NYC police are already "legally" detaining and searching citizens without warrant or probable cause. A precedent has been set.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
ElcomSoft's Phone Forensics Software Offers Near Real-Time Access to iCloud Backups
- Thread starter MacRumors
- Start date
- Sort by reaction score
NYC police are already "legally" detaining and searching citizens without warrant or probable cause. A precedent has been set.
Considering that there are a limited number of mobile phone forensics products, major ones of which are XRY (Sweden), Elcomsoft (Russia) and Cellebrite/UFED (Israel), do the USA have a home grown Mobile Forensics Software?
The NSA and other US intelligence services probably have products much more sophisticated than anything commercially available, such as those you mentioned.
Not really, the next few months will tell. But right now there is a lot of things cops can do without a warrant until congress (useless) or Supreme Court (divided like the country) decide to rule on it.
Oh of course, I didn't mean to imply that it's hard to find a iTunes user ID. They are easily found in songs and iOS apps. People can easily mine for iTunes usernames at torrent trackers or those forums that help you find pirated iOS apps.
Don't get me started with the whole password .txt files. I've seen a few friends of mine that have an unprotected Word document labeled Passwords.docx on the freaking desktop on a computer with autologin enabled!! I haven't seen these people use password managers yet even though I've told them about it. But knowing them, they probably wouldn't put a password on it.
One day I dream of my cloud being on my home server at home and having an unlimited wireless data for all my devices with gigabit speeds.
This has nothing to do with Apple, its all about the Laws or lack of them. For most people nothing on their iCloud will cause them any problems but for some it could and I am sure those same people know better. This software is out there because governments want them so they don't have to go to court and get warrants. Should be interesting to see how far Govt. goes in the coming years. UK had some news about 1000 government agents snooping on people data without reason or authority.
How about requiring authentication that an iOS device is the one requesting the data?
You can use UDIDs to verify it's an iOS device, maybe even MAC Address. and pair those with a specific, unknown User Agent string. bam.
Umm... not so much, actually ...
I mean yes, such things are out there and have been out there for a long time. If you're a hacker, you can make money wearing a "white hat" or a "black hat". There's no difference between these people at the end of the day, except who they chose to take money from for their hacking skills or knowledge.
The "white hat" crowd likes to sell their tools to law enforcement for big $'s, and claim they're taking the "high road" compared to the other hackers trying to steal your data for personal gain.
But don't fool yourself into thinking the guys selling this stuff won't ever let their secrets leak out to their "black hat" buddies out there. These people share many of the same online discussion forums and such. Not just "anyone" will have access to the tools, but the people who matter will -- the ones who have the skill and motivation to hack you and misuse your data for profit!
The old "If you aren't doing anything wrong, you have nothing to worry about!" line is laughably cliche... Who decides when you're doing something wrong? Is it just YOU, or is it the people in power? On tonight's news, I just heard about a police officer who is finally being investigated because he pulled over a female neighbor he had some kind of personal grudge with, charging her with having an expired license (despite it not actually being expired), plus apparently planting a crack pipe in her car and arresting her on the drug paraphernalia charge. She probably thought SHE had nothing to worry about either, until someone in power decided she was due some punishment ....
I mean yes, such things are out there and have been out there for a long time. If you're a hacker, you can make money wearing a "white hat" or a "black hat". There's no difference between these people at the end of the day, except who they chose to take money from for their hacking skills or knowledge.
The "white hat" crowd likes to sell their tools to law enforcement for big $'s, and claim they're taking the "high road" compared to the other hackers trying to steal your data for personal gain.
But don't fool yourself into thinking the guys selling this stuff won't ever let their secrets leak out to their "black hat" buddies out there. These people share many of the same online discussion forums and such. Not just "anyone" will have access to the tools, but the people who matter will -- the ones who have the skill and motivation to hack you and misuse your data for profit!
The old "If you aren't doing anything wrong, you have nothing to worry about!" line is laughably cliche... Who decides when you're doing something wrong? Is it just YOU, or is it the people in power? On tonight's news, I just heard about a police officer who is finally being investigated because he pulled over a female neighbor he had some kind of personal grudge with, charging her with having an expired license (despite it not actually being expired), plus apparently planting a crack pipe in her car and arresting her on the drug paraphernalia charge. She probably thought SHE had nothing to worry about either, until someone in power decided she was due some punishment ....
Considering that a case just recently went to the Supreme Court on whether or not cops could stick a gps tracker to your car without a warrant, I think people SHOULD be concerned about their rights being violated.
According to arstechnica, from their inquiry months ago, iCloud uses SSL encryption on all iCloud data transfers.
Cloud Storage-WOW
Cloud storage is a joke and provides no real benefit to the enterprise.
It's not a viable solution for disaster recovery as long as the recovery plan you have implemented is sound.
I can guarantee my customer data will never be compromised. Why? Because I refuse to expose it to the internet. The internet is inherently insecure. Also, there are too many dependancies involved in the transfer of data between you and the Cloud.
I was recently part a conversation between the president of a cloud storage provider, me and my CEO, (I am the CTO). What surprised me the most is she actually believed the hogwash she was spouting. I have been with this company for over 14 years and not a day goes by that I don't develop something new. She told us her engineers could replicate our system in a matter of days. I wanted to slap her silly. She had no idea what functions our proprietary systems performed. It would take a team of 10 30 -45 days just to complete the discovery phase on one of our 5 systems. She also stated that the data we uploaded would be 100% safe. Now, I wanted to kick her!
I have done the research. It would take 18-24 months and hundreds of thousands of dollars to move to the cloud, without any real benefit. It would take 7-9 years to recoup the cost of reducing our infrastructure. "Another must have feature of the cloud", (REDUCED INFRASTRUCTURE).
Would any of you really trust sensitive data to a third party who is solely providing this service to produce revenue?
Cloud storage is a joke and provides no real benefit to the enterprise.
It's not a viable solution for disaster recovery as long as the recovery plan you have implemented is sound.
I can guarantee my customer data will never be compromised. Why? Because I refuse to expose it to the internet. The internet is inherently insecure. Also, there are too many dependancies involved in the transfer of data between you and the Cloud.
I was recently part a conversation between the president of a cloud storage provider, me and my CEO, (I am the CTO). What surprised me the most is she actually believed the hogwash she was spouting. I have been with this company for over 14 years and not a day goes by that I don't develop something new. She told us her engineers could replicate our system in a matter of days. I wanted to slap her silly. She had no idea what functions our proprietary systems performed. It would take a team of 10 30 -45 days just to complete the discovery phase on one of our 5 systems. She also stated that the data we uploaded would be 100% safe. Now, I wanted to kick her!
I have done the research. It would take 18-24 months and hundreds of thousands of dollars to move to the cloud, without any real benefit. It would take 7-9 years to recoup the cost of reducing our infrastructure. "Another must have feature of the cloud", (REDUCED INFRASTRUCTURE).
Would any of you really trust sensitive data to a third party who is solely providing this service to produce revenue?
The impression I get is it basically allows someone to view all the data in an iCloud account on a pc. Simply makes it easier to go through and in legal cases look for evidence.
As you noted this software does no hacking of any kind. If simply downloads an iCloud account when a valid username and password are supplied and output it to a usable format on a pc.
So "the internet" is the only way data can get compromised? Interesting.
In theory, wouldn't someone whose livelihood depends entirely on a specific task be more encouraged to perform it well? ;-)
You are doing exactly that for quite some years already. Just think hard and it will come to you.
Your government is on the client list over at Elcomsoft. As are most other governments. Including mine.
Peace said:
Much of the information in iCloud is easy to read. Calendar, contacts, photo's. However, the backup of your phone includes hard to decode stuff, like your call history and text messages. The software decodes this, and makes it usable for law enforcement purposes.
Last edited:
If they have your password...
As stated they need your username and password or access to an unencrypted backup on your machine to extract the username and password from. This is not exactly a problem at Apple. Theoretically they could force everyone to encrypt their local backups, but then you create a customer service issue. One strange thing is that I believe that Apple clears out passwords on unencrypted backups for mail, does this policy not extend to iCloud?
A policy more people should adopt is disk encryption. Running Lion and a Seagate Momenus XT hard drive there is no noticeable performance hit on my Macbook Pro even with full disk encryption.
As stated they need your username and password or access to an unencrypted backup on your machine to extract the username and password from. This is not exactly a problem at Apple. Theoretically they could force everyone to encrypt their local backups, but then you create a customer service issue. One strange thing is that I believe that Apple clears out passwords on unencrypted backups for mail, does this policy not extend to iCloud?
A policy more people should adopt is disk encryption. Running Lion and a Seagate Momenus XT hard drive there is no noticeable performance hit on my Macbook Pro even with full disk encryption.
C
champ01
Guest
Tell that to the people how are in jail and didn't do anything wrong.
Talking fear into people minds so its easier to give up your rights. People like you make me sick.
You still believe in your government/your country that killed how many people?
Ever heard about the patriot act, NSA warrantless wiretapping, amnesty for collaborators of illegal surveillance?
...AND have an American-sounding name, AND are not in the wrong place at the wrong time, AND do not take part in any government-critical demonstrations, etc.,
You're talking as if you weren't living in a country that has started wars based on absolutely nothing, executed innocent people, abducted and tortured foreign citizens based on a similar-sounding name, and operated prisons on foreign soil where prisoners get neither a lawyer nor a trial.
Oh please, not the "think of the children" argument.
Last edited:
While it's not exactly a "security flaw" that someone can get your iCloud data with your user name and password, maybe Apple could be a bit more pro-active and send an e-mail when a new device accesses your iCloud account (they already detect when a new device is used to purchase stuff from iTunes and make you put your CVV in again).
If they did this, you'd know if someone had gained access and could then change your password.
If they did this, you'd know if someone had gained access and could then change your password.
Dude, they need to know the username+password in order to get in!!
That software seems pretty pointless to me tbh...
And also, shouldn't it be illegal?
The article says "more and more people use that kind of software to acquire user information" etc etc, isn't that illegal..?