It's actually encouraging IMO to see them doing something before tomorrow's keynote. But there is more work to do. As I said in a thread a couple days ago, it doesn't matter how many bits of entropy your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name from Ancestry.com, or your birthdate and favorite sports team from Facebook. Don't get me wrong, this is better than nothing, but it's not "fixed" yet. If someone has hacked your iCloud account, it stands to reason that they can probably delete the notification email before you ever see it.
It can never be fully "fixed", as long as passwords are involved. The user has to take some accountability and responsibility. If you have security questions for which the answers are publicly available, that's your own damn fault. Also, the more obstacles you create for logging in, and for resetting a password, the more inconvenience that causes users - it's not as simple as adding as much security as possible, you have to look at how it affects scenarios where users have lost their passwords, etc. I'm sure it happens thousands of times a day and clogs up Apple support lines. Trust me, I know. I get emails every single day of people "forgetting" their passwords, even though I'd already sent it to them 10 times. People are fucking stupid and careless, and you have to keep that in mind. Being locked out of one's own account is a real common problem.
Apple is on the right track with Touch ID, and ahead of everyone else in this regard. It will only get more precise and robust, and eventually, for most people a password should only be used as an emergency failsafe, not as primary login method.
SO, AFTER the hacker logs into your iCloud account (and now having access to your iCloud emails), they just wait for the email to arrive in your iCloud inbox, and delete it.
Did I get this right, or am I mistaken?
My iCloud account is not the same email as the supplied Apple email. I don't and have never used the supplied email.
I just tried it, and it sent the notification to my Primary email (as defined in the Apple ID settings), which is a Gmail account in my case, though I suspect lots of people would have the me.com primary, then a separate backup. Would be good to send to both.
Apple is on the right track with Touch ID, and ahead of everyone else in this regard. It will only get more precise and robust, and eventually, for most people a password should only be used as an emergency failsafe, not as primary login method.
Well, that's nice, but even then it still has the problem that the crackers will attack the weaker failsafe rather than the stronger 'front door'.
I get so many security warnings now, like when I restore one of my many iOS devices that causes a cascade of notifications on the other devices, that I pretty much have to ignore them all. That's the problem with security warnings. If you send too many, people are simply annoyed by them. If someone ever did try to hack an account, it would be lost among all the other BS notifications. When was the last time you actually paid attention to a car alarm?
This is an excellent point.
I recall when we used to make fun of Microsoft for this type of intrusiveness (I am forgetting the version of Windows OS that drove users nuts with regular deny/allow intrusions -- it was spoofed in the Mac v. PC ads).
I'd much rather get an email after there have been like 10 failed attempts to access my account - regardless of which way it happened (web, OS X, iOS, whatever). That way I know if someone is trying to brute force my account.
I liked what another user had suggested. A page/site that lists all the devices and the geo location of them that accessed or have access to my Apple ID. That's not a privacy problem because it should be all of YOUR devices anyway.
I could be very wrong, but that seems pretty easy to implement. Something like how they show every device that's connected to the AirPort Extreme.
Seems like you would be better off getting a notification on your iOS devices that someone had just logged into your iCloud account from the web, vs. an email to an IMAP account (or Gmail, for those so inclined) that could easily be deleted.
Still not perfect, but IMO it would be far more likely to alert the actual account owner to a potential problem.
Great minds think alike. When I said notifications, I meant push notifications.
Also, to make it less intrusive, Apple can have users assign a "primary device" such as an iPhone. A push notification can be shot out to the primary device whenever a sign-on attempt to the iCloud happens, if it is outside the immediate area of the primary device. If no primary device is selected, then send a push notification after x number of failed attempts.
I've been waiting two decades for a whitelisted email service that would replace SMTP.
lol. I had my first email address in 1994. After I learnt about the inner workings of the SMTP protocol, I have been questioning "why" ever since. But email clients have been supporting digital signatures forever. I don't understand why it is not widely used or publicized like the web counterpart.
Celebs who claim to use Android are nothing but paid, lying shills!
Hard to fault most of that statement, but to be fair Levine could have paid lying shills who do many of his tweets.
That said, most celebrity endorsements are exaggerated, at best. Tiger Woods taking home random ladies in a Buick? It's more part of the costume, and the agents set it all up.
I can believe Morgan Freeman chatting it up with Siri though.
I recall when we used to make fun of Microsoft for this type of intrusiveness (I am forgetting the version of Windows OS that drove users nuts with regular deny/allow intrusions -- it was spoofed in the Mac v. PC ads).
Last week Google sent me several emails, saying that my account was accessed illegally, but the only evidence they seemed to use was that the access came from a location not near me. They cited the DNS number and that number was associated with another city. But when I looked at the list of locations, I realised that they had only identified the nearest ISP that served the request. So one was 50 miles away, some were much closer and one just happened to be 200 miles away. It was the last one that they flagged. But it could just have been the way the request was routed.
Comments
It's a start.
So do I, and I did, but was sat watching the wrong email account so don't know how long it took.
It finally came in about 1/2 hour later. So I guess everyone gets the message, regardless of 2-step authentication.
Great minds think alike.
Windows Vista.
Hi, I really indeed your feedback and your help, I lose my iPhone 5 and how to tries ???
<edited>
TS: good point below. I was going to report, but probably is legit loss.
This’ll help.