Apple Says No Personal Data Was Compromised in Australian Teenager Hacking Incident

[I7guy]

You got amnesia or what?

Didn't apple intentionally throttle cpu so your older phones become slower.

You don't need to answer. You going to toe the apple line and say it is done because of battery blah blah....when no other phones needed to do that

My dear sir, throwing around an insult is all of the proof one needs to know you can't back up your statement. Power management is intentionally slowing down the phones as auto-brightness is intentionally crippling the screen. So I got it, no proof as I first said.

 

[mib1800]

My dear sir, throwing around an insult is all of the proof one needs to know you can't back up your statement. Power management is intentionally slowing down the phones as auto-brightness is intentionally crippling the screen. So I got it, no proof as I first said.

My dear sir, it is a miracle. The iOS has become sentient. It is has a mind of its own and it is intentionally slowing down the cpu.

 

[I7guy]

My dear sir, it is a miracle. The iOS has become sentient. It is has a mind of its own and it is intentionally slowing down the cpu.

Well Android does have similar features, one of them are called auto-slowdown. When you don't feel like working fast you can set the lag factor through the settings interface. Or you can set it to auto-mode and it guesses when you don't want to work or play hard and slows/lags auto-magically.

 

[Mr. Heckles]

I'm fairly savvy and always hover my cursor on the link before I click on it. On IOS I'm not really worries as there are no or few zero day security vulnerabilities on IOS. I also never type in my userid and password from a link on the internet. No major company does that type of design in 2018, the ones that do are the malicious ones.

No, no major company? This attack works with all, yes all 2 step authentication (SMS and using a time based one time password using an authenticator app like google). Phishing attacks are so successful because of human error that google requires all employees to use U2F (security key).

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

 

[I7guy]

No, no major company? This attack works with all, yes all 2 step authentication (SMS and using a time based one time password using an authenticator app like google). Phishing attacks are so successful because of human error that google requires all employees to use U2F (security key).

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

The article you cited, does not contradict the premise of my assertion that major companies; e.g. JP Morgan Chase, do not send emails to users asking them to log into their accounts from a link embedded within the email.

I was not referring to internal network penetration behind the corporate firewall. Nor did I say that corporate employees were not subject to phishing attacks.

 

[Mr. Heckles]

The article you cited, does not contradict the premise of my assertion that major companies; e.g. JP Morgan Chase, do not send emails to users asking them to log into their accounts from a link embedded within the email.

I was not referring to internal network penetration behind the corporate firewall. Nor did I say that corporate employees were not subject to phishing attacks.

You realized that’s the point of a phishing attacks? And yes, Chase can send an email, it’s one of the options to get the 2nd factor (SMS, email, or a phone call). I know this for a fact because I have Chase bank.

 

[Jsameds]

I'm sure those celebs whose lives changed forever would disagree with you. This company couldn't care less for anyone's privacy over their profit margins. Disgusting.

Apple wasn’t hacked, their account details were phished.

 

[I7guy]

You realized that’s the point of a phishing attacks? And yes, Chase can send an email, it’s one of the options to get the 2nd factor (SMS, email, or a phone call). I know this for a fact because I have Chase bank.

Well then chase is doing things that go against good security practices. Citibank for example does not do that. You go to their website and retrieve your password from the website. I did say, that I, hover over the link to verify the website. If the link does not read "chase.com" I don't click on it.

 

[tooltalk]

Give the child a job for Apple when he gets out of jail, lol.

I think he's too young to go to jail. Besides, he's probably just one of many who penetrated Apple's insecure systems. Why work for Apple when he probably can get much better paying jobs elsewhere as a security expert.

 

[sracer]

Apple wasn’t hacked, their account details were phished.

Where in the article did it say that?

 

[Mr. Heckles]

Well then chase is doing things that go against good security practices. Citibank for example does not do that. You go to their website and retrieve your password from the website. I did say, that I, hover over the link to verify the website. If the link does not read "chase.com" I don't click on it.

CitiBank doesn’t have anything. They are even worse than Chase.

https://twofactorauth.org/#banking

 

[I7guy]

CitiBank doesn’t have anything. They are even worse than Chase.

https://twofactorauth.org/#banking

Citibank doesn’t send links in its email, so by definition it has more than chase.

And this is now way off from the thread subject.

 

[alphaod]

According to this article: https://bgr.com/2018/08/16/apple-servers-hacked-teen-sensitive-data-year/

Apple was able to access his computer's serial number. How is this possible?

Probably just the MAC Address.

 

[Mr. Heckles]

Citibank doesn’t send links in its email, so by definition it has more than chase.

And this is now way off from the thread subject.

Yes it’s off subject a little. But I promise they send emails as a form of recovery, they all do. And citybank has less than Chase, it doesn’t have ANY form of s step verification/authentication at all. There for by definition, it’s less secure.

With Chase I either get a 9 digit code sent to me either by SMS, email, or a phone call. The reason these are less secured than a time based one time passwords, an attacker can hijack a person SIM card or even hack the person email account. An authenticator is far batter than text or email.

 

[Marekul]

No, it was 100% the user fault, that happens with phishing attacks. 2FA is not 100% immune to phishing attacks either.

https://techcrunch.com/2018/05/10/hacker-kevin-mitnick-shows-how-to-bypass-2fa/

Nothing is 100%, and no one said so. it’s all about making it as hard as possible. And they failed
[doublepost=1534609553][/doublepost]

Compared to google building said regime their own search engine, talk about hypocrisies.

At least google removed the “Don’t be evil” from their logos and has no CEO running around virtue signaling and telling everyone privacy is a basic human right and tolerance is their main drive. And then isn’t that the what they nowadays like to call “whataboutism”? Did I say google is any better?

 

[sdf]

Sounds like this kid is a bit of genius, maybe he should be given a job at Apple instead of a prison sentence. Just saying

Smart people are not hard to find. Smart and ethical people are a lot harder.

He should no more get a job for hacking servers than stealing personal effects from a car dealership should get a person a job at that dealership selling cars.

 

[Jsameds]

Where in the article did it say that?

https://en.m.wikipedia.org/wiki/ICloud_leaks_of_celebrity_photos

 

[code-m]

Just Apple security’s pride was compromised. Ya know, because they were hacked by a child.

I believe this is Apple trying to save face on this issue, I mean if this teenager did not do any harm then why a trial, etc. Apple and many other companies have bug bounties for white hat hackers with a reward. If this teenager likes Apple and was poking around and got in, and copied 90GB of secure data only to prove the vulnerability. Did he report it, if so then it is not a crime, if he did then it is a crime, if he was going to and got stopped by the authorities that is a grey area.

Something about this story does not add up, that is all I am saying. One does not go to trial, etc for nothing.

 

[I7guy]

I believe this is Apple trying to save face on this issue, I mean if this teenager did not do any harm then why a trial, etc. Apple and many other companies have bug bounties for white hat hackers with a reward. If this teenager likes Apple and was poking around and got in, and copied 90GB of secure data only to prove the vulnerability. Did he report it, if so then it is not a crime, if he did then it is a crime, if he was going to and got stopped by the authorities that is a grey area.

Something about this story does not add up, that is all I am saying. One does not go to trial, etc for nothing.

Hacking into corporate systems and reporting it, is not the same as hacking into government systems and downloaded data. If he reported it without downloading, he probably would have received a bounty. But downloading 90 gig of data probably makes it a criminal offense.

 

[code-m]

Hacking into corporate systems and reporting it, is not the same as hacking into government systems and downloaded data. If he reported it without downloading, he probably would have received a bounty. But downloading 90 gig of data probably makes it a criminal offense.

However Apple says nothing was compromised. Are we receiving contradictory information. I am not here to take sides, just want to understand what happened. Am I to believe the court or Apple.

If this individual download 90GB of secure data, I userstand that there are people in either camps sayings he is smart and others not so, however at the end of the day did he know that downloading data would be seen as a crime, or was he just being a teenager to brag about it to his friends or whatever community he hangout in. Maybe trying to prove a point to a big corporation. I am not saying what he did was right or wrong, I am saying if this individual knows if crossing that line would be seen as wrong or not. It is all about intent, did he do this knowing very well that it is wrong and to profit from it, or did he do it out of curiosity and to brag to his peers that he is able to do so by saying Apples security is weak.

That is what I am trying to understand in all of this.

 

[I7guy]

However Apple says nothing was compromised. Are we receiving contradictory information. I am not here to take sides, just want to understand what happened. Am I to believe the court or Apple.

If this individual download 90GB of secure data, I userstand that there are people in either camps sayings he is smart and others not so, however at the end of the day did he know that downloading data would be seen as a crime, or was he just being a teenager to brag about it to his friends or whatever community he hangout in. Maybe trying to prove a point to a big corporation. I am not saying what he did was right or wrong, I am saying if this individual knows if crossing that line would be seen as wrong or not. It is all about intent, did he do this knowing very well that it is wrong and to profit from it, or did he do it out of curiosity and to brag to his peers that he is able to do so by saying Apples security is weak.

That is what I am trying to understand in all of this.

It doesn’t matter what was in the data, that he downloaded data instead of just reporting the security hole is what (probably) makes this a criminal offense.

If you go into a bank with a gun and demand money but somehow escape without cash, is it still a crime?

 

[code-m]

It doesn’t matter what was in the data, that he downloaded data instead of just reporting the security hole is what (probably) makes this a criminal offense.

If you go into a bank with a gun and demand money but somehow escape without cash, is it still a crime?

Bad analogy, this may be more accurate.

If you went into a bank and no one is around, no gun just some tools to crack open the safe (or just the combination was really simple for anyone to guess), you walk-in take a handful of coins and walk out, close the safe behind you and leave the vacant bank. Is this a crime, no one got hurt, other than the banks price, some coins stolen without forcing or threatening the owner of those coins.

Now you inform your friends, hey that bank that claims to have a state of the art security system, well that is not the case and here is the evidence to prove what I am saying (shows coins).

Now the bank finds out, claims nothing of value got stolen, their pride gets damaged as their are called out on their state of the art security system as investors and clients question their security and reliability of this bank.

The authorities go after you for taking a few coins, trial you and say yes you did it, while the bigger problem here is that the bank did not have a safe and secure vault to being with. So rather than the bank improve its security their run after someone who proved them wrong. The correct measure would be, hey thank you for exposing a weakness in our system, if you are willing to provide the data (coins) back to us, no trail, jail time and we are willing to employee you for our security team. Now if this indivdual said not, then trial and jail time.

Again I do not know all the details, I am hearing contradictory information.

 

[I7guy]

Bad analogy, this may be more accurate.

If you went into a bank and no one is around, no gun just some tools to crack open the safe (or just the combination was really simple for anyone to guess), you walk-in take a handful of coins and walk out, close the safe behind you and leave the vacant bank. Is this a crime, no one got hurt, other than the banks price, some coins stolen without forcing or threatening the owner of those coins.

Now you inform your friends, hey that bank that claims to have a state of the art security system, well that is not the case and here is the evidence to prove what I am saying (shows coins).

Now the bank finds out, claims nothing of value got stolen, their pride gets damaged as their are called out on their state of the art security system as investors and clients question their security and reliability of this bank.

The authorities go after you for taking a few coins, trial you and say yes you did it, while the bigger problem here is that the bank did not have a safe and secure vault to being with. So rather than the bank improve its security their run after someone who proved them wrong. The correct measure would be, hey thank you for exposing a weakness in our system, if you are willing to provide the data (coins) back to us, no trail, jail time and we are willing to employee you for our security team. Now if this indivdual said not, then trial and jail time.

Again I do not know all the details, I am hearing contradictory information.

Yes to the bank analogy. There is no wiggle room, breaking and entering. Whether jail time ensues is up to the legal system, but said person will be charged with a crime.

I don’t know how contradictory it could be downloading 90 gig of data could be. That is what makes this a more serious crime. It doesn’t matter even if he downloaded a folder called “Tim cooks favorite jokes”. It’s not any less of a criminal offense.

 

[sracer]

https://en.m.wikipedia.org/wiki/ICloud_leaks_of_celebrity_photos

Oops. My mistake. I thought you were referring to the article in this thread.

 

[CarlJ]

Oops. My mistake. I thought you were referring to the article in this thread.

He was replying specifically to someone who said, "I'm sure those celebs whose lives changed forever would disagree with you", and was quite on point in his reply (as that's a sensationalist accusation by someone who either doesn't know, or doesn't care, that they're 100% wrong), but there are possible technical reasons why you might not have seen the original quote and thought it was a standalone comment.