Hacker News new | past | comments | ask | show | jobs | submit login
Notes on the Celebrity Data Theft (nikcub.com)
366 points by nikcub on Sept 2, 2014 | hide | past | favorite | 274 comments

I wrote this in the other thread on the leak before it died:

> Even if the leaks result from one at a time social engineering, it still really calls into question the practical security of the cloud. I doubt it's much harder to steal, e.g. confidential business documents from executives' cloud accounts than it is to steal pictures from celebrities' cloud accounts.

> If I were a big organization with confidential information, I'd really be thinking hard about my cloud policies and my BYOD policies right now. The policy at my previous employer (we handled a lot of extremely sensitive information), was pretty draconian: data never leaves a company desktop, laptop, or blackberry.

The fact that the users may be the biggest security leak is more alarming than it is relieving. Software bugs can be fixed. Getting users to follow proper security practices is much harder. And frankly, it doesn't help that the industry is actively user hostile. I gmail my passwords to myself because every site has different password rules and force me to change my passwords too often.

Dude. 1Password. Switching to using it for everything was one of the single smartest things I did this year.

I agree with you about the wider industry problem, but for your own personal use just start using a password manager. Just do it.

1Password and last pass are pretty awesome. Some people don't want to use a 3rd party and for those, I suggest KeePass databases at the very least.

I have all my two-factor reset keys in KeePassX at home and all normal passwords in last pass.

I actually lost a two factor code for Linode when I lost my phone with the Google authenticator app on it and having those reset codes in KeePassX was a life saver.

I've seen this argument come up before and I don't understand it. Why do you trust KeePass more than 1Password? In both cases you are sharing the datafile however you'd like (Dropbox, thumbdrive, etc...). The primary difference is if you have access to the source code or not.

If KeePass purposefully injected a vulnerability, it would just be that dev/project that would fail. If 1Password were to do the same, that company and all the people that work for it would go down. I'd personally see this as more of a reason to trust 1Password over KeePass.

The primary argument is that the code is open and you can audit it, but in reality that doesn't really happen unless there is a real drive to do it (like we saw recently with TrueCrypt).

I trust/distrust both about the same amount. But 1Password has more resources behind it so they are doing more to try and secure the data within the encrypted store.

Well, Keepass is free as in beer too, so from a licensing perspective, that's a factor (mainly for adoption) though, 1Password is a totally affordable and solid investment for 99%+ of folks on this board).

Free allows much more organic adoption - I can recommend a friend to use KeePass without worrying a bit that he doesn't think 1Password is a good investment. I can mandate it for my team at work without having to get it expensed.

Free as in beer is a reason to be more distrustful of the software. Sure it's more convenient, but this seems to be an area where it's really worth investing money in getting the more reliable solution.

Are you by chance a purchasing manager for a large corporation? Do you feel that signing a $100K-$1M Oracle contract is worth it because "if MySQL or PostgreSQL were worth something, then they would charge you for it?"

Thanks for the straw man and entirely manufactured quote. We're talking about paying $50 for software that manages your passwords for everything, not paying hundreds of thousands to millions of dollars.

> Free as in beer is a reason to be more distrustful of the software.

> this seems to be an area where it's really worth investing money in getting the more reliable solution.

You're stating that "Free as in Beer" == "Less Reliable" and the fact that something costs money implies with 100% accuracy that it is reliable. Neither of these are true. Arguing that I'm bringing up a strawman because I said "Free vs. Millions of Dollars" instead of "Free vs. $50" is beside the point.

I am not saying either. I'm saying "Free as in beer" is not a reason to trust software in this particular field, i.e. the field of security software where one error can undermine the whole point of the software and expose your secret data to the world.

And I never even came close to saying that "something costs money implies with 100% accuracy that it is reliable". You are once again making up words to put in my mouth.

The fact is, a lot of people still believe the "open source == more eyeballs" myth, even though that is a myth. Open source does not equate to reliability. And when it comes to software that requires this much trust, a company built around a product is more inherently trustworthy than open source, as the entire company is on the line with their product (and the livelihood of all their employees), whereas with the open source product only the reputation of the author(s) is at stake.

Please note that, once again, I am not saying this is a "100% accurate" indicator of reliability. There are many factors at play. One important factor would be whether the software in question has ever undergone a security audit. Another would be whether there's proper documentation on the encryption (i.e. 1Password's file format is completely documented, both so third party software can use it if need be, and so the security of the file format can be vetted). A third would be the involvement of anyone who is already previously known to be an expert in the field. Etc.

Edit: Come on guys, please stop drive-by downvoting. If you disagree, comment!

Why do you assume paid software is more reliable?

See this other comment I just posted: https://news.ycombinator.com/item?id=8264450

Wow, Hacker News really hates the idea of paying a reasonable amount of money for important software?

Edit: And hates being told they hate it. How meta. If you disagree, please leave a comment. Drive-by downvoting does not help anyone.

IMHO, the license is not really the big question for this type of software. The most important thing is the competence of the team(s) who wrote and audited the software.

Exactly. I love open source software and use (and contribute to) it all the time, but the sad fact is that, despite the "many eyeballs" claim, most open source software is very rarely audited. I am willing to believe that KeePass is in fact implemented well and safe to use, but I don't actually know anything about the developer(s) behind it, don't know anything about the future development of the software (will it still be the same developers? Will new unknown people start contributing? etc), and pretty much the only thing that the developer(s) stand to lose by screwing up is reputation.

On the other hand, AgileBits (makers of 1Password) is a company, with actual money on the line (in addition to reputation) serving as an assurance that the product will not only continue to be developed, but will remain secure.

If KeePass screws up, some reputation is lost, people may switch to another product, and the developer(s) can just move on to working on other software if KeePass can't be salvaged. If AgileBits screws up, not only is reputation lost, but so are paying customers, depending on the severity the entire company might go belly-up (e.g. if 1Password is compromised heavily enough that it can't be trusted anymore), a lot of people are suddenly out of a job, etc. Basically, there's a lot more at stake for AgileBits, which makes it much easier to trust that not only are they going to do their job right, but they're also going to have processes in place to ensure a build never gets released externally that doesn't pass QA, etc.

And don't forget that as a paying customer of AgileBits, I can get support from them for any problem I might be having. Open source projects don't typically employ support personnel, and generally rely on the community to try and provide whatever support they can.


Ultimately, this comes down to the fact that this is a specialized class of software, where one breach can mean irreparable damage as the attacker now has access to your passwords for everything. For that kind of software, I really want the backing of a company, with a significant amount to lose, rather than just some unknown collection of open source developers.

Which is to say, for nearly any other class of software, I'm much more inclined to judge it based on its merits, and open source has a lot of advantages. But this isn't any other class of software.

Won't complain FOSS/OSS has its drawbacks, but everything has two sides.

I might be a strange case, but I just have this feeling "real" companies spend their $$$ on meetings in Bahamas and Ferraris, while FOSS/OSS would be more open to security audits/etc.

A company with money on the line can (also) easily be shut down or aquired. I imagine a FOSS/OSS team would be demanding more guarantees for the future of the project, while "in it for the money" companies would take the check and not give a damn if it was shut down the same day.

"Real" companies often seem to push releases/features (prematurely?) to attract new customers. That the new features pass review/QA doesn't necessarily mean they are implemented right (goto fail?). In addition FOSS/OSS have public bug trackers, I'd rather know there are x number of bugs labeled "security" in my os, than not beeing told at all.

Support can (should?) be where open source make money, there are lots of FOSS/OSS projects out there offering paid support/installations/sass.

And the unknown collection of open source developers _may_ be a much better collection of security specialists/coders than in the "real" company. As most of FOSS/OSS is done voluntarily you don't have to pay huge paychecks for top of the line expertise.

Bottom line, I trust Debian (& co) and Mozilla. I don't trust Microsoft, Apple and Google.

This is 100% biased as to what I think. I understand that this is a two sided issue, and fully understand people who think like you sketched out. I'm just not one of those people :P

Why do you assume every KeePass user is storing their passwords on a server somewhere? I would never send my password file over a network, and I don't consider USB storage "sharing."

The password file itself is an encrypted DB. Unless you choose a weak password for that, it's pretty secure.

The more tightly you control copies of your password DB file, the less vulnerable you are if somebody "purposefully injected a vulnerability" in the software as parent suggests, that's the only reason I brought it up.

My concern is that 1Password could shut down at any time and stop being supported, and I may lose access to all my passwords. KeePass is open source, so even if the current maintainer quits, it's likely that others in the community will step up to continue maintaining it. If absolutely necessary, I can edit the source code myself.

That's not how 1Password works. All passwords for 1Password are stored locally in an AES encrypted file. They never see, touch, or have any control over your passwords on their end. Even if they suddenly shut down tomorrow, all your passwords would still be accessible unless you chose to delete the application and have zero backups to restore from.

They even have an export function to dump the passwords (unencrypted) into a plain text or CSV file, so you can easily migrate the data to a new manager if needed.

You are 100% correct.

To add to this all syncing on 1Password is done using 3rd party vendors.

You can use dropbox, iCloud, Google Drive, etc to do the actual syncing of the encrypted files.

I still don't see the benefits of 1Password from a cost perspective, regardless of a trust perspective.

I can spend $40-80 and buy a bunch of 1Password license packages, or I can use KeePass and place the database in my Dropbox folder. Yes, 1Password has a more aesthetic interface, but otherwise it basically does the exact same thing.

IMO, the big question is: Who do you trust more when it comes to cryptography and security engineering? The 1Password developers or the KeePass developers?

No true. I sync using BT Sync and it works fine. It's just not interpreted with 1Password like Dropbox is.

> dropbox, iCloud, Google Drive, etc

Point being the sync is platform agnostic. The etcetera covers BT Sync.

I use Dropbox, but my password for Dropbox itself is stored inside 1Password. The escape hatch is that the 1Password sync folder is shared publicly, and the URL is copied to a slip of paper in my wallet.

Why would you ever expose the sync folder publicly?

Just keep a copy on a local computer with Dropbox if need be.

Because I only have one computer and no mobile devices— therefore I only have one copy of the password database, and I need the password database to access Dropbox.

The sync folder is encrypted—is there some risk I'm not seeing?

Personally, I don't believe in leaving something like a password database exposed. That's akin to leaving a safe in the street. While someone might not be able to get in right away, why make it easier?

For you, I would just keep a copy elsewhere (friends computer etc.) or just get an additional device (mobile or otherwise).

Not only that but the format of the file is fully documented, so even if they were to shut down tomorrow and the application itself self-destruct, someone can still write a new app to decrypt the password "keychain" without much difficulty.

I was just offering it as a suggestion. Some people like to keep things on their own computers (or servers) and keepass offers that. I use Lastpass, which is hosted and I trust them with my passwords. I simply use keepassx to store two factor reset codes. I do this because if I store my reset codes in the same system as my passwords, then it's not very two-factor anymore, is it?

I completely understand. When people ask me which they should use, I outline the pros/cons of Keepass, LastPass, and 1Password. If you want password management for free, KeePass rocks. If you want to pay, it's definitely a tossup between LastPass and 1Password. I think they are all awesome tools.

This is an aside, but your comment reminded me to check why I've never even considered using 1Password and happily pay for LastPass.

A brief visit to their website later and I remembered: 1Password doesn't have Linux support. It's a shame; it looks really nice and I don't mind paying for good software.

Agreed. Keepass + A fileshare service to sync your database to all devices is heavenly.

are there any known vulnerabilities for 1Password?

I currently use PasswordSafe which is clunky as hell but generally works OK.

I checked the 1Password site and it seems like a bit of a bait and switch. Download links without any mention of a price or trial anywhere on the product pages until you create a vault and see a License link in the menus. Then $50+ and another $10 for the mobile app.

I'm sure it's worth it, but I'd much rather they spell out their pricing up front.

They have a 'store' link [1] right in their header with all the pricing. They could maybe be a little more upfront about it, but it's not really a bait and switch. Also, the prices do seem fairly reasonable for what it does.

The only thing holding me back has been not having great mobile access (as far as I can tell) on Safari on iOS. Looks like iOS 8 will change that.

[1] https://agilebits.com/store

I think they purposely avoid putting a "Buy" link on their product page because they want to get people started before revealing that the software costs money (and a lot of money for a password safe).

IMO it's not far off the equivalent of how tourist trap restaurants in Europe put out bread on the table (something provided for free in many restaurants) and then charge you if you touch any. FWIW, that's considered pretty slimy behaviour.

I've used 1Password for years, and password access in Safari on iOS has indeed been a pain point, but still been manageable. iOS 8 will make it much nicer, with the 1Password extension.

Installed! I guess I knew I should use a password manager, but the analysis paralysis of figuring out which one to use is crippling. I just want someone to tell me what to do!

Another happy 1Password user here. I've been using it for probably about 18 months now and I can never go back to manual account management. It took a bit of upfront time investment to migrate all my existing accounts into the tool but once that was done, it's been a pretty seamless experience overall.

There's browser add-ons you can use to auto-populate your login details that work well for most login forms with mostly no or minimal configuration required. It can get a little annoying when the login form has a CAPTCHA or some other non-standard requirement, but generally all that means is a few extra clicks. When creating new account details, configurable (e.g. length, allowed characters, etc.) password generation is built in.

You can keep your encrypted data store file on a cloud service for syncing between devices, should you wish. Which brings me to the 1Password mobile apps, which allow you to take your details mobile.

Probably the greatest friction point I've encountered has been when I'm on a foreign computer that doesn't have any of my 1Password support tools installed on it. In this case I usually just pull out my phone, navigate to the login details I need and enter them manually. But I take this as a small price to pay for markedly greater peace of mind.

I really can't recommend using a password manager enough. If 1Password is not it for you, then use some other password manager. But just use one.

For everyone suffering from analysis paralysis: KeepassX, KeepassDroid, and KeepassWhateverYourPlataform.

It's not my favorite manager by any dimension, except for portability... but portability is just killer for it.

There was a reddit thread that reviews a bunch of password managers out there: http://www.reddit.com/r/apple/comments/1psfmt/1password_vs_l...

>Dude. 1Password.

Password managers only protect against certain kinds of attack. Many cloud services do not or can not properly encrypt their users' data, so having a strong password won't help in the event that your cloud provider's datacenter gets rooted.

You can't, but if you use a password manager, you can actually use different passwords on every service.

And you can use stronger passwords (if the service permits), thus if they only lost the passwords datbased (assuming it's hashed) you are still safe.

No because say your cloud provider recycle your hard drive to another client with a bad password, then the attacker not only can access the data of the other client but can run a file recovery tool and get some of your files.

Most providers don't erase disks properly. Takes too much time.

AFAIK most providers who don't erase disk get them destroyed. At least in EU.

Don't use Password managers because someone can always root a server and unerase deleted files.

Logic. Win.

I think the main point is that while no platform is 100% safe, you can help alleviate the issue by reducing risk (in the case of the original commentor, they were emailing passwords to themselves).

Of course there are limits to any measure of security, but 1password does a great job in helping people manage themselves.

Personally, it's helped me a lot in just keeping my various usernames/user accounts organized (I sign up for just about anything).

Sure, but it'll stop rayiner from gmailing passwords to himself.

It "eliminates" one attack vector.

While I think using password managers with random passwords is far better than sharing the same password between every account, I've never really gotten comfortable with storing passwords in a file on my computer.

What I'd really like is a password manager hardware dongle of some kind, like the Bitcoin Trezor wallet.

It doesn't matter. If you have malware lurking in your computer it will just snarf your passwords from the wire and then you're owned all the same. If you use some sort of auth signing system, the request can just be intercepted and modified on the fly.[0] The Trezor is next to useless even for bitcoin for this very reason. Sure they can't steal your money directly, but just replacing the addresses you see and send to accomplishes exactly the same thing. If your platform isn't trusted, no amount if smart crypto or hardware dongles can make it safe.[1]

[0]: The rebuttal for this will be signing every request with details of it with a hardware dongle, but would you want to do this for every action in your email client? If the answer is "no", you're owned. Ultimate security is unusable, and doesn't really solve anything outside of the most astute of professional users. Just writing this post I would need 4 signatures, one to log in, one to post, one to fix a typo, and yet another to add this footnote. Would I be able to handle that? No way, I'm far too lazy for that.

[1]: The issue is that perfect compromise is impossible to detect. I can be reasonably confident on a heavily sandboxed device like an iPhone that there's little in the way of malware that would affect me. The downside being that I have no tools or methods of analysis if I thought it was compromised. There's no such confidence on the computers I use on a daily basis. I've always thought we have confirmation bias with malicious software. We only notice the dumb stuff while the smart goes unnoticed.

Doesn't the TREZOR show you the address you're sending from/to as well as the amounts? That would be pretty easy to double-check.

Double check it against what information source? The malicious software has altered the one shown on both devices. They will of course match, but not with the one you're actually meant to be paying to.[0][1]

[0]: http://www.reddit.com/r/Bitcoin/comments/23sjle/chrome_exten....

[1]: http://www.reddit.com/r/Bitcoin/comments/1vrium/a_google_chr...

For passwords you're right, but at least it prevents theft of every password all at once.

For Bitcoin hardware wallets like Trezor, IIRC they either do or will support BIP-70 "Payment Protocol" payment requests that are signed with an X.509 cert, allowing you to verify the request on the dongle's screen.

Nothing stops a threat from just lying and waiting for you to expose a large number of passwords. Having one stolen doesn't raise red flags in itself.

I don't think signed addresses will be particularly effective. With the sort of key stores we have now, it seems pretty plausible that a bad actor to get a certificate that would pass on the Trezor device. It raises the barrier of entry a little though.

It should be just as effective as HTTPS is. Of course whether that's effective enough depends on who you ask. Yes, rogue/compromised CAs are occasionally a problem, but it generally works pretty well.

It doesn't hold up to SSL stripping very well. As we are working under the assumption of a compromised host, the absence of a signature on the Trezor when you don't expect one wouldn't raise any suspicion. The omnipotent host malware can remove all references to the payment request being signed from the payment gateway before the user sees it.

This is eventually going to be solved to a large degree by things like FIDO Universal 2-Factor dongles or whatever they evolve into over the next few years.

It'll basically push specialized requirements to the hardware dongle (ie deciding whether it's enough to confirm user registration/authorization with the touch of a buttom, or whether it needs to be with a 4 digit pin, or even with biometrics like voice or fingerprint or iris scan). The test device in the following presentation video only uses a button press to confirm user intent, but it could have arbitrary requirements, making the protocol usable for both trivial website logins to online banking to eventually perhaps even a replacement for defense department CACs.

Here's a good fairly in-depth video presentation of what the FIDO Alliance is working on (there are functional test devices, and a functional test branch of Chrome that works with them):


This is the future we all need, and if the timelines are correct, it will be released this year, so very soon. Note that Apple should be releasing NFC soon, so it would probably work with this. Everyone wants to stop phishing, as Apple knows very well, and this is the solution. Apple will hopefully jump on board after what just happened. Nudge, nudge.

If the dongle sends cleartext passwords to the computer then the passwords may still be captured. If the dongle sends one-time passwords then it's basically a Yubikey.

I find myself suggesting this to people often, but I'm excited about the Mooltipass[0], an offline password keeper crowd developed on Hackaday. Hope to get one when they've ironed out the bugs and finally move to random passwords.

[0] http://hackaday.io/project/86-Mooltipass

Agreed! At first I figured that if I could save one piece of information for each dollar I had spent on the software, it would be worth my money.

By day two of using 1Password I had 70 entries, and was blown away at how much peace of mind I had. There were seventy things I never needed to _worry_ about forgetting. It was like my brain was holding onto each of those and now I felt more able to just focus on working, it's insane how since I didn't know any better I waited years to finally try it.

Second thing I did, buy a copy for my cousin for his birthday! Hope he has a great year with more brainspace for ideas and less spent trying not to forget things :)

I got screwed by a password manager that got deleted during upgrading a hard drive. Never again

1Password lets you store your (encrypted) password keychain on Dropbox to sync across devices.

You didn't get screwed by a password manager, you got screwed by a bad backup policy..

Sorry to be pedantic - and I feel your pain for losing your data - but there you go..

It was definitely my stupid fault but the fact is that it introduced a bunch of fragility and less control into password management for me and wasn't a great solution. But it seems increasingly clear to me these days that internet-connected devices are simply unsuitable for anything which requires privacy in any case.

You really want to ensure that you've got backups / copies of your password safe.

It also _probably_ means having these online somewhere. You're relying on strong crypto (and a really good base password) to protect you here.

That's more or less why I use LastPass. Same concept, only decrypts client-side, but is automatically preserved across machines and hardware failure.

I use Lastpass. I just logged in online and can see all my passwords so it doesn't seem terribly secure. I there was key-logging malware on my machine it could have got my master password and hence all my passwords off Lastpass. It seems handy for all the crap passwords but I would not want to rely on it for anything that lets people nick money. Unless I'm missing something...

LastPass uses your master password to decrypt your key store clientside. What's stored on their servers is an encrypted blob to which they don't have the key. It is an actual zero-knowledge system.

If there was key-logging software on your machine, you're pooched any way you slice it (since such malware can just snarf decrypted keystores out of memory anyhow). However, with LastPass you can use Google Authenticator or a Yubikey or similar to enforce second-factor logins, so that even if you have malware on your machine, there is a drastically-smaller window in which to attack you.

On the upside, you get phishing protection (LP won't fill passwords for sites that don't actually match the site that you've saved passwords against), password duplication detection and strength auditing, notifications of when your passwords may have been compromised by major breaches, secure transport of passwords to other people, and transparent synchronization across devices. It's quite good.

My problem is that 1Password et al are curing symptoms, not solving causes.

Personal infosec hasn't evolved quick enough to match the technology it depends on. Sure we're comfortable with 12 character, 3 month rotation passwords, but the average 'civilian'? Probably doesn't even have a passcode on their phone despite the massive personal security risk they're carrying around with them.

We need to educate and/or provide easier authentication.

No, no I am not comfortable with 12 character, 3 month rotating passwords. 12 character, ok, but only if the damn thing isn't going to change all of the time. I have a hard enough time remembering my passwords for the computers at work that rotate every three months. You start making it necessary to do that for all of the sites I use on the Internet, and I'll lose access to pretty much every service. Not a workable solution! At least not without a password manager...

Why not just extend the 12-char password you are comfortable with using a random 4-character-ish suffix that you change every three months? It doesn't take long to learn a new set of 4 characters.

12 character? Please! ;-)

(Most of mine are markedly longer.)

Though I'll admit to being a tad less aggressive on the rotation than I ought to be.

A lot of sites don't allow more than 12 chars. Of the top of my head, Nintendo's rewards scheme has a limit on the number of characters, it lets you use more but actually truncates the password to 12 or so. Some sites truncate it on the sly then say "incorrect username or password!" when you enter your stored 16+ character password.

Other sites silently break if you use characters outside A-Za-z0-9. e.g. you set a password with } or @ in it, then can't log back in again.

Ebay wouldn't let me paste a password into the password field recently, I had to type it out, and the keepassx "autotype" feature was thwarted by their focus-altering javascript code on the form. I also think they silently dropped special characters - I know it took me 4 or 5 password reset emails to get the new stored pw to stick.

Paypal requires that you enter a credit card number to change the password, so rotating it is tricky if you don't have the card on hand. I'm undecided if this is good or bad, since this sort of 2 factor makes it harder for someone to hijack your account.

There are a lot of ways that sites try and make life hard if you are doing things the right way and using a pw manager. It feels like there's this big conspiracy driving us to use the same "Monkey123" password everywhere.

Oh, I know. God do I ever know.

I use a password generator. My defaults are _long_. But the nice thing is that I can pass it most constraint rules reasonably readily to create a valid password if I need to fit another use-case.

I don't use Ebay, but that sounds particularly annoying. Conversation on G+ suggests that the copy/paste defeat is to combat copy/paste exploits elsewhere, though by that point you might as well declare game over anyhow.

I'm definitely _not_ using "Monkey123" everywhere. But a lot of sites get a perfectly cromulent password ... and a mailinator.com email address (also randomly generated). I never use the same tokens twice (mostly registration-required but no real utility / long-term state storage).

I started using Mitro, recently for the same thing.

I had been slowly working on a system which would store pseudo-randomly generated salts and store one for each individual domain. It would detect which site I was entering my password into, take the relevant salt and digest it against the password I had entered - sending a stupidly long, digested passwords to the sites which would allow for it. The password itself would never leave my computer. Progress was slow, though, and other projects took priority.

With Mitro, I've done a similar thing by pseudo-randomly generating 64-character base64 strings to store as the passwords for my accounts.

> I had been slowly working on a system...

If you're still interested in this type of system, PasswordMaker has been around for quite a while and does essentially the same thing:


Couldn't agree more: I look at the max allowed number of characters on website X and I ask 1Password to generate a password of that length with whatever complexity the website allows (so preferably numbers and symbols if allowed).

Or a text file or spreadsheet containing passwords, in a TrueCrypt container (I still trust it).

Yep, I do the same. Master truecrypt container on a USB stick that just contains a text file with all my logons.

Then whenever I change that file I backup the truecypt container to Spideroak so I'm not hosed if I my stick gets lost/broken/stolen.

That is completely unusable on mobile.

As someone who consistently needs my passwords on the go, a password manager is really the best way to go.

Do you have to trust that the password manager doesn't upload the passwords? I trust TrueCrypt since it isn't specifically for passwords.

Don't you run the risk of getting the text file or spreadsheet cached to the temp directory?

Good point. I doubt Notepad caches anything on a different drive, but Excel would if auto-save is enabled.

What if you're not on your computer and you want to check something on gmail, or facebook, or airbnb, etc...

They have a mobile version that syncs your passwords across devices. I use the iOS app frequently.

Yeah but still, if you don't have a smartphone, or you don't have your mobile, or you can't use your mobile (different country, no wifi). You're pretty much kicked out of your own accounts.

aka 1PointOfFailure. Having spent several years maintaining and repairing computer systems for corporate and professional clients, I can tell you from experience that it is trivially easy to social engineer someone's credentials out of them.

AKA 1FailureToUnderstandTheThreatVector, the common antisecurity argument of lazy or pedantic people. A password manager is not defending against a social engineering attack (how could it?), it's defending against Joe's Blog getting knocked over and your re-used password on Wells Fargo being disclosed.

Your comment is a really lame excuse for not using a password manager and is quite a bit of FUD; there is no technical solution to a social engineering attack, so it's a clever way out as an excuse to avoid doing something difficult. You are not the first person to try it on me. You also sound like you're making the case for social engineering control of their machine, at which point what does the password manager matter? You have physical. Game over.

I have this conversation regarding self-signed certificates and MD5 hashing as well. "But they don't authenticate," or "but MD5 is insecure!" Yep, I know. Do you understand the threat vector for my usage of either? You sure?

Just use one. Seriously.

I'm at a loss as to what benefit I'm supposed to gain by using one. I don't reuse passwords for anything that actually needs to be secure, though I reuse a few for sites that make me create a password even though I don't care about whether those accounts are secure or not. I dpn't see why I should adopt a password manager just because other people don't practice good password security.

How do you remember all of your passwords?

I'm currently having a failure of imagination here, but how would you social engineer a password manager?

The tricks I'm thinking of involve fooling the user into thinking a site is something it's not or guessing some sort of personal information. But with a separate application the former seems unlikely and the latter is stopped if you use a scheme such as diceware (https://en.wikipedia.org/wiki/Diceware). I understand that naive, theoretical musings on security are no match for experience, so how would you break that set up?

By getting the user to give me control of it, same as if the user was moving everything to a new computer. You don't have to do this via a website; you use a website to create a problem and then make yourself available to fix it.

Not that I'm into this sort of thing, but I've had a few people attempt to co-opt me into criminal activity in the past so I wouldn't be at all surprised to read about such attacks.

Stupid question but what happens if you forget the master password or someone steals it?

>1Password creates your data file using the password you provided when you first launched the application. This password is not kept anywhere and it is never logged. Furthermore, there is no “back door” mechanism to recover your data or password. This approach is very important in order to be able to say that 1Password keeps your data safe and secure. However, because of it, once your password is forgotten, there is nothing we can do to help you recover it.


I have my master password written on a piece of paper that is stored in a safe location, mostly so my wife can access my information if anything ever happened to me, but it also works as a backup if I ever forget my master password for some reason.

Then you have to reset every password and start over.

Looks like they still don't have a native Linux client though.

Well, my point was more that I do want a single password storage solution across the board. I use Linux, Windows, OSX, and Android regularly. I tried 1Password in the past but dropped it as it didn't have a Linux client. I now use KeePass as I can sync my DB across all my devices.

I'm sure it is useful, except for when 1Password attacks take place.

1Password is not a cloud service.

I didn't say anything about how it is implemented. It is software, there is always a way to attack it.

True, but afaik it has the option to use dropbox for device syncing

> data never leaves a company desktop, laptop, or blackberry.

That's not all that draconian. Data never leaves the servers, full stop. (Other than for back-up purposes and those had better be encrypted.)

Seconded. Corporate network only as the place from where company managed clients are allowed to access production network, where the data stays. Even when someone manages to steal all the electronics from the office, he still doesn't get any data/source code/whatever. Easier said than done though.

And you're still going to have to do a lot of work to prevent exfiltration from the servers other than for backup-purposes and track your back-ups and who has access to them.

You are so right on the money. We used to see hacking into celebrities' gmail inboxes, social accounts, dropbox stores - all through social engineering. We now see hacking into icloud. Next we will see hacking into gdrive, onedrive or some samsung cloud - if enough celebrities start using Android or Winphone. The pattern is the same, so is the weakest point - the actual user. Maybe it's time to educate people more instead of writing more security software.

  I'd really be thinking hard about my cloud policies
A lot of social engineering attacks involve things like security question password reset, lost second factor reset, lost access to backup e-mail/phone, and things like that.

Don't most enterprise cloud offerings dispense with things like that, because users can visit a helpdesk in person?

I think this points to the inherent weaknesses in the concept of "username/password". Why do we still have this paradigm? It worked in the 80s, but I think there needs to be a new paradigm in place today. Ideally you'd want a system like public key authentication, with some bio-marker used for identity management.

> The policy at my previous employer (we handled a lot of extremely sensitive information), was pretty draconian: data never leaves a company desktop, laptop, or blackberry.

Really? And how do these devices inter-communicate if data never leaves from anywhere to anywhere?

Burying a laptop to the ground would make it safe enough to keep out the bad guys.

> Burying a laptop to the ground would make it safe enough to keep out the bad guys.

That will just drive the bad guys underground.

You can use citrix or terminal services so the sensitive data never leaves the servers.

Couldn't someone just screenshot the citrix or terminal services session while the user is using it?

Sure, but that only gets you one screen of a sensitive document, and is a lot harder to do inconspicuously than to surreptitiously look at a file that a user saved to his personal laptop's desktop with the filename "Details of Unannounced IPO.doc."

While I am complete appalled by the data breach and hope that similar things never happens to anyone again

I would like to propose a purely thought experiment:

The hacker reported sold the nude photos of Jennifer lawrence for a mere sum of $130 using bitcoin.

If we apply game theory here, these kind of data is very difficult to monetize. If you sell one copy of the data, it is then immediately distributed online for free. Although, nude photos of celebs are arguably very valuable.

The question is: What is the ideal path for these people to maximize profits?

I think the better alternative would have been a kick starter type model where the attacker will only release photos if reaches a funding goal (let's say $50k). The attacker might release less revealing photos to build interests in the goal funding.

I often hear about decentralized kickstarter models with bitcoin (mutlsig; or ANYONE_CAN_PAY hash type). But I always thought of them as gimmicky. This is actually a use case for it.

So going beyond, celeb photo breach, this similar model should be applied to many more scenarios. ie.

1. you have a valuable asset,

2. but it loses value immediately after the first distribution

3. so you must capture all of the value at distribution


Anyone can pay: https://bitcoin.org/en/developer-guide#term-sighash-anyoneca...

While I don't actually have any solid grasp of the code that would be required, I imagine it would be possible to release 1 image to show that one does indeed have a collection of "valuable" photos. Once trust has been established that the person probably does indeed have additional photos, people will be more willing to submit bitcoin.

You overwrite each pixel of each photo with black. You assign every photo a bitcoin address and perhaps give a name describing its content (something kinky, obviously). Each photo has a set amount the person is asking for its release. As bitcoin is sent to each photo's address, more and more pixels are revealed, as a percentage of the remaining bitcoin price.

You can go further by making the first few photos far cheaper the next (potentially more sultry) photos, creating an exponential pricing system that will likely benefit the hacker. Trust is increased as a low cost photos are revealed, demand for more revealing photos increases as trust increases.


As noted by ______1, the hacker did something similar by censoring the photos and offering to uncensor for bitcoin. The difference here is that people sending bitcoin have no guarantee that the photos will actually be released once the bitcoin is sent. They don't have any guarantee that the posted bitcoin address is not an imposter, and the real address is elsewhere. They don't even have a guarantee that the hacker was already caught, thereby wasting their bitcoin. That system is lacking in trust. A dynamic system described above would help mitigate that problem (even though the hacker could reblack-out each photo and tell them to start again, but that would completely demolish any future trust, although it would hardly be considered "stealing" since the percentage paid of each photo was already released).

That's an interesting twist on it; "unlocking" (unblocking) the pixel one at a time. Almost like a perverted Million Dollar Homepage of yesteryear.

I believe that this applies to many products using digital distribution that meet the following:

1. The asset takes requires a significant amount of resources.

2. The asset will require all resources in order to distribute.

3. No further resources are required after distribution.

Music, books, art, and even software that does not require updates would fall into this category.

See, for example, perhaps, this album from the Wu Tang Clan:


That's a very interesting read, and I'll have to give some thought to the implications therein.

I was originally thinking of something more along the lines of Radiohead's In Rainbows, released online for a donation, but may combined with a kickstarter-like fundraising effort to pay the upfront costs.


Probably this example is more accurately described as the 'ransom model'.

An almost Dawkins-esque level of tone-deafness.

Dawkins-esque, sure. But I wouldn't call it tone-deaf. You just have to realize that some people like talking about events at the meta-level instead of focusing solely on object-level details.

It's important to not think about certain hypotheticals out loud, so that you can signal what kind of person you are.

Only someone who knows the market can maximize the profit. These pictures would make a lot of money at the hand of specific low/high (depend on the view) magazines, on someone would wanna destroy JLaw's reputation or as ransom... How much money would JLaw pay for the original files?

However, how many people do you think can answer the above questions??

It's like when someone steals a huge pile of jewelery. He steals it, but he needs the mob to sell it... Otherwise he can't monetize.

A bit of a tangent, but it's worth noting that the amount JLaw should rationally be prepared to pay for the original files is zero. If you pay a ransom in a situation like that, all that will happen is a) the guy will take the money and then sell the pictures anyway, and b) you set a precedent that you can be blackmailed, which means the next blackmailer might come up with something worse than some rectangles of RGB pixels.

This is exactly what happened though. A BitCoin address was posted, and the leaker was taking "donations" with the promise of delivering more pictures, showing proof that he had more by showing partial screenshots of them.

This would also facilitate committing to assurance contracts via bitcoin.


Paparazzi have no problem selling exclusive photos.

Because those photos are not stolen and they own the copyright.

Hut those are not stolen. It's much harder to get a good price for stolen goods because there is no demand from legitimate buyers, in this case large publishers.

Fair enough but that wasn't the thesis of the OP which related to the "first" copy.


> Preventing the oracles from colluding to prematurely release the keys, or not release the keys at all, is a harder problem.

No, the harder problem is knowing the "encrypted" data is something other than a directory of the sellers favorite goat-porn. A cut and choose proof could be used, but non-interactive ones require a lot of samples to have good security... and revealing a lot of sample images is something the seller doesn't want to do here.

To put that in concrete terms: Say I claim have a million nudes of Elmo which you'd like to purchase. I give you an encrypted copy of them. You pick some number at random, and I reveal the keys. You decrypt and get find all of them to be fine examples of the promised images of Elmo in all Elmo's glory. You are now convinced that it is likely that the rest of the images are similar— since your selection was uniform you can use simple combinitorics to how likely I would have been to get away with various levels of fraud. "That tickles"

To make this protocol non-interactive with a fiat-shamir transform— I hash the encrypted pictures and use the hash to select which ones I reveal. This requires many more examples to achieve security because I could have been secretly grinding one of the images until the hash picked the few passing examples I had. (There are, however, ways too boost the security by inserting an expensive process— like giving away Bitcoins— into the inner loop).

It's likely not reasonable for a collection of just a few dozen images, even with strengthening, however.

For machine decidable things— say a DRM master key— other approaches are possible (https://en.bitcoin.it/wiki/Zero_Knowledge_Contingent_Payment) but since no one is likely to turn up a program that decides nudes of one celebrity vs another, about the best you could do is a non-interactive cut and choose selective reveal over _pixels_, and use compressed sensing techniques to build low res images to decide if the rest of the pixels are worth paying for. If you're happy with that, then at least theoretically, the ZKCP approach lets you pay for the keys for the rest of the pixels with no risk of being stood up and no third parties.

I use strong passwords generated by 1Password for everything.. except for iCloud. There I have an idiot password.

Why? Because freaking iPhone asks for that when I want to download something from App Store. How do you guys handle that?

I don't get Apple's password based security at all. The stupid question/answer thing they forced everyone to do was just crazy.

You have a physical device in your possession. Apple don't seem to have heard about two factor auth. If the only company on the planet that obsessively ties consumer hardware and software into a single cohesive product can't get their shit together the future worries me.

It should be the default (with an opt out for access from non-apple devices) for every Apple service to authenticate with the device as well as the password. Anyone who steals your Apple login but not your phone should have zero chance of accessing your data.

They've had two-step authentication since March of 2013: http://support.apple.com/kb/ht5570

Except the article seems to be saying that Apple's two-factor auth isn't required to access iCloud backups and that it only protects account details, payment methods, etc.

Adding two-factor gets rid of the security questions and would have prevented them from getting the password though.

Only available in certain countries though. Mine being one that isn't yet available (Finland).

Their FAQ says it's available in Finland

Don't use an "idiot" password, use a long password.. Good passwords aren't complex, they're LONG..

"this is a really dumb password" is probably actually a really good password. ;-)

And also, your "problem" is simply your decision to trade security for convenience.

You need to weigh the risks vs. reward and make the choice for yourself. If something goes wrong, at least you'll know why.

The problem is to tap all of that into your phone, every time iOS decides it desperately needs it again, with just stars instead of letters. That's annoying.

I've got a fairly long iCloud password with upper and lower case letters, numbers, and symbols. After four or so years of typing it on iOS devices, I have the muscle memory to type is extremely fast without thinking about it. In fact, to figure out the actual characters of the password, I have to visually reconstruct the physical typing that I do from muscle memory.

It's a pain, but really not that bad. You tweet from your phone (or use email/SMS/whatever else). 20 characters is manageable and secure, as long as it's randomly generated.

If it's randomly generated, it's impossible to remember to fill in on your phone. Unless you have it on a piece of paper in your wallet.

Really? I remember quite a few four-word (xkcd-style) random passphrases.

Bingo. I'm actually thinking of diceware.

20 chars: bu-Y6Bx(94ijk1Y5$kWx

Long passwords (aka the xkcd scheme) aren't secure anymore - https://www.schneier.com/blog/archives/2014/03/choosing_secu...

The only good passwords are ones that stay well away from dictionary words..

Bruce Schneier clearly misunderstood the xkcd scheme.

In fact, the Schneier method for generating passwords is probably worse than the xkcd method because a significant percentage of the people who try to use his method will choose a password with low entropy such as "wtpotusio2fampu" (We The People of he United States...) or "igmhaohcr" (I'm gonna make him an offer he can't refuse).

All I have to do is crawl the internet and calculate, say, the top 5 million n-grams. The resulting 5 million candidate passwords would be far more likely to match a typical Schneier-based password than a corresponding list of 5 million candidate passwords designed to match an xkcd-based password.

The simple rule is this: Don't let users choose a password. They suck at it.

Six really random words -- not a sentence -- gives you pretty good security.

Six words chosen from this list http://world.std.com/~reinhold/diceware.wordlist.asc truly at random gives you almost 80 bits of entropy. And six random words are easier to remember than 16 totally random letters.

EDIT seriously, 221073919720733357899776 is a really big search space. If you have a computer that can search a billion per second, it's going to take 1000 computers 1000 years to catalog just 14% of the search space.

The Schneier article is puzzling; the security of the diceware/XKCD scheme doesn't rely on the word list being secret, just on the words from the list being chosen randomly. 4 words randomly chosen from a list of 5000 provide about 49 bits of entropy when the list of words is fully known.

Against an attacker who knows exactly how you chose your password, it's (roughly) the same level of security as a 14-digit numeric code, or an 8 letter case-sensitive alphanumeric code. It's just supposed to be easier to remember.

His point is that using actual, grammatically correct, sentences is not the same as using several random words. As your mobile keyboard autocomplete well knows, after a certain word there are words more probable than others.

How many people use this kind of approach, I don't know. Schneier seems to focus on "three random letters" kind of attacker.

A good password is one that's not known or readily knowable.

There are archives of know passwords -- millions of them. These should be rejected on any online service.

There are tools for guessing passwords. Any password which falls into any of he likely-to-be-guessed divisions should _also_ be rejected.

Dictionary words _could_ work in a sufficiently large namespace. But that's pretty iffy.

You can use a different password for purchasing apps, and a different password (Apple ID) for your iCloud data.

This goes for Game Center as well. You can use a different one for your mean, nasty, trash talking Gamer persona.

Apple doesn't always make this clear, and I see a lot of people confused about this, but this is an option.

Another login that can use a different Apple ID is Find My iDevice.

OK I must be dumb today, but I can't figure out how to do this and Google isn't helping me either - can you describe, or point me to a link, on how to set this up? Thanks!

I think it's that you can use different Apple IDs for each of these things.

First, create a new Apple ID.

If you want to use this for your App Store account, go into Settings then "iTunes & App Store", and sign out of the previous account. Log in using then different (new) Apple ID.

If you want to use this for your iCloud account, go into your iDevice's Settings, then iCloud, then "Delete Account". It will delete the iCloud data on your phone, but it should still be available on iCloud servers, and any other device hooked up to that account. I haven't looked into how to transfer data from one iCloud into another.

I've memorized a non-idiot password I use solely for iCloud.

lastpass on android has the ability to insert your passwords into app login forms (via a custom keyboard / accessibility API, I think). I don't know if the same is true on iOS

No, but there's hope it'll be supported under iOS8's app extensions and custom keyboards. It does have it's built-in browser for now.

I've been using a scheme that involve easy to type password, like: qwertyuioplkjhgfdsa/ qazcdetgbmju / rtyujhgfvbnm (if you 're wondering how to memorize those password, looks at the QWERTY keyboard). Combining with number and capitalization, I feel pretty good about my odd of surviving the brute force/ dictionary attack. But I can't quite quality the exact amount of combinations for those schemes. Can anyone tell me why this would potentially be a bad idea?

I don't think it will necessarily work because some cracker has just probably added that to their personal dictionary(if they didn't before). It might work if you add 3.14159627 to it or a number/symbol set of your choice. I guess length is fairly key as well.

You should look at some wordlists. A lot of qwerty / qazwsx / asdf combinations appear.

I have 1Password for iPhone and copy the generated password from there every time I need it. Certainly a pain but worth it. In the end, it doesn't take that long: 1Password is on my home screen, the Apple login is favorited and I can type my master password fairly fast. The most annoying part really is switching between apps.

I also have my phone set up for iOS not to ask for the password for 5 or 15 minutes (can't remember the exact option) after I entered it.


Yeah, how about the first time? I mean, I do not buy apps all the time, maybe once a week. And I'd have my battery dead or something like that in between those attempts.

So, I never had a chance to just hold my thumb on the home button and go my way.

I have this problem all the time. My current process is to:

1. open the App store but don't click on anything 2. hit home button 3. launch keepass client 4. navigate to apple account entry 5. copy password 6. double tap home button to bring up multitasking menu 7. tap app store 8. click install 9. paste password

It feels really stupid doing it, but you can get pretty quick at it. I can't wait for my next iPhone upgrade with touchid.

This is really easy. You have one good password for 1pass, and one good password for iCloud.

If you can manage to memorize one, you can memorize two.

My real problem with this is writing the password with numbers, punctuation and stuff on a mobile keyboard. Feels like surgery even if I'd memorize it.

I use 1P on my laptop most of the time so it's not a huge deal. Everything else on the iPhone just remembers credentials.

I know I can force myself to use a great password for iCloud but my point is that most of the time, I'd go for an idiot password rather than forcing myself. Just like most people.

that little voice in your head that is screaming "i hate this" is your problem. It really is not a big deal to type a password, and even to type it a few times, just try to have a more zen attitude about it. It's how passwords work, stop trying to figure out how to defeat your own password, it's doing what it's supposed to do.

This may help, some special characters dump the keyboard back to the primary keyboard, so create a password that is letters, then numbers/specials, then the ' character, then more letters.

for example, pass2'word would only require you to hit the alt-keyboard switch once.

A good password doesn't need all that stuff. Just use something of sufficient length. A sentence, for example.

Check out PasswordPilot on jailbroken devices :)

The thing that bugs me is that you could have good password practices. But if you're having a party, having a fun time (and lets face it, people are going to do shit...), and one of your friends is snapping photos of you, and they have bad password practices, then you are kind of screwed. People don't typically make friends on the basis of: do you have good password practices.

Information my friends have is something I've had to accept letting go.

I once resisted signing up to Viber because it required that I upload my entire address book. However, I found out how many of my friends are already on Viber, which means the likelihood that Viber didn't already have someone's contact information was very low. It also meant Viber already had all of my contact information.

Another scenario is Facebook's tagging. Even if I don't confirm all (or any) of my friends' tags on my face, the fact that they manually tagged the face as mine likely counts a lot for FB, so that battle is already lost.

OTOH, if you're a celebrity at a party, and you "do shit" and someone takes a picture of it, the horse has pretty much already left the barn as to whether that picture is going to show up on reddit and it's just a question of when...

Yup. And that very reason is why many people don't have social networking accounts. You can control what you share, but you can't control what your friends share.

How not having a social networking account helps with that? Not only you still can't control what your friends (that is, the real-life ones) share, now you're the last to know if they share something about you.

Perfect example is Facebook. You don't have to be on it for them to know your phone number. If 2 of your friends have the "Share your Contacts with Facebook" option turned on, chances are Facebook has your phone number/whatever else your friends store on their friend about you.

Or: you've got good password practices, but you send content to someone who doesn't. Or they do. Or their friends do ...

When you realize that celebrity nudes are only the tip ("just the tip") of this iceberg, the real implications start sinking in.

The groups trading in info were also targeting exes and other associates, possibly businesspeople, politicians, and others, and the information in question isn't merely skin pics but _anything_ that was on those accounts.

Or you can use two-factor and strong passwords everywhere, but if your spouse is still using "letmein" on every account, you're gonna have a bad day soon.

> Password reset is answering the date of birth and security question challenges (often easy to break using publicly available data – birthdays and favorite sports teams, etc. are often not secrets)

I really dislike this trend of "personal questions" to reset your password. The first car I owned or where I'd like to retire is easily obtained information. When are websites going to stop doing this?

I answer these questions using passwords generated from 1Password. So basically I have 4+ passwords per sites that use these questions. Very annoying.

What about just using a basic cipher for your questions? It is what I do. So if the question is "What was your first car?"

Answer could be: Ford

Instead it is Enqc or droF or Gpse

Well like many such website "security" practices, if you know why they're bad, they are no longer a problem for you. But normal people don't know why security questions are a stupid idea, so when an otherwise reputable website (like an e-mail provider) asks you for your first car or favourite toy, they assume it's how things are supposed to be on the Internet.

I'm moving to nonsense and random answers stored in Lastpass but what I had been doing is just answering them as if I were one of my friends. I have a dozen friends where I know most of those answers.

So if I'm understanding this from a technical perspective, the real story is that this is/has been going on for quite some time, and there's an entire ecosystem devoted to it. The general public rarely ever sees behind the curtain, but somebody got greedy in this case and we ended up in a race to the bottom.

If true, interesting that such a layered economic structure can exist without much press or public comment -- until something like this happens.

Fascinating. Makes you wonder what percent of the total activity these 100+ celebrity invasions represent.

Well the fact that JenLaw's photos went for the extremely huge amount of $130 suggests that either there's a lot more of it out there, or that the guy who stole them couldn't fence them (per [0] thread).

Anyway, you summed up the take-away from the article perfectly. Since this seems to be going on for some time, I wonder how the whole ecosystem kept coordinating this well so far, that it's the first time we hear about such big (but still lousy one) defection.

[0] - https://news.ycombinator.com/item?id=8260233

Yeah, there's some hard-to-accept math in that story.

If JenLaw's photos were worth $130 or so, that means that any photos that any of us have are associated with a market value. And it ain't that much.

Well, that our photos have a price tag is kind of obvious. Everything has one. But I'm very surprised by the amounts we're talking about. I'd expect JenLaw to be extorted for hundreds of thousands of dollars, or at least those photos going for many $k (and THB, some other celebs have much worse photos/videos in this leak). So them going for $130 implies that either celeb sex tapes are really common/cheap in the darknet, or we have no frikkin' clue what's going on out there.

Anonymous extortion threatening to release something that is trivial to copy is not going to work, because there is nothing to guarantee more money will be requested next week, or that the material will not be released later.

As far as selling it, the price cannot be very high, because nobody has that much to gain from being the first with the pictures. It's illegal material after all, so magazines can get in trouble for buying it. Put it in a shady, for-pay site, and with it being illegal material and all, it'd be in a torrent in minutes, so how many times will you really sell it?

If it was, say, a presidential candidate doing hard drugs and cheating on his wife with a man, then maybe you could say that the opposition would be willing to pay for the pictures to be released, regardless of how they were obtained: There'd be millions at stake. A naked actress? not so much.

Well.. this is a black market with no ability to self-regulate. So, the prices are going to be incredibly low compared to their everyday value; to be a bit crude, these are crackhead prices.

That sounds about right. There are a lot of photos out there, so the individual value is small.

Why is nobody talking about password reset questions?

I hate those so much. They lock me out of my accounts more often than they help. I always enter bogus answers because I think I'll never need to use the feature, then I run into a situation like:

"Resetting your password via email? Ok, you also have to answer these security questions that you entered 'akjhdhksdfsdf' into when you made your account!"


"You've logged in from a new computer! Please try to remember what you thought your favorite band was 4 years ago. You have 3 tries remaining."

Shit people, if you want me to write this stuff down, at least tell me when I'm creating my account that you basically expect me to have 4 passwords.

1Password can store those for you as well.

As can an encrypted text file or a post-it note under your desk. It's still a stupid security anti-pattern.

As can KeePass.

Google dropped them.

We no longer support security questions as a way to access your account.


It seems attackers used them somehow:

"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone."



Hopefully the idiots who call themselves security experts will stop making me answer "what's my mother's maiden name".

If they really want to make it safe, one easy option would be to make the question arbitrary. Of course then average people will have no idea what to put it there.

Of course, don't put "What is Love?" with the trivial answer...

> Hopefully the idiots who call themselves security experts will stop making me answer "what's my mother's maiden name".

This is done by developers, not security experts. If security experts had their way, it would be equally bad but for the right reasons, ie client-side certificates or smart cards.

Calling them idiots is also wrong. Its a bad solution to a hard problem, but it works and scales and users have been trained to expect it.

I'm not sure if it's completely fair, but everytime I see "security questions" I can't help think: "Oh, it's an American site".

Silly "security" questions about mothers, dogs and favorite teachers seems to be cultural to the US (and maybe Canada), why is that?

Having moved to the US from the UK it's really noticeable how poor security culture is here in general. Plenty of things are secured by "the last 4 digits of your social security number", utility companies operate mainly on your address, very limited support for chip and pin (credit cards are still all signature based, and no one ever checks the signature).

The whole "mother's maiden name" thing is pretty popular in US banks. I'd wager this is where it came from.

Then again, you are talking about a country where the only thing people need to steal your identity is your ... social security number. Brilliant.

Stealing the social security number in Denmark is just as bad and possible easier than in the US. If you know a persons birthday and gender you have at least a 1 in 500 chance of simply guessing the last four digits.

That's exactly not the point. The point is that it shouldn't matter that other people know your SSN. What effect does it have in Denmark when other people know your SSN?

Good question, it's about time they were dropped entirely from anyone who claims to be protecting anything of value.

Choice quote:

To reiterate what the main bugs are that are being exploited here, roughly in order of popularity / effectiveness:

Password reset (secret questions / answers)

Phishing email

Password recovery (email account hacked)

Social engineering / RAT install / authentication keys

Note: Not weak passwords.

Here's a question: How did the attacker get the usernames of the celebrities? Those aren't exactly public info (unless they used the same name as their Instagram account or something).

The article discusses this very point in some detail (see especially point 7 about iCloud email testing).

I use a Yubikey with a generated key.

This is only half of my password; the first part is a password I can remember easily with numbers and letters, the second is the generated key.

This means that even I don't really know my password and if someone found my Yubikey then it's useless to them without the other half that only I know.

(I do have a printout in a safe place of the key and also a backup Yubikey)

I use this password for my computer as well as my 1password vault which is generally filled with randomly generated keys for each website.

Might sound a bit overkill but if you can; why not?

Same here on halfsies, I use YubiKey Static + 2FA http://www.yubico.com/products/yubikey-hardware/lastpass-yub... plus a Password card https://www.passwordcard.org/en both for 1Password and LastPass

I like 2FA on LastPass but the UX is better on 1Password

For files like my Tiddlywiki http://tiddlywiki.com/, I like Minilock https://minilock.io/ with BTsync https://github.com/tuxpoldo/btsync-deb

i admit i'm lazy and have less secure login creds in my Tiddlywiki but at least it has some crypto https://crypto.stanford.edu/sjcl/

That sounds secure, but help me understand: Is it the same password everywhere? How do you manage the different passwords for different services? How do you enter your password to login on an ipad, or on your phone?

My biggest problem with the Apple's password policy is that I'm required to enter it periodically on an ipad or iphone - meaning I can't keep it lastpass and that complex alphanumeric passwords are even harder to enter.

My iOS accounts are, unfortunately limited to a password that I can remember but I use one with numbers and letters and a mixture of uppercase and lowercase characters.

Most of my website passwords are generated keys; each different - all stored within 1password, should there be an issue at any point (doubtful) I can always go through the "forgot password" features on any given website to reset it to something temporarily that I can use easily.

What's the advantage to this over simply using 1password?

It's mainly for my laptop to be honest but as it's just a tap away why not secure my 1password vault more securely at the same time?

I also run software on my MacBook Pro so that when I pull the Yubikey it automatically engages the screensaver which in turn requires the password to disable.

Just to give OP a heads up: the article's font is rendering terribly in Windows Chrome.

I dropped the font, didn't realize it was so bad until somebody emailed me. Saw a screenshot, yikes.

I've noticed this with my own websites. Fonts consistently look great in FF and IE but terrible in Chrome. What can be done to fix this?

Turn of the DPI scaling in Windows.


Google around for the actual steps.

I'd rather not do a fix like that; I want to notice if sites I code have the issue.

I agree, but until Google gets the fix in you can have no way of knowing what it will look like because it all depends on the hardware and how it has been scaled.

I only came across this because my daughter's new laptop with an HD screen made Chrome look awful and I didn't understand why since it looked good everywhere else.

Use Firefox? Chrome has bad font rendering consistently, it's nothing you've done.

Try increasing font size to 110% in this case.

yep, i kept reading, but the font made it painfull

Isn't showing partially blacked out private photos still a violation of privacy? If the author of this post really wants to be white hat, he should modify the image (above 14) to obscure the non-blacked out part of the photo with a different color. I'm unfamiliar with that celebrity in the picture but if I was familiar with her work, it would feel creepy to look at it.

thanks - fixed. didn't notice I picked the wrong image out when uploading.

The average user does not know much about security. They trust Apple's brand more than they trust their friends (with secrets and health apps) and they will now likely stop using many services rather than step up security.

What is interesting is that the perception among normal people I heard speak about this is that all of iCloud has been breached, i.e. everyone's photos are in the hands of hackers and they only released the pics of celebs.

The reality is of course likely that an attacker was able to hack one phone which among photos hosted contacts and mail addresses of other celebs and from there on they got their hand on more accounts to directly target.

Anyway, my point is that to average consumers it does not mean that they need to use stronger security or that they would understand about targeted attacks. They will believe Apple has been breached and they will think more before creating private selfies or putting health data onto their until now so trusted companions.

  > 6. iCloud is the most popular target because Picture Roll backups are enabled
  > by default and iPhone is a popular platform. Windows Phone backups are
  > available on all devices but are disabled by default (it is frequently enabled,
  > although I couldn’t find a statistic) while Android backup is provided by
  > third party applications (some of which are targets).
Fragmentation, for the (security) win! </sarcasm>

Not really, of course. The big win (shared by Windows Phone) is simply not turning on the security-sensitive cloud service by default. That being said, it is worth noting that enabling/encouraging third-party service competition can create an extra hurdle by discouraging cloud-service monocultures.

Does Android really not provide an auto upload of snapped pictures to the cloud? I was under the impression that they did this way before iCloud even came up. First it was to Picasa or some place, then to the google+ place somewhere.

Either way, I don't even remember if the iCloud upload was default or not. When it was introduced I took an interest to find out how to deactivate that in case it was enabled by default. Don't remember if it was. All I know is, it is disabled on my device and it'll stay that way because I really didn't want to use this.

> Does Android really not provide an auto upload of snapped pictures to the cloud? I was under the impression that they did this way before iCloud even came up. First it was to Picasa or some place, then to the google+ place somewhere.

When you sign into Google+ or Dropbox (among others), you are presented with a screen where you can enable photo uploads to those cloud accounts.

Dropbox does it for you. Plus you get a free 50GB dropbox account with many Android devices, so the incentive is there.

I think the cloud has proven to be untrustable. One must assume that any data on any public cloud service (including email, photo libraries, documents, mobile device backups, etc.) will become public, and use the cloud with that mentality.

Reddit should not be listed among the sites hosting the stolen images, as reddit does not support image uploads. Imgur is the primary site hosting the stolen images in that case.

Are we still unable to move past this pedantic hosting-vs-linking nitpicking? It's like you willfully ignore how content discovery works on the Internet.

Just to be pedantic: By the same logic, Google is also grossly hosting tonnes of illegal material.

Google doesn't have moderators posting messages like "uh-oh your illegal content is being taken down. Here's a list of other places to post it." Meanwhile, Reddit has precisely that. Warning: link to NSFW board, though this post isn't itself NSFW.


In which the mods write: "On another note: please use other hosting sites besides imgur.com. We have a large list of whitelisted domains listed here that you should be uploading to besides imgur. Do not put all of your eggs in one basket."

The differentiation is knowledge & intent. Nobody types in random photo GUIDs after the imgur url to find content, just like nobody generates SHA-1 hashes hoping to find valid magnet links. Users follow a route of links through search engines and content aggregators to find what they're looking for. Look, I know it's easy to take this whole issue to ridiculous logical extremes[0], but the argument that you don't have culpability by hosting links is really, really weak.

To head off the probable route this discussion will take, linking to Google or Reddit as a whole does not incur the same culpability as those sites do by linking directly to the material, as finding the offending link requires additional knowledge. If you linked to Reddit along with instructions like "go to <subreddit> and click the third-highest link for the week" then it would incur culpability as it's functionally identical to linking to the content directly.

[0] http://en.wikipedia.org/wiki/Illegal_number

I'm merely attempting to correct the author's libelous statement about reddit. Reddit has never hosted any stolen photos, period.

Imgur revealed earlier this year that they have similar image detection built into their back end. Despite the ease with which they could use this to automatically sweep 99.9% of the Jennifer Lawrence photos off of their site the instant they're uploaded and shadowban the uploaders, and despite the fact that every one of their 12+ employees knew about this leak the instant it happened and also knew that their own site would probably be one of the two most actively used to spread the images around the world, half of the Jennifer Lawrence albums I checked there still have all images intact. One album has over 30,000 views and has existed for two days. Why haven't they activated their similar image detection algorithm in this case? At best, this is neglect bordering on malice.

The damage Imgur does by actually hosting these stolen images and dragging their feet for as long as possible when responding to DMCA takedown requests has nothing whatsoever to do with a text-only discussion thread on reddit. The author should correct this accusation and lay the blame where it belongs.

There's pedantry and there's basic factual accuracy. It's like hosting and discovery are different concepts on the Internet.

Reddit's the same site with the dedicated subreddit called "/r/thefappening", right? That Reddit? I'm not seeing how they get a completely free pass here, it's like saying UNIX doesn't store file data under file names, but under inodes. Perhaps pedantically correct, but completely missing the point.

You would have a point, but having just scanned the text, I couldn't find anywhere that it says the images are hosted on Reddit. It says they were "posted to Reddit" which is ambiguous at worst, very far from the allegation you are making.

The text says the stolen images "appeared" on reddit, which reads as an accusation that reddit users or admins were directly embedding the stolen images in pages on reddit itself via CSS or the <img> tag.

The text also repeatedly clumps reddit together with 4chan and anon-ib, with the implication being that they are all sites capable of accepting direct image uploads.

What allegation do you feel I've made?

I'm wondering if simple GeoIP check can prevent lots of intrusion attempts - if the user consistently logs in from one location and then suddenly tries to log in with the wrong password from the distant one, that's the red flag that warrants temporary account lockout at least.

I swear Apple did this to me repeatedly last year while I was travelling for a month. I could never purchase apps.

One problem with this is VPNs. I regularly VPN (both to my house and via a service like Private Internet Access) so my location can change quit a bit.

problem #1: GeoIP isn't accurate enough

problem #2: Travel becomes more of a pain because your apps/phone stop working.

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact