Apple firmware: Leaks, links, and locking it all down

It's not just that HomePod and iOS 11 GM firmware leaked that's problematic for Apple. It's that they could leak.

I'm genuinely more excited for Apple's September 12, 2017 special event than I have been for any event since the iPhone 6. Still, Apple has now had two leaks leading up to the event, widely expected to include the announcement of iPhone 8, iPhone 8 Plus, and iPhone X, Apple Watch LTE, and Apple TV 4K HDR. The first one was an accident. The second one, not so much.

John Gruber, writing for Daring Fireball

Again: these URLs were not discovered by guessing the URLs, or because they were published at obvious URLs prematurely. Someone who works at Apple emailed these URLs to 9to5Mac and MacRumors — possibly without even knowing just how much information could be gleaned from these builds compared to the last developer beta builds. UPDATE: Let me clarify that sentence: whoever leaked these URLs knew it would be an incredibly damaging leak, if for no other reason than that they included the IPSW image for iPhone D22. The list of URLs they leaked included every device. The least amount of heretofore unknown information that was going to come out of this leak was massive, and whoever leaked it knew that. What I'm saying is they quite possibly didn't even know just how many little things, things I won't mention here for the sake of DF readers who are trying to stay spoiler-free for Tuesday's event, were spoiled by this leak.

That person should be ashamed of themselves, and should be very worried when their phone next rings.

My understanding is the same as John's: The leak was internal and intentional. And it was incredibly damaging to the company — a company that relies on surprise as a key way to generate marketing buzz and maintain excitement in the media. It's just about impossible to believe anyone in a position to leak those links wouldn't know that.

If that's difficult to understand, just realize that, come Tuesday afternoon, instead of hearing about the announcements and the surprises, we'll be hearing about how the leaks were confirmed and, from those in the media who continually mistake cynicism for intelligence, how "boring" Apple has become.

As hard as it is to believe someone inside Apple would leak the firmware, it just as hard to believe such a leak was possible. The firmware was live on the internet, protected only through obscured URL. That means, when the URLs were leaked, anyone could access the firmware. No VPN, login credentials, or other security checks required.

It's absolutely the fault of the leaker but my guess is that the days of security through obscurity are done and Apple locks down the firmware delivery process asap.

Same with the HomePod firmware leak from last month. That leak wasn't malicious. It was the result of a mistake, at least at first. Someone copied an un-flagged version of the file to a public rather than a private directory.

It's not at all hard to believe that mistakes happen. It's still hard to believe that those kinds of mistakes can happen, though.

My guess is that Apple locks down that process asap as well, with both digital and human checks and safeguards.

I'm sure most people at Apple are too apoplectic to look for it right now, but if there's a silver lining for them in all this, that's it. Legacy has hellacious inertia and old processes don't die easily. Often, people are too busy to even stop and think about improving things that currently get the job done, even if imperfectly.

Then something like this happens, and top to bottom, everyone's will becomes bent on making sure it doesn't happen again.