Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
New Details Emerge on Security Researcher Potentially Responsible for Dev Center Outage
- Thread starter MacRumors
- Start date
- Sort by reaction score
Going as deep as possible is exactly what most developers reporting a bug do, in an attempt to be helpful.
Eh? He didn't show how to do it.
It sounds like he was scared that Apple might blame him for their goof.
What on earth are you talking about? Resorting to what?
He officially and privately reported the data leaks to Apple, same as he had reported previous bugs. In (what he thought was a) response to his bug report, Apple shut down their website.
Days later, Apple finally posts a note blaming an intruder. He thought they meant him, although it's quite possible that his bug report actually clued them into a much larger problem.
And he still hasn't given any details on the data leak mechanics.
His only goof was showing some names in his video, but heck, even Apple claims those are not sensitive private details.
So he reports a bug 6 days ago (including 2 days of weekend) and instead of letting them fix it he runs to the media for attention????
Got it.
SMH.
Got it.
SMH.
How dare you use reason and some facts about this instance, we should be hanging this obvious terrorist hacker by his balls and sentencing him to death.
If you think that last bit was a bit over the top, you would be shocked with what people said about this guy in the initial article. The loyalty takes some people way too far sometimes.
He reports the vulnerability to Apple and gets no reply and Apple chooses to shut down the Developer Center and still hasn't contacted him.
SMH
With a vast number of potential reasons why, there's no good time for this to occur. Given the current attention on various security breaches this is just one more. Unfortunately it's Apple, yet I hate to see anyone suffer the damage these cause. As with any breach we quite likely will never hear the truth.
The "breaking into house" metaphor is silly. A better example is finding, for example, a hidden way into a bank's records. But that's silly too because it's not a bank, or a house. These metaphors are stupid and don't serve the truth, just personal judgements.
Why is it silly? It's not the same, sure, but it still demonstrates the point well enough to make it.
Yeah ... You notice a bank with its door open at night, you notify that bank, and the next night when the door is still opened you decide to go in and take some money, then you send some of that money back to the bank to show them what you were able to do, the bank then quickly closes for some time to figure out what exactly happened, what lead to it, what needs to be changed, etc., but you are the one who has been wronged somehow or should be a hero for how you went about it all? ... Yeah
I believe the bank would have called me if I contacted them.
It does seem like the reasonable thing to do when someone tells you that you have a vulnerability that is putting their users (customer's) at risk.
The guy still hasn't heard from Apple and now he's doing an interview with CNN. Anyway you want to look at it Apple doesn't look good given the information currently available.
Apple handled it wrong and the CNN interview isn't going to do Apple any good considering their history of staying silent.
Who knows if this guy is the only one that has found all of the problems he did.
Who knows how many hackers have already accessed and copied information?
Apple should have informed the Developers the day they were notified and not almost 4 days later.
Apple Failure on the way they handled the situation on pretty much every level.
I'm just glad when they had the last iTunes hack where all you needed was a email address and a Birthday to reset your password giving full access to your account that I deleted my Credit Card info I had on file with them.
Can't hack our system my Ass.
Edit. It will be very interesting to see how Tim Cook handles this in tomorrow's conference call after they report their numbers for the quarter.
Last edited:
Yet another terribly reply.
----------
None of that justifies or excuses exploiting the issue though (perhaps beyond what was necessary for the original discovery), and that's a bigger part of it all.
Not when "going deep" means "download 100k user accounts". That's not probing deeper, that's just a kid in a candy store. Downloading 1 account would have been enough to verify the bug exists.
The point is, detailing the nature of the attack publicly before Apple had a chance to address the security issue is not behaving responsible and in a white hat manner.
Yes, he probably should've stopped at one account, but it's totally normal for developers to write scripts to figure out the depth of a bug that they're going to report.
It's also doubtful that he knew he'd get so many. In fact, I'd bet that if hadn't set an arbitrary limit, he'd have gotten all of the accounts.
Where did you get that idea? He did no such thing.
- He submitted a private bug report to Apple.
- Apple, perhaps because of his report... or perhaps not, shut down their website shortly thereafter.
- Apple said nothing for days. Nor did he.
- Finally they posted a note that an intruder caused them to rewrite their website.
- This scared him into going public, yet he STILL didn't give any details of how to do it.
I mean, was he smart? No. But was he evil? Not even close.
some times you do not need to if 1 the bug report was good, 2 they were able to replicated it. Could be as soon as they knew they could easily replicated they shut it down. They do not need any farther information. I have done entire bug fixes on what I work on with nothing more than the bug report because it was written well and told me how to easily replicated it.
Nope. Often time it is just tied into the next release. There is nothing public about it. Heck a lot of the bugs get lumped under the the term "and minor bug fixes" No reference to what the bugs even were.
The difference between Apple's developer portal and a house is a house is very personal private property, and it effects you at a very personal level. Accessing details from a developer portal is absolutely nothing like this. You could claim that it is a sort of breaking and entering. But it is an exaggeration to compare it directly to a house.
The fundamental issue with this metaphor is, accessing impersonal information on thousands of people is not comparable to having one's personal home-space invaded.
A better example would be if somebody discovered issues with a certain type of lock that is widely used on front doors of houses.
----------
Oh. Umm … sorry for giving my personal judgement on a forum?
Please continue making personal judgements, I'm not disputing your right to do that. All I'm saying is, it's not helpful to use distortions to make arguments seem bullet-proof.
What's your app? I'll be sure not to buy it if that's how you treat someone trying to make your product better.
A simple thank you would have been appropriate. I've posted numerous bugs on many mobile apps and PC apps and have always received an email reply.
Those are the apps that I buy the full version and support the developer if I'm currently on the free version.