The "don't take naked pics if you don't want them online" argument is the "she was wearing a short skirt" of the web. Ugh.
— Lena Dunham (@lenadunham) September 1, 2014
Unlike Cole, I think this is pretty close to right. These celebrities who had their cloud data leaked were young people in long-distance relationships. I was young once, and I was in a LDR, and if we had smartphones, you’d be damn sure that we’d have been sending naked pictures back and forth. As far as I’m concerned, that’s natural and expected behavior for people in those kinds of relationships.
So, I’m not looking at this as some failure of self-control, but rather a failure of security at Apple, and a general failure of the cloud providers to give users a clear picture of what they’re storing online from their phones.
This breach appears different from other recent celebrity “hacks” in that it used a near-zero-day vulnerability in an Apple cloud interface. Instead of using social engineering or some low-tech research to gain control of the victims’ cloud accounts, the attacker basically bashed in the front door—and Apple didn’t find out until the attack was over. While an unusual, long, convoluted password may have prevented the attack from being successful, the only real defense against this assault was never to put photos in Apple’s cloud in the first place. Even Apple’s two-factor authentication would not have helped, if the attack was the one now being investigated.
Because Apple and other devices automatically upload so much to the cloud, by default—including full phone backups, which, if an account is compromised, could be downloaded by an attacker onto another device—these personal cloud services are particularly dangerous. Their usability in terms of content management is poor at best—does anybody really know what’s sitting in Apple’s or Google’s data stores from their phones? This, combined with ongoing threats like carefully-crafted phishing attacks and large-volume password cracking, makes it especially hard to protect mobile data in a world where everything on your phone is already on the Internet, protected only by your login credentials.
I have a Google device, and the rest of my family has Apple devices. Apple pushes cloud backup harder than Google, and from what I can tell, Apple’s cloud backup is less predictable than Google’s, but neither of them has a really clear way to opt certain pictures or videos out of the cloud. Google has an “incognito mode” on its Chrome browser – what’s needed here is an “incognito mode” for pictures and videos. Images taken in this mode would stay only on the device, and only be sent to places the phone owner sends them. If some jilted lover releases a picture to the Internet, we can blame the judgment of the person who sent the picture to an undeserving asshole. But when some hacker can get at pictures that were never meant to be anywhere other than someone’s personal device, then the blame for that should rest squarely with Apple.
cleek
people simply need to recognize and acknowledge one little truth: “the cloud” = “someone else’s computer”
when you take a picture, ask yourself “would i put that picture on someone else’s computer?” if the answer is No, then you shouldn’t put that picture on ‘the cloud’.
David Fud
Can anyone explain why two factor authentication would not have prevented this? It is specifically mentioned and I use that with a cloud backup service I use. If it is correct that 2FA wouldn’t have helped, I need to rethink what I am doing.
ruemara
1. Exactly. 2. If you don’t know there’s a cloud backup, you can’t make a decision that you don’t want it on someone else’s computer.
@David Fud: because the nature of the hack wasn’t about stealing identity, it was essentially just breaking down a door and grabbing things.
bbleh
Yeah, this really seems to come down to what expectation of privacy is reasonable, aka assumption of risk.
Is it reasonable to expect 100% security when you store in the cloud? No, and the prevalence of news about hacking and data loss would undermine any claim to that effect, I think.
Is it reasonable to expect 0% security? Again I think no, based on advertisers’ claims and the existence of multiple verification steps, which again I think would undermine any such defense, no matter what the fine print may say.
So where is the balance point? Personally, I never send anything — print document, email, text, image, ANYTHING — that I want to remain “completely secure.” Documents and data persist and are accessible to other people by one means or another, full stop. If I want it private, I say it in person. If I want it almost-for-sure private, I might say it over the phone, or even via IM. But otherwise, it’s a risk.
Bobby B.
Same as with the internet. Either you surrender your soul to God (The Corporation) or do without the internet. I am a member of the First Holy Church of Teeth-Grinding Impotent Rage. Wherever two are gathered in my name…
Robert Sneddon
There is a common delusion most Western folks have today, an expectation of privacy. There is no privacy, not any more if someone, anyone is willing to put a bit of effort into invading your personal or data space. The NSA may have a budget of billions to do this to persons of interest but “Tristan”, the reputed 15 year old boy living with his parents and supposed perpetrator of the Big data Leak Du Jour did it on a whim in his spare time, and there are thousands if not millions who are doing the same thing, because they can. People in the public eye have lived with paparazzi for centuries and have either grown a thick skin, hired professional security or become recluses since there’s no way to stop the intrusions, not even using the law.
This “failure” by Apple is the way the iCloud operation is meant to work, to preserve data if a customer’s Apple device got lost and the only copy of that data was in its memory. There’s also the sync feature where someone can look up their selfies on any Apple device they own, a Big Thing used to sell connected-cloud data storage to people. Expecting perfect privacy while broadcasting such images across the internet for your own convenience is, well, optimistic.
chopper
@cleek:
indeed. even your phone isn’t the smartest place to keep them. phones get lost or stolen all the bloody time. that doesn’t mean ‘don’t take those sort of pictures’.
BGinCHI
When you look up “First World Problems” in the dictionary, this should be the entry.
constitutional mistermix
@cleek: Yeah, but I hope you’ll agree that the UX on putting stuff into the cloud from a smartphone needs some work.
@chopper: The countermeasure is remote wipe and having a passcode on the phone. Not perfect, but at least you know your phone was stolen, unlike your cloud data.
am
There is no need to try to reduce this to either slut-shaming or personal failings of people whose photos were leaked, and trying to do that isn’t going to go anywhere.
If someone snail mailed polaroids of themselves to someone else through USPS, they would have every expectation of privacy, too. But envelopes break and even if they don’t you have to assume that rarely bad people make it through the hiring process. This isn’t victim blaming, this is just how I approach things in order to safeguard myself from bad people
Things *I* don’t know about the circumstances are whether this was an inside job at iCloud (administrative tools are usually much more powerful than external APIs), whether it really was a hack of Apple per se (maybe they used the same passwords as other services, and those other services were hacked), or what Apple’s ‘delete’ policy is.
As other people have said, data lives a long time for a lot of reasons (what if a pedophile had deleted pictures of abuse? then cloud providers have to deal with the Nancy Graces of the world..). But everyone should be aware that delete can be as simple as setting a ‘deleted’ flag in a database. Even at a filesystem level it can just be unlinking an inode and all the bits can still be present. Data can be on backups, hard drives taken out of rotation… don’t rely on things being deleted.
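Added example, not part of am’s comment or the original thread: the “deleted flag” and leftover-bits points above, shown with Python’s built-in sqlite3 module. The `photos` table, its `deleted` column and the marker bytes are constructed for illustration and describe no real provider’s storage.

```python
import os
import sqlite3
import tempfile

# Constructed sample data: a recognisable byte string stands in for a private photo.
MARKER = b"CONSTRUCTED-PRIVATE-PHOTO-0001"

# Hypothetical schema, assumed for this example only.
SCHEMA = """
CREATE TABLE photos (
    id      INTEGER PRIMARY KEY,
    data    BLOB NOT NULL,
    deleted INTEGER NOT NULL DEFAULT 0   -- soft-delete flag
)
"""


def _open_with_photo(path, secure_delete=False):
    """Create a database file at `path` holding one 'photo' row."""
    conn = sqlite3.connect(path)
    # Set explicitly: the build-time default differs between SQLite packages.
    conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO photos (data) VALUES (?)", (MARKER,))
    conn.commit()
    return conn


def _file_contains_marker(path):
    """Search the raw database file, the way a backup or disk image would be read."""
    with open(path, "rb") as fh:
        return MARKER in fh.read()


def soft_delete():
    """'Delete' by setting a flag.

    Returns (rows the user-facing query shows, bytes a direct query still gets).
    """
    with tempfile.TemporaryDirectory() as tmp:
        conn = _open_with_photo(os.path.join(tmp, "photos.db"))
        conn.execute("UPDATE photos SET deleted = 1 WHERE id = 1")
        conn.commit()
        visible = conn.execute(
            "SELECT COUNT(*) FROM photos WHERE deleted = 0").fetchone()[0]
        stored = conn.execute(
            "SELECT data FROM photos WHERE id = 1").fetchone()[0]
        conn.close()
        return visible, stored


def hard_delete(secure_delete):
    """Really DELETE the row, then look for the photo bytes in the raw file.

    Returns (rows left in the table, whether the bytes are still on disk).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "photos.db")
        conn = _open_with_photo(path, secure_delete)
        conn.execute("DELETE FROM photos WHERE id = 1")
        conn.commit()
        rows = conn.execute("SELECT COUNT(*) FROM photos").fetchone()[0]
        conn.close()
        return rows, _file_contains_marker(path)


if __name__ == "__main__":
    print("soft delete:", soft_delete())
    print("hard delete, secure_delete=OFF:", hard_delete(False))
    print("hard delete, secure_delete=ON: ", hard_delete(True))
```

With the flag, the user sees nothing while the row is fully intact; with a real DELETE the table is empty but the bytes stay in the file until the space is overwritten, unless the engine is told to zero freed content.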
Steppan
@cleek:
So if someone hacks another website and steals your bank account info, because you bought something online once, you were stupid for ever purchasing anything online because your CC number is now out there somewhere?
cleek
i had a pass code on my iPhone until last week, when my phone stopped letting me enter the pass code every 3rd or 4th time i tried to use the phone. it would just lock up.
so, no more pass code.
different-church-lady
Stop trusting the fucking Cloud. What is so hard about this?
JGabriel
OT, but The Washington Post has announced a new publisher:
So WaPo will now be run by the Reagan-era political operative who co-founded Politico – because we all know how objective news outlets become when run by Republican political operatives (cf. Fox News).
On the other hand, editorially, I’m not entirely sure that anyone will notice the change.
SarahT
@BGinCHI: BINGO
C.V. Danes
The cloud is a public commons, and I would not post anything there that I care gets stolen or misappropriated. No matter how secure the lock, there’s always someone out there who can pick it.
different-church-lady
@Steppan:
Yes.
Unfortunately the entire world is now stupid, and we have no choice but to go along with it.
cleek
@Steppan:
the CC company will eat the loss and send me a new card. happens about once every 12 months to me, or to my wife. it’s a price everybody involved is willing to pay.
there’s no such recourse if your nudie pics get leaked.
the only thing i put on ‘the cloud’ are notes that i write to myself. i use Google Docs as a notepad. but nothing important goes there, nothing incriminating or potentially embarrassing. only reminders, sketches, ideas.
Pharniel
@swiftonsecurity (or if you prefer the long form Infosec Taylor Swift) has been all over this.
It’s perfect for Balloon Juicers as it has the right amount of cynical jaunty wit combined with enough actual information.
different-church-lady
Not if you don’t have a cloud account in the first place.
Steppan
@cleek:
Yeah, the CC company or bank has recourse, but it’s the same logic, and it ultimately boils down to “something bad could happen, don’t do anything!”.
Saw it phrased pretty well I think somewhere else (responding to more direct “it’s their fault” accusations than here, mind):
People are reacting like the celebrities are on the same level as someone who dives into the ocean wearing a beef wetsuit and then acts all surprised when he gets attacked by a shark, but I think they’re more like a pedestrian who has the right of way at a traffic signal being surprised when he’s struck by someone running the red light. Yeah, you know when you step out into the street you might get hit by a car, but under certain circumstances you just don’t expect it, and you certainly wouldn’t blame the pedestrian rather than the light-runner.
boatboy_srq
@cleek: Us Olds remember when the same equation was used to describe all the Interwebz, including AOH#ll/Faceplant/MyFace/Twitterpate/sTumbld.
OTOH, in this age of aphrodisiac-and-floorwax-in-one tech gadgetry (it’s a phone! it’s a GPS! It’s a camera! it’s a Thumb! [see Hitchhiker’s Guide to the Galaxy]), it’s difficult to wag a finger at folks who get caught up in the shininess of it all. Dunham’s right that this isn’t hacking – it’s a sex offense – and treating it as the original posters’ fault doesn’t help as much as we’d like. “Don’t post stuff that could be embarrassing” isn’t far removed from “don’t wear that short skirt and those heels”. We really need to find good language to encourage caution without shaming the folks who don’t abide by the advice.
This is also why I shudder slightly when businesses (including my employers/clients) talk about “moving to the cloud”. Your own security may be sh!tty, but at least it’s yours, and when it gets blown through like the tissue it is you can at least make substantial changes – even if it’s only replacing Kleenex with Brawny. What do you do when your provider’s security gets similarly hacked? There are three choices, none of them good: 1) work with the provider for better security (ha!), change providers (more of the same) or bring the functions back in-house (and go back where you started).
John Cole +0
A.) I never said they shouldn’t take pics. I said, quite clearly:
“I still don’t know why anyone would run around with nude selfies of themselves on the phone or stored to the cloud, but the fact that people did try to delete them should mute the musings of fatheads like me.”
B.) I don’t think it is being a prude to note that celebrities are going to be at heightened risk for this sort of thing happening, and should be smarter.
C.) Before you fucking distort what I said in B.) as you have my original post, explain to me how these statements are mutually exclusive:
“Having nude selfies hacked and published is an egregious violation of privacy.”
“The hackers should be found and punished.”
“Keeping nude selfies on your phone or stored on the cloud is insecure and considering how many other phones have been hacked in the past few years, you probably should realize that the only way to keep your privacy completely is to not store them on your phone or on the cloud. ScarJo and Blake Lively say HI!”
“Ignorance of what the cloud is is no excuse. Maybe you should think about where you are storing sensitive information.”
“Having nude selfies published against your will is not the same thing as being raped. Traumatic and horrifying, yes. Rape? No.”
D.) If Lena Dunham is the standard by which we define prudishness, most everyone in the country (with the exceptions of porn stars, the naked cowboy, most of the people at Burning Man, and my freshman roommate who would take off all his clothes and streak every time he got drunk) is by comparison a prude.
Seriously. Find some other target to use in your war on straw. I’m not the fucking enemy- I’m sure if you wandered outside this sanctuary to reddit or 4 chan or Gawker, there are people saying actual offensive things, and you won’t need to lie about what I am saying.
And were I to bother with a rebuttal post, I would title it:
“Mistermix- Don’t Be Such An Asshole- There’s Enough Wrong Here That You Don’t need to Distort and Make Shit Up.”
Nothing I have said is remotely controversial, and while you are entitled to your own opinions, you are not entitled to make up my opinion.
Flame away.
chopper
@cleek:
right. and if your card had no fraud prevention of any sort, it would be really stupid to buy shit online with it.
John Cole +0
@cleek:
Sexist prude. Why do you hate women?
different-church-lady
Gee, I wonder whatever happened with that Ferguson thing everyone used to talk about.
cleek
@Steppan:
not quite. it’s not “don’t do anything”, it’s “be aware of what you’re actually doing”.
if you’re cool with putting incriminating or embarrassing stuff under someone else’s control, go for it.
i’m opting out.
@John Cole +0:
Sexist prude. Why do you hate women?
bad upbringing, probably
C.V. Danes
@Robert Sneddon:
The expectation may be a delusion, but the right to privacy is very real and necessary for a democracy. By ceding the right to privacy, people are also ceding the right to freely associate without the prying eyes of the government or others.
Steppan
Though really, any question of the intelligence of the decisions involved aside, holy crap this should be an incredibly embarrassing security breach for Apple. But they’ll get more slack than Google and waaay more slack than Microsoft would for the same problem, because Apple.
chopper
@Steppan:
no, that’s not it at all. the ‘something bad’ in regards to using your CC number online is a relatively minor inconvenience. you don’t lose any money, and you have to get a new card. it isn’t like having naked pictures of yourself all over the internet.
different-church-lady
@cleek:
Corollary: be aware of the level of risk and act appropriately.
Every credit card purchase puts you at risk. So maybe don’t use your credit card for every fuckin’ three dollar purchase at the convenience store because you’re too damn lazy to go to the bank every once in a while and get some cash.
John Cole +0
The other thing that pisses me off about this fucking preposterous straw man MM has built is the short skirt thing- like I even remotely suggested they had it coming. Anyone who thinks I intimated that can show me where or toss off.
Robert Sneddon
@Steppan: Microsoft’s and Amazon’s and Google’s own cloudy-woudy offerings are probably as secure or insecure as Apple’s iCloud, it’s just the Cupertino Glass Doughnut’s turn in the spotlight since it was celebrities with iPhones who got exposed this time. Convenient to use or sorta-secure, choose one and only one.
chopper
@different-church-lady:
exactly. the whole thing is weighing varying levels of security with varying levels of risk. the only real ‘underlying logic’ to it is ‘the bigger the risk to you, the more secure the interaction should be’.
Cacti
The hackers who did this shouldn’t be punished.
Information wants to be free, man.
constitutional mistermix
@John Cole +0:
I like your title, run with it.
OzarkHillbilly
I started out in the same camp as Cole, but after thinking about it I am far more sympathetic to the persons so abused. Can anyone tell me where I can see the naked pics of JL so I can affirm my outrage? (too soon? OK OK, I’ll take off my snarksexist hat). Seriously, this is one of those things that just shouldn’t be. A person has the right to choose who they share their body with, nobody else does.
Mike in NC
@JGabriel: WaPo continues to circle the drain. Film at 11.
Violet
@John Cole +0:
@John Cole +0:
I thought mistermix wrote this post. Not AL.
Mandalay
@John Cole +0:
AL???
cleek
a truly cautious person would not use any currently-available cellphone at all.
C.V. Danes
@Steppan: Exactly. People who use Microsoft products have no illusion that technology will always work, because the BSOD is only ever one bad driver install away at any given time. People pay the price premium for Apple products because they just work (mostly) without having to deal with the notoriously painful setup issues that MS folks have had to deal with. It would be most embarrassing for Apple, but folks who have a vested interest in their Apple gear would just say: How is this different than Microsoft? To which my response would be: what are you paying your price premium for, then?
Belafon
@different-church-lady: Some wingers are now trying to come up with evidence to say that Brown’s friend was also attacking the cop. Something about how he had a bracelet that turned up missing later. Because, as we know, the cop had a real tendency to let people go that attacked him.
Trying to smear the star witness.
Jerzy Russian
@Violet: Anne Laurie wrote a lengthy comment to Mr. Cole’s post from last night, and I assume Mr. Cole was talking about that.
Sanjuro
I show my age here, but when I was young there was still such a thing as a Party Line telephone service. Two or more separate households shared one telephone line and telephone number. When the phone rang it may be for me or one of the other parties. Also you could just pick up the phone to make a call and hear a conversation already in progress between other parties on the line. Consequently you had to be DISCREET about conversations because you never knew if somebody was listening in or not.
Although today there is more security involved in point to point voice/data communication and security of data storage, it is pretty obvious from the daily/weekly/monthly reports of security breaches that 100 percent secure data is not a reality and that NO ONE should fully trust that any data stored online is secure from being hacked and abused. Some things you cannot control (financial transactions) and some things you can (personal pics). So you need to either not upload data/sensitive pics that can/will be hacked or you need to encrypt each and every one before sending it to the cloud. Even then encrypted data/pics can be hacked.
OzarkHillbilly
@John Cole +0: Uhhh John? Anne didn’t write this post.
Belafon
@Mandalay: I guess it sounded like an AL post. Even the owner forgets to check who wrote the article.
Violet
@Jerzy Russian: I know she did but mistermix wrote this post and Cole didn’t mention him. I’m confused.
John Cole +0
@constitutional mistermix: God damnit. Apologies to AL. She emailed me the same thing last night and I thought it was her posting this. I should have known better.
That’s also what I get for reading this website on my ipad and not paying attention to author names.
Punchy
OT: This needs a front page discussion. Oh my. Holy shit. While it’s all man bites dog, I can’t believe they’d be so blunt about it.
Waynski
@Steppan:
This. I’m a helluva lot more worried about that. Although, my wife and I occasionally go to the nude beach, so the nudity thing is no big deal to me. I wouldn’t care if someone spread a nude picture of me across the Intertubes. I doubt it would get very many clicks, but my financial information is another story. The wife and I were victims of identity theft once. You really want to feel naked. Have that stuff happen to you. You have to protect people’s privacy. Period.
cleek
@John Cole +0:
beatings for everybody, then!
i’ll fetch the cat-o-9
John Cole +0
@Mandalay: @Violet: @Belafon: Guilty as charged. She emailed me this link last night and I thought this was a continuation.
Jade
John Cole is a rock star. A movie star is reading everything he writes and responding breathlessly. GO JOHN WITH YOUR BAD SELF. You are no longer man meat for the political crowd only.
Marcelo
It’s more than just a violation of privacy to me. The attitude behind the leak is one of having defeated someone, having invaded their personal private space and stolen something that isn’t meant for us.
This article in Esquire sums it up the absolute best for me: http://www.esquire.com/blogs/news/its-not-just-a-piece-of-her-body
Choice quote – “The titillation factor doesn’t come in her saying yes to the actual intended recipient of the photo, but because we know she’s tacitly saying no to us, and yet we’ve beaten her. We’ve beaten her.”
Howard Beale IV
@Steppan: There’s another lesson here as well: “Convenience has a cost, especially when it’s used for security.”
Jerzy Russian
@Punchy: Christ, what an asshole (the billionaire and not the Pope).
kc
@John Cole +0:
Sorry, I think you’re in the wrong here. All that “I’m not slut-shaming, BUT blah blah.” Not a whole lot of difference from “I’m not a ______, BUT” type statements.
Violet
@John Cole +0: No worries.
John Cole +0
I also let my hatred of Lena Dunham trigger me. I feel the same way about the show Girls that I do about Mad Men- why would anyone voluntarily spend any time watching these uniformly awful people.
constitutional mistermix
@Violet: Yeah, I wrote it.
@John Cole +0: Serious response: Calling you a “prude” was an attempt at ribbing you that obviously fell flat.
On this: “I still don’t know why anyone would run around with nude selfies of themselves on the phone or stored to the cloud”
I do understand why people would have these pictures on their phone — they’re in LDRs and people in LDRs send each other sexually explicit communication. I think, as you pointed out, having them in a cloud was probably them thinking they deleted something but they didn’t.
On the rape stuff, I agree with you that a flat comparison of rape to this is way overwrought, but Dunham’s tweet, which used an analogy that is often used when discussing rape victims, had some truth in it.
That’s it. Not trying to call you a bad, bad man, sexist, misogynist, or anything else.
kc
@John Cole +0:
Look, he did it again.
kc
@John Cole +0:
You said that too? What an asshole statement.
Roger Moore
@cleek:
Except that isn’t enough. As the article points out, the system is deliberately designed to make it difficult to use selectively. That’s especially true if you try to share the data selectively, since you’re creating additional records on the cloud in ways you may not have realized. Your suggestion undermines the basic utility of the system, since it means you can’t actually use your iPhone as a communications device for anything remotely sensitive. We clearly need better security than “don’t actually use your device for its intended purpose because it isn’t secure”.
kc
Really? I didn’t know that. I thought you had to opt in and pay for cloud storage.
I have assumed that if I took a picture on my iphone and didn’t upload it, text it, or email it, the only place it’s stored is on my iphone. So that’s not the case?
bemused
@Sanjuro:
Ha, I remember those party lines too. They existed into the early 70’s in rural areas as I recall. Another party could and did jump to tell you to get off, he/she needs the phone. Weird when I think back. It was like your neighbors were listening in from another room in your home.
Steppan
@Roger Moore:
Exactly right. The companies having their shit actually be secure (especially to something as crude as a brute attack) seems like a reasonable expectation of use to me. Obviously you want to be at least a little more deliberate for something like nude pictures, but also when you delete something on a service, it’s kind of the company’s responsibility to delete it.
John Cole +0
@kc:
I don’t know how it is slut shaming to acknowledge the real world and that it is not a perfect place. Your chances of having naked pictures of you posted on the internet are closer to zero if you don’t have them on the cloud or on your phone.
This reminds me of the brouhaha the other day when a bunch of people got mad because some college kids made a nail polish that would change color if the user was exposed to a date rape drug. The line of reasoning was that it shouldn’t be up to women to HAVE to do this and that forcing women to use this kind of nail polish is subjugating them. And I can understand the argument.
Now here comes your but- But I don’t understand why this is necessarily a bad thing. Sure, women should not have to fear being drugged and raped, but the sad fact is that they are, so I don’t see why anything that can keep someone from going through that kind of horror or trauma is a bad thing. Why does everything have to be either/or?
constitutional mistermix
@kc:
Both Google and Apple make you sign in with a Google/Apple account when you set up your phone. That account is where “cloud” data is stored. Apple is very aggressive about storing pictures from your device in that cloud. It is absolutely possible to have stuff go into the cloud that you didn’t expect.
CONGRATULATIONS!
Android does the same thing – the extent of which, I do not know, just as the extent to which Apple does it, nobody really knows either. But I have stuff showing up in my phone that I put up originally on the cloud and vice versa.
The entire “voluntary intelligence” gathering system by Apple, Google, and Facebook is lethally flawed and people really need to stop using it until these companies make user privacy a first priority, not the last.
Eric U.
I find comparisons to rape to be somewhat problematic. Unless it involves rape, then it’s ok. Sorta like white people talking about race, I’ve come to the conclusion that I have a somewhat limited understanding of these subjects and I’m not going to contribute much to the conversation. Even though I was sexually assaulted as a child.
John Cole +0
@kc: Don’t have a cloud account is the easiest solution, but that is not possible for everyone. And even as simple as Apple is on some things, the cloud can be a clusterfuck for new users. If for no other reason, every iphone user should follow this list just to preserve battery life. We talked about this in another thread, and it is true- you can seriously watch your battery drain in real time with all the notifications and crap going on in the background.
Sanjuro
@bemused:
Ha. Yes indeed it was weird. I always mentally pictured a ghost room that they lived in.
cleek
@Roger Moore:
Settings / iCloud / Photos
i agree Apple is aggressive about turning this stuff on.
Roger Moore
@Steppan:
You actually have a lot more protection in that case. If your personal information gets stolen, it’s at least possible to get your money replaced, card and bank account information changed, and put a lock on your credit. You can be made financially whole again, even though it comes at the cost of considerable hassle. OTOH, if other kinds of private information get leaked (e.g. nude selfies) it’s impossible to get them back under control; they’ll be out there for as long as people want to keep them.
JPL
Apple needs to get its shit together. If they falsely advertised a right to privacy, then they need to get their butts sued. Now let me go check my facebook account. (btw the only facebook acct. that I have is one under a dummy name.)
kc
@constitutional mistermix:
Well, thanks. I honestly didn’t know that. I suspect many thousands of other people don’t know it.
Shit, if my 1700 cat pictures are in the cloud, then you’d think my iphone wouldn’t be out of storage space . . .
John Cole +0
@kc: Do you disagree? Is it really crazy to note that in the world we live in that celebrities and famous people are at heightened security risks? Should we tell the Secret Service to stand down, then? Should all celebrities fire their bodyguards?
Have you ever heard the term paparazzi? Ever heard the name Princess Diana. Ever been to TMZ or Perez Hilton?
You’re just looking for something to be pissed off about.
John Cole +0
@cleek: I think the only thing I have turned on is find my iphone, which, amusingly enough, is rumored to be the exploit that led to this latest hack.
Mnemosyne
@Marcelo:
That’s a really good essay. This paragraph stood out for me, too:
There’s always been a theory that the thrill of movies and photography (and later television) is that you get to anonymously spy on people in their intimate moments, and I suspect that dynamic may be at work here as well.
Elizabelle
@JGabriel:
Saw that. Hope it gets its own thread later.
Politico is everything that is wrong about journalism. How very sad.
Randy Khan
@JGabriel: Traditionally, the publisher has nothing to say about editorial matters at a newspaper. The publisher is responsible for the business side – buying the paper, negotiating with unions, selling ads, etc.
In reality, there’s bleedover, and it’s more common today than it used to be. Most of it, though, has to do with whether advertisers are going to be mad about coverage than anything else. The publisher does not write editorials.
Meanwhile, if I were worrying about something, it would be that he was a founder of Politico.
kc
@John Cole +0:
Well, at least I’m not blinded by hatred of Lena Dunham. :)
kc
@JGabriel:
Oh, great.
Mnemosyne
@John Cole +0:
It’s because our society, justice system, and juries treat it as an either/or. Rape and sexual assault are the only crimes I can think of where the behavior of the victim decides the verdict, not the behavior of the accused criminal. How often do you hear about a burglar getting found “not guilty” because the victim couldn’t prove that s/he didn’t voluntarily give the burglar their big-screen TV?
bemused
@Sanjuro:
Our fellow party liners were not too intrusive and didn’t eavesdrop. However, it could be extremely annoying if you had a busybody with an obsession to be first with the latest gossip on the grapevine.
John Cole +0
@constitutional mistermix: I’m even angrier with you than I was when I thought AL wrote it, because at least I thought while she was wrong, she firmly believed it.
You’re just fucking with me.
And I think I need to rethink trigger warnings, because Lena Dunham just sets me off.
C.V. Danes
@CONGRATULATIONS!:
A good place to start would be encrypting the information in such a way such that even they could not access the data. However, NSA paranoia being what it is, who are you going to trust to do the encryption that the NSA hasn’t already broken?
Helen
@John Cole +0:
This. The people on her show are awful. They’re all a bunch of WATBs.
That Lena Dunham is considered a feminist is insulting to all of the true feminists who came before her. Boo Hoo Hoo; all those 20 somethings on her show have it sooooo bad. No. Really. They don’t.
She sets back women’s causes 25 years. Or she would if she had any real power.
Roger Moore
@Steppan:
The only way we’re going to have anything remotely resembling real security is if there’s an easy way of encrypting stuff before it gets uploaded to the cloud. If the cloud provider can’t read your backup, they can’t leak your pictures to anyone else. If your email is encrypted before it’s sent, it doesn’t do the NSA much good to intercept it (assuming they haven’t backdoored the public key algorithm you’re using). Mozilla is the one place I know of that’s doing this approximately right; they keep your browser profile on their server, but it’s encrypted first so you’re the only one who should be able to read it. The big downside is that doing things that way opens you up to loss of data failures; if you forget your password, there’s nobody out there who can help you recover your data.
John Cole +0
@bemused: Are party lines the same thing as the phone calls advertised during Friday Night Videos on NBC in the middle to late 80’s on a Friday night where you could call and talk to LIVE HOT GIRLS?
askew
It turns out that a lot of the photos were stolen from the boyfriend/ex-boyfriend’s cloud not the women’s cloud. I am curious if that will shift any of the victim blaming that is going on. The blame should fall completely on Apple and the hackers, but there has been plenty of blame put on the female victims. But, if the men are the ones who didn’t secure/delete the photos properly, does that mean the women will stop getting blamed unfairly?
may
On the question of Apple storing photos in the cloud: If you don’t want photos in the cloud, but you have an apple id and use the e-mail, calendar, bookmarks, etc., just turn off the switch for keeping photos in the cloud. Then after any major upgrade be sure to turn it off again… that is the sneaky part. Plus, not storing photos in the cloud makes the storage needs small enough that one doesn’t need to buy a lot of storage.
Roger Moore
@cleek:
Turning off cloud storage doesn’t help you if you send the picture using Apple’s messenger service, creating another copy of it on their servers. It might have helped in this specific case (which sounds like it was about compromised cloud backups) but it doesn’t help in the general case of somebody hacking Apple’s servers. The only way that works is if Apple doesn’t know what’s on their own servers, so that anything they leak is just a bunch of encrypted gibberish. It would still be useful to somebody who wanted to run traffic analysis on it to see who you’re talking to, but the bulk of the information would still be unusable.
Mnemosyne
@askew:
You’re adorable. :-) Sadly, the answer is “no.”
CONGRATULATIONS!
@C.V. Danes: I don’t worry about the NSA, because it’s kind of a given they’ll have a backdoor into everything. It’s everyone else that’s the problem.
I worry about /btards posting my selfies to 4chan, where they will probably be mistaken for pictures of a manatee.
Rafer Janders
@John Cole +0:
Because “hey, it’s the real world and it’s not a perfect place” is often the reasoning used by police and prosecutors not to pursue sexual assault and rape cases, and by judges and juries not to convict in them.
And your chance of getting sexually assaulted is closer to zero if you don’t go outside….
Sorry, but this is still putting the onus on the victim of the theft, rather than on the thief. If someone breaks into my house and steals my TV, money and jewelry, I won’t have to hear a chorus of “don’t keep anything at your house that you don’t want stolen.” Why should it be otherwise in this case?
Roger Moore
@C.V. Danes:
I think you’re letting perfection be the enemy of good enough. If you accept that NSA will be able to crack whatever encryption you use, you also have to accept that they can trivially access whatever you’re doing now, so it isn’t a serious concern. Meanwhile, adopting encryption that only NSA (and similarly capable spy agencies) can crack should reduce the danger from random putzes like the ones who carried out this attack. That seems like a big enough improvement to be worth doing.
Mandalay
@Marcelo: That Esquire article was good, but the first post in the comments section was even better:
It’s impossible to take Esquire (or Huffington Post, etc.) seriously on issues like this while they also constantly drool and obsess over raised nipples and side boob shots.
EdinNJ
What annoys me about all this is the normalizing of taking nude pictures to share with others. Maybe I’m old (certainly not a prude) but while this is a disgusting invasion of privacy, you cannot just dismiss that we live in a different world today where so many think it is perfectly reasonable/almost expected behavior to take these photos. I certainly am raising my children (13 and 12), to never do this, not that they won’t eventually ignore me. But there is always a risk, because no relationship is ever permanent, and once you share these, you lose ownership and control of the photos.
cleek
@Roger Moore:
very true.
once you give a copy of your secret stuff to someone else, you should probably assume there’s an increased chance it’s not going to stay secret. sucks, but that’s something everybody learns just about the same time they learn what the word “secret” means.
this is exactly why Snapchat was invented.
Roger Moore
@askew:
It may change which victims get blamed, or not, since blaming the women for taking the pictures in the first place is so attractive. Fortunately for Apple, it won’t succeed in directing attention to the incompetent security that really needs attention.
Violet
@John Cole +0:
Any idea why that is? She bugs me too but I haven’t been able to quite figure out why.
Tommy
Let’s come full circle to the title of this post. I do not know the world I post a nude pic of myself. I am not a prude. Pretty out there from a sexual POV. But I do it behind closed doors.
Rafer Janders
@EdinNJ:
Eventually? Sure, if by eventually you mean within two to three years.
bemused
@John Cole +0:
NBC really does that? I didn’t notice. I thought it was just on cable. Times have changed! When it was just network channels, they would sign off before midnight or so, iirc, with High Flight.
constitutional mistermix
@John Cole +0: Lena Dunham is not worth getting pissed about.
Bob Munck
I use a cloud provider named SpiderOak that stores everything in a strongly-encrypted form using state-of-the-art encoding. What really makes it safe, however, is that the encryption keys are stored only on my computers; they are never on any SpiderOak equipment. (Encryption and decryption are done by my processors.)
I may be “storing my data on somebody else’s computer,” but it’s inside a strong safe that they can’t open.
Obviously the encryption keys for the cloud data are stored in encrypted form on my computers. The password/key for that is long and complicated and a pain to enter, but I don’t have to do it often. The bottom line is that I feel safe, and I’ve published papers and been granted patents in the field of computer security, so I would know.
Violet
@askew:
No the blaming argument will just focus on “You shouldn’t take naked pictures and send them to people! Stupid slut!”
cleek
@John Cole +0:
i let it store my contacts and calendar and the FindMyPhone thing, but nothing else.
and i do all my backups to my desktop.
and then those backups are encrypted and stored at work.
bemused
@John Cole +0:
I glanced over the mid 80’s timing. Maybe in your area but it sure didn’t happen in mine then. I’m pretty sure I would remember something like that especially when I was up with babies late at night all the time watching tv.
different-church-lady
@Roger Moore:
Which is one of many reasons why I don’t fucking use it.
Christ, when did not buying snake oil become rocket science?
Mandalay
@cleek:
An article on Saturday stated that SnapChat is valued at $10 billion, even though it hasn’t produced a dime of revenue. I suspect the valuation is way higher now.
constitutional mistermix
@Tommy:
The point is these people did not post a pic of themselves, they took nude pics of themselves to send to intimates and those pics were exposed by hackers since they were auto backed up to the cloud.
different-church-lady
@John Cole +0:
Because my need to condemn slut shaming trumps other people’s need to not get date raped. Don’t you understand anything about self-centeredness in the 21st century?
Lee
@Rafer Janders:
I assume then that you leave your door wide open when you leave the house & you never lock your car doors.
Helen
@EdinNJ:
I agree (and I’m old too!)
I just do not see this as blaming the victim as much as their failure to assert control.
The people who were hacked had TOTAL control over whether or not their naked pictures got stolen. They could have exercised that control by not putting their pictures on the cloud. They could have exercised that control by not taking the pictures in the first place. They chose to abrogate that control by doing so.
It is not their fault that they got hacked. It is their fault that they put the pics on the cloud. Which brings us back to “the world is not a perfect place.” No it is not. But the victims could have made their own world just a little more perfect by not making the pictures public. And yes the cloud is public. That’s just part of our imperfect world.
rikyrah
IF you are a celebrity and think you have any privacy in today’s age..
you are a fool.
Cole is not a prude.
Doc Sportello
@JPL: This is key. You can have multiple email accounts on your iPhone, but your AppleID (which must be an email address) shouldn’t be used for anything but communication with Apple. Yes, [email protected] looks good, but it’s too transparent. Come up with something different so a hacker needs to guess both your ID and your password.
And a robust password manager will help, too. The hacker did a brute-force attack using the 500 most common passwords.
different-church-lady
@constitutional mistermix:
This is quite wrong. I had my iPhone for a month before I had an Apple account. Now that I have an Apple account I still do not have any iCloud capacities or accounts.
Dick Dastardly
How did Jennifer Lawrence get a great big load of goo all over her face while having a long distance relationship? I’m sure the guy who she was having it with would like to know too.
Steppan
@Helen:
It’s their fault they had a reasonable expectation of a secure service?
The cloud is *not* public. Apple sucks at security (hardcore).
If your definition of “total control” means “the only way you have total control is to not do it at all” it doesn’t apply any more.
different-church-lady
@kc:
It’s a good thing most people don’t know it, because it’s wrong.
Tommy
@constitutional mistermix: Kind of my point. The Internet is public. Anything you do on it is about to be found. I don’t think that is right but just a fact.
Rafer Janders
@Lee:
Actually, in the small town that I live in on weekends that’s exactly what I do — the house and car doors are not usually kept locked, just as is true for virtually all of my neighbors.
And if someone broke in, it would be the thief’s fault, not ours.
Steppan
@Tommy:
“is about to be found” via the digital equivalent of breaking into your house and taking your shit.
lonesomerobot
So it’s obviously all been said already. But as a parent of a daughter growing up in today’s narcissistic, cameras everywhere society, we’re teaching our child to have enough respect for herself to know that a nude picture is not required, and never has been, for a healthy relationship. Furthermore, the moment it’s digital, assume that it belongs to everyone, whether or not that’s the way it’s supposed to work. Anything can be hacked. ANYTHING.
Also, about this ‘prude’ business: I had a few long distance relationships when I was growing up, and never once did it occur to me to either send nude pictures, or request them. So I guess I must be a prude. And here all along I just thought I had been taught to respect myself and the people I dated.
But really, the notion that we just accept nude selfies as normal behavior, because, “that’s the way things are now,” I find to be nonsense. Parenting is hard enough without idiotic fuckburgers running around pushing this nonsense. It’s a case of giving in as a society to the lowest common denominator.
And, seriously: Lena Dunham? Sheesh.
Chyron HR
@Dick Dastardly:
TCP/IP.
different-church-lady
@Mnemosyne:
cough-trayvon-martin-coughcough
Keith G
Lena Dunham is quite over the top on this.
The “she was wearing a short skirt” comment is the type of discussion stopper most often employed by those unwilling or unable to advance a reasoned and nuanced discussion.
@Mnemosyne:
Huh?
Have you been following the concerns that many have about the events in Ferguson and many other similar police shootings?
I do feel that the predictable results of the reckless storing of embarrassing digital content should not be compared to rape. Ill-conceived behavior can have unfortunate consequences. I feel for the embarrassment these and other such folks suffer.
@askew:
I wouldn’t and don’t blame the women. The hacker is the criminally liable culprit.
Risk is attached to many behaviors in life. Posing naked for pictures assumes a certain level of risk. If the pictures are digitally taken and stored in a place that is web-connected, the risk shoots up. And so on.
The celebrities that are central to this story participated in a behavior that many regular folks do as well, but many more do not because of the risks involved – because of possible consequences. Meanwhile for some, it is the very risk involved that makes this behavior a …compelling choice.
These celebrities who had their cloud data leaked do own some of the responsibility for this embarrassing episode which will blow over rather quickly with no loss of earnings, I assume.
Tommy
@Steppan: I would not do it. You would not do it I bet. But people will. So you need to understand this. Act accordingly.
different-church-lady
@Rafer Janders: Yes, it would be the thief’s fault. And I guaran-fucking-tee you you’d still feel like an idiot.
different-church-lady
@Keith G:
Why anyone gives a shit about what she thinks is beyond me.
Steppan
@Tommy:
But this constantly comes back down to “don’t do it in the first place because you should have known better,” which is effectively victim-blaming again (or only a step removed).
I know there are vulnerability and huge privacy/security issues all over the Internet. Yet nearly every time this line has been used – the Internet is, in practice, unprivate – that’s where the discussion stops. Dead end. Therefore, they should have known better. I would be a lot more okay with this if it kept going to “and this is not okay, not how it should be, privacy should be a realistic expectation” or “well, it’s only the case sometimes, and lots of times it’s preventable, Apple really dropped the ball here.”
But nope. They should have known better, don’t go outside.
Kay
@EdinNJ:
We have regular juvenile photo-texting prosecutions.
I don’t know if this will help, but tell them it can be a huge deal for them if they’re caught, and if they’re passing the pictures around in a school they always get caught. They seem to believe the adults in school can’t hear or see them.
A ton of them don’t know it can be such a serious charge, with all the sex offender potential. They really, really don’t want to get caught up in this. The sex offender laws aren’t rational. They’ll eventually be modified, but it takes a long time to swing the other way when we go on one of these herd-like panics re: children.
They are children, so they can be charged with disseminating their own image.
askew
@Tommy:
Except the women didn’t put the pictures on the internet. In some cases, they were pulled from the boyfriend/husband’s cloud backup on the internet. Not the woman’s. Not sure how she can be blamed for that.
different-church-lady
@askew:
The hackers committed a crime.
The “female victims” had poor judgement.
WHAT IS SO FUCKING HARD ABOUT UNDERSTANDING THAT BOTH OF THESE THINGS CAN BE TRUE AT THE SAME TIME?
I’m sorry. I’m in a very big, ugly mood this morning.
cleek
@Rafer Janders:
why do banks have better security than donut shops?
Doc Sportello
The photos were encrypted, but the hacker got the password. Here’s a link to what is (most things) and is not (mail, notes) encrypted in the iCloud.
RedKitten
I think that a lot of people really do NOT realize that the photos taken on their phones are automatically backed up. And I think that this was very much the case here for many of these women. So how about we stop berating them for that? They took pictures with their phones, sent them to their loved ones, and then deleted the goddamned pictures. Any non-techy person would easily think that that was the end of it. So how about we cut them some slack, okay?
Besides, it’s pretty telling when in this thread and the last one, we’re seeing an AWFUL lot of comments about how these women were so stupid to take nude photos/use technology/trust technology that they may not have fully understood. But we’re not seeing too many fucking comments expressing disgust towards the hackers or discussing the culture in our society that enables men to think that they have every goddamned right to see a woman’s body, whether she wills it or no.
ShadeTail
And thus we see the perfect case-in-point of my main argument against cloud storage: it means that *MY* data is being kept by someone else, who may or may not actually care about good security and may still suck at it even if they do care. I always turn off cloud storage for my devices whenever I can, because I refuse to not take personal responsibility for what I do. Screw the cloud storage assholes, I don’t trust them one bit.
Oh, and a strong ditto to RedKitten immediately above. Even if someone is careless enough to leave stuff like this laying around where it can be stolen by someone, that doesn’t mean it’s their fault it was stolen. The thief could have chosen not to do that, but went ahead anyway.
Tommy
@Steppan: I am so not victim blaming. I hate this is the case. As an adult to an adult we should be able to do whatever the hell we want. Not put on public display. But I stand by my comment: you put shit on the Internet, it might very well become public.
different-church-lady
OK, let me see if I can explain it to you big brains in small words:
a) Some people are shitty.
b) Other people are clueless.
c) group a has an easier time preying on group b than non-group b.
d) “don’t be in group b” is smart advice.
e) observing the truth of (d) does not negate (a)
different-church-lady
I also kinda want to know when it became, “Oh, yeah, everyone’s got nudes of themselves on their phones, it’s just what we do now.”
cleek
@RedKitten:
it seems like a given, to me. is there anyone willing to stand up for the hackers? if not, there’s not much of a discussion to be had about them. dude broke the law, and presumably will be punished. and, this kind of thing happens all the time, literally. the only reason we’re talking about this event is the celebrity angle.
Roger Moore
@Doc Sportello:
The problem is that the data is encrypted by Apple, and they will helpfully decrypt it for you if you provide the right password. IOW, the encryption did precisely nothing to defend against a password guessing attack, and Apple had a system that let hackers brute force the passwords by guessing an unlimited number of times without locking the accounts or generating any kind of warning. That’s a basic security flaw that goes against decades of experience.
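Added example (not part of the comment above and not Apple's code): the flaw that comment describes, unlimited password guesses with no lockout or warning, shown beside a throttled login check that locks the account and raises an alert. The account name, guess list, thresholds and class names are constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5            # assumption: consecutive failures before a lockout
BASE_LOCKOUT_SECONDS = 60   # assumption: first lockout length; doubles each time
ACCOUNT = "user@example.test"                     # constructed account
COMMON_GUESSES = [                                # constructed guess list
    "123456", "password", "qwerty", "letmein", "111111", "abc123",
    "iloveyou", "monkey", "dragon", "sunshine", "princess", "football",
]


class FakeClock:
    """Injected clock so lockout expiry can be shown without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class Authenticator:
    """Password check; max_failures=None reproduces the unlimited-guess flaw."""

    def __init__(self, clock, max_failures=MAX_FAILURES):
        self.clock = clock
        self.max_failures = max_failures
        self.accounts = {}       # account -> (salt, derived key)
        self.failures = {}       # account -> consecutive failed attempts
        self.lockouts = {}       # account -> lockouts imposed so far
        self.locked_until = {}   # account -> time at which the lock expires
        self.alerts = []         # stand-in for a notification to user / SOC

    @staticmethod
    def _derive(password, salt):
        # Work factor kept modest so the demo runs quickly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, account, password):
        salt = os.urandom(16)
        self.accounts[account] = (salt, self._derive(password, salt))

    def authenticate(self, account, password):
        now = self.clock()
        if now < self.locked_until.get(account, 0.0):
            return "locked"      # refused before the password is even examined
        salt, stored = self.accounts.get(account, (b"\0" * 16, b""))
        if hmac.compare_digest(self._derive(password, salt), stored):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.max_failures and self.failures[account] >= self.max_failures:
            n = self.lockouts.get(account, 0)
            seconds = BASE_LOCKOUT_SECONDS * 2 ** n
            self.lockouts[account] = n + 1
            self.locked_until[account] = now + seconds
            self.failures[account] = 0
            self.alerts.append(f"{account}: {self.max_failures} failed logins "
                               f"in a row, locked for {seconds}s")
        return "denied"


def replay_guesses(auth, account, guesses):
    """Return (guesses the server actually evaluated, whether one succeeded)."""
    evaluated = 0
    for guess in guesses:
        result = auth.authenticate(account, guess)
        if result == "locked":
            continue
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False


def demo():
    clock = FakeClock()
    unlimited = Authenticator(clock, max_failures=None)
    throttled = Authenticator(clock)
    for service in (unlimited, throttled):
        service.register(ACCOUNT, "sunshine")     # weak, guessable password
    return (replay_guesses(unlimited, ACCOUNT, COMMON_GUESSES),
            replay_guesses(throttled, ACCOUNT, COMMON_GUESSES),
            throttled.alerts)


if __name__ == "__main__":
    print(demo())
```

A hard lockout also lets anyone lock the account's owner out, so production systems usually pair it with per-source throttling and rely on the alert.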
John Cole +0
Re: Snapchat
Can’t you just hit prt sc/cmd shift 3/power button & siri button and defeat the whole thing just like that?
Doc Sportello
@Roger Moore: Agreed.
Also goes to show the need to have a robust and unique password for each individual web site. It’s not obvious how to protect yourself from these kind of situations, but it’s fairly easy to do so. (And make sure the recipient of these works of art is doing the same.)
Keith G
@different-church-lady:
Nor does observing the truth of (d) negate (b)
Many of us who worked in public sector jobs in the boom-boom days of the (public) internet, late 90s+, saw colleagues go down in flames because of digital personal content that was made public due to carelessness and/or evil intent.
Note: I was lucky.
Roger Moore
@different-church-lady:
When phones got cameras. Seriously, people have been taking nude pictures of themselves and their lovers for about as long as they’ve been able to develop the pictures themselves; if you talk to people who worked at photo developing places, you’ll discover that plenty of people took nude pictures even when somebody else was going to be developing them. That people would start taking nudes with digital cameras and camera phones was obvious to anyone who knows anything about photography.
FWIW, I don’t think everyone has nude pictures on their phones. Some of us are prudes, some don’t think they’re good subjects for nudes, and others don’t have anyone they want to share with. But it’s totally unsurprising that a lot of people would use their camera phones to take and share nude pictures, since that’s what people have been doing with other kinds of cameras since the 19th Century.
Roger Moore
@Doc Sportello:
Actually, it goes to show the need to switch to a better system than human created and remembered passwords as authentication tokens. Many people routinely deal with dozens of web sites that need passwords, some of which they will only deal with occasionally. It’s beyond the skill of ordinary human memory to remember that many robust and unique passwords for that long, even if we were capable of creating robust and unique passwords in the first place. There needs to be a better way.
Walker
As I have said on these threads several times:
I am a big fan of Apple. I think they understand computing as a consumer device and get a lot of things right that Google does not.
However, Apple is absolutely incompetent when it comes to the cloud. They are so incompetent that they have proved over and over again that they do not even understand how to hire the right people for cloud.
Paul in KY
@EdinNJ: If that ever happens to them, you’ll have some good ‘I told you so-ing’ you can do. So, there’s that…
Sir Laffs-a-Lot
I agree 100% with mistermix. This is the old Steven Jobs “we decide what’s best for you and control your life through your devices we control”. Which should never have been permitted to happen and which needs to end. Now.
Paul in KY
@different-church-lady: That you know of!
Doc Sportello
@Roger Moore: And that way is a password manager.
I’ve used 1Password for years (other people prefer other programs, some of them free) and have ridiculously long and complicated passwords for each of the 200+ sites where I have an account. I can’t remember any of them, so I have the password manager do it for me.
I also use two factor authorization for all important accounts. And I’m familiar with the known limitations of the cloud services I use. Evernote has no encryption. DropBox is encrypted, but its employees have access to the raw files. 1Password has access to nothing.
It’s not perfect, and the NSA can still do whatever it wants, but it’s pretty safe, pretty cheap and pretty easy to set up.
Paul in KY
@Rafer Janders: I think you’re a bit naïve. It is the thief’s fault (in both cases), but a few quick precautions will save a shitton of headache if reality bites you in the ass someday.
flukebucket
When you expect no privacy then you will never be disappointed.
Paul in KY
@Steppan: I think it’s usually implied that this is hindsight for the future.
We find/judge the thief, but in the future, you do A, B, C so those creepy bastards can’t do that to you anymore (unless you want the creepy bastards to do that).
Paul in KY
@RedKitten: The creepy hackers should be prosecuted to the fullest extent of the law. They are POSes.
GHayduke (formerly lojasmo)
@cleek:
Cleek gets it in one. Anything on your phone, or a computer connected to the internet is not secure.
gvg
Let’s start with an opinion that the internet, businesses that use the internet, modern devices that are new and use the internet need more regulation. There is very flawed security in all kinds of ways. The fact that people are saying there is no privacy anymore means that we need to do something and what we need to do is laws that enforce some kind of standard security expectation on all levels.
At one time there were no food safety laws or standards. At one time banks weren’t really regulated. Yes we have regressed in recent decades but still compared to way back, things are much more regulated. We expect cars to be safe and bad things happen to companies when they aren’t. Water is regulated. These all started with no regulation and we had to invent laws and processes to deal. We invented traffic laws and still update them as needed. We decide on electricity standards and different countries have different standards. Radio waves are regulated, shared and sold.
I guess the self encryption is one thing that should be standard? Perhaps the cloud needs to be outlawed? Restricted? Require companies to make it easier to opt out? I am not a computer expert. I try to keep up but in this thread alone there are several who claim expertise who are contradicting each other. How am I supposed to know who to believe and where is a list of all the other dangers and what to do about them? Because there seems to be an endless supply of things that might happen…people can’t hide under the covers.
It seems to me the devices make it too hard for non experts to control. They do all kinds of sneaky things we don’t even guess at. Maybe they should just be required to be a better fairer safer design in the first place?
I know we also need safer credit cards. What else? Because it’s the whole picture, not just one company or device or action.
We got to this place by accident. Maybe we just need to figure out where we want to be. I imagine that there would be a chorus of screams that it’s not possible, not fair, inconvenient etc. Maybe it’s just too bad companies we need a change and once it’s done I predict it will calm down and people will get used to it and start businesses that do things like safely store passwords or whatever it turns out makes the new world easier.
Expecting me to become an expert is a waste of hope. Most people have different expertises and busy lives. We try not to be stupid but this is just overwhelming. There is always something new. I am not a chemist but I still expect my food to all be safe. The internet just needs improving in safety.
Steppan
@Paul in KY:
I think it *should* be but frequently isn’t, and since the logic is also used often by those who think it’s the victim’s responsibility/slutty sluts being sluts/whatever, it’s an important distinction to make.
Marcelo
@Mandalay: It’s a fair point you’re making. I would argue 2 things in response:
1) The message of the piece is quality regardless of the source. Maybe you shouldn’t take Esquire seriously because there’s all that stuff, but that’s different than the question of whether what they’re saying is a valid point. It’s a valid point whether it comes from Esquire, Feminist Frequency, or Rand Paul.
2) The author’s whole point is that the stuff in Esquire magazine is packaged and presented with the consent of the models/actresses involved, and that it’s different than private photos. The whole point of the private photo reveal isn’t just the boobs, it’s that they’ve defeated the person’s attempts to hide what they don’t want to show you – they’ve gone beyond the packaged Esquire presentations of the very same boobs. The fact that these photos are intimate – they’re not for you, they’re for whoever they were privately sent to – and yet you still get to see them, THAT’S the rub. So the fact that the author is making this distinction means that when you compare the criticism of the private photos with the material Esquire normally puts out, they’re apples and oranges. One is something the model wanted you to see, the other isn’t.
kc
@Keith G:
I love how you say “I don’t blame the women” and then immediately proceed to blame the women.
Paul in KY
@Steppan: Fair enough.
askew
@kc:
Exactly.
WereBear
@Doc Sportello: That’s the solution I came up with. I use Password Wallet on my iTouch, and it’s worth every penny of its small price.
Mnemosyne
@Keith G:
I did not realize that the people who stole these photos were members of law enforcement, who most judges and juries consider to be above the law. Do you have a link?
In other words, it was all the victims’ own fault for being stupid. But you’re not blaming the victim because shut up, that’s why.
Bobby Thomson
@Punchy: Better not let Langone know what that Jesus cat said about rich people.
LAC
@kc: just keep this in the back of your pocket when he goes on a dystopian “Big Brother 1984” rant when snowflake snowden news floats into our consciousness and fear of theoretical exposure of dudebro emails to the evil NSA in order to drone us happens.
Doc Sportello
The Unofficial Apple Weblog just published a piece on the limitations of Apple’s two-factor authorization. Shorter version: it’s real good at protecting your credit card; not so hot at protecting pictures and bookmarks.
LAC
@Mnemosyne just keep this in the back of your pocket when he goes on a dystopian “Big Brother 1984″ rant when snowflake snowden news floats into our consciousness and fear of theoretical exposure of dudebro emails to the evil NSA in order to drone us happens.
Mnemosyne
@Keith G:
Oh, well, I’m glad to see you —
Uh, dude. Right there? Those three paragraphs above? That’s where you blamed the victims. It’s becoming kind of a tic by now: I don’t blame the victims, but it’s their own fault. Guh?
And the amount of money they make has nothing to do with it, either.
p
I was in a film called “slipstream” that starred luke askew (“cool hand luke”) that won “best Canadian film/best photography/best director” in 1973 (predating the genies).
there was a brief long shot of the leads (luke and I) walking a horse, nude, thru a lea.
in 1978 I had a brief scene as a stripper in a film called “but all in good taste”.
it was a most curious thing when, in 2004, I googled my name and found it linked to numerous porn sites.
funny, too. I am white haired now, not “brunette”, but my breasts are still “small but perky”, just 2 feet lower than they used to be.
Mnemosyne
@different-church-lady:
And yet you were somehow able to figure out that Martin was not, in fact, to blame for his own murder. Why are you having such a hard time extending the same courtesy to celebrities who had their photos stolen?
Joe Bauers
A young woman who chooses to go to a frat party and get blackout drunk *should* be able to have the same expectation of not being raped as a young man who chooses to go to the same party and get blackout drunk. If she does get raped, the person who did it *should* be punished and her choice to attend the party and drink that much *shouldn’t* matter either legally or extra-legally.
Since life doesn’t always go as it should, I’m still going to counsel my daughters to not go to parties and get out of control drunk, even as I teach my son to not rape.
Both/and, not either/or. Applies here too.
Robert Sneddon
@Doc Sportello: So if someone breaks into your 1Password wallet they get all your accounts and passwords in one convenient easy-to-carry lump. Like I said upstream, convenient or secure, you gotta choose.
One of the online password wallet systems went bust overnight recently, stranding its users who didn’t have local copies of their wallets and leaving them unable to access their accounts on various internet websites. What fun…
Mnemosyne
@different-church-lady:
So when do you get around to berating Group A for their behavior rather than berating Group B for being clueless and telling Group B that you would never be as stupid as they were?
That’s what bugs me about this — people hand-wave away Group A (because everyone knows they’re assholes, amirite?) and focus all of their ire on Group B for being so stupid as to be exploited by Group A. Could we maybe spend 10 minutes talking about what assholes Group A are and how to minimize their assholery, or is it always and forever up to the victims to stop being victimized?
Lee
@Rafer Janders:
But during the week you lock your doors. Funny how that works.
Like others in this thread have pointed out, if you have private photos of yourself, then you should lock your doors.
It is as simple as that.
Roger Moore
@Doc Sportello:
The one thing I would definitely want is the ability to export all my passwords. I would be terrified that the program will stop being developed and all my passwords would be locked up and inaccessible.
Keith G
@Mnemosyne:
Here, let me type slowly for you:
You stated:
Rape and sexual assault are the only crimes I can think of where the behavior of the victim decides the verdict, not the behavior of the accused criminal
Many of us feel that Darren Wilson should be charged with a crime. If the grand jury no bills him, or if indeed he is brought to trial and found innocent, it might be the case that the supposed behavior of the victim decided the verdict, not the behavior of the accused criminal. At least, that is what many of us fear – that the defense will put Brown’s behavior on trial.
The above is a simple contra example of your quote that I blocked up there.
::Typing even slower now::
Sometimes one can contribute to an unfortunate outcome without being the focus of “blame”.
The other night in our neighborhood, a person was killed as she legally walked down the side of a very busy yet poorly lit road. She had other, safer, routes but this was the most direct path. Many of us avoid walking or jogging down that stretch since there is no sidewalk.
The driver who was not paying enough attention (and possibly driving faster than the speed limit) is to blame, as it seems that the woman was not on the road bed when struck. Again, she is not to blame. She did make a regrettable choice that put her safety in more jeopardy than many others feel is acceptable. She is not around to tell us why saving about 400 yards of walking was worth the risk.
Sometimes one can contribute to an unfortunate outcome without being the focus of “blame”.
different-church-lady
@Mnemosyne:
I believe calling someone shitty used to count as a pejorative. Not sure when that changed.
Rafer Janders
@Lee:
No, during the week I live in a large apartment building in the city where the doors lock automatically.
PJ
@Rafer Janders: Because there is no real security on the internet. The appropriate analogy to a burglary situation would not be “don’t keep your stuff in your house”, but rather, “don’t keep your door unlocked when you’re not at home and, if you live in the city on the first floor, put bars on your windows.” The bad guys are the burglars, but taking these simple precautions reduces the likelihood of burglary.
I wish we lived in a world where people would respect other people’s rights, but that ain’t the case. I lived a long time in DC, and whenever I locked my car, I had to make sure there was absolutely nothing visible in the interior – even a penny or a paper bag full of trash would be enough to entice a crackhead to break my window (which cost about $200 to replace, plus time off from work). Was it blaming the victim when I strongly advised visitors to also not leave anything visible in their cars? The fact was, there was no effective security on the streets and if you had a car, you had to expect this was going to happen.
Lee
@Rafer Janders:
So you leave your door to your apartment completely open when you leave?
chopper
@askew:
from a security standpoint, what’s actually worse than having this sort of information on your own phone or cloud account is letting someone else have it on/in theirs.
Roger Moore
@gvg:
This. IMO, the biggest difference between a liberal and a conservative is how we respond when we discover that the world is an awful place. A conservative says, “Good thing it’s nasty to other people; sucks to be them.”, while a liberal says, “We need to do something about this so the world sucks less.” It’s all well and good to recognize that online security sucks and people need to take steps to protect themselves, but we need to take the next step and improve the bad situation so that it sucks less. That means finding and prosecuting the attackers to the full extent of the law. It also means holding Apple accountable for their poor security practices and generally making companies liable when they do such a bad job of protecting their customers’ data.
different-church-lady
@Sir Laffs-a-Lot: Good for you, you’ve confirmed your biases. I suppose the fact that Steve Jobs did NOT in fact decide that I must have an iCloud account doesn’t really change things for you, does it?
FridayNext
I once had a co-worker who was mugged 3 times in one year. After listening sympathetically for a few minutes he said something like “but this ATM is so convenient.” At which point I asked him what he meant and it turned out he was mugged three times at the same ATM in the middle of the night. (midnight-ish) At which point I asked a couple of questions like, why not go to another ATM (one in a better neighborhood or better lit or more traffic) or why not plan ahead so you don’t need cash in the middle of the night? At which point I was denounced for blaming the victim. He claimed he should be as safe using that ATM whenever he felt like it as any other ATM at any other time. To which I replied “you’re right. You should. But you can’t.” Not and minimize your chances of being mugged and maximizing your chances of keeping your $100. (Oh yeah, that was another thing I asked. Why not just take out $20 to get you to the morning when you can visit a safer ATM in the light of day. Again, I was blaming the victim.)
The discussion spread to the rest of our office and we were split down the middle between people who thought asking someone to change their behavior to minimize being a victim was blaming said victim and those of us who thought that it was possible to assign all blame and fault to the perpetrator (which we all agreed was the case) WHILE AT THE SAME TIME behaving with all due diligence to minimize the chances of being a victim in either a crime or an accident.
We talked past each other for about an hour and as far as I am concerned people on either side of that divide are still talking past each other 20 years later. (You people certainly are.) It seems to me there should be a reasonable conversation to be had about exactly what behaviors we are willing to alter to maximize our safety from crime and injury, and which are such an imposition on our personhood and citizenship that even merely discussing it is an outrage. But I have yet to see three people in a room at once who were capable of having that conversation.
ETA: I have no opinion about the nude selfies. Given my “simple” (aka dumb) phone (and the fact that I am, and have always been fat and ugly) it’s just never something I have ever pondered.
different-church-lady
@Rafer Janders:
Well, la DEE freakin’ da for you!
Did I mention I was in a mood today?
Mnemosyne
@Keith G:
Ah, so when Trayvon Martin was called a “thug” and accused of attacking George Zimmerman with a sidewalk, he wasn’t being blamed, he just contributed to his own unfortunate outcome.
When Michael Brown refused to get onto the sidewalk after being ordered to do so, people didn’t blame him for his own death, they were just pointing out how he contributed to his own unfortunate outcome.
And if the driver is let off with no penalty, that will be acceptable to you, right? After all, she put her own safety in jeopardy, so why should he face any penalty for her mistakes?
Mnemosyne
@different-church-lady:
So one sentence about how shitty it is to steal people’s photos is equal to paragraphs about how stupid people were to take those photos in the first place?
Doc Sportello
@Robert Sneddon: My vault is stored in Dropbox, but you’d have to figure out the name of the user account. Plus the password. Then you’d have to hack into the 1Password vault itself.
It’s possible, but highly improbable. Brute-force hacking would take millions of years.
1Password and Dropbox then allow me to keep my vault on my phone, iPad and computers (as well as in the cloud). I’d have to lose all of them to lose access to my passwords. And I’m not dependent on either of 1Password or Dropbox staying in business.
There is no perfect security system when going on-line, and yes, there are trade-offs between convenience and security. But with very little work, you can build some strong defenses and still scoot around the web pretty freely.
different-church-lady
@Roger Moore:
And a consumer electronics executive says “We need to do something to make it suck easier and faster!”
Roger Moore
@different-church-lady:
One word of criticism for the perpetrators, many paragraphs for the victims, but you still have a hard time understanding why people think you’re blaming the victims.
different-church-lady
@Mnemosyne: Look, just give me a quota that will satisfy your ratio requirements and I’ll fill it up with verbiage.
Or you could move on with your life. I don’t care either way.
PJ
@cleek: There seems to be a large enough community of people who use the internet who think that anything hackable should be hacked and distributed – these are the “information just wants to be free, man” crowd, who gladly violate copyright and right of privacy.
different-church-lady
@Roger Moore: Hey, I got an idea: why don’t you go back and count the fucking words in MY posts and calculate out the ratios and then figure out the difference between me and people who are not me and then fuck off.
You don’t even have to do it in that order.
PJ
@askew: If someone leaves their bike unlocked on the street, and it gets stolen, is it blaming the victim to tell them, “Well, this probably wouldn’t have happened if you’d locked your bike.”?
Roger Moore
@different-church-lady:
They say, “How can we turn this into a profit center.”
Mandalay
@Marcelo:
I completely disagree – the context in which a message is delivered is inherently part of the message, where the context consists of the credibility of the author, and the forum used for delivering the message.
Now the author of the Esquire article may have impeccable credentials, but look at the image Esquire chose to use to open his article, and also the image used to open another of his articles which he links to. The scantily clad women are part of the message being delivered, even though I am sure that the author would much prefer that they weren’t there. So while the author’s article was good, it would have automatically been better – more credible – if it had appeared in (say) The Atlantic or the New Yorker.
And Rand Paul certainly had some worthwhile observations on Ferguson that were relayed in credible forums such as the NYT. But what about the credibility of the messenger? Was his primary concern for the treatment of minorities by the police, or the militarization of the police? Well, perhaps he cares about those things, but it seems more plausible that Paul’s real motivation for his message was the reduction of government (by demilitarizing the police). While Paul’s message was appealing we shouldn’t ignore his motivation for delivering that message.
Messages don’t exist in splendid isolation; context really matters.
different-church-lady
@PJ:
The problem, of course, is that we don’t have a physical world analogy for a bunch of digital marketeers saying, “You can have a virtual version of your house everywhere you go!” There’s a seduction going on.
PJ
@Mnemosyne: So what’s your plan to reduce the assholery on the internet? It seems like the internet, due to its built-in anonymity and ability to copy and distribute files to millions, encourages and amplifies behaviors that people would be ashamed to demonstrate in broad daylight.
stonetools
See, I can keep two things in my head:
1. I can blame the hackers.
2. I can think the victims should take extra care to secure their nude selfies.
@Mnemosyne:
Er, wrong. Saying the victims should be more careful is NOT blaming the victim - it’s pointing out a fact.
Well, OK. These hackers are scum. They’re perverts. They’re the lowest form of life known to man. Hanging is too good for them.
Now that we have called them names, guess what? They’re still going to do what they do, and people are going to still have to take precautions. You’re not going to scold them into stopping their aholery.
different-church-lady
Here’s another attempt: the place where the criminal circle and the naive circle overlap on the Venn diagram is where the real shit goes down.
Apparently telling people not to hang out in the latter circle is now politically incorrect.
Keith G
@Mnemosyne: I think that somewhere in your idea salad of decoy argumentation were four questions. I will address them.
1. Not sensible or relevant I think…I am still trying to unpack this.
2. I do not know what those “people” were getting at. Maybe you should ask them.
3. No.
4. If the driver violated laws governing the safe operation of a motor vehicle, and that violation killed someone, that is a very serious offense that should be prosecuted. Such a conviction will have zero chance of bringing that woman back to life.
I bet her family can both be mad at the driver and wish that the woman had chosen a safer route.
Doc Sportello
@Roger Moore: They’re exportable as csv or txt files.
Disclaimer: Not affiliated with the company. Just like its products.
stonetools
iPhone owner here. Photo backup is NOT turned on by default. You have to turn on iCloud backup and you have to turn on Photo Stream - Apple’s photo sharing solution. You can find their support page here. It’s quite clear about what happens when Photo Stream is enabled. (reading - it’s fundamental). It’s also clear about how to delete photos that you don’t want in iCloud.
Again, if you want to do nude selfies-great. But understand what you are doing.
PJ
@different-church-lady: Right. Most people don’t want to have to think about how their computers and phones work (I certainly don’t), they just want them to work. Where I grew up, it was safe to leave your car unlocked, and it was certainly safe to leave stuff in it overnight; after I moved to the city, it took a couple of auto break-ins and being laughed at by the police (“Why did you leave anything in your car?”) for me to change my behavior. For most people, the internet is only about 20 years old, and they are encouraged by the tech industry to use it without thinking. At the same time, other people see the internet as an opportunity to illegally take and distribute whatever they want with impunity. It will take some strong public outcry to change these behaviors.
Mnemosyne
@PJ:
This right here. And apparently we’re supposed to just accept the actions of those bad actors and do our best to protect ourselves without demanding that the companies who hold our information protect it better. Why aren’t we demanding that companies that hold our information keep it protected? How about making US credit card companies switch to those cool PIN-based credit cards they have in Europe to cut down on fraud? How about making Apple liable when hackers exploit holes in their security and steal people’s private information?
But, nope, we can’t talk about any of that because we have to spend all of our time lecturing the victims about how stupid they were to trust the internet and brag about how much smarter we are than them. We can only talk about personal prevention and never, ever talk about what the companies using our information should be required to do in order to protect that information.
Mnemosyne
@PJ:
And, of course, they left without taking a police report because you shouldn’t have been so stupid, right?
Lee
@PJ: That lesson is apparently lost on half of the commenters here.
Mnemosyne
@stonetools:
Hey, here’s a crazy thought — maybe the companies who hold all of our information can take precautions, too! Maybe they can be held liable if their security fails and their customers’ information is stolen! I know, it’s insane to think that maybe private corporations should have a responsibility towards their customers that includes not allowing their customers’ information to be stolen from them, but it just might help, and it would probably help a lot more than exhorting tens of millions of people to rely on themselves for protection against thieves.
PJ
@Mnemosyne: I think a serious legal effort needs to be made to get tech corporations to take security more seriously (including civil liability) and for law enforcement to address these problems criminally. But I also think there are inherent structural flaws in the internet (anonymity, copying of files) which encourage bad behavior by users, and trying to introduce notions of morality or ethics regarding hacking and illegal distribution only induces lulz.
different-church-lady
@Mnemosyne: In other words, you’re incapable of comprehending a world where both those things actually do happen.
stonetools
@PJ:
Public outcry-and some legislation making this illegal and imposing stiff penalties. Of course the dudebros will call this tyranny.
Rafer Janders
@PJ:
Yes.
That is, in fact, blaming the victim. Because the mere fact that a bike is left unlocked should not be an invitation to theft. Any more than, say, a woman wearing a nice necklace out in public is an invitation to rip it off her neck. And if you then told her “well, this probably wouldn’t have happened if you hadn’t worn such a nice necklace”, that would also be blaming the victim.
PJ
@Mnemosyne: I actually got a police report the first couple of times, until I realized I was never going to reach my deductible, and stopped bothering the police altogether (which, of course, is one reason why they didn’t take auto break-ins seriously, but there were much bigger crime issues they couldn’t handle either, and I saw no reason to fight with the sea, so I let it slide after that.)
Mnemosyne
@PJ:
As I said yesterday, the lulz for me were that the same Reddit dudebros who were outraged that the NSA might be hacking into their emails were all, Moar illegal boobie pictures, please! Apparently it’s good for people to hack into Jennifer Lawrence’s personal account, but bad and evil for people to hack into those Reddit dudebros’ accounts.
But you’re probably right that none of them will ever see the hypocrisy in their position. They’ll probably make the But it doesn’t matter if it happens to a celebrity! argument that we’ve seen in these very threads.
Eolirin
I think it bears repeating that this specific attack should not have been possible, and that Apple has a *lot* to answer for.
Brute Force attacks have been in use since before there was the web. You just do not build an access point to a cloud service that doesn’t lock itself down after just a handful of access attempts. That’s a kind of oversight that hasn’t been excusable since the 90s.
So yeah, any cloud stored information is at risk to an extent (though really so is everything – stolen computers and phones are a big source of leaks too), but this is the equivalent of putting a deposit into a bank and the bank leaving the vault doors open and the cameras off, and having one security guard at the front of the building with the back doors wide open; I doubt anyone making an anti cloud argument would be saying the same thing if the leaks were the result of photos in a safety deposit box being stolen, or wouldn’t be blaming the bank for having utterly stupid security protocols in the above example.
That a hack of this nature occurred signals either gross incompetence or serious negligence on the part of Apple.
different-church-lady
@Rafer Janders: Maybe we should all let our kids play in busy streets too. Because what ought to be will keep us safe from what is.
Mnemosyne
@different-church-lady:
Show me when the successful lawsuit happens against Apple for allowing this breach of privacy. I think it’s going to be a long wait.
Heck, show me a past lawsuit where users successfully sued a company for not properly protecting their information. Right now, as far as the law is concerned, Apple can tell all of its users to go pound sand if there’s a security breach. They won’t do that because it’s bad publicity, but they won’t face any legal penalties for this.
different-church-lady
@PJ:
The biggest structural flaw that encourages bad behavior is not in the technology — it’s in the marketing.
stonetools
@Mnemosyne:
You do understand that Apple made it easy NOT to post any photos to iCloud that you didn’t want posted there, right? You had to take affirmative steps to have your photos posted to iCloud. What’s more, even if you had it set up so the photos were posted, you could have deleted any photos you didn’t want in iCloud.
Moreover, you could also have set a long, complex password that was not one of the commonly used passwords that every hacker knows. If you are posting nude selfies to your iCloud account, then maybe you might want to be careful about securing that account, and not just trusting that things will work out and that everybody will be gentlemen.
It’s not about blaming the victim: it’s about ascribing agency to adults.
chopper
@Mnemosyne:
that’s what happened when my wife left the car unlocked in NYC and my shit got stoled.
chopper
@Rafer Janders:
it is not, and it should never be. yet it happens. and if your kid came home telling you they left their bike out unlocked on a busy sidewalk downtown and it was stolen, i guarantee you at some point you’d bring up the fact that they probably should have locked it.
Steppan
@stonetools:
At least one of the sets of photos had been user-deleted already
different-church-lady
@Mnemosyne: Apple took precautions. They fucked up and their precautions failed.
Part of Apple’s product line is seduction. “Use our servers to magically make all your trivia instantly available on all these Apple devices at once.” It’s a devil’s bargain, with usually relatively low consequences for losing. I’m sure there’s paragraphs of legal jargon that insulate them from their own fuck ups.
From a moral standpoint I’d like to see them stop doing the seduction. If a court case can be made for negligence I’d be all for it. But it’s not going to solve the larger problem of people falling for the next seduction. There will never be an entirely safe way of releasing sensitive data into the larger world. There will always be better mice following the better mousetraps.
In my view iCloud and Bitcoin are part of the same category, in different degrees. You have to be an idiot to “trust” either one with stuff that really counts.
Doc Sportello
@Eolirin: Apple says “none of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”
They’re blaming “a very targeted attack on user names, passwords and security questions.”
Still unclear as to what steps, if any, were used to deter a brute force attack.
Security questions are a pet peeve for me, as many of them can be answered via Facebook or some good internet sleuthing. Consider providing fake, gibberish answers, and storing them someplace secure (like a good password manager). Again, not perfect, but pretty strong.
stonetools
@Steppan:
Then Apple or whoever would be on the hook if that were true.
Eolirin
@stonetools: If you’re going to tell people that they should use strong passwords, which is sound advice as a general thing, you also have to tell Apple that they shouldn’t have blindingly obvious security faults in their systems and that they should be adopting processes to avoid having blindingly obvious security faults in their systems.
Apple has a responsibility to maintain the security of their systems, just like an individual has a responsibility to good security practices.
Heliopause
No, the issue is that we’ve trained an entire generation to think nothing of storing absolutely anything, whether it be nude photos, bank statements, drunken reveries, idiotic poetry you wrote in high school, or whatever, on someone else’s server. This is primarily an issue of propaganda.
chopper
@stonetools:
OTOH, someone upthread pointed out that in at least one case it was a boyfriend/whatever whose account was hacked. could be that he was told to delete the stuff by the subject of the pics and didn’t and is now all ‘oh yeah, i totes deleted them! apple must have fucked up!’.
or apple could be doing a shitty job deleting things from the cloud. just coming up with another theory.
Omnes Omnibus (the first of his name)
Irrespective of the quality of the decision making process that led to the pictures being taken or stored on the cloud, those images were the personal property of those who owned them. They had a right to share or not share them as they chose. A right to delete them and expect that they were deleted. The images were theirs. The images were then stolen. Speculation about and advice to these (mostly) young women about how different actions might have had different results doesn’t really matter because they behaved at worst foolishly. The people who stole the images behaved criminally. There is a big difference.
@Dick Dastardly: What a nice comment. You seem like a lovely person.
Suzanne
Even talking about security, which is important, misses the point: this is a failure of patriarchy even more than a fuck-up by Apple.
I am of the opinion that men have the responsibility to correct sexism, just as white people have to sacrifice to correct racism.
So, dudes, what have you done to make the world better for women today? Hint: “advising” me what to do with my phone and/or my data is not making the world better for women.
stonetools
@different-church-lady:
I’d like Apple to be held to account if they did wrong too. But what do you want? Should Apple put in big red letters:
DO NOT POST NUDE SELFIES TO YOUR ICLOUD ACCOUNT BECAUSE THEY COULD GET HACKED?
It seems that for some people nothing else would be sufficient.
stonetools
@Eolirin:
And I hope JLaw and others sue Apple’s $$es off if this were true. We’ll see if this is the case. I suspect operator error here, though. But we’ll see.
Roger Moore
@Mnemosyne:
They won’t say it so crudely, but that will be the message. It will be made quietly by their lawyers and written in the form of their contract limiting liability and requiring all disputes to be settled by arbitration, but pounding sand will absolutely be the underlying message.
Keith G
@stonetools:
Ah…These, among many others, are the words of stooges of the patriarchy
Repent!!!
/sarcasm (just in case….)
Lee
@Rafer Janders: So you do leave your door wide open when you leave your apartment.
different-church-lady
@stonetools: I’d like to answer that question seriously, but I’m not sure it’s possible without going down the rabbit hole. It’s linked to too many other issues: is corporate morality possible? Where does the home end and public begin? Who owns data on the internet? Etc. etc.
IMO, it would be nice if there was enough cynicism in the world where people just rejected “The Cloud” as a good idea. But too many people are fascinated by their gadgets and discretion has become something only old fogies value, so I don’t see the problem ending any time soon.
chopper
@stonetools:
a lot of places have been enforcing stronger password security, which is great. so you can’t choose some bullshit easy-to-break password but are required to throw in some extra crap.
tho the whole ‘get your password via these security questions’ like what town were you born in? and what was your first pet’s name? is fucking laughable. isn’t that how that dude hacked sarah palin’s email way back when?
Randy Khan
@kc: You do have to affirmatively decide to use iCloud when you set up your iPhone. It’s a yes/no question.
Apple has released a statement: Apple says
It’s pretty clear that Apple doesn’t think it was a problem with iCloud’s basic design or that access was achieved through the reported “Find my iPhone” vulnerability. Reading between the lines, it sounds like the targeted celebs probably had lousy passwords (which is hardly a celebrity-specific problem).
There’s a fair argument that Apple should protect people from themselves by forcing them to use more secure passwords (and, honestly, mine isn’t so hot), although there are limits even to that. Either way, even if it was bad passwords, the fault still lies with the person who cracked them, not with the targets.
different-church-lady
@chopper:
I had one where I ran out of options that applied to me. I got two, and then the rest of the questions were things like, “What is your sister’s name?” I don’t have a sister. I finally picked a question at random and answered it, “These are idiotic questions”
Roger Moore
@stonetools:
Substantial monetary damages would be a good start.
different-church-lady
@Roger Moore: BANKSTERS!
Randy Khan
@chopper: I have to admit that I wonder who picks the security questions. My favorite hack on that (in the old, positive sense) is the people who give extremely wrong answers: “Where were you born?” “Rover” “What was the name of your first pet?” “Pi R squared”.
Roger Moore
@stonetools:
We know there are substantial flaws in Apple’s security, or at least there were. There was a recent presentation at which somebody showed that Apple allowed attackers to guess passwords an unlimited number of times without taking any steps to lock the account or, apparently, set up any flags that would make Apple security take a look at what was happening to the account. They claim to have fixed the flaw since it was published, but there was enough time for somebody to try this hack in the meantime.
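Added example (not part of any comment in this thread and not Apple's code): the control that Eolirin's and Roger Moore's comments describe as missing, a limit on password guesses per account that locks after a handful of failures and raises a flag for review. The thresholds, endpoint names and account name are assumptions made up for the illustration, and the guess stream is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# All thresholds are assumed values chosen for the illustration.
MAX_FAILURES = 5            # "a handful" of wrong guesses
WINDOW_SECONDS = 900        # older failures are forgotten
BASE_LOCK_SECONDS = 60      # first lockout; doubles on every repeat
REVIEW_AFTER_LOCKOUTS = 3   # repeated lockouts raise a flag for security staff


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)   # timestamps of recent failures
    endpoints_seen: set = field(default_factory=set)
    locked_until: float = 0.0
    lockouts: int = 0
    flagged: bool = False


class LoginThrottle:
    """Failure counter keyed by account and shared by every endpoint
    that accepts a password, so no single interface is left unthrottled."""

    def __init__(self):
        self.accounts = defaultdict(AccountState)

    def record(self, account, endpoint, password_ok, now):
        """Return 'rejected' (refused without checking the password),
        'failed' (checked and wrong) or 'ok' (checked and right).
        A real service would consult the lock before verifying anything."""
        st = self.accounts[account]
        st.endpoints_seen.add(endpoint)
        if now < st.locked_until:
            return "rejected"            # even the right password has to wait
        if password_ok:
            st.failures.clear()
            return "ok"
        # Forget failures that fell out of the sliding window.
        while st.failures and now - st.failures[0] > WINDOW_SECONDS:
            st.failures.popleft()
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.lockouts += 1
            # Exponential backoff: 60 s, 120 s, 240 s, ...
            st.locked_until = now + BASE_LOCK_SECONDS * 2 ** (st.lockouts - 1)
            st.failures.clear()
            st.flagged = st.flagged or st.lockouts >= REVIEW_AFTER_LOCKOUTS
        return "failed"


def simulate(n_guesses, interval=1.0, account="user@example.invalid"):
    """Constructed input: one wrong guess every `interval` seconds,
    alternating between two hypothetical endpoints."""
    throttle = LoginThrottle()
    endpoints = ("web_login", "device_api")
    evaluated = 0
    for i in range(n_guesses):
        result = throttle.record(account, endpoints[i % 2], False, i * interval)
        if result == "failed":
            evaluated += 1
    return evaluated, throttle.accounts[account].flagged


if __name__ == "__main__":
    checked, flagged = simulate(1000)
    print(f"guesses actually checked: {checked} of 1000, flagged: {flagged}")
```

Temporary lockouts with backoff are used here rather than a permanent lock, because a permanent lock lets anyone who knows the account name keep its owner out.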
PJ
@Suzanne: That advice about what to do (or not to do) with your personal files is applicable to anyone who uses the internet, whether you are a man, a woman, or a dog. If someone is made aware about the lack of security for their personal files, how is that unhelpful?
As to making the world a better place for women, it seems to me that is the responsibility of everyone (I would also note that probably half of the people who were responsible for raising the hackers at issue were women). The tech industry is overwhelmingly male, and the hacker/reddit/anonymous crowd also seems to be overwhelmingly male, with a general lack of respect for anyone who isn’t part of their group (e.g., women). They celebrate their insularity and lack of empathy. How do you think we can reach these people and get them to change their attitudes and behavior (outside of law enforcement)?
John Cole
@Roger Moore:
Halle Berry received a 500k bonus for going topless in Swordfish. How much money would Jennifer Lawrence or one of the others have made had they negotiated for their first nude on film? Damages doesn’t seem like that crazy of an idea.
Suzanne
@PJ: Because the overarching problem is disrespect for women. Talking about the insecurity of data is rearranging the deck chairs on the Titanic.
The first thing to do, in this case, is to bring the wrath of God on the guilty parties. It’s a serious crime and should be treated as such. And men who are in a position to have any sort of influence over other men or boys need to step up and let them know that women, as people, do not exist for their sexual gratification. This needs to start from the minute you’re first slapped on the back, because patriarchy sure does.
Once again, this is a social system that exists for the benefit of men, and women just get branded as bossy bitches when they try to deal with it, so men should do it.
Suzanne
@PJ: Not to mention, I think that if society shuns the perpetrators as disgusting, criminal freaks, we could start to send the message that this is disgusting, criminal, freakish behavior.
But I expect plenty of backslaps, cheers, and above all, DISTRACTIONS—making this once again about what WOMEN have to do within patriarchy.
Keith G
On one of the related issues:
I have some hardware (for now) that makes dealing with iTunes necessary. I know that Apple is supposed to be the shit for hardware, but iTunes has been a bane to my existence for nine years. They seriously cannot develop useful software that is intuitively useful and non-glitchy…well…less glitchy.
Every time Apple comes out with a new version of iTunes, I hold my breath as I poke around to see what damage has been done. Usually it takes several patches and/or workarounds to iron out the wrinkles.
On a continuum of trustworthy locations to store important data, I would put Apple farther away from the good side than some other well known names. I just don’t think that they have given as much thought or care to this as have others.
gwangung
@different-church-lady:
Somebody suggested using a deliberately wrong answer that you can remember (or keep on a password program like 1Password).
stonetools
@Roger Moore:
Sez Apple:
So the security flaws you referenced were not the cause of the privacy violation. Seems weak passwords and security questions were the problem. Maybe we should introduce JLaw and others to “correct horse battery staple”, etc. Or maybe speak of other options for conveying such pictures: CDs, flash drives, and the US Post Office.
PJ
@Suzanne: I think talking about insecurity of data is more like deciding whether to buy a ticket on a ship which, despite the advertisement, is highly vulnerable to icebergs (and there are a lot of icebergs out there) or to just stay at home. The internet is insecure, but people treat it as if all their information were protected.
@Suzanne: No one is saying “this is what women have to do” – it’s what everyone has to do, or should at least think about. All kinds of personal information gets hacked, but in this instance it’s personal photos.
The issue of disrespect to women is a distinct and much more pervasive problem. Part of the problem with shunning the perpetrators of hacking violations like this is that they are anonymous (+1 for the internet) and also that they get off on being considered “disgusting, criminal freaks.” Shaming or scolding just isn’t going to work unless it is in public, but anonymity makes that impossible.
stonetools
@Suzanne:
Everyone agrees that these hackers are scum. You seem to believe that if only we condemn these guys enough, they’ll turn into gentlemen. I’m afraid you are wrong about that. They’re going to keep doing what they’re doing.
What we have to do is:
1. catch and punish them (hard to do).
2. protect ourselves from them (easier, but still hard).
Suzanne
@PJ: @stonetools: If these guys were really, REALLY treated like scum, and they lost their friends and their jobs and their girlfriends, I don’t know that these chumps would be different. But other guys would. This is the problem: you’re looking at this as an isolated thing. It is not. It is one example of what women go through in this society each and every day.
This behavior happens because there is incentive. Financial, or social. Those incentives exist because of patriarchy, because of lack of respect for the humanity of women.
Shaming and scolding SHOULD be public, when someone says or does something that causes harm to an equitable society.
Dudes mansplaining about what women should do with their data, when what they should be doing is TELLING EVERY DUDE THEY KNOW THAT THEY ARE ASSHOLES IF THEY LOOK AT THESE IMAGES.
Roger Moore
@John Cole +0:
I was thinking more about the emotional distress, bad publicity, etc. that the victims had suffered than economic consequences. That way is also more helpful to Jane Doe, who has no chance of landing a Hollywood role, topless or not, when her account is hacked.
Doc Sportello
“Christopher Chaney, a “Hollywood hacker” who infiltrated email accounts and leaked nude photos of celebrities and other women, has been sentenced to 10 years in prison, the AP reports. Chaney was caught three years after he began efforts to illegally gain access to private accounts and photos, and broke into accounts belonging to Hollywood notables including Christina Aguilera, Mila Kunis, and Scarlett Johansson — prosecutors said that he accessed more than 50 email accounts between November 2010 and October 2011. Prosecutors recommended a nearly six-year sentence for Chaney plus $150,000 in damages, but the court landed on a harsher penalty, opting to lock him away for a decade.”
Verge
Bob Munck
@cleek:
Donut shops have more cops.
Roger Moore
@stonetools:
They absolutely were. The security flaw was that Apple let people guess passwords an unlimited number of times without locking the account. That’s what the part about “very targeted attack on user names, passwords and security questions” means. And that is absolutely terrible security practice on Apple’s part.
Anyone who cares about security has known for decades that you should limit the number of times somebody is allowed to try entering their password precisely because giving them unlimited chances lets attackers brute force guess weak passwords. Limiting the number of guesses, either by straight locking the account or by imposing a wait after a number of failed attempts, is absolutely standard practice. Smart security people who use the imposed wait approach will also send a warning to human sysadmins after some number of incorrect guesses. That kind of thing could have prevented the attack.
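The wait-then-alert scheme described in the comment above, sketched as an added example (not part of the original thread and not Apple's code): a per-account throttle that doubles the imposed wait after each further failure and notifies operators once. The thresholds, class and function names, and the `user@example.com` account are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed guesses
    locked_until: float = 0.0  # earliest time the next attempt is evaluated
    alerted: bool = False      # operators already notified for this streak


@dataclass
class LoginThrottle:
    free_attempts: int = 5      # the failure that triggers the first wait
    base_delay: float = 30.0    # seconds; doubles with each further failure
    max_delay: float = 3600.0   # cap on the imposed wait
    alert_after: int = 10       # failure count that notifies operators
    clock: Callable[[], float] = time.monotonic
    accounts: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def attempt(self, account, password_ok):
        """Return 'ok', 'denied' or 'throttled' for one login attempt."""
        now = self.clock()
        st = self.accounts.setdefault(account, AccountState())
        if now < st.locked_until:
            # Refused without evaluating the password, even a correct one.
            return "throttled"
        if password_ok:
            self.accounts[account] = AccountState()  # success resets the streak
            return "ok"
        st.failures += 1
        over = st.failures - self.free_attempts
        if over >= 0:
            wait = min(self.base_delay * 2 ** over, self.max_delay)
            st.locked_until = now + wait
        if st.failures >= self.alert_after and not st.alerted:
            st.alerted = True
            self.alerts.append((account, st.failures, now))
        return "denied"


def guesses_evaluated(window_seconds, throttle_kwargs=None):
    """Count wrong guesses the throttle evaluates within a time window for a
    client that retries the moment each wait expires (simulated clock)."""
    t = [0.0]
    throttle = LoginThrottle(clock=lambda: t[0], **(throttle_kwargs or {}))
    account = "user@example.com"  # constructed sample account
    evaluated = 0
    while t[0] < window_seconds:
        if throttle.attempt(account, False) == "denied":
            evaluated += 1
        # At most one request per second, and never before the wait expires.
        t[0] = max(t[0] + 1.0, throttle.accounts[account].locked_until)
    return evaluated, throttle.alerts


if __name__ == "__main__":
    day = 24 * 3600
    print("throttled:", guesses_evaluated(day))
    print("unthrottled:", guesses_evaluated(
        day, {"free_attempts": 10**9, "alert_after": 10**9})[0])
```

With these assumed settings the simulated client gets 34 guesses evaluated in a day, against 86,400 at one request per second with no limit, and the operator alert fires on the tenth failure.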
stonetools
@Roger Moore:
Apple specifically said that the Find My iPhone security flaw was not the one exploited in this case. And that was the one that allowed the unlimited guesses.
Doc Sportello
Assuming the Find My iPhone exploit wasn’t used, I’m very curious as to how this happened.
If the password were reset using security questions, then the user would have known about it immediately if two-factor authentication were used. If it weren’t, the user would be locked out the next time she used her device. (This is, in part, how Mat Honan learned about his hacking.)
If the passwords were just awful, they could have been guessed and then not changed, allowing continued access to the account. I believe that, after three or five attempts, Apple would have asked the hacker if he had forgotten the password and wanted to reset it. Then there would need to be some time lag before the next attempt (or else the user would be locked out). Assuming five wrong guesses per day, it would have taken a little over three months to try the 500 most used passwords. Doable, but time consuming.
Rafer Janders
It appears to be that iOS devices are automatically opted-in to Apple’s Camera Roll feature, which uploads all photos to Apple’s iCloud backup service. As a result, many users are likely using this service without realizing it and, as a result, do not understand the associated security and privacy risks.
https://www.aclu.org/blog/technology-and-liberty/lessons-celebrity-icloud-photo-breach
Suzanne
I can’t help but think about the Michael Brown case w/r/t this. Often when we hear about a famous case of police brutality, we read these heartbreaking essays by black parents about how they tell their sons how to behave around the police. And they rightly point out how this is fucked up, but they want to protect their kids anyway, so they advise them to be almost ludicrously deferential.
But it is almost always underscored by the fact that this is a shitty state of affairs, and that sometimes, there is no way to live your life the way you want to without being fucked with, deference or no. And I would hope that AT LEAST AMONG LIBERALS AND PEOPLE THAT READ THIS BLOG, they shouldn’t have to, and 200 comments about how their deference wasn’t exactly the right flavor would be condemned as supporting a racist social structure rather than fostering a society in which they have genuine equality.
Instead, we have tech dudes dissecting ad infinitum which specific “mistakes” women made, rather than discussing how to dismantle a patriarchal social structure that literally makes me afraid every time I go outside.
Thanks, y’all.
Mnemosyne
@different-church-lady:
And now Apple should be held legally liable for that fuckup, just the same as they would be held legally liable if someone slipped and fell in their store. But that’s never going to happen, because people would rather scold internet users than hold the companies that provide internet services to account.
MomSense
@Suzanne:
Thank you!
stonetools
@Rafer Janders:
Frankly, I’m not sure about that. The default is that the phone does NOT back up to iCloud. You have to enable iCloud backup.
I’m going with what Apple says for now, which is that the violation was not done through an iCloud security flaw, but by exploiting weak passwords and security questions.
One issue here is why would Apple allow for the possibility of weak passwords? It should design the system so as not to accept weak passwords.
That said, I do online banking and my password is as strong as an 8-digit code can be, and my Visa account has still been hacked.
stonetools
@Mnemosyne:
oh, I think JLaw and friends can hire the legal talent to hold Apple accountable. That’s what matters, not who scolds who on the Internet.
Doc Sportello
@Mnemosyne:
Legally, this is probably a non-starter. I would suspect the user agreement (which no one reads) presents the risk of a breach and has the user acknowledge it. I don’t know for sure, as I gave up reading user agreements a long time ago, and simply assumed I’m screwed.
As others have noted, nothing is truly secured when you’re online. Ed Snowden and others employ an air gap. They have one computer which is never connected to the internet — no updates, nothing — and they do all their work on that. They then transfer their work to a computer which is online and transfer their work from there. Their original computer remains immune — kind of a boy in the plastic bubble set-up.
The transfer was usually done by a USB thumb drive, but there have been reports of firmware malware which cannot be removed by reformatting the disk. So I assume they’re using a non-USB alternative.
If you’re connected to the internet, you’re at risk. Systems can have robust security, but there are always ways to circumvent them. (See Mat Honan’s article on how he, a writer for Wired, got hacked.)
I don’t rely on Apple for security. I like their products and recommend them to friends. But I also explain to my friends where the (known) security weaknesses lie, and how to cope with them.
Internet security is not a Ford Pinto, where a $10 shield would prevent the gas tank from exploding. It’s enormously complex, and (generally) the vendors take care of the weaknesses they see. Some are better at identifying those weaknesses than others. But even if a vendor’s software were security-perfect, it would incorporate or involve other software, such as OpenSSL, which was vulnerable to the Heartbleed attack.
As online activity will always be vulnerable — and more so, as we increasingly rely on wifi in lieu of Ethernet cable — we are behooved to protect ourselves. The good news is that you can do so — not perfectly — but cheaply, quickly and with a low level of inconvenience.
We all have things we’d like to consider to be private. There are steps we can take to help keep them that way. Curse the darkness, etc.
different-church-lady
@Mnemosyne: All those words against the cloud company, and no condemnation of the thieves?
See, two can play that game.
PJ
@different-church-lady: C’mon, someone has to scold the internet commenters for not scolding the cloud companies and the hackers in the proper word ratio. Anyone who suggests precautions against the ills of this world is just supporting the patriarchy.
chopper
@PJ:
I must admit I sometimes discuss issues in the wrong order, according to some. I’m working on it.
Doc Sportello
Daring Fireball points to this piece by Nik Cubrilovic, who did the most extensive research I’ve seen on how the photos were stolen.
Sample:
Hackers “use the target data [obtained from Facebook, etc.] to retrieve passwords or authentication keys. There are numerous methods here and most have tutorials available online. The most common are RATs, phishing, password recovery and password reset. RATs are simply remote access tools that the user is either tricked into installing via private messages or in an email (link or an attachment) or that someone close to the target will install on their phone or computer with physical access. Phishing is sending the target an email with a password reminder or reset that tricks the user into entering their password into a site or form the attacker controls. Password reminder is gaining access to the user’s email account (again using secret questions or another technique) and then having a reminder link sent to access the cloud storage. Password reset is answering the date of birth and security question challenges (often easy to break using publicly available data – birthdays and favorite sports teams, etc. are often not secrets).”
And:
“There is no software that users will ever be able to install or upgrade that will make them completely secure. The responsibility is on both vendors and users. Users need to be aware of good password practices (unique passwords, long, passphrases) as well as the basics of anonymity and security (more on this in another post – attempting to tl;dr security tips in a few, small and simple to understand points)”
Mnemosyne
@different-church-lady:
If you really, really want me to, I’ll be more than happy to re-hash everything I said yesterday about the thieves and the misogynistic society that provides cover for them. It’s probably about 5,000 words — do you have time for all of the links?
Mnemosyne
@Doc Sportello:
You realize that this kind of learned helplessness is part of the problem, right? Why are we not allowed to demand that the companies who take our money protect our private information and pay a cash penalty when they fail? Why were people not allowed to sue Target when Target’s security breach affected millions of their customers?
We can change things. But corporations don’t want to have to change, and people are willing to let them slide because they think it won’t happen to them … until it does.
different-church-lady
@Mnemosyne: No need, I’m sure you’ll say it all again eventually.
Mnemosyne
@different-church-lady:
I wouldn’t bet against it.
Doc Sportello
My learned helplessness takes the form of assuming responsibility for my own online security.
Apple — and Google, and Facebook — offer internet services for free. No one pays for them, and no one is obliged to use them. (And part of the way I manage my online security is by not using Facebook, and by using Google sparingly. BTW — check out DuckDuckGo as a search engine. Very good, and no tracking.)
Others may well decide to forego Apple and use other services. No problem there at all — we all manage risk in our own ways.
My point, though, is that you can’t rely on a provider for security. I think it’s Bruce Schneier who said security is not a product, it’s a process. I think few people are aware of this. Our devices allow us an incredible view onto the entire world (and more), but it also allows the entire world into our devices, where our most sensitive and important information resides.
Apple actually does a decent job at suggesting what constitutes a good password:
“Your password must have a minimum of 8 characters, not contain more than 3 consecutive identical characters, and include a number, an uppercase letter, and a lowercase letter. It also cannot be identical to the account ID, a common password or one used within the year.
You can also add extra characters and punctuation marks to make your password even stronger. Using a strong password is the most important thing you can do to help keep your account secure.”
I’d like to see the length requirement kicked up (mine is 26), but otherwise the advice is solid. And I know Apple doesn’t want to require longer passwords, as people will complain that it’s inconvenient. There’s always a trade off between security and convenience, and if it becomes too inconvenient, then people will sidestep security completely. Supposedly more than half of all cell phone users don’t even use a four-digit passcode to unlock.
I encourage you to check out the Nik Cubrilovic piece. Those of us who aren’t celebrities are unlikely to be victims of these kinds of coordinated attacks, but this shows what a bunch of very clever people can do to you if you’re online. And we’re all online.
hilts
Louis C.K. nails it once again with these comments about cloud computing
http://www.huffingtonpost.com/2014/09/02/louis-ck-cloud-technology_n_5752370.html
Omnes Omnibus (the first of his name)
@Doc Sportello: I think that part of the problem in this thread is that two basic conversations are happening; one about the invasion of privacy and the theft and how it related to sexism and a variety of other problems and another about security and convenience. Where these subthreads cross, it creates opportunities for misunderstanding.
Doc Sportello
@Omnes Omnibus (the first of his name): Agreed. I only spoke to the part where I felt I had something new/helpful to offer.
different-church-lady
@hilts: Of course he did. Louis CK is right about everything.
kc
@different-church-lady:
For example, Anthony Cumia.
Oh, wait.
Paul in KY
@Rafer Janders: I look at it as counseling the victim on what to do to avoid repeat victimization (which I assume they want to do).
MBunge
This isn’t about privacy. This is about being able to recognize reality.
Mike
MBunge
@Mnemosyne: Why are we not allowed to demand that the companies who take our money protect our private information and pay a cash penalty when they fail? Why were people not allowed to sue Target when Target’s security breach affected millions of their customers?
Are you willing to pay a lot more and have it become a lot more difficult to purchase things with credit?
That’s the trade off.
Mike
Doc Sportello
More from Wired:
“If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool [EPPB], the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.”
Dan
A few points, not all of which go in the same direction:
1. There is a difference between this case and the typical rape victim blaming situation: In most rape cases, the perpetrator claims consent and argues that because of that consent there was no crime. Same thing in the Michael Brown/Trayvon Martin cases. Smearing the victim as a “thug” (or “slut” in the rape context) is supposed to show that the perpetrator is blameless and that the victim is actually the bad guy.
That’s pretty different from a property crime situation. Nobody seems to argue that stealing an unlocked bicycle is not a crime or that leaving your bicycle unlocked makes you a bad person. There may be tut-tutting, and police may not pursue the matter very hard, but that’s different from saying that no crime occurred.
So discussions of victim behavior may be wrong in this context, but if they are wrong they are wrong in a pretty different and less pernicious way than in the rape context.
2. In spite of 1, if you were a victim of this crime it would be pretty obnoxious to see your victimization discussed exclusively as an object lesson for others. This suggests that there is some room for what you might call politeness, or simple human decency, in how and where one discusses supposed mistakes by the victim.
3. Victim blaming is a real and very ugly phenomenon, particularly in the rape/shooting cases mentioned in 1 above. But there is a different phenomenon that also goes on in these kinds of cases that is a lot less evil and deserves to be distinguished. When a person reads a story they tend to identify with one of the participants. That participant becomes “them” in the story – the subject – and other participants become more like objects. When reading a story in this way, which everyone naturally does I would argue, people tend to focus on the agency of the subject, not the object. They focus on what they would have done if they were in the subject’s shoes.
To see an example of this read any discussion of a sporting event on a site focused on one team and then read a discussion of the same event on the opposing team’s site. Nearly always, Team A’s site will focus on how Team A’s players won the game or blew it, and Team B’s site will focus on the reverse. I.e., Team A (“Pitching wins it”), Team B (“Our offense fails to produce”).
In crime stories, this same phenomenon can lead to focusing on the victim’s behavior without necessarily believing that the perpetrator should not be punished – if you identify with the victim and see yourself in his/her shoes, you are going to think about what choices the victim could have made differently. The perpetrator, on the other hand, is objectified and his/her choices are not considered in the same way. This is wrongheaded thinking because obviously both victim and perpetrator are human beings capable of making choices, and there is nothing wrong with pointing that out. But it is pretty different from the victim-blaming behavior in rape cases, where people are pretty obviously imagining themselves in the shoes of the perpetrator.
In short, it is reasonable to discuss how, where and to what extent victim’s behavior should be discussed in certain contexts, but collapsing all discussions of victim’s behavior with the very specific sort of victim blaming that happens in rape and certain shooting cases is not right.
No One of Consequence
“When you make something digital, it is, *by definition*, no longer secure nor is it reliably secure-able.” – NOoC
“Locks only keep honest people out.” – NOoC’s father
– NOoC