Can somebody please show me the proof that those leaked pics (some from years ago, before iCloud existed) came from hacked iCloud accounts. This clickbait sensationalism is getting ridiculous.

The leaked pics came from an underground celeb-sex pic ring, where at least 2 different people were offering pics and there were several "collections" that were exposed at different times.

The iCloud vulnerability itself is obviously bad, however it worked only on accounts with bad/easy passwords (the GitHub Python script used a list of 500 common passwords to bruteforce). If it's true they knew about it from this Balic guy around March, then that indeed is bad news. However, linking it to the celeb-nudes is just bad journalism and sensationalism.

If the press is to be believed then we need to ask why this "4chan" hacker guy has not been found yet, and does he perhaps work for Apple...

You're not serious are you?
 
Was just thinking the same, but tbh the only real c*ck-ups of the last few weeks have been the iCloud story and the 8.0.1 update.

Bentgate isn't really an issue, I think... I mean, if you apply lots of pressure to an aluminium phone, it will bend. That's not an issue, it's just physics. It's like all the drop tests: if you drop a glass item on the floor several times, the odds are it will break.

I still fail to see why this is an issue, but then again most people nowadays lack common sense.

Now, the iCloud security issues are indeed worrying if Apple knew about them 6 months before. Most people use rather weak passwords such as Password123, but still that's no excuse for ignoring a reported security flaw.

The iOS 8.0.1 update was also worrying. I updated to iOS 8 via iTunes, which is what I always do for big updates, but some friends who updated OTA are going nuts with their phones crashing and behaving weird.

Yeah, it just seems to me that a general sloppiness is starting to creep in, I hate to do the clichéd thing and mention Steve Jobs but he was a bit of a dictator rather than an easy going boss as Tim seems - having worked for companies with those kinds of changes it does eventually permeate through the infrastructure and attitudes can quickly switch from "We've got to nail this!" to "It'll do...".

Maybe too much effort has been put into watches, I don't know, but it seems things like "thinness" for the sake of it rather than neat design (flush camera, decent antenna breaks) are starting to creep in. People would like better battery life, no-one was asking for the iPhone to get thinner - it isn't even that ergonomically comfortable in the hand, it's almost too thin and could do with a bit more "meat" in the back to sit better in the hand rather than being gripped at the edges.

The antenna breaks were much criticised but largely forgotten now but think back to the 5, those glass windows, the keynote mentioning micron thick tolerances etc to get them flush - now we have chunky plastic that doesn't quite sit flush. It's just the little things.

Now the firmware which didn't launch with many of the advertised features working is being cocked up with updates containing frankly Schoolboy errors that most definitely can't be excused.

One, maybe two issues could certainly be forgiven but it seems there are more and more of these things, as well as those design touches that are concerning me. Things that would have been scrutinised to the nth degree in the past are being let slide - maybe signs that Apple is slowly slipping from an untouchable force in design and engineering to something a little more "Microsoft". I do hope not.
 
IMHO the company has lost its swag. I really like my iPhone 6, but the protruding camera and bulky antenna lines show severe negligence. Their QA needs doubling down on also.
 
A month from now people will barely remember these three "huge nightmares". Much ado over nothing. ;)
 
Nothing new here. Move on.

----------


Can somebody please show me the proof that those leaked pics (some from years ago, before iCloud existed) came from hacked iCloud accounts. This clickbait sensationalism is getting ridiculous.

The leaked pics came from an underground celeb-sex pic ring, where at least 2 different people were offering pics and there were several "collections" that were exposed at different times.

The iCloud vulnerability itself is obviously bad, however it worked only on accounts with bad/easy passwords (the GitHub Python script used a list of 500 common passwords to bruteforce). If it's true they knew about it from this Balic guy around March, then that indeed is bad news. However, linking it to the celeb-nudes is just bad journalism and sensationalism.

If the press is to be believed then we need to ask why this "4chan" hacker guy has not been found yet, and does he perhaps work for Apple...

Is the Tim Cook apology not enough to convince you?
 
Yeah, it just seems to me that a general sloppiness is starting to creep in, I hate to do the clichéd thing and mention Steve Jobs but he was a bit of a dictator rather than an easy going boss as Tim seems...

I guess it's easy to forget the time a .1 update (around the time of OS2?) made everyone's keyboards suddenly stop working. Or when (around OS5) an update meant SIM cards weren't being recognised, and speakers started sounding bad!! (toggling to speaker and back used to fix it IIRC!). Or when Wifi connections weren't sticking. And when they said that one of their updates was adversely affecting battery use.

This is software, and software has bugs - especially when rolling out to millions of devices and users. Should Apple be more stringent - OF COURSE YES. But to say this is something new isn't true.
 
Not this again?

A lot of people tried using iBrute when this became public, but nobody was able to get it to work. The closest I've seen was one person who claimed to have "proven" that brute force worked by using "Password1" as their password and then used something "similar" to iBrute (she didn't mention what) to get through. The reason why this "proof" reeks of you-know-what is that the #1 on the list of passwords that iBrute uses is almost the exact same password, the only difference is that the "o" is swapped out for a "0" (doing these "clever" letter-number swaps is one of the first things proper dictionary attacks use).

The only method I've seen proof of actually working is the one where you reset the target's password by looking up the answers to their secret questions on Facebook and other sites. This isn't as much a weakness in Apple's systems as it is a weakness caused by the users themselves. In the IT security world they've been saying for years that there is no such thing as a system so secure its users can't compromise it through misuse.

So why do we still talk about iBrute? Because some 15-year-old said it worked on 4chan's /b/ board and then everyone kept repeating this ad nauseam with zero source criticism. I suppose this is just like Joseph Goebbels (propaganda minister of the Third Reich) is claimed to have said: If you repeat a lie often enough, people will believe it.
 
This was a targeted phishing exercise over the course of months if not years.

Email accounts etc from many different services were hit, there was no 'hacking' that occurred.

Could Apple have had alerts in place telling people accounts were being accessed from the start - for sure. But weak passwords and weak answers to security questions when you're in the public eye won't ever stop someone gaining access to your account.

It's a shame that not only have the victims of the leaks been blamed for ever having personal things - irregardless of where they're shared, but that only Apple seems to be singled out as being 'hacked'. The latest leak of Kim Kardashian (Checked, for science) clearly shows her taking photos on a Blackberry - do Blackberries sync to iCloud? And yet Blackberry are very well known for their security chops, but I haven't seen a single article talking about Blackberry being 'hacked'... Why? Because no one really cares about Blackberry, it's not good news to create a story about kicking a dead dog.


This is laughable. I have photos of myself as an infant from 1969 before digital cameras existed on iCloud. Certainly a pic from a blackberry can be on iCloud.

Yall got me crackin up!
 
This is laughable. I have photos of myself as an infant from 1969 before digital cameras existed on iCloud. Certainly a pic from a blackberry can be on iCloud.

Yall got me crackin up!

Sure, she could have sent the photos to an iDevice user who synced those photos to iCloud, as much as she could have synced/backed up those photos to whatever service BB has in place.

But neither of those scenarios show that iCloud was 'hacked' to get those photos.

The point I'm making is that there is a presumption of hacking - simply because iPhone is top dog. When someone is holding a Blackberry taking a photo, no presumption is made.

Account details were phished, no-one sat at a screen 'hacking' servers and code. No one broke into servers (multiple times, over multiple months) and had free access. Information was phished - that's not about being an apologist, it's about being real. Poor passwords and security answers played a massive part in all of this.
 
I'm waiting for the not Apple's fault crowd.

I love apple products, the culture, heck I love everything about apple EXCEPT the excuses made for them. Apple prides itself on excellence. Until they no longer make quality and excellence a selling point their customers need to demand it and call them out when they under perform.

Making excuses for mistakes & sloppy work will not help Apple.

You may be wrong.

For one, if Apple had just limited the number of wrong password attempts, they would have allowed the attacker to implement a denial-of-service attack successfully. All the attackers need to do is to make N wrong guesses repeatedly, the account would be locked, potentially preventing a legit user from accessing his account.

The right solution is to implement 2FA, which they did. But that took a few months of implementation and testing. I think they ran a test back in June or so, which was discovered by the rumor sites.


As for Balic's claim that his research caused Apple to take down the developer site, I remember the story was someone else was ahead of him. Balic's exploit was not used to reset external developers' accounts since Balic only targeted Apple accounts.

Apple should know this and hence credited him with the cross site scripting report. But in the same timeframe, I remember they also credited other fixes to someone else.
 
Well, this is Tim Cook's Apple, so it's not surprising.

Funny how these tech companies don't take these hackers seriously. They of all people should know.
 
As an Apple fan boy, all I can say is that Apple has been moving in this direction for some time now. Apple used to make insanely great products, now they just make insanely great quantities of whatever product Marketing can sell.

As companies grow, the pressure to perform becomes so great no one can say "we are not ready". If you do, you get a demotion, fired, or overlooked for the rest of your career. So what happens, everyone just goes along with the demands and makes sure someone else can be blamed if they go wrong.
 
I'm actually happy with all these problems they are having at the moment. Maybe it will stop the fairytale attitude they've got and make them focus again. Because no matter how much I love their products, things have changed, and not always for the better.
 
And on my blog site that I don't have a news story just broke....


NSA infiltration at Apple prevents security measures being implemented earlier than necessary.

It has come to light that the NSA placed operatives within Apple's infrastructure so it could hack Apple users' accounts with ease. The operatives were tasked with delaying and in some cases burying security holes that came to light. Their main task was to prevent the higher ups in Apple from knowing about security breaches that were brought to the company's attention.

We reached out for comment from Apple who replied they do not know how deep the infiltration goes but they will be implementing new security screenings and test procedures.

I'm all for conspiracy theories, not because I necessarily think they are true, but they are fun. This, otoh, I don't think is that outlandish. It certainly is plausible, because it's actually a great idea from an intelligence standpoint. Bravo to the NSA if they actually did this.
 
Looking at some of the most used and decrypted passwords in the Adobe leak, there's one thing that is sure.

Code:
#      Count      Ciphertext                      Plaintext
--------------------------------------------------------------
1.   1911938      EQ7fIpT7i/Q=                    123456
2.    446162      j9p+HwtWWT86aMjgZFLzYg==        123456789
3.    345834      L8qbAD3jl3jioxG6CatHBw==        password
4.    211659      BB4e6X+b2xLioxG6CatHBw==        adobe123
5.    201580      j9p+HwtWWT/ioxG6CatHBw==        12345678
6.    130832      5djv7ZCI2ws=                    qwerty
7.    124253      dQi0asWPYvQ=                    1234567
8.    113884      7LqYzKVeq8I=                    111111
9.     83411      PMDTbP0LZxu03SwrFUvYGA==        photoshop
10.    82694      e6MPXQ5G6a8=                    123123

People aren't that great when it comes to protecting their own accounts and data.

TouchID is a good step to getting more people to protect that data. I hope in the long run its uses can be moved to other mediums.
 
The only method I've seen proof of actually working is the one where you reset the target's password by looking up the answers to their secret questions on Facebook and other sites. This isn't as much a weakness in Apple's systems as it is a weakness caused by the users themselves. In the IT security world they've been saying for years that there is no such thing as a system so secure its users can't compromise it through misuse.

Social engineering hackers like Kevin Mitnick would have likely had no problem at all with this method. And they wouldn't even have to pick up the phone to get the users to compromise themselves.

It isn't just famous celebs anymore, with people putting most of their lives online and in social media. The answers to these questions for today's younger generations are increasingly just as accessible as a famous person's.

Of course asking people to use harder multifactor authentication, and nonsense questions and passwords, might lock them out of their accounts for longer periods as they search for where they left the hidden password/answers.
 
Well, this is Tim Cook's Apple, so it's not surprising.

Funny how these tech companies don't take these hackers seriously. They of all people should know.

Well, Jobs' MobileMe and iCloud were the same too. These mechanisms were there when he was still with us.
 
Was just thinking the same, but tbh the only real c*ck-ups of the last few weeks have been the iCloud story and the 8.0.1 update.

Bentgate isn't really an issue, I think... I mean, if you apply lots of pressure to an aluminium phone, it will bend. That's not an issue, it's just physics. It's like all the drop tests: if you drop a glass item on the floor several times, the odds are it will break.

I still fail to see why this is an issue, but then again most people nowadays lack common sense.

Now, the iCloud security issues are indeed worrying if Apple knew about them 6 months before. Most people use rather weak passwords such as Password123, but still that's no excuse for ignoring a reported security flaw.

The iOS 8.0.1 update was also worrying. I updated to iOS 8 via iTunes, which is what I always do for big updates, but some friends who updated OTA are going nuts with their phones crashing and behaving weird.

The problem was Apple did not see this as a flaw but part of the design of iCloud accounts. Implementing a lockout requires a process to reopen the lock and potentially a lot of unhappy computer-naive users with fat fingers.
 
Sure, she could have sent the photos to an iDevice user who synced those photos to iCloud, as much as she could have synced/backed up those photos to whatever service BB has in place.

But neither of those scenarios show that iCloud was 'hacked' to get those photos.

Account details were phished, no-one sat at a screen 'hacking' servers and code. No one broke into servers (multiple times, over multiple months) and had free access. Information was phished - that's not about being an apologist, it's about being real. Poor passwords and security answers played a massive part in all of this.

True about poor passwords. But even Macrumors has the try 5 times & you're locked up rule. Even without 2 step that simple add on would have worked.

Apple wants their devices to be easy to use. That means their customers aren't going to be tech savvy & set strong PW. So when apple set up services like iCloud they need to account for that population. Banks do it, they send warnings to customers, Facebook sends notices about unfamiliar machines accessing accounts, log me in does it, even yahoo for God sakes.
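
The two positions in this thread on limiting password guesses (a "try 5 times" lock would have stopped the guessing; a hard lock lets an attacker shut the owner out) can be reconciled by slowing each guessing source and stepping the account up to a second factor instead of locking it. The sketch below is an added example, not code from any poster or from Apple; the class and function names, the thresholds and the documentation-range addresses are all constructed for illustration, and 500 is the list size mentioned earlier in the thread.

```python
from collections import defaultdict

# All thresholds below are assumed values for illustration.
BASE_DELAY = 1.0      # seconds of backoff after the first failure
MAX_DELAY = 900.0     # cap on the per-source backoff
STEP_UP_AFTER = 20    # account-wide failures in WINDOW before a second factor is required
WINDOW = 3600.0       # seconds

class LoginThrottle:
    def __init__(self):
        self.failures = defaultdict(int)         # (account, source) -> consecutive failures
        self.blocked_until = defaultdict(float)  # (account, source) -> timestamp
        self.account_log = defaultdict(list)     # account -> recent failure timestamps

    def decide(self, account, source, now):
        """Return 'wait', 'step_up' or 'allow' for an attempt arriving at time `now`."""
        if now < self.blocked_until[(account, source)]:
            return "wait"  # only this source is slowed; other sources are unaffected
        recent = [t for t in self.account_log[account] if now - t < WINDOW]
        self.account_log[account] = recent
        if len(recent) >= STEP_UP_AFTER:
            return "step_up"  # password alone no longer suffices, but nobody is locked out
        return "allow"

    def record_failure(self, account, source, now):
        key = (account, source)
        self.failures[key] += 1
        exponent = min(self.failures[key] - 1, 20)  # bound the power of two
        self.blocked_until[key] = now + min(BASE_DELAY * 2 ** exponent, MAX_DELAY)
        self.account_log[account].append(now)

    def record_success(self, account, source):
        self.failures.pop((account, source), None)
        self.blocked_until.pop((account, source), None)

def seconds_to_submit(guesses, account="user@example.com", source="203.0.113.7"):
    """Earliest time at which one source can have submitted `guesses` wrong passwords."""
    throttle, now = LoginThrottle(), 0.0
    for _ in range(guesses):
        now = max(now, throttle.blocked_until[(account, source)])
        if throttle.decide(account, source, now) != "allow":
            return None  # the account switched to step-up before the list ran out
        throttle.record_failure(account, source, now)
    return now

def owner_decision_during_guessing(sources, account="user@example.com"):
    """What the real owner gets from their own address while `sources` each fail once."""
    throttle = LoginThrottle()
    for i in range(sources):
        throttle.record_failure(account, f"192.0.2.{i}", now=float(i))
    return throttle.decide(account, "198.51.100.4", now=float(sources))

if __name__ == "__main__":
    print(seconds_to_submit(500))              # one source working through 500 guesses
    print(owner_decision_during_guessing(5))   # a few failures from elsewhere
    print(owner_decision_during_guessing(50))  # failures spread over many sources
```

With these assumed thresholds a single source needs about five days to get through 500 guesses, and guesses spread over many sources push the account to a second factor rather than denying the owner access.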
 
Apple need to publicly address this, they look BAD and very irresponsible. It is standard practice for white-hat hackers to inform companies of security flaws like this. It is also standard practice for white-hat hackers to give the company a reasonable amount of time to fix it, then go public with the flaw.
While I am not an expert, I would think that Apple should be able to fix this in far less than 6 months. If Apple had known about the flaw for 6 months and only fixed it when it went public and the bad PR hit, that is disgraceful and Apple shouldn't be trusted with any security critical product such as .... ApplePay.

All software has bugs, but when a company becomes aware of a security flaw like this they need to take it seriously, it seems Apple may not have. If this flaw had become public a week or two after Apple was made aware of it while they were working on a fix, that would have been bad luck. Six months is too long. When Windows users get a security update that is not on the second Tuesday of the month, it is usually some serious security flaw that Microsoft didn't want to wait less than one month to patch.
 
As an Apple fan boy, all I can say is that Apple has been moving in this direction for some time now.

I don't get this.

Since when did this TERRIBLE direction start?

Was it right after the lacklustre Performas?
Right after the hockey puck?
Right after the Cube?
Right after the fat iPod?
Right after iTunes on the ROKR(!)
Right after Mobile Me?
Right after Antenna-gate?
Right after *insert issue*-gate?


Or was it right after any number of OS7/8/9 updates that would kill printer/scanner/modem connections. So you would have to go out and buy the latest Macworld with an OS update CD on the cover (charmed days...)

Or right after any number of iOS updates that killed keyboards, SIMs, batteries etc?

Apple have apparently been in a downward spiral of doom for the past 20 or so years.
 
As an Apple fan boy, all I can say is that Apple has been moving in this direction for some time now. Apple used to make insanely great products, now they just make insanely great quantities of whatever product Marketing can sell.

As companies grow, the pressure to perform becomes so great no one can say "we are not ready". If you do, you get a demotion, fired, or overlooked for the rest of your career. So what happens, everyone just goes along with the demands and makes sure someone else can be blamed if they go wrong.

Or it could be that competitors are starting their smear campaign before the holiday season.

Apple is not perfect. The 8.0.1 and streaming problem are proofs. It may be part of growing pain. But the bend gate and Balic's claims are really off tangent.
 