Exactly.

If you have a username and password to any iCloud account you can do the exact same thing this software does without the software.

Did you even understand the function of this software? :confused::rolleyes:

It's rather late in this thread you've been posting in to finally understand it, but it's high time you did I guess... :)
 
600,000 macs with flashback and doors wide open to icloud storage. No problemo.

How is it Apple's fault that 60k people were idiots and gave the trojan their admin password? That's like being mad at the deadbolt maker on your house after you hand over your keys to a burglar and they steal your stuff.

And there isn't an issue with iCloud. The information is sent over a secure connection contrary to the assumptions that many here are making. All connections to iCloud are on port 443, https which is encrypted. Once again this is an issue of the forensic software acquiring your password elsewhere.

----------

Either way, I'm sure it'll be easily found on torrent sites soon enough. If you know what you're looking for, anything is easily found on sites such as TPB.

I'm willing to bet it won't be. The forensic community doesn't share this stuff and it generally requires special software device authentication such as a HASP key. It's not the kinda software that most pirates go for so it's not bothered with. But keep telling yourself that it'll be easy to get.

----------

Having access to someone's username AND password is something that happens almost never. And this software doesn't and can't get your password remotely over the Internet.

Actually I don't fully understand the purpose of this software other than to hack a user's cloud/cellphone to get other potential passwords. You need a password for this software to even work. It's what happens after you have physical access to a user's computer/cellphone that this software is ever useful.

And after walking through what this actually does I find the software to be almost vapor ware and sensationalist bordering on MR spam.

I repeat. This software does not sniff Internet packets.

You obviously have no concept of the usefulness of this type of software. Time to stop posting. For computer forensic examiners in the law enforcement community, this type of information is valuable. Once a warrant is issued, it would allow them to gain access to the suspect's iCloud account along with their iPhone.

Please just stop making assumptions as it's only leading to more users here reading the misinformation you're posting and running with it.
 
Those claiming that iCloud info is sent unencrypted are incorrect. All connections to the iCloud service are made over https (port 443) and use SSL and a secure certificate just as they would if you were doing online banking, etc. These servers include:

setup.icloud.com
p07-content.icloud.com
p07-steams.icloud.com
p07-bookmarks.icloud.com
keyvalueservice.icloud.com
p07-quota.icloud.com
p07-contacts.icloud.com
p07-ubiquity.icloud.com
aolauth.icloud.com

and all the others.
 
As far as I understand Apple don't offer encrypted transfers in iCloud though, and last time I heard:

Dropbox uses modern encryption methods to both transfer and store your data.

Secure Sockets Layer (SSL) and AES-256 bit encryption

Points well taken for the rest of what you are saying. :) There's also an element of fault from the user's perspective.

I completely agree about the security lapses at Apple. They can do more when it comes to patching security exploits. Flashback made it even more apparent.

But about Dropbox, I know they use SSL and AES-256 on their servers. You may know something I don't, but my assumption was that Apple did the same with iCloud backups and that the issue at hand is that the backups should be encrypted locally on the iPhone before being sent to iCloud.

As it stands, Dropbox should be vulnerable too. If someone had their Dropbox account stolen and they logged in, they should be able to download any of their files even if it's over HTTPS and even if they were encrypted on the servers with AES256. Cloud solutions like SpiderOak do the encryption on the local computer first. So even if the account name/password was stolen ... they would need the local encryption keys before the server assumes they are properly authenticated to see the data. This stops Spideroak employees and hackers, who may steal files from their servers, from seeing the data. But even then with all that encryption (2048 RSA + AES256), knowing the password of an account leaves you vulnerable no matter what. I believe with Spideroak, if you lose the local encryption keys you can still get them back with your password and use them to unlock the data. Safest way to keep the data private is to never allow regeneration of the keys, which leaves you without your data, which defeats the point of cloud backup storage.
 
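The trade-off described in the post above (provider-held keys, device-only keys, and keys that can be regenerated from the password), as an added example that is not part of any poster's message. The HMAC-based cipher is a standard-library stand-in for AES, and the model names, password and backup contents are constructed for the demonstration.

```python
import hashlib, hmac, os

PASSWORD = b"correct horse battery staple"   # constructed sample password
BACKUP = b"contacts, messages, photos"       # constructed sample backup

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode), used only to stay stdlib-only.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None                      # wrong key: authentication fails
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)

def stolen_password_yields(model):
    """Return what someone holding only the account password can read."""
    salt = os.urandom(16)                # stored server-side next to the blob
    if model == "server-side":
        server_key = os.urandom(32)      # provider holds the key
        blob = seal(server_key, BACKUP)
        return unseal(server_key, blob)  # provider decrypts for any valid login
    if model == "device-key":
        blob = seal(os.urandom(32), BACKUP)          # key never leaves the device
        return unseal(derive(PASSWORD, salt), blob)  # password-derived key is wrong
    if model == "password-recoverable":
        blob = seal(derive(PASSWORD, salt), BACKUP)
        return unseal(derive(PASSWORD, salt), blob)  # password regenerates the key
    raise ValueError(model)

if __name__ == "__main__":
    for m in ("server-side", "device-key", "password-recoverable"):
        print(m, "->", stolen_password_yields(m))
```

Only the device-key model withholds the backup from someone who knows the password, and it is also the one where losing the device key loses the data.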
The most damage some of the ill-conceived responses in this thread will do is unnecessarily alarm an average user into switching iCloud off. However when you consider the merits of the argument for and against iCloud, it's much more likely those people will lose, damage their iPhone or have data corruption than have their data stolen, the result being they could potentially lose data they didn't need to lose because they switched the service off - due to reading poor information from people who don't understand security protocols or spread misinformation.

Also, considering some of the ill-thought responses to iCloud security, I figured I shouldn't tell people to microwave their HDD, in case they do just that. It was irresponsible of me, and I apologise. :p I'm sure the Russians next door are lovely people too.
 
Shame, Shame, Shame

For shame, MacRumors. This is scaremongering, caveat-in-the-nineteenth-paragraph of the highest order.

YOU NEED THE ICLOUD USERNAME AND PASSWORD.

This is not hacking! This is accessing your own data!

Obtaining someone's password: that's "hacking", if we can call it that. Apple makes the entirely reasonable assumption that someone with your iCloud username and password is YOU. If they didn't do that, the entire concept of username/password identification is pointless.

If you couldn't access your iCloud backups with your iCloud username and password, then when you're restoring to a new device, how on earth are you supposed to identify yourself?
 
I completely agree about the security lapses at Apple. They can do more when it comes to patching security exploits. Flashback made it even more apparent.

But about Dropbox, I know they use SSL and AES-256 on their servers. You may know something I don't, but my assumption was that Apple did the same with iCloud backups and that the issue at hand is that the backups should be encrypted locally on the iPhone before being sent to iCloud.

As it stands, Dropbox should be vulnerable too. If someone had their Dropbox account stolen and they logged in, they should be able to download any of their files even if it's over HTTPS and even if they were encrypted on the servers with AES256. Cloud solutions like SpiderOak do the encryption on the local computer first. So even if the account name/password was stolen ... they would need the local encryption keys before the server assumes they are properly authenticated to see the data. This stops Spideroak employees and hackers, who may steal files from their servers, from seeing the data. But even then with all that encryption (2048 RSA + AES256), knowing the password of an account leaves you vulnerable no matter what. I believe with Spideroak, if you lose the local encryption keys you can still get them back with your password and use them to unlock the data. Safest way to keep the data private is to never allow regeneration of the keys, which leaves you without your data, which defeats the point of cloud backup storage.

Very interesting post Mark, thanks for the heads up about SpiderOak as well, I'll look 'em up.

----------

For shame, MacRumors. This is scaremongering, caveat-in-the-nineteenth-paragraph of the highest order.

YOU NEED THE ICLOUD USERNAME AND PASSWORD.

This is not hacking! This is accessing your own data!

Obtaining someone's password: that's "hacking", if we can call it that. Apple makes the entirely reasonable assumption that someone with your iCloud username and password is YOU. If they didn't do that, the entire concept of username/password identification is pointless.

If you couldn't access your iCloud backups with your iCloud username and password, then when you're restoring to a new device, how on earth are you supposed to identify yourself?

Easy there with the caps, tiger. They have a lot of ways, Flashback for one, to get your pass; once they have it, the point is they can track you without you noticing. There are no hardware keys that will ensure that only your devices can access it. Take it easy on the caps.

----------

How is it Apple's fault that 60k people were idiots and gave the trojan their admin password? That's like being mad at the deadbolt maker on your house after you hand over your keys to a burglar and they steal your stuff.

Typical Apple apologist. Yeah, why would they hold a phone like this and short circuit its antenna? There's nothing wrong with the iPhone antenna but we fixed it in the 4S but there was nothing wrong with it to begin with. It's never Apple's fault. There was a Java vulnerability in OS X, hence the intrusion of the malware.

The Trojan targets a Java vulnerability on Mac OS X. The system is infected after the user is redirected to a compromised bogus site, where JavaScript code causes an applet containing an exploit to load. An executable file is saved on the local machine, which is used to download and run malicious code from a remote location. The malware also switches between various servers for optimised load balancing. Each bot is given a unique ID that is sent to the control server.[5] The trojan, however, will only infect the user visiting the infected web page, meaning other users on the computer are not infected unless their user accounts have been infected separately; this is due to the UNIX security system.[10]
 
This product doesn't make sense to me.

First off, you need the person's iTunes username and password in order to access their data with this software...

...but if I already had their username and password to begin with, I could already access their data in the first place. So why would I need this software?

Also, if I have the level of sophistication to get someone's iTunes username and password, I also probably have the required sophistication to get much more of their data than this software could get me, and therefore wouldn't need the software in the first place.

Makes no sense...

Addendum: It would be extremely foolish for US (or any Western) law enforcement or intelligence services to use Russian-made security software, since Russia is the number 2 spy service against us, besides China. I hope no dolts at the federal government are actually using this stuff...
 
What security flaws? If someone has my iCloud password they can simply restore an iPhone with my iCloud backup. And if they have physical access to my iTunes backup it means they have my computer which has all the data in iCloud anyway!

Exactly! Can't believe it took until the second page of this thread for someone to point this out.

Next scandal: It has just been revealed that if someone acquires your gmail username and password, they can view and download your emails as you receive them, in NEAR REAL TIME!!! I've been saying that email isn't secure for years, but no one listened to me!
 
But, don't you need the username and password?

"While the Apple ID and password must be known in order to access the iCloud data"

Yep. So how is this really that different than using that information on a blank phone to restore the backup and see what's there. It isn't really.

If they don't have your credentials they can't do jack.

----------

Read the next paragraph.

You mean the one that says they can get the info from your iTunes backups off your own computer.

So they have to have access to your computer.

Frankly if they have that or access to your iPhone to make a backup on their computers, you should be more worried they have those items.

----------

And they say it's trivial to get the iTunes ID. All they need is the unencrypted local backups in iTunes.

They don't even need a local backup if the user has ever bought anything from the iTunes store. Every song etc. has the ID in plaintext in the 'info' for the file. But that only gets them your user name. They have to dig for your password, unless you are someone dumb enough to store it in a plain text file on the computer they have access to, or something like 1Password with a simple (or worse, no) password.
 
So. Let me get this straight.

If they have your username and password, they can get your info and track you... and if they don't, they can get it from your old back ups on your computer.

Why is this news?

Hell, if you have the username and password for my online bank accounts, you can do the same thing AND bilk me out of every cent I have. Oh, not to mention breaking into my house and looking through my files and finding my SS card to steal my identity.

Seems like this is on the bottom of my worry list.
 
It may not be a security flaw per se, it still needs to be fixed, period.

And how exactly are they supposed to fix it? You're so smart I'm sure you have it all figured out. You know exactly how they can fix an issue that requires your private password info or access to your actual hardware.
 
This product doesn't make sense to me.

First off, you need the person's iTunes username and password in order to access their data with this software...

...but if I already had their username and password to begin with, I could already access their data in the first place. So why would I need this software?

Also, if I have the level of sophistication to get someone's iTunes username and password, I also probably have the required sophistication to get much more of their data than this software could get me, and therefore wouldn't need the software in the first place.

Makes no sense...

Addendum: It would be extremely foolish for US (or any Western) law enforcement or intelligence services to use Russian-made security software, since Russia is the number 2 spy service against us, besides China. I hope no dolts at the federal government are actually using this stuff...

That addendum is one of the stupidest comments I have ever read on the internet (srs)
 
That addendum is one of the stupidest comments I have ever read on the internet (srs)

That's a very strong statement, considering all the junk on the internet.

Such strong, extremist, emotionally charged statements indicate a lack of reason, and indicate I hit an emotional nerve.

So, in fairness I ask: Do you have any actual objective evidence or a reasonable argument that shows that what I said was wrong? If so, I'm willing to listen.

...or do you have nothing but an emotional personal attack?

(Yet I fear I already know the answer)
 
Typical Apple apologist. Yeah, why would they hold a phone like this and short circuit its antenna? There's nothing wrong with the iPhone antenna but we fixed it in the 4S but there was nothing wrong with it to begin with. It's never Apple's fault. There was a Java vulnerability in OS X, hence the intrusion of the malware.

Sorry, it's a bit rude to roll out that old 'apologist' tag to someone when it appears you're intent on being alarmist and spreading misinformation.

This isn't a fault, why are you having trouble seeing that? How is the concept of a secure username and password a fault lol? Appears to me you're so intent on trying to prove a point about Apple that isn't relevant, you've actually missed the purpose of this software???

Besides that re: iPhone 4, the company took a lot of flak over that. You can call the poster above an apologist till you're blue in the face but you're beating a dead horse. Everyone knows there was a design fault, but clearly you thought we needed reminding about it 2 years later! :rolleyes: Not that it's in any way relevant.
 
That's a very strong statement, considering all the junk on the internet.

Such strong, extremist, emotionally charged statements indicate a lack of reason, and indicate I hit an emotional nerve.

So, in fairness I ask: Do you have any actual objective evidence or a reasonable argument that shows that what I said was wrong? If so, I'm willing to listen.

...or do you have nothing but an emotional personal attack?

(Yet I fear I already know the answer)

No, not an emotional personal attack. I am well aware that this software is being used by Law Enforcement in Australia.

One of the more common tools for mobile phone forensics is Cellebrite, (http://en.wikipedia.org/wiki/Cellebrite) which is headquartered in Israel.

Should law enforcement and intelligence agencies boycott software because their developers may be spying on us too? Should they continue to lack capability just because the company that developed it is headquartered in Russia?

Everyone is going crazy regarding this article, possibly one of the best troll articles I've seen on MacRumors.
 
No, not an emotional personal attack. I am well aware that this software is being used by Law Enforcement in Australia.

One of the more common tools for mobile phone forensics is Cellebrite, (http://en.wikipedia.org/wiki/Cellebrite) which is headquartered in Israel.

Should law enforcement and intelligence agencies boycott software because their developers may be spying on us too? Should they continue to lack capability just because the company that developed it is headquartered in Russia?

Everyone is going crazy regarding this article, possibly one of the best troll articles I've seen on MacRumors.

Surprising, since Australians are a pragmatic and level-headed people. I would be further surprised if any US government folks were using this software. I would hope they are exercising due caution and thoughtfulness without the hindrance of political correctness and naivety which tell us that everyone in the world is pretty much OK regardless of nationality and can basically be trusted.

The best option for these kinds of things is homegrown, that way you remove all doubt.
 