though. Unlimited number of password attempts to access iCloud? WTF! I'd rather use antivirus software and take my chances with a virus/worm attack on a Windows/Linux PC.
On the other hand, most cloud services don't have limits, or the limits are large. Some may slow down the retries if they hit a certain number, or block an IP address for a few hours. Or require email verification (probably the best method), if a certain number of attempts are made.
If they locked the account every time a few wrong attempts were registered, many users would spend much of the day re-enabling their account - okay, they would then see that they are under attack and they might change their password, or enable second factor authentication.
Brute forcing attempts are probably something most cloud services have to put up with every day. How would push email work, if your account is getting locked every 15 minutes?
There needs to be a replacement for passwords. I agree unlimited attempts is wrong, but so is simply locking the account.
There's a lot that can be done to make brute-force attacks useless before locking an account. Wait timers are good and simple. A lousy one minute delay between attempts would completely kill a brute force attack, while it would be just an inconvenience to the user. So:
0- Enforce password complexity. Should be simple when you already know everything about your user: "No, you cannot use that password because it was the name of your 3rd grade teacher's pet gerbil"... ;)
1- Start with a one second wait and double it with every failure. Cap at 128 seconds or something, to keep things sane. Else you'll very quickly effectively lock the account.
2- Lock the account only when hundreds of attempts are made in a single day or some such.
The details will vary and some fine-tuning will definitely be required based on the type of data, users, actual usage experience and whatever other attack vectors might exist (brute force attacks vs. denial of service, for example), but you see the basics. Not complex.
This should be achieved at the hardware level not the application. Would like to see your wait code that doesn't use up server resource ie. holding connections, as you can easily cause your own DOS attack and run out of resources.
So far we know that many of the photos were taken on a variety of devices, including 2010 era blackberries, android, and iOS devices.
While this could be a cloud service issue, the time frames involved as well as the diversity of devices suggest that this is much deeper than that.
A Hollywood based IT service firm go out of business recently?
Someone wanting to show some of the goods regarding those NSA nude photo exchanges snowden was talking about?
Whatever happened, I hope it doesn't devolve into platform bickering and thee we do end up getting a straight answer about it so we can learn from it.
Karl P
@karlp
However much this actually relates to Apple's iCloud, one can hope that the attention it has drawn to the password inadequacies prompts an improvement.
I am all for software/service vendors giving users choice and treating them like adults but when it comes to security in this modern age there isn't much room for compromise.
If you look at the pictures (and I'm not recommending you do), you'll see that many of them are taken in a mirror, with the smartphone clearly visible. In most of the ones I've seen, the phone was NOT an iPhone.
That doesn't rule out iCloud, of course - the slebs in question could have sent the pictures to iPhone users - but if many of these pics were taken on Android phones it's not entirely impossible that some Google+ hackery is going on as well...
Or that said users were syncing their phones with a Mac/PC with iTunes, and that itself was 'backing up' to iCloud - or a similar setup where iCloud was the last step in the line.
IE I set up a system where a user wants to show their pictures off, so they transfer the images to their computer, they work on the images on the computer, and the finished images are sync'd with iCloud so they can show them off on the tablet (as it autosyncs to the camera roll I think - I forget the details, but it worked, that's the main thing).
So they could be taking the pics with a point and shoot camera if they want, but if they end up in the default photos library, and iCloud sync is switched on, then they're vulnerable to iCloud hackery.
So someone using a Blackberry, syncing the photos to a default photo locale, which is the same place iCloud syncs from, and bosh, it's in iCloud.
Still not seen huge details on how the hack was performed - have I skim read too much? Was it really a bruteforce on the API? Seems too easy...
Steven R
This post has been deleted by its author
FBI agent A: Seen it. Seen it. Seen it. Woooo, that's a new one.
FBI agent B: That photo was uploaded two days ago. Please try to keep up with latest developments.
Seriously though. Would the FBI get involved if these were accounts of "ordinary" people that was hacked??
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
