The appleid is a security nightmare anyway. I used to use an account, associated to an email I own, with a password I know, and still I can not log in, because it keeps asking the insecure "personal questions" that I never answer, because [generic privacy statement] and because I use a cryptographically secure password manager. As I did not save the personal questions I answered when signing up (tbh I probably just put garbage, as those are usually never asked when you know the password), now I just cannot access it.
That's right, I own the email address and I know the password, and yet I cannot access my account. However, knowing who was my best friend when I was a teenager, or what was the name of my first pet are questions, in spite of being known by dozens of friends or acquaintances, that Apple requests as security measures needed to trust me as the owner of the account.
Having them on the phone provides zero help, 1 year later, I still cannot access it. It's definitively lost, and I feel happy I do not have any important information stored on the apple cloud.
Phone agents don't always have to actually enter the security questions to access your account. Sometimes they can simply see the answers on their screen and are able to make a judgement call. Don't trust humans, especially not humans who are incentivized to help you as quickly as possible.
Also it's easier to say a word over the phone than it is to say a random string of letters, numbers and symbols.
Called them again and another apple employee pointed out that as long as you can login, you can enable 2FA via iCloud (something I'm not using either). Once 2FA is enabled the security questions can be bypassed. Not sure if that required them to change a setting, but from then on you _should_ be able to change anything else, including the security questions or assign another email address or add an extra one or..
After reading this, I tried it and it didn't work. Even jumped on a call with support and they told me there is no way to turn on 2FA without the security questions (at least for my account, maybe other accounts can).
The shitty thing is you also delete your account or create a new one with the same email without knowing the security questions.
Oh well :/
Still, thanks for the hope (short-lived as it was).
The first apple support person I talked to did not know how to recover the account this way. So it does not seem to be in the scripts.
source: lost my phone and went full panic mode when it said "unsupported" and fiddled around with it for 30 minutes on an android phone
This is one of the ways they are trying to change that.
They're happy to leave the high volume lower end to the likes of Samsung.
A friend is in a study abroad program and broke his iPhone. He bought a new one but can’t access his account because he no longer has a “trusted device” (his broken iPhone) to verify his login and since he’s overseas, can’t get the fallback SMS.
He basically has to wait until he returns.
Note that you can also set it up to call you instead of sending texts; I presume he can take calls otherwise I don’t understand why he even took a phone with him.
He tried to find a way to disable it, but it is no longer possible.
If Apple had a 2FA method where he could use another email, that would have solved the problem. Or even using an app like Authy or Google Authenticator.
He is overseas, with no global roaming, and so is unable to receive calls or texts.
He took his phone because he planned on getting a local SIM card.
Or if Apple did not force 2FA on new accounts, then this also wouldn’t have happened.
This is one of the reasons I purchased a mobile/cell number from Twilio to use as a backup for all of the websites that only support 2FA via SMS (Apple, PayPal etc.).
The 2FA code gets sent to a channel on my own private Slack workspace via a webhook. If I lose my phone I can always log into the Slack website on another device to access the code.
According to this other recent HN comment, Twilio numbers cannot be used for SMS verification. Banks and Gmail are mentioned:
"I have this problem because my main, personal number is actually a twilio number (as I built my own personal telco within twilio) and this means I cannot receive validation messages from shortcodes (like a bank)."
Yes. I wouldn't have mentioned it if it didn't work.
Here's a screenshot showing the Apple and PayPal 2FA codes I have received through Slack via Twilio...
I also don't have any accounts with banks that are stupid enough to use SMS for 2FA so I haven't needed to use my Twilio number for that purpose.
Using SMS for Gmail 2FA doesn't make any sense when Google supports U2F.
Would you mind sharing a working source?
Twilio/Google Voice (more generally, VOIP numbers) are explicitly being blocked (because it's possible to find out what type of number it is) at a number of services, likely to combat fraud.
I've found MSFT (Azure) and AWS to be recent examples of such services. Google itself does the same.
62226 = PayPal and 51472 = Apple.
edit: Mercifully, they at least allow you to enter the 'find my iPhone' section without needing the 2FA code.
I just followed the instructions on the login page saying that I did not have my device with me, and just entered my Recovery Key that was given to me when I set up 2FA.
It's as simple as that.
Mind you I use a password manager and keep all my login information in it.
The newer “2 factor verification” does not have a recovery key.
Don’t attribute a seeming idiocy to something which is a clear sign of malice.
They escalated the ticket to some user department, where it promptly went nowhere. This was in October. When first dealing with this, I spent an hour on the phone with Apple. Clicking on my support ticket URL gives me the option to call them, but no way to email them back to inquire. It's a giant waste of time since Tier 1 agents go by script and cannot deviate without contacting a supervisor (whom I spoke to before).
So I guess I'm locked out of the system forever using my email address.
I guess Apple doesn't want developers to support their products.
This is IMHO a badly misconfigured WAF or possibly application config bug and not some kind of grand conspiracy to exclude certain Linux users.
Seems far more likely that Apple was facing some sort of automated attacks on this particular subdomain (with linux UAs), and a beleaguered admin used this as a quick fix.
Or, even more probably, it's a misconfiguration.
It’s likely not malicious in the sense that they want to punish Linux users. And blocking Linux for this particular site may not have been something they even wanted to do. But in general Apple has been unnecessarily hostile towards non-Apple devices, and it’s not hard to believe this is a consequence of that.
Does anyone have first hand experience with a WAF that did that?
In our case, we block the impossible combos and rate-limit the ones commonly used by botnets.
Blocking based on whether the UA has "Linux" in it is just dumb, though.
Old-school non-computerized discrimination (i.e. racism) works exactly the same way.
You know what else is a terrible idea? Blocking IP ports in firewalls, or MAC based filtering, yet both of these are ubiquitous practices. Don't think something is not happening because you think it is a bad idea. Other people, usually the ones in charge, will often disagree.
Especially if you’re facing an attack from a common UserAgent with all the other variables changing. And the admin likely thought “Linux users don’t use this service.”
If you're behind a MITM web proxy at work, try going to Lowes.com - there's a chance you'll get blocked by their Akamai filter for putting headers back in the "wrong" (there is no wrong) way.
It's like moving SSH to another port -- it won't stop anyone who knows what they're doing, but the majority of the bots that blindly connect to port 22 on every single host that has it open will be stopped by it.
That houseowner has probably set boobytraps etc.
Here's a screenshot of the headers by that Browserling instance type:
Does this issue affect normal Linux desktop-hosted locally-operated “the standard way” browsers?
I agree it likely won't be fixed anytime soon. It probably impacts single digit (or less) percentages of their users.
While there are many others, the site below could have been used from the Browserling instance in question to deduce header information which would have included the OS as you've requested. Someone in Apple Support could likely figure this out given that information and ability to reproduce.
Remove any character from that string and it succeeds.
dang: are you able to update the title to reflect that it's not just 'linux' being blocked?
Better to just leave it as a string you can spoof and let them pretend that it is good enough.
And of course, iTunes in Wine did not allow me to paste passwords, so I had to type in the autogenerated password. And the autogenerated answers for the "security" questions. Fun.
Google has a wall'ed-in garden
Facebook is trying to make a wall'ed-in garden
Does anyone else ever want to take out a flamethrower and just start from scratch...
It's so tiring
Services.prefs.setCharPref('general.useragent.override', 'apple spoof');
Clearly they didn't think this through.
You're assuming this was a malicious move on Apple's part, as opposed to negligence or apathy.
Can’t believe it was due to running Ubuntu. WTF!
I still vote for a filter gone awry, no need to be needlessly conspiracist.
> If I lowercase the 'L' it fails
so no, not that specific casing.
EDIT: Elsewhere in thread confirms Firefox and Chrome affected on lots of Linux.
Maybe just an oversimplified explanation, and it cares only about "X11;" and "Linux", regardless of whether they are together or not.
Probably overzealous, sure. Malicious? Doubtful.
I’ve had to do that before.
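An added example, not code from any commenter and not Apple's actual filter: it contrasts the substring rule the thread guesses at ("X11;" plus "Linux" anywhere in the User-Agent) with the approach one commenter describes, blocking only impossible combinations and rate-limiting clients commonly used by bots. The sample User-Agents, token pairs, client list, IP addresses and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample User-Agent strings (not captured traffic).
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
SAFARI_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/11.1 Safari/605.1.15")
CONTRADICTORY = "Mozilla/5.0 (X11; Linux x86_64; Windows NT 10.0) Trident/7.0 Firefox/60.0"
SCRIPTED = "python-requests/2.18.4"

def naive_rule(ua):
    """Rule guessed in the thread: block when both tokens appear anywhere.
    Case-insensitive matching is an assumption of this sketch."""
    u = ua.lower()
    return "x11;" in u and "linux" in u

# Hypothetical token pairs that a genuine browser does not send together.
IMPOSSIBLE_PAIRS = [("Windows NT", "X11;"), ("Trident/", "Firefox/"), ("Macintosh;", "Linux")]
# Hypothetical list of scripted clients to throttle rather than block outright.
SCRIPTED_CLIENTS = re.compile(r"^(python-requests|curl|Go-http-client)/")

class UaPolicy:
    """Block contradictory UAs, rate-limit scripted ones per (ip, ua), allow the rest."""

    def __init__(self, limit=3, window=60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # (ip, ua) -> timestamps of allowed requests

    def decide(self, ip, ua, now):
        if any(a in ua and b in ua for a, b in IMPOSSIBLE_PAIRS):
            return "block"
        if SCRIPTED_CLIENTS.match(ua):
            recent = self.hits[(ip, ua)]
            while recent and now - recent[0] >= self.window:
                recent.popleft()  # drop requests that left the sliding window
            if len(recent) >= self.limit:
                return "throttle"
            recent.append(now)
        return "allow"

if __name__ == "__main__":
    policy = UaPolicy()
    for ua in (FIREFOX_LINUX, SAFARI_MAC, CONTRADICTORY, SCRIPTED):
        print(naive_rule(ua), policy.decide("198.51.100.7", ua, now=0.0), ua[:40])
```

The naive rule rejects an ordinary desktop Firefox on Linux, while the policy only blocks the self-contradictory string and throttles the scripted client after its third request in the window.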