Jennifer Lawrence Nude Photo Leak Could Have Been Prevented With Two Factor Authentication:
Find out why Apple's sloppy implementation of 2FA wouldn't actually have helped very much by reading here:
Apple apparently plans to fix this in coming weeks.
I woke up this morning and my Twitter stream was on fire about a new celebrity nude photo leak. Jennifer Lawrence and up to 100 other celebrities have had their nude photographs leaked online. These were claimed to have been obtained from compromised iCloud accounts. Apple does a great job of storing data, which means that the iCloud data is encrypted on Apple's servers and encrypted when transmitted to and from the server. The only way I can think of that this data could have been accessed is if someone learned the login credentials for the iCloud accounts in question.
Of course, not storing nude photographs of yourself online is the safest way to ensure that you're not at risk for such a compromise, and most of us are pretty low-profile targets for hackers. However, when it comes to security, it would be foolish not to take simple precautions when possible. Services make using, sharing, and sorting data a lot easier, but it can come at the cost of privacy. For example, your phone automagically includes your location data and uploads the photographs to the cloud. This is great for sorting through photographs by location, but that data stays with the image no matter where it's sent. So, for example, if you upload your photo to Instagram or Twitter, it could contain location data which can be read by anyone with a browser plugin.
Some have suggested an incognito camera mode which would keep pictures taken in that mode from being uploaded to the cloud. Right now that doesn't exist. Had Jennifer Lawrence simply enabled two factor authentication on her iCloud account, she would have most likely avoided this whole situation.
What is Two Factor Authentication?
To enable it, you provide your phone number to the service and they send you a test message. Once verified, any future attempt to log in to your account from an untrusted device will require the user to enter a new code generated and sent via text message (or using an authenticator app).
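
The login flow described above, sketched as an added example that is not part of the original post: a correct password from an untrusted device is not enough, and the server asks for a one-time code. It assumes the authenticator-app variant using time-based codes (RFC 6238); the `Account` class, `login` method and device IDs are hypothetical names, and the secret in the test is the RFC's published test value.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for one counter value (a 30 s time step here)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:
    """Hypothetical server-side record for one enrolled user."""

    def __init__(self, secret: bytes):
        self.secret = secret          # shared with the authenticator app at enrollment
        self.trusted_devices = set()  # devices that already passed the second factor
        self.last_counter = -1        # highest time step accepted so far (replay guard)

    def verify_code(self, code: str, now: float, step: int = 30, drift: int = 1) -> bool:
        current = int(now) // step
        # Accept the current step plus/minus `drift` steps to tolerate clock skew.
        for counter in range(max(0, current - drift), current + drift + 1):
            if counter <= self.last_counter:
                continue              # a code from this step was already used
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False

    def login(self, password_ok: bool, device_id: str, now: float, code=None) -> str:
        if not password_ok:
            return "denied"
        if device_id in self.trusted_devices:
            return "ok"               # second factor was already proven on this device
        if code is None:
            return "code_required"    # password alone is not enough from a new device
        if self.verify_code(code, now):
            self.trusted_devices.add(device_id)
            return "ok"
        return "denied"
```

Rate limiting of failed code attempts is left out here; a real service needs it, since a six-digit code has only a million possible values.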