The Globe and Mail

Jennifer Lawrence, best supporting actress nominee for her role in "American Hustle," arrives at the 86th Academy Awards in Hollywood, California March 2, 2014


On Sunday, hundreds of revealing photos of celebrities were stolen and shared around the world on the Internet. Apple, which is preparing to launch a new iPhone next week, says it was the result of targeted attacks on accounts storing personal data and not a direct breach of its systems. Regardless of how it happened, the hacking underscores the risks for all who use smartphones to store sensitive material, from photos to health-care records.

Early indications are that the massive theft of private information was the result of a targeted attack on the accounts of various celebrities. But so far, Apple Inc. has released very little information on the technical details behind the incident. The hack also comes at a time when security researchers are raising serious questions about the robustness of the company's cloud security.

Last Saturday, two researchers named Andrey Belenko and Alexey Troshichev gave a presentation at a computer security conference called Defcon Russia. Independently, each man had discovered a different weakness in Apple's technology infrastructure.

The first issue is related to an Apple service called iCloud Keychain. The Keychain is essentially a storage locker for a host of sensitive user data, including usernames, passwords and credit-card information. It is used to keep this information synchronized across multiple devices (for example, a user's iPhone, iPad and Mac computer). When users first set up a Keychain account, they are asked to create a security code. The code allows them to connect the Keychain to more devices in the future. However, that code, by default, is set by Apple as a simple four-digit number, making it relatively easy to crack using a method called brute force. Essentially, a brute-force attack is a relatively unsophisticated strategy in which malicious actors simply try every conceivable password combination until they find the right one. Using even a modestly powerful computer, a hacker could very quickly try every one of the 10,000 possible four-digit combinations of the default iCloud security code.

"The default choice of four digits is, in my opinion, not sufficient," said Mr. Belenko, a senior security engineer with the computer security firm viaForensics. "If iCloud is compromised, it can be brute-forced."

Usually, brute-force attacks are easily thwarted because most systems will lock a user out if they enter too many incorrect passwords. However, the researchers discovered another flaw in the Apple infrastructure that makes such attacks possible. An iCloud service called Find My iPhone, Mr. Troshichev found, has no limits on how many times a user may guess a password, making it a prime target for a brute-force attack.
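The difference a lockout makes to the four-digit code described above, as an added illustration that is not part of the original article and is not Apple's code. The `CodeVerifier` class, the five-failure limit and the sample code `7319` are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5  # assumed lockout policy; the article gives no figure


class CodeVerifier:
    """Hypothetical server-side check of a four-digit security code."""

    def __init__(self, code, max_failures=None):
        self._key = secrets.token_bytes(16)
        self._digest = self._mac(code)
        self.max_failures = max_failures  # None = unlimited guesses
        self.failures = 0
        self.locked = False

    def _mac(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def verify(self, guess):
        if self.locked:
            return "locked"  # refused without evaluating the guess
        if hmac.compare_digest(self._mac(guess), self._digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return "wrong"


def exhaust(verifier):
    """Try 0000-9999 in order; return (guesses evaluated, final outcome)."""
    for n in range(10_000):
        outcome = verifier.verify(f"{n:04d}")
        if outcome == "ok":
            return n + 1, outcome
        if outcome == "locked":
            return n, outcome
    return 10_000, "exhausted"


if __name__ == "__main__":
    code = "7319"  # constructed sample value
    print(exhaust(CodeVerifier(code)))
    print(exhaust(CodeVerifier(code, max_failures=MAX_FAILURES)))
```

With no limit the search always ends in a match within 10,000 tries; with the assumed limit only five of the 10,000 possible codes are ever evaluated before the account locks.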

It is likely that whoever is responsible for the massive iCloud hack took advantage of one or both of these security weaknesses. On Monday, Apple scrambled to fix the Find My iPhone vulnerability, but the company has denied the hacking incident is related to the issue.

"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on usernames, passwords and security questions, a practice that has become all too common on the Internet," the company said in a statement on Tuesday. "None of the cases we have investigated has resulted from any breach in any of Apple's systems, including iCloud or Find My iPhone."

Apple did not specifically explain what the company considers to be a breach of its system, and whether a brute-force attack would meet that definition. It is also unclear which of the cases Apple has already investigated, and which remain. An Apple spokeswoman did not respond to a request for comment on Tuesday.

What is the cloud?

When software developers say "the cloud," they really mean computers full of data that users can access from anywhere using an Internet connection. In effect, the cloud is marketing shorthand for the reality that a lot of computing activity now happens in third-party data centres instead of an individual user's phone or desktop computer.

In recent years, the cloud has become one of the biggest and most lucrative branches of the technology industry. The research firm IDC reports that IT spending by companies on cloud services reached nearly $50-billion in 2013, and could rise to more than $107-billion by 2017. Tech heavyweights such as Microsoft Corp., Google Inc. and Inc. have spent billions trying to gain a foothold in the cloud market, and the massive database company SAP recently invested in a cloud-services data centre in the Toronto area.

Cloud customers range from massive corporations to individual users. Netflix Inc., for instance, doesn't own much of its server infrastructure and instead relies on a part of called Amazon Web Services (AWS). AWS is one of many companies that builds and operates many, many rooms filled with banks of powerful, Internet-connected computers to host things such as movies, TV shows, your shopping history and even software tools you can access without having to download anything on your personal machine.

Even if they don't know it, many regular consumers use cloud services every day. Google's Gmail is cloud-based e-mail, and even "ephemeral" photo-sharing services such as SnapChat host images in the cloud. Most mobile phone software, from music streaming apps to Instagram, will keep user data in the cloud. Many users also rely on the cloud for tasks such as data backup or large-file sharing online (using services such as Apple Inc.'s iCloud, Dropbox and Microsoft's OneDrive).

Privacy and the law

There is no doubt that the large-scale theft of personal information constitutes a violation of the law. In the U.S., the FBI has confirmed it is looking into the case, but offered few details. Apple also said in a statement that it is working with law enforcement to try to identify the people responsible for the breach.

Because it appears someone broke into many celebrity users' accounts and stole personal information (much of it in the form of nude photos), the illegality of the act is not in dispute. However, in most cases involving the collection and dissemination of compromising personal photos, the victims are not celebrities, and the law is far from clear.

In recent years, a cottage industry of illicitly shared photos has cropped up under the moniker "revenge porn" – the premise being that an aggrieved partner looks to enact "revenge" by making private photos of their former partner available for all to see on the Internet. In the U.S., the extent to which such acts can be prosecuted varies wildly from jurisdiction to jurisdiction, depending on who took the photo, where the person who disseminated it lives, and myriad other factors. In some states, revenge porn is effectively not classified as a crime.

In Canada, the federal government recently tried to crack down on revenge porn with Bill C-13, the Protecting Canadians from Online Crime Act. The bill would make it a crime, punishable by up to five years in jail, to distribute, sell or make available an intimate image without the consent of the person depicted in that image. However, that bill has faced resistance in part because it also includes a host of proposed measures that would give authorities greater online surveillance powers.

In the case of the iCloud hack, there is no doubt about illegality, but technical issues might still prevent the hackers from facing justice. It is not yet clear where in the world the hackers reside, and what methods they used to conceal their identities. And despite efforts to combat the dissemination of the stolen images, they have cropped up in many corners of the Web. A spokesperson for Jennifer Lawrence, one of the celebrities whose personal information was stolen, said in a statement that authorities would prosecute anyone who posted the photos online. But given the sheer number of people who have already done so, such a task may prove difficult.

What is 4Chan?

It is, depending on whom you ask, the Internet's Wild West or its open sewer – a simple message board that has become, over the past decade, infamous for its chaotic influence on the Web.

Founded primarily as a forum for fans of Japanese animation, 4Chan has grown to encompass virtually every conversation topic under the sun. The site itself has often been criticized for posting offensive and arguably illegal content, but is largely a destination for such content because of its deliberately lax registration rules. In effect, virtually anyone can post on the site without registering any information, making 4Chan almost totally anonymous. Partially as a result, the site has built a dedicated and massive following.

The iCloud hacking incident is hardly the first time a sensational and likely illegal act made its digital debut on 4Chan. In 2008, a 4Chan user managed to hack into the private e-mail account of Sarah Palin, who was the Republican vice-presidential candidate at the time. Users of the site have also been the subject of numerous investigations and arrests relating to everything from child pornography to school shooting threats.
