Sorry, not that epic. Yes, multiple steps were required but the biggest issue in security once again was the human element.
Epic would be finding the flaws in SSL/TLS that allow you to generate a valid cert for any domain (Moxie Marlinspike) or a bug in DNS that is such cause for concern that people have to upgrade their infrastructure (Dan Kaminsky) or intercepting GSM calls (Chris Paget) while making the device believe it is on a legitimate network.
This hack came down to social engineering and using flaws in two companies' verification systems. That isn't epic. People have been calling companies and people on the phone for decades and having them hand over information without proper identification/verification. The guy's stuff got remote erased, well damn, the system worked as it was supposed to work ... other than that the right person wasn't at the controls ... remote wipe worked as expected.
Yes, changes have to be made, and yes security and verification of identity have to be made more secure when there is a lot at stake, but this hack was by no means epic.
I think the description of it as epic refers to the amount and nature of the damage done, not the technical accomplishment. We expect that someone might be able to hack our online accounts, but that they could hack our online accounts and then use that to reach into our homes to nuke data off of our hard drives is different.
Perhaps Apple need to reword their warning message[1] to scare people away from enabling it. The only indication that the user is going to enable Remote Wipe is a little "erase a lost Mac" text, which I guess most people will just ignore.
I think the title "Epic Hack" is justified. Not epic in terms of the skills and technologies used to pull it off but epic in terms of the impact on the hackee. Whether you gain access to someone's apartment by rappelling from the roof, disabling the electronic alarm system, and picking the lock on the balcony door or merely by using social engineering on the building supervisor the result is the same.
I think that denigrating the significance of these "low sophistication" attacks is fundamentally the same error as venerating the importance of single-points of technological complexity independent of the end-to-end security of a system. It makes it easier to change the response from "oh crap, we got hacked so hard!" to "well, we just got socially engineered, ANYBODY can do that, no big deal". Social engineering is going to remain firmly in the "epic hack" category for the foreseeable future, even in a future age of quantum computers, synthetic consciousness, and ubiquitous use of one-time-pad encryption.