Intruder Alert

By: Jeremy W. Sherman. Categories: apple security.

The Apple developer center has been down since Thursday. The only information available from Apple was a “we’ll be back soon, and we’re not yanking any apps” reassurance. Thought maybe to check the dev forums? Those were down too, with roughly the same message.

Finally, Sunday evening, Apple revealed, by email and by updating the holding page at the iOS Dev Center, that they yanked their entire system down after

“an intruder attempted to secure personal information of our registered developers from our developer website.”

Well, that doesn’t sound good, does it? It gets better!

“Sensitive personal information was encrypted and cannot be accessed –”

Whoa there, Apple, I’ma let you finish, but “cannot be accessed”? Then how were you accessing it? Plainly it can be.

How hard it is for a cracker to access will depend on how it was encrypted. Apple have seen fit to reassure us that it was “encrypted”, as if all should be forgiven at the merest mention of “encryption”. Wave the magic encryption wand, and presto-changeo, insta-secure!

So, don’t worry, security fairies are at work. Just a slight slip-up:

“we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed.”

Wow, so a good chunk of what you’d need to open conversations with people’s banks, or credit card companies, or talk your way through most any phone tree. This is great info for social engineering and phishing. Someone could use this info to impersonate you and convince one of your friends or relatives to reveal some information they’d rather not share with strangers.

“In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.”

Waiting three days to tell everyone is a real class move. Phishers and impersonators have a three-day head-start on you. Enjoy!

Now, why would they need to stop the world, yank everything down, and beaver away for three days? It sounds like it took them about this long to figure out what even happened. Who knows how long the actual intrusion had been going on before they noticed it on Thursday.

“In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database”

I’m not clear how they can make a threat vanish by any means. Apple can make changes to better defend against a threat, but there will still be someone out there who wants developers’ credit card info, billing info, home address, phone, email – whatever personally identifiable information they can get their hands on, they’ll take.

So it’s great they’re fixing things. Somehow. Maybe. We still have no idea what actually happened, for all Apple rushed to shower us with transparency.

But it sounds like they got caught with their pants down, and are now trying to fix years of neglecting the server-side of their developer-facing services. Technical debt bites hard.

Keep an eye on your credit card and bank statements, and put your friends and family on guard for any funny business from someone claiming to be you. I hope we learn more details of this debacle soon, and I wish good luck to the poor folk at Apple who have been rousted from their beds and whip-cracked through the weekend.

Screenshot of the intrusion maintenance message