AntiSec posts passwords from Apple survey server (updated 5x)
Summary: AntiSec has hacked an Apple server and has posted the login credentials for 26 admin accounts for a machine used to conduct surveys for the Cupertino computer maker.
WSJ reports that hacking group "AntiSec" (short for Anti Security) has hacked an Apple server. To prove its point, the group posted the username and password combos for 27 root and admin accounts from the users table in a MySQL database on a machine apparently used to conduct surveys for the Cupertino computer maker.
Here's a list of the compromised accounts (sorry no link love). The passwords were posted in a similar fashion, immediately below it.
AntiSec is comprised of hackers from both the online vigilante group Anonymous and hackers from the now-defunct Lulz Security, according to the report.
The hackers said in a statement posted to Twitter that they had accessed Apple's systems due to a security flaw used in software used by the Cupertino, Calif.-based gadget maker and other companies. "But don't worry," the hackers said, "we are busy elsewhere."
The breached server (http://abs.apple.com/fsurvey/survey.html?l=en) appears to be one of Apple's servers for conducting technical support follow-up surveys. Here's an image from the Google cache:
Apple hasn't commented on the extent of the breach, so it's unclear whether any customer data was compromised.
Update: 9to5Mac thinks that AntiSec's Apple claim is relatively benign, noting that LulzSec claimed responsibility for breaching iCloud on June 21:
After mapping their internal network and thoroughly pillaging all of their servers, we grabbed all their source code and database passwords, which we proceeded to shift silently back to our storage deck.
Talkback
Survey server's hack is good work (#AntiSec movement better be left alone)
WebObjects. Get real. That thing's still around?
Isn't WO based on that <i>other</i> technology that Apple now shuns? Oh yeah, it is based on <b>Java</b> - which is also dying.
Oh, and Apple knows. They dropped WebObjects from OS X 10.6 (Snow Leopard). Go figure.
If you want to see how you avoid SQL injection look to C# with LINQ.
In PHP writing vulnerable code is unfortunately also the easiest way: String interpolation. That is why you see so many PHP sites compromised.
In Java everything is hard, so writing good or bad code takes about equal amount of work. Until you need to write more complicated queries. Then it becomes easier to just synthesize the SQL strings again. And then comes the vulnerabilities.
With LINQ (C# or VB.NET) it is *always* easier to write non-vulnerable code. Even for complex queries. LINQ erases the differences between SQL dialects, it provides strongly typed queries and it fully supports intellisense.
Time to drop those old error prone technologies and enter the 21st century.
RE: AntiSec posts passwords from Apple survey server (updated 4x)
And Apple has a technology that maps data storage to server queries also.
I will leave you to learn about the modern world.
Personally I found C# data access to be primitive compared to the Mac based DB dev systems I was using in the mid 80's.
LINQ looked promising as it would be like moving up to the 80's for me.
As for *ALWAYS* - I suggest you learn more technologies than the ones you read about in the mainstream IT fashion journals.
RE: AntiSec posts passwords from Apple survey server (updated 4x)
How the world looks outside the RDF
<i>And Apple has a technology that maps data storage to server queries also.</i>
Of course they do. A bloated 80s-style mess which *also* encourages bad and vulnerable code by using strings to create queries and predicates. Which was what led to this quagmire.
Oh, and WebObjects (and Enterprise Object Framework along with it) is considered a "legacy" technology by Apple: <i>Important: The information in this document is obsolete and should not be used for new development. Links to downloads and other resources may no longer be valid.</i>
WebObjects was what DeRSSS claimed was superior. Deprecated.
Outside the RDF we have moved on. We are now using strongly typed queries and robust persistence with no coding-with-strings in sight.
DeRSSS wrote something that wasn't true?
That's weird. DeRSSS has built up a reputation of always being right when talking about how superior Apple technology is. He correctly stated that Apple invented LightPeak so I'm pretty sure he is also correct that WebObjects are superior to everything else. If Apple has deprecated WebObjects, it is only because they are releasing iWebObjects which will be EVEN BETTER!!! YEAH!!!
I did not write that 'WebObjects is superior'; however, it is superior to
WebObjects
WebObjects are still based on text queries/predicates.
What it has going for it is <i>lack</i> of string interpolation. When you have to concatenate strings to create a text query it is only marginally harder to use proper parameterized queries. But you still operate in text, and when the parameters do not suffice (like when you need the "in" operator) the temptation to just create the query in text is always there.
There's still no comparison to LINQ where you get to write concise queries, strongly typed even when e.g. joining tables/entities. No strange parameters, no strange query strings with placeholders. Just portable queries.
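The two comments above (the one contrasting PHP string interpolation with parameterized queries, and the one about the temptation to fall back to text when the "in" operator is needed) can be made concrete. The block below is an added example, not code from the article or from any commenter, and it uses Python with the standard-library sqlite3 module rather than PHP, Java or LINQ because it runs anywhere without a database server. The users table and its three rows are constructed sample data, not the contents of the breached server.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny 'users' table standing in for the
    kind of users table the article mentions (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "root")],
    )
    conn.commit()
    return conn


def lookup_interpolated(conn, username):
    """The easy-but-wrong path: the attacker-controlled value is spliced
    into the SQL text, so quotes in the value change the query's meaning."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same query, but the value travels as a bound parameter; the driver
    never lets it be parsed as SQL, whatever quotes it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_roles(conn, roles):
    """The IN-operator case from the thread. Only the *shape* of the query
    (one '?' per value) is generated from the list length; the values
    themselves are still bound, so none of them can break out of the list."""
    if not roles:
        return []
    placeholders = ",".join("?" * len(roles))
    sql = (
        "SELECT username, role FROM users WHERE role IN (%s) ORDER BY username"
        % placeholders
    )
    return conn.execute(sql, tuple(roles)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print(lookup_interpolated(conn, payload))   # every row leaks
    print(lookup_parameterized(conn, payload))  # [] - payload is just a username
    print(lookup_roles(conn, ["admin", "root"]))
    print(lookup_roles(conn, ["admin') OR ('1'='1"]))  # [] - bound, not parsed
```

The payload `x' OR '1'='1` turns the interpolated query into a tautology and returns every row; bound as a parameter it is simply a username that does not exist. Generating the placeholder list keeps the IN case on the parameterized path, which is the point the comment about "in" concedes is tempting to skip.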
RE: AntiSec posts passwords from Apple survey server (updated 4x)
As far as WebObjects goes... I don't use it. The Java port came out in what, 2005, at which point something better, i.e. EJB, was already available.
RE: AntiSec posts passwords from Apple survey server (updated 4x)
Java dying? Really? Wow, quite a statement!
RE: AntiSec posts passwords from Apple survey server (updated 4x)
<i>Enterprise java is not dying. </i>
No, it is just relegated to legacy status. Withering slowly away.
<i>Avoiding injection through LINQ or other ORM solutions is not new.</i>
Ah, but your Java ORM solutions only protect against injections in the basic scenarios. Enter a little complicated query - or even just a projection - and you are back to string mongering. Not a specific SQL dialect; but vulnerable string synthesis if you are not careful. Note how that is *avoided* using LINQ.
<i>JPA (Java Persistence API) is older than linq and provides specifications for Enterprise Java ORM solutions, and does the same thing...</i>
It does *some* of the same things. Poorly.
<i>What you've written proves that you've never used Java for SQL beyond simple JDBC.</i>
I've been there with Java+Hibernate, pal. Several big projects.
<i>It's 2011 now, mature ORM solutions like Hibernate have been out for years and years now and are the norm.</i>
Yes, it certainly is the norm, as it is quite good. Very good, indeed, when you consider the cards they were dealt by Java.
<i>Hibernate can do every relationship that Linq can do, plus built in transparent caching.</i>
Yeah - that is exactly it. I have *never* seen a Hibernate solution perform beyond mediocre. Hibernate absolutely <b>needs</b> caching to be tolerable. And with caching comes complexity. I've been there.
<i>I'm sorry that you're not educated on Java. Please consider learning about EJB before you make assertions that will make you look dumb to anyone who actually works with EJB.</i>
What's with the personal attacks? I have written my share of Java code and I have butted heads enough with Hibernate. Enough with your insults!
<i>From my personal experience, having worked with both Linq and Hibernate fairly extensively, it's easy to write concise queries for both.</i>
Me too, and nothing beats LINQ with EF (or even NHibernate) at this time.
<i>See JPQL, it's a wholely object-based querying language that JPA will translate to parameterized SQL.</i>
You don't get it. JPQL is just *another* string based query language. No strong typing, no editor assistance and (worse) in many situations it is *still* easier to just concatenate the parameter value. And with that the injection vulnerabilities.
<i>It's still possible to write injectable C# code if you don't use Linq or prepared statements. </i>
Yes. And also if I use plain C or assembly language. But with LINQ, writing correct, non-vulnerable queries is always <i>easier</i> than writing the vulnerable version. That's the difference.
<i>Similarly it's still possible to write injectable PHP or Java without prepared statements.</i>
Yes
<i>Linq is a nice framework, but face the truth (or continue looking ignorant), ORM is not a Microsoft invention,</i>
No, Microsoft was late to the game with an ORM. LINQ is not just an ORM, though. Actually LINQ is not an ORM at all. Entity Framework which <i>uses</i> LINQ is an ORM.
Did you say you had a lot of experience with LINQ?
<i>Linq does many things that Hibernate did before it</i>
No. LINQ is language integrated query and has nothing to do with databases at all. Hibernate is all about databases. Did you say you had experience with LINQ?
<i>(hence why NHibernate, the .Net version continues to be very popular).</i>
No, NHibernate became popular because Microsoft was late to the game with an ORM (like LINQ2SQL or Entity Framework).
<i>The truth of the matter is there is no one true technology that does this, many technologies can, and do do the same thing well.</i>
The truth is that among the mainstream strongly typed languages, only C# and VB.NET have anything like the expression trees necessary for allowing strongly typed queries. Some of the dynamic languages come close by cleverly using late binding, e.g. Ruby's ActiveRecord.
<i>The mark of a good developer is language agnosticism and a willingness to learn about more than one platform. </i>
Agree. You can start here:
http://msdn.microsoft.com/en-us/library/bb308959.aspx
Thanks for the authoritative and informative post
I will ignore everywhere you wrote "probably" and go around the Internet claiming the things you wrote as 100% undeniable fact. I'm not sure exactly why you wrote "probably" in so many places because it almost sounds like you don't know any of this and are simply making it up. Probably.
Troll
Are you confident enough to remove all your "probablys"?
RE: AntiSec posts passwords from Apple survey server (updated 4x)
If you don't know the definition of the word "troll", don't use it, troll.
And educate yourself about LightPeak.
Apple has much to learn about security
You have much to learn about much
Hope this shakes them up.