Linked by Thom Holwerda on Mon 22nd Jul 2013 10:10 UTC
"Apple revealed Sunday that its Developer Center suffered a lengthy outage this week following a security breach that may have compromised data, but a security researcher has provided evidence to suggest the shutdown was in response to his identification of a vulnerability." It's no secret that Apple's developer portals are a mix of outdated, crappy technologies, and it seems that this security researcher did good work by making that fact very, very clear for everyone. Would be nice of Apple to acknowledge his work, although as we all know, that's about as unlikely as Pluto blocking the sun, no matter how Apple claims it wants to be "open" about this disaster in its public statement.
All about Perspectives
by BlueofRainbow on Tue 23rd Jul 2013 16:10 UTC

The tone of the comments has generally been one of sledge-hammering Ibrahim Balic, with the exception of a few neutral ones.

Would the same tone have been observed in the comments if the company whose security was breached and disclosed in this manner had been Microsoft rather than Apple?

We all crave notoriety and a long standing ovation. The public statement by Ibrahim Balic that the shut-down of the Apple Developer Center was in response to his identification of a vulnerability is not out of the norm for humans.

There are a number of uncertain details - notably whether he had provided sufficient technical details about how he did it in his first disclosure to Apple, and how long he waited between this first disclosure and his going in again and gathering data to demonstrate that what he disclosed was in fact possible.

Many mentioned that he should have publicly disclosed the vulnerability. I presume "publicly" implies a posting on a high-tech forum focused on vulnerabilities of operating systems. This would have been the worst thing if there were no obvious applicable patch. First, this would likely have attracted attempts to repeat the exploit on Apple owned/run servers in exponentially increasing numbers as details of the hack spread on the web. Second, there would be the downstream risk of any server connected to the web and running the same code being searched for and attacked. Who knows what personal data might have been gathered in such a manner?

There are a couple of interesting snippets in the quoted text from TechCrunch:

"The hack only affected developer accounts; standard iTunes accounts were not compromised"

Hum - are there privileged/special iTunes accounts, and were they compromised? Since I am neither an Apple Developer nor an iTunes user, I can only speculate.

"Credit card data was not compromised"

Hum - OK. Then, what type of user data was compromised?

"They waited three days to alert developers because they were trying to figure out exactly what data was exposed"

Hum - Interesting. More like trying to figure out how to patch it and how to rapidly spot similar breaches in the future. Also, and pure speculation, assessing whether there had been breaches before the one disclosed by Ibrahim Balic which went undetected, and what data might have been extracted during those breaches.

"There is no time table yet for when the Dev Center will return"

No need for translation for this one.

Reply Score: 2