'4chan may be just a sysadmin who knows his way around', claims so-called expert
Plus: 'Know what hurts your brain? Googling yourself'
QoTW This week’s tech news was dominated by the online publication of naked photos of celebrities like Jennifer Lawrence, Kate Upton and Ariana Grande, which were posted online by an anonymous hacker who apparently sourced the images from Apple’s iCloud.
The pictures of 17 celebrities were posted to 4chan by the hacker, who claimed to have nude images of more than a hundred celebrities. Jennifer Lawrence’s publicist Bryna Rifkin said:
This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence.
Rumours sprang up that Twitter was suspending the accounts of people who tweeted the images, which the social network refused to deny. Spokesperson Nu Wexler said:
We do not comment on individual accounts, for privacy and security reasons. Our rules outline content boundaries on the platform.
And in the next few days, both Apple and the FBI said that they were investigating the theft of the pictures.
Speculation was rife about how the apparent hacks into individuals' iCloud accounts were accomplished, with some early suggestion that a Find My iPhone app exploit had been used. The makers of the iBrute brute force password-guessing tool, hackappcom, said that the tool used the Find My iPhone API, which was not protected.
But the toolmakers pointed out that they'd only published iBrute a day before the hack, making it a pretty unlikely timeline. They said:
iBrute was published a day before the incident. It's very difficult to perform this kind of targeted attack in one day, so it's very unlikely that iBrute was used for this attack, but maybe some evil guys found the same bug and used it.
Anyway if your accounts were hacked by @hackappcom's method it also means that your passwords are crap [but] it is not your fault if you are using bad passwords because you are celebrities, not nerds.
Apple denied that there had been any compromise of its systems, saying that neither the iCloud nor Find My iPhone databases had been breached:
After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet.
None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find My iPhone.
The fruity firm suggested two-factor authentication to help protect iCloud accounts from brute force attacks, but the method is by no means foolproof.
And there were also those who saw the lighter side of the whole debacle:
If there was an internet in 1988 people would've stolen and leaked nude pictures of Roseanne and me and no one would've ever done it again.— Tom Arnold (@TomArnold) September 1, 2014
Apple wasn't the only one giving out less than helpful advice. An "expert" on CNN, so-called technology analyst Brett Larson, reckoned that folks could protect themselves by using dollar signs instead of "S" in the word PA$$WORD. He advised:
You absolutely have to have good passwords. You have to have passwords that aren't words ...
Like, if your password was literally "password", which is the most common password, change the "s" to a dollar sign*.
He also told the world to beware of that guy 4chan who knows how to hack things, apparently:
Presenter: Do we even know? Who is this 4chan person or website?
Larson: He may – and I'm sure we're going to be able to get some more confirmation on this as the hours and minutes go on – he may have been just a system administrator who knew his way around and how to hack things.
It seems like this was not a real big effort but was more of a "I have these usernames, I know of this loophole, this security loophole, I'm just going to run this password app and see if I can get into these people's cloud-based account".
Meanwhile, the claws are out at Wikipedia, where founder Jimmy Wales has made it clear that the encyclopaedia’s unpaid volunteer community aren’t the ones calling the shots. The community voted against the mandated implementation of a new software tool for the site, but Wales said that the group had no right to dictate any such thing. Needless to say, the volunteers weren’t happy. Veteran contributor Andreas Kolbe said:
I’ve never seen the community react like that. All deference has gone.
It all kicked off when Wales joined discussions on his talk page about the new tool. He seemed to suggest that the volunteers had won the row, confirming that the Superprotect tool order had been rescinded. But he said that the foundation was planning to gradually roll out software in future:
I have personally been frustrated in the past many times with the disastrous product roll-outs that we've seen (I am not talking about MV, but I'm sure we all remember Flagged Revisions and the Visual Editor). And I want that to change…. peace is the first step, so let's chill.
But folks did not chill: instead, things got heated, leading to this Wales outburst:
If you are not willing to participate in constructive dialog to move that forward because you are climbing the Reichstag dressed like Spiderman over MV, then you will be sorely missed. We are no longer in an era where voting to disable key software features is accepted.
This did not make contributors happy. One said:
The fight is not ‘over’ unless superprotect is abolished altogether from all Wikimedia projects. The Foundation has lost its face and the trust it once had and should therefore think about how to rebuild its reputation.
While another complained:
All this other Jimbo talk about peace is really just throwing dust in the eyes of the fools. Jimbo's peace is just pax imperia.
In government news, the UK’s culture secretary Sajid Javid has threatened Google with legislation if it doesn’t stop promoting pirate sites about legitimate ones. He told the BPI:
Search engines also have to play their part. They must step up and show willing. That’s why Vince Cable and I have written to Google, Microsoft and Yahoo, asking them to work with you to stop search results sending people to illegal sites. And let me be perfectly clear: if we don’t see real progress, we will be looking at a legislative approach.
He also said that intellectual property should not fall by the wayside in the internet world:
I know some people say the IP genie is out of the bottle and that no amount of wishing will force it back in. But I don’t agree with them. We don’t look at any other crimes and say 'It’s such a big problem that it’s not worth bothering with'. We wouldn’t stand idly by if paintings worth hundreds of millions of pounds were being stolen from the National Gallery. Copyright infringement is theft, pure and simple.
Back in hacker territory, the Lizard Squad crew has quit the game after high profile assaults on Sony, Blizzard and Twitch, as well as others. The group said on their website that they had become too busy to continue tormenting the internet with their cyber skulduggery:
We set out on our journey 2 weeks ago with the plan to cause havoc within the gaming community. Our motives varied throughout this adventure. Originally it was to see if we could evade being caught and to experience the raw thrill of anarchy, not being bound to phony laws. We've been called everything from an organized criminal 'gang' to complete assholes, really we are just a bunch of guys with too much free time.
Throughout our journey we met new people, gained new members, learned new things. People tried taking swings at us (and missed). We proved that even though we are little in this very big world, that a small group of friends who work together can cause a lot of havoc without legal repercussions. Today we will be disbanding, behind the green reptiles and other bullshit, we have lives believe it or not, things to do, people to meet.
And finally, Disney-munchkin-turned-provocative-chanteuse Miley Cyrus has said that smoking dope is not bad for you. What's bad for you, is the bloody internet. And the bloody media too.
When asked by Aussie news magazine programme Sunday Night whether her marijuana habits might be a bit tough on her thinking centre, Cyrus replied:
You know what hurts your brain? Googling yourself. You know what hurts your brain? Instagram. You know what hurts your brain? Reading comments on Facebook. You know what hurts your brain? Reading US Weekly. ®
Sponsored: Becoming a Pragmatic Security Leader