funsec mailing list archives
Re: Apple's worst security breach: 114,000 iPad owners exposed
From: Joel Esler <joel.esler () me com>
Date: Sun, 13 Jun 2010 11:05:29 -0400
Another long-winded rant. Bad part is, neither one of your points had anything to do with the topic at hand and what I was trying to say.

First, it's quite obvious that you dislike Apple. Of which I don't care. I am a consumer of their products and an unpaid spokesperson of their user experience. Your points on Apple had nothing to do with the fact that someone was able to enumerate email addresses of iPad owners. This is clearly a screw-up on AT&T's part, but it will change nothing. It won't cause Apple to "go to another carrier" as some have suggested.

My other point which you tried to debunk, I guess, was all was exposed was email addresses. In the grand scheme of things, it might have been a lot worse, but it wasn't, so thank God this time. Next time people may not get so lucky.

Do "all people" use an alternate email address to register things? Obviously not. Do I maintain one? Sure, but the people on this list aren't normal users of the Internet, are we? And really, from the overarching balloon in the sky, what's the point in doing so? You can create and dump an email address at will.

Now on to the Facebook portion of your email:

Right, Facebook sucks.

--
Joel Esler
Sent from my iPhone

On Jun 12, 2010, at 7:19 PM, Nick FitzGerald <nick@virus-l.demon.co.uk> wrote:
Joel Esler wrote:

OMG the email addresses for iPad owners were exposed!!! Oh, you mean the email addresses that these people use, on the internet all day every day?

Two little things you overlooked...

First, privacy concerns in general.

Yes, we all know the Zuckerberg generation believes that (online) privacy is a myth, but note that even the mighty Mark withdrew most of his, ummmm "private" images from public view on Facebook shortly after his service changed the default privacy settings that exposed said photos in the first place. Surely he didn't do it because they apparently showed that Facebook Inc is just one big booze-fest and that wouldn't look good to the schmucks Mark and his cronies (most of whom were also depicted in said photos similarly inebriated, etc) are planning on making their millions from? Surely Mark wasn't actually concerned at all about the revelation of such images? I mean, if he's not actually the head of the "you have no privacy" movement, he must be one of its best-known poster-boys...

Anyway, whether you personally believe in the existence or value of online/personal/etc privacy, even the USA (the "Western" country generally believed to pay the lowest "official" care of individual privacy rights) has _some_ privacy laws, and most US corporations with a web presence at least make prominent public declarations of their token concern for privacy. For example, after a few bland introductory sentences (how uncharacteristic!) explaining that the collection of certain personally identifying information may be necessary, allows for better service provision and so, we are told "Your privacy is a priority at Apple, and we go to great lengths to protect it":

http://www.apple.com/legal/privacy/

Wow -- I'm convinced! Sign me up...

Maybe I'm selling Apple a bit short there? They get absolutely effusive about the importance of protecting their customers' privacy waaaaay down the page in the section titled "Our companywide commitment to your privacy":

As we said, Apple takes protecting your privacy very seriously. To make sure your personal information is secure, we communicate these guidelines to Apple employees and strictly enforce privacy safeguards within the company. In addition, Apple supports industry initiatives, such as TRUSTe, to preserve privacy rights on the Internet and in all aspects of electronic commerce.

Wheeeeee.....

Despite the commonness of such obligatory statements, some US corporations make prominent public claims that they uphold privacy concerns very highly, establish Chief Privacy Officers and make claims such as "privacy commitments are fundamental to the way we do business every day", such as, say:

http://www.att.com/privacy

Regardless of how genuine you may feel either Apple's or AT&T's proclamations are about the importance of maintaining their customers' privacy, they both rather clearly failed in this case.

Second, you said:

Oh, you mean the email addresses that these people use, on the internet all day every day?

Irrelevant.

Do you not maintain a separate address (or even a collection of them) for "service registrations" and the like? Most security professionals I've either asked directly about this or with whom it's come up some way or other in conversation (admittedly not a large proportion of all such folk I know), _do_ exactly that. And at least some "more normal" folk I know (i.e. not security professionals) do this too. There are a number of reasons, but commonly having a single "well protected" (by the privacy policies of those companies they trust to share the address with) address is the reason (the other one is tracking who sell, etc addresses and these folk use a separate address for each company/entity that they share contact details with).

You cannot possibly know whether the actual addresses in the registration of all iPads for their AT&T 3G service were "addresses ... use[d] on the internet all day every day", and as it seems likely that at least some of them were "special" addresses, for which their owners were expecting the special treatment of premium corporate privacy controls (or at least such privacy controls as Apple may provide), this failure was clearly a worse failure than your joking shrug-off suggests.

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.