I cannot access the Mac Developer resources this morning.
With a company as advannced as Apple, I would expect them to be able to roll out web updates
seamlessly.
I don't like being out in the cold.
I want to download the Mavericks Beta.
The problem is when you think you have been hacked you cannot trust anything. You have to burn down your whole enviroment, and rebuild. This can take a LONG time. I bet the server guys have been putting in some amazing hours.
Then not only do they have to prove that the enviroment is back up, but they also have to test and patch the way the hacker (or researcher) got in.
I just talked to Apple developer support on the phone and they said that they don't have any time frame. I asked them to please change the word "soon" to somehting else, I told them that this is quite insulting. I believe that this is something that they can manage.
I told them that this is quite insulting
Don't take it personally 😉
Apple doesn't have any idea because they are waiting on the vendor, who also has no idea, if for no other reason than they are prohibited from making claims that may turn out to be false - things will recover when they recover. The verbiage 'soon' is crafted by the legal teams who could care less if someone feels insulted, sorry. The legal teams only allow public-facing verbiage that speaks in generalities in these types of situations.That text is just boilerplate and not intended to reflect any sort of reality, responsibility or reaction to anything but a legal position. Little else matters to Apple right now.
K T wrote:
Whenever the dev centers come back, I'd expect Apple to force devs to change their password(s) first thing. The process should be straightforward and for anyone wishing to act now, please see this User Tip:
Passwords are handled by the AppleID servers. Those servers were not involved. The hacker in question was able to do something to circumvent those authentication servers and query the stale copy of developer data that Apple keeps (or probably kept, past tense) on the developer site. If you have ever changed your Apple ID before, you would have noticed that you had to manually contact Apple developer support to get it to recognize your new e-mail address.
Everything else, including certificates, is encrypted.
If anyone has bothered to watch the video (which seems to be gone now), you would see that he used some web service, authorized with his own Apple ID, and included a hashkey that was able to return information about other developers.
What Apple has to do now is strip out that stale copy of developer information and do that interaction correctly, the way it should have been done in the first place. Instead of keeping a stale copy, the developer systems will have to interact more with the AppleID servers to query a developer's current e-mail address. Considering that Apple recently rolled out two-factor authentication, that is going to take some work.
Perhaps - we'll see if a password or ID change is mandated when it all comes back. Right now, I'm advocating better safe than sorry 🙂
Good point too about the recent move to two-factor authentication.
K T wrote:
Perhaps - we'll see if a password or ID change is mandated when it all comes back. Right now, I'm advocating better safe than sorry 🙂
When it all comes back, that may be necessary. But I stronly advise that people wait for Apple's instructions before changing any passwords. There is some nebulous linkage between the developer site and AppleIDs that is in the process of being changed at this very minute. If anyone starts mucking around with developer AppleIDs right now, I suspect they will need additional support later on to get their accounts working again.
As annoying as it is for all developers to be waiting on Apple, it is much more annoying to be a lone developer waiting on Apple's support.
All sound points, except that if the IDs are involved and are used across iTunes, etc. there is may be more harm in waiting when it can be done now. I'd rather deal with bringing up one facet later than risking them all now. Each dev needs to decide for themselves if they want to sit on the fence and wait or be proactive and defend now.
Even if the IDs aren't _directly_ know to have been compromised, I'd expect pw resets to be part of Apple's eventual risk management posture overall.
If Apple is indeed going to tie the developers' portal to the AppleID servers and get rid of a stale copy, then changing the password shouldn't pose any problem even if an upgrade is currently going on - it should only be a matter of code, not of data.
What you should do though is probably to check your iTunes purchase history to make sure nobody purchased a copy of Angry Birds or Lady Gaga using your account.
This is a question that could be answered rather easily by Apple.
A million plus developers changing their passwords an extra time,
in the middle of all this either helps or hurts their effort.
Douglas
I'd prefer to think of it as spreading the changes out rather than everyone trying to reset at once later when/if a notice hits.
And if changing your Apple ID pw will bring down the house, there are bigger issues - best to know now while things are in flux than have false starts spead out over time. If it was an issue now, Apple would say so.
While that's true, it's a toss up. Do it now and take a chance of headaches or wait and do it a little while after the site is back up.
Unfortunately, this attack opens up phishing opportunities. Somebody can phish about resetting a password and there'll be some number of takers.
Before this incedent, whith escalated in Apple updating and upgrading thier security, rumores was about iOS 7 Beta 4 would be relised today. Yeap., checking air update all the day...
Cult of Mac wrote an article about Ibrahim Balic. Apparently the security flaw had something to do with the iAd network.
And here is his Twitter if anyone wants to send him a msg telling him, because of him, some Devs are losing $ because their Apps cant be downloaded, because they cant renew their membership, but then again, it brings me back to why wait until the last day to renew your membership ??
But im sure he is happy for his 15 mins of fame as every tech site/blog wants to chat with him now.
Anyways Ibrahim Balic = @ibrahimbalic
Video is here now - http://d.pr/fCmB
Poor bloke didnt sleep for 5 days after reporting it to Apple because he didnt get a reply from them, or T-Shirts or Caps or any presents at all, like he did from FB LMFAO
Interestingly enough, if you are a Mac developer, over the air updates to Mavericks are available today.
Why is the Apple Mac Developer portal down, and for how long?
