The catch-22 with Apple security

A long, rocky relationship with Apple products and tech support culminates with a tangled up Apple ID -- and a yearning for Linux

The catch-22 with Apple security

I recently started a new job, which I love. However, since I’m working for a San Francisco startup, of course my work computer is a MacBook Pro.

Most people would be very happy about that. But I’ve been using Linux as my primary desktop platform since, like, 2008, so a Mac is an adjustment for me. There are worse possibilities -- at least I don’t have to deal with Outlook or Windows. Also, there are plenty of people to help me with this painful transition.

My ripe relationship with Apple

I've had Macs in the past. When I worked for another startup, JBoss, I was the sole PowerBook person.

At the time, in the dark ages of the early part of this millennium, I was traveling around the world giving presentations. Most of humanity, having freshly crawled out of caves, used those awful video projectors instead of big-screen TVs. At the time the PowerBook connected to more of those items than Windows did. (You don’t want to know what you had to do for Linux’s X Windows to connect.)

Yet far from being one of the contented masses, I always had Apple-specific issues. The company decided to hold all Java developers hostage for an OS upgrade right when I needed the new JDK most. The power coupling used to rip out of the motherboard because it was near a modem, which created a weak point in the case. Later Apple moved the weak point to the CD drive, which was under my wrist while typing, so the drive would jam.

Then there were the batteries that swelled up and broke the keyboard. There were screens that had lots of dead pixels and bright spots that annoyed me, not to mention the power cord that kept shorting out, which had to be replaced for $85.

Apple’s response each time was that it was somehow my fault. Eventually, I’d end up buying a new laptop -- before the bad press would make Apple fix the flaw for the more patient people. My annoyance grew. Finally, the last straw: That infernal “beg for attention” format of the Apple Store and the “pay to not stand around all day when the hardware is borked” AppleCare fee.

I went back to Dell and my beloved Linux. The laptop isn't as shiny, but Dell comes to you when it breaks.

Me and my Apple ID

Anyhow, I’m back in Mac. Central to Apple’s surveillance of me is the Apple ID. This is my identity to FaceTime, Find My Mac, and all of the tools I use to interact with the new center of my computing existence, Apple. Google used to be my center. Now I must pray to the ghost of Steve Jobs and kiss the feet of his successor, who has blocked me on Twitter.

I tried using my email address with my new work computer. I didn’t remember the password I used back then. No problem, I could use email validation or my birthday. I tried my birthday because it's faster, but it didn’t work -- odd, but maybe I fat-fingered it or my ex-wife put in her birthday at some point. No matter, I used email verification and changed the password.

Apple and various software on my new Mac kept calling me a female name. I thought that was odd, so I logged in to and figured I’d change my birthday. Now it wanted to verify my favorite elementary school teacher’s name and favorite band in high school. I wouldn’t have picked either of those because, duh, I reference music in my blog too much. I was also a terrible student, preferring the library to the classroom and asking too many questions. Apple rejected both.

I called Apple support. There, I talked to J, who was incredibly helpful and did everything he possibly could with the broken system, but I was at the mercy of a certain "A" from Canada. We tried to change the security questions, but those sent a verification code to “A***’s iPod Touch.” After a few other attempts, we determined this wasn’t actually my Apple ID account.

As it turns out, I still had an Apple ID from a time before Apple demanded email addresses. Unfortunately, four years ago, when Apple began asking for them, you didn’t need to verify the email address. So a young lady ("A," as noted above) with the same last name as me and a different first name used my Gmail address as her Apple ID but didn’t validate it.

Apple Support and I tried several different ways to let me recover my email address, but finally, I found A’s number on her Apple ID account and texted her. Someone else answered and promised to ask A to look into this. This took four hours. Apple kindly offered me free accessories once we were done.

Invalidated credentials

Apple’s often lauded security has been evolutionary -- and often a series of “oops, we’ll fix that” moves. Unfortunately, this goes to show you that failing to follow basic security patterns (like, is this really your email address?) allowed another person to inadvertently compromise my security.

When Apple “fixed” the problem, it still had an unvalidated credential it had grandfathered in. This allowed me to compromise A’s security. In this case, no one was malicious. But I don’t want to deal with yet another email address.

What Apple should have done was to treat everyone’s not-yet-validated Apple ID email addresses as suspect -- and made people validate them or change them to a validated address. An unvalidated credential is an unvalidated credential.

Which brings us to the moral of our story: Validate credentials! (Also: Linux is easier to use than iOS, and Google is my preferred surveillance and security authority.) If a credential proves invalid, don’t simply change the process, invalidate the credential, and force it to be validated before it's used or even associated. Failing to do this not only compromises the security of the person with the invalid credential but possibly the security of the person it belongs to as well.

Copyright © 2016 IDG Communications, Inc.

How to choose a low-code development platform