That iCloud security issue with the leaked celebrity photos

Apple’s initial investigation revealed that the attack was a targeted one.

What this means in simple english is that iCloud itself, was not compromised in any way.  What it does mean is a much larger issue with online account security in general.  Targeted attacks are possible due to the use of weak passwords, weak security question/answers, using the same weak passwords on multiple accounts, etc.

I’ve seen some security questions for example which no company should ever really have on their default list (like “what is your mother/grandmother’s maiden last name?”).  The reason I say it should not be on this list, is that this question, is often times used in many credit check databases.  The way that I deal with security questions and answers is something only known to me for example.  Heck, I don’t even use my real date of birth or phone number for most sites.

This (online account security) has NEVER been an easy issue to solve though.  Complex passwords means it isn’t easy to remember a lot of passwords on multiple sites; it’s why many use simple permutations.  When I used to work full time in IT, information security was still in this nebulous phase (what I mean is the organizational structure and what that position if any, encompassed in terms of responsibilities and reporting structure).  The use of complex passwords by users simply meant that many had that yellow post-it note with their password stuck somewhere on their monitor (defeating the purpose).

There is software (on both desktop and mobile devices) which attempt to create a vault of secure passwords that one can use to autofill logins.  OS X has for the longest time, had a built-in password management system known as the Keychain (this wikipedia entry has all the relevant detail).  I personally wouldn’t call it the most secure password management system since many including myself, have it set to automatically unlock with my main OS X login.  With OS X 10.9 (Mavericks) , iCloud Keychain was introduced (it takes the Keychain and moves it into the cloud such that it can be synced and used across multiple Apple devices).

While there are software solutions, none are perfect and there are no standards when it comes to the overall management of online account data security; that aspect is left up for each company to deal with on their own.  The Target security breach for example was much deeper than the company originally thought when they investigated further 

There is big money involved when it comes to the whole issue of identity/information theft because any large scale security breach can allow a large amount of personal information to be leaked.  Small bits and pieces of information alone may not look like much of a problem; the real damage comes when more of those pieces are fit together to form a better profile of you.  Identification theft can take as little as your SSN (in the US), date of birth, your mothers maiden last name.  And that is where social networking can pile on because of the amount of personal information that many are willing to give out for free.

I posted earlier in this blog about how I maintained an anonymous online profile for many years using a variety of pseudonyms.  Similarly, I mentioned how I purposely fed certain information unique to each site (like Google, Facebook, and Linkedin for example) to see exactly who is selling what pieces of my information.  There are ways to manage what public information (from government sources for example) can be linked back to you but that goes beyond the scope of this blog post and requires long term management/curation.

One of my friends, doesn’t even show up in public records (not even as a family member of the household he grew up in) because he never got his state drivers license and moved/worked overseas after completing college on the mainland.  It also helps to have the same name as your father which was enough to confuse a lot of earlier databases.  But this is going way off the subject matter.

When a retailer or any company that you’ve done any business with using a debit or credit card has had an in-depth security breach, that allows even more personal information including account information to be used for nefarious purposes including targeted attacks like the one that happened to some celebrities.  Some of these folks leave a long trail (Google+, Facebook and Twitter with their verified account system.  That’s a two way street because verified accounts mean that you know that is the real persons account.  It also means that any personal information posted for public consumption there, can be utilized as yet another data point.

It also isn’t about simply saying “then don’t take nude photos of yourself/someone else” where it manages to get online somehow (like via a cloud sync or in many other cases, knowingly uploaded and secured via that sites, privacy system).  Digital data is still property; it’s just that its concept is so nebulous because the lack of physicality like having an actual DVD for example.  But there is a whole new generation whose lives are intertwined with the online component/digital lifestyle (social networking now is just an extension).  It’s why something like a GoPro is so popular.  It’s just that the online component, is subject to far more hacking attempts compared to someone trying to force entry into your actual physical domicile.  And when someone steals digital information, it’s often times hard to notice until much later (this compared to say if someone stole your actual smartphone).

In cases like this though, it’s not uncommon to find people asking “why would anyone take naked pictures/videos of themselves?“.  That really isn’t simple to answer because it could be anything like initial fascination with the naked selfie to the fact that some folks like to document every part of their life including their private moments.  And it’s not for me to judge others on that basis either.  Flirting though (and the extremes to which it can go) is well, human nature.  It’s why messaging software like Snapchat and Wickr exists (ephemeral/self-destructing messaging).  The latter goes to the most extreme since everything is encrypted and no copies are saved anywhere (images sent via Snapchat are unencrypted which means there is the possibility for middle-of-the-man interception or unencrypted pieces remaining on Snapchat’s servers).

Another example I like to use is this Japanese one; it’s incredibly difficult for someone to sneak a photo/video of you bathing at home.  It’s much more easier for that to happen if you use a public facility e.g. being cases of extreme voyeurism such as those cases in Japan of onsen (hot spring) resorts or other more egregious cases of female sento (public bath) bathers (or in some cases, workers) who are paid to take a hidden video camera into the facility).  I use this as an example because nudity when it comes to public (same sex) bathing isn’t an issue in Japan.  I’m going to go off on a tangent for a bit to make a point as to the above italicized question.

The Japanese even have a phrase for this; hadaka no tsukiai which translates roughly to naked communion/skinship. Basically all barriers are broken down and it’s a time to relax/enjoy each others company.  This is primarily same sex bathing (mixed or konyoku onsen is not as common but do exist).  Close friends often times snap some shots but keep those to themselves/amongst their circle.  The other unwritten rule is to not take shots of strangers.  Males tend to be freer when posting butt shots of themselves even online (it’s consider comedic).  Females tend to keep those amongst close girl friends (though there are always exceptions) but they do the bare butt thing as well because one of my friends thought it would be funny to send a photo of themselves from the back, bare butt naked at an onsen while pointing up at the sky (a common joke pose).  They knew me/trusted me well enough to not share the pics sent (and I never have/nor will).

The point is that while within the personal/private space context, there is this seemingly openness with nudity in the public bathing context, it doesn’t mean that it is okay for complete strangers taking photos/videos freely with the intention of it becoming publicly available.  There are rules of etiquette  (usually unwritten) which most normal people abide by on their own.  Unfortunately, there are always exceptions (like the example I gave above with extreme voyeurism/paying someone to use a hidden camera) as well as accidental leaks with these private moments where some folks accidentally upload them by mistake.  Others lose their phone which ends up in the wrong hands where the contents get uploaded for public dissemination.

The key thing I’m getting at is that technology allows for both innocent/private moment captures meant for a very specific audience versus being used as tools by those whose moral compass is lacking/can be bought to where it’s not surprising that ones personal moments can be made widely public like this in an act that some might consider victim shaming.  But the actual story goes even further than this for the iCloud “leak”.

In the IT security circles, darknets are rather common.  Everything from piracy of software to trading stolen personal information.  In this particular case, I’m referring to very small niche networks of people who collect accidentally leaked media (images/videos) of celebs.  If this is hard to understand, look at regular collectors who collect say obscure coinage or stamps within those respective circles.  Jump on eBay and look at collectibles in general to get an idea of the breadth/niche of collectors.  Some folks just happen to have this thing for nude celebs.  The traders were just trading media like how one might trade some players baseball trading card for another.

And according to some security researchers, this particular iCloud leak was not a singular large hit…. what it was has been accidental image/video leaks over time with them traded via this underground dark network.  The actual forensic evidence is bearing that out because while many images have EXIF data showing that they were taking with an iPhone, there are also other images that have EXIF data from other manufacturers.  If this were a complete iCloud leak or even targeted iCloud account hacks, those images/videos would likely not even be on that iCloud account.

I also don’t mean to imply that it’s not out of the realm of possibility that they happened to take that media on another device, uploaded it to something like Dropbox, used Dropbox to import that media into the iPhone’s camera roll, and then have that data synced to iCloud.  But given the context of selfies, that doesn’t make any real sense at all.

The real damage came when someone outside those trading circle darknets decided to package up what existed, and post them on a large image board like 4chan (the same thing happens often on the large Japanese bulletin board 2channel of both celebs and regular people).  But there was no singular large file dump that is normally associated with a massive breach by one person or an organized group.

But even though the forensic evidence is showing that iCloud accounts weren’t brute force hacked and that this media leak wasn’t a singular event, Apple is doing the responsible thing in not trying to argue the above, and instead responding they’ll further increase security.  The general media would castigate them for trying to explain the actual facts.  Remember,  the mass media cares more about sensationalism and bare minimum accurate/factual reporting because trying to detail the facts about darknets is not as interesting a headline as “massive iCloud leak of nude celebrity photos”.

And this is all going to be the downside to the miniaturization of technology; where those normal looking glasses could actually have a set of camera lens (look at how tiny the front facing cameras on most smart devices are and the quality they are capable of) on them that is wirelessly communicating to what waterproof mobile device and video recording everything.  The mobility and connectivity of modern day devices allows them to now go into places that their predecessors were normally off limits to (think of the old SLR’s or handheld video cams).  It also allows us to document every moment as well to where it is easy to forget that privacy is only as good as the security that is in place (some of which is the users responsibility).  That’s why I’m not keen on wearable camera glasses as I’d probably be one of those folks who accidentally forgets to turn off the camera while I’m taking a piss…. (now live streaming [pun intended] – piss cam).