Don’t listen to the nonsense Apple spouts in its latest press release, as it seeks cover from the fallout of ‘The Fappeninig’ (the massive leak of explicit celebrity photographs from the iCloud service):
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone”
How they can try to face this out with claims that their systems are not breached is absurd. If thousands of intimate photos being disseminated across the web without the legitimate users knowledge or authorisation is NOT a ‘breach’, then what on Earth is?
The fact that the users could have been unknowingly complicit in the theft by using weak or obvious passwords may be true, but the fact remains that Apple’s default options allowed those passwords in the first place. Their system failed the basic security check of authentication – yes the password used was correct, but it was not entered by the authorised person who setup the account. It also failed on a second front: non-repudiation – i.e. the system did not confirm who did what, or when, in the face of the authentication failure, and it did not let the legitimate users know that something had been removed or copied.
As a user, either on a personal level or as a business entity, we must accept one core fact of life: the cloud is NEVER safe, secure, or impenetrable. It is wearying to see continual claims from industry that this is the case, but you must remember that companies are only seeking at least one of two things from you when they provide online services of any nature (and if they can get both – bonus!):
- Your cash. If your cloud requirements are a paid-for service, the beaming sales executive will direct you to sumptuous piles of policy documents, technical white papers, and ‘industry-standard’ claims of impenetrability. These are all worthless, and I have personally seen some of the supposedly best-of-breed cloud providers undone despite having ticked all of these boxes. The 100% faultless application of these systems and processes is impossible – and you should never believe anyone who tells you it is.
- Your life. If you are utilising a not-for-cash service, then you are the product, and your photos are rapidly becoming the de-facto key to your life. Remember that most photos taken in modern devices are tagged with geo-location information, so just accessing the metadata of the pictures is enough to know where you go, how often you go there, and how long you spend there. Couple this with the cloud ‘back-up service’ from your device that contains text messages, social media posts, and emails, and you effectively lay-bear your life to anyone wanting to punch through that puny password check your provider uses to secure them (akin to using a lolly stick to bar the gates to a castle in preparation for a siege).
Apple of course are not the only offenders, and they may not even be the worst, but they are jumping on a bandwagon that the industry set in motion to serve itself rather than consumers.
If you doubt my argument, just look at the recent history of social media & technology development – it is overwhelmingly photo & location driven. Facebook, in the past four years, has acquired technology companies including Instagram (photo sharing), Lightbox.com (photo sharing) Face.com (face recognition), Gowalla (location based services), and Divvyshot (photo management). Apple has acquired Snappy Labs (photography software), WiFiSlam (indoor geo location), IMSense (High Dynamic Range photography), and at least 9 mapping companies since 2009. Google is the daddy of them all, splashing cash on acquiring around 166 companies since 2001 including Waze (GPS software), Nik (GPS), Viewdle (face recognition), Benavio (social prediction), Talaria (cloud computing), Meebo (instant messaging), and Invite Media (advertising).
These of course are in addition to what they develop in-house.
So as you see there is a massive industry leveraging photographic, geo-locating, cloud-based, technology into devices that are permanently in our possession, constantly internet connected, and configured to easily send all of that information back to centralised servers. And all of this is protected with low-security password technologies that were outdated a decade ago, and which these massive companies have spent barely a dollar improving. Why? Because it is not in their interest for you to have secure, inaccessible online content. They want to continue to trawl your content for marketable intelligence, they want to make it simple for millions of users to add more content to the cloud every day by default, and they are more interested in making a buck than in making your online life truly private.
In the midst of this Fappening debacle there is a rightful narrative about the criminal actions of the hacker who stole these women’s data in the first place. Yet as Silicon Valley rushes to engage with the Federal investigation, they should reconsider their role. If you enable the actions of a thief by being lax in your preventative measures, does that make you any better?