Stephen Withers
Monday, 25 August 2008 14:44
Opinion and Analysis
I have no argument with the facts of the case, but what puzzles me is the way proponents are carrying on as if Apple was way out of line with industry practice.
Every ISP I'm familiar with does much the same thing. Subscribers' web spaces are accessed through URLs that contain their user names. Examples include www.users.bigpond.net.au/<username> and members.optusnet.com.au/<username>.
The difference is that the corresponding pages are only created when a subscriber actually starts using the web space provided, whereas the iDisk pages are automatically created for every MobileMe subscriber.
So while a brute-force attack will eventually yield a complete list of MobileMe usernames and therefore email addresses, it'll be out of date by the time you've finished compiling it - if you live that long. And if you use a dictionary-based attack, there's no guarantee you'll collect every address.
The point is that 1000 guaranteed genuine email addresses are worth the same whether they represent one percent of the provider's customers, 0.1 percent, or 0.00001 percent. Yes, 2000 guaranteed addresses are presumably worth more than 1000, but not because they represent a bigger proportion of the users of any particular mail service.