Linked by Thom Holwerda on Mon 22nd Jul 2013 10:10 UTC
Apple "Apple revealed Sunday that its Developer Center suffered a lengthy outage this week following a security breach that may have compromised data, but a security researcher has provided evidence to suggest the shutdown was in response to his identification of a vulnerability." It's no secret that Apple's developer portals are a mix of outdated, crappy technologies, and it seems that this security researcher did good work by making that fact very, very clear for everyone. Would be nice of Apple to acknowledge his work, although as we all know, that's about as unlikely as Pluto blocking the sun, no matter how Apple claims it wants to be "open" about this disaster in its public statement.
Thread beginning with comment 567783
All about Perspectives
by BlueofRainbow on Tue 23rd Jul 2013 16:10 UTC

The tone from the comments has generally been one of sledge-hammering Ibrahim Balic, with the exception of a few neutral ones.

Would the same tone have been observed in the comments if the company whose security was breached and disclosed in this manner had been Microsoft rather than Apple?

We all crave notoriety and a long standing ovation. The public statement by Ibrahim Balic that the shut-down of the Apple Developer Center was in response to his identification of a vulnerability is not out of the norm for humans.

There are a number of uncertain details - notably whether he had provided sufficient technical details about how he did it in his first disclosure to Apple, and how long he waited between this first disclosure and his going in again and gathering data to demonstrate that what he disclosed was in fact possible.

Many mentioned that he should have publicly disclosed the vulnerability. I presume "publicly" implies a posting on a high tech forum focused on vulnerabilities of operating systems. This would have been the worst thing if there was no obvious applicable patch. First, this would likely have attracted attempts to repeat the exploit on Apple owned/run servers in exponentially increasing numbers as details of the hack spread on the web. Second, there would be the downstream risk of any server connected to the web and running the same code being searched for and attacked. Who knows what personal data might have been gathered in such a manner?

There are a couple of interesting snippets in the quoted text from TechCrunch:

"The hack only affected developer accounts; standard iTunes accounts were not compromised"

Hum - are there privileged/special iTunes accounts, and were they compromised? Since I am neither an Apple Developer nor an iTunes user, I can only speculate.

"Credit card data was not compromised"

Hum - OK. Then, what type of user data was compromised?

"They waited three days to alert developers because they were trying to figure out exactly what data was exposed"

Hum - Interesting. More like trying to figure out how to patch it and how to rapidly spot similar breaches in the future. Also, and pure speculation, assessing whether there had been breaches before the one disclosed by Ibrahim Balic which went undetected, and what data might have been extracted during those breaches.

"There is no time table yet for when the Dev Center will return"

No need for translation for this one.

Reply Score: 2

RE: All about Perspectives
by mkone on Tue 23rd Jul 2013 19:14 in reply to "All about Perspectives"

The tone from the comments has generally been one of sledge-hammering Ibrahim Balic, with the exception of a few neutral ones.

Would the same tone have been observed in the comments if the company whose security was breached and disclosed in this manner had been Microsoft rather than Apple?


You are kidding, right? Apple is hated here more than Microsoft ever was. Almost!

Reply Parent Score: 3

RE: All about Perspectives
by Soulbender on Wed 24th Jul 2013 07:40 in reply to "All about Perspectives"

Would the same tone have been observed in the comments if the company whose security was breached and disclosed in this manner had been Microsoft rather than Apple?


Yes. Stealing data is not the right approach.

Many mentioned that he should have publicly disclosed the vulnerability. I presume "publicly" implies a posting on a high tech forum focused on vulnerabilities of operating systems. This would have been the worst thing if there was no obvious applicable patch.


No, that's the long established norm. If a company is unresponsive about a vulnerability you disclose it publicly after some time to put pressure on them and make users aware of the issue. What you don't ever do is steal massive amounts of data to prove your point.

First, this would likely have attracted attempts to repeat the exploit on Apple owned/run servers in exponentially increasing numbers as details of the hack spread on the web.


You do know that it's possible to disclose this kind of information without actually giving exact instructions on how to do it, right?

Reply Parent Score: 3