macOS Keychain Security Flaw Discovered by Researcher, but Details Not Shared With Apple Over Bug Bounty Protest

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 6, 2019.

  1. Michael Goff macrumors G5

    Michael Goff

    Joined:
    Jul 5, 2012
    #226
    What in my response talked about ethics? Or the environment? I was talking about making people want to put money into the Apple ecosystem because they have good feelings about it.
     
  2. manu chao macrumors 603

    Joined:
    Jul 30, 2003
    #227
    And I asked whether you would be for it:
    "Assuming for a second the forgone income would not be compensated for by more satisfied customers buying more Apple products."

    You also said:
    Which clearly implies that if their profits are high enough they can afford to offer better services without their profits getting too low. In other words, you implied that you would be in favour of lower profits for the benefit of the customers.
     
  3. Michael Goff macrumors G5

    Michael Goff

    Joined:
    Jul 5, 2012
    #228
    If it wasn't going to make customers happier, leading to more money, then I don't know. But we are at the point where the goal is getting more money from each customer for the long run. And sometimes that means doing things to make the Apple ecosystem more sticky.

    I find most Apple stockholders to be incredibly short-sighted, though.
     
  4. Baymowe335 Suspended

    Joined:
    Oct 6, 2017
    #229
    Yes...name a company better at executing their initiatives.

    You people are amazing. It doesn’t mean Apple does no wrong, but as a for profit business, Apple is the envy of all.
    --- Post Merged, Feb 9, 2019 ---
    We are far longer-sighted. The people that haven’t owned the stock for a decade are the ones clamoring for Tim Cook to be gone or laughing because the stock doesn’t trade at a new high every day. Shareholders have to think rationally because we actually have real money invested.

    Contrary to many, I actually have to know the story, the numbers, the competition, how satisfied are customers, and cut through the noise. If I don’t, I lose money.
     
  5. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #230
    Now who's being pedantic? It doesn't matter if you're the first one using the term. You're vilifying Apple as a "faceless corporation" who "hoards cash" and criticizing their pricing, claiming they're "bending people over", as if they're forcing people to spend money. They could charge $40,000 for an iPhone 4, or $4,000 per month for 1GB of iCloud storage, and it would still be up to consumers to decide if those products and services are worth the price being asked. It's obvious that Apple's prices are acceptable to billions of people, because they keep buying their products, enough to give Apple hundreds of billions in profits. Apple doesn't need to apologize for being more successful than other companies. I buy Apple products because they meet my needs better than competitive products, at prices that I consider to be reasonable. When they stop doing that, I'll buy from someone else.
     
  6. Michael Goff macrumors G5

    Michael Goff

    Joined:
    Jul 5, 2012
    #231
    I'm more surprised at your whole "appeal to authority" schtick.
     
  7. macfacts macrumors 68030

    macfacts

    Joined:
    Oct 7, 2012
    Location:
    Cybertron
    #232
    Seems like it is Apple acting unprofessionally and dangerously. When most tech companies have bug bounties and Apple doesn't have one for macOS, that seems unprofessional. Like Apple is some small operation that can't afford it.

    If Apple was a bank, they would have zero security guards. Costs too much.
     
  8. Baymowe335 Suspended

    Joined:
    Oct 6, 2017
    #233
    Apple is the best at making money, so why wouldn't they be the authority on it?

    I don't need any other evidence. Apple has done it year after year and until that changes, they are the best at it. So you questioning their Mac strategy is probably incorrect. They have more data than you AND are winning, so why would you be right?

    You're conflating wanting something with it being good business. You assume the unknown (to you) number of people they are upsetting is somehow a negative to their business.

    Never forget this is a business. Apple was burned in China because they screwed up and it showed quite clearly in the numbers. Mac, no.
     
  9. Michael Goff macrumors G5

    Michael Goff

    Joined:
    Jul 5, 2012
    #234
    Okay. It's obvious to me that Apple could tell you the sky was purple and you wouldn't bother questioning anything.
     
  10. Baymowe335 Suspended

    Joined:
    Oct 6, 2017
    #235
    I question things that need questioning, like China in their most recent quarter.

    The Mac is a smaller (for Apple) business that is doing quite well, posting 9% growth. A new Mac every year or features you think are important won’t always translate to data.

    All I’m saying is Apple has all the data they need to validate the strategy and the data I have shows it’s working on some level.

    It always could be better, but you guys act like you know how to manage Apple and Apple doesn’t.
     
  11. KevinN206 macrumors regular

    Joined:
    Jan 18, 2009
    #236
    If that's the case, then Apple has no incentive to provide a bounty program whether he reports it or not. He might as well have kept quiet and let the nefarious hackers find the bug.
    --- Post Merged, Feb 9, 2019 ---
    A bug like this is not necessarily nasty. It becomes nasty when a bug in Safari allows remote code execution which then exploits the Keychain bug.
    --- Post Merged, Feb 9, 2019 ---
    You don't need physical access if you can exploit a remote execution bug in Safari which can then deploy the Keychain bug. The browsers Safari, Chrome, Edge, Firefox, etc... are full of bugs and many of them are critical RCE.
    --- Post Merged, Feb 9, 2019 ---
    Geez kinda like the "right thing to do" was to deny^100 until irrefutable data is provided.

    Antennagate
    Bendgate
    Touch Disease
    Batterygate (secret throttling)

    Did I miss anything else?
    --- Post Merged, Feb 9, 2019 ---
    He's asking Apple to have a bounty program for MacOS like Google (Chrome OS and Android) and Microsoft (Windows). It's a far better approach for Apple than hiring a person permanently full-time. No need to pay them $150,000+ every year.
    --- Post Merged, Feb 10, 2019 ---
    It's not that difficult to take a guess. A proper bounty program offers security researchers huge incentives to find defects. No bounty program = no incentives = "no" bugs = macOS is pretty safe, right? It's rather ironic that Apple is all about security ("We designed macOS with advanced technologies that work together to constantly monitor, encrypt, update — and ultimately keep your Mac safer.") and yet they have no incentives for responsible disclosures.

    Guy: You have a bug in Keychain.
    Apple: Sure let's have it. Thx for your time.
    Guy: You should offer a bounty program.
    Apple: No
    Guy: Okay, you can have your employees find it.
    Apple: Sure
    Guy: Fine

    Apple has no obligation to offer a bounty program, but Apple is hypocritical to its customers on security. It's hard to believe that Apple, being the wealthiest company in the world, doesn't have a bounty program for macOS that provides fair incentives to the responsible hackers.
     
  12. alexhardaker macrumors regular

    Joined:
    Sep 12, 2014
    #237
    Like he’s starving to death because Apple won’t pay him...
     
  13. Michael Goff macrumors G5

    Michael Goff

    Joined:
    Jul 5, 2012
    #238
    You got me. Since he isn't starving, he should do work for free.
     
  14. alexhardaker macrumors regular

    Joined:
    Sep 12, 2014
    #239
    Is he starving? We don’t know that. Do you really think that the Apple bug he found is the only one he’s found? He’ll do the same for other companies and their OSs. They have a bounty program. Use those. He should tell Apple about it. It was his choice to sit there and find a bug in macOS, knowing Apple don’t offer a program. Do the right thing and tell them about it. No one wants their data etc. being at risk. Ask them to start a bounty program. Simple.
     
  15. Michael Goff macrumors G5

    Michael Goff

    Joined:
    Jul 5, 2012
    #240
    Yes. Ask them nicely. That's how billion dollar corporations work, you asking nicely. Are you being serious?
     
  16. alexhardaker macrumors regular

    Joined:
    Sep 12, 2014
    #241
    Nicely? Pressure them in a different way I meant.
     
  17. Michael Goff macrumors G5

    Michael Goff

    Joined:
    Jul 5, 2012
    #242
    This is the best pressure a person has.
     
  18. alexhardaker macrumors regular

    Joined:
    Sep 12, 2014
    #243
    Still wrong to do
     
  19. Michael Goff macrumors G5

    Michael Goff

    Joined:
    Jul 5, 2012
    #244
    I disagree. It's likely the only way anyone can get Apple to change. Otherwise they've proven they don't care as much about macOS.
     