Slashdot Mirror


Does Apple Need To Get Serious About Security?

An anonymous reader writes "An article at The Verge makes the case that Apple's development of its cloud services hasn't been accompanied by the necessary effort to ramp up security to match users' increasing levels of risk. As evidence, they use a recent (and very simple) security hole that allowed anyone to reset an Apple ID password with just a user's email address and birth date. Apple's initial response failed to fully stop the exploit, and then it took several days for them to fix the issue. 'A server-side attack on Apple's cloud could get customers' credit card numbers and addresses, device backups with their encryption keys — as well as contacts and Apple IDs — anonymously and in bulk. Those systems may be defended like a castle, but bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone. There's nothing sexy about securing these systems. None of them contribute directly to Apple's bottom line. And when it came to securing a business netting it an estimated $2 billion each year, Apple locked the screen door and left the front door open, without asking anyone else to check that the house was safe.' The article also points out that many other cloud service providers have detailed privacy and security policies, and actively participate in developing best practices, whereas Apple's procedures are shrouded in the company's typical secrecy. The article comes alongside reports of a way for people to DDoS other users' iMessage box."

6 of 84 comments

  1. Apple will get serious when you do. by rtfa-troll · · Score: 5, Insightful

    Apple needs to get serious at the moment that its customers care or at the moment someone puts legal liability on them and not a minute earlier. Given that the effect of Paris Hilton's phone getting hacked was to vastly increase the sales of the model, I don't think that's going to happen some time soon.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  2. Re:The more a phone is Cracked by Chris Mattern · · Score: 4, Insightful

    Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.

  3. how many security issues has apple had? by alen · · Score: 4, Insightful

    compared to everyone else?

    that journalist was one case. the article mentioned a lot of scary things, but no one has done any of it yet. and some of these services have been around for almost 2 years.

    1. Re:how many security issues has apple had? by jbolden · · Score: 3, Insightful

      Actually Microsoft NT started with a capability based system, not a permissions system which is vastly vastly more secure. The problem they realized very quickly was that end users couldn't handle capabilities, and their application ecosystem wasn't compatible with it. Internet Explorer being a serious example because at that point it was the default shell. So end users ended up granting almost unlimited capabilities to most applications. At that point Microsoft began introducing permissions...

      I'd say Microsoft's NT problems are a classic example of different parts of Microsoft fundamentally disagreeing about objectives, like security vs. backwards compatibility.

      ____

      Apple initially had overlapping permissions systems: the BSD based one, the NeXT based one and the various applications one from the mess that was OpenStep's security. They had to introduce a fourth one for connectivity to Microsoft networks. They've unified them somewhat and added 2 more security modules based on capabilities but they had a tremendous mess.

      _____

      Arguably:
      Microsoft started further ahead but couldn't handle the conflicts between competing interests.
      Apple had a total mess but made better compromises.

      That is the opposite of what you were claiming.

  4. Bullshit by Anonymous Coward · · Score: 3, Insightful

    Every single one of these "possible attacks" exists in nothing more than the submitter's mind.

    "bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone"

    None of these things are possible. FaceTime and iMessage are encrypted end-to-end. iTunes updates are signed. If you want to know how they work, buy a fucking disassembler. Until then, don't spout off bullshit, it just makes you sound like an ignoramus.

  5. No Need to Worry by Trip6 · · Score: 3, Insightful

    Apple will be irrelevant soon.

    --
    I hate being bipolar; it's awesome!