Someone who works for Apple — someone who is probably a lot like you and me — is having a really shitty night. So, I am sending good luck vibes towards Cupertino right now.
The store was in read-only mode to prep for the new iPhones so the sales loss is already accounted for.
As a side note (and speculation), as compared with other online stores, I don't think the Apple store has the same risks as the other stores (the fact you don't buy the Mac directly from Apple doesn't really affect their revenue).
I don't think the impact is that severe. If you're planning on buying an Apple, and you visit apple.com and it's not up, then you wait until it's back up.
Consistent downtime can damage a brand, but this is just a hiccup.
I've seen this same style of error message before. It's the AkamaiGhost CDN. (Look at the Server: header in the response.)
I suppose you could say the server has given up the ghost...
Googling "AkamaiGhost 403" shows that other sites have experienced the same problems with them before in the past, so I wouldn't particularly blame Apple for this.
I've seen this error before from other sites and it seems to be generated by Akamai rather than the apple.com origin. Does anyone with Akamai experience know under what conditions this message would be returned? Did someone at Apple accidentally ACL off the planet?
This happens when a company uses Akamai's security product and you violate the security policy in place. It's basically a WAF. The big issue is it takes 45 minutes for changes to propagate through Akamai's network. So, you make a mistake and it takes fix time + 45 minutes to resolve.
I posted my comment before to the wrong commenter, but: I'm interested in their References -- it looks like each hit is a new hash, so they store that so they can refer to it. I don't know much about this side of stuff so it'll be interesting to know why they do that, or what the upside is of doing it that way...
Akamai does indeed give unique reference codes for errors like these. There's a management interface where you can look up more info on what happened for each code, but in my experience lookup time is proportional to the time since the error happened.
Apple is using Akamai's cloud security service called Kona. They (Apple or their Kona team) pushed a bad config up and now that they know it's a bad config they are pushing a fix -- but it takes 45 minutes to replicate out to all the Akamai edge servers.
I think it's Kona because the 403 Access Denied and the Akamai ref number. Also, I use the same service and always live in fear of something like this happening and taking 45 minutes to undo. There is a staging option...
I still wonder why large companies continue to rely on third-party CDNs like this. It's hardly rocket science to operate a global network of reverse proxy cache servers, particularly when you only have to do it for your own network (i.e. no customer issues).
Ryans-iMac:~ ryan$ whois microsoft.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
MICROSOFT.COM.ARE.GODDAMN.PIGFUCKERS.NET.NS-NOT-IN-SERVICE.COM
MICROSOFT.COM.CAN.GO.FUCK.ITSELF.AT.SECZY.COM
MICROSOFT.COM.EENGURRA.COM
MICROSOFT.COM.FILLS.ME.WITH.BELLIGERENCE.NET
MICROSOFT.COM.HAS.A.PRESENT.COMING.FROM.HUGHESMISSILES.COM
MICROSOFT.COM.IS.A.MESS.TIMPORTER.CO.UK
MICROSOFT.COM.IS.A.STEAMING.HEAP.OF.FUCKING-BULLSHIT.NET
MICROSOFT.COM.IS.IN.BED.WITH.CURTYV.COM
MICROSOFT.COM.IS.NICE.WHEN.TOASTED.COMKAL.NET
MICROSOFT.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
MICROSOFT.COM.IS.NOT.YEPPA.ORG
MICROSOFT.COM.LIVES.AT.SHAUNEWING.COM
MICROSOFT.COM.LOVES.ME.KOSMAL.NET
MICROSOFT.COM.MAKES.RICKARD.DRINK.SAMBUCA.0800CARRENTAL.COM
MICROSOFT.COM.MATCHES.THIS.STRING.AT.KEYSIGNERS.COM
MICROSOFT.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
MICROSOFT.COM.RAWKZ.MUH.WERLD.MENTALFLOSS.CA
MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
MICROSOFT.COM.SHOULD.INSTALL-GENTOO.NET
MICROSOFT.COM.SOFTWARE.IS.NOT.USED.AT.REG.RU
MICROSOFT.COM.WAREZ.AT.TOPLIST.GULLI.COM
MICROSOFT.COM.WILL.BE.BEATEN.WITH.MY.SPANNER.NET
MICROSOFT.COM.WILL.BE.SLAPPED.IN.THE.FACE.BY.MY.BLUE.VEINED.SPANNER.NET
MICROSOFT.COM.ZZZ.IS.0WNED.AND.HAX0RED.BY.SUB7.NET
MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
MICROSOFT.COM.ZZZZZZ.MORE.DETAILS.AT.WWW.BEYONDWHOIS.COM
MICROSOFT.COM.ZZZZZZZ.LOLLERSKATES.RENDRAG.NET
MICROSOFT.COM.ZZZZZZZZZZZZZZZZZZ.IM.ELITE.WANNABE.TOO.WWW.PLUS613.NET
MICROSOFT.COM.ZZZZZZZZZZZZZZZZZZZ.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
MICROSOFT.COM.ZZZZZZZZZZZZZZZZZZZZ.LOLLERSKATES.RENDRAG.NET
MICROSOFT.COM.ZZZZZZZZZZZZZZZZZZZZZZ.IS.A.GREAT.COMPANY.ITREBAL.COM
MICROSOFT.COM
I was curious how this works, so I followed instructions from a reply below to retrieve an 'authentic' WHOIS reply for the real domain: use 'WHOIS domain apple.com'. However, this led to another 'spoofed' result [1].
From what I gather [2], WHOIS often matches sub-domains before top-level-domains, making it easy for someone to create a sub-domain such as 'microsoft.foobar.com' with false records that will populate before the actual domain.
It seems that using the following WHOIS query returns registrar information for Microsoft.com, though it requires sifting through the 'spoofed' results: 'WHOIS =Microsoft.com' [3]. You'll have to wade to the bottom of the results.
This is because whois just searches for domains that start with the given argument by default. Try google.com, same result. What you actually want is `whois "domain apple.com"`.
Nope. foo.bar.example.com is set by example.com, not foo.bar, right? Someone simply bought a domain name then published records which would trick people in a fairly narrow range between "doesn't know what Whois is" and "works with DNS for a living."
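An added example, not written by any commenter in this thread: it splits a prefix-match listing like the one above into the exact record and the lookalike host names, and reports which registrable domain actually controls each lookalike. The sample lines are copied from the listing in this thread; `MULTI_LABEL_SUFFIXES`, `registrable_domain` and `classify_listing` are hypothetical names, and the one-entry suffix set is an assumed stand-in for the full Public Suffix List.

```python
# Sample input: a few lines copied from the whois listing quoted in this thread.
SAMPLE_LISTING = """\
MICROSOFT.COM.EENGURRA.COM
MICROSOFT.COM.IS.A.MESS.TIMPORTER.CO.UK
MICROSOFT.COM.IS.NOT.YEPPA.ORG
MICROSOFT.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
MICROSOFT.COM
"""

# Assumption: minimal stand-in for the Public Suffix List, enough for the sample.
MULTI_LABEL_SUFFIXES = {"co.uk"}


def registrable_domain(name):
    """Return the part of a host name that its registrant controls."""
    labels = name.lower().rstrip(".").split(".")
    # Keep three labels when the last two form a known multi-label suffix.
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def classify_listing(listing, query):
    """Split a prefix-match listing into exact records and lookalikes.

    Returns (exact, lookalikes); lookalikes maps each name that merely
    starts with the query to the registrable domain that owns it.
    """
    query = query.lower().rstrip(".")
    exact, lookalikes = [], {}
    for line in listing.splitlines():
        name = line.strip().lower().rstrip(".")
        if not name:
            continue
        if name == query:
            exact.append(name)
        elif name.startswith(query + "."):
            # Ownership is decided by the right-hand labels, not the prefix.
            lookalikes[name] = registrable_domain(name)
    return exact, lookalikes


if __name__ == "__main__":
    exact, lookalikes = classify_listing(SAMPLE_LISTING, "microsoft.com")
    print("exact record:", exact)
    for name, owner in sorted(lookalikes.items()):
        print(f"{name}  -> controlled by {owner}")
```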
Crap, now I can't stare at pictures of the 6s, wondering if it will be 6s-ful... #applepunsfordays
On a more serious note, it seems strange they wouldn't have failover environments for just such occasions... Maybe @Too is on to something, and this is a new way for big companies to drive traffic to their sites prior to a big launch. Genius.
Apple usually takes their store down prior to a big event (iPhone 6s pre-orders).
This is the first major event since they integrated the store into their regular website (rather than having the store.apple.com subdomain). Clearly, this is a mistake as they are deploying all the new pre-ordering pages for the iPhone 6s.
When Steve Jobs invented the computer, he envisioned a device which was accessible to anyone, a device to empower revolutionary magical thinking about the possibilities of access. But he also knew the limits of the networks developed by the establishment gray box technology industry and sought to imbue those networks with communication that would speak different, in a way they would understand. Along with Sir Jony Ive, he reinvented the "Access Denied" page by removing the skeuomorphic constraints, distilling them into a flat "Access Denied" message which spoke to everyone, empowering their engagement with their restricted access to unlock unlimited creative potential.
It makes my Sauce Labs tests on iOS devices fail, and I bet other people's fail as well.
I think the simulators usually try to load apple.com for some reason before the page under test, so it might just be Selenium waiting forever for apple.com to load.
I'm interested in their References -- it looks like each hit is a new hash, so they store that so they can refer to it. I don't know much about this side of stuff so it'll be interesting to know why they do that, or what the upside is.
zzzzz, just another PR stunt to pretend the demand is high. Just like hiring actors to stand in line outside the Apple Store every now and then. Or some sysadmin accidentally forgot to click enter somewhere. Nothing to see, move along.
Godspeed, Apple friends!