Security Bugs – Blame the Hackers?

News of the AT&T and iPad security breach has been all over the web for the past few days. If you haven’t heard the details: a group of hackers discovered a vulnerability in AT&T’s private web APIs where one could send the ICC-ID from an iPad SIM card and AT&T’s servers would send back the corresponding owner’s email address, with no authentication required. Since the ICC-IDs for the iPad are somewhat predictable, it was trivial for the hackers to send in thousands of semi-random guesses and collect any email addresses that came back. Some of those addresses belonged to people at domains like faa.gov and us.army.mil.
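The lookup pattern described above, next to a guarded version, as an added illustration that is not AT&T's code. The account data, signing key, token scheme and every function name here are constructed for the example, and the step where a device authenticates to obtain its token is assumed.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample data: ICC-ID -> registered email (not real values).
ACCOUNTS = {
    "89014100000000000017": "alice@example.com",
    "89014100000000000025": "bob@example.org",
}
SERVER_KEY = b"constructed-demo-key"  # hypothetical secret used to sign tokens


def lookup_unauthenticated(icc_id):
    """The flawed pattern: any caller who sends an ID gets the email back."""
    return ACCOUNTS.get(icc_id)


def issue_token(icc_id):
    """Token given to a device after it authenticates (that step is assumed)."""
    return hmac.new(SERVER_KEY, icc_id.encode(), hashlib.sha256).hexdigest()


class GuardedLookup:
    """Requires proof the caller owns the ICC-ID and throttles repeated misses."""

    def __init__(self, max_failures=5, window_seconds=60):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # client -> times of failed lookups

    def lookup(self, client, icc_id, token, now=None):
        now = time.time() if now is None else now
        recent = self.failures[client]
        while recent and now - recent[0] > self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            return "blocked"  # a guessing client stops getting answers
        expected = issue_token(icc_id).encode()
        valid = hmac.compare_digest(expected, (token or "").encode())
        if not valid or icc_id not in ACCOUNTS:
            recent.append(now)
            return "denied"  # same reply whether or not the ID exists
        return ACCOUNTS[icc_id]
```

Because "denied" is returned for both unknown IDs and bad tokens, responses no longer reveal which guessed ICC-IDs are registered.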

The hackers claim they reported the flaw to AT&T before sending their discovery to the fine folks at Gawker. AT&T, on the other hand, was not pleased to see their security problems appear in a popular tech blog at all, and had this to say in an email to their iPad customers:

On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service.

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses.

So who’s to blame for a problem like this? Is it AT&T, or do the hackers themselves deserve some of the blame for the public way they handled their disclosure? Give us your thoughts below.

2 Responses to “Security Bugs – Blame the Hackers?”

  1. Veretax said:

    Who’s at fault? I’d say it’s measured. The hackers shouldn’t be engaged in such activities, but is it their fault such an awful bug was found in the system? AT&T is clearly at fault at least in part, but how much of that fault is being tied to a third party item, namely the iPad?

    Personally, I blame complacency. So many people have had it drilled into their head that Apple = Safe. It began with the Mac vs PC Commercials that Mac == Safe and since Apple makes both Macs, iPods, iPhones, and iPads, that the same safety would necessarily apply.

    However, these are different disparate devices, and in many cases the assumptions behind that inherent safety are flawed. Macs aren’t as popular as PCs, but iPods, and iPhones for sure are more popular than a lot of other phone brands. It certainly seems that way in the press. For Macs Apple was able to keep things safe by being a bit obscure, and less used, but with more popular devices, that no longer applies, IMO.

    That to me is the real problem, people get comfortable with certain expectations from certain corporations, and never question the assumption, am I safe with this product? Here’s another example, McDonalds recently ran a promotion of collectible Glasses to honor the recent Shrek movie. They’ve done such promotions in the past, and been quite profitable I imagine. (I particularly remember a group of Peanuts glasses my parents acquired when I was a child.)

    People tend to trust the Golden Arches of McDonalds so the thought doesn’t occur to the consumer, and even the producer/seller of the glasses became complacent and allowed a number of these tainted glasses to be sold and then subsequently forced to be recalled when it was discovered they could have something Hazardous in the paint I believe it was.

    What was the real thing to blame? Complacency on both the users, and the corporations producing the product.

  2. Deidre Sens said:

    Stumbled across this on Google, you have some Tremendous content keep the heat coming Thanks
