Re: Apple's worst security breach: 114, 000 iPad owners exposed

[Joel Esler <joel.esler () me com>]

Another long winded rant. Bad part is, neither one of your points had  
anything to do with the topic at hand and what I was trying to say.

First, it's quite obvious that you dislike Apple. Of which I don't  
care. I am a consumer of their products and an unpaid spokesperson of  
their user experience. Your points on Apple had nothing to do with the  
fact that someone was able to enumerate email addresses of ipad  
owners.  This is clearly a screw up on AT&T's part, but it will change  
nothing. It won't cause Apple to "go to another carrier" as some have  
suggested.

My other point which you tried to debunk, I guess, was all was exposed  
was email addresses.

In the grand scheme of things, I might have been a lot worse, but it  
wasn't, so thank God this time. Next time people may not get so lucky.  
Do "all people" use an alternate email address to register things?   
Obviously not.

Do I maintain one? Sure, but the people on this list aren't normal  
users of the Internet, are we?  And really, from the overarching  
balloon in the sky, what's the point in doing so?  You can create and  
dump an email address at will.

Now on to the Facebook portion of your email:

Right, Facebook sucks.

--
Joel Esler
Sent from my iPhone

On Jun 12, 2010, at 7:19 PM, Nick FitzGerald <nick@virus- 
l.demon.co.uk> wrote:

> Joel Esler wrote:
>
> > OMG the email addresses for iPad owners were exposed!!!
> >
> > Oh, you mean the email addresses that these people use, on the  
> > internet
> > all day every day?
>
> Two little things you overlooked...
>
> First, privacy concerns in general.  Yes, we all know the Zuckerberg
> generation believes that (online) privacy is a myth, but note that  
> even
> the mighty Mark withdrew most of his, ummmm "private" images from
> public view on Facebook shortly after his service changed the default
> privacy settings that exposed said photos in the first place.  Surely
> he didn't do it because they apparently showed that Facebook Inc is
> just one big booze-fest and that wouldn't look good to the schmucks
> Mark and his cronies (most of whom were also depicted in said photos
> similarly inebriated, etc) are planning on making their millions from?
> Surely Mark wasn't actually concerned at all about the revelation of
> such images?  I mean, if he's not actually the head of the "you have  
> no
> privacy" movement, he must be one of its best-known poster-boys...
>
> Anyway, whether you personally believe in the existence or value of
> online/personal/etc privacy, even the USA (the "Western" country
> generally believed to pay the lowest "official" care of individual
> privacy rights) has _some_ privacy laws, and most US corporations with
> a web presence at least make prominent public declarations of their
> token concern for privacy.  For example, after a few bland  
> introductory
> sentences (how uncharacteristic!) explaining that the collection of
> certain personally identifying information may be necessary, allows  
> for
> better service provision and so, we are told "Your privacy is a
> priority at Apple, and we go to great lengths to protect it":
>
>   http://www.apple.com/legal/privacy/
>
> Wow -- I'm convinced!  Sign me up...
>
> Maybe I'm selling Apple a bit short there?  They get absolutely
> effusive about the importance of protecting their customers' privacy
> waaaaay down the page in the section titled "Our companywide  
> commitment
> to your privacy":
>
>   As we said, Apple takes protecting your privacy very seriously. To
>   make sure your personal information is secure, we communicate these
>   guidelines to Apple employees and strictly enforce privacy
>   safeguards within the company. In addition, Apple supports industry
>   initiatives, such as TRUSTe, to preserve privacy rights on the
>   Internet and in all aspects of electronic commerce.
>
> Wheeeeee.....
>
> Despite the commonness of such obligatory statements, some US
> corporations make prominent public claims that they uphold privacy
> concerns very highly, establish Chief Privacy Officers and make claims
> such as "privacy commitments are fundamental to the way we do business
> every day", such as, say:
>
>   http://www.att.com/privacy
>
> Regardless of how genuine you may feel either Apple's or AT&T's
> proclamations are about the importance of maintaining their customers'
> privacy, they both rather clearly failed in this case.
>
> Second, you said:
>
>   Oh, you mean the email addresses that these people use, on the
>   internet all day every day?
>
> Irrelevant.
>
> Do you not maintain a separate address (or even a collection of them)
> for "service registrations" and the like?
>
> Most security professionals I've either asked directly about this or
> with whom it's come up some way or other in conversation (admittedly
> not a large proportion of all such folk I know), _do_ exactly that.
> And at least some "more normal" folk I know (i.e. not security
> professionals) do this too.  There are a number of reasons, but
> commonly having a single "well protected" (by the privacy policies of
> those companies they trust to share the address with) address is the
> reason (the other one is tracking who sell, etc addresses and these
> folk use a separate address for each company/entity that they share
> contact details with).
>
> You cannot possibly know whether the actual addresses in the
> registration of all iPad's for their AT&T 3G service were "addresses
> ... use[d] on the internet all day every day", and as it seems likely
> that at least some of them were "special" addresses, for which their
> owners were expecting the special treatment of premium corporate
> privacy controls (or at least such privacy controls as Apple may
> provide), this failure was clearly a worse failure than your joking
> shrug-off suggests.
>
>
>
> Regards,
>
> Nick FitzGerald
>
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.