Apple Developer Website Update
Apple Developer Website Update
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.
222 comments
[ 3.4 ms ] story [ 258 ms ] threadAnd the site was down, so it was clear something was going on.
It is also extremely transparent in the sense that people were wondering this exact thing even earlier today, and now received a response detailing that this is an extremely severe breach, as opposed to something else. What more do you want on a Sunday?
And announcing it just because people have started to speculate is damage control, not taking responsibility.
It's possible it took them a few days to figure out exactly what was taken and waited until they had as much info as possible to make a statement. I doubt Apple would be following blogs during a situation like this with someone making the decision: "oh, people have started to speculate about what's happening - I think we should make a statement."
And 'taking responsibility' means solving the problem. They have told us what they are dealing with. What more do you want from them?
I'm also disappointed that it took them 72 hours to tell us anything, and that the update doesn't even have a timeline for when the site may be back. "Soon" is meaningless.
It's our data, we should have the right to know what happened to it.
Basically, once the problem was serious enough that they felt like they needed to take the site down, I'm pretty sure they knew which machines had been accessed (or at least may have been accessed). They knew that some of those machines had developer's personal information. They could have posted as much up front, rather than waiting 3 days to do so.
No, they likely took the portal down as soon as they knew there was a breach. Highly unlikely they left it up while they investigated, and it takes time to figure out what happened and how much information was taken.
What motivation would there be to wait anyways?
They still haven't said anything about how much had been taken.
My point is they knew how much could have been taken. They knew what machines were at risk; hence taking them down. If those machines that were at risk had sensitive personal information, they should have notified the people affected right away, not three days later.
Taking the site down, with no indication of why, and waiting three days to tell people that their personal information may be at risk (and remember, the possibly compromised information includes credit card numbers, as there are a number of things you need to pay for in your developer account) is just crazy.
You should be upfront and transparent when the breach first occurs. Of course you don't know exactly what has been compromised; but they are still being plenty vague even three days later. If they had posted three days ago what they posted today, it would be a lot more reassuring.
Companies are people. And all the relevant parties involved in handling this may not be accessible to make a decision as quickly as needs to be done. Or at least quickly enough to satisfy all people.
Do you feel you suffered any harm in particular by the delay of three days?
What I would love is an update whenever they suspect an intruder has accessed sensitive information. Many websites like Dropbox and last.fm do have a server status where they tell us if they have any planned maintenance or just general status of the server. Why can't Apple and the rest of the big companies do that?
Also, Apple first said it was just regular maintenance. I'm just confused as to why they said that instead of telling us the truth.
But, in their defense it may take days to ascertain what exactly happened.
Once a system is compromised it's nearly impossible to trust anything about it. Auditing the logs, and reviewing the code, crypto, and the mix of platforms they're using (see https://news.ycombinator.com/item?id=6078854) in order to understand what data could be accessed and fix all vulnerabilities is not an easy task.
The PlayStation store was not down for such a long time without reason.
For the website to show these details (and it does, in part, use these details in the interface) it must be able to decrypt these on the web applications side. Ergo the keys for decryption must also be on the server or derived from the users passwords, both of which make the use of encryption a fairly worthless venture.
ED: As another commenter mentioned in an earlier thread, lots of other AppleID facing applications are gone as well ( https://ecommerce.apple.com/ ), so it would be interesting to find out how far this all goes. The websites don't seem that far disconnected from the information in iCloud.
Your post is pure speculation and depends heavily on what Apple means by 'sensitive'. I'm guessing that Apple means your CC numbers, certs, shared keys, etc.
Possibly also your support tickets, your bank numbers, etc.
As for how encryption works, I'd suggest Applied Cryptography by Scheiner. I think there's a problem in that book about Bob keeping speculative posts to Alice secret from Eve. After reading that book, I'd suggest applying for a job at Apple to give you first hand knowledge of what they're actually doing and then you could make an informed judgement about what may or may not have been exposed.
Apple's email essentially says, "we don't think they have the key, but..." And a complete investigation, along with changes to the system and an opportunity for users to change data as soon as possible under the new system, is the right way to go about it.
https://twitter.com/chockenberry/status/358310019537715200
WWDR is all about evangelising the platform to a technical audience. Of course it belongs in marketing and not engineering i.e. it involves road shows, presentations, reach out activities etc. Not everyone that is technical are developers remember.
They've already been down a few days and haven't said when they'll be back up so it's impossible to know yet how long it'll take.
I know there are people here who probably have been in the start-up space for all of their working life, but never underestimate how piss poor architecture can be at big companies.
I would place a large amount of money that every single person here who has done a stint at a large corporation has a horror story about terrible, awful architecture, outdated practices, and shoddy insecure software. And yes, that includes companies like Facebook, Google, etc.
... or simply a cut-down version they know how to run.
"Mhh, what did that old cron job do, again?"
"I don't know; it was written by Mike, he left 3 years ago."
"oh ok, so not important then."
<12 hours later>
"OMG OUR DB EXPLODED AGAIN! That script was clearly essential! Can you rewrite it??"
"Er, I've looked at it: 2000 LOC of obscure Perl. Gonna take a while..."
Most of their web apps are WebObjects/Java apps. Sure some of them would be classed as legacy but it is hardly different from most other enterprise companies. And their systems are completely separate from each other e.g. iTunes, Apple Online Store, ID auth, Developer Portal.
As a developer I'd still be concerned if I lost such data when encrypted - so I understand - but what measures can be put in place so that as a developer/site owner you're without uncertainty that the encrypted data will never be encrypted by the attacker (eg, would take trillions of years).
I wonder where the CRL for the dev certificates is -- we might see an update to it soon.
Now, how do you use that information to compromise iOS devices? You probably won't be able to get it in the App Store, and the iOS devices won't install from anywhere else. You could make an Ad Hoc distribution package, but for that you need to know the UDID of each device and convince your victim to download the rogue app from somewhere other than the App Store.
So (again, assuming no revocation), you could set up a web based alternative app store, or re-sign cracked apps/games, or just enjoy being able to run code on your own devices (and distribute to others without going through the app store) without maintaining the $99/year subscription, or you could start linking/redirecting unsuspecting web browsing users to install malicious apps (would only need 1 confirm click)
I understand this must be a very challenging situation for them to deal with, and I appreciate the notification. As I'm sure many developers feel, I'd like to know more details, but I'm sure these will come in due course.
This is the worlds most cashed-up corporation. They could buy entire countries, yet they made a conscious choice not to update their server software or hire more competent sys-admins.
There shouldn't be a way for them to gain marketing wins out of this. There should be a law requiring notification when personal information is compromised.
It's entirely possible that this is a massive oversight by Apple and they've been extremely negligent in their security policies.
It's equally possible that there's some bug (that either you or I could easily have made the mistake of introducing) that's resulted in this being possible.
Let's calm things down, give it a few days, and then evaluate. Nobody can make an immediate judgement about the exact causes of problems like this. If you're making judgements at this point, you really have no idea whether you're being accurate or not.
And yes, if it turns out to be negligence on Apple's part, I'll be very angry. But let's wait and see.
Well, you're very much mistaken. It's not about a security breach at all. If you read carefully, you'll notice it's merely about a "security threat".
:)
We can see that they did their job correctly by the overwhelming amount of details they provided us with.
This shouldn't happen.
When my 4yr old tells me he did something "wrong" without any prompting (eg. "Dad, I broke your phone"), I'm impressed because he didn't have to out himself, but did so because it was the right thing to do.
Large corporations rarely think in terms of right and wrong... they have a duty to their shareholders, and nobody else. As far as their shareholders are concerned, they shouldn't release damaging information unless not doing so could potentially negatively impact profits down the line. So when Apple tells you they messed up, they're only doing so because they're worried you might find out some other way, which would be worse for them. They aren't doing it out of the kindness of their hearts.
Now if there were a law requiring the disclosure of incidents such as this when personal information is compromised, then Apple wouldn't have a choice in the matter, and they wouldn't be able to fool people like you into thinking they're awesome when they just lost your data through negligence.
> It's entirely possible that this is a massive oversight by Apple and they've been extremely negligent in their security policies.
They just said they'll be updating their software. Why would they do that if they didn't think that that would make the data safer. It's pretty much an admission that they chose not to update the software earlier ie. someone made a decision to use outdated software.
"It took them 3 days to tell us something happened. Obviously this means they would have kept it secret if it were at all possible."
It takes time to figure out what happened in a breach. That doesn't mean that Apple is some evil company trying to hide the fact that there was a breach.
> That doesn't mean that Apple is some evil company trying to hide the fact that there was a breach.
I never said that they were trying to hide anything. Again, did you even read my comment?
> Obviously this means they would have kept it secret if it were at all possible.
Well yes, that is logical. A corporation would keep such a thing secret if they had a guarantee that there was no other way people could find out. There are good people working at Apple, but they are not Apple. A corporation doesn't have morals. It will not damage itself and threaten profits just for fuzzy feelings, any more than it will drop the price of the iPhone 6 to $20 because that would be a good thing for the poor.
Do you believe this is unique to corporations? Would "real people" always do the right thing even if they had a guarantee nobody would e able to tell?
I doubt you'll need to get angry - because if it's negligence, you/we won't be told.
(b) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
> Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed.
Edit: and seriously, what does this "updating our server software, and rebuilding our entire database" mean?
my WAG: paving systems; reinstalling the server OS; updating packages; restoring db from known clean backup; replaying logs/binlogs that are known clean?
That would be my guess.
Ha, what a joke, I can't help laughing at that.
With so many third-party Apple developers drinking the kool-aid, and dreaming of becoming rich, I'm not surprised Apple treat them like fools.
Just yesterday on Twitter, some developers were speculating that the site was taken down to be updated with new SDKs for exciting new features and product lines.
Apple is great a lot of things but I don't think even their most ardent fans would argue that transparency is one of them.
So they can't rule out the possibility that sensitive personal information, which cannot be accessed, has been accessed. Got it.
Apparently our intelligence, which cannot be insulted, has been insulted.
I would imagine that for most of the people signed up, it wouldn't be that hard to track down their name and email just from knowing the name of their app.
So yeah, developer's names, addresses and emails are not secrets by any means. Why would anyone buy an app from someone they had no means of identifying?
Not necessarily, if you're using a payment gateway that supports token billing...
So now if something needs to kick off a billing process the frontend sends a signal using a defined service method (preferably something so simple that it is secure) and then the backend goes off and decrypts the data followed by doing the actual processing required.
If the frontend and backend are on two seperate networks, and the frontend is only allowed to talk over TCP/IP port 5930 for example to the backend, now you have reduced your attack surface tremendously while making customer data more secure.
You sent messages to add or charge our client’s credit cards from the front end - on the ultra-simple protocol, to the 1 (!) open network service on the backend. And that’s all the input it took from the network.
If something more complex was needed someone with much higher permissions than I went to the server room and typed into the terminal. Which really minimized attack surface.
The major drawback would be the same as the benefit. Since you can't know your users' CC numbers, you also can't make recurring charges.
Pipe-dream solution to that -- you should be able to get a token from your payment provider that authorizes you and only you to charge the CC. Should that token leak, you barely even need to revoke it. It can't be used by anyone else, because you need both the token and your company's api secret to charge anything, and even then, all they can do is send (easily refundable) money to your account.
If such a provider could also SMS you on your chosen # to confirm the purchase then the system would be secure!
This is untrue. The magnetic stripe contains significantly more data than what is printed on the card and much of that Discretionary Data (DD) is used during authorization of 'card-present' transactions.
That's not true >"charges from a new vendor would need the code". Online credit card transactions only require a credit card number, expiry month & expiry year. The verification code is optional and is used as a fraud check / deterrent. Payments with an invalid verification code are highly suspicious. Therefore, when Apple (or any merchant) asks for the verification code initially, it passes the initial fraud tests and the card is stored as a "verified card" (or perhaps, only verified cards are stored). Further charges are then most probably legitimate (since it passed the previous fraud check).
If they know that credit card information was not affected, they should say that. E.g. "Sensitive personal information (such as credit card data) was encrypted and cannot be accessed, ..."
It's reasonable to suppose that 'sensitive' includes credit card information, but as it stands it's something we have to interpret.
I'd suggest we all check our credit/debit card statements more often over the coming days, just to be sure. =)
Apple is not a startup. They were ranked 6th in Fortune 500 for 2013. They are going to be rehearsed, political, and vague with their descriptions. Were you actually expecting them to release a postmortem on their blog with a link to the GitHub repo with the fix?
One of the hopes for the notion of startups searching / optimizing in these kinds of niche spaces (transparency, communication on a more personal / no-bullshit level, whatnot) might be that these kinds of optimizations will hopefully change what is to be expected from IT businesses in general (at least in terms of communication and so on.) One can at least hope..
Also, this isn't a postmortem (yes, we may never see one, it is premature to comment on that _now_)
This is most likely just me being too paranoid and literal, of course. =) In general I'm not too disappointed with how they've handled this - it could've been far worse.
It’s also important to note that the hacker did not get access to any app code or even the servers where the app information was stored. The hacker also did not get access to any credit card information.
The only thing that the hacker could have gotten access to was the names, email addresses and mailing addresses of the developers. At this point, Apple doesn’t know if the hacker even managed to see that information. Worst case, that is all the information they would have seen, according to Apple."
http://www.loopinsight.com/2013/07/21/apple-comments-on-deve...
If a patent troller wants to find out who is behind an app, they would go through the legal system and use a subpoena.
Literally no reason whatsoever for them to hack a website to get it.
http://i.imgur.com/PNMZrtn.png
http://9to5mac.com/2013/07/21/apple-explains-developer-cente...
http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev...
http://allthingsd.com/20130721/apple-developer-center-was-ha...
1) The site was down since Thursday, not yesterday. 2) You can't "overhaul" and expect to deploy "soon", so wtf are you doing apple? 3) "Soon" is not a timeline, at least not in the real world. 4) What info got owned? What could be effected?
Starting at 7am, I received an Apple ID password reset request every 4 hours and 19 minutes, ending last night at midnight.
This Apple ID is also the login for my personal developer account (several years old). My developers IDs used for work never received a password reset request.
If you search Google, people are all the time receiving password reset emails going back years, even repeated ones.
Email addresses are in the clear all the time, and I've never heard of them being considered sensitive before. You should assume everyone has your email address.
But these things are complex, and it takes time (i.e. a few days) to fully and properly evaluate what has happened and what information leaks/security breaches have occurred.
Let's give this a reasonable amount of time, and only then pass judgement on their handling of the case.
I don't want to appear like an Apple apologist - and maybe it is a serious fault on their side. But in fairness I do think it's reasonable we give them time to evaluate & respond appropriately.