The breach of journalist Mat Honan's iCloud account raises some big, honking red flags for those of us whose lives are entangled with Apple's ecosystem. iCloud makes a lot of Apple products "just work," and that level of effortless functionality (plus cool design and strong marketing) is one of the major reasons for their popularity. But now we ask: at what risk?
Forbes.com contributor Adrian Kingsley-Hughes has done a great job covering the story this weekend, so I won't repeat all of the details. Simply put, hackers gained access to Honan's iCloud account and from there also accessed his and Gizmodo's Twitter accounts. (He has worked for both Gizmodo and WIRED.) Apparently, this was a "brute force" attack whose effects were magnified by the fact that Honan used the same password for both his Apple and Gmail accounts. Given time, computing power and algorithms, hackers can, in effect, try all possible combinations of a password in order to crack it. Because of the duplicate passwords, the attacker was able to change the password to the iCloud account and then remote wipe their victim's iPhone, iPad and MacBook Air. Ouch!
As a tech writer, Honan is a pretty high-profile target for such an attack, and Apple has a lot of explaining to do and procedures to change. But beyond the obvious steps of making your passwords as random as possible and of having different passwords for different services, how can you tell how secure the cloud services you entrust your data to are, Apple's or otherwise?
Cryptographer and Johns Hopkins University research professor Matthew Green has come up with a simple "thought experiment" to determine if a cloud service is really secure. He calls it the "mud puddle test," which has the following steps:
- First, drop your device(s) in a mud puddle.
- Next, slip in said puddle and crack yourself on the head. When you regain consciousness you'll be perfectly fine, but won't for the life of you be able to recall your device passwords or keys.
- Now try to get your cloud data back.
If you can "get your cloud data back," it means your service has failed the test.
What? Yes, that's right, most major consumer services fail the test. Apple, in this case, has failed it spectacularly because their customer service procedures turn out to be susceptible to manipulation, as Kingsley-Hughes describes in today's post.
This is where customer service and user experience are on a collision course with security. The credit card industry has similar problems, and in its case an "acceptable level" of fraud is just factored into the revenue equations.
But bad as breaches of credit information are, and as far-reaching as they can be, money is only a single dimension. What consumers are now storing in cloud services encompasses the whole of their digital lives. I used to think that if my hard drive died I was having an ambulatory nervous breakdown, but with the cloud equivalent, it's a full catatonic episode.
As many have observed, login is a broken system. Until we can be identified by factors that are unique to our personhood (biometrics, etc.) that we don't have to remember or store somewhere, these problems will persist. People have too many passwords for too many accounts. It's all too complex for our little brains to handle. And like any situation of excess complexity, we collapse dimensions until we have a structure we can comprehend.
The problem, in this case, is that our simplifications create tunnels large enough for hackers' trucks to drive through, with ease.
[Underlying image above by Kenneth Allen from the Geograph project collection, licensed under the Creative Commons Attribution-Share Alike 2.0 Generic license]