Why taking down Apple’s Developer site was a good idea…


Over the weekend, we learned that Apple’s Developer Center was taken down due to a security vulnerability or breach on the site last Thursday July 18.

In its notice, Apple indicated that the breach could have exposed developers’ names, mailing addresses and e-mail addresses, although the company states clearly that sensitive personal information was encrypted and not accessed.

Apple is notorious for not talking about its security issues, and it followed that pattern for the first three days of this incident by describing the site outage as “a maintenance issue.”

But by Sunday, Apple posted an explanation of the outage and the scope of the data breach. Another thing the posting stated, which isn’t getting a lot of focus right now, is what they’re doing about it:

“In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database.”

In other words, Apple has decided to accept the risks of a prolonged outage so it can mitigate the security risks, threats and breaches through a complete rebuild. In the immortal words of Ripley from Aliens, Apple decided to nuke the site from orbit because “it’s the only way to be sure.”

This is a nearly unprecedented, comprehensive response, especially since it’s not clear that there was an actual breach.

A security researcher in the United Kingdom, Ibrahim Balic, has come forward claiming that he found the vulnerability on the site, notified Apple and they took the site down. He further claims that he didn’t breach the systems or access data.

Regardless of whether a breach occurred, the scope of the data lost (or potentially lost) here is circumscribed. And that’s what makes Apple’s response remarkable.

The only other example we have of a company accepting an extended outage to do the right thing and rebuild is Sony’s response to the PlayStation Network hack in 2011. Sony accepted twenty-five days of downtime in that event.

But in that case, there was a demonstrated breach and a loss of 12,000 credit cards.

Sony said that their breach cost them at least $171 million (USD). A large part of that loss was due to the downtime it took for the company to rebuild its system.

Nonetheless, Sony did the right thing by accepting that downtime, and PlayStation Network has not suffered a breach like that since. Sadly, Sony doesn’t get credit for that, though it should.

And so Apple’s security team should get credit for doing what Sony did: committing not just to patching a hole in a troubled architecture but taking the time to rebuild from the ground up to make the system more secure.

If more companies responded to breaches in this way, the industry, and everyone concerned with technology, privacy, security and cyber threats, would be much better off.

Christopher Budd – Threat Communications Manager, Trend Micro
