Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: SquidSquid.com |
| ICPP Pre-Trial Settlement Scam »
April 26, 2010
Punishing Security Breaches
The editor of the Freakonomics blog asked me to write about this topic. The idea was that they would get several opinions, and publish them all. They spiked the story, but I already wrote my piece. So here it is.
In deciding what to do with Gray Powell, the Apple employee who accidentally left a secret prototype 4G iPhone in a California bar, Apple needs to figure out how much of the problem is due to an employee not following the rules, and how much of the problem is due to unclear, unrealistic, or just plain bad rules.
If Powell sneaked the phone out of the Apple building in a flagrant violation of the rules -- maybe he wanted to show it to a friend -- he should be disciplined, perhaps even fired. Some military installations have rules like that. If someone wants to take something classified out of a top secret military compound, he might have to secrete it on his person and deliberately sneak it past a guard who searches briefcases and purses. He might be committing a crime by doing so, by the way. Apple isn't the military, of course, but if their corporate security policy is that strict, it may very well have rules like that. And the only way to ensure rules are followed is by enforcing them, and that means severe disciplinary action against those who bypass the rules.
Even if Powell had authorization to take the phone out of Apple's labs -- presumably someone has to test drive the new toys sooner or later -- the corporate rules might have required him to pay attention to it at all times. We've all heard of military attachés who carry briefcases chained to their wrists. It's an extreme example, but demonstrates how a security policy can allow for objects to move around town -- or around the world -- without getting lost. Apple almost certainly doesn't have a policy as rigid as that, but its policy might explicitly prohibit Powell from taking that phone into a bar, putting it down on a counter, and participating in a beer tasting. Again, if Apple's rules and Powell's violation were both that clear, Apple should enforce them.
On the other hand, if Apple doesn't have clear-cut rules, if Powell wasn't prohibited from taking the phone out of his office, if engineers routinely ignore or bypass security rules and -- as long as nothing bad happens -- no one complains, then Apple needs to understand that the system is more to blame than the individual. Most corporate security policies have this sort of problem. Security is important, but it's quickly jettisoned when there's an important job to be done. A common example is passwords: people aren't supposed to share them, unless it's really important and they have to. Another example is guest accounts. And doors that are supposed to remain locked but rarely are. People routinely bypass security policies if they get in the way, and if no one complains, those policies are effectively meaningless.
Apple's unfortunately public security breach has given the company an opportunity to examine its policies and figure out how much of the problem is Powell and how much of it is the system he's a part of. Apple needs to fix its security problem, but only after it figures out where the problem is.
Posted on April 26, 2010 at 7:20 AM
• 71 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"So I hear the manager of the new Apple Store in Nome Alaska is this guy named Powell."
That's a variant of a standard Army (and government) joke about what happens to people who screw up badly, but not in such a way as to generate "real" disciplinary action.
Come on, do you really believe this was accidental? For years now Apple products "leak" shortly before they are officially presented. And each time media give Apple free advertising by commenting on the product, its features or Apple culture as such.
This "leak" was planted and freakonomics as well as you have fallen for Apples public relations strategy. That's all to say on the issue.
Let's not forget the CYA aspect. He might have been instructed to test drive the phone, while being prohibited to take it out of office. In this case, his boss would be at fault, who might try to hush the whole incident.
A remember a case, when i was at the army, when one guy accidentally fired his gun while on guard, shooting through the roof. During the disciplimary action, it was found out that he was not supposed to be on guard, because of some medical condition. Then immediatley, the superiors (who would therefore be blamed on putting him on guard) declered the incident non existing.
So, if rules are instructed to be broken, incidents might be covered.
I think it's fortunate it was an engineer in the US who lost the phone, whatever the consequences are, they'll be less severe than Danyong Sun felt he confronted when he lost his Apple in China.
I agree - this is almost certainly an Apple PR stunt. Let's not be naive about their 'alternative' media strategy. Look at the 9 months of free publicity the ipad got just fueled by rumors.
So far, at least, it appears that Gray Powell still works for Apple. On the other hand, an unnamed engineer who showed a prototype 3g iPad to apple co-founder Steve Wozniak has been fired. This is despite the fact that Powell's loss of the iPhone prototype caused a huge stir, while showing off the iPad to the Woz hasn't had any negative consequences for Apple. However, it was evidently a violation of rules prohibiting the engineer from taking the iPad out of a secure area at Apple. Powell certainly acted stupidly when he left the phone sitting on the barstool, but it seems like he allowed to have it out and about with him.
Got me thinking about security zones and rules.
Different, more stringent, sub-sets of rules may be developed not only for different phsyical spaces like we do for SCIFs but for different business units or projects. (especially in multi and transnational corporations)
The IP value of a new Apple product is higher than other products. It should get higher assurance levels and thier corresponding controls.
But with many different requirements it can be confusing on an individual which rules apply when. Especially the rarely used rules, for some, like overseas travel and laptop and other digital equipment.
This comes down squarely on training which I hold has to be done more often than annually. I've seen no studies on it yet but my untested belief is that at 9 months people start to forget their IA briefings. Given that most training is set of normalized risks unconnected to the users world -- this is unsurprising. The training is often seen as a "We told them we bust their ass if they broke this rule. They broke it -- Now we're busting." This is kinda setting up the employee for failure. Especially since most organizations I've dealt with don't want to "waste" a productive hour of everyone's time a year.
An alternative, or supplement, training could be event driven or context. One client, who values the confidentiality of their corporate directory, tells the user every time they open it "For company use only. Not to be released outside of corporation."
Overseas travel is often accompanied by a travel brief from the security officer. As is access to special access programs. But not often enough.
Technology, especially gps aware technology, has some advantages here on the human. The phone, if it wasn't supposed to be out of the lab could wake up, check it's gps co-ords and ask the user what's going on. "I've very important Dave. Should I be out of the lab?" Cite the relevant policy OR if very out of bounds call for someone to rescue it. An extraordinary measure, yes, but may be necessary in some cases.
The "transferred to Nome, AK" trick only works for the military, since they have the person for a fixed time commitment. There is a limit to how much an employer can change aspects of an employees job without him quitting or the employer running afoul of some employment laws.
God can we stop advertising for Apple.
Who cares if it is real or not, journalists should have a little more spine and not turn into Apple marketing drones.
Back when the original iPhone was still a rumour, a certain Apple employee was at a party and steadfastly refusing to answer questions.
Eventually, it was teased out of them that they did have a prototype device of some kind in their pocket, but weren't allowed to show it to people.
At that point, one of the other partygoers thought to call the Apple employee... who promptly answered a mysterious prototype device, the front face of which was almost entirely touch-screen.
As it happens, everybody at that party was moderately discreet; I don't know how much trouble there would have been if anyone had gone to the press with photos.
The only new information I could see in this article was that some military staff are not actually human:
"If someone wants to take something classified out of a top secret military compound, he might have to secrete it on his person"
Note that mammals are not appropriately constructed to secrete information-rich messages.
@Frank Ch. Eigler "mammals are not appropriately constructed "
Marsupials are a security risk.
Another thing to consider... the "finder" of this prototype may have been a little more active in its procurement than has been assumed.
Maybe he knew it was a special phone, and the engineer was specifically targeted. That's at least as likely as the PR-stunt conspiracy theories. (fact: new Apple products are "news")
Or maybe he was just a "common" phone thief who realized what he lifted wasn't a common phone, and figured out a way to make it pay.
I'll guess they wouldn't have camoflaged the 4G if they hadn't planned on letting it breath.
Re: "Note that mammals are not appropriately constructed to secrete information-rich messages."
We'll just ignore the approximately 750 megabytes of information in some common secretions.
"This 'leak' was planted and freakonomics as well as you have fallen for Apples public relations strategy."
I have to admit that I did not think of that possibility.
I don't know how plausible it is, though. Leaving your cellphone in a bar isn't anything close to a reliable way to get information about it on Gizmodo. It was a bunch of lucky coincidences that got it there.
@"I have to admit that I did not think of that possibility. I don't know how plausible it is, though. Leaving your cellphone in a bar isn't anything close to a reliable way to get information about it on Gizmodo. It was a bunch of lucky coincidences that got it there."
That was part of my thoughts, along with the fact that it was quite an accusation to make against someone.
I doubt Gray Powell is happy about the PR, this was a definite CLE* for him.
*Career Limiting Event
Bruce: This was, almost 100% certain, NOT an Apple PR stunt. Apple is notoriously secretive, including not using focus groups or similar before a product is released.
EG, if it was a PR stunt, apple would NOT be getting the police involved, as that could hugely backfire on Apple.
You probably didn't think of it because that is not how Apple plays the game. They know the value of keeping things as mysterious as possible, and getting people worked up about their events where they finally reveal things. They don't go around leaking everything beforehand, that's not the kind of attention they like. They want to reveal things on their own terms.
If Powell is not fired, it will definitely lead me to believe that Apple either does not have policies in place for this kind of thing, or, they really don't 'mind' the publicity.
I'd like to stay this was PR stunt, satisfies my need for conspiracy theories.
But the reality is Apple is secretive not to keep its good idea away from the competition. It is to keep it away from the public so they will continue to buy old product until the new introduction.
New iphone will be introduced in June? Availability July. We are talking a couple months of inventory. Of course that isn't really Apple's problem -- AT&T and the other carriers have already paid for them. But Apple doesn't want AT&T to discount the 3GS down to 99....
It could be that Powell's pocket was picked.
If the $5000 reward were advertised in advance, that would explain the whole affair.
There is no way this is a PR stunt. First the device has not been submitted to the FCC. boing! I worked the iPad launch and Apple is still DOD3 on all release of info. The release comes BEFORE FCC gets it because once it goes there all the docs on it are public.
It happened each and every time. Remember the Air Book? The iPhone, most recently the iPad. A few weeks before the big presentation something leaks. Steve Jobs has not presented a surprise in several years. And each and every time the whole media sphere online and offline guesses and second guesses and hypes the company.
And regarding the method of this leak: Why do you believe the story at all? If it is a publicity stunt, we need no engineer, no German beer, no top secret iPhone left behind. We only need a middle man who claims to have found it and sells it to the highest bidder.
"If Powell is not fired, it will definitely lead me to believe that Apple either does not have policies in place for this kind of thing..."
Not necessarily. Wired makes an interesting and important point http://www.wired.com/epicenter/2010/04/... While Apple will summarily fire an engineer who knowingly violates his NDA (by showing the Woz the iPad), company culture might not support termination for a mistake or accident (misplacing a 4G being tested out in the world). Here's wishing that's true...
Briefcases attached to the wrist are only in James Bond movies. They are attached around the stomach, an arm is too easy to cut...
Drunk people taking photos in stroboscopic light is one of the major use cases for modern mobile phones. If Apple wasn't allowing their engineers to test in these circumstances, the consequences of failure (having to recall a million phones) would be much greater than the consequences of a slightly early leak of a phone that everybody knew must be coming sooner or later.
For example; if you hold down the shutter button for longer than normal there's an overflow bug caused by too much variance in the lighting conditions which causes the eeprom to get overwritten. (read comp.risks for more suggestions)
If Powell does get punished, it's more likely as a scapegoat for some manager who's responsible for handing out a phone too early than for any proper reason.
Once again Bruce: clear and concise. Please expand your repertoire to include "securing a 14 year old boy." I need all the help I can get. (No, not that definition of "securing," the other one. Good grief, why would I possibly want more than one?)
"In deciding what to do with Gray Powell, the Apple employee who accidentally left a secret prototype 4G iPhone in a California bar,"
Isn't being the subject of a Dilbert cartoon punishment enough?
>company culture might not support termination for a mistake or accident
It also doesn't do much for moral among other engineers. "Smith I want you to test this prototype" - "but if I lose it I will be fired, so I'm not going to touch it"
I worked in a consultancy where they introduced a NSFW web rule. But we were researching consumer products so if any of the sites we went to had the ad for that adult online quest game - we could be fired.
The result was we just emailed all web site urls to IT for approval and then did nothing for the rest of the day until it was authorized.
The policy lasted about 4hours.
Breach or not, this is to Apples advantage. Yet, there are risks, including the potential for competition seeing unlocked portions of the iPhone, customers seeing a ‘glitchy’ device and assuming the finished product will be the same, and other risks. However, I think the great PR is itself worth all of the risks.
Assuming this is not a PR stunt (which, personally, I doubt it is):
I don't see how this could be the fault of Apple's policies. It is obvious that when you have sensitive, prototype technology that you carry about with you that you are not supposed to lose it. The only question is if you should not lose it under penalty of a reprimand or under penalty of a meat grinder.
The guy was incredibly stupid. He took it to a bar, got hammered, and left it behind. Yes, mistakes happen, but you can't put yourself into an easily compromisable situation and blame the company for what you do. The company should not have to assume that its employees are morons.
You have an obligation to protect the technology the company gives you, not an obligation to drink beer. This was just a violation of common sense.
The issue here isn't necessarily whether this was a flagrant or accidental action which would then determine the severity of the punishment. Unless security policies are aligned with HR practices to punish and/or terminate employees, this is all just rhetoric. I've seen too many cases where policies call for disciplinary action, to include termination of employment, for policy violations but unless HR is willing to carry out those actions then this is all water cooler fodder.
Security software companies can't do some errors, but human being can do mistakes.
One common way of work in security software is carefully choosing the methods to avoid errors, like review a lot the work, testing testing and testing.
The problem here are methods, if you have a risk when deploying a prototype hardware in public, you can't think that the human being will not do any error, because this error is part of this process.
Don't blame only the employee, Apple know that are risks involved in this process.
Recently apple fired an employee because he, when the ipad was being launched, let Steve Wosniak ( The Apple I and II computer creator ) to take a look at on an iPad prototype.
Here we have two ways of dealing with security leaks, in the first (iPhone leak) recognizing the employee negligence as a minor one, and in the latest, probably sending to Wosniak a message that he is not a welcomed guy in apple, because the fired employee probably know that Wosniak is a very trusted guy, he did not show the prototype for any anyone, but for a guy that he know that will not deploy any possible information to apple outsiders.
In the first dealing with an employee negligence, in the second dealing with a minor information leak to a trusted outsider.
I can interpret these two ways of dealing as a clear message to wosniak from jobs, I don't like you and I have the power.
There's a widespread practice in the IT community called "dogfooding". It causes the folks who work on an exciting new gizmo to use said gizmo in their everyday life. It makes sure that the people who work on the gizmo don't have unrealistic concepts of the user, the usage environment, and the usability of the gizmo.
If "getting lost" wasn't a use case before, we sure know it is now. Do we really think that this iPhone is an exotic one-off? It looks like the first batch of units that got handed out for dogfooding. Sure, there was a risk of a leak, other folks were sure to see it. However, it looks like a "normal iPhone" from a distance. This is where the risk vs leak tradeoff is made by the manager, and the devices are handed out. As others have said, a leak has a certain upside. Not knowing that a device is real-world usable before you make 100K of them has a huge downside.
Good Morning ... but, I digress. [FedEx commercial]
Hey, at least it wasn't a woman that "lost" an apple this time, Eve is still living that one down - talk about draconian results - look at us, relegated to learning things, now, well, through a device called an Apple. You all think Steve was in on that one too?
Apple's rules are as granular as their OS document permissions are on the Operating System they sell - make sense to you? It does to me.
As far as a PR stunt, they're more imaginative than this incident could possibly be.
Steve Jobs can reply to an email and it generates stories in the news cycle.
Why would apple fake loosing an iPhone prototype to get press? They don't have to go to extremes to get into the news.
Apple would do best to find and blame a fault in their security procedures, a.k.a. blame-the-system.
Their security procedures are meant as a deterrent, so at some point they have to enforce them to prove that they are willing to do so. On the other hand, this breach was largely to their advantage - PR-wise. No money lost, no competitors in sight, it would be overly heavy-handed to punish the guy. Thus, they find a fault in the system, blame it, reprimand him, and everybody (in Apple) wins.
given the controls and security that apple places on every aspect of design engineering manufacture and distribution i'm kind of conspiracy suspicuous
try this on for size
so a junior engineer drops the protype phone - clearly disguised to be in public -at a bar where there happens to be someone who knows enough to make a phonecall to gizmodo - not the inquirer - not the LA times - not google - and certainly not apple - but gizmodo
i'm not sure of the exact words from the gizmodo blog at this moment and please correct me if i am wrong but i seem to remember that this individual who called was savvy enough to figure out that it might be something special - a disguised 4g phone - in a bar - so on top of knowing who to call our caller was a student or savant of industrial design
the timing is really interesting
apples 3g iphone is imbedded culturally - and it has solidly migrated to secondary tiers, heck its finally on telus here yay - the new generation of clone touch screens are just picking up much needed momentum after a solid period of iphone supremacy -the new android has just shown up looking to kick ass and take names in a next gen top tier way - and it will -
and then some schmuck engineer just happens to lose a next gen test iphone in a bar -
i mean holy cow - how much leveraged buzz went out with this - virtually hand in hand with the ipad release -
for me as a conspiracy guy theres a lot of synchronicity that generated a lot - and i do mean a lot -of marketing synergy for apple -with the ad bill paid by everyone else -including gizmodo
rationally - if i am just being ridiculous here - and it was a simple set of errors in human judgement from management to field tester then its simple - apple has to suck it up and fix whats wrong in their engineering test stream - perhaps stopping just short of stapling the device to the tester - but here outside its difficult to assess blame with knowing their internal process or the perview of the now famous mr powell
but look at all the buzz - just because some junior engineer left a phone in a bar
Umm, maybe, just maybe, someone with a bit of human sensitivity was involved.
First off, I don't buy this as a deliberate leak - too many variables to control. But if I were in Apple marketing, what would be worse: getting some free publicity or sacking someone for getting too much beer ON HIS BIRTHDAY? The backlash would be greater than keeping him on, and one thing's for sure: he is going to be the safest pair of hands from now - that mistake will not happen again.
So, my theory is that the risk of bad publicity would outweigh keeping the guy on.
Rumors and photos routinely leak from Apple prior to an announcement. You could argue that's part of official strategy, but I really doubt it. People are eager for information about Apple products anyway, and leaking information to reporters anonymously when you're not supposed to is not exactly unprecedented. That kind of hype is good.
Hpwever, giving the actual device to Gizmodo to be dissected is *not* beneficial to Apple. They got to see all the new hardware features and the new design, so it's very unlikely that Steve Jobs will be able to pull any major surprises out of his hat during the announcement in a couple months.
You now have people, even Apple fans, talking about how the new stuff is pretty much expected, even though there are some huge changes compared to the 3GS. That's not how they want information to get out. They want to be able to show off the front-facing camera as a revolutionary feature, not a ho-hum inevitability.
And that's exactly how it's being discussed. Even though very few smartphones actually have such a camera. None of the Android phones have one, I believe. If it's a PR stunt, it's been a massive failure.
[Unless security policies are aligned with HR practices to punish and/or terminate employees, this is all just rhetoric. I've seen too many cases where policies call for disciplinary action, to include termination of employment, for policy violations but unless HR is willing to carry out those actions then this is all water cooler fodder.]
I used to work for a DOD contractor. We were told (and told and told...) that on security violation resulted in written reprimand, the second in time off w/o pay and the third was loss of clearance for 5 years. However, nobody was ever punished in the time I was there.
Some of us said that the only way to ensure that policy was followed would be a public hanging (everybody at the site would be invited to watch the transgressor escorted off the site). Never happened...
The title made me think of the security as sale techniques we see around Microsoft shops. There's been a 'security is toeing the line' mantra for a while. Policies, real or imagined, are used to hunt down and remove applications that were using 'dangerous' protocols like IMAPS. (Dangerous to letting them establish lock-in, that is) The same policies are used to harass and beleaguer individuals into accepting the products.
Once you have an Apple prototype gadget that is very covered by the NDAs, it's your responsibility. It should not even be in a bar. It's your responsibility 24 7 until it's handed back certifiedly to the company.
I'm amazed to find that guy still employed, as I've seen others getting fired for less.
There were many people assuming that "Apple would never allow a prototype to be carried out of the company." The truth is, at some point, you have to take the toys out of the lab and test them in the real world. It is very likely that Powell had permission to be using the new iPhone out in public for testing.
This is not the first time that an Apple prototype has been seen in the wild. Long before Jobs stood up on stage and pulled an iPhone out of his pocket, revealing it to the world, a number of the iPhone prototypes were spotted in use in various cafes and bars around Cupertino. The difference was, no one left their phone on a stool or table. And this is certainly not the first time in history that an engineer from any company hasn't dropped a prototype accidentally in public.
I doubt this was a publicity stunt. It is too early — too many months ahead of the public release of product — for such a move on the marketing department of any company, as the buzz will pretty much be gone from any such fracas by the time the product actually goes to market. To get maximum effect, you would want to cause such a leak no more than five or six weeks before a product launch. Certainly not twelve to fourteen weeks.
This strikes me as merely a severely stupid mistake on the part of a junior engineer. In most companies, this is good cause for termination unless the employee is considered of good value and productivity to the company. At the least, he may find himself on probation for a while, or never be allowed to be part of the outside testing phase ever again. It might also delay any future advancement in the company. It certainly does lessen his value as an employee and may cost him the next time the company needs to decide who to let go should layoffs be deemed necessary.
My hope is that the silver lining in this story will be that Apple will think a lot more seriously about phone theft and recovery services.
The only thing I'm really curious about is the remote disable functionality that purportedly bricked the thing the next day.
I sure hope it's only on the prototypes. Something tells me that's a pipe dream though.
@Shane: The remote disable functionality is vital for business use. People have lost their phones before, and people will continue to do so, if not with as much publicity as this incident. If they're business phones, with business information on them, there has to be a way to wipe them remotely.
This doesn't mean the functionality is enabled by default in personal phones, but it might be something to ask about.
"Apple needs to fix its security problem, but only after it figures out where the problem is."
Isn't the first step to determine if there *is* a security problem? the knee-jerk response is 'hell yes!', but this may be an opportunity for Apple to pull their collective head out of their collective orifice.
@Frank Ch. Eigler:
The English language contains two identically-pronounced transitive verbs both spelled "secrete", with different meanings.
If Powell was testing the new iPhone, then surely it is harder to forget said toy! The whole situation seems like it is easy to take beta toys out of Apple and walk around.
1. The phone was disguised using effort and resources that would point toward deliberate corporate prototype disguise for use in public.
2. People lose phones (we just do).
3. Given Apple are focused on iPad, they are probably not ready to release the next iPhone any time soon.
If these things are true then it's Apple's risk management strategy at fault.
Assuming that this damages Apple. For instance people will now wait for the next generation phone and Apple may still have large stocks of the current model to move.
It's interesting that no-one has pointed out one simple security measure that the engineer could have taken to secure the software on the phone, but apparently did not.
It sounds like the Apple engineer didn't have any PIN or password unlock code on the device, because the person who found it was able to poke around the device until Apple remotely deactivated it. If the thief had been a bit smarter at espionage, they could've taken pictures of any new UI screens, inspected the settings screens for ideas on new hardware functionality, etc.
Fortunately for Apple, the person who took the phone from the bar didn't think to document and leak the new functionality when they had the opportunity to do so.
I've been working on smartphone platforms since 2005 (first at Danger, now at Google), so I've had to deal with this exact scenario (carrying around prototype devices and OS builds for testing purposes) on numerous occasions, and it certainly requires one to be very careful. Generally speaking, most people don't take a close look at other people's phones, and it looks like this prototype was well disguised, but a sharp observer could have noticed things like a higher-res screen if the user isn't discreet when using it in public.
Personally, I wouldn't have taken a prototype device out for a night of drinking, but losing a phone is something that can happen to anyone, even without alcohol. Taking a prototype device, or even a regular work phone with confidential business data on it (emails, corporate address book, calendars, etc.), outside of the office without setting a PIN code to unlock it? That's a really bad idea for *anyone* who cares about their job.
You guys might be great security experts BUT you'all have absolutely no idea how to develop great products like the iPhone.
Bottom line is that it is impossible to debug / innovate this type of product in a Lab. A lab environment will only show you functionality and never improved usability. iPhone's attraction is usability
Obviousness and usability only comes from real world deployment, which means putting new products in the hands of real people 24/7. the product must become an integral part of their every day lives. In this way the minor annoyances, (such as insanely deep menus, to access common functions) and clumsy functionality become a major pain in the *** and consequently get fixed before the end customer ever sees the product in its initial form.
Unfortunately with this product development reality Apple needs to accept that S*** happens. Maybe they need to add functionality that locks the phone when it is not close to a Bluetooth/RFID tag (this is simple to do) but certainly impacts battery life...
Or Adak, Nome is actually closer to civilization.
I'm with RSaunders and Robert on this. It seems like a form of beta testing or "dogfooding" was going on and, as Robert said, shit happened. This is actually a normal eventuality with beta testing because one of the goals is to identify troubling situations that developers can prevent or support teams will have to fix later. This is a common threat and a good remote wipe feature is the countermeasure to reduce its risk. So, unauthorized users would see the hardware and have a short time to tinker with the software, but then "poof" and it's gone. In any case, the loss should have been an anticipated risk and its accidental nature during a beta test shouldn't be punished severely, maybe not at all.
On the other hand, firing the guy who talked to Woz was entirely appropriate. He had intent, the intent violated a rigorous security policy, and fairness requires that he doesn't get a break just because it was Woz. So, they sent the right message by firing him. Well, as far as extremely secretive organizations go...
I can't speak for Apple, but I know Nokia basically has a classification system for prototypes. The rules primarily depend on whether the prototype is published or unpublished. When unpublished prototypes leave the office, they're supposed to be kept out of public view and transported securely. My ex transported some unpublished prototypes internationally once, and he was even instructed to request a private room if the security screeners wanted to open his carry-on luggage. If the iPhone in question was an unpublished prototype, it seems odd to me that it would be actively used it in public.
Let's improve the rule:
- fine vendors 10% of their annual revenues for any extra vulnerability after 5 have been found during the same year.
Then, the world would save a lot of time and money because 'security' tools, as well as patching would mostly be pointless.
Of course, this policy would only be efficient if the rule of law was applied to those who can afford to buy governments (and routinely do it).
Another day in wonderland...
At least Gary gets a trip to Germany flying business class and enjoy for German beer.
Adak is nice. There's two girls there and everyone knows them.
The recent: "Police Seize Gear From Gizmodo iPhone Blogger" is astounding.
What felony might he have committed?
"The warrant, issued by a Superior Court judge in San Mateo County, said the computers and other devices may have been used to commit a felony. Steve Wagstaffe, spokesman for the San Mateo County District Attorney's office, confirmed the warrant's authenticity."
At one level how is this different from sheltering a stray dog or cat and blogging about it. Or paying someone for images of the dog and cat so you can blog on it.
I don't know if this is really a PR stunt by Apple, so it's up to you to decide whether it's mere coincidence that this story happened on the same day that the HTC "Droid Incredible" (i.e. Verizon superphone and supposed chunk of awsum) was announced.
I think that it would be awesome if Steve Jobs had Gray Powell get up on stage at the WWDC keynote for some reason. It would be amusing to see them make a good joke out of this in the end.
And Whiskers.. "What felony might he have committed?" - grand larceny, receipt of stolen goods, trafficking in trade secrets, etc. It's California. There are a whole BUNCH of laws that laypeople generally know nothing about.
@Whiskers: IANAL, but it looks like CA penal code considers it to be grand theft if the property taken is of a value exceeding $400. Then there are a bunch of exceptions involving stolen dogs, avocados, gold dust, bovine carcasses, and other sorts of Wild West thievery that doesn't seem to apply here. http://codes.lp.findlaw.com/cacode/PEN/3/1/13/5/...
I can pretty much guarantee that Apple paid over $400 for the prototype because pre-release hardware is produced in limited quantities, so a phone that lists for $500 and contains maybe $200 worth of parts, likely costs Apple $2000 or $3000 apiece for a limited production run of a few hundred or a few thousand devices.
The question is whether Apple will go forward and press charges, given that putting a public price tag on an unreleased device is not in their best interests vis-a-vis tipping off the competition (and I work for the competition, so I sympathize with their hard choices here). Probably the best thing from Apple's perspective is to try to let the story die a natural death as quickly as possible.
@EH: I am certain that this wasn't any sort of PR stunt. This is a big "man bites dog" story precisely because Apple is usually so good at not letting prototypes slip out of their hands, and this was clearly either an accident or an intentional act of thievery by the person who "found" it. At the end of the day, engineers are human beings, not military cyborgs. People make mistakes, and this was definitely a goof.
Apple was very very lucky here for two reasons: 1) they had already announced the new features in iPhone OS 4.0 and shipped the developer SDK, so the new OS wasn't a story, and 2) whoever found the device apparently didn't try to steal any other information from it regarding device capabilities or Apple confidential news before it was remotely locked.
As I wrote last night, I'm a little surprised that Apple apparently didn't require everyone to have a PIN lock on their devices. When I tested Sidekick prototypes in the field, I never locked them myself, so I'm not speaking from a position of smugness, but rather as someone who was lucky and careful enough to not lose or misplace any devices in my possession. The reason I'm a little surprised about Apple is that the numeric keypad PIN lock is so easy to unlock on a touch-screen device like the iPhone, as compared to the old Sidekicks with no touchscreen, that it's really not a burden for everyone to enable at least that level of security on every phone, personal or work. There's simply too much valuable data there (both personal and corporate) to leave completely unprotected.
As much as I dislike Microsoft (and I worked for them for a year after they acquired Danger and assigned us to work on "Kin" before I quit, so I have no great love for them, from personal experience!), there is one very good security thing that they do with Microsoft Exchange, which is that the mail administrator can require phones to conform to various policies (such as requiring a PIN or even an alphanumeric password of a certain length, requiring the phone to wipe itself after a certain number of incorrect PIN attempts, requiring the phone to store email with hardware-based encryption, etc.), and these are mandatory for products that claim Exchange support (including iPhone and Android devices) in order to inter-operate with the latest versions of Exchange Server.
What's interesting to me is when you have a company like Apple that uses its own non-Microsoft email servers and protocols that may not implement the kind of finegrained security policies that require things like PIN unlock on all devices. I'm also curious whether Exchange admins actually turn on this feature in the real world, or if users are too resistant to being required to set a PIN lock.
In this case Apple was very lucky, but I think this is a cautionary tale for all companies with employees using devices in public with sensitive data, and the trade-offs between security and convenience, and not just a story about a prerelease phone. If it had been an ordinary corporate BlackBerry (or iPhone), imagine what kind of data could have been taken and the public would never have known what was stolen (and maybe not the company, if the thief returned the phone before it was noticed missing).
Sorry for the length: I'm just happy to have something security-related to contribute to *the* Bruce Schneier's blog.
The phone was clearly meant to be taken out of the Apple campus. That's why it was camouflaged in a case to look like the current phone so anyone seeing it in use would not suspect anything. And if you know any Apple engineers you'd know they are told to take phones and the like with them but NOT let anyone examine it. If this employee was pickpocketed that would be one thing, but not letting anyone examine it seems to imply not leaving it sitting on a table or barstool. This was poor judgement. Because it would be a PR flap they won't fire him, but when his next job review comes up you can bet he will get the lowest marks, and Apple (like many tech employers) fires the bottom few percent each year.
“Apple needs to fix its security problem.”
The whole problem with total Security is that it's not. As soon as a device is built, even more when it walks out of a room with a Faraday cage around it, it is exposed to loss.
Apple obviously decided beforehand that they were managing the risk of loss (mitigating possible harm by camouflaging the device), and that those risks were consistent with the benefit of widespread field testing.
Just because my house didn't burn last year doesn't mean I was an idiot to have fire insurance. Even for Apple, there are some things outside of its control. I'm glad that our corporate risk manager is able to see the risk/benefit balance better than the many absolutists here.
as far as we can tell, that guy is still employed and security is NOt really the issue here. Apple has not publicly said anything and NOT really the issue - rather the issue is what happened next.
If you slide into a booth and you find a phone, a wallet or as my friend once did, find a set of keys to to a Ferrari - what do you do? 95% of the people gives it to a hostess or the bartender and they toss it into a lost and found box.
What does this guy do? Hang onto it - plays with it hoping to get a reward from this guy - then realizes quickly it's a prototype so the gears starts spinning in his head - and leaves the BAR with it - I believe you could call this theft. He takes quick photos and sends it to two tech blog sites - they post them but probably ask him for proof it's real - then you have to guess whether Gizmodo induced him to make an offer or he came up with it himself ...
Of course to CYA, Gizmodo either tells him to or this guy is a moron and calls AppleCare to report the phone. Yea, if I find a wallet in Macy's, I'll send an email to macys.com ...
Good points all. At a retail store I worked for, we took great pains to protect any gear customers accidentally left behind. Any other action was considered stealing or misappropriating others' property, as long as they reclaimed it during week one. ;)
As far as the police raid goes, here's a gedankenexperiment.
Commit a felony, like say paying $5K to somebody for somebody else's property. (I think that qualifies as a felony in most states.) Use that property for your own commercial purposes, which may include further violations of the law, and which also may include damaging the property. Now, blog about it in a big, public way.
Do you think it possible that the police may take this as not only probable cause for warrants, but also a professional affront?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.