However, it seems that Apple’s procedures had not been improved during the two-and-a-half-week period between the two incidents. I’m not taking their word very seriously at this point. Also, the promise to get back to me about their log files detailing my account’s usage? 30 days on since their initial call, I’ve heard exactly zip from Apple.
]]>The account continues to get password reset requests, but as people have pointed out, those are harmless unless someone at Apple overrides the procedure manually. Also, to those who asked: my security question and answer are a meaningless challenge/response pair — there is no chance that someone guessed the answer.
]]>Please include the line below in follow-up emails for this request.
Follow-up: [redacted]
Re: ADC account
Dear Mr Karppinen,
Thank you for contacting the Apple Developer Connection regarding your ADC membership account.
Please accept our apology for the delayed response.
In reviewing your information, I have found the following account:
Marko Karppinen
MK&C
Email address: [redacted]@mac.com
ADC Premier Membership
ADC Member number: [redacted]
Apple ID: [redacted]@mac.com
Last Login Date: 04 Jul 2008Please know that I updated your email address for you to: marko.[redacted]@yahoo.com.
Furthermore, the password for your ADC account has been reset. You will receive two additional emails from Apple. One will contain your login account name, the other will contain your new temporary login password.
Once you have logged in with the temporary password, you will be presented with a “Password Expired” page. Enter the temporary password as the “old password” and select and enter a new personal password of your choice as the “new password”.
After you have logged in, please take a moment to review the information in your account profile to ensure the information is up to date.
Please know that it is possible to reset your password yourself online. We have included this process below:
1) Go to the Member Site at http://connect.apple.com.
2) Enter your Apple ID and select the “Forgot Password” button.
3) Enter your Date of Birth.
4) Choose your password reset option.—The easiest option is to have your temporary password emailed to the email address listed on your ADC account. You also have the option to reset your password online by answering the challenge question you chose when you created your ADC account.
I hope this information is useful to you. Please let me know if you have any questions or need further assistance.
Best regards,
[redacted]
Apple Developer Connection
Worldwide Developer RelationsInquiry from marko regarding Reset Password
Email address: [redacted]@mac.com
Region: Europeam forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com
Based on the emails that have appeared in my .Mac mailbox, this was accomplished by sending this classy one-liner to Apple:
am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com
To which Apple reacted by doing the only reasonable thing – saying Sir, Yes Sir! and handing my account over. Here's the email I just sent Apple:
Dear ADC,
You have reset my password based on a request by someone other than me. Rather than checking if the requester was actually me by comparing the information in their personal profile, you have allowed a third party access my Apple ID for no reason whatsoever.
I tried to log in today and saw that my password had been changed, and the email address associated with my account changed to "marko.[redacted]@yahoo.com".
Apparently based on a single-line email inquiry, you have allowed a third party access to:
- My personal details
- My personal email
- All the files stored on my iDisk
- Everything I've synchronized to .Mac, including my Address Book, Bookmarks, Keychain items, etc.
- My credit card details as stored in my Apple Store profile
- My iTunes Music Store Account
- My ADC Premier membership, including the software seed key and other assets
- The iPhone Developer Program's Program Portal, including details of our development teamFrankly, this makes me so angry that I can't see straight. Did it not occur to you at all that someone at "marko.[redacted]@yahoo.com" was not actually me? For example, because the names didn't match?
Can you even begin to appreciate the amount of work I need to do to re-secure all the information that you have compromised? How do you propose to restore confidence that I, or indeed anyone, should ever store anything confidential on your systems again?
With best regards,
Marko Karppinen
Update: A few hours after posting this, a team lead from Apple Developer Connection's European support organization called me, apologized for the mess, and assured me that they don't normally operate this way. He promised to find out if Apple can determine, based on their logs, where and how my Apple ID was used in between the password reset and myself discovering all this about 12 hours later. I know that my .Mac mail was accessed, but luckily I don't use it for anything other than ADC-related communications. In fact, I'd be home free if it wasn't for .Mac Sync and some old, unencrypted backups on my iDisk (I've since then smartened up and my backups are now encrypted). I hope the logs will allow Apple to confirm that these services were not accessed by the third party.
Update 2: So it's soon 48 hours after the password reset, but no further contact from Apple. Perhaps I should let them know that, so far, 65 000 people have seen this and many might be wondering how Apple will end up handling the case?
Update 3: How Apple replied to the password reset request and other clarifications.
]]>- (void)attentionClassDumpUser:(id)fp8
reverseEngineeringThisClassAndCallingPrivateMethodsIsFun ButMayLeadToCompleteAndIrrevocableDataLoss:(id)fp12
atTheVeryLeastItWillCauseUnexpectedBehaviourForOtherApplications:(id)fp16
youHaveBeenWarnedAgainstDoingSo:(id)fp20;
Indeed. But the question is… what does it do?
]]>Next, at the March 6 special event and the iPhone SDK, Apple started referring to iPhone's operating system as the iPhone OS. This seemed like a smart choice to me — the distinction between OS X and Mac OS X was probably lost on all but the nerdiest of Mac fans.
But now, with today's press release about the WWDC keynote, the names have seemingly changed again. Throughout the release, Apple consistently refers to OS X Leopard and OS X iPhone.
Speculate away.
]]>We're calling the site an alpha for the time being, but there are no known issues. Sign up and let us know what you think!
]]>An issue exists in the validation of certificates. A man-in-the-middle attacker may be able to direct the user to a legitimate site with a valid SSL certificate, then re-direct the user to a spoofed web site that incorrectly appears to be trusted. This could allow user credentials or other information to be collected. This update addresses the issue through improved validation of certificates. Credit to Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C for reporting this issue.
This generic language often used in vulnerability descriptions doesn’t really drive home the impact of the issue. To start, I’d change “may be able” to “is able” and “could allow” to “allows”. This vulnerability is exploitable every time. Here’s a real world example:
Scary? Yeah. If you’re still on Tiger or Panther, install the software update immediately. If you can’t, at least click the SSL icon on all sites you navigate to — the certificate details will not be right if you are being spoofed. For more info, keep checking the DHS’s National Vulnerability Database for their take on the issue (not online yet).
]]>Further, you certify that you will not transfer or export any product, process or service that is the direct product of any Apple pre-release software and that final testing will be done with any finished product that will be released to the mass market. [emphasis ours]
So, yes, a couple more days before the free Leopard update for Knox. We’re very far in its development, but only got the final Leopard DVDs today. Please bear with us as we work to bring this update to you.
]]>