Jennifer Lawrence, Rihanna, 98 other celebs' nude photos leaked online

Yes, there is something called ethical hacking. I have been paid by a sites owner to attempt to breach their own security. A security issue exposed is a security issue closed. As far as the rest of this thread. 4chan is a .onion site. While the act is deplorable and in some jurisdictions illegal guys will unfortunately be guys. Once something like this surfaces in a darknet such as Onion land it is just a matter of time before it makes it to the clearnet.

 

There is and I understand this isn't it. I don't defend what they did, but the end result will be that people will practice better security. Many of those people would have ignored the risk previously.

 

It occures to me that control over such photo's is not the issue. With the internet being fully integrated into smartphones any photo is like a click away from Facebook or the like. Best choice to eliminate problems like this is to avoid compromising photography of any sort.

 

The Verge has a comprehensive story stream on this incident.
http://www.theverge.com/2014/9/2/60...eaks-nude-photos-of-more-than-100-celebrities

 

Everyone forgets too easily.
Remember 2010?

"The security breach in a Web service used by Apple's new iPad 3G that was revealed this week suggested the potential stakes involved. Victims included not only thousands of ordinary consumers but also powerful figures in government -- including White House Chief of Staff Rahm Emanuel and New York City Mayor Michael R. Bloomberg -- and the military. Government agencies and companies whose employees' information was exposed were scrambling Friday to determine whether that data could have been used to help hackers track the movements of or get access to documents and e-mails of subscribers..
. . .
The fact that a hobbyist was, in hours, so easily able get access to information that Apple and AT&T, two of the country's most respected corporations, vowed to keep private and anonymous has jolted law enforcement officials, regulators and consumers, who had not made security for mobile devices a priority."

http://www.washingtonpost.com/wp-dyn/content/article/2010/06/11/AR2010061106239.html

 

Avoidance, wherever possible, is certainly the best approach. Do you really NEED to take sexy nude pics? The vast majority of people would, or should, answer no. However, what about:

• Pics taken for health reasons, such as monitoring the progress of a skin condition or whatever?
• Pics taken for insurance purposes, which could reveal items of value in your home?
• Pics taken for repair purposes, which could reveal details of a security system?
• Pics taken for business reasons, which could reveal sensitive info that competitors and others shouldn't have access to?
• Pics which reveal information about your patterns and locations, which could reveal information that burglars, stalkers, paparazzi could take advantage of?

These types of pictures are far less optional and far more common. At least some of them could... if they fell into the wrong hands... end up being more damaging to someone than sexy time pics.

 

You make some good points I'm sure a lot of people don't think about.

The response I keep seeing is don't take the pics. Obviously people are going to do that. I wouldn't but people will do what they do. The thing they need to keep in mind is if you take ANY pics you don't want to share with the whole world, don't store them online. The sad thing is once they call this exploit fixed, people will go right back to doing it again. It amazes me the risks people will take for the sake of convenience.

 

I doubt it.

More probable that most people do not understand the risks. The companies that offer online storage advertise these services in way that make seem that the services are extremely secure and the risk of data breach is close to nonexistent.

 

@Tipsy

I think it is worse then people not understanding the risk. I am seeing a disturbing trend that people do not care about the risk. Look at what people put up on Facebook. Look at Mark Zuckerberg's idiotic now famous quote that "... people have gotten really comfortable not only sharing information and different kinds, but more openly and with different people". Privacy is no longer a "social norm." The infamous statement from Nazi Joseph Geobbles and George Orwell's book 1984 “You have nothing to fear, if you have nothing to hide” is being used by the power structure to train and propagandize the world at large to believe that anyone who needs privacy or anonymity must be guilty of something sinister of felonious. I could blather on and on about this, but I think the point is made.

 

They didn't have to release nude pictures of people to expose a security flaw. They could have released other data to make their point. I think it was a bad judgement call on the actors part to store sensitive data in the cloud to begin with. I don't think they have a good understanding of data security, and now they are paying for it. I think Apple is going to be found at least partially liable in the end, and have to pay a large sum of money to the victims.

 

You don't have to have an understanding of security to realize that if you put something on the internet (even the cloud) that it could become compromised. Once any given item is out of your physical control others can access it.

 

Apparently they did not know the risk, or they were hoping someone would hack Apple icloud so they could sue Apple. I'm going to go with option #1 since many of them were already being payed well in their profession. It appears they placed blind trust in an apple service, and now they are paying the price in embarrassment.

 

Actually, from what I've read, many of them (feelings of violation aside) are considering this like "all publicity is good publicity". Regarding the cloud backup aspect, providers are rather stuck. If they don't backup by default, they'll be overwhelmed by support tickets about lost data. The fundamental problem is that most providers didn't focus enough on security while developing cloud systems.

 

Yes, many on the supplier side will oppose anything which might increase their support requests, which might cause potential customers to abort a sign-up process, etc.

I recall seeing one developer firmly arguing against "delete" features which are immediate. They felt that "delete" should involve an N week or month delay, just in case a user changed their mind. Others pointed out how confirmation dialogs and/or a buried "choose how you want delete to work (default is delayed)" setting would provide sufficient protection against that. However, the developer remained focused on the mere possibility that someone... even someone who had jumped through multiple hoops and assumed full responsibility for their actions in every way and who would be highly unlikely to ever do so... could delete something, then want it back, and ultimately generate a support request. I also vaguely recall one blog post about a company's decision making process regarding signup. Through A/B testing they justified eliminating one trivial but important security question step, eliminating a requirement that passwords contain at least one special character, and eliminating useful feedback on legal password characters and strength. With pride they shared how their final design would increase signups by half of a percent or whatever it was. It was all a numbers game, and their choices were poor ones for security.

Due to those and various other profit focused design decisions, we have less security/privacy than technology would allow for and it requires more work to hold on to what we do have. Game over when everything is cloud.

 

How I Hacked My Own iCloud Account, for Just $200
http://mashable.com/2014/09/04/i-hacked-my-own-icloud-account/

 

They did have to release them. Nobody would have taken this seriously otherwise. As for the rest of your statement, I absolutely agree.

 

Never trusted any cloud and never will.

 

What the hacker(s) did is certainly unethical and I would not condone such actions. However, in hindsight, This type of activity seems a natural and logical response when companies do not employ bug bounty programs and willingly choose to ignore warnings about vulnerabilities within their software and threats to their assets. Hypothetically, if you knew the people of Pompeii would be destroyed would you not attempt to warn them of the disaster? What if they willingly choose to ignore those warnings? Would you stand-by and keep pleading the same case or do something extreme that would force mass evacuation? In this context, if you knew a super massive earthquake was going to happen that would level large buildings and no one believed you. Would you not report a bomb in the building to expedite mass evacuation? Why would we not expect the same response when dealing with online threats? People are going to do one of four things: (1) report the problem, be ignored, and watch it happen, (2) report the problem only when monetarily compensation is offered, (3) stand-by and do nothing to warn people, (4) take action into their own hands to force people's inaction to become action. Is it illegal, certainly. But should it really be frowned upon when a company willingly chooses inaction? Even if you went back and sued the company for damages, some damages are long-lasting and irreversible like identity theft, the exposure of compromising photos, videos, etc. which damage your integrity. In this particular case, the content stolen was ear marked for redistribution which makes hits a flat out crime. But I wonder how many times this has happened where companies were honestly warned in advanced and did nothing to prevent it. Perhaps these types of wake-up calls are exactly what companies need to turn inaction into action. Just look how effective the wikieleaks and Snowden leaks have been in bring media attention to an ongoing and often ignored problem. Secondly, the incompetence of users to protect their personal data and to willfully share it with third-parties is not a valid excuse for blaming companies like Apple, Google, etc. A company is welcome to host a service that stores your personal data and to some extent under the law protect that information. But we've had more than enough lessons in account creation, password management, etc. that users honestly don't have any more excuses save the fact that mobile phones, tablets, etc. invite users to share information that normally would be stored on separate portable drives or in a locked folder. At the end of the day you can't fix stupid and stupid has the power to foil even the best laid plans. Companies can only do so much from their end anyways. Some people need to burn themselves from time to time before they start using common sense.

 

It is dumb to say this will be the wake-up call that makes a difference.

We see big wake-up calls routine now. One after another.
Target stores in US just few months back.
I post reminder already here about AT&T & Apple security embarassment involving White House and US military and celebs from 3 or 4 years back.
US Veterans Department has several cases of losing laptops or flash drives or other data with millions of peoples' personal id data.
It happens again and again.

Is it not obvious that the people who have the powers to make significant changes toward fixing the problems do not care?

 

@Tipsy. You are asking a complicated question. The problem has not been that they don't care, the problem has been the banks and the credit card companies have failed to come to terms. Target was phenomenally huge and put fire on the new "chip and pin" technology. If the reports are right chip and pin credit cards will start appearing in your mail sometime after 2016 a month prior to your expiration date. For the doom and gloomers, the US was the first country to come out with credit and debit cards. What this means is United States was behind in technology when the European nations adopted secure cards at a much lower cost then a security based change over would cost. The facts as they stand now is it's finally happening.

 

Originally plastic money was touted as being safer than cash. If you were robbed, you could cancel or freeze the cards. In reality, the exact opposite has proven true. Plastic made it possible for any coward behind a keyboard to rob you. At least physical robbery took a bit of guts or courage. I find it impossible to believe that they didn't see this coming. The real reasons for the push to plastic are
1, Making sure that the companies that issue these cards get a piece of all of your expenditures, and opportunities to add fees for whatever suits them.
2, Providing an easy way to keep tract of what you do with your money.
Unless you have to consistently borrow against plastic to meet your daily expenses, there's no good reason to use plastic. The price of that convenience is too high. If you need to constantly purchase on credit, you're just digging the hole deeper.

 

Noone, I couldn't agree with you more with regard to the security model you mention. While cash is secure the problem with not having credit or debit cards is some transactions require a credit or debit card. For instance have you attempted to rent a car without one? We also live in uncertain times. The economy is abysmal. Credit can also be used as a extraordinarily poor bail out in case of job loss. None of us like it but thems the facts.

 

@Tipsy: I don't have much hope that corporations will truly wake up to what needs to be done. But the wake up call isn't for them. It's for the users that rely on these third-parties to manage the money, to manage their data, etc. As harsh as this may sound, users need these kind of things to happen more often before they realize the cost of relying on third-parties to store their data is too high. Just like users realize the cost of losing their data when they forget to back-up and back-up often. I'm not saying I condone intentionally targeting users, but sometimes seeing these types of breaches in the media and seeing the personnel connection is sufficient for some folks to learn. For the rest, well you can't fix stupid and even if you tried, stupid will find a way. My biggest complaint is that the media recycles the same security advice to users and blow up stories that really aren't that big a deal.

@noone_particular: I'm fortunate enough to have been lived after that realization was made. I pay strictly with cash at most places, and I'd agree that the push for plastic is certainly money driven. What aren't we charged a fee for these days? Some banks charge fees to withdraw you money by phone, others charge fees each time you use your plastics. The only exception where I've used cards is when shopping with prepaid visa cards during black friday and christmas sales. I usually spend the card single purchase.