Security By Deflection

Not sure if you read the news, but some celebrities had their nudie photos stolen. Apple posted their response today; you can read it here.

It contains choice phrases such as:

“a practice that has become all too common on the Internet”

I could write entire blog posts about how that level of blame deflection is beyond patronising. I’m not going to, though, because they end with this:

“To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.”

Strong passwords and two-step verification. Makes perfect sense, right? Except Apple forgets to mention that there’s no such thing as two-step authentication for your iCloud photos, or even access to your iCloud account. Here’s what’s actually protected:

“Then, any time you sign in to manage your Apple ID at My Apple ID or make an iTunes, App Store, or iBooks Store purchase from a new device, you’ll need to verify your identity by entering both your password and a 4-digit verification code, as shown below.”

In other words, enabling two-step authentication would do nothing to ‘protect against this type of attack’. I store a lot of things in my iCloud account, and it’s also able to wipe most of the devices I use. I expect more from Apple; we all should. Here’s a specific example of why that is:

That’s right, someone can wipe an entire iPad, on an account I enabled two-step authentication on. They can also track all my devices. They can read my email. Peruse my calendar. Get all my photos. In my case as a developer they can remove all my apps from sale, or change their descriptions. I care about all those things far more than someone stealing money from my credit card. That’s the whole reason I enable two-step authentication for all my important online accounts.

I hope Apple takes this opportunity to lift their game security-wise. Blaming hackers is one thing; doing more to protect us all is entirely another.