
(Slash Gear) Whoopsie: anyone who knows both your e-mail address and your date of birth can hack your iTunes/iCloud account and change your password (slashgear.com)
    More: Sick, icloud, Apple ID, security question, safe zone, security hole  

2778 clicks; posted to Geek » on 22 Mar 2013 at 6:43 PM (1 year ago)



Archived thread
 
2013-03-22 05:47:47 PM
if you're not evil why would you be concerned about someone hacking your iTunes?
 
2013-03-22 06:40:30 PM
I fail to see the impact to my "All Tony DeFranco, All DeTime" account on Pandora.
 
2013-03-22 06:51:02 PM
I only installed iTunes for the updates. I don't actually own any music.
 
2013-03-22 06:55:55 PM
I like iTunes so I can back up the phone to the PC.  I'd never store my songs on the cloud.  Further, why would you use the same email you use for communication with the "world" as your iTunes contact?   Those things "get their own email"... so when it arrives it filters into the right folders.
 
2013-03-22 06:56:40 PM
So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!
 
2013-03-22 06:56:49 PM
I trust computers.
 
2013-03-22 06:59:09 PM
Fortunately the only place I use my real birthdate is to login at porn sites.

/And Facebook.
/but no one would think to look there.
 
2013-03-22 07:03:57 PM
Yeah, but then I can always hack in and change it back, right?
 
2013-03-22 07:09:31 PM
Yet another reason vinyl is superior to MP3s.
 
2013-03-22 07:10:16 PM
At least the impact to this one is somewhat minimal, unlike the inexcusably stupid non-SSL App Store logins issue that was recently fixed.

/passwords are a broken form of security
 
2013-03-22 07:18:48 PM
Ditto for your Neopets account.
 
2013-03-22 07:20:30 PM
That's why if you use your real birthday as the answer to security questions, you are a gigantic schmuck and possibly an idiot.
 
2013-03-22 07:27:02 PM
Duh, I never use my real birthday, my parents' middle names, animal names are spelled wrong for the security questions, I mean go for it. Disconnected all credit cards from the account, all you can do is.... something I guess, I can always make a new account.
 
2013-03-22 07:27:28 PM
This will let people on to my iCloud? But I don't want anyone on my iCloud.
 
2013-03-22 07:36:51 PM
Well what are the odds of that?
 
2013-03-22 07:41:03 PM
This is why I don't have iTunes.

Well, one of many reasons.
 
2013-03-22 07:52:37 PM
torusXL
That's why if you use your real birthday as the answer to security questions, you are a gigantic schmuck and possibly an idiot.

Not to single you out, but this is one of the things that pisses me off about infosec. We're always so ready to blame end users for being victims, even when they do things that are completely rational and reasonable.

No, it isn't the farking user's fault when you ask them for their birthdate and they type in their birthdate instead of some weirdly constructed lie that they won't remember when they call to do a legit password reset. It's our fault as designers and implementors for creating systems that are broken and operate according to weird, unexpected, incomprehensible unwritten rules, like "don't use your birthdate when it asks for your birthdate, unless you want someone to be able to take over your account". That's nonsense. Let's start taking some responsibility for our shiatty design paradigms and faulty assumptions, instead of horking it all onto the shoulders of some lusers who aren't and don't want to be infosec professionals or even technologists, just people who want their e-mail to work.
 
2013-03-22 07:53:59 PM
Crap. Now everyone will know of my love of the Starland Vocal Band.
 
2013-03-22 07:58:43 PM
Who enters their real birthday into websites anyways?

/oh yeah - basically every farker
//bet you also give out your real mother's maiden name and the street of your birth to whomever asks for it
 
2013-03-22 07:59:04 PM

torusXL: That's why if you use your real birthday as the answer to security questions, you are a gigantic schmuck and possibly an idiot.


No, it's Apple's fault for asking a stupid security question. What's even more baffling is that banks still use questions like your birthday, your pet's name, mother's maiden name, etc. There's a good chance that any dumbass could pull up all that info on Google.
 
kab
2013-03-22 07:59:29 PM
But Apple, so this is all good.
 
2013-03-22 08:21:03 PM
People still use iTunes? Why?
 
2013-03-22 08:29:44 PM

MrEricSir: torusXL: That's why if you use your real birthday as the answer to security questions, you are a gigantic schmuck and possibly an idiot.

No, it's Apple's fault for asking a stupid security question. What's even more baffling is that banks still use questions like your birthday, your pet's name, mother's maiden name, etc. There's a good chance that any dumbass could pull up all that info on Google.


No it really isn't.  Banks (and medical companies, companies that deal with credit cards, etc) have to make some attempt to validate who you are without flooding their customer service lines with calls or mining your information from public and private sources.  Plus Visa and government regulations demand it.  Apple's was the least stringent about this for the longest time and I'm surprised they got away with it for so long.
 
2013-03-22 08:30:09 PM

mrexcess: /passwords are a broken form of security


OK kids, let's set the wayback machine for the year 1998 and travel to the Java One conference. A company called Dallas Semiconductor introduced a highly tamper-resistant cryptographic processor capable of storing private certificates and generating digital signatures. This device was small enough that it could be worn on a ring, although the key-fob version was more practical. A small browser plugin enabled you to use this device with the existing 'client certificate' option of the SSL protocol, providing an easy mechanism for any website to verify that the user had the correct security token in addition to his/her password or PIN (known as "two-factor authentication").

This particular product was discontinued years ago but the concept is still valid. We have had the technology to provide secure logins for a long time. Companies just need to get off their asses and start implementing something.
 
2013-03-22 08:37:05 PM
The best password is the Enter key.
 
2013-03-22 08:39:32 PM

SacriliciousBeerSwiller: People still use iTunes? Why?


Also, who takes the time to input their real birthday? Just pick anything over 18 years ago.
Backup questions are for idiots. Write your passwords down somewhere if you're that senile.
 
2013-03-22 08:45:47 PM

gingerjet: MrEricSir: torusXL: That's why if you use your real birthday as the answer to security questions, you are a gigantic schmuck and possibly an idiot.

No, it's Apple's fault for asking a stupid security question. What's even more baffling is that banks still use questions like your birthday, your pet's name, mother's maiden name, etc. There's a good chance that any dumbass could pull up all that info on Google.

No it really isn't.  Banks (and medical companies, companies that deal with credit cards, etc) have to make some attempt to validate who you are without flooding their customer service lines with calls or mining your information from public and private sources.  Plus Visa and government regulations demand it.  Apple's was the least stringent about this for the longest time and I'm surprised they got away with it for so long.


Um, okay, but you haven't really explained why you disagree.
 
2013-03-22 09:06:41 PM

gingerjet: MrEricSir: torusXL: That's why if you use your real birthday as the answer to security questions, you are a gigantic schmuck and possibly an idiot.

No, it's Apple's fault for asking a stupid security question. What's even more baffling is that banks still use questions like your birthday, your pet's name, mother's maiden name, etc. There's a good chance that any dumbass could pull up all that info on Google.

No it really isn't.  Banks (and medical companies, companies that deal with credit cards, etc) have to make some attempt to validate who you are without flooding their customer service lines with calls or mining your information from public and private sources.  Plus Visa and government regulations demand it.  Apple's was the least stringent about this for the longest time and I'm surprised they got away with it for so long.


wow i laud u for this post
 
2013-03-22 09:09:23 PM

mrexcess: No, it isn't the farking user's fault when you ask them for their birthdate and they type in their birthdate instead of some weirdly constructed lie that they won't remember when they call to do a legit password reset. It's our fault as designers and implementors for creating systems that are broken and operate according to weird, unexpected, incomprehensible unwritten rules, like "don't use your birthdate when it asks for your birthdate, unless you want someone to be able to take over your account". That's nonsense. Let's start taking some responsibility for our shiatty design paradigms and faulty assumptions, instead of horking it all onto the shoulders of some lusers who aren't and don't want to be infosec professionals or even technologists, just people who want their e-mail to work.


Uh, no it's the users' faults for being lazy entitled pieces of shiat who expect those who worked hard to learn about technology to hold their hand, feed them, and wipe their ass.

But hey, feel free to never learn about reality and continue sitting around wishing that bad stuff wouldn't happen. No need for you to do anything about it, the magic programmers will.
 
2013-03-22 09:11:58 PM
I mean, what else would Apple ask for? If a birthday is too much for you, maybe they could ask for a random string of characters.

OH WAIT. THAT'S WHAT A PASSWORD IS. And the reason you're needing to reset it with your birthday is because you're too much of a dumbass to remember it.

There's only so much hand-holding that others can do for someone. Once past a certain point, self-responsibility is the only way to avoid bad shiat.
 
2013-03-22 09:19:47 PM

mrexcess: torusXL
That's why if you use your real birthday as the answer to security questions, you are a gigantic schmuck and possibly an idiot.

Not to single you out, but this is one of the things that pisses me off about infosec. We're always so ready to blame end users for being victims, even when they do things that are completely rational and reasonable.

No, it isn't the farking user's fault when you ask them for their birthdate and they type in their birthdate instead of some weirdly constructed lie that they won't remember when they call to do a legit password reset. It's our fault as designers and implementors for creating systems that are broken and operate according to weird, unexpected, incomprehensible unwritten rules, like "don't use your birthdate when it asks for your birthdate, unless you want someone to be able to take over your account". That's nonsense. Let's start taking some responsibility for our shiatty design paradigms and faulty assumptions, instead of horking it all onto the shoulders of some lusers who aren't and don't want to be infosec professionals or even technologists, just people who want their e-mail to work.


This. I remember I was once in the mood to make up a bunch of lies for the security questions for some random sites. Guess what happened when I visited again months later?  It becomes a laborious chore to memorize dozens of unique passwords that you must also change at regular intervals.
 
2013-03-22 09:20:24 PM

torusXL: mrexcess: No, it isn't the farking user's fault when you ask them for their birthdate and they type in their birthdate instead of some weirdly constructed lie that they won't remember when they call to do a legit password reset. It's our fault as designers and implementors for creating systems that are broken and operate according to weird, unexpected, incomprehensible unwritten rules, like "don't use your birthdate when it asks for your birthdate, unless you want someone to be able to take over your account". That's nonsense. Let's start taking some responsibility for our shiatty design paradigms and faulty assumptions, instead of horking it all onto the shoulders of some lusers who aren't and don't want to be infosec professionals or even technologists, just people who want their e-mail to work.

Uh, no it's the users' faults for being lazy entitled pieces of shiat who expect those who worked hard to learn about technology to hold their hand, feed them, and wipe their ass.

But hey, feel free to never learn about reality and continue sitting around wishing that bad stuff wouldn't happen. No need for you to do anything about it, the magic programmers will.


I see that Lumbergh told you to come into work on Saturday, and you're doing it because you're a pussy.
 
2013-03-22 10:17:26 PM

red5ish: Yet another reason vinyl is superior to MP3s.

Yah... when are they coming out with Vinyl-dr???

 
2013-03-22 11:04:36 PM

torusXL: mrexcess: No, it isn't the farking user's fault when you ask them for their birthdate and they type in their birthdate instead of some weirdly constructed lie that they won't remember when they call to do a legit password reset. It's our fault as designers and implementors for creating systems that are broken and operate according to weird, unexpected, incomprehensible unwritten rules, like "don't use your birthdate when it asks for your birthdate, unless you want someone to be able to take over your account". That's nonsense. Let's start taking some responsibility for our shiatty design paradigms and faulty assumptions, instead of horking it all onto the shoulders of some lusers who aren't and don't want to be infosec professionals or even technologists, just people who want their e-mail to work.

Uh, no it's the users' faults for being lazy entitled pieces of shiat who expect those who worked hard to learn about technology to hold their hand, feed them, and wipe their ass.

But hey, feel free to never learn about reality and continue sitting around wishing that bad stuff wouldn't happen. No need for you to do anything about it, the magic programmers will.


So is everyone who goes to see someone who worked hard to learn medicine lazy entitled pieces of shiat?
 
2013-03-22 11:13:27 PM

rhiannon: This will let people on to my iCloud? But I don't want anyone on my iCloud.


Hey, hey, you, you, get off my iCloud!!!!
 
2013-03-22 11:22:16 PM
You babies can whine all you want, but reality is one thing and your kiddie wishes are another.

If you closed your eyes and wandered around the desert and ended up in a viper's nest because your eyes were closed, well that sucks. Maybe the guy who put that viper's nest there is a huge dickwad who should be punished if he were caught.

But while the viper nest is there and before the culprit gets caught, in the end, you're the idiot who decided to close your eyes and wander around the desert with your dumbass in a viper's nest.

While you're at it whining about hackers taking advantage of technotards, how about you go to Afghanistan and tell terrorists to please quit murdering people? That would be just swell.

Ta-ta!
 
2013-03-23 12:08:22 AM

torusXL: You babies can whine all you want, but reality is one thing and your kiddie wishes are another.

If you closed your eyes and wandered around the desert and ended up in a viper's nest because your eyes were closed, well that sucks. Maybe the guy who put that viper's nest there is a huge dickwad who should be punished if he were caught.

But while the viper nest is there and before the culprit gets caught, in the end, you're the idiot who decided to close your eyes and wander around the desert with your dumbass in a viper's nest.

While you're at it whining about hackers taking advantage of technotards, how about you go to Afghanistan and tell terrorists to please quit murdering people? That would be just swell.

Ta-ta!


I feel dumber for reading that, thanks
 
2013-03-23 12:09:38 AM

chitownmike: torusXL: You babies can whine all you want, but reality is one thing and your kiddie wishes are another.

If you closed your eyes and wandered around the desert and ended up in a viper's nest because your eyes were closed, well that sucks. Maybe the guy who put that viper's nest there is a huge dickwad who should be punished if he were caught.

But while the viper nest is there and before the culprit gets caught, in the end, you're the idiot who decided to close your eyes and wander around the desert with your dumbass in a viper's nest.

While you're at it whining about hackers taking advantage of technotards, how about you go to Afghanistan and tell terrorists to please quit murdering people? That would be just swell.

Ta-ta!

I feel dumber for reading that, thanks


That is one dumb fark with his head in the iCloud alright.
 
2013-03-23 12:11:06 AM

torusXL: You babies can whine all you want, but reality is one thing and your kiddie wishes are another.

If you closed your eyes and wandered around the desert and ended up in a viper's nest because your eyes were closed, well that sucks. Maybe the guy who put that viper's nest there is a huge dickwad who should be punished if he were caught.

But while the viper nest is there and before the culprit gets caught, in the end, you're the idiot who decided to close your eyes and wander around the desert with your dumbass in a viper's nest.

While you're at it whining about hackers taking advantage of technotards, how about you go to Afghanistan and tell terrorists to please quit murdering people? That would be just swell.

Ta-ta!


You are disappointing.
 
2013-03-23 12:29:54 AM
Uh, no it's the users' faults for being lazy entitled pieces of shiat who expect those who worked hard to learn about technology to hold their hand, feed them, and wipe their ass.

But hey, feel free to never learn about reality and continue sitting around wishing that bad stuff wouldn't happen. No need for you to do anything about it, the magic programmers will.


No. If you're providing a web service whose security model is based around ownership of an email address, then you better be damned sure you're verifying ownership of that address for critical actions. This means sending a link in an email when someone wants to do something like reset their password, since it can reasonably be assumed that only the real owner of that email address (and the Feds) will have access to that link. From what I can gather from the article, Apple did not perform this basic check.

Anyone who has read some of my previous Fark posts knows that I'm somewhat of a fan of Apple products (the physical kind, anyway), but for a company of that stature to fail to perform basic user validation is just inexcusable.
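An added example, not from this thread or from Apple: a Go sketch of the two reset flows this post contrasts. WeakReset changes a password for anyone who knows the address and date of birth, as the linked article describes; RequestReset/CompleteReset only accept a password change together with a random token that was mailed to the address on file, stored server-side as a hash and good for one use. The account store, the outbox and the 15-minute lifetime are constructed stand-ins, not Apple's implementation.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Account holds only what the two flows need; a date of birth is the kind of widely known fact the thread argues cannot authenticate anyone.
type Account struct{ DateOfBirth, Password string }

// pendingReset is all the server stores for an outstanding reset, keyed by the SHA-256 of the mailed token so a database leak exposes no live links.
type pendingReset struct {
	email   string
	expires time.Time
}

type ResetService struct {
	accounts map[string]*Account
	pending  map[string]pendingReset
	outbox   []string         // constructed stand-in for the outgoing mail queue
	now      func() time.Time // injectable clock so expiry can be exercised
}

func NewResetService(now func() time.Time) *ResetService {
	return &ResetService{accounts: map[string]*Account{}, pending: map[string]pendingReset{}, now: now}
}

// WeakReset models the flow the thread describes: whoever knows the address and the date of birth may set a new password; nothing proves mailbox control.
func (s *ResetService) WeakReset(email, dob, newPassword string) error {
	a, ok := s.accounts[email]
	if !ok || a.DateOfBirth != dob {
		return errors.New("account or date of birth did not match")
	}
	a.Password = newPassword
	return nil
}

// RequestReset is the hardened first step: mint a random single-use token, mail it to the address on file, and store only its hash with an expiry.
func (s *ResetService) RequestReset(email string) error {
	if _, ok := s.accounts[email]; !ok {
		return nil // identical response for unknown addresses: reveal nothing
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	token := hex.EncodeToString(raw)
	s.pending[hashToken(token)] = pendingReset{email: email, expires: s.now().Add(15 * time.Minute)}
	s.outbox = append(s.outbox, token) // only the mailbox owner ever sees this value
	return nil
}

// CompleteReset is the check the post says was missing: a new password is accepted only together with the token that went to the mailbox.
func (s *ResetService) CompleteReset(token, newPassword string) error {
	key := hashToken(token)
	p, ok := s.pending[key]
	if !ok {
		return errors.New("invalid reset token")
	}
	delete(s.pending, key) // single use, even if the attempt fails below
	if s.now().After(p.expires) {
		return errors.New("reset token expired")
	}
	s.accounts[p.email].Password = newPassword
	return nil
}

func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}
```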
 
2013-03-23 02:11:05 AM
Guess it's a good thing I don't have an Apple account at all.

fark iTunes in the ear.
 
2013-03-23 03:05:15 AM
No, they can't. It's impossible. I'd be willing to be my entire life savings on it.
 
2013-03-23 03:06:05 AM

untaken_name: No, they can't. It's impossible. I'd be willing to be my entire life savings on it.


bet, dammit. I guess I should preview twice.
 
2013-03-23 03:16:24 AM
ITT: 9/10 posters with their panties in such a wad they're coming out their mouths!
 
2013-03-23 03:42:31 AM
Well then it's a good thing that I don't use any iCrap.
 
2013-03-23 04:14:58 AM
torusXL:
Uh, no it's the users' faults for being lazy entitled pieces of shiat who expect those who worked hard to learn about technology to hold their hand, feed them, and wipe their ass.

But hey, feel free to never learn about reality and continue sitting around wishing that bad stuff wouldn't happen. No need for you to do anything about it, the magic programmers will.


I really hope this is a troll post.  If not: most users keep their passwords as secret as they can and expect IT professionals like you to... you know, do your damn job and make systems secure. And you consistently fail, either because a proper system is apparently too difficult for a whole lot of supposedly bright people to develop, or more often because you refuse to consider the users' actual IT system needs and instead sit there like a cheeto-dust-covered asshole BOFH and complain about how your grandmother can't even be bothered to recompile her kernel, that lazy biatch.  Sheesh.
 
2013-03-23 06:06:17 AM
Ivo Shandow
This particular product was discontinued years ago but the concept is still valid. We have had the technology to provide secure logins for a long time. Companies just need to get off their asses and start implementing something.

Solid points. Look at RSA, though... "just implementing something" can backfire in a big way. Security is, despite some people's (often self-serving) pretensions (looking at you, torusXL), really farking hard. Even basic tasks like identification are really farking hard. That it is really farking hard is largely the reason why we age and die... our bodies are only so capable of inspecting their own contents and determining what needs to be there, and what doesn't belong. DNA replicates erroneously, and suddenly you have cancer. A virus invades your body and isn't successfully detected, suddenly you're sick. Even aging itself, natural mortality, might end up being reducible to the difficulty of solving this problem of correctly identifying and separating out what should be there from what should not be there at a bio-scale level.

That said, there are many improvements to be made, and it's wrong to assume that the problem is insurmountable just because it is difficult.

Public key cryptography seems to be a solution to the problem RSA arrived at, which can be generalized as a leakage of escrow data. There should be no escrow data. Back when RSA tokens were the new hotness, performing real public key crypto in a small form factor was not a realistic design goal, but today we're living in a different era and the technology is ripe for it.

Everyone is talking about smart watches... this would be a fairly perfect platform for a secure two-factor system - easily usable and always present while presenting a minimal attack surface. It could talk wirelessly to your computer and smartphone when credentialing is required, require positive physical confirmation from the user, and transmit nothing OTA that might be vulnerable to replay or easy to perform analytic attacks. It might even incorporate some form of biometric two-factor of its own, although power requirements for something like that might be a bit ahead of the curve.

I'd pay a Franklin or two for a device like that. If someone had the seed capital, I'd certainly be up for helping to build it.
 
2013-03-23 11:37:14 AM

mrexcess: Back when RSA tokens were the new hotness, performing real public key crypto in a small form factor was not a realistic design goal, but today we're living in a different era and the technology is ripe for it.


Over-ripe, I would say. The iButton device I linked to earlier performed real public key crypto (RSA algorithm) in a small form factor 15 years ago. It's more a question of motivation than of technology, like the fact that we are all still sending insecure email many years after PGP and S/MIME were invented. People just don't care.
 
2013-03-23 01:23:20 PM
So basically anyone that is your facebook friend.
 
2013-03-23 03:12:12 PM

WhippingBoy: Crap. Now everyone will know of my love of the Starland Vocal Band.


Starland Vocal Band? They suck!
 
Displayed 50 of 56 comments

This thread is archived, and closed to new comments.