▲ | soperj 7 days ago
[flagged]
▲ | puglr 7 days ago
Odd that you would omit the part of the text you quoted that contradicts the impression your partial quote creates.

> The images were initially believed to have been obtained via a breach of Apple's cloud services suite iCloud, or a security issue in the iCloud API which allowed them to make unlimited attempts at guessing victims' passwords. Apple claimed in a press release that access was gained via spear phishing attacks.

I also found it notable that the source for the above unlimited password guessing is an Apple press release that states no such thing. Also interesting was that all sources in that article suggesting anything about unlimited attempts refer to an app or script (unclear which) called iDar, which the only source to actually name iDar claims reports success 100% of the time, regardless of its actual success in guessing the password.

I've no love for Apple. Maybe it's true. But the evidence presented in this wiki article is weak.
▲ | some_random 7 days ago
Either you didn't read the page you linked or are deliberately lying; the API issue is speculation, and we know now that it was predominantly spearphishing. All from the same article:

> "Apple claimed in a press release that access was gained via spear phishing attacks."

> "Apple later reported that the victims' iCloud account information was obtained using "a very targeted attack on user names, passwords and security questions", such as phishing and brute-force attack guessing."

> "Court documents from 2014 indicated that one user created a fake email account called "appleprivacysecurity" to ask celebrities for security information."

> "During the investigation, it was found that Collins phished by sending e-mails to the victims that looked like they had been sent by Apple or Google, warning the victims that their accounts might be compromised and asking for their account details. The victims would enter their passwords, and Collins gained access to their accounts, downloading e-mails and iCloud backups."

> "In August 2016, 28-year-old Edward Majerczyk of Chicago, agreed to plead guilty to a similar phishing scheme, although authorities believe he worked independently and he was not accused of selling the images or posting them online."

> "Garofano's attorney said he had been led into the phishing scheme by criminals."

> "Through a phishing expedition[further explanation needed], he hacked more than 200 people"

All of the other methods of compromise are speculation; what has been unambiguously proven in a court of law over and over again was phishing.
▲ | GeekyBear 7 days ago
It's a little embarrassing that people are still pushing that particular conspiracy theory a decade after it was debunked. Not only was "Celebgate" the consequence of a standard phishing attack, but we know from court records that a larger number of Google accounts were breached than Apple accounts.

> A Pennsylvania court has sentenced a man to 18 months in jail for hacking into the accounts of celebrities and stealing nude photos and videos. Collins tricked his victims - including actresses Jennifer Lawrence, Kate Upton, Scarlett Johansson, and Kirsten Dunst - by sending emails appearing to be from Google or Apple. Collins accessed at least 50 iCloud accounts and 72 Gmail accounts.
▲ | bee_rider 7 days ago
That was a pretty big screw-up. But, it was more than a decade ago.
▲ | mort96 7 days ago
That's unfortunate, but your passwords should be such that it would take an attacker millions of years to guess the password through HTTP requests.
▲ | ffsm8 7 days ago
They were also active participants in PRISM... https://en.m.wikipedia.org/wiki/PRISM

What they actually do is a moderate effort to keep app developers from accessing user data. Which is definitely good! Though the reason for this is likely more about keeping the customer relationship with Apple than actually protecting the privacy of users, but it's a nicely marketable side effect - and that's definitely a good thing for the users, too!