You’re Reacting to Celebgate Wrong

David Pogue
Yahoo Tech
September 3, 2014


Oh, my word. Hey, Internet people: How about keeping your heads on?

Ever since somebody released nude photos of female movie stars this week, the wild overreactions have been clogging the Interwebs. Most of the hysteria runs along one of a few lines, and a lot of it is plain wrong. Here’s what I mean:

“Apple was hacked! The hackers exploited a flaw in iCloud security!”
Actually, no. There’s no evidence that anyone got to the photos through a security flaw. By all accounts, including Apple’s, somebody guessed the celebrities’ passwords, probably by guessing the answers to their security questions (see below).

It might just as easily have happened to Google, Microsoft, Yahoo, or anyone. In fact, experts say that some photos did come from other services, not just iCloud.


“Those movie stars were asking for it! Why would they put naked pictures online?”
Maybe it’s none of our business where people decide to store their private data. It’s supposed to be private. They were told that the storage was secure.

“Turn off your iCloud account. Never put anything online!”
That’s goofy advice. Internet services are useful. They save us time and hassle. They keep all our gadgets and computers — calendars, address books, email — conveniently synchronized.

Shut them off? OK, fine. And then never leave the house again, because you might get hit by lightning.

Now, if you’re a celebrity, especially a beautiful young actress, you should be concerned by the photo hacks this week, and you definitely should review your accounts and make sure you are protecting them with all of the tools available.

If you’re anyone else — well, with all due respect to your ego, hackers probably have very little interest in your naked photos. So before you go ripping the Internet cables out of your walls, pause to consider the actual odds of anyone bothering to hack your photo accounts.

“It’s our fault. We’re idiots! Our passwords are easy to guess!”
If your password is 123456 or password1, then yes, it is too easy to guess.

But guess what? That’s not what happened to the movie stars. That’s not what happened to Mat Honan, the Wired magazine writer who was hacked in 2012. It’s not even what happened to me, when my iCloud account was briefly taken over last year.

In the cases of Mat and me and probably the movie stars, the “hacking” consisted of guessing the answers to the security questions.

See, each company — Apple, Google, whoever — needs some way to let you reset your password if you forget it. (A lot of people forget their passwords. A lot. And no wonder; nobody could possibly remember hundreds of different, complex, long, patternless passwords, like the security experts exhort us to create.)

So to reset your password, you’re supposed to answer some security questions — life facts only you would know — on the Internet service’s website.

Unfortunately, for a teenage hacker with nothing but time, there are ways to figure out the answers to those questions, especially for public figures.

As I recall, my security questions at the time I was hacked were: “What’s the best car you ever owned?” (I had once blogged about how much I loved my Prius.) “Where were you on January 1, 2000?” (A party — where else?) “What’s your mother’s maiden name?” (Not very hard to look up, really.)

Sarah Palin’s hackers found out her birthday from her Wikipedia page. Paris Hilton’s needed only her dog’s name. Scarlett Johansson and singer Christina Aguilera got hacked the same way.

If you truly want to avoid getting hacked the way the movie stars did, that’s the weak link. That’s the part you should beef up.

Once I reset my own iCloud account credentials, a security expert advised me to answer the security questions with nonsense answers. “What’s your dream job?” “Steel-belted radials.” That kind of thing. Nobody’s going to find those answers in some Entertainment Weekly interview.
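The advice above amounts to making the answer as unguessable as a random password and keeping it in a password manager. The following is an added example, not code from the column or from any service: it generates random answers for a list of security questions and compares their entropy with an answer an attacker can narrow to a small candidate pool (the pool size of 1,000 is a constructed illustration, not a measured figure).

```python
import math
import secrets
import string

# Characters used for generated answers (letters and digits only, so they paste
# cleanly into any reset form).
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 16) -> str:
    """Return a random answer of the given length drawn with the CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_entropy_bits(length: int = 16,
                               alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random answer: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def guessable_entropy_bits(candidate_pool_size: int) -> float:
    """Entropy of an answer an attacker can narrow to this many candidates.

    A mother's maiden name or a pet's name found in an interview collapses
    to a pool of one; even a pool of a few thousand is only ~12 bits.
    """
    return math.log2(candidate_pool_size)


def fill_security_questions(questions: list[str]) -> dict[str, str]:
    """Assign each question a fresh random answer, meant for a password manager."""
    answers = {q: random_answer() for q in questions}
    # Every answer must be distinct so one leaked answer does not reset them all.
    assert len(set(answers.values())) == len(questions)
    return answers


if __name__ == "__main__":
    # Constructed sample questions in the style the column quotes.
    qs = ["What's your dream job?", "What's your mother's maiden name?"]
    for q, a in fill_security_questions(qs).items():
        print(f"{q} -> {a}")
    print(f"random answer: {random_answer_entropy_bits():.1f} bits")
    print(f"answer from a 1,000-name pool: {guessable_entropy_bits(1000):.1f} bits")
```

The point the numbers make is that an answer's strength is the size of the set an attacker has to search, not whether the fact is "personal"; a random string moves that set from a few hundred plausible names to a space no one can enumerate.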

“These clueless morons should have turned on two-factor authentication!”
I’ve read that two-factor authentication would have spared Jennifer Lawrence and her colleagues their current headaches.

But it wouldn’t have.

Two-factor authentication works something like this: If you try to access your online account from a new phone or computer, your password isn’t enough; the service texts a special code to your cellphone. You can’t proceed until you enter that code, too.

Obviously, hackers can’t see what’s on your phone, so they’re stopped in their tracks, even if they know your password.

Now, you should turn on two-factor authentication; it provides a lot of security with very little inconvenience.

However, it would not have helped the celebrities. The two-factor thing protects your account when you log in — at iCloud.com, for example. But it does not protect your online iCloud backup, which your iTunes program accesses when you want to restore an empty phone from your backup.

To restore a phone from your online backup, all you need is the account email address and password. And, as you now know, you can get that password by figuring out the answers to a couple of security questions.
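The mechanism described in the last few paragraphs (a second factor on interactive login, none on the backup-restore path) can be modelled in a few dozen lines. This is an added example, not Apple's code and not a real iCloud endpoint: a hypothetical `Service` with two entry points sharing one password check, where a flag decides whether the backup path also demands the code. Sample credentials and the simulated "texted" code are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever slow KDF a real service uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    trusted_devices: Set[str] = field(default_factory=set)
    pending_code: Optional[str] = None  # the code "texted" to the phone


class Service:
    """Hypothetical service: interactive login plus a backup-restore path."""

    def __init__(self, require_2fa_for_backup: bool):
        self.accounts: Dict[str, Account] = {}
        self.require_2fa_for_backup = require_2fa_for_backup

    def register(self, email: str, password: str, trusted_device: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(
            email, salt, hash_password(password, salt), {trusted_device})

    def _check_password(self, email: str, password: str) -> Optional[Account]:
        acct = self.accounts.get(email)
        if acct is None:
            return None
        if not hmac.compare_digest(acct.password_hash,
                                   hash_password(password, acct.salt)):
            return None
        return acct

    def _send_code(self, acct: Account) -> None:
        # Simulated SMS: a six-digit code only the phone's owner can read.
        acct.pending_code = f"{secrets.randbelow(10**6):06d}"

    def login(self, email: str, password: str, device: str,
              code: Optional[str] = None) -> str:
        """Password always required; unknown devices also need the code."""
        acct = self._check_password(email, password)
        if acct is None:
            return "denied: bad credentials"
        if device in acct.trusted_devices:
            return "ok"
        if code is None:
            self._send_code(acct)
            return "need second factor"
        if acct.pending_code and hmac.compare_digest(acct.pending_code, code):
            acct.pending_code = None
            acct.trusted_devices.add(device)
            return "ok"
        return "denied: bad code"

    def restore_backup(self, email: str, password: str, device: str,
                       code: Optional[str] = None) -> str:
        if not self.require_2fa_for_backup:
            # The gap the column describes: the password alone releases the backup,
            # and that password is reachable via the security-question reset.
            ok = self._check_password(email, password) is not None
            return "backup released" if ok else "denied: bad credentials"
        # Hardened variant: reuse the same device-trust check as login.
        result = self.login(email, password, device, code)
        return "backup released" if result == "ok" else result


def demo() -> Dict[str, str]:
    """Run both variants with a constructed account and return the outcomes."""
    out = {}
    for name, flag in (("weak", False), ("hardened", True)):
        svc = Service(require_2fa_for_backup=flag)
        svc.register("star@example.com", "correct horse", "her-iphone")
        # Correct password, but from a device the account has never seen.
        out[name] = svc.restore_backup("star@example.com", "correct horse",
                                       "unknown-laptop")
    return out


if __name__ == "__main__":
    print(demo())
```

The defensive reading is an inventory question: every path that hands out account data, not just the login page, has to apply the same device-trust check, or the second factor only protects the one door that was already watched.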

The bad guys didn’t even have to buy a blank iPhone. They just needed a program like Elcomsoft Phone Password Breaker ($80), which simulates an iPhone and lets you restore it from an iCloud backup. They could have downloaded the celebrities’ backups into this software, and presto: They’d have all their photos, even deleted ones, and a lot more.

So. The moral of the nude movie-star photos scandal is not “iCloud is dangerous” or “The Internet should be shut down” or “The victims brought this on themselves.”

The moral is: “If you’re a famous person, you have to be unusually careful in choosing what to post online — and how to protect it.”

For the rest of us — well, let’s keep our heads on.
