funsec mailing list archives
Re: Apple's worst security breach: 114, 000 iPad owners exposed
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 13 Jun 2010 11:19:16 +1200
Joel Esler wrote:
> OMG the email addresses for iPad owners were exposed!!! Oh, you mean the email addresses that these people use, on the internet all day every day?
Two little things you overlooked...

First, privacy concerns in general. Yes, we all know the Zuckerberg generation believes that (online) privacy is a myth, but note that even the mighty Mark withdrew most of his, ummmm "private" images from public view on Facebook shortly after his service changed the default privacy settings that exposed said photos in the first place. Surely he didn't do it because they apparently showed that Facebook Inc is just one big booze-fest and that wouldn't look good to the schmucks Mark and his cronies (most of whom were also depicted in said photos similarly inebriated, etc) are planning on making their millions from? Surely Mark wasn't actually concerned at all about the revelation of such images? I mean, if he's not actually the head of the "you have no privacy" movement, he must be one of its best-known poster-boys...

Anyway, whether you personally believe in the existence or value of online/personal/etc privacy, even the USA (the "Western" country generally believed to pay the lowest "official" care of individual privacy rights) has _some_ privacy laws, and most US corporations with a web presence at least make prominent public declarations of their token concern for privacy.

For example, after a few bland introductory sentences (how uncharacteristic!) explaining that the collection of certain personally identifying information may be necessary, allows for better service provision and so, we are told "Your privacy is a priority at Apple, and we go to great lengths to protect it":

http://www.apple.com/legal/privacy/

Wow -- I'm convinced! Sign me up...

Maybe I'm selling Apple a bit short there? They get absolutely effusive about the importance of protecting their customers' privacy waaaaay down the page in the section titled "Our companywide commitment to your privacy":

  As we said, Apple takes protecting your privacy very seriously. To make sure your personal information is secure, we communicate these guidelines to Apple employees and strictly enforce privacy safeguards within the company. In addition, Apple supports industry initiatives, such as TRUSTe, to preserve privacy rights on the Internet and in all aspects of electronic commerce.

Wheeeeee.....

Despite the commonness of such obligatory statements, some US corporations make prominent public claims that they uphold privacy concerns very highly, establish Chief Privacy Officers and make claims such as "privacy commitments are fundamental to the way we do business every day", such as, say:

http://www.att.com/privacy

Regardless of how genuine you may feel either Apple's or AT&T's proclamations are about the importance of maintaining their customers' privacy, they both rather clearly failed in this case.

Second, you said:

> Oh, you mean the email addresses that these people use, on the internet all day every day?

Irrelevant. Do you not maintain a separate address (or even a collection of them) for "service registrations" and the like? Most security professionals I've either asked directly about this or with whom it's come up some way or other in conversation (admittedly not a large proportion of all such folk I know), _do_ exactly that. And at least some "more normal" folk I know (i.e. not security professionals) do this too. There are a number of reasons, but commonly having a single "well protected" (by the privacy policies of those companies they trust to share the address with) address is the reason (the other one is tracking who sell, etc addresses and these folk use a separate address for each company/entity that they share contact details with).

You cannot possibly know whether the actual addresses in the registration of all iPads for their AT&T 3G service were "addresses ... use[d] on the internet all day every day", and as it seems likely that at least some of them were "special" addresses, for which their owners were expecting the special treatment of premium corporate privacy controls (or at least such privacy controls as Apple may provide), this failure was clearly a worse failure than your joking shrug-off suggests.

Regards,

Nick FitzGerald