Linked by Thom Holwerda on Mon 1st Apr 2013 12:25 UTC
Apple "Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. [...] It isn't. It's a troubling symptom that suggests Apple's self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn't going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple's entire ecosystem of devices, stores, software, and services."
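The class of failure the article describes, a password-reset flow whose final step can be reached with nothing more than the values a URL carries, is easier to reason about in code. The block below is an added illustration and is not code from the original page, from Apple, or from The Verge; it is a constructed step-3 handler that trusts only the request, beside a hardened flow that keeps the progress of the reset on the server under a random token. The account record, the out-of-band code used as the second step, the ten-minute session lifetime and the three-attempt limit are all assumptions for the example and do not describe the actual Apple endpoint.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample account standing in for an identity provider's store.
# The address, password and date of birth are made up for this example.
ACCOUNTS = {
    "alice@example.com": {"password": "original-password", "dob": "1980-01-01"},
}


def _same(a: str, b: str) -> bool:
    """Constant-time comparison so mismatches do not leak where they differ."""
    return hmac.compare_digest(a.encode(), b.encode())


# --- Vulnerable pattern: the final step trusts only what the URL carries ----
# Intended flow: (1) prove identity with email + date of birth, (2) pass a
# second verification step, (3) set the new password. The step-3 handler
# below only re-checks what step 1 already checked; nothing ties the request
# to a completed step 2, so a client that requests step 3 directly skips it.

def vulnerable_reset(query: dict) -> bool:
    """Step-3 handler reachable with nothing but email and DOB."""
    account = ACCOUNTS.get(query.get("email", ""))
    if account is None or not _same(account["dob"], query.get("dob", "")):
        return False
    account["password"] = query.get("new_password", "")
    return True


# --- Hardened pattern: server-side state bound to an unguessable token ------
# Progress lives on the server, keyed by a token the client cannot forge.
# Each handler checks the previous stage completed, the token is unexpired
# and unused, and the secondary check was passed. Limits are assumptions.

SESSION_TTL_SECONDS = 600
MAX_CODE_ATTEMPTS = 3
SESSIONS: dict = {}


@dataclass
class ResetSession:
    email: str
    created: float
    stage: int = 1                 # 1 = identity checked, 2 = second step passed
    code: Optional[str] = None     # one-time code, delivered out of band (assumed)
    attempts: int = 0
    used: bool = False


def _live_session(token: str, now: float) -> Optional[ResetSession]:
    s = SESSIONS.get(token)
    if s is None or s.used or now - s.created > SESSION_TTL_SECONDS:
        return None
    return s


def start_reset(email: str, dob: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1: check email + DOB and open a server-side session."""
    account = ACCOUNTS.get(email)
    if account is None or not _same(account["dob"], dob):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = ResetSession(email=email, created=time.time() if now is None else now)
    return token


def issue_code(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2a: mint a one-time code. A real service sends it to the mailbox or
    device on file; it is returned here only so the example runs offline."""
    s = _live_session(token, time.time() if now is None else now)
    if s is None or s.stage != 1:
        return None
    s.code = f"{secrets.randbelow(10**6):06d}"
    return s.code


def verify_code(token: str, code: str, now: Optional[float] = None) -> bool:
    """Step 2b: check the code; repeated wrong guesses burn the session."""
    s = _live_session(token, time.time() if now is None else now)
    if s is None or s.stage != 1 or s.code is None:
        return False
    s.attempts += 1
    if not _same(s.code, code):
        if s.attempts >= MAX_CODE_ATTEMPTS:
            SESSIONS.pop(token, None)
        return False
    s.stage = 2
    return True


def hardened_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 3: only a session that reached stage 2 may set a password, once."""
    s = _live_session(token, time.time() if now is None else now)
    if s is None or s.stage != 2:
        return False
    s.used = True
    ACCOUNTS[s.email]["password"] = new_password
    return True


def demo() -> dict:
    """Run the same crafted request through both flows and report outcomes."""
    crafted = {"email": "alice@example.com", "dob": "1980-01-01", "new_password": "attacker-chosen"}
    skipped_vulnerable = vulnerable_reset(crafted)            # step 2 skipped, still succeeds
    token = start_reset(crafted["email"], crafted["dob"], now=1000.0)
    skipped_hardened = hardened_reset(token, "attacker-chosen", now=1001.0)   # refused
    code = issue_code(token, now=1002.0)
    completed = verify_code(token, code, now=1003.0) and hardened_reset(token, "owner-chosen", now=1004.0)
    replayed = hardened_reset(token, "attacker-again", now=1005.0)            # single use
    return {"skipped_vulnerable": skipped_vulnerable, "skipped_hardened": skipped_hardened,
            "completed": completed, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the first two results: the vulnerable handler accepts the crafted request outright, while the hardened one refuses the same request because no server-side record says the second step ran. An automated test that only exercises the happy path through steps 1, 2 and 3 in order never sends the step-3 request on its own; a test that does is the cheap check that catches this class of bug.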
it happens to everyone
by kristoph on Mon 1st Apr 2013 16:39 UTC
kristoph
Member since:
2006-01-01

You know last April there was a 0-day flaw in Hotmail, last November there was a Gmail security flaw; did you write a 'when will Microsoft/Google get serious about security?' article? I know you think it's ok to be biased but, really?

Security problems creep up for all companies; it's an inescapable part of a rapid/agile software development process. The battle between security/stability and progress has been waged and progress won.

Ironically, these days, Microsoft is probably the company that spends the most on security in their consumer software, and it's hampering their ability to innovate and it has not eliminated all security issues.

Apple does what everyone else does. They run automated security tests and when those tests don't cover a particular case a security lapse occurs. Although this exploit was 'dead simple' it was also not at all 'obvious' as it was not previously discovered.

Reply Score: 1

RE: it happens to everyone
by BallmerKnowsBest on Mon 1st Apr 2013 18:12 in reply to "it happens to everyone"
BallmerKnowsBest Member since:
2008-06-02

You know last April there was a 0-day flaw in Hotmail, last November there was a Gmail security flaw; did you write a 'when will Microsoft/Google get serious about security?'


Fallacy ahoy: false equivalence. Not that your question would make sense anyway, since Thom wasn't the author of this article to begin with.

Of course, the difference is that those were relatively new flaws, while Apple has consistently released products with security vulnerabilities that everyone else learned how to avoid years (if not decades) ago. That, and Microsoft/Google tend to fix those issues quickly, as opposed to Apple's approach of "steadfastly deny that the problem even exists, then maybe get around to fixing it after 2-3 weeks of bad press."

I know you think it's ok to be biased but, really?


Please. Everyone knows that, coming from an iFanboy, "biased" really just means "not sufficiently biased in favor of Apple." Not that I should be surprised, of course, since that's a standard apologetics tactic: when you can't refute the message, attack the messenger.

Apple does what everyone else does. They run automated security tests and when those tests don't cover a particular case a security lapse occurs.


More false equivalence. If you think Apple's security is the same as "everyone else", then maybe you should look up the name "Mat Honan":

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacki...

A company with the size and resources of Apple has absolutely NO excuse for regularly releasing products with such basic, serious security failings. And it shouldn't be surprising to anyone: when you have a "technology" company with "form over function" as its guiding philosophy, those types of engineering failures are inevitable.

Although this exploit was 'dead simple' it was also not at all 'obvious' as it was not previously discovered.


Switching gears to the post-hoc fallacy? The fact the flaw wasn't discovered previously doesn't prove anything about its obviousness, it just proves that the flaw wasn't discovered previously (derp).

It's equally possible that the flaw went undiscovered because barely anyone actually uses the service. Actually, that's probably more likely, given the way that Apple's previous attempts at online services/social media were all spectacular failures.

Reply Parent Score: 5

RE[2]: it happens to everyone
by Tony Swash on Mon 1st Apr 2013 23:01 in reply to "RE: it happens to everyone"
RE[2]: it happens to everyone
by kristoph on Mon 1st Apr 2013 23:18 in reply to "RE: it happens to everyone"
kristoph Member since:
2006-01-01

Please read again what you wrote and give it some thought. You disputed my points with absolutely no tangible support at all. You simply said they were 'false'. You reference an article that is totally unrelated to technology - which is what I was speaking about - and was a pure social engineering hack. You discounted my opinion because you claim I was a 'fanboi'.

It's weak dude. If you have a solid argument then make it, demonstrate it with facts, without insults and name calling. Your arguments will carry much more weight and people - even those that disagree with you - would give you much more respect.

I'll add that I made a point of saying that it was Microsoft who places the greatest emphasis on security and I absolutely think Google Chrome as a browser has the best security out there and gmail makes the most effort to eliminate phishing scams.

On the other hand Mac OS X has a much lower malware infection rate (and the gap has increased now that, by default, you can't install unsigned apps) than Windows, and iOS has virtually no malware while Android is riddled with it. I understand this is because Apple simply locks down its platforms (which many think is a bad thing), but if you bother to read what CIOs are saying, they're much more comfortable with Apple's security than any other for desktop/mobile use.

Anyhow I am not here to apologize for anyone, I simply think that Thom is pushing his agenda (and he has made it clear on a number of occasions he has a 'bias') and I think that's sort of lame. We don't need to bash one another to have an intelligent discussion on the merits of one platform or another. The pre-Thom OSNews was much more egalitarian, and much more respectful, and I think it sucks that that's changed.

Reply Parent Score: 2

RE: it happens to everyone
by Soulbender on Tue 2nd Apr 2013 02:32 in reply to "it happens to everyone"
Soulbender Member since:
2005-08-18

it's an inescapable part of a rapid/agile software development process.


If security flaws are an "inescapable part" of your development process then your process is fundamentally flawed.

They run automated security tests and when those tests don't cover a particular case a security lapse occurs.


If the software was properly engineered that wouldn't automatically happen.

Although this exploit was 'dead simple' it was also not at all 'obvious' as it was not previously discovered.


The fact that it wasn't discovered before doesn't mean it's not obvious.

Reply Parent Score: 3

RE[2]: it happens to everyone
by Nelson on Tue 2nd Apr 2013 03:49 in reply to "RE: it happens to everyone"
Nelson Member since:
2005-11-29


If security flaws are an "inescapable part" of your development process then your process is fundamentally flawed.


I don't think so, it comes with the territory -- people make mistakes. Though I disagree with the OP's argument that agile is more prone to security flaws.

It's also worth noting that Apple's particular flaws, while still flaws and while they are still just a normal part of the process, are especially basic. Security is a mindset that's built into the culture of a company. If Apple is making these kinds of mistakes, there's something wrong there.

Reply Parent Score: 2

RE[2]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 03:54 in reply to "RE: it happens to everyone"
Alfman Member since:
2011-01-28

Soulbender,

"If security flaws are an 'inescapable part' of your development process then your process is fundamentally flawed."

I agree with you, it's shameful that there are developers who regularly produce security holes in software. But at the same time it's sort of a byproduct of the fast and cheap development process that companies are seeking. My experience with most companies is that "security" is little more than a PR selling point and not a genuine development philosophy.


"If the software was properly engineered that wouldn't automatically happen."

I think the OP was merely explaining the situation on the ground rather than trying to justify it. If so, I think he's right. It'd be nice if things were engineered correctly in the first place, but security is rarely a priority in development and usually only gets tackled in hindsight. I agree with you it's the wrong way to do it.

Reply Parent Score: 3