Broken Cloud

Trust is a cornerstone of the Apple brand… the company that pioneered the notion of “the stuff just works”. The damage the brand has suffered this week is yet to be calculated, and the “hey it’s not our fault, users should manage passwords better” statement didn’t help. All this comes a week to the day before 3 major new product announcements that hinge on using more of iCloud. Payments depends on iCloud; it’s hard to see how they don’t rewrite their presentations for next week to address the news this week.

What also isn’t helping is that when people dig into the details they find out that Apple implicitly acknowledged a fatal flaw in Find My iPhone, not by talking about it but by patching it hastily. Secondly, 2-step verification doesn’t work with all elements of iCloud, like backup. Despite a lot of assertions that security is unrivaled in Apple products, the truth is turning out to be less definitive, and the fact that they left a login API exposed to a brute force attack is pretty damn negligent.

Compounding matters is that Alexey Troshichev notified Apple before the breach that Find My iPhone was vulnerable (there was a killer presentation on this from Black Hat on SlideShare, but it has since been pulled).