Assessing the Impact of the Apple iPad Security Breach
1. Discuss Goatse Security firm's possible objectives when they hacked into AT&T's website.
Goatse Security and firms like them are on a mission to expose what they see as lies and misleading claims by companies that claim much greater levels of security and stability in their products than they actually deliver. While AT&T Chief Security Officers and the Wall Street Journal have dismissed the accounts of the iPad incident as business development efforts on the part of Goatse, the reality is that Goatse and other firms like them perform a valuable service, ironically, for the companies who claim their activities are illegal (Wall Street Journal, 2010). Goatse is actually doing a series of audits on new products that may not have been completely tested before launch. Apple, which is known for exceptional control and expertise in its new product development process, failed to coordinate and collaborate effectively with its service partner, AT&T, on the launch of the iPad, and a massive security hole was found (Ante, Worthen, 2010). From this perspective, Goatse is actually doing the public a very big service, as Apple would go on to sell over 1 million units in the first 28 days of the product being available (Carr, 2010). Imagine if this security breach or massive oversight on the part of Apple and AT&T had not been found. Millions of people would have had their e-mail addresses compromised and, if it were not for Goatse, would have no idea how it happened. They are in many ways a consumer advocate, looking to protect the public from the mediocre performance of Apple and AT&T working together. The FBI completed a probe of the lack of coordination and collaboration between Apple and AT&T, and the results showed that neither side had considered that pre-populating screens with e-mail addresses inside key influencers' accounts would lead to a major security breach (Ante, Worthen, 2010).
Those analysts and industry experts who are the most skeptical point to the Goatse success at hacking the AT&T site as a means for the security firm to gain new business and to underscore the value it delivers to its clients. This may be true, yet the reason Goatse expends so much time, which is not billable and is very large in proportion to the dollars they would eventually generate from referral contracts, is that they see themselves on a mission to protect the uninformed and often too-trusting public from claims made by technology companies regarding security. AT&T and Apple, two of the largest brands in telecommunications and smartphone services and development, were humbled by the breach because it showed that the new product development and launch process was not nearly as well orchestrated as Apple would have its loyal customers believe. Goatse may be demonized over it, but the fact remains that without them finding this breach and releasing the results to Gawker, in effect plugging the hole immediately, literally tens of millions of consumers could have had their identities stolen (Ante, 2010). It was later discovered that the entire 3G network on which AT&T operates the Apple iPhones could easily have been compromised, which would have been a goldmine for hackers and identity thieves (Shukla, 2011).
In conclusion, Goatse is being made out to be the evil one in the entire media spin on this breach, yet in reality they performed a very valuable service for AT&T and Apple. They in effect completed a thorough audit of the companies' security policies, found them lacking, and made sure the world knew about it. Regardless of their motivations, they at least provided the information to Gawker and put tremendous pressure on AT&T and Apple to actually do what they had led the public to believe they had already done even before the launch of the iPad, which is to deliver a secure user experience (Shukla, 2011). The bottom line is that Goatse sees itself as being on a mission to protect consumers, and is a group of professionals who specialize in auditing the security of websites, and now smartphones and tablets. They are on a mission to protect the public from claims of security that may in fact be massive areas of oversight, as AT&T and Apple, in their lack of coordination, show.
2. Argue for or against computer hacking as an ethical corporate strategy for computer security firms.
In arguing in favor of computer hacking as an ethical corporate strategy for computer security firms, several points need to be kept in mind. First, hacking is pervasive and the majority of it originates outside the United States, including Russia, Ukraine, China and throughout Southeast Asia (Dwyer, 2009). The fact is that the best audit tools and techniques for security management of websites, smartphones, and tablet PC operating systems and platforms are evolving too rapidly to attempt to institutionalize them within a company's IT department. The security landscape is evolving so fast that it requires external security firms to concentrate on the latest threats and potential attack strategies and code, and then quickly test them out to evaluate how effective the defenses they have devised are. Without this continual and urgent development of defenses, any security company would over time become obsolete and eventually lose its technological edge. The sheer speed at which technologies develop in the global security community necessitates that this approach be taken and continually refined over time (Dwyer, 2009).
Second, in arguing for the development of these advanced tools and the support of computer hacking as an ethical corporate strategy on the part of security firms, the incredibly valuable insights gained from unannounced security audits of corporate sites and accessible resources cannot be overstated (Carr, 2010). Too often corporations will carefully orchestrate their own security audits, and in so doing will "harden" the outer areas of their systems and Internet-based communications architectures to increase the potential of passing the audit. This is in effect prepping for an audit to ensure compliance rather than truly testing the weakness of the actual system architecture to hackers (Carr, 2010). What these computer security firms do is bring the element of unpredictability and significant sophistication to their attacks, which makes it extremely difficult for any corporation to anticipate and plan just for a specific type of threat. In so doing, these security firms catch areas in their hacking efforts that may have been unknown or completely overlooked on the part of the security experts inside the companies. The net result is that these companies now have even greater insight into how best they can manage threats and also begin to see how rapidly the security landscape is changing. The Apple iPad breach is a case in point, as the FBI investigation showed that there were significant lapses in how the workflows and security procedures would be used for the iPad launch (Ante, Worthen, 2010). Without the hacking completed by Goatse, it is very likely hackers from third world nations would have certainly found, exploited and eventually caused economic harm to Apple iPad early adopters including the influencers who received the first 100,000 units (Dwyer, 2009).
3. Discuss whether or not Gawker Media acted in a socially responsible manner when it reported the security breach before Apple and/or AT&T had responded to the public.
By virtue of the First Amendment, Gawker could do whatever it wanted with the findings. From a socially responsible position, it did do the right thing, because it forced both companies to confront a major lapse in security in the largest and most expensive new product introduction Apple had made in nearly five years (Ante, 2010). A visit to any Apple Store globally at this time showed crowds lingering around tables full of iPads, and many people lined up at cash registers to buy one. Imagine all that customer data being compromised by a hacker, or for that matter an entire hacking organization potentially sponsored by a third world government getting all that transaction data due to the breach being undiscovered. It would have been catastrophic for consumers and would have eventually killed the product if left unchecked. Gawker did the most socially responsible act of all; they made it very public and forced urgency and an apology from both Apple and AT&T. In so doing they most likely saved tens of millions of dollars for consumers of the first iPads that had been compromised.
4. As the AT&T CEO, discuss how you would respond differently to this security breach.
I would first apologize to the AT&T customers and immediately get my best security teams on it. I would also immediately begin random security audits of all AT&T online properties and sites, and write a letter to shareholders and the general public. I would publish the letter as a full-page ad in the Wall Street Journal, explaining that security is critical to our ability to serve customers. I would also announce that this had…