
Notes on the Celebrity Data Theft - nikcub
https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/
======
rayiner
I wrote this in the other thread on the leak before it died:

> Even if the leaks result from one at a time social engineering, it still
> really calls into question the practical security of the cloud. I doubt it's
> much harder to steal, e.g. confidential business documents from executives'
> cloud accounts than it is to steal pictures from celebrities' cloud
> accounts.

> If I were a big organization with confidential information, I'd really be
> thinking hard about my cloud policies and my BYOD policies right now. The
> policy at my previous employer (we handled a lot of extremely sensitive
> information), was pretty draconian: data never leaves a company desktop,
> laptop, or blackberry.

The fact that the users may be the biggest security leak is more alarming than
it is relieving. Software bugs can be fixed. Getting users to follow proper
security practices is much harder. And frankly, it doesn't help that the
industry is actively user hostile. I gmail my passwords to myself because
every site has different password rules and forces me to change my passwords
too often.

~~~
harryh
Dude. 1Password. Switching to using it for everything was one of the single
smartest things I did this year.

I agree with you about the wider industry problem, but for your own personal
use just start using a password manager. Just do it.

~~~
vhost-
1Password and LastPass are pretty awesome. Some people don't want to use a
3rd party and for those, I suggest KeePass databases at the very least.

I have all my two-factor reset keys in KeePassX at home and all normal
passwords in LastPass.

I actually lost a two-factor code for Linode when I lost my phone with the
Google Authenticator app on it and having those reset codes in KeePassX was a
life saver.

~~~
kyrra
I've seen this argument come up before and I don't understand it. Why do you
trust KeePass more than 1Password? In both cases you are sharing the data file
however you'd like (Dropbox, thumbdrive, etc...). The primary difference is if
you have access to the source code or not.

If KeePass purposefully injected a vulnerability, it would just be that
dev/project that would fail. If 1Password were to do the same, that company
and all the people that work for it would go down. I'd personally see this as
more of a reason to trust 1Password over KeePass.

The primary argument is that the code is open and you can audit it, but in
reality that doesn't really happen unless there is a real drive to do it (like
we saw recently with TrueCrypt).

I trust/distrust both about the same amount. But 1Password has more resources
behind it so they are doing more to try and secure the data within the
encrypted store.

~~~
r00fus
Well, KeePass is free as in beer too, so from a licensing perspective that's
a factor (mainly for adoption), though 1Password is a totally affordable and
solid investment for 99%+ of folks on this board.

Free allows much more organic adoption - I can recommend a friend to use
KeePass without worrying a bit that he doesn't think 1Password is a good
investment. I can mandate it for my team at work without having to get it
expensed.

~~~
eridius
Free as in beer is a reason to be more distrustful of the software. Sure it's
more convenient, but this seems to be an area where it's really worth
investing money in getting the more reliable solution.

~~~
pyre
Are you by chance a purchasing manager for a large corporation? Do you feel
that signing a $100K-$1M Oracle contract is worth it because "if MySQL or
PostgreSQL were worth something, then they would charge you for it?"

~~~
eridius
Thanks for the straw man and entirely manufactured quote. We're talking about
paying $50 for software that manages your passwords for everything, not paying
hundreds of thousands to millions of dollars.

~~~
pyre
> Free as in beer is a reason to be more distrustful of the software.

> this seems to be an area where it's really worth investing money in getting
> the more reliable solution.

You're stating that "Free as in Beer" == "Less Reliable" and the fact that
something costs money _implies with 100% accuracy_ that it is reliable.
Neither of these are true. Arguing that I'm bringing up a strawman because I
said "Free vs. Millions of Dollars" instead of "Free vs. $50" is beside the
point.

~~~
eridius
I am not saying either. I'm saying "Free as in beer" is not a reason to trust
software in _this particular field_, i.e. the field of security software
where one error can undermine the whole point of the software and expose your
secret data to the world.

And I never even came close to saying that "something costs money implies with
100% accuracy that it is reliable". You are once again making up words to put
in my mouth.

The fact is, a lot of people still believe the "open source == more eyeballs"
myth, even though that _is_ a myth. Open source does not equate to
reliability. And when it comes to software that requires this much trust, a
company built around a product is more inherently trustworthy than open
source, as the entire company is on the line with their product (and the
livelihood of all their employees), whereas with the open source product only
the reputation of the author(s) is at stake.

Please note that, once again, I am _not_ saying this is a "100% accurate"
indicator of reliability. There are many factors at play. One important factor
would be whether the software in question has ever undergone a security audit.
Another would be whether there's proper documentation on the encryption (i.e.
1Password's file format is completely documented, both so third party software
can use it if need be, and so the security of the file format can be vetted).
A third would be the involvement of anyone who is already previously known to
be an expert in the field. Etc.

Edit: Come on guys, please stop drive-by downvoting. If you disagree,
_comment_!

------
karlick88
While I am completely appalled by the data breach and hope that similar things
never happen to anyone again,

I would like to propose a pure thought experiment:

The hacker reportedly sold the nude photos of Jennifer Lawrence for a mere sum
of $130 using bitcoin.

If we apply game theory here, this kind of data is very difficult to
monetize. If you sell one copy of the data, it is then immediately distributed
online for free. Although, nude photos of celebs are arguably very valuable.

The question is: What is the ideal path for these people to maximize profits?

I think the better alternative would have been a Kickstarter type model where
the attacker will only release photos if it reaches a funding goal (let's say
$50k). The attacker might release less revealing photos to build interest in
the goal funding.

I often hear about decentralized Kickstarter models with bitcoin (multisig, or
ANYONE_CAN_PAY hash type). But I always thought of them as gimmicky. This is
actually a use case for it.

So going beyond the celeb photo breach, this similar model should be applied to
many more scenarios, i.e.

1. you have a valuable asset,

2. but it loses value immediately after the first distribution

3. so you must capture all of the value at distribution

Note:

Anyone can pay: [https://bitcoin.org/en/developer-guide#term-sighash-
anyoneca...](https://bitcoin.org/en/developer-guide#term-sighash-anyonecanpay)

~~~
MattyRad
While I don't actually have any solid grasp of the code that would be
required, I imagine it would be possible to release 1 image to show that one
does indeed have a collection of "valuable" photos. Once trust has been
established that the person probably does indeed have additional photos,
people will be more willing to submit bitcoin.

You overwrite each pixel of each photo with black. You assign every photo a
bitcoin address and perhaps give a name describing its content (something
kinky, obviously). Each photo has a set amount the person is asking for its
release. As bitcoin is sent to each photo's address, more and more pixels are
revealed, as a percentage of the remaining bitcoin price.

You can go further by making the first few photos far cheaper than the next
(potentially more sultry) photos, creating an exponential pricing system that
will likely benefit the hacker. Trust is increased as low cost photos are
revealed, demand for more revealing photos increases as trust increases.

Thoughts?

~~~
MattyRad
As noted by ______1, the hacker did something similar by censoring the photos
and offering to uncensor for bitcoin. The difference here is that people
sending bitcoin have no guarantee that the photos will actually be released
once the bitcoin is sent. They don't have any guarantee that the posted
bitcoin address is not an imposter, and the real address is elsewhere. They
don't even have a guarantee that the hacker was already caught, thereby
wasting their bitcoin. That system is lacking in trust. A dynamic system
described above would help mitigate that problem (even though the hacker could
reblack-out each photo and tell them to start again, but that would completely
demolish any future trust, although it would hardly be considered "stealing"
since the percentage paid of each photo was already released).

------
eknkc
I use strong passwords generated by 1Password for everything.. except for
iCloud. There I have an idiot password.

Why? Because freaking iPhone asks for that when I want to download something
from App Store. How do you guys handle that?

~~~
sbarre
Don't use an "idiot" password, use a long password.. Good passwords aren't
complex, they're LONG..

"this is a really dumb password" is probably actually a really good password.
;-)

And also, your "problem" is simply your decision to trade security for
convenience.

You need to weigh the risks vs. reward and make the choice for yourself. If
something goes wrong, at least you'll know why.

~~~
sytringy05
Long passwords (aka the xkcd scheme) aren't secure anymore -
[https://www.schneier.com/blog/archives/2014/03/choosing_secu...](https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html)

The only good passwords are ones that stay well away from dictionary words..

~~~
prutschman
The Schneier article is puzzling; the security of the diceware/XKCD scheme
doesn't rely on the word list being secret, just on the words from the list
being chosen randomly. 4 words randomly chosen from a list of 5000 provide
about 49 bits of entropy _when the list of words is fully known_.

Against an attacker who knows exactly how you chose your password, it's
(roughly) the same level of security as a 14-digit numeric code, or an 8
letter case-sensitive alphanumeric code. It's just supposed to be easier to
remember.
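The arithmetic behind the 49-bit figure above, as an added example that is not part of the thread: the entropy depends only on the list size and on the words being chosen uniformly at random, so the list itself can be public. The mini word list and the scheme names are constructed for illustration.

```python
import math
import secrets

# Constructed mini word list for the demo; a real diceware list has 7776
# entries and the comment above assumes one of 5000. Only the SIZE of the
# list enters the entropy figure, so the list itself can be public.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "lantern", "quartz", "meadow"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from
    an alphabet of `alphabet_size` symbols. An attacker who knows the
    scheme and the list still has to guess which symbols were chosen."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, n_words: int) -> str:
    """Pick n_words uniformly at random (with replacement) using the OS
    CSPRNG. Choosing the words yourself, or using a grammatical sentence,
    breaks the uniformity assumption and the entropy figure no longer holds."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def compare_schemes(list_size: int = 5000, n_words: int = 4) -> dict:
    """The three schemes the comment above compares, in bits of entropy."""
    return {
        "diceware": entropy_bits(list_size, n_words),    # ~49.1 bits
        "14_digit_numeric": entropy_bits(10, 14),        # ~46.5 bits
        "8_char_alnum": entropy_bits(26 + 26 + 10, 8),   # ~47.6 bits
    }


def expected_guesses(bits: float) -> float:
    """Average guesses for an attacker who knows the scheme: half the space."""
    return 2.0 ** bits / 2


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:18s} {bits:5.1f} bits  ~{expected_guesses(bits):.2e} guesses")
    # Shrinking the pool (e.g. a user picking from the 500 most common words)
    # costs about 13 bits for four words, even if the attacker learns nothing else.
    print("4 words from 500:", round(entropy_bits(500, 4), 1), "bits")
    print("sample:", generate_passphrase(SAMPLE_WORDS, 4))
```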

~~~
Thimothy
His point is that using actual, grammatically correct, sentences is not the
same as using several random words. As your mobile keyboard autocomplete well
knows, after a certain word there are words more probable than others.

How many people use this kind of approach, I don't know. Schneier seems to
focus on "three random letters" kind of attacker.

------
lambdasquirrel
The thing that bugs me is that you could have good password practices. But if
you're having a party, having a fun time (and let's face it, people are going
to do shit...), and _one of your friends_ is snapping photos of you, and they
have bad password practices, then you are kind of screwed. People don't
typically make friends on the basis of: do you have good password practices.

~~~
ddrmaxgt37
Yup. And that very reason is why many people don't have social networking
accounts. You can control what you share, but you can't control what your
friends share.

~~~
TeMPOraL
How does not having a social networking account help with that? Not only can
you still not control what your friends (that is, the real-life ones) share,
now you're the last to know if they share something about you.

~~~
DevoAKA
Perfect example is Facebook. You don't have to be on it for them to know your
phone number. If 2 of your friends have the "Share your Contacts with
Facebook" option turned on, chances are Facebook has your phone
number/whatever else your friends store on their phone about you.

------
city41
> Password reset is answering the date of birth and security question
> challenges (often easy to break using publicly available data – birthdays
> and favorite sports teams, etc. are often not secrets)

I really dislike this trend of "personal questions" to reset your password.
The first car I owned or where I'd like to retire is easily obtained
information. When are websites going to stop doing this?

I answer these questions using passwords generated from 1Password. So
basically I have 4+ passwords per site for sites that use these questions. Very
annoying.

~~~
shampine
What about just using a basic cipher for your questions? It is what I do. So
if the question is "What was your first car?"

Answer could be: Ford

Instead it is Enqc or droF or Gpse

~~~
TeMPOraL
Well like many such website "security" practices, if you know why they're bad,
they are no longer a problem for you. But normal people don't know why
security questions are a stupid idea, so when an otherwise reputable website
(like an e-mail provider) asks you for your first car or favourite toy, they
assume it's how things are supposed to be on the Internet.

------
DanielBMarkham
So if I'm understanding this from a technical perspective, the real story is
that this is/has been going on for quite some time, and there's an entire
ecosystem devoted to it. The general public rarely ever sees behind the
curtain, but somebody got greedy in this case and we ended up in a race to the
bottom.

If true, interesting that such a layered economic structure can exist without
much press or public comment -- until something like this happens.

Fascinating. Makes you wonder what percent of the total activity these 100+
celebrity invasions represent.

~~~
TeMPOraL
Well the fact that JenLaw's photos went for the extremely huge amount of $130
suggests that either there's _a lot_ more of it out there, or that the guy who
stole them couldn't fence them (per [0] thread).

Anyway, you summed up the take-away from the article perfectly. Since this
seems to be going on for some time, I wonder how the whole ecosystem kept
coordinating this well so far, that it's the first time we hear about such big
(but still lousy one) defection.

[0] -
[https://news.ycombinator.com/item?id=8260233](https://news.ycombinator.com/item?id=8260233)

~~~
DanielBMarkham
Yeah, there's some hard-to-accept math in that story.

If JenLaw's photos were worth $130 or so, that means that any photos that any
of us have are associated with a market value. And it ain't that much.

~~~
TeMPOraL
Well, that our photos have a price tag is kind of obvious. Everything has one.
But I'm very surprised by the amounts we're talking about. I'd expect JenLaw
to be extorted for hundreds of thousands of dollars, or at least those photos
going for many $k (and TBH, some other celebs have much worse photos/videos in
this leak). So them going for $130 implies that either celeb sex tapes are
really common/cheap in the darknet, or _we have no frikkin' clue what's going
on out there_.

~~~
hibikir
Anonymous extortion threatening to release something that is trivial to copy
is not going to work, because there is nothing to guarantee more money will be
requested next week, or that the material will not be released later.

As far as selling it, the price cannot be very high, because nobody has that
much to gain from being the first with the pictures. It's illegal material
after all, so magazines can get in trouble for buying it. Put it in a shady,
for-pay site, and with it being illegal material and all, it'd be in a torrent
in minutes, so how many times will you really sell it?

If it was, say, a presidential candidate doing hard drugs and cheating on his
wife with a man, then maybe you could say that the opposition would be willing
to pay for the pictures to be released, regardless of how they were obtained:
There'd be millions at stake. A naked actress? Not so much.

------
nodata
Why is nobody talking about password reset questions?

~~~
mrweasel
I'm not sure if it's completely fair, but every time I see "security questions"
I can't help but think: "Oh, it's an American site".

Silly "security" questions about mothers, dogs and favorite teachers seem to
be cultural to the US (and maybe Canada), why is that?

~~~
scrollaway
The whole "mother's maiden name" thing is pretty popular in US banks. I'd
wager this is where it came from.

Then again, you are talking about a country where the only thing people need
to steal your identity is your ... social security number. Brilliant.

~~~
mrweasel
Stealing the social security number in Denmark is just as bad and possibly
easier than in the US. If you know a person's birthday and gender you have at
least a 1 in 500 chance of simply guessing the last four digits.

~~~
roel_v
That's exactly not the point. The point is that _it shouldn't matter_ that
other people know your SSN. What effect does it have in Denmark when other
people know your SSN?

------
abalone
Choice quote:

_To reiterate what the main bugs are that are being exploited here, roughly
in order of popularity / effectiveness:_

_Password reset (secret questions / answers)_

_Phishing email_

_Password recovery (email account hacked)_

_Social engineering / RAT install / authentication keys_

Note: Not weak passwords.

~~~
parliament32
Here's a question: How did the attacker get the usernames of the celebrities?
Those aren't exactly public info (unless they used the same name as their
Instagram account or something).

~~~
abalone
The article discusses this very point in some detail (see especially point 7
about iCloud email testing).

------
theDustRoom
I use a Yubikey with a generated key.

This is only half of my password; the first part is a password I can remember
easily with numbers and letters, the second is the generated key.

This means that even I don't _really_ know my password and if someone found my
Yubikey then it's useless to them without the other half that only I know.

(I do have a printout in a safe place of the key and also a backup Yubikey)

I use this password for my computer as well as my 1password vault which is
generally filled with randomly generated keys for each website.

Might sound a bit overkill but if you can; why not?

~~~
amvp
That sounds secure, but help me understand: Is it the same password
everywhere? How do you manage the different passwords for different services?
How do you enter your password to log in on an iPad, or on your phone?

My biggest problem with Apple's password policy is that I'm required to
enter it periodically on an iPad or iPhone - meaning I can't keep it in LastPass
and that complex alphanumeric passwords are even harder to enter.

~~~
theDustRoom
My iOS accounts are, unfortunately, limited to a password that I can remember,
but I use one with numbers and letters and a mixture of uppercase and
lowercase characters.

Most of my website passwords are generated keys, each different, all stored
within 1Password. Should there be an issue at any point (doubtful) I can
always go through the "forgot password" features on any given website to reset
it to something temporary that I can use easily.

------
elwell
Just to give OP a heads up: the article's font is rendering terribly in
Windows Chrome.

~~~
DonaldH
I've noticed this with my own websites. Fonts consistently look great in FF
and IE but terrible in Chrome. What can be done to fix this?

~~~
coffeedrinker
Turn off the DPI scaling in Windows.

[http://support.microsoft.com/kb/2900023](http://support.microsoft.com/kb/2900023)

Google around for the actual steps.

~~~
elwell
I'd rather not do a fix like that; I want to notice if sites I code have the
issue.

~~~
coffeedrinker
I agree, but until Google gets the fix in you can have no way of knowing what
it will look like because it all depends on the hardware and how it has been
scaled.

I only came across this because my daughter's new laptop with an HD screen
made Chrome look awful and I didn't understand why since it looked good
everywhere else.

------
shouldbeworking
Isn't showing partially blacked out private photos still a violation of
privacy? If the author of this post really wants to be white hat, he should
modify the image (above 14) to obscure the non-blacked out part of the photo
with a different color. I'm unfamiliar with that celebrity in the picture but
if I was familiar with her work, it would feel creepy to look at it.

~~~
nikcub
thanks - fixed. didn't notice I picked the wrong image out when uploading.

------
julianpye
The average user does not know much about security. They trust Apple's brand
more than they trust their friends (with secrets and health apps) and they
will now likely stop using many services rather than step up security.

What is interesting is that the perception among normal people I heard speak
about this is that all of iCloud has been breached, i.e. everyone's photos are
in the hands of hackers and they only released the pics of celebs.

The reality is of course likely that an attacker was able to hack one phone
which among photos hosted contacts and mail addresses of other celebs and from
there on they got their hands on more accounts to directly target.

Anyway, my point is that to average consumers it does not mean that they need
to use stronger security or that they would understand about targeted attacks.
They will believe Apple has been breached and they will think more before
creating private selfies or putting health data onto their until now so
trusted companions.

------
fpgeek

> 6. iCloud is the most popular target because Picture Roll backups are enabled
> by default and iPhone is a popular platform. Windows Phone backups are
> available on all devices but are disabled by default (it is frequently enabled,
> although I couldn’t find a statistic) while Android backup is provided by
> third party applications (some of which are targets).

Fragmentation, for the (security) win! </sarcasm>

Not really, of course. The big win (shared by Windows Phone) is simply _not
turning on the security-sensitive cloud service by default_. That being said,
it is worth noting that enabling/encouraging third-party service competition
can create an extra hurdle by discouraging cloud-service monocultures.

~~~
yaeger
Does Android really not provide an auto upload of snapped pictures to the
cloud? I was under the impression that they did this way before iCloud even
came up. First it was to Picasa or some place, then to the google+ place
somewhere.

Either way, I don't even remember if the iCloud upload was default or not.
When it was introduced I took an interest to find out how to deactivate that
in case it was enabled by default. Don't remember if it was. All I know is, it
is disabled on my device and it'll stay that way because I really didn't want
to use this.

~~~
king_jester
> Does Android really not provide an auto upload of snapped pictures to the
> cloud? I was under the impression that they did this way before iCloud even
> came up. First it was to Picasa or some place, then to the google+ place
> somewhere.

When you sign into Google+ or Dropbox (among others), you are presented with a
screen where you can enable photo uploads to those cloud accounts.

------
ams6110
I think the cloud has proven to be untrustworthy. One must assume that any data
on any public cloud service (including email, photo libraries, documents,
mobile device backups, etc.) will become public, and use the cloud with that
mentality.

------
stevenh
Reddit should not be listed among the sites hosting the stolen images, as
reddit does not support image uploads. Imgur is the primary site hosting the
stolen images in that case.

~~~
ahelwer
Are we still unable to move past this pedantic hosting-vs-linking nitpicking?
It's like you willfully ignore how content discovery works on the Internet.

~~~
Systemic33
Just to be pedantic: By the same logic, Google is also grossly hosting tonnes
of illegal material.

~~~
blatherard
Google doesn't have moderators posting messages like "uh-oh your illegal
content is being taken down. Here's a list of other places to post it."
Meanwhile, Reddit has precisely that. Warning: link to NSFW board, though this
post isn't itself NSFW.

[http://www.reddit.com/r/TheFappening/comments/2fa2a1/meta_ef...](http://www.reddit.com/r/TheFappening/comments/2fa2a1/meta_effective_immediately_any/)

In which the mods write: "On another note: please use other hosting sites
besides imgur.com. We have a large list of whitelisted domains listed here
that you should be uploading to besides imgur. Do not put all of your eggs in
one basket."

------
uladzislau
I'm wondering if a simple GeoIP check can prevent lots of intrusion attempts -
if the user consistently logs in from one location and then suddenly tries to
log in with the wrong password from a distant one, that's a red flag that
warrants temporary account lockout at least.
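A small working version of the rule described in this comment, added here as an example and not taken from the thread: an account is locked, temporarily, only when a failed password attempt arrives from far away from the user's habitual login location, while successful logins from anywhere are allowed and extend the baseline. The GeoIP table, IP addresses, sample events and thresholds are all constructed for illustration.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed GeoIP table, IP -> (lat, lon, label). Real GeoIP data is
# coarse and sometimes wrong, which is why the rule uses a large distance
# threshold AND requires a failed password attempt before acting.
GEOIP = {
    "203.0.113.10": (37.77, -122.42, "San Francisco"),
    "203.0.113.11": (37.77, -122.42, "San Francisco"),
    "198.51.100.7": (52.52, 13.40, "Berlin"),
    "192.0.2.99": (55.75, 37.62, "Moscow"),
}

DISTANT_KM = 1000.0              # far larger than typical GeoIP error
LOCKOUT = timedelta(minutes=30)  # temporary, so a travelling owner is not locked out for good


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class LoginMonitor:
    def __init__(self, geoip=GEOIP):
        self.geoip = geoip
        self.history = {}       # user -> Counter of (lat, lon) of successful logins
        self.locked_until = {}  # user -> datetime

    def usual_location(self, user):
        hist = self.history.get(user)
        return hist.most_common(1)[0][0] if hist else None

    def check(self, user, ts, ip, password_ok):
        """Return (action, reason) for one login attempt and update state."""
        lock = self.locked_until.get(user)
        if lock and ts < lock:
            return ("reject", "account temporarily locked")
        loc = self.geoip.get(ip)
        if loc is None:
            # No location signal at all; fall back to plain password handling.
            return ("allow", "no geoip data") if password_ok else ("deny", "wrong password, no geoip data")
        if password_ok:
            # Successful logins build the baseline; travel is allowed.
            self.history.setdefault(user, Counter())[loc[:2]] += 1
            return ("allow", f"ok from {loc[2]}")
        usual = self.usual_location(user)
        if usual is None:
            return ("deny", "wrong password, no baseline yet")
        dist = haversine_km(usual, loc[:2])
        if dist > DISTANT_KM:
            self.locked_until[user] = ts + LOCKOUT
            return ("lock", f"wrong password from {loc[2]}, {dist:.0f} km from usual location")
        return ("deny", "wrong password near usual location")


# Constructed sample events: (user, ISO timestamp, source IP, password correct?)
EVENTS = [
    ("alice", "2014-09-01T08:00:00", "203.0.113.10", True),
    ("alice", "2014-09-02T08:05:00", "203.0.113.11", True),
    ("alice", "2014-09-03T08:02:00", "203.0.113.10", True),
    ("alice", "2014-09-03T09:00:00", "203.0.113.10", False),  # typo at home: plain deny
    ("alice", "2014-09-03T09:01:00", "192.0.2.99", False),    # distant + wrong password: lock
    ("alice", "2014-09-03T09:02:00", "192.0.2.99", True),     # right password, but locked
    ("alice", "2014-09-03T10:00:00", "198.51.100.7", True),   # lock expired; travel still works
]


def run(events, monitor=None):
    """Replay events through a monitor and return the list of (action, reason)."""
    monitor = monitor or LoginMonitor()
    return [monitor.check(u, datetime.fromisoformat(ts), ip, ok)
            for u, ts, ip, ok in events]


if __name__ == "__main__":
    for event, (action, reason) in zip(EVENTS, run(EVENTS)):
        print(f"{event[1]} {event[2]:14s} {action:6s} {reason}")
```

The distance threshold and the requirement of a wrong password are what keep GeoIP inaccuracy from locking out a legitimate user, and the lockout expiring is what keeps a travelling owner from being shut out permanently.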

~~~
treyp
problem #1: GeoIP isn't accurate enough

~~~
rtkwe
problem #2: Travel becomes more of a pain because your apps/phone stop
working.

------
api
Read the comments to this blog post. The misogynistic mouth breathers are out
in full force as usual.

~~~
TeMPOraL
Just wait for the misandristic crowd to show up, as they always do. I'm just
starting to see the first articles in my Facebook feed trying to spin this
celebrity leak into a women's oppression problem.

~~~
api
Both groups certainly exist, but one is larger than the other by a few orders
of magnitude.

~~~
TeMPOraL
(disclaimer: not meaning to start any kind of flame-war)

To be honest, the one I perceive (as a straight, white, middle-class, educated
male) as larger is the misandristic one. As a person who strives to be good and
helpful to every human being equally, regardless of race, gender, orientation
or whatever, I get on the Internet every day and I get flooded by articles and
comments saying that everything I do or think is misogynistic, wrong and
overprivileged.

Honestly, I think that (and I never thought I'll say something like that ever)
UrbanDictionary's definition of "social justice" sums it up perfectly:

_Promoting tolerance, freedom, and equality for all people regardless of
race, sex, orientation, national origin, handicap, etc... except for white,
straight, cisgendered males. Fuck those guys, they're overprivileged no
matter what. "In the name of social justice, check your privilege."_

([http://www.urbandictionary.com/define.php?term=social+justic...](http://www.urbandictionary.com/define.php?term=social+justice))

I'm not saying the world is fair to women or minorities, it's sure as hell
not. But SJWs are overplaying it by _many orders of magnitude_.

In my opinion, the reason this leak contains only women celebrities has
nothing to do with misogyny, and everything to do with the reason why
celebrity magazines are focused on women celebrities, why most porn is
targeting males, why most women dress in various cuts and colours while for a
man just a suit will do, etc. Not saying it's good or bad, it's just how the
culture evolved - but the point is, _there's nothing new/important to see
here_.

Also, at the risk of being accused of victim blaming, et al., when you become a
celebrity - be it an actor, a model or a politician, you implicitly accept
that all your life becomes a public matter and is subject to scrutiny by
random actors. And to be honest, I think that those celebrities actually would
agree with me on that. See, it's not the victims that are making a big scandal
out of this leak, it's the media and the general public, who are doing it "in
their defense".

~~~
mwfunk
Regardless of the truth or falsehood of what you're saying, no good (for you
or anyone else) will come of making this one of your personal crusades, which
it sounds like it is. There are far nobler causes than standing up to SJWs you
feel have crossed some line of hypocrisy, and you are much more likely to be a
force for harm than good in the world as a result.

~~~
vanwesson
SJWs are not beyond criticism, nor should they be:

[http://studentaffairsfeature.com/ten-counterproductive-behav...](http://studentaffairsfeature.com/ten-counterproductive-behaviors-of-social-justice-educators/)

------
brador
iCloud hacking was mentioned and everyone has jumped on it. Many cell
transmissions are unencrypted. MITM attacks should not be thrown out as a
possibility. Malware is also a vector, including apps.

~~~
GVIrish
One of the victims stated the pictures were from several years ago. Unless the
hacker was extraordinarily patient and persistent, I have to think a MITM
attack on a cell tower is unlikely. More likely a cloud service (email, social
media, storage) of some sort was compromised.

~~~
brador
Another possibility is purchasing an old phone from eBay and extracting
deleted files. Or a local Mac/PC/phone repair shop pulling the data during a
repair. Then there's the NSA/border security vector too.

Photos uploaded to a Mac or PC could also be exposed by malware or malicious
apps. There's the ex/friends/family as possible weak points too.

Plus we have no idea how long these photos have been traded within that
private group.

What I'm saying is there are lots of ways this could be done and we shouldn't
get so hung up on the iCloud idea.

------
ksec
Why don't platform makers like Google, Microsoft and Apple have their own
password manager and force the usage of it?

