James Butler's Blog

Apple: Bad, AT&T: Stupid

June 10, 2010 13:09

From Gawker.com (paragraph sequence is mine):

"According to the data we were given by the web security group that exploited vulnerabilities on the AT&T network, we believe 114,000 user accounts have been compromised, although it's possible that confidential information about every iPad 3G owner in the U.S. has been exposed.

"Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application.

"Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads. This is particularly the case given that U.S. iPad 3G customers have no choice in mobile carriers — AT&T has an exclusive lock, at least for now. Given the lock-in and the tight coupling of the iPad with AT&T's cellular data network, Apple has a pronounced responsibility to patrol the network vendors it chooses to align and share customer data with."

And I agree.

It may have been a bad script on AT&T's website that provided entry, but it was Apple's business decisions that put the data at unnecessary risk.

We have seen an increase in these "group guilt" situations in the past several years. It seems to be less of an intentional effort than the result of mergers and the reduction in the provider pool. These larger conglomerates are trying to provide oversight to a fractured set of production cells, built on the remnants of the smaller companies that were gobbled up. Different company value systems, different methodologies, different levels of accountability within the conglomerate ... all contribute to a system wherein consistently high quality output becomes more and more difficult to obtain.

In the design world, the pressure to reduce the bottom line goes up, and the acceptable value level goes down.

In the manufacturing world, the error levels go up, and morale levels often go down ... not across the board, but in waves flowing through different sectors like a comb through hair.

Was it an ethical violation to have suffered a security breach like Apple/AT&T have?

In my humble opinion ...

 - YES it was an ethical violation on the part of Apple and
 - NO it was not a violation on the part of AT&T.

Apple made business and programming decisions that placed sensitive customer data in a worst-case security environment. There is precedent for this type of data harvesting, and forcing the use of an email address as a credential is like forcing the use of a social security or credit card number as a credential. (You probably see the latter every month ... most likely, your credit card account number shown on your statement is your credit card number!) While an email address is not a doorway to your cash, it is personal information that could easily be used for evil.

I can't think of any scenario where an email address might be the preferred string to use for validation, when all of its risks and benefits are evaluated, together. I can only determine that Apple's decisions were driven by their bottom line. Here's why I think that:

Using the same credentials for hardware activation and for access-service account identification, and holding that data in the cloud, lets them minimize the number of validation exchanges required for roaming, along with the extra bandwidth those exchanges consume and the cost of bouncing their authentication weirdnesses through dozens of pipe vendors.

The question, "Is this the iPad that is authorized to use this account?" can only be answered by tying the hardware id to the service account id, and the conversations between the systems that hold that data while roaming are expensive ... unless it's the same system, and it's maintained by the service provider in the cloud.

Please note that cellphones use similar technology all the time ... it's even required in order to function with certain types of networks, so the decision to use the SIM validation methodology is not what is in question, here. Cellphone providers don't tie your email address to your phone's account validation processes and then make access to that data available via the Internet.

In this case, I think that Apple's decision to use the single provider and then to employ this credentialing methodology that uses the email address as an identifier is an intentional violation of their customers' trust in them to only gather data from them as absolutely needed and to keep that data secured in a reasonable manner. To force the use of the email address to simply ACTIVATE the iPad in the first place and to then offer that data linked to the iPad's (removable) hardware unique identifier for use by their sole service provider in an Internet-facing application was seriously irresponsible and singularly arrogant, at best.

I'm going with "unethical."

AT&T, on the other hand, simply demonstrated a level of incompetence in the design, execution and oversight of the application that contained sensitive data. Basic credentialing security practices demand much greater insulation from the Internet and the use of tokens instead of raw data to validate separately-stored credentials.
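To make the contrast concrete, here is an added illustration (not code from this post, and not anything AT&T or Apple actually ran): the exposed lookup shape the Gawker quote describes, a hardened version along the lines this paragraph calls for, and a log check that flags id-guessing against such an endpoint. The account values, the `/lookup?iccid=` path and the log format are all constructed for the example.

```python
import re
import secrets
from collections import defaultdict

# Constructed accounts. ICC-IDs run near-sequentially, so the key space
# is small enough to guess; that is the whole exposure.
ACCOUNTS = {
    "8901410000000000010": "alice@example.com",
    "8901410000000000011": "bob@example.com",
}

def exposed_lookup(icc_id):
    """Pattern the post criticises: any Internet client that supplies a
    plausible hardware id gets the linked email straight back."""
    return ACCOUNTS.get(icc_id)

class TokenDirectory:
    """Hardened shape: emails are stored only under an opaque random
    token issued server-side at activation to the authenticated device.
    The ICC-ID by itself is never a usable lookup key."""
    def __init__(self):
        self._email_by_token = {}

    def issue_token(self, email):
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._email_by_token[token] = email
        return token

    def lookup(self, token):
        return self._email_by_token.get(token)

# Constructed access-log lines for the exposed endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [t1] "GET /lookup?iccid=8901410000000000010 HTTP/1.1" 200',
    '198.51.100.7 - - [t2] "GET /lookup?iccid=8901410000000000010 HTTP/1.1" 200',
    '198.51.100.7 - - [t3] "GET /lookup?iccid=8901410000000000011 HTTP/1.1" 200',
    '198.51.100.7 - - [t4] "GET /lookup?iccid=8901410000000000012 HTTP/1.1" 404',
]
LOG_LINE = re.compile(r'^(\S+) .* "GET /lookup\?iccid=(\d+) HTTP')

def enumeration_suspects(log_lines, threshold=3):
    """Clients querying more distinct ICC-IDs than one device ever would."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)
```

The hardened directory also keeps the email store separate from the hardware id, so even a leak of the ICC-ID list on its own yields nothing.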

It's not an ethical violation to suck at some things.