
(Wall Street Journal)   Apple Says Its Developer Site Was Hacked but that no personal "sensitive" information was compromised. In other news, Apple does not consider your name, mailing address, or email address to be "sensitive"   (blogs.wsj.com)
More: Scary, Mac computers, electronic publishing, software developers, mobile operating system

894 clicks; posted to Geek on 23 Jul 2013 at 1:12 PM (2 years ago)




Archived thread
 
2013-07-23 11:44:38 AM  
That's not other news, that's government policy.
 
2013-07-23 11:50:05 AM  
It was hacked by a Security Researcher who did not take the information. No sensitive information was compromised, unless you're nitpicking about the word compromise.
 
2013-07-23 12:22:26 PM  
by most regulations, that's not.  Personals, yes, sensitive, no.  Now if they were talking about bank account numbers, socials, credit cards, then there'd be something to it.
 
2013-07-23 01:04:01 PM  

LasersHurt: It was hacked by a Security Researcher who did not take the information. No sensitive information was compromised, unless you're nitpicking about the word compromise.



He /did/ take the information, and has even admitted to taking it. From a different article:

"I didn't attempt to publish or share this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I can go within this scope. I have over 100,000 users' details and Apple is informed about this. I didn't attempt to get the data first and report then, instead I have reported first."

I would say that taking encrypted sensitive data means that it was compromised, once the data has left your control you have no idea of what has or has not happened to it. You have to treat it as compromised.
 
2013-07-23 01:06:13 PM  

cannotsuggestaname: LasersHurt: It was hacked by a Security Researcher who did not take the information. No sensitive information was compromised, unless you're nitpicking about the word compromise.


He /did/ take the information, and has even admitted to taking it. From a different article:

"I didn't attempt to publish or share this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I can go within this scope. I have over 100,000 users' details and Apple is informed about this. I didn't attempt to get the data first and report then, instead I have reported first."

I would say that taking encrypted sensitive data means that it was compromised, once the data has left your control you have no idea of what has or has not happened to it. You have to treat it as compromised.


Apologies, he DID. I presume only to destroy it, though, unless we're being VERY generous calling him a Security Researcher.
 
2013-07-23 01:14:58 PM  

cannotsuggestaname: LasersHurt: It was hacked by a Security Researcher who did not take the information. No sensitive information was compromised, unless you're nitpicking about the word compromise.


He /did/ take the information, and has even admitted to taking it. From a different article:

"I didn't attempt to publish or share this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I can go within this scope. I have over 100,000 users' details and Apple is informed about this. I didn't attempt to get the data first and report then, instead I have reported first."

I would say that taking encrypted sensitive data means that it was compromised, once the data has left your control you have no idea of what has or has not happened to it. You have to treat it as compromised.


Err, wait, maybe he only means he has "access" to it?
 
2013-07-23 01:17:27 PM  
no, he clearly states that he collected the data. I'm not sure what he means by the last sentence, but if I had to guess I think he means he told Apple about the exploits, got no response, and then collected the data.

He is Turkish so there may be some "lost in translation" going on here, but people that have seen the data say that he has it even though it is encrypted.
 
2013-07-23 01:19:22 PM  
In other news, Apple does not consider your name, mailing address, or email address to be "sensitive"

Because what could possibly be more sensitive than three pieces of information you HAVE to give to somebody else to enable a basic level of communication with them.....

/ da fuq, subby?
 
2013-07-23 01:19:33 PM  
Saw this on twit Sunday before they made the announcement.

They were all like, must be a hack, why would you take your dev site down for days in the middle of a release?
 
2013-07-23 01:21:58 PM  

skozlaw: In other news, Apple does not consider your name, mailing address, or email address to be "sensitive"

Because what could possibly be more sensitive than three pieces of information you HAVE to give to somebody else to enable a basic level of communication with them.....

/ da fuq, subby?


I do not have to give any of those to you to have a basic level of communication.

They are however all foots in the door for social engineering.
 
2013-07-23 01:32:50 PM  

theflatline: skozlaw: In other news, Apple does not consider your name, mailing address, or email address to be "sensitive"

Because what could possibly be more sensitive than three pieces of information you HAVE to give to somebody else to enable a basic level of communication with them.....

/ da fuq, subby?

I do not have to give any of those to you to have a basic level of communication.

They are however all foots in the door for social engineering.


Data like this can also, when viewed in certain ways, say many things about where it came from.
 
2013-07-23 01:37:11 PM  
I found all kinds of sensitive information here.
[nicksherman.com image 850x637]
 
2013-07-23 01:40:39 PM  
APPLE: This happened last *Thursday*, I read about it on Facebook on *Monday*, I got your email about it *yesterday evening*

The order of those events, and the time in between, needs improvement
 
2013-07-23 01:50:01 PM  

Glenford: I found all kinds of sensitive information here.
[nicksherman.com image 850x637]


Bingo. If anyone with basic google skills can find it, the information isn't sensitive.
 
2013-07-23 02:03:45 PM  
Is that why I got 7 requests to reset my apple password yesterday?

Dear Apple, every other site has a link "if you did not request this password reset click here". Maybe you should add one too?
 
2013-07-23 02:08:54 PM  

theflatline: They are however all foots in the door for social engineering.


That doesn't make any of the three pieces sensitive.
 
2013-07-23 02:20:59 PM  

skozlaw: theflatline: They are however all foots in the door for social engineering.

That doesn't make any of the three pieces sensitive.


Okay, then post yours here.
 
2013-07-23 02:23:07 PM  
This is the lamest 'security breach' ever.
 
2013-07-23 02:25:08 PM  

Yankees Team Gynecologist: skozlaw: theflatline: They are however all foots in the door for social engineering.

That doesn't make any of the three pieces sensitive.

Okay, then post yours here.


I always enjoy this type of person. "If you don't believe someone will hurt you, give me access and I'll demonstrate." Goes for everything, fraud, bad social behavior, etc. The first to start throwing this around is usually the first kind of person who would abuse it, like send you junk mail to prove a point.
 
2013-07-23 02:29:04 PM  
Ubuntu forums were hacked just a few days ago too, and they admitted the hackers got a list of emails and passwords, albeit in hashed/salted form
 
2013-07-23 02:35:42 PM  
Bloke raises hand in vid, claims: I sparked Apple dev site hack panic
'I have 100,000+ users' details ... please don't blacklist me'
http://www.theregister.co.uk/2013/07/22/im_not_a_hacker_says_apple_bloke/
 
2013-07-23 02:39:59 PM  

LasersHurt: I always enjoy this type of person. "If you don't believe someone will hurt you, give me access and I'll demonstrate." Goes for everything, fraud, bad social behavior, etc. The first to start throwing this around is usually the first kind of person who would abuse it, like send you junk mail to prove a point.

got nuthin'.

[oi44.tinypic.com image 472x255]

Please tell me that at least Apple pays you to make the kind of flailing rationalizations you've made in this thread, like "He was a researcher, it's all OK!" and the fallacious strawman/ad-hominem combo in your reply to my post.
 
2013-07-23 02:50:16 PM  

Yankees Team Gynecologist: Okay, then post yours here.


Because you could use it to annoy me that makes it sensitive?

I don't think you know what sensitive information is.
 
2013-07-23 02:57:27 PM  

Yankees Team Gynecologist: .


What makes you think anything I said has anything to do with Apple?
 
2013-07-23 02:58:42 PM  

skozlaw: Yankees Team Gynecologist: Okay, then post yours here.

Because you could use it to annoy me that makes it sensitive?

I don't think you know what sensitive information is.


Personally, I couldn't/wouldn't use it for shiat.

I asked rhetorically to prove that you do know it's sensitive information and you're being intellectually dishonest about it.
 
2013-07-23 03:03:07 PM  
I have already gotten several emails asking me to verify my AppleID password.

The first one arrived prior to the announcement.
 
2013-07-23 03:03:37 PM  

Yankees Team Gynecologist: I asked rhetorically to prove that you do know it's sensitive information and you're being intellectually dishonest about it.


That was a rather dumb thing to say about three pieces of information you could obtain with a five minute phone call to your choice of any one of three different record keepers.

How sensitive it must be!
 
2013-07-23 03:07:03 PM  

LasersHurt: Yankees Team Gynecologist: .

What makes you think anything I said has anything to do with Apple?


What is TFA about? Everyone's post says something related to Apple. Yours however are noteworthy for their contorted logic.
 
2013-07-23 03:08:41 PM  
LasersHurt:
Apologies, he DID. I presume only to destroy it, though, unless we're being VERY generous calling him a Security Researcher.

Yes. Calling him a Security Researcher is generous. A white-hat guy would notify Apple, wait for a response, try again if none is received, wait, then make a public announcement on a security-minded forum.

Not actually exploit the bug, gain access, and steal data.
 
2013-07-23 03:11:32 PM  

skozlaw: That was a rather dumb thing to say about three pieces of information you could obtain with a five minute phone call to your choice of any one of three different record keepers.

How sensitive it must be!


Obviously sensitive enough for you not to give it up voluntarily (and rightly so).
 
2013-07-23 03:11:48 PM  

1000 Ways to Dye: LasersHurt:
Apologies, he DID. I presume only to destroy it, though, unless we're being VERY generous calling him a Security Researcher.

Yes. Calling him a Security Researcher is generous. A white-hat guy would notify Apple, wait for a response, try again if none is received, wait, then make a public announcement on a security-minded forum.

Not actually exploit the bug, gain access, and steal data.


cannotsuggestaname: I didn't attempt to get the data first and report then, instead I have reported first.


He seems to suggest that he DID, in fact, take the white-hat approach, presuming the sentence before was misleading. Taking him at his word, of course.
 
2013-07-23 03:18:16 PM  

Yankees Team Gynecologist: skozlaw: That was a rather dumb thing to say about three pieces of information you could obtain with a five minute phone call to your choice of any one of three different record keepers.

How sensitive it must be!

Obviously sensitive enough for you not to give it up voluntarily (and rightly so).


You don't wear a mouth guard daily because you don't expect to be punched in the mouth in everyday life. That doesn't mean that you shouldn't put one in your mouth when a clearly belligerent asshole wearing boxing gloves asks you to step into a boxing ring.
 
2013-07-23 03:25:13 PM  

Yankees Team Gynecologist: Obviously sensitive enough for you not to give it up voluntarily (and rightly so).to enter it into the public record where literally anybody can see it


Yea. Good argument. You keep runnin' with that one, buddy.
 
2013-07-23 03:40:58 PM  

Egoy3k: You don't wear a mouth guard daily because you don't expect to be punched in the mouth in everyday life. That doesn't mean that you shouldn't put one in your mouth when a clearly belligerent asshole wearing boxing gloves asks you to step into a boxing ring.


Articles like TFA demonstrate that there are "clearly belligerent assholes wearing boxing gloves" in all of our faces every day.

More accurately, there are people like you construing poor and intellectually dishonest analogies that fail to incorporate the real threat.

skozlaw: to enter it into the public record where literally anybody can see it

Yea. Good argument. You keep runnin' with that one, buddy.


Yet curiously you still care about when and how you release that information. That makes it sensitive.  Maybe not personal/private, but sensitive to some degree appreciated even by you.
 
2013-07-23 04:09:23 PM  

Yankees Team Gynecologist: That makes it sensitive


No, it doesn't. And you can't weasel your way out by adding meaningless phrases like "to some degree". Some people may consider their age "sensitive information to some degree", that doesn't actually make it sensitive information in any serious way.

More to the point that you're working so hard to miss, what's actually (semi) sensitive here is the knowledge that this information is relevant to a developer site user. And even then it's only "sensitive" to the extent that can be used to craft an attack specifically on these users instead of just idly fishing about for random targets.

Yankees Team Gynecologist: Maybe not personal


Actually, that's pretty much the ONLY thing it is.

If a company lost my name, address and email address to attackers, I wouldn't be terribly concerned.
 
2013-07-23 04:40:15 PM  

skozlaw: No, it doesn't. And you can't weasel your way out by adding meaningless phrases like "to some degree".


You conveniently left out the key part.   The full phrase was "to some degree appreciated even by you."  Because even you yourself care how and when that information of yours is shared or released.  Hence the hypocrisy/intellectual dishonesty.

skozlaw: I wouldn't be terribly concerned.


Speaking of weasel phrases--would you be concerned at all?  Would you prefer it didn't happen, or would it be truly neither here nor there?  I wouldn't be "terribly concerned" if someone stole 5 bucks from me, but it's still theft. There's a spectrum, just like your name/email/address is on the low end of the spectrum compared to your SSN, but it's still something as opposed to nothing.
 
2013-07-23 05:08:18 PM  
Yes, no big deal,  unless you're a professional iPhone ISV and the Developer Program is your entire business in one website.

This isn't the Playstation Network, this is some people's livelihood. The reason this isn't being griped about more loudly is that everyone is afraid Apple will pull their developer account for griping.
 
2013-07-23 06:33:57 PM  
cannotsuggestaname

I would say that taking encrypted sensitive data means that it was compromised

1. If it's properly encrypted, the underlying data is not compromised.
2. I don't believe the information he took was encrypted, hence the hair-splitting by Apple over sensitive and not-sensitive personal information.
 
2013-07-23 08:21:30 PM  
Reality is that it is not.  Your name, address, email address.  All public record.
 
2013-07-23 09:08:07 PM  
John Chisholm adhd dot librarian at thegmails dotcom
PO Box 40060 in your Capitol City

ahhh nooooo
I am exposed
 
2013-07-23 10:39:18 PM  

Glenford: I found all kinds of sensitive information here.
[nicksherman.com image 850x637]


Approves

[starsmedia.ign.com image]

\hot like a 20 watt plasma rifle
 
2013-07-24 12:22:44 AM  

LasersHurt: It was hacked by a Security Researcher who did not take the information. No sensitive information was compromised, unless you're nitpicking about the word compromise.


Are you reading BGR news again? Or is it Apple Insider?
 
2013-07-24 01:20:45 AM  

Yankees Team Gynecologist: LasersHurt: I always enjoy this type of person. "If you don't believe someone will hurt you, give me access and I'll demonstrate." Goes for everything, fraud, bad social behavior, etc. The first to start throwing this around is usually the first kind of person who would abuse it, like send you junk mail to prove a point.

got nuthin'.

[oi44.tinypic.com image 472x255]

Please tell me that at least Apple pays you to make the kind of flailing rationalizations you've made in this thread, like "He was a researcher, it's all OK!" and the fallacious strawman/ad-hominem combo in your reply to my post.


Don't you hate it when people use your own tactics against you?
 
2013-07-24 04:35:51 AM  

mccallcl: Yes, no big deal,  unless you're a professional iPhone ISV and the Developer Program is your entire business in one website.

This isn't the Playstation Network, this is some people's livelihood. The reason this isn't being griped about more loudly is that everyone is afraid Apple will pull their developer account for griping.


I am an iPhone and OS X ISV and the only gripe I have is that the site is down while they rewrite and modernize their security systems.

The info that was taken is available on my website for the world to see.
 
x23
2013-07-24 06:06:10 AM  

MadMattressMack: \hot like a 20 watt plasma rifle


you mean a phased plasma rifle in the 40 watt range. it's like people can't even be bothered with basic fact checking anymore!
 
2013-07-24 07:08:42 AM  

xaveth: LasersHurt: It was hacked by a Security Researcher who did not take the information. No sensitive information was compromised, unless you're nitpicking about the word compromise.

Are you reading BGR news again? Or is it Apple Insider?


The actual words released by the "researcher" himself?
 
2013-07-24 09:04:16 AM  

x23: a phased plasma rifle in the 40 watt range


Hey, just what you see, pal.
 
2013-07-24 10:30:51 AM  

ryarger: the only gripe I have is that the site is down


If you don't have anyone depending on you to complete a task using the resources available on the developer site, then no big deal I guess? It's not hard to imagine a situation where the developer site being down for a whole week would totally fark somebody over. I have a developer friend that needs to get his apps ready for iOS 7. He has a nine-to-five, but specifically took days off to retool his apps. He goes to download the latest SDK and the developer site's down.

He already took the time off, and doesn't have another week to burn waiting for Apple to get its shiat together. I'm sure there are other ISVs (and development teams for larger organizations) that are unable to renew their membership, download assets they need or get help from the forums. Project deliverables are slipping all over the place. Mobile development = serious business.
 
2013-07-24 12:04:37 PM  

mccallcl: then no big deal I guess


I think you misunderstand. As I said, the site being down *is* a big deal.

The "sensitive information" that was hacked? Not so much.
 
2013-07-24 12:36:04 PM  

ryarger: The "sensitive information" that was hacked? Not so much.


Even if my credit card information had been stolen, I'd rather call my bank and get a new card than call my boss and tell him my project is going to be "?" days late. The site being down is orders of magnitude more damaging than stealing any and all information I gave to Apple. The only thing that could be worse than the current state of affairs is an attacker gaining access to your Apple ID and using it to commandeer your app in iTunes Connect. There isn't really much of a difference for some developers, as they are locked out of the Store until they can renew their membership/change payment details, and are losing revenue every day.

Many people affected by this would gladly suffer identity theft if it meant the site came back up last week. The discussion about the nature of the information compromised is immaterial, as is the identity/motivations of the hacker/researcher. The site being down for any reason for a week is what everyone should be talking about, and figuring out how to protect their livelihood in the future.
 