Media in the New Millennium

Observations on social media — and the occasional rant — from Metzger Associates' New Media Practice Group


Trouble in (Apple) Paradise

July 7th, 2010 · 3 Comments

posted by Doyle

Apple’s iTunes Store was compromised a few days ago–seemingly for the first time, or at least the first time it was made public in a big way–when about 400 accounts were compromised by a fraudulent scheme selling bogus merchandise for high prices.

Big deal, right? Four hundred users out of millions. Could be worse. Far worse.

It is. Far worse, that is.

The biggest issue here, which I believe has been under-reported by the media, is the fact that the House of Steve (Jobs) was compromised. We’ve come to expect behavior like this on the Wild Public Interwebz. I mean, gosh, it’s crazy out there. Phishing schemes. Viruses. Porn. But Apple protects us from all that.

Do we give up a freedom or two in the process? Sure, sure. But hey, I’ll give up Flash if you protect me from all the bad people and the evil they wish to do. Got your App rejected? Hey, it’s for the greater good. After all, as Spock said in one of the Star Trek movies, “the needs of the many outweigh the needs of the few.”

OK. Hey, I’m an Apple Fanboy. I’ll bite (and I do over and over again). But guess what? The bad people got into our party. They caused problems. They stole things. They turned the iTunes Store into a seedy place where you have to worry about the worst among us.

What is this… Google?

Four hundred people. Forty-eight hours. One bad file.

But a crack in the facade–and that’s the bigger picture.

Millions of people (me and my company among them) pay millions of dollars for Apple products. We rationalize and explain the higher up-front costs with lower overall cost of ownership thanks to superior security and ease-of-use. I can demonstrate that my company saves money by spending more on Apple. I’ve got spreadsheets to prove it.

But there was a crack in the dam a few days ago. A chink in the armor. Superman bled, even if only a little. The numbers don’t make this a big story. The ratios, in fact, make it an insignificant one–at first glance. What makes it an under-covered and significant incident is the fact that someone got into a world in which we allow sometimes draconian oversight in exchange for a clean, well-lighted place. A few days ago, the wolf came right through the door, sat down and ate porridge. Not what we signed up for.

To be clear: one bad Apple doesn’t ruin the entire barrel, but I hope that Apple is recognizing the potential floodgate that could be opening. Their reaction was swift and seems to be very good, but if they begin to need to react in such a manner regularly, what makes this walled world so different from the wild–and less expensive and less stylish–online jungle many of us Apple fans think we’ve abandoned?

I’ll be watching. Carefully.


Tags: Digital Content


3 responses so far ↓

  • 1 John // Jul 8, 2010 at 4:51 pm

    No system in the world is secure (with the exception of a system that is not connected to a network, and to which physical access is an impossibility).

    The reason this is a non-story is – as you point out – the fact that a few hundred accounts at max were compromised, and the fact that Apple upon recognizing what happened took swift action to correct it. In other words, Apple did exactly what any responsible organization who takes security seriously would and should do.

    This doesn’t mean that Apple products are insecure, or that there’s a chink in the armor that didn’t exist before. Apple products are still fairly secure – especially when compared to competing products. That has more to do with the underpinnings of the operating systems that power these devices than anything Apple specifically did.

    iTunes, and even MobileMe, are platforms that deliver digital content via the internet. With any such platform there are always vulnerabilities. What separates good service providers from bad is that good providers will generally know about these issues and be working to correct them (and will put mitigating controls in place to reduce the impact). Even doing that, sometimes something slips through that wasn’t anticipated. It happens.

    This post – perhaps unintentionally – really comes across as sensationalist fear-mongering.

    my $0.02.

    (to provide some of my background: I work in information security for a large software as a service company, and application security is one of my primary areas of focus).

  • 2 Doyle // Jul 8, 2010 at 7:08 pm

    John:

    Thanks for stopping by, and mostly, for taking the time to provide a thoughtful comment.

    I agree with most of what you’ve pointed out (no system is perfect, etc.). My point wasn’t that Apple got hacked, so run screaming–again, I have to say I’m a Fanboy. My point remains this: no one else hangs so much of their selling point on a platform as broad as Apple–e.g., not just an anti-virus program, but a complete OS–as nearly perfectly safe.

    You and I know that no system is 100 percent and we make our decisions based on that knowledge. Personally, I believe Apple is more secure than a Wintel system, or at least it has been for me and for my company. But what about my Aunt Sally in Scottsbluff? She just knows that she saw those cute “I’m a Mac, and I’m a PC” commercials on Jay Leno and the poor PC had a virus but the Mac was fine. A higher level of technical expertise allows us to understand the context. The average consumer takes such a message as a simple statement of fact.

    And again, even us Apple fans understand the trade-offs. I’d really like, for example, a Google Voice app on my iPhone. Apple, for whatever reason, won’t approve one. But that’s part of the trade-off I’m accepting. There may be things I miss out on, but in exchange I can generally trust what I find in that environment, and I’m OK with that. And that’s my point: lose that trust to a large degree, and will consumers still feel like the trade-off is a good thing?

    This is the first “hack” of the iTunes store that I’ve heard about. So, my point remains: chink in the armor, but a chink nevertheless. I hope they nip it here, and I did see they advertised for a director of security for the iTunes Store. That’s why I noted their response was very good, in my opinion.

    So, do I suggest dropping your iTunes account? Not at all. However, if a walled garden with lots of restrictions like iTunes, and Apple in general, can’t offer Ma and Pa Online the experience their marketing communication infers, it could be very bad for Apple.

    But overall, I’m with you. It happens. It will happen to everyone. If this is pretty much a rare occurrence and Apple shuts it down, great. That’s what I hope. However, given that this happened in the Garden of Steve at all, I think it’s worth watching, not from an alarmist or paranoid standpoint, but from the standpoint of can the largest computer company (by market cap) in the world fulfill the stake they’ve put in the ground? I think so, and I hope so.

    I’m just watching with interest.

  • 3 gabe // Jul 9, 2010 at 1:59 am

    I think that the concept of hacking a "secure" site, product, or server has always intrigued hackers and nowadays… scammers. Hacking used to be something that was publicly displayed or used for amusement… free long distance calling, gaining access and changing records of an un-liked public figure or something etc. Now, it has turned into a way to scam people and businesses out of money and personal information, all while staying under the radar for as long as possible. It's kinda scary… Apple has the best hackers on their side, but it was only a matter of time before something like this happened. I think that the security side of Apple products and services are… secure, but it's the individual accounts that can be targeted… I bet you can't guess what my password is….. P*******1 :)

    (to provide some of my background: I have seen Hackers like 7 times… "Hack the Planet!")
