/ 7 September 2014

Electronic literacy the only real defence against hacking

Electronic Literacy The Only Real Defence Against Hacking

Some have called the recent hacking of 200 celebrities’ private photographs a sex crime. Others have expressed unseemly delight at this “dream come true”. But few have focused on the real problem here: our collective failure to understand our technology.

I’m not excusing the hackers or their decision to share these private, often nude, photos publicly. The men (and they’re all men) downloading and sharing these photos are doing something fundamentally wrong. Their incessant jokes about masturbation only make it that much more nauseating.

And the people (including many women) who responded by condemning the celebrities for taking nude photos are nearly as bad. Young, beautiful people are going to take naked photos of themselves. Not only is that perfectly natural, it’s also nobody else’s business. Prudishness has no place in the 21st century, particularly not as an excuse for criminal invasion of privacy.

A lot of this kind of criticism is focused on the fact that these women “shared” or “uploaded” these photos to the internet. But this is the nub of the issue: most (if not all) of these women would not have realised they were “uploading” anything at all.

All of these photos were obtained by hacking Apple’s iCloud service. This centralised system allows users to store their documents and photos online, and to seamlessly synchronise information and settings between devices. It’s incredibly handy and makes Apple’s devices a pleasure to use.

It’s so handy, in fact, that you begin to take it for granted. Whereas before you needed to fuss around with cables to get photos from your phone to your computer (or vice versa), now they just synchronize automatically. This feature is so obviously convenient that Apple has made it the default on all new phones.

But what we quickly forget is that, even though iCloud is a private service, we are still storing those photos on the internet. In order for the synchronization to occur, there must first be centralisation.

This happens via Apple’s network of data centres scattered around the planet. This network represents a big, juicy target for hackers. Security teams at companies like Apple routinely fight off hundreds, if not thousands, of attacks each day.

But, as is so often the case, the hackers relied not on brute force or programming skills, but on fallible human beings. They obtained access to the celebrities’ accounts by either hijacking the “forgot password” system or tricking them, via email, into entering their iCloud details in a fake sign-up page (a technique known as “phishing”).

It’s tempting to lay most of the blame at Apple’s door here. They’ve never been particularly strong at online services. MobileMe, the predecessor to iCloud, was famously buggy. At a meeting with the service’s executives Steve Jobs asked “Can anyone tell me what MobileMe is supposed to do?” When one executive plucked up the courage to describe the service, Jobs shot back: “So why the fuck doesn’t it do that?”

There are certainly bugs or loopholes in some of iCloud’s systems. Resetting a password using secret questions was too easily hijacked. The system revealed unnecessary amounts of information and allowed unreasonable numbers of failed attempts. The flaws were so serious that a journalist was able to hack her own account with a $200 piece of software.

This couldn’t be worse timing for Apple, which is about to announce a whole new line of products tomorrow. To their credit, Apple executives immediately acknowledged the problems and the loopholes are already plugged.

Yet if we simply blame Apple for the fiasco, we miss the real issue: we cannot rely on any company, or any person, to protect our privacy 100% of the time. The starlets whose privacy was invaded did not deserve it, but they could have prevented it.

The answer isn’t “don’t take nude photos” – it’s “know exactly what happens to your photos when you take them”. Photo synchronisation is automatic on the iPhone. If you’re world famous you need a tame techie on retainer to educate you how to keep your data safe at all times.

This isn’t a “nice to have” anymore. Nik Cubrilovic, an online security journalist, describes in chilling detail the huge networks of hackers that scour the web for personal information that can be used for these kinds of attacks. They often sell the resulting hauls of pictures into private networks of “collectors”. 

While it would be nice to imagine that we can track down these people and destroy these networks, it’s a bit like wishing for world peace. Nor are we going to stamp out the misogyny and prudish condemnation that catalysed this controversy. We’re not even going to be able to make our cloud services unhackable because that would effectively make them unusable.

What we can do is take electronic literacy a lot more seriously than we currently do. None of the celebrities targeted in this attack are stupid. In fact some, like Jennifer Lawrence, are extremely intelligent. But intelligence is no defence against a subject you don’t care to understand.

Technology always changes more quickly than culture or human habits. The convenience and power of cloud computing make it both compelling and ubiquitous. But until we understand the risks, we will never see them coming.