There was a pic of a facial but it was debunked on 4chan after it was found to be a pic of a GF from 3 years earlier.
Question for Nett, Scootah, Binary, and whoever else knows their shit. (First, 1. I accidentally got super drunk on wine and am dumber than usual right now. 2. I don't know enough about this topic to even use the proper terminology or ask intelligent questions. Or whatever. Fuck you guys.) Are there crazy good hackers* out there who could do this sort of thing and leave no traces behind? Lots of people are saying that they/he/she hacked iCloud. In theory, could someone do that without getting caught, or is anybody pretty much fucked if the FBI (or whoever) decides they want to figure out who you are? (*For lack of a better term. See #1 and 2.) Quite related, but also not related at all: Nett (or others I mentioned), how much shit could you stir up if you went full cowboy and really tried? Are there rockstars out there who could fully bring down big companies/organizations, or is that just in the movies?
Yes, but to understand why that's probably not what happened you need to understand how the economics and pragmatic realities of the IT security industry work. First? IT security is a lucrative industry. There's fuck off money in it. If you have the legit skills that enterprise IT recruiters chase for banks, big businesses, government, etc - you can almost certainly get a decent income in the 6 figure range doing completely legit work. But if you go full blackhat like the guy releasing these pics? You probably screw yourself out of a bunch of career options and you risk doing time. Why the fuck would you leak photos of some celebrity and try and chase bitcoin donations at the risk of your career and years' worth of six figure income? If you have those kind of skills, the willingness to go blackhat and do it for money? Why would you dick around with this kind of petty bullshit? It's much more lucrative to do industrial espionage shit - or stuff like hackmailing (taking over some business's servers, then extorting them, often done in the pretense of being a security researcher who's observed malware taking over your system and offering to fix it for a fee. Most people pay for the IT guy to fix their shit and are grateful for the luck in having someone contact them right as they started having problems). There's a bunch of other stuff that malicious skilled coders can do if they want to play evil lines that pay way better than this bullshit. Third, getting away with this kind of shit if there's a federal authority motivated to chase you (which with something like the fappening there's fucking going to be) is possible, but it's difficult if you're based inside a western first world country, especially if it's an English-speaking one that's tied into all the international treaties and being America's bitch politically. 
Even if you're in some third world country or some legal void space where you might not get extradited - it requires a LOT of very detailed and careful planning and implementation to really do it in a way that's going to fuck up people who can go and kick doors and arrange for international authority groups to kick doors and seize hardware as part of their investigations. And you have to hope that the nest of VPNs and anonymizer services that you use are all honest about their methods and that you haven't fucked up your plan anywhere - otherwise you're going to leave a trail by accident and this guy is looking at doing legit time as a warning to others. Fourth - A big, well funded and well run IT shop like Apple takes security pretty seriously. Chances are you're only getting through their security with a zero day - an exploit or an entrance method that is presently unknown to the security industry. Finding those is difficult, time consuming and often lucrative. Security researchers who find zero days for a living usually make a pretty good living selling them, either to people who know how to make real money off the exploit, or people who produce software and want to close their vulnerabilities. The people who find zero days usually would have the skills to do a blackhat thing like this, and maybe the skills to not get caught, probably wouldn't - because it's pocket change money compared to their business, which they'd fuck over if they get caught - and they know how the best security plans usually end up getting caught out by something some IT guy didn't think of. Coming all the way back around - what I suspect probably happened, is that someone either socially engineered their way through using spear phishing, or got crazy lucky while phishing some Apple guy - or is an ex-Apple employee who knew a way through. Disgruntled former staff are always prime candidates for this kind of shit. 
Phishing is where you send out fake emails or other fake information requests to solicit someone into breaking security protocols and giving you a password. That shit is pretty traceable if you've got the feds seriously after you and the media pressure to nail the baddy that comes with celebrity shit like this. Also, eventually everyone is going to join the dots that they have fucking iOS devices and if celebrity iCloud accounts were hacked, maybe their birthday blowjob photos are going to leak onto the internets as well. The less probable alternative, but I consider next most likely - is that some mickey mouse douchebag with just enough skill to follow the mailing lists has spotted some zero day advisory on some security forum somewhere. Someone has mentioned in the conversation that it impacts Apple and iCloud. Apple have been a bit slow to respond to the advisory and while they were waiting for a change window or evaluating the change procedure and roll back steps or something - the kid or whoever made the hack will have probably absolutely maxed his talent as a hacker to get in a door that somebody else told him was open, and get content out. There's no fucking way someone with the chops to cover their tracks properly actually does this kind of shit and then tries to monetize it with bitcoin donations for publishing the pictures. You do get occasional cryptoanarchists who are usually massively autistic virgins who believe that information can be free who might do this kind of shit and have legit skills. Those dudes are usually tied to lulzsec or anon hacking groups or something though - it's out of profile for them to try and milk the data release for money or specifically target female celebrities. They'd have gone after a bigger score and released it under a "the world has a right to know that you're a whore" sort of crazy agenda. But the sum of factors for this? 
My call is that there's no way the person who got the data actually knows what they're doing enough to get away with it. And honestly, industry willingness to participate in the douchebag hunt massively decreases the ability to get away with shit. Normally big industry groups are pretty reluctant to participate with policing - it's expensive and a pain in the ass and most nerds are at least a little bit wary of police states. But this particular hack? Reddit has policed a LOT of content down. Imgur has pulled a lot of content down - more aggressively than they really need to for their legal requirements so probably they're actively looking into the issue. Twitter have been big in shutting shit down. It all speaks of an issue that the industry has taken a dim view of - and that means a lot more cooperation with the cops when they're chasing the hacker. For me personally? Blackhat shit isn't my thing. I'm good at building systems that are difficult to hack and well secured using other people's tools and best practices. I'm good at knowing how shit works. But actually going after shit like this isn't my area of expertise. I've done penetration testing commercially before and I'm OK at it - but mostly I only do it as procedural stuff - check out all the obvious shit and tick the boxes. I'm decent/pretty good at social engineering and I've talked my way into a lot of shit in the past - but getting away with that shit is really hard if you actually do any serious damage or make any serious coin off of it. I certainly know enough about past employers and clients that I could go fuck up their shit if I wanted to - but that's basically just like being a former janitor who still has a copy of the keys - there's no badassery to it. One time, I did hack a DEA webserver. I was talking to a buddy online about security shit and I'd just found a zero day (by dumb luck, the only one I've ever found) in a web service that we were both using. 
I told him about this thing and what it could do and he wanted me to check to see if his servers were vulnerable so gave me an IP address to try it out. I tried it, totally worked. Then he told me that he was working at the DEA, which was especially confusing since his username on the forum we met was 420guyDC or something... Once he convinced me he was serious, I fucking near crapped myself.
The real victims here are all the regular girls who are just trying to post some tit pics. And all the guys who saw that list and have to juggle searching IMDB and trying to masturbate. It's a tough life.
(Ok, more disclaimers: 1. I'm less drunk, but 2. I'm way more high. Ok.) Very interesting stuff. I'm curious about the people who have the skills to pull off this type of thing properly. Like you said though, anyone with that level of legitimate expertise probably isn't going to pull something like this in order to make a few dozen grand off of bitcoin payments. But the people who do have those skills - the top 1% or .01% or whatever - what's life like for them? They have their six figure jobs doing this shit professionally, but then in their spare time is the entire world's information an open book for them? If they're just fucking around for fun, and have no intention of releasing anything to the public, could they cruise around looking at people's private photos/info all they wanted without drawing attention to themselves? ...Do they?
I'm with Nom on this one. It's fucking creepy and shameful. My theory? This is another 'News of the World' situation, some media outlet got a hold of these, probably while looking for other stuff. I doubt (but don't completely discount) the NSA theory. They're already on shaky ground with the American public, and this situation, if it were the NSA, would completely undermine their entire 'program' - which they are heavily invested in. Again, I wouldn't be surprised in the least - because I have absolutely no doubt that NSA has this data - but it doesn't seem like it would come from in shop. A part of me really hopes that it was the NSA, but I'm thinking media.
I asked myself, after looking at some of the pictures, "why don't I feel guilty?" Two reasons came to mind: 1. You don't take photos of your gaping crotch, in lingerie or in a sexual position unless you want them to be seen. Granted, you want to be very selective of who sees them, but if security was an issue, you could use a film camera and destroy them after. This was a ticking time bomb for a lot of these women....kind of like a sexual manifesto to be released after you need the boost. This shit would bother me if it ever happened to Lt. Fiance and I, thus those photos don't exist. Those that do are never transferred through internet. 2. These are women whose stock in trade is their beauty. They capitalize on it (very well, in some cases) and this is the ultimate expression of that. These photos demonstrate a power previously unheard of by most people. "Broke the internet" indeed. I doubt very seriously that anyone's photos here will cause them to suffer, certainly not professionally. There's the phenomenon of distributed guilt (millions have seen them, one more won't hurt), but also the idea that this is an accepted risk of celebrity. As has been stated, these women would likely do this for money as part of acting in a role, so what's the big deal? With that said, I also find it weird that the photos I find sexy are them in lingerie. It's weird, but I think naked these women are not as confident. They are ready to rock a bathing suit or skimpy clothes and maintain their confidence. Naked, it seems to evaporate for some reason. I'm not saying they are not beautiful, they clearly are, but naked the fantasy or the mystique of celebrity is gone. Especially with low quality phone selfies. Maybe I'm accustomed to seeing porn, where the naked body is prepared for photography, but in looking at this, I find myself going..."yeah, and....? Why is this special?"
I get what you're saying, but wow, this argument could be used to completely invalidate the concept of privacy. Don't want to have someone read something unkind? Don't keep a diary. Don't want to be recorded saying something off color? Don't speak. Again, I get your point, but it's facile. These were not put out in public by the women with their consent. I don't care how you slice it, it's wrong. I'm not a celebrity fan, but I also believe in consent. We always should have the option of deciding what is released for public consumption that is done wholly in private. These women don't appear to have been at the Roller Rink. They weren't at Chuck E. Cheese. They were in the privacy of the abodes. Yes, there is some prurient curiosity, but ultimately, just because someone CAN get at something private doesn't mean it's right - or that it's the person's fault who took the pictures.
I agree, but I think the concept of privacy on the internet is slightly invalidated anyway. The point I was trying to make is that some of these photos were destined to be "leaked" in a publicity stunt.
The fact that they're public figures doesn't invalidate their expectation of and right to privacy though. "Destined to be leaked" is a hindsight bias conclusion by the voyeurs.
Just to follow up on what scootah said, which is pretty much all spot-on... There are a couple funny articles on the nature of software that I've sent to a few people, mostly as a warning that nothing is safe. They both have varying levels of accuracy but the message is good: http://stilldrinking.org/programming-sucks https://medium.com/message/everything-i ... e5f33a24e1 The reality is that software - even software developed by teams of people who are really, really good at their jobs - is so massively complex that the so-called 0-day exploits (exploits that currently exist in software and that the developers don't know about) exist everywhere. Now, you get a company like Apple, and the complexity or obscurity of those 0-day exploits goes up a lot, but they're still there. You don't have to be an elite top-0.1% hacker to execute one break-in like this. You just have to know one thing that Apple doesn't. You didn't even have to find it - you just have to find out about it. Most smart people aren't going to trade a 20 year career of 100k+ annually for, if everything goes as planned, a single $100k payday. In regards to your last question... security is more complex than that. Sure there is low-hanging fruit where you might keep a stash of exploits tucked away in a folder somewhere to call on at random. But for the most part, there's a fair amount of actual work that goes into it. A lot of reconnaissance, research, often various types of phishing/social engineering. For most systems that contain important data, even the top 0.1% of security experts don't just open up some program they wrote, enter an IP and click "compromise target and gather data." Even if you break past security measures, the data isn't sitting around in text files labeled "IMPORTANT THINGS.txt." 
If security were easy (and I don't just mean easy to learn, I mean if it didn't require a lot of effort), there are hundreds of thousands of bored teenagers who would gladly hack the shit out of every computer/phone on the planet looking for naked photos. Add to that that there is always a risk. No matter how good you are, no matter how careful you are. There's always a risk. All it takes is one compromised hop in your chain of VPNs, or a co-conspirator who can't keep his mouth shut, or a slip up earlier in your life/career (see Dread Pirate Roberts / The Silk Road), or something unexpected in the system you broke into. There are a ton of footprints left behind when you break into computer systems, and it's really hard and time consuming to cover them all up. That usually means it's not worth thumbing through people's lives. Is it possible? With enough effort, sure. I'm sure Apple thought their iCloud servers were pretty badass. But it's unlikely, since it's both not worth the time to read your email, and not worth the risk. It's like those guys who professionally consult with physical security companies or government agencies. They know how to break into houses, really easily and really cleanly. They could break into your house and read your files. But is it worth it? For the risk and effort in scouting your house? No.
I gotta disagree on both points. As the people above me have said, the fact that somebody is a celebrity doesn't invalidate their right to privacy. This is not Rihanna going out half naked and putting it on Instagram -- if they want to do that, obviously people are going to leer at the pictures. These were clearly sent to particular people, no different than the pics people on this board send, or if you want to go different about it, no different from bank information. There's no way I'm holding celebrities to that kind of standard of digital scrutiny. As to the second point, sure they make a living partially because they're attractive (though for JLaw and others, it's mostly not that). But even you said it -- there are millions of pics of equally attractive people freely and willingly given. Hell, you could search gonewild and find 50 with no sweat. The point here is partially a kind of embarrassment. A "nah-nah" to the pretty lady who seems popular. Which is fucked up and sad. What's even sadder is that these were probably taken to make a dude happy, then leaked by another dude to the furious masturbation of other dudes.
I am very conflicted this morning, because I agree this is a huge violation of their privacy and I am upset that I was playing Bioshock Infinite last night when most of the links in this thread were still active. Like my weird lizard brain is justifying that it was okay to look on the links posted here, but I feel wrong actually searching for the links otherwise. And I'm sorry, but if you've used the "if you didn't want the pictures leaked you shouldn't have taken them argument" then you're the same kind of asshole that says "if she didn't want to get raped she shouldn't have dressed that way."
How many people do you know who own a film camera? Have you never had iCloud backup a photo that you thought you'd deleted and then not find it until months later? And if you transfer your argument to 'you don't dress up in sexy sexy lingerie and pose in a sexy position unless you want to be fucked' without seeing the incredibly apparent argument that your style of dress and your desire to be fucked, doesn't provide any indication of who you want to be fucked by.' I'm not casting stones. I've looked at the pictures. I'm as much of a voyeuristic asshole as anyone. But that argument really doesn't fly. Honestly, I don't think any of the damage that's happened to these women is particularly increased by the fact that we as individuals are looking at the photos. But are we part of the problem? Fucking of course we are. These women make their living off their image and their talent. For many of them, appearing topless, or naked is something that they'll only do at a substantial price - because it impacts the markets they can work with (the christian south and family/youth markets are huge dollar markets, and they don't like sluts). More importantly, first nude appearances are a premium billable item. They're often done as part of strategic marketing decisions for careers. This unauthorized release? It's going to cost some of these girls serious coin. More importantly? Many of those photos were probably taken in extremely personal moments, for people who mean something to the people in the photos. They were meant to be intimate and never shared. Even if those girls were super comfortable having their tits shown to the world, and don't care about the money they just lost? The invasion of that intimacy is a fucking big deal. 
Many more of those photos are poorly lit and without makeup - At least some of those girls, I fucking promise you have major dysphoria and anxiety about their appearance - it's really fucking common with celebrities and at the root of so many of the eating disorders and addiction problems that happen so much. Those photos being shown in public is going to be fucking traumatic. I think Kaley Cuoco for example is fucking gorgeous, but the photos of her that have leaked aren't photos she ever would have wanted published - even if she was a porn star.
This is also probably the biggest release of non-airbrushed celebrity photos since airbrushing technology was developed. Heck, most of these are taken without makeup, either.
One more thing that I'm not sure has been mentioned. Even though it gets drilled into people's heads and all, A LOT of people use passwords that are easily guessed or easily cracked. Example, we implement a policy where I work that requires users to use a password of at least 8 characters and all of the following: Capital letter, lowercase, number, symbol. We tell them not to use a dictionary word, but that's not enforced as of now. We implemented the policy and after a period of time, I pulled the hashes and ran them through a cracker. I had around 75-80% of the passwords in less than a day (around 900-1000 of 1200 users). How? Because people have so many passwords so they tend to choose things they can remember. So back to the above, yeah you have to use at least 1 of all the characters, but Saturday#1 fulfills the requirements. And using password crackers today that password will be cracked quickly. So will S4turd4y#1. The software used has become so advanced that you can provide it a dictionary list (list of words) and it will add the numbers/symbols to the front and/or back. It will also substitute '4' for 'a' and '3' for 'e', etc. Not all at once, but it will make a few passes and anything like that will generally get found. Also, people tend to use the same password for more than one thing. So chances are if I get one of your passes, there's a good chance I can find that one used somewhere else. And maybe that somewhere else is an email account. And then maybe you use that email address for another account somewhere else that has another password. So I can request a change to that email, etc. So use strong passwords. Also, interestingly enough, this little ibrute cracker was apparently just released and it's rumored that it might have been used for some of these leaks. Note: it's already been patched. https://github.com/hackappcom/ibrute
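The gap described in the post above, where a complexity policy accepts Saturday#1 and S4turd4y#1, shown as an added defensive example that is not part of the original thread: a password-change check that undoes common substitutions and strips affixes before a dictionary lookup. The word list, substitution table and function names are assumptions made for illustration.

```python
import re
import string

# The complexity policy from the post: >= 8 chars, upper, lower, digit, symbol.
POLICY_MIN_LEN = 8

# Constructed sample word list; a real deployment would load a large
# dictionary plus organisation-specific terms (company name, site, seasons).
WORDLIST = frozenset({"saturday", "password", "welcome", "summer", "dragon"})

# Assumed substitution table, reversing swaps such as '4' for 'a', '3' for 'e'.
# Simplification: each symbol maps to one letter ('1' could also mean 'l').
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "0": "o",
                        "1": "i", "!": "i", "5": "s", "$": "s", "7": "t"})


def meets_complexity(pw):
    """True if pw satisfies the character-class policy described in the post."""
    return (len(pw) >= POLICY_MIN_LEN
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def base_word_candidates(pw):
    """Yield possible base words hidden behind affixes and substitutions.

    Every split of the leading/trailing non-letter runs is tried, because a
    trailing '0' may be a suffix digit or a substituted 'o'.
    """
    s = pw.lower()
    lead = len(re.match(r"[^a-z]*", s).group())
    trail = len(re.search(r"[^a-z]*$", s).group())
    for i in range(lead + 1):
        for j in range(trail + 1):
            core = s[i:len(s) - j].translate(UNLEET)
            if core.isascii() and core.isalpha():
                yield core


def find_dictionary_base(pw, wordlist=WORDLIST):
    """Return the dictionary word pw is built on, or None."""
    for cand in base_word_candidates(pw):
        if cand in wordlist:
            return cand
    return None


def audit(pw, wordlist=WORDLIST):
    """Evaluate pw against the complexity policy and the dictionary check."""
    base = find_dictionary_base(pw, wordlist)
    ok = meets_complexity(pw)
    return {"complexity_ok": ok, "base_word": base,
            "accept": ok and base is None}


def policy_gap(passwords, wordlist=WORDLIST):
    """Passwords the complexity policy alone would accept but the
    dictionary check rejects."""
    return [p for p in passwords
            if meets_complexity(p) and find_dictionary_base(p, wordlist)]


if __name__ == "__main__":
    # Constructed samples; the first two are the examples from the post.
    for sample in ["Saturday#1", "S4turd4y#1", "P@ssw0rd2014", "vR7#qLm2xT!d"]:
        print(sample, audit(sample))
```

Run at password-change time, a check like this enforces the "no dictionary word" rule that the post says was communicated to users but not enforced.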
If anything I can see this being a backlash for companies like Apple that use auto back up to the Cloud. I think they ask in one of those long never read user agreements that you have to consent but something of this nature, this big, with possible legislation threatened to strengthen security on their end. We'll see software companies having to change from the auto upload to cloud model to something more explicitly user controlled. I'm sure some of these girls weren't even aware where some of this stuff was being saved. Hell I was surprised when the photo I took for the TiBer thread showed up on a Google Plus account I never use attached to my throw away Gmail account. I had taken the photo with my phone and sent it to that Gmail account to link it here. Google must have just pulled it and identified it as me (as it was labelled on the Google+ account as me). I don't remember ever reading or consenting to Google+ searching my Gmail profile for pictures but there it was. Also aside from 3-4 of the big names and the girl I recognize from Breaking Bad I know of NONE of these girls in a pop culture sense. I have no clue who this Palmer girl is, at all, but she looks good nekkid.
This is probably just my conspiracy theory mind at work but with Apple getting ready to announce a new iphone in the next week, does the timing of this strike anyone as odd? This almost feels more like some new form of industrial espionage coordinated in a way to attack Apple itself. As some of the software security gurus of the board have already said, this is career suicide to an individual who gets involved in an action like this and doesn't make a whole lot of sense. As it is a holiday weekend, depending on public reactions starting tomorrow from the mainstream media and those exposed, it could be interesting to see what effect there is on iphone sales and Apple's stock. It just seems that a rival competitor or hedge fund playing the short-side of Apple's stock would have far more to gain from this than an individual would.
If you want to scare people about passwords, Ars Technica had some really good coverage on the state of password cracking: http://arstechnica.com/security/2012/08 ... r-assault/ http://arstechnica.com/security/2013/05 ... passwords/ If you're looking for some better security, I'm using LastPass to manage passwords. Right now I have 182 passwords stored, with an average length of 14 characters. Virtually all of them are randomly generated letters/numbers/capitals/characters. The only passwords I have in my head are my LastPass password, my primary email password (NOT stored in LastPass), my bank account password, and a couple other miscellaneous ones. I also have 2 factor authentication on LastPass, so logging in requires both my password and my phone. Is it perfect? No. LastPass could be compromised. Their security is good, but nothing is perfect. But it's far more likely that one of those 180 sites gets cracked and one of my passwords is known, so security is a lot better when none of my sites share a password and none of them are susceptible to normal brute force attacks. If LastPass is compromised and I find out about it, I can start resetting my passwords via my email - which, again, is not stored there. It's a mild pain in the ass but a password manager makes it a lot easier. 2 factor authentication helps with all of this, too, since guessing the password alone isn't enough. However, the trouble with all of this is it's basically just making you a more difficult target than the guy next to you. That's good - but it doesn't stop a serious, targeted attack, which is what these celebrities are dealing with. Having an alarm system or a big dog causes the casual burglar to move on, except when the potential prize is big enough to warrant the challenge of dealing with the alarms.