Archive for September 1, 2014

Monday, September 1, 2014

Dropbox Cuts Prices, Increases Storage, Adds Pro Features

Casey Newton:

Today Dropbox announced a revamped version of its paid offering for individuals, called Dropbox Pro, that costs $9.99 a month for 1 terabyte of storage. Previously, $9.99 got you just 100 gigabytes; storage maxed out at 500GB, which cost a whopping $500 a year.

Dropbox:

Simple collaboration is one of the reasons people choose Dropbox Pro, but we’ve heard you ask for more ways to protect the stuff you share. That’s why we’re bringing new sharing controls to Dropbox Pro.

Adam C. Engst:

Dropbox has also rejiggered its Packrat unlimited version history feature. For free accounts, Dropbox maintains all older versions and deleted files for only 30 days, but in the past, Dropbox Pro users could pay an extra $39 per year for Packrat, which maintained all older versions and deleted files indefinitely. Dropbox has now renamed Packrat to Extended Version History and set it to preserve only 1 year of older versions and deleted files. The price of Extended Version History for Dropbox Pro users remains $39 per year, and existing Dropbox Pro users with Packrat can opt in to keep unlimited version history before 1 November 2014. (Dropbox for Business users continue to have unlimited version history.)

Anand Goes to Apple

Anand Lal Shimpi:

On April 26, 1997, armed with very little actual knowledge, I began to share what I had with the world on a little Geocities site named Anand’s Hardware Tech Page. Most of what I knew was wrong or poorly understood, but I was 14 years old at the time. Little did I know that I had nearly two decades ahead of me to fill in the blanks. I liked the idea of sharing knowledge online and the thought of building a resource where everyone who was interested in tech could find something helpful.

[…]

But after 17.5 years of digging, testing, analyzing and writing about the most interesting stuff in tech, it’s time for a change. This will be the last thing I write on AnandTech as I am officially retiring from the tech publishing world.

Enidigm (June 2014):

Benchmarkgate was I think their term to describe the persistent, repeated and deliberate cheating of benchmarks by several smart phone manufacturers, by inserting code that looked for a benchmark and then gave the phone 100% access to the cores, pushing all power savings aside. Only Motorola and Apple seemed to not cheat, Samsung was the worst. One can only speculate how this affected their access to smart phone developers.

John Paczkowski:

An Apple rep confirmed that the company was hiring Shimpi, but wouldn’t provide any other details.

Mike Beasley:

Earlier this year AnandTech’s Brian Klug also left the site for a role at Apple with a focus on building mobile processors for the company’s iOS lineup.

I’m not sure what this will mean for AnandTech, but it’s good that Apple continues to be able to hire top talent.

Vlad Savov:

Shimpi’s departure note on AnandTech states that the site’s editorial staff has been expanded over the course of this year to prepare for his absence.

Ryan Smith:

Having read AnandTech for 15 years and having worked for Anand for almost 10 of those years, it was until recently hard to imagine reading AnandTech and not seeing articles by Anand, or to be writing for AnandTech but not be writing for Anand himself. Anand has been a constant in the tech world both as a source of news and analysis for us all, and as a mentor to me. These days I can happily say I was wrong about not being able to match wits with The Boss, and now I am going to get to put that to the test.

Late to Launch

Dr. Drang:

Earlier this month I learned what I was missing. After building an overly complicated set of scripts for adding common entries to my work diary, I learned how much simpler a set of LCP actions would be. I now have a color-coded group of actions for all my common diary entries.

I was also late to using Launch Center Pro (App Store), and I use it in a similar way, only with OmniFocus instead of Drafts. I started using it when OmniFocus 2 for iPhone initially did not support TextExpander touch. It does now, but I found that I prefer Launch Center Pro’s buttons to typing abbreviations that the iPhone’s keyboard always seems to auto-correct away from what I actually typed.

I really like Launch Center Pro’s functionality, but editing actions is a pain. The URL text field is narrow, you have to manually percent-encode everything, and there is no undo history or version control like if I were editing scripts on my Mac.

BBEdit Codeless Language Module for Swift

Curt Clifton:

Keyword, comment, and string highlighting work. Top-level classes, structs, enums, functions, and extensions are indexed and can be folded. Because of limitations in the matching power of codeless language modules, nested declarations are not indexed and are not fold-able.

The basics seem to work well. It doesn’t handle access control keywords yet. A full language module would probably be necessary to handle overloaded methods well.

Understanding Apple’s Mastery of the Media

Mark Gurman:

Apple’s public relations (PR) department is probably the best in the world — certainly more impressive at shaping and controlling the discussion of its products than any other technology company. Before customers get their first chance to see or touch a new Apple product, the company has carefully orchestrated almost every one of its public appearances: controlled leaks and advance briefings for favored writers, an invite-only media debut, and a special early review process for a group of pre-screened, known-positive writers. Nothing is left to chance, and in the rare case where Apple doesn’t control the initial message, it remedies that by using proxies to deliver carefully crafted, off-the-record responses.

[…]

Two months in the making, this article is the product of over a dozen interviews with journalists, bloggers, and PR professionals, including many who have worked at Apple.

and:

Apple’s PR team isn’t above quietly spreading negative press about competitors. For instance, when a publication “has written something negative about Android, [Apple PR] would send those stories around,” telling writers something like “that’s how we feel.” As just one example, Apple PR sent this email to two 9to5Mac reporters earlier this week, attempting to underscore an Android app’s failures.

Apple Patches “Find My iPhone” Exploit

Arik Hesseldahl:

Apple said Monday it was “actively investigating” the violation of several of its iCloud accounts, in which revealing photos and videos of prominent Hollywood actresses were taken and posted all over the Web.

Owen Williams:

Users on Twitter were able to use the tool from GitHub — which was published for two days before being shared to Hacker News — to access their own accounts before it seems Apple patched the hole today. The owner of the tool noticed it was patched at 3:20am PT.

Adrian Kingsley-Hughes:

The code exploited a vulnerability with the Find My iPhone sign-in page that allowed hackers to flood the site with password attempts without being locked out. By employing brute-forcing techniques, hackers could use this to guess the password used to protect the account.

James Cook:

So was Apple’s Find My iPhone vulnerability to blame for the iCloud hack? The speech that outlined the vulnerability took place at the Def Con conference in Russia on Aug. 30, leaving potential hackers only a small period of time to exploit the vulnerability, unless they were already aware of the brute force exploit. Evidence suggests that the leaked celebrity photos were gathered over a period of weeks, or even years, instead of a quick one-day attack, meaning that there may be a completely different vulnerability in iCloud that has yet to be discovered.

These days, an Apple ID is the key to a lot more than just photos.

Update (2014-09-02): Apple (via Mark Gurman and Jacob Kastrenakes):

After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.

It sounds like the Find My iPhone bug was real, just not used for this particular incident. It’s not clear whether the passwords were guessed or whether the accounts were compromised via Apple’s support staff through security questions or social engineering.

Nik Cubrilovic:

What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public. The networks are broken down horizontally with specific people carrying out specific roles, loosely organized across a large number of sites (both clearnet and darknet) with most organization and communication taking place in private (email, IM).

[…]

In reviewing months worth of forum posts, image board posts, private emails, replies for requests for services, etc. nowhere was the FindMyPhone API brute force technique (revealed publicly and exploited in iBrute) mentioned. This doesn’t mean that it wasn’t used privately by the hackers – but judging by the skill levels involved, the mentions and tutorials around other techniques and some of the bragged about success rates with social engineering, recovery, resets, rats and phishing – it appears that such techniques were not necessary or never discovered.

[…]

Apple accounts seem particularly vulnerable because of the recovery process, password requirements and ability to detect if an email address has an associated iCloud account. […] It would be a good idea for Apple to kill the interface on signup that shows new users if their email account is available to use as an iCloud account or not. It would also be a good idea to make the recovery process one big step where all data is validated at once and the user is not given a specific error message. It would also be wise to attach rate limits and strict lockout on this process on a per-account basis.

[…]

Two-factor authentication for iCloud is useless in preventing passwords or authentication tokens being used to extract online backups.
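The two quoted points above, the Find My iPhone sign-in page that accepted unlimited password attempts (Kingsley-Hughes) and Cubrilovic's recommendation of a single-step recovery check with a generic error and per-account lockout, can be shown side by side. The following is an added example written for this post, not Apple's code or the iBrute tool: a toy recovery endpoint in its weak form (no attempt limit, field-specific errors that confirm an address has an account) beside a hardened form. The account data, wordlist, `MAX_ATTEMPTS` and `LOCKOUT_SECONDS` values are all constructed for the example.

```python
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample credential store. A real service stores salted hashes,
# not plaintext; plaintext is used here only to keep the example short.
ACCOUNTS = {
    "alice@example.com": {"password": "hunter2", "pet": "rex"},
}

GENERIC_FAILURE = "We couldn't verify that information."
MAX_ATTEMPTS = 5            # assumed policy value
LOCKOUT_SECONDS = 15 * 60   # assumed policy value


def _eq(expected: str, supplied: str) -> bool:
    """Constant-time comparison so a timing side channel does not leak prefixes."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def unthrottled_recovery(username: str, password: str, pet: str) -> tuple:
    """Weak design matching the quotes: unlimited attempts, and a different
    error per field, which confirms whether the address has an account."""
    record = ACCOUNTS.get(username)
    if record is None:
        return False, "No account exists for that email address."
    if not _eq(record["password"], password):
        return False, "Incorrect password."
    if not _eq(record["pet"], pet):
        return False, "Incorrect security answer."
    return True, "ok"


@dataclass
class _AttemptState:
    failures: int = 0
    locked_until: float = 0.0


class ThrottledRecovery:
    """Hardened form: all fields validated in one step, one generic message for
    any failure, per-account lockout after MAX_ATTEMPTS consecutive failures."""

    def __init__(self) -> None:
        self._state = defaultdict(_AttemptState)

    def attempt(self, username: str, password: str, pet: str,
                now: Optional[float] = None) -> tuple:
        now = time.time() if now is None else now
        state = self._state[username]
        if state.locked_until > now:
            return False, GENERIC_FAILURE
        record = ACCOUNTS.get(username) or {"password": "", "pet": ""}
        # Evaluate every check without short-circuiting so an unknown address
        # and a known one with a wrong answer behave identically.
        password_ok = _eq(record["password"], password)
        pet_ok = _eq(record["pet"], pet)
        exists = username in ACCOUNTS
        if not (exists and password_ok and pet_ok):
            state.failures += 1
            if state.failures >= MAX_ATTEMPTS:
                state.locked_until = now + LOCKOUT_SECONDS
            return False, GENERIC_FAILURE
        state.failures = 0
        return True, "ok"


def simulate_guessing(attempt, username: str, wordlist, pet: str) -> tuple:
    """Try each candidate password in order; returns (attempts made, success)."""
    for i, candidate in enumerate(wordlist, start=1):
        ok, _ = attempt(username, candidate, pet)
        if ok:
            return i, True
    return len(wordlist), False


# Constructed wordlist of 20 candidates; the real password sits at position 12.
WORDLIST = ([f"guess{n}" for n in range(1, 12)] + ["hunter2"]
            + [f"guess{n}" for n in range(12, 20)])

if __name__ == "__main__":
    print(simulate_guessing(unthrottled_recovery, "alice@example.com", WORDLIST, "rex"))
    svc = ThrottledRecovery()
    print(simulate_guessing(lambda u, p, a: svc.attempt(u, p, a, now=0.0),
                            "alice@example.com", WORDLIST, "rex"))
```

Against the weak endpoint the wordlist succeeds on the twelfth try; against the hardened one the account locks after five failures, so the correct guess at position twelve is refused until the lockout expires, and an unknown address gets exactly the same response as a known one with a wrong answer. Lockout by account rather than by client IP is what matters here: the attacks described in this post are spread over many sources and many weeks, so a per-IP limit alone would not have stopped them.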

Rich Mogull:

Apple did patch the vulnerability on 1 September, limiting the damage, although we don’t know how long the vulnerability existed and how widespread abuse may have been before the tool was released.

But based on Apple’s statement, the iBrute tool or some other direct attack on iCloud or Find My iPhone was not the source of the celebrity photo theft. That statement, however, was carefully constructed in case conflicting information later emerges in the investigation.

Update (2014-09-03): Russell Ivanovic:

I could write entire blog posts about how that level of blame deflection is beyond patronising.

[…]

Strong passwords and two-step verification. Makes perfect sense right? Except Apple forgets to mention that there’s no such thing as two-step authentication for your iCloud photos, or even access to your iCloud account.

Update (2014-09-05): Christina Warren:

For just $200, and a little bit of luck, I was able to successfully crack my own iCloud password and use EPPB to download my entire iCloud backup from my iPhone. For $400, I could have successfully pulled in my iCloud data without a password and with less than 60 seconds of access to a Mac or Windows computer where I was logged into iCloud.

[…]

Apple’s two-factor implementation does not protect your data, it only protects your payment information.

[…]

What makes this even worse is that Apple is encouraging users to use “strong passwords and two-step verification.” That’s all well and good, but in this case, two-step verification wouldn’t have mattered. If someone can get physical or remote access to a computer that uses iCloud or successfully convince a user to click on a phishing email for iTunes and get a password, an iCloud backup can be downloaded remotely, two-factor verification or not.

[…]

If Apple won’t encrypt iCloud backups (which it should), at the very least, it should make the authentication token stored on Windows or OS X encrypted — or at least not stored in plaintext. I can give Apple a pass on a lot of aspects of security, but this is just amateur hour.

It looks like that’s not correct; the authentication token is stored in the keychain.

Update (2014-09-06): Daisuke Wakabayashi:

In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities’ iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords.

Update (2014-09-08): Eric Slivka:

As noted by Letem světem Applem and confirmed by MacRumors, Apple has already begun sending out alert emails when iCloud accounts are accessed via web browsers. The alerts are being sent out even if the specific browser has been used previously to access iCloud, but this is presumably a one-time measure that will not be repeated for future logins with that combination of browser and machine.

Update (2016-03-16): Mariella Moon:

In his plea deal, Collins admitted to executing a phishing scheme to obtain celebs’ usernames and passwords from November 2012 to September 2014. Once he got access to their accounts, he searched for and stole explicit images. In some cases, he even downloaded people’s entire iCloud backups.

Update (2018-10-24): Mikey Campbell:

According to court documents, Brannan, a former teacher at Lee-Davis High School, gained unauthorized access to iCloud backups, personal photographs and other data by answering email account security questions using information gleaned from Facebook.

Brannan also used typical phishing schemes to obtain username and password information for target accounts. Specifically, email messages resembling legitimate correspondence from Apple security personnel were sent to victims in a bid to gain access to their internet accounts.

Unlike previous “Celebgate” hackers who relied mainly on first-party tools and internet clients to access target iCloud accounts, Brannan also utilized third-party products from Elcomsoft. The specialized forensics software was employed to download entire iCloud accounts from Apple servers, which were subsequently combed through for private photographs and video, including nude photos.