In it, the author talks about the many vulnerabilities supposedly inherent in mobile devices, the history of security incidents involving the Mobile Safari app, and other security issues with iPhone OS.
This article is all over the place, built on a headline that is simply untrue (what else would you call a statement that isn't true?), just to get the word iPad into the title and draw eyeballs.
Let's start with what's wrong:
- The Headline - Apple iPad security itself was not breached. Plain and simple, the issue was a poorly designed page on AT&T's website that exposed information without verifying the identity of the person requesting it. The page had no check that the requester was actually an iPad 3G customer, or that the e-mail address in question belonged to that requester rather than to someone else in AT&T's database of users. iPad owners who did not have the 3G model were not affected at all. If the issue were in the iPad OS or the iPad itself, why did AT&T have to fix its website? While the author of the article did state that the flaw was not in the iPad but in AT&T's website, the headline is wrong and leads the reader to the wrong conclusion. I'll bring this point up again several times.
- Use of wireless security experts - As mentioned above, the incident had nothing to do with wireless security. It was a web application security problem. Whoever built this application on AT&T's website let the data out. Wireless or not, the information lives in AT&T's databases, and this web application exposed it.
- Point the fingers in the right direction - In the article, Apple is faulted for not keeping this PII secure. Um, Apple wasn't storing it. AT&T was storing it. How is that Apple's fault? Articles like this place blame where it does not belong and turn data that a wireless provider failed to secure into Apple's problem. I would love the author, who has no visible qualifications in the technology world other than being a technology reporter on the financial staff of the Washington Post, to explain to me how this makes sense.
- Talk about the right subject matter - Mobile security flaws? Again, not relevant to this incident. No data was intercepted in transit between the mobile device and AT&T. No exploit was run on the device itself; the flaw was on AT&T's website. So how is mobile security relevant here?
- Cyber threat? Really? - How is this a cyber threat? Is it a cyber threat because the names exposed belonged to people in positions of authority? I've seen exploits that did much worse, and they were not investigated by the FBI as cyber threats. Okay, the FBI's involvement is actually part of the story and is relevant... somewhat. But the FBI deeming this a cyber threat is hyperbole.
- iPhone OS security history - Again, how is this relevant? The story shouldn't be about Apple. The story should be about how AT&T didn't secure its web application. Apple is being dragged in as a bystander because it generates eyeballs for the story and the website.
- Giving Goatse too much credit - Goatse is a white-hat "security group", but credible security groups do not hand this kind of information to the media without first notifying the offending party, which Goatse did not do. The author fails to mention that Escher Auernheimer of Goatse Security did not disclose the flaw to AT&T or Apple before revealing it to the media. How does a "professional" organization act in such a manner? Simply put, they get paid to keep their mouths shut: they have paying clients, and they presumably keep those clients' flaws close to the chest, but since neither AT&T nor Apple is a paying client of Goatse, they apparently feel no moral or ethical obligation to keep this information private. Since they're not much more than hired guns, what is to prevent them from being hired by a competitor of AT&T or Apple to comb AT&T's website for flaws as a means of generating bad PR for either company? The only way they're "security experts" is if they have credibility, and given the unprofessional way they handled this incident, they have none with me. This is not an AT&T cover-up... no one committed a felony, other than possibly Goatse.
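As an added illustration (not code from the original post, and not AT&T's actual code), here is the pattern the first two points describe: a web lookup keyed on a caller-supplied identifier that returns a subscriber's e-mail address with no login and no ownership check, beside a version that requires an authenticated session and confirms the identifier belongs to that account. The subscriber table, session store and identifiers are constructed, and treating a per-device identifier as the lookup key is an assumption; the post does not say which field AT&T's page used.

```python
"""Unauthenticated subscriber lookup versus an ownership-checked lookup.

Constructed example: the table, session store and identifiers below are
made up and stand in for a carrier's subscriber database. The lookup key is
assumed to be a per-device identifier (an assumption; the post does not say
which field the real page used).
"""
from typing import Callable, Iterable, Optional

# Constructed subscriber records: device identifier -> (account id, e-mail).
SUBSCRIBERS = {
    "89010001": ("acct-1", "alice@example.com"),
    "89010002": ("acct-2", "bob@example.com"),
    "89010003": ("acct-3", "carol@example.com"),
}

# Constructed session store: session token -> account id of the logged-in user.
SESSIONS = {"tok-alice": "acct-1"}


def vulnerable_lookup(device_id: str) -> Optional[str]:
    """The flawed pattern: any caller who can guess a device identifier gets
    the e-mail address on file for it. No login, no ownership check."""
    rec = SUBSCRIBERS.get(device_id)
    return rec[1] if rec else None


def hardened_lookup(session_token: Optional[str], device_id: str) -> Optional[str]:
    """Require an authenticated session and return only data that the
    session's own account is entitled to. An unknown identifier and someone
    else's identifier produce the same answer, so the endpoint cannot be used
    as an oracle for which identifiers are valid."""
    account = SESSIONS.get(session_token) if session_token else None
    if account is None:
        return None  # not logged in
    rec = SUBSCRIBERS.get(device_id)
    if rec is None or rec[0] != account:
        return None  # unknown device, or a device owned by another account
    return rec[1]


def candidate_ids(prefix: str, start: int, stop: int, width: int) -> list:
    """Generate a contiguous block of identifiers, the way an attacker would
    walk a range rather than guess individual values."""
    return [f"{prefix}{n:0{width}d}" for n in range(start, stop)]


def enumerate_emails(lookup: Callable[[str], Optional[str]],
                     candidates: Iterable[str]) -> list:
    """Harvest every address the given lookup hands back for a range of
    identifiers. Against the unauthenticated endpoint this is the whole
    attack; against the hardened one it yields nothing."""
    found = []
    for cid in candidates:
        email = lookup(cid)
        if email:
            found.append(email)
    return found


if __name__ == "__main__":
    ids = candidate_ids("8901", 0, 20, 4)
    print("vulnerable:", enumerate_emails(vulnerable_lookup, ids))
    print("hardened:  ", enumerate_emails(lambda i: hardened_lookup(None, i), ids))
    print("owner:     ", hardened_lookup("tok-alice", "89010001"))
```

Running it, the sweep over twenty candidate identifiers pulls every address out of `vulnerable_lookup` and nothing out of `hardened_lookup`, while a logged-in owner still gets her own record. The fix is not on the wireless side at all; it is the missing authentication and authorization in the web application, exactly the point the post makes about where the blame belongs.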
This article is entertainment, because I'm left laughing at its inaccuracies.