My wife recently sent me a message on chat telling me she couldn't turn her phone off.
Of course I sent the usual "You're going to hate the obvious question," confirming that she tried holding the power button down for several seconds. She eventually confirmed it but not before telling me holding the home button did nothing first.
She said the only thing she had changed was enabling a feature where the hotspot turns on when the iPad is near. If you're curious, I think she is referring to "instant hotspot".
At first, she just couldn't get the phone to switch apps or accept input. Attempting to send a text message gave me an error on my phone, and at one point the button presses apparently put the display to sleep the wouldn't let it wake up.
I tried calling the phone (turns out that is still a feature) and she said it rang, but wouldn't let her answer the call; eventually it rolled to voicemail.
"You might have to run the battery out or try connecting it to iTunes," I said.
"I'm not home at the moment," she said. "I don't have access to iTunes."
"Try holding the home button and the power button at the same time for ten seconds," I said.
A few moments later she said, "It's showing an Apple logo."
That seemed to fix it; a forced system reboot. Or at least it's behaving for now. Was it an iOS 8 bug? Just a glitch? Whatever it was, remember there is the standard shutdown...hold the power button until you get the slider prompt to shut down...and a force reset where you hold the power button and home button until the Apple logo pops up.
Sunday, September 21, 2014
Sunday, September 7, 2014
I Was Wrong (2-Factor Edition)
You'd have had to be living under the metaphorical rock if you haven't heard about the latest celebrity nude photo scandal. There have not really been many reactions; a handful of responses were quickly standardized and echoed between the THIS IS A HORRIBLE ACT BY HORRIBLE PEOPLE group and the THEY GOT WHAT THEY DESERVED SHOW ME THE BOOBZ group.
Nuanced exploration of the issues is apparently not a strong point for for most online people.
The theft of the images is a case study of many issues. It's an invasion of privacy. Celebrity culture. What are people entitled to know or not know about public figures. Cognitive dissonance from people condemning the image sharing as theft before going back to playing a pirated game or watching stolen movies. Exploring the revelation that one of the images was taken of...and by...an underage celebrity, so are they in possessing of child pornography as well?
The list goes on but there is only one aspect I'd like to review here. When this happened there were initially several reports about the "hack." How did it happen? Was it a breach in iCloud security?
Slowly details came out. While few were reluctant to admit it, it sounded like the celebrities in question basically had crap passwords coupled with security questions that were answered with information that people could find online. The thieves guessed passwords and logged in as legitimate users to get the data.
"You dumbasses," I thought. "You're stalked by fans and paparazzi all the time. Plus having your embarrassing pictures was publicized when Scarlett Johanssen had her pictures stolen a few years back. Why the hell didn't you use 2-factor to protect your stuff?"
I've gone over 2-factor before, but in a common implementation, when an unrecognized device tries to log into your account and correctly enters a username and password a token is sent to a designated "known good" device. The service gives you a limited time to enter that token or else it rejects the attempt.
Lots of parrots will reflexively reply that it's victim-blaming to say they should have had this enabled if they didn't want their stuff stolen. There is almost a need to not acknowledge that the tools to better secure information exist and there are risks to participating in certain activities; we must maintain a victim status, that these people had absolutely no control in stopping this with reasonable forethought placed on security.
Short of not taking the pictures in the first place, this was just inevitable!
As it turns out there is a grain of truth to this. Apple has two factor authentication, much like most other big online companies. But Apples implementation is seriously, seriously flawed. It doesn't cover the method believed to have been used to get access to the photo stream and dump images as a backup.
In other words these people could have done everything "right" and still have this happen.
An article on TechCrunch states that
So I was very wrong in this case.
Oversimplified, things that can end up costing you money like purchases on iTunes would trigger notification. Apple apparently wanted to keep 2-factor as a credit card protection. Attempts to access your data? Not so protected.
I suppose I shouldn't be too surprised. Apple services have often felt disjointed at points where they should be unified, and security has the feeling of being an afterthought. I remember one instance where I was talking to someone trying to change an AppleID password, and said he couldn't remember the answers to the challenge questions.
Challenge questions? I had changed the password before...I didn't need the challenge questions. Turns out he was using the Manage My AppleID web page to change the password. When I log in to the account through iTunes, it let me change the password without the challenge questions. Inconsistency is not endearing and in my head it calls into question how they're tying all their services together.
In the end it seems Apple has really dropped the ball on security. It's one thing when the end user avoids implementing a security solution because <insert excuses that really is summed up with "It's more hassle than I want to deal with but I'll complain when something happens that these steps would have prevented">, but it's another when a company implements security in such a way that it's not only incomplete but leaves you with a false sense of security in the process.
That doesn't mean the celebrities in this incident actually had 2-factor enabled. They very well might not. It seems at least one of them bragged about their lack of tech-savvy skills. On the other hand, this incident made Apple take noticed of the incident and now may pay more than lip service to the deficiencies in their security implementation.
Nuanced exploration of the issues is apparently not a strong point for for most online people.
The theft of the images is a case study of many issues. It's an invasion of privacy. Celebrity culture. What are people entitled to know or not know about public figures. Cognitive dissonance from people condemning the image sharing as theft before going back to playing a pirated game or watching stolen movies. Exploring the revelation that one of the images was taken of...and by...an underage celebrity, so are they in possessing of child pornography as well?
The list goes on but there is only one aspect I'd like to review here. When this happened there were initially several reports about the "hack." How did it happen? Was it a breach in iCloud security?
Slowly details came out. While few were reluctant to admit it, it sounded like the celebrities in question basically had crap passwords coupled with security questions that were answered with information that people could find online. The thieves guessed passwords and logged in as legitimate users to get the data.
"You dumbasses," I thought. "You're stalked by fans and paparazzi all the time. Plus having your embarrassing pictures was publicized when Scarlett Johanssen had her pictures stolen a few years back. Why the hell didn't you use 2-factor to protect your stuff?"
I've gone over 2-factor before, but in a common implementation, when an unrecognized device tries to log into your account and correctly enters a username and password a token is sent to a designated "known good" device. The service gives you a limited time to enter that token or else it rejects the attempt.
Lots of parrots will reflexively reply that it's victim-blaming to say they should have had this enabled if they didn't want their stuff stolen. There is almost a need to not acknowledge that the tools to better secure information exist and there are risks to participating in certain activities; we must maintain a victim status, that these people had absolutely no control in stopping this with reasonable forethought placed on security.
Short of not taking the pictures in the first place, this was just inevitable!
As it turns out there is a grain of truth to this. Apple has two factor authentication, much like most other big online companies. But Apples implementation is seriously, seriously flawed. It doesn't cover the method believed to have been used to get access to the photo stream and dump images as a backup.
In other words these people could have done everything "right" and still have this happen.
An article on TechCrunch states that
- iCloud backups
- Find my phone data, and
- Documents stored in the cloud
So I was very wrong in this case.
Oversimplified, things that can end up costing you money like purchases on iTunes would trigger notification. Apple apparently wanted to keep 2-factor as a credit card protection. Attempts to access your data? Not so protected.
I suppose I shouldn't be too surprised. Apple services have often felt disjointed at points where they should be unified, and security has the feeling of being an afterthought. I remember one instance where I was talking to someone trying to change an AppleID password, and said he couldn't remember the answers to the challenge questions.
Challenge questions? I had changed the password before...I didn't need the challenge questions. Turns out he was using the Manage My AppleID web page to change the password. When I log in to the account through iTunes, it let me change the password without the challenge questions. Inconsistency is not endearing and in my head it calls into question how they're tying all their services together.
In the end it seems Apple has really dropped the ball on security. It's one thing when the end user avoids implementing a security solution because <insert excuses that really is summed up with "It's more hassle than I want to deal with but I'll complain when something happens that these steps would have prevented">, but it's another when a company implements security in such a way that it's not only incomplete but leaves you with a false sense of security in the process.
That doesn't mean the celebrities in this incident actually had 2-factor enabled. They very well might not. It seems at least one of them bragged about their lack of tech-savvy skills. On the other hand, this incident made Apple take noticed of the incident and now may pay more than lip service to the deficiencies in their security implementation.
Subscribe to:
Posts (Atom)