After I wrote about the problem with Apple’s iCloud in which photos of some celebrities were compromised and stolen from their accounts, I received a number of suggestions as to what Apple should do about it.
I’ll forget about the suggestions that are unprintable, but there are plenty of people who think Apple should do something. But not everyone is sure exactly what it is that Apple should do.
Some things are obvious, including one fix that Apple has already made, which is limiting the number of password entry attempts before the account is locked down. Before the photo thefts came to light, iCloud allowed visitors to make an unlimited number of password tries. Now there’s a limit of five tries.
Other preventive measures, such as requiring two-factor authentication before changing passwords, were already available. Another measure, requiring two-factor authentication before extracting photos out of iCloud, wasn’t implemented despite Apple tech support’s claim that it was.
But, as Chris Preimesberger points out, some things take time, and some security enhancements for Apple devices and iCloud will be released with the next version of iOS, due this fall. As much as Apple might wish it could snap its corporate fingers and simply make it happen, the company does not have magical powers.
But that’s not to suggest that there aren’t some things that Apple, and any other company that offers cloud services to the general public, should do to improve account security. A case in point comes from Craig Mathias, principal at Farpoint Group, who contends that the big thing that Apple should do is have all data be encrypted in the cloud and in transit.
Mathias pointed out that even if someone were to breach an iCloud account, they wouldn’t be able to see anything, except “a bunch of bits,” if two-factor authentication were required to access encrypted data. “With the new Mac, you must sync with iCloud,” Mathias said, “but is iCloud encrypted?”
But, the fact is, you can only take such things as encryption or two-factor authentication so far. One major reason for using iCloud or other services, such as Microsoft’s OneDrive, is that they’re an easy way to preserve data that might otherwise be lost. If you had to enter a passcode on your phone every time you wanted to save a photo to the cloud, it’s likely that far fewer people would use those services.
This may not sound like a big deal, but then think about what is probably the single biggest concern when people lose their phones these days. It’s not the inability to make calls, but the hundreds of photos that are stored on the phone and nowhere else. iCloud and OneDrive serve a primary purpose of providing storage in real time as photos are taken. This is why people use them.
Overloading Cloud Services With Security Fixes Defeats Their Purpose
In reality, Apple is meeting a very real demand from its customers in providing an easy-to-use, readily available means for storing photos on the fly. And while it could do a better job of some things, so could a lot of other companies.
“Apple is no worse than anybody else,” said Alan Zeichick, principal analyst for Camden Associates. Zeichick thinks that two-factor authentication should be set up by default, and that public cloud companies (including but not limited to Apple) should do a better job of watching for hackers by alerting subscribers about password hacking attempts, suspicious IP addresses and the like.
But customers can also take some measures to help protect themselves. For example, both Zeichick and Mathias suggest making up fictitious answers to those security questions, such as the ones asking for your grandmother’s maiden name or the make of your first car. What matters is that someone can’t find out the answer by looking at your high school yearbook. It might also be a good idea to create an email address that exists for no other reason than being your user name for online accounts.
But, in reality, what Apple was doing is something that successful businesses do well, and that’s meeting the demands of its customers. Customers look to Apple for ease of use, and they get that. But the fact is that ease of use may include some risk.
During the time I was writing this column, I received word that one of my closest friends in this business we call technology journalism had died. Eric Lundquist has been a colleague at times, a competitor at other times and on one occasion my boss. To say that I was fortunate to have reported to him would be an understatement.
Eric Lundquist was the journalist that we all aspire to be. He was a stickler for accuracy, but he was also fair. He didn’t pull punches, but he also didn’t make unfair hits. I know from the way people spoke of him that he was highly respected throughout the technology industry, and that he will be deeply missed.
Yet Eric was more than just a colleague. Over the years, we became good friends. I was privileged to count him as one of my closest friends during the time I knew him. We traveled the world in quest of one more good story, of course. But, sometimes, our travels were just through the concourse at some faraway train station to find one more beer and one more meal. Farewell, good friend. I’m a better person and a better journalist for having known you.