Re: Apple's worst security breach: 114, 000 iPad owners exposed

[Nick FitzGerald <nick () virus-l demon co uk>]

Joel Esler wrote:

> OMG the email addresses for iPad owners were exposed!!!
>
> Oh, you mean the email addresses that these people use, on the internet
> all day every day?  

Two little things you overlooked...

First, privacy concerns in general.  Yes, we all know the Zuckerberg 
generation believes that (online) privacy is a myth, but note that even 
the mighty Mark withdrew most of his, ummmm "private" images from 
public view on Facebook shortly after his service changed the default 
privacy settings that exposed said photos in the first place.  Surely 
he didn't do it because they apparently showed that Facebook Inc is 
just one big booze-fest and that wouldn't look good to the schmucks 
Mark and his cronies (most of whom were also depicted in said photos 
similarly inebriated, etc) are planning on making their millions from? 
Surely Mark wasn't actually concerned at all about the revelation of 
such images?  I mean, if he's not actually the head of the "you have no 
privacy" movement, he must be one of its best-known poster-boys...

Anyway, whether you personally believe in the existence or value of 
online/personal/etc privacy, even the USA (the "Western" country 
generally believed to pay the lowest "official" care of individual 
privacy rights) has _some_ privacy laws, and most US corporations with 
a web presence at least make prominent public declarations of their 
token concern for privacy.  For example, after a few bland introductory 
sentences (how uncharacteristic!) explaining that the collection of 
certain personally identifying information may be necessary, allows for 
better service provision and so, we are told "Your privacy is a 
priority at Apple, and we go to great lengths to protect it":

   http://www.apple.com/legal/privacy/

Wow -- I'm convinced!  Sign me up...

Maybe I'm selling Apple a bit short there?  They get absolutely 
effusive about the importance of protecting their customers' privacy 
waaaaay down the page in the section titled "Our companywide commitment 
to your privacy":

   As we said, Apple takes protecting your privacy very seriously. To
   make sure your personal information is secure, we communicate these
   guidelines to Apple employees and strictly enforce privacy
   safeguards within the company. In addition, Apple supports industry
   initiatives, such as TRUSTe, to preserve privacy rights on the
   Internet and in all aspects of electronic commerce.

Wheeeeee.....

Despite the commonness of such obligatory statements, some US 
corporations make prominent public claims that they uphold privacy 
concerns very highly, establish Chief Privacy Officers and make claims 
such as "privacy commitments are fundamental to the way we do business 
every day", such as, say:

   http://www.att.com/privacy

Regardless of how genuine you may feel either Apple's or AT&T's 
proclamations are about the importance of maintaining their customers' 
privacy, they both rather clearly failed in this case.

Second, you said:

   Oh, you mean the email addresses that these people use, on the
   internet all day every day?

Irrelevant.

Do you not maintain a separate address (or even a collection of them) 
for "service registrations" and the like?

Most security professionals I've either asked directly about this or 
with whom it's come up some way or other in conversation (admittedly 
not a large proportion of all such folk I know), _do_ exactly that.  
And at least some "more normal" folk I know (i.e. not security 
professionals) do this too.  There are a number of reasons, but 
commonly having a single "well protected" (by the privacy policies of 
those companies they trust to share the address with) address is the 
reason (the other one is tracking who sell, etc addresses and these 
folk use a separate address for each company/entity that they share 
contact details with).

You cannot possibly know whether the actual addresses in the 
registration of all iPad's for their AT&T 3G service were "addresses 
... use[d] on the internet all day every day", and as it seems likely 
that at least some of them were "special" addresses, for which their 
owners were expecting the special treatment of premium corporate 
privacy controls (or at least such privacy controls as Apple may 
provide), this failure was clearly a worse failure than your joking 
shrug-off suggests.



Regards,

Nick FitzGerald


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.