You can probably keep your shirt on until they solve this, yes? As the FBI is now involved, they aren't about to divulge information which will allow the perp(s) to cover their trail.
While this may or may not be true, it doesn't excuse Apple from not having rate-limited iCloud login attempts:
+1 Absolutely... rate-limited and # of attempts are all part of the solution. On the other hand, as suspected by many on this forum, it was not a system wide attack. They went after specific people.
Almost as if this was orchestrated a few days before Apple’s announced event. Makes you wonder.
I am Certain this will be corrected on the national tv news, local tv news, Yahoo news, Google news, etc. immediately. /s
They'll try, of course. But the news organizations are riddled with talking heads and incompetents.
sflagel wrote: »
what there isn't, is a proper secure system that does not require the memory of an elephant and/or the geekiness of an MIT engineer.
I think they're more generally about how to set up and use one's iOS device.
Apple offers a variety of workshops, including how to better use many of their specific apps, like iPhoto, iMovie, Numbers, Pages.
They also have a workshop that specifically is about iCloud. Perhaps more people and celebrities should pay a visit to that one.
Even if it allowed brute force attack, if there was no SUCCESSFUL attempt, then I would agree that they were NOT breached. It doesn't sound like that's how the hackers figured out the passwords. I doubt the hackers even KNEW about that.
It's not a breach if the vulnerability wasn't exploited to gain access to the accounts. Apple said, "None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone." One definition of "breach" is, "an infraction or violation, as of a law, trust, faith, or promise." IMO, allowing a brute force attack on passwords clearly represents a "breach", because it's one of the fundamental things to guard against, an item of trust and faith. They specifically mentioned "Find my iPhone," the service documented to have the vulnerability, and it's hard to believe they would defend it if its vulnerability is what enabled the attack. Note that they're not denying the existence of breaches, as you claimed, just that none of the cases they've looked at was the result of a breach.
Now if it should turn out they're using weasel words, this will look really terrible when the truth comes out, and I'm sure it will come out. It would have been a lot better IMO for them to have acknowledged the vulnerability they just fixed and say whether or not it was a factor, all in plain, unambiguous language.
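As an added illustration of the rate limiting the posts above are asking for (example code written for this thread, not Apple's code or anything posted by the people quoted here), the following Python sketch locks an account after a burst of failed logins inside a sliding window, so a password-guessing run is cut off long before it can cycle through a list of likely passwords. The account name, password, hashing parameters and policy numbers (5 failures in 5 minutes, 15-minute lockout) are constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed demo credential store: account -> password hash.
# PBKDF2 with a fixed salt and a low iteration count keeps the demo fast;
# a production system would use a per-user salt and a slow KDF (scrypt/argon2).
_SALT = b"demo-salt"


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10_000)


USERS = {"alice@example.com": _hash("correct horse battery staple")}


class LoginThrottle:
    """Track failed logins per account and lock the account after too many
    failures inside a sliding window. Policy values are hypothetical."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> unlock time

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                    # lockout expired, start fresh
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account, now):
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.max_failures:
            self.locked_until[account] = now + self.lockout_s

    def record_success(self, account):
        self.failures[account].clear()
        self.locked_until.pop(account, None)


def attempt_login(throttle, account, password, now):
    """Return 'locked', 'ok' or 'bad'. A locked account is refused before the
    password is checked, so further guesses yield no signal at all."""
    if throttle.is_locked(account, now):
        return "locked"
    stored = USERS.get(account)
    candidate = _hash(password)             # always hash: uniform timing for unknown accounts
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if ok:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad"


def simulate_guessing(n_guesses=20):
    """Run n wrong guesses one second apart, then the correct password.
    Returns the list of outcomes; the lockout cuts the run off even though
    the right password is eventually tried."""
    t = LoginThrottle()
    results = []
    start = 1000.0
    for i in range(n_guesses):
        results.append(attempt_login(t, "alice@example.com", f"guess{i}", start + i))
    results.append(attempt_login(t, "alice@example.com",
                                 "correct horse battery staple", start + n_guesses))
    return results


if __name__ == "__main__":
    print(simulate_guessing())
```

The same counter should also be kept per source address (and ideally per account-and-source pair), so that one guessing host is slowed down regardless of which account it targets; a lockout keyed on the account alone also lets an attacker lock legitimate users out on purpose, which is why many services prefer escalating delays to hard locks.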
ivince wrote: »
It just strikes me as worrying that if a small subset of society (celebrities) can be hacked, and these targeted individuals all had poor passwords and/or security questions, then a lot of people can be hacked, thereby rendering iCloud unsafe for a lot of people by virtue of their own idiocy.
Surely iCloud needs an extra security measure, like a unique alphanumeric PIN or something, or something that can't be retrieved or searched for by a hacker. Basically to act as an extra measure for people that don't care about their password or questions being rubbish.
apple ][ wrote: »
Sure, I wouldn't have any objections if Apple implements even stronger security, especially since they are going to be rolling out their new payment system.
I've seen some folks who seem offended with the notion that they should secure their devices. It's strange. I suppose if you have been fortunate and never experienced crime for yourself (theft, mugging, whatever) you believe you cannot be affected by crime. One's experiences inform one's decision making.
What a pain.
tallest skil wrote: »
I’d also love to be able to write MY OWN QUESTIONS.
Just so you'll know, I neither wrote nor quoted what you attributed to me.
SpamSandwich wrote: »
What a pain. :)
I've always treated the main password and typical three security questions as:
Password 1: (main password)
Password 2: (security questions)
They're all generated by Keepass, and I typically use long random passwords and shorter random sekrit ansers.