Why taking down Apple's Developer site was a good idea...

26 Jul 13

Over the weekend, we learned that Apple’s Developer Center was taken down last Thursday, July 18, because of a security vulnerability or breach on the site.

In its notice, Apple indicated that the security breach could have led to developers’ names, mailing addresses and e-mail addresses being accessed, although the company states clearly that sensitive personal information was encrypted and was not accessed.

Apple is notorious for not talking about its security issues, and it followed that pattern for the first three days of this incident by describing the site outage as “a maintenance issue.”

But by Sunday, Apple posted an explanation of the outage and the scope of the data breach. Another thing the posting stated, which isn’t getting a lot of focus right now, is what they’re doing about it:

"In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database."

In other words, Apple has decided to accept the risks of a prolonged outage so it can mitigate the security risks, threats and breaches through a complete rebuild. In the immortal words of Ripley from Aliens, Apple decided to nuke the site from orbit because “it’s the only way to be sure.”

This is a nearly unprecedented, comprehensive response, especially since it’s not clear that there was an actual breach.

A security researcher in the United Kingdom, Ibrahim Balic, has come forward claiming that he found the vulnerability on the site, notified Apple, and that Apple then took the site down. He further claims that he didn’t breach the systems or access data.

Regardless of whether a breach occurred, the scope of the data lost (or potentially lost) here is circumscribed. And that’s what makes Apple’s response remarkable.

The only other example we have of a company accepting an extended outage to do the right thing and rebuild is Sony’s response to the PlayStation Network hack in 2011. Sony accepted twenty-five days of downtime in that event.

But in that case, there was a demonstrated breach and a loss of 12,000 credit cards.

Sony said that their breach cost them at least $171 million (USD). A large part of that loss was due to the downtime it took for the company to rebuild its system.

Nonetheless, Sony did the right thing by accepting that downtime and there has not been a security breach since then. Sadly, Sony doesn’t get credit for that, though they should.

And so Apple’s security team should get credit for doing what Sony did: committing not just to patching a hole in a troubled architecture but to taking the time to rebuild from the ground up and make the system more secure.

If more companies responded to breaches in this way, those of us who work on technology, privacy, security and cyber threats would be much better off as an industry.

Christopher Budd - Threat Communications Manager, Trend Micro
