Comment Re:Not true. (Score 1) 85

If you know the user's account name and password it can log in to their iCloud account

And then you're pretty much screwed right there, regardless.

A fake WiFi spot can probably gather at least the user name in plain text

I wouldn't bet on that. Apple should be passing credentials over SSL. However, given that the username is the same as your email address, it's not impossible for people to find that out.

Apple allowed infinite rapid guesses of the password

Well.... no. They allowed an indefinite number of guesses, or an unlimited number of guesses, but not an infinite number of guesses. It may seem like I'm just being picky with word choice, but if they allowed an infinite number of guesses (somehow) then all of their accounts would be compromised. By allowing an unlimited number of guesses, they only open the door for a given account to be compromised after some kind of investment of time. The investment of time required depends on the quality of the password.

So if your password is extremely weak, then it might possibly get compromised by a general attack: trying known user accounts with a small dictionary of passwords. If your password is pretty weak, then it might be compromised by a targeted attack on your specific account. If your password is extremely strong, then a brute force attack is unfeasible.

Comment Re:No no no... (Score 1) 85

As I understand it (and I may be wrong), the accounts were accessed by abusing the "forgot my password" service.

I hadn't heard this exactly, but Apple's public statement did include a mention of security questions. Their statement was pretty vague. They say that there was "a very targeted attack on user names, passwords and security questions".

Still, that's not really an exploit of iCloud's service. If they chose security questions that someone could find the answer to, I wouldn't consider that an iCloud exploit. I do think that the use of security questions should be reevaluated, but they're a pretty standard practice these days. Even if someone forces a reset of your password, under normal circumstances you should notice that the password has changed the next time you log in.

Comment Re:Eat real foods, mostly veg, not too much (Score 1) 291

Part of the problem is that these things are being reported badly by the press. A study shows some minor correlation between coffee drinkers and... let's say... people who suffer from heart disease. The news the next day is, "Coffee causes heart attacks".

Another part of the problem is, for a while, we apparently didn't even bother to study things scientifically. Research would show a correlation between being overweight and heart disease, and that was pretty valid. But then the assumption was made: If you want less fat on your body, you should have less fat in your diet. Since you have to eat something, replace meat with bread. Since you want food to taste good, replace fat with sugar. Or replace fat with vegetable products, because vegetables are healthier than meat, right?

Except that we hadn't really studied that stuff. It turns out, the bread and sugar and transfats are probably worse than having some level of meat and fat in your diet.

Finally, the fact is that we have a hard time studying diet. It's rare that you see anything resembling a controlled study, and you certainly don't see controlled studies going over long periods of time. We can't just gather up a couple thousand random people and give them a highly controlled diet for 20 years to see how their bodies respond.

Comment Re:Not true. (Score 2) 85

The article is about fake Wifi hotspots.

I don't think it was even that simple. I didn't read the article in detail because it seemed dumb, but the author seemed to be talking about spoofing a trusted destination for WiFi iPhone backups.

So if you set up your iPhone to sync over WiFi, and if you connect to a compromised WiFi network, and *if* that network has a machine that manages to spoof the computer that you sync your iPhone to, the iPhone will sync to that computer instead, which might sync sensitive information.

That's a very special set of conditions, and it's not clear how you would spoof the computer that's serving as a sync destination.

Comment Re:No no no... (Score 4, Insightful) 85

I do think Apple was a bit disingenuous regarding the "bad passwords" used by celebrities, given the iBrute tool apparently was able to keep trying different passwords against Find My iPhone without any sort of delay - a shortcoming Apple apparently fixed a few days back.

First, I don't think that it's known that the accounts were compromised with iBrute. People made the connection because the leak happened shortly after iBrute was announced, but there have been many suggestions that the photos had been acquired months or years before that. That makes it pretty unlikely that the accounts were accessed using iBrute. And Apple seems to deny that the accounts were accessed by exploiting "Find My iPhone".

Second, their comment about "bad passwords" is valid regardless, and would be valid even if the passwords had been accessed through brute force attacks. Brute force attack mitigation is specifically helpful in protecting accounts with weak passwords. If your password is strong enough, a brute force attack should still take a prohibitively long time to succeed.

From what I've been reading, it seems most likely that only some of these photos came from compromised iCloud accounts, and those accounts were probably not compromised due to an exploit of iCloud's service. There was just a news story about 5 million Gmail passwords being leaked, but it doesn't seem that it was from an exploit of Google's services either. Most likely, they were all acquired by phishing, or other non-technical attacks.
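As an added illustration of the point made in this comment and in the earlier "unlimited, not infinite" comment (example code written for this page, not Apple's service logic and not the iBrute tool), the snippet below implements a per-account login throttle with exponential backoff and estimates how much longer a dictionary run against one account takes once such a throttle is in place. The guess rate, dictionary size and delay parameters are constructed assumptions; the `LoginThrottle` class and helper functions are hypothetical names chosen for this example.

```python
"""Per-account login throttling and a back-of-the-envelope estimate of
how it changes the time budget of a password-guessing attack.

Added example for this thread; not code from Apple or from iBrute.
All rates and parameters below are constructed assumptions.
"""


class LoginThrottle:
    """Throttle failed logins per account.

    The first `free_attempts` failures cost nothing (normal typos).
    Every further failure doubles the wait before the next attempt is
    accepted, up to `max_delay` seconds. The current time is passed in
    explicitly so the behaviour is deterministic and easy to test.
    """

    def __init__(self, free_attempts=5, base_delay=1.0, max_delay=3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # account -> (failure_count, next_allowed_time)

    def check(self, account, now):
        """True if an attempt for `account` may be processed at time `now`.
        The server should call this *before* verifying the password and
        reject the request outright when it returns False."""
        _, next_allowed = self._state.get(account, (0, 0.0))
        return now >= next_allowed

    def record_failure(self, account, now):
        """Register a failed attempt; returns the delay imposed (seconds)."""
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        if failures <= self.free_attempts:
            delay = 0.0
        else:
            exponent = failures - self.free_attempts - 1
            delay = min(self.base_delay * 2 ** exponent, self.max_delay)
        self._state[account] = (failures, now + delay)
        return delay

    def record_success(self, account):
        """A correct password clears the account's failure history."""
        self._state.pop(account, None)


def guess_space(charset_size, length):
    """Worst-case number of guesses for a random password of the given
    alphabet size and length (the 'quality' the comments refer to)."""
    return charset_size ** length


def unthrottled_seconds(guesses, guesses_per_second):
    """Time to exhaust `guesses` when nothing slows the attacker down."""
    return guesses / guesses_per_second


def throttled_seconds(guesses, throttle):
    """Time to exhaust `guesses` against one account under `throttle`,
    assuming the attacker waits exactly as long as required each time.
    Uses the closed form of the doubling series so it stays cheap even
    for huge guess counts."""
    n = guesses - throttle.free_attempts
    if n <= 0:
        return 0.0
    base, cap = throttle.base_delay, throttle.max_delay
    k = 0  # number of doublings before the delay hits the cap
    while k < n and base * 2 ** k < cap:
        k += 1
    return base * (2 ** k - 1) + (n - k) * cap


if __name__ == "__main__":
    t = LoginThrottle()
    dictionary = 10_000          # constructed: a small password list
    rate = 100                   # constructed: guesses/second without throttling
    print("no throttle :", unthrottled_seconds(dictionary, rate), "s")
    print("throttled   :", throttled_seconds(dictionary, t) / 86400, "days")
    strong = guess_space(62, 12)  # 12 chars from [A-Za-z0-9]
    print("strong pw   :", unthrottled_seconds(strong, rate), "s even unthrottled")
```

The two estimates make the comment's argument concrete: throttling turns a seconds-long dictionary run into a multi-year one for a weak password, while a long random password is out of reach at realistic guess rates with or without the throttle.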

Comment Re:No no no... (Score 3, Insightful) 85

I skimmed the article, so I may have missed something, but the attacks that they're talking about generally entail having physical access to the phone, offline access to the phone's backup, phishing for passwords, or WiFi man-in-the-middle attacks *if* you can manage to spoof a computer that the iPhone trusts.

Which is to say, these aren't tremendous vulnerabilities on Apple's part. An attacker might be able to pull off a brute-force attack on your encrypted password-protected iPhone backup if they have an offline copy, if the password is weak. Well golly! Everyone better stop using their iPhone right away.

Comment Re:To be fair... (Score 4, Funny) 405

"Brees isn't watching movies on his surface" about 98% of the audience would have said "WTF is a 'surface'?"

That's not true.

I'm sure lots of people would be like, "Of course he's not watching movies on his own surface. How on earth would he have a movie on his own skin? But maybe he's watching movies on his iPad. Duh!"
