Article Navigation

Apple speaks - Relax , your homemade iCloud nudes are not at risk... (or are they?)


So the morning of The Fappening /Celebgate - a series of people lost their minds.   Half of them were busy downloading celeb nudes.  The other half of them were busy deleting saucy material off their own iPhones and trying to make damn sure they had nothing racy on the iCloud.

There's a lot of spiels going around this morning as to how the hell this whole thing could have happened.  How was Apple's iCloud compromised if it was indeed the issue - which, it kind of was. The position of 'kind of' vs the position of 'yeah totally is responsible', depends a lot on how tech nerdy you are.

Click to enlarge image of Apple's statement on the iCloud breach.
Brute Force, not a Web Reap.

There are a couple ways you can get at data on a cloud or a server.  The bad-bad-bad thing that can happen is a full web reap.  Someone gets access to the cloud/server filebase and just goes 'yoink!' and copies the whole thing.  This - is - reeeeal - bad.  Most 'secure' companies MD5-encrypt all their data and/or take some other measure that means even if a hacker gets to the files this way, their copies are useless without a decryption key - the data is just junk and you've copied a whole bunch of nothing.

The main alternative, is a targeted brute force attack. The outcome of this kind of attack is the security thinks you are the legit user, so of course you can download anything the account holder can.

The catch is, you can't brute force someone unless you know the target's username - which is why most of us on the planet are just fine (Woot! Homemade nudes here I come!).  Apple launched an investigation and has made it very clear that only select celeb accounts were compromised and these users were targeted with a brute force attack, not a web reap.  

In a brute force attack someone has to know the specific username of the user's account, then launches a program to just spam password attempts over and over again, sometimes used in conjunction with a 'sniffer' program that goes -'yep, we got this part of the password right, keep trying passwords with that letter/number combo'.  Look, all that matters is - if you don't know the person's username, you can't target the person's account.

Which begs the question... so how did the hackers get the username of those celebs to even attempt this?

There are two thoughts on this:

How did the hackers get the celeb usernames then?

This is theory one:

Social media ninjas etc

Short version, with enough snooping through a person's publicly available information, you might be able to find out their username, particularly if it's some sort of combo involving their real name and birthday.  You can also try a couple hacker tricks, like you find out their email address or something and trojan your way into their machine with that and from there you are able to make bigger inroads. It's not a terrible theory and the general 'popular' consensus is that a group of hackers in underground forums at ANONIB were already trading this stuff for aaaaaages and some tool decided to make money out of it, blowing it for them all.

But the theory I freaking love is this one doing the rounds on Reddit at the moment:

It's horny guys at the NSA...

Seems Legit.

Look, I know it sounds like rubbish - but I completely buy it.  There is now giant oversight of personal information and it's a lot easier to get the information of a celebrity if you are already working for the body that monitors all the personal electronic information of everyone in your nation, and in some instances, the world.  Let's face facts - if you're an 18-35 year old guy, employed by the NSA to monitor data and at your fingertips is the ability to look through J-Law's underwear draw in the name of national security... would you?  Annnnd if you found a couple of questionable selfies during that search and could copy them without J-Law knowing... would you?  Say you did it once.  A little while later you happen to be looking at Victoria Justice's photos and 'boom!' more questionable selfies.  The last ones didn't hurt anyone... someone walks in and looks over your shoulder, but also wants to see them and is quite willing to shut up about your misuse of government property...  if you share.  Do you share?  And with how many other people?  Now you have a partner in crime.

If you know anything about white collar crime theory you'll understand that in this area, three things need to occur:  1. motive 2. means 3. justification.  Anyone with an interest in the celeb has motive when it comes to celeb nudes and it's exactly the kind of crime that seems harmless.  From there it's just a matter of justification.  Anyone at the NSA has means.  And if you get one pic, and no one seems to get hurt - from there justification is a cake walk.  In most white collar crime, particularly in areas of fraud / taking liberties with work stuff, there is a pattern.  The pattern is one small act, followed by one more - and over time those acts turn into a massive norm of rorting the system.  Most people who get caught are often quoted saying that they thought there was nothing wrong with what they are doing.  Well, I'd put money on a bunch of lads at the NSA duck-and-covering right now.  But we'll never know, will we  :)

No comments:

Post a Comment