Tag Archives: iPad

(Intellectual) Property is Theft?*

First of all, congratulations to Andrew Lee on his new role as CEO of ESET LLC. It’s as well that my work for AVIEN is unpaid, as otherwise he’d be my boss twice over. 😉 Reading the press release here, it includes substantial references to AVIEN and the AVIEN book, to which many AVIEN members contributed, as did Andrew and myself.

That was a very worthwhile project, but one of the less attractive aspects was the readiness of a great many people to generate and distribute pirated copies: apparently the time and effort it took us all to generate that book doesn’t deserve any recompense. In fact, I had a pirated PDF copy sitting on my desktop before my author’s (hard) copies arrived…. That wasn’t the first of my books to be pirated, let alone the only one. But it seems that the pace has picked up in recent years.

So imagine my joy on reading in the Vancouver Sun that ION Audio are about to market a device that can scan a 200-page book in 15 minutes. (Thanks to Robert Slade, my co-author on Viruses Revealed, for bringing this gem to my attention.) Well, it’s basically just a more ergonomic type of scanner, and hopefully dedicated pirates will find that having to turn all those pages by hand will still have a negative effect on their sex lives.

I don’t think there’s much doubt, though, that for every individual who has a legitimate and possibly legal reason to scan one of their books into machine-readable form (i.e. for iPad, Kindle etc.), there will be many more who will see this as a way to profit from the labour of others without asking the question “why do I have the right to assume that authors should go through the pain of writing and publishing with no right to any sort of return?”

What is really infuriating, though, is that it doesn’t seem to have occurred to ION that it is marketing rather more than a legitimate tool for honest students and educationalists. Or maybe it doesn’t care, because it can’t be used to copy ION hardware.

* http://en.wikipedia.org/wiki/Property_is_theft

David Harley CITP FBCS CISSP
AVIEN COO

NTEOTWAWKI

Given all the hype generated by the ridiculously titled Gawker Article about the so called ‘iPad’ hack, I’m somewhat reluctant to add to any more of the noise over what is really a pretty run of the mill story, but because I’m procrastinating on other jobs, I’ll write something. Warning: this story does involve the shocking exposure of people’s email addresses, said addresses getting revealed when they shouldn’t have been, and yes….er…well, no, that’s about it actually.

Indeed, Paul Ducklin of Sophos wrote a very nice article stating the rather important fact that, every time you send an email, that passes your email out on to the open internet. Of course, that’s not an excuse to have a poorly written web app that will spit out the email addresses of your partner company’s clientele at will. Partner company, I hear you cry, wasn’t this an Apple problem? Yes, indeed, this is absolutely nothing to do with Apple, it’s not an Apple problem, and it’s not a breach of Apple’s security, nor is it a breach of the iPad. In fact, it was solely down to a web application on AT&T’s website. It doesn’t even involve touching an iPad. But, but, you may splutter, isn’t this is an iPad disaster? No. Not even slightly; not once did the ‘attackers’ go near any one’s iPad. The ‘attack’ was purely a script  that sent ICCID numbers (this links a SIM card to an email address) to the AT&T application, in sequence, to see if their database had that number with an email attached – and if so, that came back. That’s right, it’s a SIM card identifier. The only ‘iPad’ part is that the ‘attackers’ spoofed the browser in the requests, to make the app think the request was coming from an iPad.

The upshot is that, as this page rightly points out (thanks to @securityninja for the link)

“There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it.”

So, the correct title of that original Gawker article might have been “Badly designed AT&T web application leaks email addresses when given SIM card ID”, but that wouldn’t be “The End Of The World As We Know It”.

In a week where one ‘journalist’ writing here (thanks to @paperghost for the link) claimed that some security people confessing to being ‘hackers’ (whatever that means) “confirms our suspicions that the whole IT insecurity industry is a self-perpetuating cesspool populated by charlatans”, it might be time for the world of the media to turn that oh so critical eye on itself and ask who is really generating the hype in the information security world?

If you’re interested in keeping up with genuine Mac/Apple related security issues, a good resource is maintained here by my good friend David Harley

UPDATE: The original ‘attackers’ have published a response to the furore here. Pretty much confirms what I was saying

“There was no breach, intrusion, or penetration, by any means of the word.”

Andrew Lee
CEO AVIEN/CTO K7 Computing