Old 09-03-2014, 10:01 AM   #21
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,337
The real public fiasco, IMHO, is the fact people put compromising photos out in the cloud in the first place. What is that about?

Several years ago, I read a travel tip that recommended scanning one's passport and uploading the scan to a cloud-like service such as Evernote or DropBox. Supposedly, this would help a person if she lost her passport.

But, these sites, the last time I checked, do not encrypt the data uploaded to the site. So..... this was not such a good idea.
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is online now

Old 09-03-2014, 10:03 AM   #22
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,337
Apple has two-step authentication for certain iCloud functions.

Quote:
Two-step verification is an additional security feature for your Apple ID that's designed to prevent anyone from accessing or using your account, even if they know your password.
It requires you to verify your identity using one of your devices before you can take any of these actions:
  • Sign in to My Apple ID to manage your account
  • Make an iTunes, App Store, or iBooks Store purchase from a new device
  • Get Apple ID related support from Apple
Frequently asked questions about two-step verification for Apple ID
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is online now
Old 09-03-2014, 10:39 AM   #23
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 18,300
Quote:
Originally Posted by donheff
+1. No one should be able to mount a brute force attack on any site. .... If Apple allowed an external source to pound away at an account access interface they really F'd up. If so, it is outrageous that they are blaming the victims. Let's face it, even with social engineering it is highly unlikely that attackers will guess your password and/or secret questions/answers in three attempts.
Quote:
Originally Posted by Chuckanut
Interesting. I would think that any decent security system would limit the number of consecutive failed logon attempts. After a certain number of attempts, the attacker would need to answer a security question (keep those answers weird!), use second-factor authentication, or even wait for an hour or two before being able to logon again.
This seemed obvious to me as well, but then I thought about the implications. Wouldn't the real user (especially high profile people) just get locked out all the time from the false attempts? As soon as the hour re-try limit was passed, the crooks would hit it again three times.

Of course, these celebrities are idiots (unless they were looking for publicity) to put stuff they don't want in the hands of others on a cloud server with hack-able passwords and security questions. Many accomplished people may not have much sense in other areas of their lives, but still - think! Plus, you'd think young celebs would have a bit more 'internet-smarts' (the equivalent of 'street-smarts' from our times).

-ERD50
__________________
ERD50 is offline
Old 09-03-2014, 11:26 AM   #24
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Jun 2008
Posts: 7,907
I think the lesson learned (again) is that "Private" is not private and "Deleted" is not deleted no matter how nice "The Cloud" sounds.

Now I read that the hackers are from this ring that trade these violations and not just some lone hacker.

The news is a reminder why come tax time I'm happy to just download tax software to my PC and create the forms locally then use the "safety" offsite.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now
Old 09-03-2014, 11:30 AM   #25
Full time employment: Posting here.
 
Join Date: Jul 2013
Location: Texas
Posts: 881
another conspiracy theory...
[Attached image: 10609443_10203504677396364_9219895658966659194_n.jpg]
__________________
Tailgate is online now
Old 09-03-2014, 01:11 PM   #26
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 8,657
Quote:
Originally Posted by ERD50
This seemed obvious to me as well, but then I thought about the implications. Wouldn't the real user (especially high profile people) just get locked out all the time from the false attempts? As soon as the hour re-try limit was passed, the crooks would hit it again three times.


-ERD50
Yes, it has happened to me more than a few times since I am a touch ADD and keep banging away without noticing my caps lock is on. But poking around with three tries every few hours is not a dictionary or brute force attack. It might get into an account that used something truly brain-dead like "password123" but would not likely work with even a very weak normal password.

Dictionary attacks require an ability to pound the server continually with automated logon attempts -- or, (required with sensibly protected sites) pounding away at a stolen copy of the encrypted password file residing on the evildoer's server. Then the evildoer can logon to any of the accounts whose userIDs and passwords the attack cracks.
__________________
Every man is, or hopes to be, an Idler. -- Samuel Johnson
donheff is online now
Old 09-03-2014, 01:18 PM   #27
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 18,300
Quote:
Originally Posted by donheff
Yes, it has happened to me more than a few times since I am a touch ADD and keep banging away without noticing my caps lock is on. But poking around with three tries every few hours is not a dictionary or brute force attack. It might get into an account that used something truly brain-dead like "password123" but would not likely work with even a very weak normal password.

Dictionary attacks require an ability to pound the server continually with automated logon attempts -- or, (required with sensibly protected sites) pounding away at a stolen copy of the encrypted password file residing on the evildoer's server. Then the evildoer can logon to any of the accounts whose userIDs and passwords the attack cracks.
Except if the bad guys have accumulated many, many usernames, they can hit each three times, then move to the next and the next, and rotate back after the timeout. Day after day after day. They'll eventually get a few of them.


-ERD50
__________________
ERD50 is offline
Old 09-03-2014, 01:24 PM   #28
Thinks s/he gets paid by the post
 
Join Date: Sep 2012
Location: Seattle
Posts: 2,907
I keep all of my private pics in a subfolder. The main folder has two candid pics of my 97 y.o. grandmother doing the cat daddy dance topless. It is somewhat like when pirates used to bury the real treasure underneath a much smaller, easier to find treasure.
__________________
Fermion is offline
Old 09-03-2014, 01:59 PM   #29
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 8,657
Quote:
Originally Posted by ERD50
Except if the bad guys have accumulated many, many usernames, they can hit each three times, then move to the next and the next, and rotate back after the timeout. Day after day after day. They'll eventually get a few of them.


-ERD50
Could be. I would be relieved if that is what happened at Apple. In that case we can get back to dissing the stars for posting their selfie porn with poor passwords.
__________________
Every man is, or hopes to be, an Idler. -- Samuel Johnson
donheff is online now
Old 09-03-2014, 02:16 PM   #30
Thinks s/he gets paid by the post
 
Join Date: Dec 2008
Posts: 3,710
Quote:
Originally Posted by donheff
Could be. I would be relieved if that is what happened at Apple. In that case we can get back to dissing the stars for posting their selfie porn with poor passwords.
The security is usually of the type where it locks out your IP for some interval of time. But it can be a different implementation.
__________________
target2019 is offline
Old 09-03-2014, 07:28 PM   #31
Moderator Emeritus
 
Join Date: Oct 2007
Posts: 4,929
There is one gotcha on the use of a lockout mechanism to block brute force attacks.

The lockout mechanism is also used for selective denial of service attacks. The account of a well-known person is typically targeted, with random passwords sent frequently enough to maintain the lockout. By using a botnet to host the attack, IP-specific lockouts that would typically block a script kiddie don't stop the doorknob-rattling, and often the account gets deactivated requiring the victim to go through a 'help desk' to regain access.

I've seen this variant used on everyone from executives, to PR persons, and just folks that some 4chan 1337 d00d didn't like.

The particular channel being used to guess passwords in the Apple attack is not one I'd want to find myself locked out of after the loss/theft of equipment. That's all the detail I care to go into on this one.
__________________
M Paquette is offline
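An added worked example, written for this thread and not taken from it or from Apple's systems, that models the trade-offs raised in donheff's, ERD50's and M Paquette's posts above: a simple per-IP block stops one address from pounding a login form; a hard per-account lockout stops guessing but lets anyone who can keep sending wrong passwords from many addresses keep the real owner locked out (the selective denial of service M Paquette describes); and rotating one or a few guesses across many accounts slips under a per-account limit but is visible as one source failing against many distinct accounts. The "step_up" policy shows one way to keep the owner's access: after the failure threshold the account is not deactivated, a correct password is still accepted, but only together with a second factor. The class name, the limits, the account "alice", the passwords and the sample addresses are all constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 3600        # seconds of history kept per counter (assumed value)
ACCOUNT_LIMIT = 3    # failed guesses per account per window (assumed)
IP_LIMIT = 10        # failed guesses per source address per window (assumed)
SPRAY_ACCOUNTS = 5   # distinct accounts failed from one address -> alert

# Constructed user store: account -> (password, second-factor code).
# A real system compares against a password hash in constant time; plain
# strings keep the model small.
USERS = {"alice": ("correct horse", "123456")}


class LoginThrottle:
    """Two policies: 'hard_lockout' refuses the account outright once the
    failure threshold is reached; 'step_up' still accepts the right password
    but additionally demands the second factor."""

    def __init__(self, policy):
        assert policy in ("hard_lockout", "step_up")
        self.policy = policy
        self.acct_fail = defaultdict(deque)   # account -> failure times
        self.ip_fail = defaultdict(deque)     # source ip -> failure times
        self.ip_targets = defaultdict(dict)   # source ip -> {account: last t}
        self.alerts = []
        self.alerted = set()

    @staticmethod
    def _prune(times, t):
        # drop failures that fell out of the sliding window; a lockout
        # therefore lasts as long as enough recent failures remain
        while times and times[0] <= t - WINDOW:
            times.popleft()

    def attempt(self, t, ip, account, password, otp=None):
        """Decide one login attempt at time t; returns a short verdict."""
        self._prune(self.acct_fail[account], t)
        self._prune(self.ip_fail[ip], t)
        if len(self.ip_fail[ip]) >= IP_LIMIT:
            return "blocked_ip"
        throttled = len(self.acct_fail[account]) >= ACCOUNT_LIMIT
        if throttled and self.policy == "hard_lockout":
            return "locked_account"          # even the real owner is refused
        stored_pw, stored_otp = USERS.get(account, (None, None))
        if password is not None and password == stored_pw:
            if throttled and otp != stored_otp:
                return "need_second_factor"  # right password, now prove it
            return "ok"
        # wrong password: charge the failure to both the account and the source
        self.acct_fail[account].append(t)
        self.ip_fail[ip].append(t)
        self.ip_targets[ip][account] = t
        # rotating across many accounts shows up as one source failing on
        # many distinct accounts inside the window, even at 1-3 tries each
        recent = sum(1 for ft in self.ip_targets[ip].values() if ft > t - WINDOW)
        if recent >= SPRAY_ACCOUNTS and ip not in self.alerted:
            self.alerted.add(ip)
            self.alerts.append(f"spray from {ip}: {recent} accounts")
        return "denied"


def single_source_blocked():
    """Rapid guessing at one account from one address trips the IP limit."""
    th = LoginThrottle("step_up")
    verdicts = [th.attempt(k, "198.51.100.4", "alice", f"guess{k}")
                for k in range(12)]
    return verdicts[-1], verdicts.count("denied")   # ("blocked_ip", 10)


def owner_locked_out(policy):
    """Junk guesses from six different addresses, then the owner logs in."""
    th = LoginThrottle(policy)
    for i in range(6):                       # each source stays under IP_LIMIT
        th.attempt(i * 10, f"10.0.0.{i}", "alice", "wrong")
    first = th.attempt(100, "192.0.2.7", "alice", "correct horse")
    second = th.attempt(101, "192.0.2.7", "alice", "correct horse", otp="123456")
    return first, second


def spraying_detected():
    """One address makes a single guess against each of six accounts."""
    th = LoginThrottle("step_up")
    for n in range(6):
        th.attempt(n * 60, "203.0.113.9", f"user{n}", "guess")
    return th.alerts


if __name__ == "__main__":
    print("single source:", single_source_blocked())
    print("hard lockout :", owner_locked_out("hard_lockout"))
    print("step-up      :", owner_locked_out("step_up"))
    print("spray alerts :", spraying_detected())
```

Under "hard_lockout" the owner's correct password is refused as long as enough junk failures sit in the window, which is exactly the lockout-as-denial-of-service case; under "step_up" the same traffic only costs the owner a second-factor prompt. The per-source spray alert does not catch guesses spread over many addresses; for that a deployment would also watch the fleet-wide failure rate and the number of distinct accounts failing per window, which this small model leaves out.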