Over the long US holiday weekend several celebrities had their privacy violated and less than desirable photos were shared of them around the web. The mainstream media has made a spectacle out of it by either shaming the celebrities for daring to live their lives as they want, or Apple for doing something. (Or perhaps, for the lack of doing something.)
The truth of the matter is far more complex, and we have yet to get the clearest picture. There are, though, a few things we can take away from this which I think are worth repeating.
One: Shame
It doesn’t matter if the stolen pictures were of landscapes or boobs, it was still theft and the only person to blame is the person who did the theft. Not the victim.
If your house is broken into, you don’t call Schlage and get pissed at them because the lock on your door was bypassed — you call the cops and they go after the person who broke in (not you, not Schlage).
And, FYI, almost all door locks can be picked relatively easily by those experienced in it. Not as easy as shown in movies though, that’s just stupid.
There were the people who crowed over how hot the photos were (what a novel observation, you original thinker, you). There were the people who bragged about jerking off to the photos (wow buddy, real accomplishment there. Did you wipe your dick with your rocket science degree before or after you posted that status update on Facebook?) And then there were the people who said she deserved it for carrying around naked photos of herself.
Whoa.
Whoa whoa fuckity whoa.
The takeaway of this first point is that the victims of this crime are not to be blamed in any way, shape, or form. If you read someone saying otherwise then you know said person is an idiot and must never be read again. Because fuck the people who say stupid shit like that.
Common sense is using good passwords, not “living your life with moral purity”.
Two: Cloud
The next culprit is ‘the cloud’, that ominous thing that amusingly confuses the shit out of mainstream media. I’ve seen tons of posts about how to turn off cloud functions and “protect” yourself in light of this leak.
All of this is stupid.
If you turn off ‘the cloud’ then you lose (at least):
- Syncing between devices
- Easy sharing/commenting
- Backups
The latter of which will come back to bite you in the ass at some point. A better, more nuanced approach is to assume that all data is being stored in a server somewhere out of your control, and further, that said data is not 100% secure.
Nothing is 100% secure.
So if you want to, and who cares if you do, take nude photos, you might want to use a tool that makes sure your data does not leave your device, and perhaps is secured and encrypted. So real cameras are out (why they don’t have encrypted storage yet is beyond me), but certain apps can help.
Diskreet is one such app which uses local, encrypted storage to keep private photos. It goes the extra mile by requiring a two-key system, where you input your passcode and your partner inputs their passcode before anything is viewable. It’s not foolproof, but there are a great many apps out there designed for this very purpose.
It’s not just iCloud either, as Christina Warren points out:
And although iCloud seems to be a common thread, some of the photographs stolen have metadata from Android devices. There is also some suspicion that at least one Dropbox account could be involved.
Dropbox. What do you have in your Dropbox?
So if you are going to take photos, or do anything, of this nature just make sure you do it in the right app. That’s not at all the same as avoiding the cloud — avoiding the cloud is just silly.
Three: Two Factor
Another angle is using two factor authentication, where you enter in your password and then get a one-time security code to verify it is you. With iCloud, however, as Guillaume Ross notes, this likely wouldn’t have mattered:
That being said, the feature is not called iCloud Two-Step verification, and while the password and usernames are used on both services, Apple’s 2FA is not used on iCloud.
It’s only actually used to manage your Apple ID. And so, given what we think we know, two factor authentication wouldn’t have done shit to stop an attack like this. This is the one point of blame I hold on Apple — that there is not a more secure means to verify identity before restoring backups.
But again, it’s not Apple’s fault that someone stole the data — just as it is not Schlage’s that your lock was picked.
Four: Practical
Security, and being secure, on the web is really hard and supremely annoying most of the time. That said, I really like Nik Cubrilovic’s thoughts on how to be more private:
In terms of staying secure the most obvious solutions are to pick a better password, set your security answers to long random strings and enable two-factor authentication. Further it is a good idea to ring-fence your email – use one email address that remains private for sensitive accounts such as your online banking, cloud storage etc. and then a separate account for communications whose address is made public. There is no privacy mode in phones and they lump together all your data and metadata in one large bucket, and the only solution if you wish to retain a more private or more anonymous profile is to run a separate phone with the account on there belonging to an alias. There is a reason why drug dealers carry multiple phones, it tends to work in terms of segregating your real identity.
I hadn’t heard of ring-fenced emails before, but it seems like a really smart and obvious idea. Excuse me for the next month while I implement that.
Yeah, a month, and now you know why hackers have an easy time: good security is hard, confusing, tedious, and annoying.
And thus, security is where we have the greatest headroom to innovate.