Celebrity Photo Leak (Nothing inappropriate in here)

Shdwmage

So I was reading how these 100 female celebrities had their inappropriate photos stolen and leaked to the internet. The place where things go to live in perpetuity.

TechCrunch, as usual, is covering Apple's but saying there is no possible way that its iCloud. They even went to say far to say not to worry about it being hacked. Sophos reported that it supposedly happened through iCloud, but Apple has yet to issue a statement.

At least Jennifer Lawrence's photos were confirmed to be real by her stating she wants to prosecute whoever did this, and rightfully so.

So what are your thoughts? Do you think it was in iCloud breach, or something else?

Also, am I the only one who thinks its stupid to take nude photos on any sort of device, besides an old school polaroid camera, is stupid?

cyberguypr

'Find My iPhone' exploit may be to blame for celebrity photo hacks (update)

Shdwmage

cyberguypr wrote: »

'Find My iPhone' exploit may be to blame for celebrity photo hacks (update)

Here is the Tech Crunch Article I mentioned: Here’s What We Know So Far About The Celebrity Photo Hack | TechCrunch

philz1982

Very surprising if iCloud indeed does not have anything limiting authentication attempts.

MTciscoguy

If they want to take nude images of themselves, they deserve what they get, if they feel the need to take images, then do it with a device that is not connected and keep the storage card in a safe place, taking them on a connected devices is just asking for trouble, or perhaps publicity, who knows.

TeKniques

No confirmed hack from Apple yet? Looks like the investigation is still ongoing - had a co-worker say today that there was a brute force attack and from what I've seen that's skeptical at this point.

Not sure if I agree with the "they deserve what they get" statement. People do banking every day on mobile devices, if their private information gets stolen do "they deserve what they get"? Celebrities are high profile targets to begin with, which makes this such a bigger issue. The main issue it appears is user awareness which you find almost everywhere.

philz1982

MTciscoguy wrote: »

If they want to take nude images of themselves, they deserve what they get, if they feel the need to take images, then do it with a device that is not connected and keep the storage card in a safe place, taking them on a connected devices is just asking for trouble, or perhaps publicity, who knows.

Here is my only challenge to you, and keep in mind I do not believe ignorance should be an excuse.

I'm willing to bet that these "celebrities" did not know that images on their phone could be replicated to an iCloud account. I had to intentionally disable this capability on my phone....

Iristheangel

I wouldn't ever say someone deserves to have their privacy violated just because they took nude photos in the first place. Like TeKniques said, they're huge targets given their celebrity. Most of them probably didn't even realize that those photos were getting uploaded to the cloud when their phone was syncing. User ignorance? Maybe. But I wouldn't say that means they deserve to have their most intimate moments plastered around the internet.

That being said, I will be curious to see what comes of the investigation. If memory serves me correctly, didn't the guy who posted Scarlett Johansson's photos get 10 years in jail? Given the amount of photos and the high profile targets, I wouldn't be surprised if this guy got more time.

proprioceptive

MTciscoguy wrote: »

If they want to take nude images of themselves, they deserve what they get, if they feel the need to take images, then do it with a device that is not connected and keep the storage card in a safe place, taking them on a connected devices is just asking for trouble, or perhaps publicity, who knows.

This is a sad state of awareness. If these had been photos posted to public sources, then yes, they deserved it. Imagine that these celebrities had, in fact, taken these photos with a non-connected device and their home was then broken into. The thief then disseminates the photos on the internet. Do they deserve it then? It doesn't matter that they took these photos on their cameras or ipads or whatever. I'm sure the vast majority of these photos were taken thinking that the photos were secure. The simple fact remains that something was stolen and posted to the internet without their permission.

--chris--

1: Not surprised this happened, actually feel like it was overdue. It appears the attacker was at this for a good length of time (months?) before divulging everything.

2: Ignorance is to blame here. People use devices without understanding them all of the time, usually without harm. This is an instance where not fully understanding the device really came back to haunt these people.

And my prediction is: this is a social engineering based attack. Just a guess.

cpartin

These people didn't do anything wrong, other than being somewhat ignorant about security. You have to remember that we do tech for a living, so many things that are obvious to us are things that the average person isn't even aware that they should be concerned with.

The ScarJo guy broke into something like 50 email accounts and got nailed with multiple felonies and a 10 year sentence. I also read that one of the victims in this incident is McKayla Maroney, who just turned 18. So if any of those photos were taken before her birthday then it probably qualifies as child ****. Between that and the status and resources of the victims, whoever did this is toast.

ccnxjr

TL;DR
Celebs have unique personal privacy challenges that the ordinary citizen can simply ignore, or simply do not make an interesting enough target.

My $0.02

I'll agree it's partially an awareness issue.
And somewhat motivation, private individuals do get hacked and scammed frequently enough that banks have full time staff to respond to these incidents.
(identity theft also falls into this theme).

The info-security needs of a celebrity are SIGNIFICANTLY different from those of a less well know individual.
(Anyone else remember when Pres. Obama had his personal blackberry taken away?).
However, unlike politicians/bankers/Medical Professionals, there's no one telling these celebrities what devices and services they can and cannot trust.
Likewise, there are entire teams and organizations which impose standards on people working in those professions (HIPAA/FISMA).
However there's no complimentary service to celebrities (not that I'm aware of).
Who is going to remind a celebrity, or young celebrity, that they are now going to be targets for such activities.
Or validating the security of their personal devices.

This could be a niche industry for security pros!

Other unfair personal space invasions celebrities have is the paparazzi!
The ordinary citizen doesn't have to worry about someone taking pictures of them as they go out to fetch their mail, or having a wardrobe malfunction at the beach or forgetting to zip up their fly after using the bathroom!

TeKniques

Iristheangel wrote: »

That being said, I will be curious to see what comes of the investigation. If memory serves me correctly, didn't the guy who posted Scarlett Johansson's photos get 10 years in jail? Given the amount of photos and the high profile targets, I wouldn't be surprised if this guy got more time.

Yes, the guy in the Scarlett Johansson case got 10 years. There were a few more high profile celebrities in that case as well. I would think that whoever is identified as the attacker in this leak will get the same penalty or more without a doubt.

DevilWAH

How is it in any way the fault of the Celebrities or that they should deserve it for not understanding security or simple taking nude pics with there partners / or alone.

I don't understand every thing about a car when I buy it or drive it, but I assume the manufacture has taken care of all the details for me. All I need to do is turn the wheel and press the throttle/Break. And this is the same in 90% of the things I do. Yes as an IT geek I know a lot about security and such, but there is plenty of things I am ignorant of and like every one else I relay on what I read or am told by other people. If Icloud tells you that by setting a password it is safe, then the general public should not be expected to take a course in IT security to be able to confirm that.

They deserve it as much as you deserve your house broken in to, they did not save them in the public domain and they where taken by an illegal act. I strongly believe that every body is entitled to there private life and to do in it what ever they see fit (assuming it is legal), seeing as last time I checked taking pictures of you self was with in the law in this country, good on them for having some fun with their partners, and such a same members of the public feel they have the right to not only intrude them selves but post what they get publicly.

Now I must go and delete some pictures from Flicker just in case!!!

JDMurray

philz1982 wrote: »

Very surprising if iCloud indeed does not have anything limiting authentication attempts.

It was probably a very slow and highly targeted attack over a long duration (APT anyone?). Remembering back to the Paris Hilton voice mail hack (2005?), her VM password was the name of her well-known dog, "Tinkerbell." Doing similar research on the personal information of anyone can reveal likely authentication credentials. Also, making only a few authentication attempts over a long period of time will probably not trip any SIEM alarm thresholds, so if you've got the time eventually you've got the data too.

MTciscoguy

I have been working in computers for over 30 years and the number of these cases is simply amazing, in this day and age, it is your responsibility to know how to protect yourself, just as I do with my home, I am Proactive in protecting my privacy as well as my home and possessions, when I was in the Military and when I worked in the Pentagon in computer crimes/Intelligence, we saw what happened on a daily basis. I don't really believe they deserve it and the person(s) that did this should be punished, and the celebrates need to be proactive with their personal lives. If they don't know how, then they need to hire people that know how to protect them, it is no different than hiring a body guard. With so many reports daily of this type of activity happening, including our government doing it, there is really no excuse for not protecting yourself. Especially high profile people, there is always somebody looking for an in to expose you for something.

These companies offering cloud service, don't care about you, they care about themselves, computer theft is rampant, heck Apple and Microsoft are always doing it and have been since day one, these started this stuff many years ago. Remember locks on your door only deter the honest person, the dishonest person will find away around those locks, just as they have with these celebs..

It used to be, if you don't want anyone to read it, then don't write it, that was in the paper age, now in the electronic age, if you don't want it seen, don't take the picture, don't write the email, etc. Because there is always someone looking.

---

By the way, who ever posted this on my reputation rating:

""deserve what they get"... very ignorant viewpoint!"

No, it is not a very ignorant viewpoint, it is a very informed as well as educated viewpoint on the state of privacy these days. I don't share information on facebook, twitter, linkdin or any other service that exposes me to security risks, the computer industry has done a piss poor job of educating people on how they are exposed to risk, I don't allow html emails, I don't allow my email to auto open anything, I have not only software firewalls on my servers, I redundant hard firewalls to protect my wife's company as well as her clients.

The most important person in the world working on your security and privacy, is YOU!

Shdwmage

cpartin wrote: »

I also read that one of the victims in this incident is McKayla Maroney, who just turned 18. So if any of those photos were taken before her birthday then it probably qualifies as child ****. Between that and the status and resources of the victims, whoever did this is toast.

Yes and no to this. If she took those photos of herself, I don't think he could be charged with producing child ****, but definitely being in possession of. Why was she being an idiot and taking those photos anyhow?

Vask3n

At the end of the day I feel that you should approach any cloud service which the worst-case mindset that anything you put on there is already compromised/can be compromised, so don't put anything on there that you would not want compromised.

Edit: I also don't believe it's explicitly wrong for an adult to take nude pictures of themselves on their phone and have it synced to the cloud unless this is prohibited by the ToS. Unless the picture contains something illegal who is to say what types of pictures are OK to sync up and which ones are not? The answer is: the terms of service.

proprioceptive

MTciscoguy wrote: »

I have been working in computers for over 30 years and the number of these cases is simply amazing, in this day and age, it is your responsibility to know how to protect yourself, just as I do with my home, I am Proactive in protecting my privacy as well as my home and possessions, when I was in the Military and when I worked in the Pentagon in computer crimes/Intelligence, we saw what happened on a daily basis. I don't really believe they deserve it and the person(s) that did this should be punished, and the celebrates need to be proactive with their personal lives. If they don't know how, then they need to hire people that know how to protect them, it is no different than hiring a body guard. With so many reports daily of this type of activity happening, including our government doing it, there is really no excuse for not protecting yourself. Especially high profile people, there is always somebody looking for an in to expose you for something.

These companies offering cloud service, don't care about you, they care about themselves, computer theft is rampant, heck Apple and Microsoft are always doing it and have been since day one, these started this stuff many years ago. Remember locks on your door only deter the honest person, the dishonest person will find away around those locks, just as they have with these celebs..

It used to be, if you don't want anyone to read it, then don't write it, that was in the paper age, now in the electronic age, if you don't want it seen, don't take the picture, don't write the email, etc. Because there is always someone looking.

---

By the way, who ever posted this on my reputation rating:

""deserve what they get"... very ignorant viewpoint!"

No, it is not a very ignorant viewpoint, it is a very informed as well as educated viewpoint on the state of privacy these days. I don't share information on facebook, twitter, linkdin or any other service that exposes me to security risks, the computer industry has done a piss poor job of educating people on how they are exposed to risk, I don't allow html emails, I don't allow my email to auto open anything, I have not only software firewalls on my servers, I redundant hard firewalls to protect my wife's company as well as her clients.

The most important person in the world working on your security and privacy, is YOU!

I went ahead and highlighted the contradiction for you. You can't really say that they deserve it, then say you don't really believe they deserve it, and then defend your comment about deserving it without losing a bit of credibility on your end.

tkerber

I'm actually surprised by how much victim shaming I've seen on not only these forums, but others as well and across the media. Obviously most of us IT people are savvy enough to know some of the dangers of cloud storage and the 'digital world'. But the common every day folks do not and celebrities are certainly no exception.

Now I don't take X rated photographs on my phone. However, I've noticed that if I don't manually turn off cloud sync--everything that's on my phone automatically goes right into the cloud linked to my account. So I manually disabled that and I've also stored most of my photos on my computer locally and delete old photos as needed. Not everyone does this and not everyone even knows how to do these things.

I like DevilWAHs point that he makes about cars.. I'm not a mechanic and I would hope that the manufacturer would do everything they can to ensure the consumer is safe.

I for one think Jennifer Lawrence is one of the few Hollywood stars that is a genuinely respectable person and it's kind of sad to see that her personal photos got thrown all over the internet because of a security breach.

tpatt100

If I forget to lock my front door it doesn't mean I deserve to have my home broken into. If I lock my door and there was an undisclosed or unknown defect with the lock that somebody exploits still doesn't make it my fault if somebody utilizes the defect to gain entry to my home.

There is a fundamental expected level of privacy people assume they have and companies that want to succeed should do their best to protect as well as explain as much as they can in their terms of service details.

I am not big on victim blaming because some celebrity's nude photos were accessed without their permission because I really don't think it's a big deal what somebody takes a picture of. Exploiting access to an online service without the owner's consent to me is the same as breaking in a window to gain access to their camera using regular physical film.

I think companies should do the best they can to secure their networks and the best defense I can think of is to prosecute people who break the law to access content without the owner's consent if it is even possible depending on the laws of the country or countries involved.

tpatt100

Yeah when Apple released iCloud photo sync and family members were sharing iCloud accounts because they didn't know any better I am sure there were some early awkward moments out there when photos from different devices were being synced......

JDMurray

Apple sez, "It wasn't us; it was them customers!"

Apple - Press Info - Apple Media Advisory

aftereffector

I'm not surprised. Social engineering and a little brute force have opened up more information systems than I can count.

MTciscoguy

proprioceptive wrote: »

I went ahead and highlighted the contradiction for you. You can't really say that they deserve it, then say you don't really believe they deserve it, and then defend your comment about deserving it without losing a bit of credibility on your end.

At my point in life, I could care less about my credibility, I am already retired, been doing this for a long time and really don't need your help pointing out my short comings.

proprioceptive

MTciscoguy wrote: »

At my point in life, I could care less about my credibility, I am already retired, been doing this for a long time and really don't need your help pointing out my short comings.

Well, since your "very informed as well as educated viewpoint," on the matter denotes otherwise, I suppose I'll leave you with this...

How much more "could" you care less?

OfWolfAndMan

Coming from a mindset of someone working in the DoD sector, I would see this as a major no no. However, these are celebrities we're talking about. They're more concerned with putting on an act, spreading their falsely manifested personality, and instilling a distorted persona in the generations to come. I'm pretty sure a good portion of people outside of the IT sector (Or Secretaries) have told me the only thing they know how to do with a phone is make calls, check Facebook, or play Candy Crush. People don't care about information security. They were never educated on why you should be protecting your info and how it can not only ruin your identity (i.e. SSN), but also how it can ruin (Or enhance ) your street cred (Some nudes). Since this issue seems to be recurring a little more often in the world of Hollywood, it may be time (Eventually. Those reflexes are a little slow) to give them a few pointers on how to keep their information (And disappointing nudes everyone had high expectations for) more safe and retain a little more consciousness towards things that are more important (Which does not include extending a narcissistic personality type)

the_Grinch

"Caveat emptor" - Let the buyer beware

Obviously no one deserves for this to happen, but when you're high profile and have basically unlimited funds you should be able to stay ahead of such things. I've never quite understood peoples obsession with sending naked pictures to others. It never ends well and you can find unlimited number of stories pointing to that fact.

My biggest issue with cases that involve celebrities is that it shows the injustice in our justice system. I had a friend who, rightly or wrongly, was being harassed online. Fake profiles being setup, signed up for dating websites, and all the normal harassment that goes with these types of things. While I don't blame law enforcement (given limited resources and technical expertise) they wouldn't lift a finger to help my friend. Now if you're a celebrity suddenly the FBI jumps in and gets involved. I am sure there are tons of females who get exploited in such fashion, where is the quick and expensive justice for them?

If I was anyone of note I wouldn't even carry a phone. You'd merely have my assistant's number and would reach me that way.

Iristheangel

I just have to say that I'm really impressed by the majority of you in this thread that didn't victim shame. Honestly, I feel really bad for Jennifer Lawrence. From what I've read in the past, she suffered from some major depression before she started in acting and that sort of helped her get over it. Not that I know the lady but she seems like a genuine human being based on the random stuff I've seen. Sure, there were some preventative measures that could have been taken but no one deserves to have their privacy violated like this and their most intimate moments blasted on the internet.

@The_Grinch - Yes, you are right. Celebrities and people who are well off do have a different justice system than the rest of us. There definitely is injustice in that. That being said, I hope that the person who did this and anyone else who harasses random women like your friend end up in jail.

the_Grinch

In my friend's case it all eventually stopped and she has been fine. In this case there is no doubt that they will find the culprit(s). Having worked on a few digital investigations there is always a trail to be followed. Something high profile like this has to have an arrest(s) because it's one of those cases where if nothing comes of it then it looks poorly on the agencies and investigators involved.

I think society as a whole is moving towards not blaming the victims. Part of this is due to the amount of times this has happened. The other part is the fact that thinking anyone would want this to happen is foolish. I think the biggest help to this has been Erin Andrews. There you had a case where it was completely based on the craziness of the stalker. Also, her legal team came up with a very good plan on how to handle the situation and those victims of this current case would be wise to follow the same course of action.

JDMurray

So much for my APT explanation--it looks like pure brute (iBrute) force may have done the trick.

Does anyone know how Apple's Find My iPhone service works? How does it locate the login name used by an iCloud subscriber? I have a really hard time believing that no one at Apple conceived of this service being used for account hacking.

And why is no one railing against 4chan and Reddit? Do we just expect this sort of thing from those communities and give them a pass?