
Thread: I use Apple products because they are not vulnerable to security problems <NOT>

  1. #1
    Webhead (Senior Member)
    I see security as a scale. At one end of the scale, you have ultimate 100% security with zero usability. For example, I will just completely unplug. Now I'm secure --- secure because I can't actually use it. At the other end of the scale, you have ultimate usability and freedom but no security. So it then becomes up to the user to decide where they want to be on that scale and implement measures accordingly.

    For example, about once a month I have a short IT segment at staff meetings to cover the basics. A couple months ago I started talking to the staff about 2 factor authentication. Of course everyone I have ever talked to about this is immediately turned off by the idea of it. On one hand, it's very secure to use it. But it's confusing for many people and so they don't use it. Personally I think it's pretty easy once you use it a bit. But most people are turned off to the idea.

    As for iCloud, yes Apple dropped the ball. They can admit it or not but they really could've done more. That said, this is going to be true for every "cloud" company. It's all at risk. The problem then becomes the high value targets. Apple is a high value target and so is Jennifer Lawrence. So it was just a matter of time before something like this happened.

    And yes, I agree that bank security is different than Dropbox or something. However, they are both companies that store data on servers that we as users access remotely. We rely on other people to keep our data safe. But then again, bank security doesn't get broken very often but it does get broken. Attackers find ways.

  2. #2
    CeeBee (Senior Member)
    Originally posted by Webhead:
        A couple months ago I started talking to the staff about 2 factor authentication. Of course everyone I have ever talked to about this is immediately turned off by the idea of it. On one hand, it's very secure to use it. But it's confusing for many people and so they don't use it. Personally I think it's pretty easy once you use it a bit. But most people are turned off to the idea.

    The security of a system is as good as its weakest link.
    2-factor auth won't help. Add an account locking policy and block after N attempts, implement strong passwords that don't change way too often and it's literally as good as it gets - one would literally have to know the password to get through, brute force is impractical. That's not where the breach occurs in most instances anyway.
    The issue is with a user inserting an infected USB stick. Or downloading malware. That shit runs in the security context of the already authenticated user. Do they do VPN? Even 10-factor auth won't help if the client is infected and gets access.
    If you want secure remote users there is a tool for making a portable Windows on a stick.

  3. #3
    Webhead (Senior Member)
    Originally posted by CeeBee:
        The security of a system is as good as its weakest link.
        2-factor auth won't help. Add an account locking policy and block after N attempts, implement strong passwords that don't change way too often and it's literally as good as it gets - one would literally have to know the password to get through, brute force is impractical. That's not where the breach occurs in most instances anyway.
        The issue is with a user inserting an infected USB stick. Or downloading malware. That shit runs in the security context of the already authenticated user. Do they do VPN? Even 10-factor auth won't help if the client is infected and gets access.
        If you want secure remote users there is a tool for making a portable Windows on a stick.

    That's another thing. And in fact this is where Apple blew it. They allowed a brute force attack to be successful. Apple offers 2-factor authentication but it's not implemented very well. There's a number of flaws in their system. Hopefully they fix it. But as far as 2-factor auth goes, it's pretty good. Let's say a bad guy gets my un/pw, then the bad guy needs to also somehow get the account info from my phone's authenticator system (SMS, Google Authenticator, etc.). With 2FA, it's not just what you know but rather what you know + what you have. I mean, it's *possible* in theory I suppose but the likelihood is so slim. I feel very secure using 2-factor. Do I still sleep with one eye open? Yes, but I feel much better with 2FA than without.

    So when the service provider mitigates brute force attacks by shutting down the service after X attempts and on top of that, using 2FA along with caution, you should have a pretty good sense of security.
    Last edited by Webhead; 09-06-2014 at 03:33 AM.
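
The two controls discussed in posts #2 and #3 (locking an account after N failed attempts, and requiring an authenticator code on top of the password) can be combined in one login check. The sketch below is an added example, not code from any poster or from Apple; the `Account` class, `MAX_FAILURES`, `LOCK_SECONDS` and the fixed salt are assumptions made for illustration, and the code generator follows RFC 6238 (TOTP).

```python
import hashlib
import hmac
import struct

MAX_FAILURES = 5     # assumed value for the thread's "N attempts"
LOCK_SECONDS = 900   # assumed lock duration

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code (HMAC-SHA1), as authenticator apps compute it."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:
    """Hypothetical server-side account record."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-salt"   # constructed; use a random per-user salt
        self.pw_hash = self._hash(password)
        self.totp_secret = totp_secret
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"               # refuse even correct credentials
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        # Accept the current and previous 30 s step to tolerate clock skew.
        code_ok = any(
            hmac.compare_digest(
                totp(self.totp_secret, max(now - d, 0)).encode(), code.encode())
            for d in (0, 30)
        )
        if pw_ok and code_ok:
            self.failures = 0
            return "ok"
        # One shared counter: a wrong password and a wrong code both count,
        # so neither factor can be guessed without tripping the lock.
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCK_SECONDS
            self.failures = 0
        return "denied"
```

This covers only guessing against the login endpoint; as post #2 points out, it does nothing about malware running in an already authenticated session.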
