Steve Wozniak expressed grave concerns about the future of cloud computing Sunday in light of a former Gizmodo employee’s account being hacked.
Wozniak, 61, co-founded Apple with Steve Jobs in the 1970s. He has since joined the C.A.-based company Fusion-io and frequently lectures at tech events. The engineer recently attended a play in Washington, D.C. about Apple’s Chinese factories, and he came onstage for a post-performance discussion. Eventually the topic changed from worker conditions to cloud computing, at which point Wozniak confessed to the audience that he worries about the insecurity of Apple’s famed iCloud.
“I really worry about everything going to the cloud,” said Wozniak. “I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.”
iCloud essentially acts as a remote server responsible for syncing computing devices. In other words, if a user sends information to one cloud-connected device, the cloud receives that information and sends it to every other device connected to the cloud space.
“With the cloud, you don’t own anything. You already signed it away,” said Wozniak. “The more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.”
The servers safekeeping user information are encrypted by Apple, but critics argue that hackers can still access the servers through social engineering, the act of manipulating people — in this case, Apple employees — into divulging confidential information to unauthorized persons. Once a hacker gains access to the cloud, he gains access to all of the user’s cloud-connected devices.
This is how Mat Honan, senior writer at Wired, had his digital life destroyed by hackers earlier this week.
The former Gizmodo contributor detailed his experience being hacked and conveyed a deep regret for having so many accounts “daisy-chained together.” The hackers called AppleCare pretending to be Honan, used easily available information as a method of identity confirmation, and, once given a temporary password, gained access to a wide array of Honan’s accounts.
“Apple tech support gave the hackers access to my iCloud account,” said Honan. “Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.”
From that single temporary password provided by the AppleCare employee, the hackers were able to remotely wipe Honan’s iPhone, iPad, and MacBook. They reset his Twitter password and used that account to gain control of Gizmodo’s own Twitter account at about the same time. Other factors were at play here, too, but the incident certainly emphasizes the importance of account diversification in Web security, something Apple’s iCloud by no means guarantees.
“Don’t rely on the cloud,” wrote Gizmodo editor Eric Limer after the website’s own Twitter breach. “It’s great to have online storage you can get at from all your various devices, but when the shit goes down and you’re under attack, nothing is more secure than a hard drive you can unplug and hide in a shoebox in the closet. It’s not the most convenient way to back up, but you’ll thank yourself for it.”
Apple later admitted its mistake, adding, “We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
Criminal interception of private information is one problem. Governmental interception is another thing entirely. The advent of SOPA, CISPA, ACTA, and other Web-related pieces of legislation has Internet users on high alert. Nadim Kobeissi, creator of an open-source encrypted chat program called Cryptocat, and other innovators were detained in the past by U.S. authorities when trying to cross the border. A larger attack against Internet freedom seems inevitable.
For now at least, two U.S. congressmen have introduced legislation that will require government officials to obtain a probable-cause warrant before reaching into citizens’ cloud data.
Update: Apple has now confirmed to Wired that it has stopped all over-the-phone password reset requests until the system's security features are reassessed.