Now what will Samsung do for R&D if they can't peek on iCloud data from Apple employees?
 
Too bad it already fappened.

Apple, a company notorious for knowing what's best for their customers, should have had 2-step verification enabled by default.

^^^This

It's like saying that we should have checked the terrorists' backgrounds before they crashed a commercial plane into a building, killing 1000s of innocent people.

Or

We should not let 9-year-old girls handle UZI machine guns after one accidentally killed her instructor.

The damage is already done and is irreversible. I'm just surprised that Apple let this happen in the first place. You're sitting on all this money, so it's not like you don't have the resources to hire outside vendors to find weaknesses in the system.
 
"I think we have a responsibility to ratchet that up"

Or... double down on it.

Just sayin'.
 
Tim Cook is a fantastic CEO this way. He has done a great job at saying "hey, we screwed up" when they have (and even if they haven't), and saying "hey, we agree, things could be better and we're going to make sure they are."

He's also clever. Apple still hasn't addressed or admitted to their initial screw up that led to all of this. Yes they fixed the multiple login attempts but have not addressed it. If they weren't going to be introducing so many shiny new products in 4 days, the press would be asking questions about that mistake. It's a gamble but how much do you wanna bet no one calls them out on their security goof this Tuesday? Tim is willing to bet all will be forgiven by then.
 
You said it was Apple's fault that the celebrities had their data stolen because 2-step verification wasn't offered in all countries.

I never said that. What are you talking about? But Apple needs to improve their security practices. That no one can question.
 
Tim Cook is a fantastic CEO this way. He has done a great job at saying "hey, we screwed up" when they have (and even if they haven't), and saying "hey, we agree, things could be better and we're going to make sure they are."

I agree Tim Cook admitting they screwed up is good, but a "fantastic CEO" would foresee this and prevent it from happening before it happens. He's definitely got some room to improve...
 
I want to set up 2 step authorization but can't remember my security question answers. (Well, I think I remember but it's not accepting them.) Apparently I don't have an emergency email with Apple so I have to call support. Thus, I keep putting it off. :(

Guess I was lucky in that I had such a crummy teacher I actually remembered his name when I signed up for two factor the other day, lol.
 
They should have thought of this ahead of time, before the damage was already done.
This type of poor management of sensitive data reminds me of Microsoft, i.e., a damage control policy: let the bad things happen, then look for ways to prevent them from happening again.

Please tell me that this response from you is because you are drunk or kidding!
 
If you somehow still think Apple's security doesn't SUCK DONKEY BALLS, see:
http://mashable.com/2014/09/04/i-hacked-my-own-icloud-account/
 
^^^This

It's like saying that we should have checked the terrorists' backgrounds before they crashed a commercial plane into a building, killing 1000s of innocent people.

Or

We should not let 9-year-old girls handle UZI machine guns after one accidentally killed her instructor.

The damage is already done and is irreversible. I'm just surprised that Apple let this happen in the first place. You're sitting on all this money, so it's not like you don't have the resources to hire outside vendors to find weaknesses in the system.

Actually, they have inside people constantly testing the system for flaws. Like a security expert in another article says, Apple is trying to balance ease of use with high security. Anyone who has worked for a company that locks down their employee computers to the point of almost making them unusable for work understands this. I have one client who can't use iTunes at work to find music for shows, even though she is the company's show director. She has to do it at home on her own computer. She's also my only client who can't share files on Dropbox with me, so I have to have a special Box account just for them. It's ridiculous.
 
I feel really sorry for all those people who got their private stuff stolen and broadcast around the net.

But the truth is, if software companies used robust authentication systems, most folks would not use them, or would complain that it is too inconvenient. So they try to find a balance between ease of use and security... two things that really don't go together well.

I jumped on 2 step as soon as it was available and actually forgot I had it until I wiped my device and tried to restore it.

I like it. And I am also glad Apple is expanding it.
 
I'm not a security expert, but I'm a network tech. Years ago I attended a basic security class and they stressed to never give correct answers to these personal "security" questions. Make up ridiculous answers and save them in something like 1Password. Perhaps not perfect, but it does allow for an extra layer of protection.

But here's the thing: if I've lost my pw to a site, that means I've somehow lost access to my pw manager app. Turning the security question answers into just three more "passwords," stored in the same app, doesn't solve the problem -- I won't be able to recover those, either.

I guess the fallback position is to just accept that you won't be able to recover a pw if you lose it, but that could be a real headache for certain sites/services.

Security questions do feel like a weak link, and they have always made me uncomfortable, but I can see how it can be a reasonable risk/compromise to allow a user to reset a pw via a combination of BOTH (a) knowing the answers to the questions, and (b) being able to access the recovery-link email. Heck, I've had to do it several times myself...
 
How?

or not have backups in the cloud (have local only), which is another option you can choose to make this sort of thing impossible.

How do you do local backups? I don't own a computer - can I backup to a thumb drive or something?
 
I don't want 2 factor authentication based on SMS messages pushed down my throat. Apple should use the same scheme Dropbox uses and allow for off-line apps to generate the token. At least give that choice. SMS doesn't work that well when traveling abroad without roaming ;)
 
Explain. Are you saying you were issued a temporary password after answering the security questions right then and there in the browser instance you were using to reset the password? Are you saying you didn't have to confirm the reset by clicking a link in a verification email they sent you?

Let me answer my own question.

http://support.apple.com/kb/HT5787

If you know the answers to your security questions

Go to My Apple ID (appleid.apple.com).
Select “Reset your password.”
Enter your Apple ID, then select Next.
Select “Answer security questions” as your authentication method. Select Next.
Select the birth date associated with your Apple ID, then select Next to begin answering your security questions.
After answering your security questions, you'll be asked to enter and confirm your new password. Select Reset Password when done.

If I had been in charge, I would have immediately drawn a huge X through that whole mess and fired the person who was stupid enough to have presented it as an option. The very first time I was ever confronted with such, I treated the security questions as additional passwords and generated them randomly with KeePass as I do all my passwords. Then if asked, I entered a fake birth date. I record all this information in the KeePass "Notes" field for the database entry. I realize most people aren't this security conscious, and they shouldn't be set up to fail.
 
He's also clever. Apple still hasn't addressed or admitted to their initial screw up that led to all of this. Yes they fixed the multiple login attempts but have not addressed it. If they weren't going to be introducing so many shiny new products in 4 days, the press would be asking questions about that mistake. It's a gamble but how much do you wanna bet no one calls them out on their security goof this Tuesday? Tim is willing to bet all will be forgiven by then.

Can't confirm what a TMZ article says, but it says there's indication that at least a few of the people gave up their own login credentials because of a phishing email they thought was from Apple. And it seems Kate Upton's photos were actually from her boyfriend's account, since there were also pics and videos of other women in the stash (in one of the videos a girl actually addresses him by name, so that's how they know it's his). There are a whole bunch of human mistakes at play here that could account for most of the mess.

----------

I don't want 2 factor authentication based on SMS messages pushed down my throat. Apple should use the same scheme Dropbox uses and allow for off-line apps to generate the token. At least give that choice. SMS doesn't work that well when traveling abroad without roaming ;)

Would you really be initiating a new device to your iCloud account while traveling abroad? That doesn't sound very smart.
 
Not if you enable 2-factor authentication. Then they will not be able to change your password, so they won't be able to get at your iCloud data.

Also, as the article said, Apple is also going to expand 2-factor authentication so, presumably, even if you know someone's password, you STILL won't be able to restore/slurp their iCloud backups without also having access to one of their trusted devices.

Most importantly, he points out that most of their customers CHOOSE not to use 2-factor authentication. (Which is THE CUSTOMER'S FAULT, not Apple's.) And they are going to start harassing customers to smarten up and use it.

There is nothing more Apple can do than that.

I choose not to use 2-factor because every extra step is a PITA. To compensate for my astonishing lack of security awareness, I don't take nudie pics.
 
I'm not a security expert, but I'm a network tech. Years ago I attended a basic security class and they stressed to never give correct answers to these personal "security" questions. Make up ridiculous answers and save them in something like 1Password. Perhaps not perfect, but it does allow for an extra layer of protection.

Although I'm sorry it happened, it's hard to feel sorry for these folks. They are extremely well-paid, and perhaps, along with their agents and PR people, they could afford to hire technology consultants?

What city were you born in?

sO3*-3h*j-H^ea-9UrI

Also, coming soon: technology consultant abuses his position to download naked pictures... If they get taken, they will find a way out. Like a caged animal in a zoo, they yearn to be free subconsciously, even having been born in captivity.
 