You say “to-MAY-to,” they say “to-MAH-to” … however you pronounce it, a tomato can ruin the nicest fabric with an irrevocable red stain.
And if you told somebody, “I'm very annoyed because your to-may-to juice stained everything,” and that somebody responded, “Don't be ridiculous, darling, it was to-mah-to juice” … you might think that somebody is completely missing the point.
Anyway, last weekend somebody hacked into the iCloud accounts of 100 different (mostly female) celebrities in order to steal their intimate photos.
The celebrities involved were understandably outraged at this massive violation of their privacy; Kirsten Dunst was the first victim to publicly respond, with her tweeted remark “Thank you iCloud” followed by the emoji images of a slice of pizza and a pile of excrement – in other words (or, more specifically, with no words at all), saying that Apple's iCloud security is a piece of … poop.
Another actor, Mary Elizabeth Winstead, was particularly surprised because she had long since deleted those photos – at least from her iPhone, though apparently copies remained in the Cloud for hackers to steal.
“Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked,” Winstead tweeted on Aug. 31.
But the celebrities whose privacy was invaded will be relieved to know that Apple denies there was any security “breach” where the Cloud was concerned.
Bloomberg News reported on the evening of Sept. 2 that Apple insisted that the iCloud itself has not been breached; the company released a statement saying the accounts were “compromised by a very targeted attack on user names, passwords and security questions, a practice that is all too common on the Internet.”
For what it's worth, Apple is correct: there's no evidence suggesting the iCloud itself – the various servers where Apple customers can store data without using memory space on their own computer, phone or other device – was breached. Instead, it appears that hackers broke into the compromised accounts by using a brute-force attack to crack the passwords: using software to methodically try every possible character combination until the right one is found.
But why were brute-force attacks successful against one of the largest technology companies in the world? Defending a password-protected account against brute-force attacks is actually quite easy: simply implement a security protocol mandating a cutoff after a certain number of failed tries – say, if you type the incorrect password into an account five times in a row, that account is temporarily frozen, so that you must wait a certain period of time before you try typing the password again.
Not until this week, after a hundred celebrities' personal accounts were hacked, did Apple apply that simple precaution to its customers' password-protected accounts.
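The cutoff described above, sketched in Python as an added example (it is not Apple's code and not part of the original article). The five-failure threshold is the article's; the 15-minute freeze, the class and function names, and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5            # the article's "five times in a row"
LOCKOUT_SECONDS = 15 * 60   # assumed freeze period; the article names none


class FakeClock:
    """Controllable clock so the freeze can be shown without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class LoginThrottle:
    def __init__(self, clock):
        self.clock = clock
        self.users = {}   # username -> (salt, password digest)
        self.state = {}   # username -> [consecutive failures, locked_until]

    @staticmethod
    def digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self.digest(salt, password))

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        state = self.state.setdefault(username, [0, 0.0])
        if now < state[1]:
            return "locked"   # frozen: the guess is not even evaluated
        record = self.users.get(username)
        if record and hmac.compare_digest(self.digest(record[0], password), record[1]):
            state[0] = 0      # a success resets the failure streak
            return "ok"
        state[0] += 1
        if state[0] >= MAX_FAILURES:
            state[0] = 0
            state[1] = now + LOCKOUT_SECONDS
        return "denied"
```

With this in place, a guesser gets at most five evaluated guesses per freeze period per account, whatever the password's strength. The trade-off is that anyone can freeze an account by submitting bad guesses, so the freeze should be temporary, as the article describes.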
Meanwhile, both Apple and the FBI are investigating the hacking-which-wasn't-a-breach, and Bloomberg reports that Apple is, of course, taking the matter very seriously, although, in a statement, Apple denied responsibility for the security failure.
The iCloud service is a key part of Apple’s strategy to unite its iPhones, tablets and desktop computers, letting users store contacts, e-mails, photos and other personal information on external systems they can access.
Apple said in its statement today that a flaw with iCloud wasn’t responsible, nor was its “Find my iPhone” feature.
“When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source,” Apple said. “Our customers’ privacy and security are of utmost importance to us.”
Apple is encouraging people with iCloud accounts to make “stronger passwords,” consisting of at least eight characters including numerals, one upper-case and one lower-case letter. However, such a password still wouldn't be enough to prevent a brute-force hack into accounts that allow unlimited tries to get the right password.