What's your app? I'll be sure not to buy it if that's how you treat someone trying to make your product better.

A simple thank you would have been appropriate. I've posted numerous bugs on many mobile apps and PC apps and have always received an email reply.

Those are the apps that I buy the full version and support the developer if I'm currently on the free version.

Not in the App Store. I work for a software company. The programs have well over 10k users and a lot of bug reports. Support handles most of the issues.

You have to keep in mind the user base. If I had a personal app in the App Store, chances are the user base would be small enough that I could handle doing that personal touch, but when you get to the point of a lot of users you get hit with a lot of bug reports, and most of them fall under the category of exactly the same. I am much farther removed from the customers. There just is not enough time to deal with contacting the users, add more features, fix/test bugs, etc.
The personal touch of telling the users about their bug report falls away.

Apple could fall under this: they get hit by 1000's of bug reports a day. The vast majority will be duplicates and not a bug. This is not counting the useless reports. All of this has to be sorted through, deduplicated, ranked and then put in its place in the queue to be fixed. It started getting cost prohibitive to add the personal touch.
 
Not in the App Store. I work for a software company. The programs have well over 10k users and a lot of bug reports. Support handles most of the issues.

You have to keep in mind the user base. If I had a personal app in the App Store, chances are the user base would be small enough that I could handle doing that personal touch, but when you get to the point of a lot of users you get hit with a lot of bug reports, and most of them fall under the category of exactly the same. I am much farther removed from the customers. There just is not enough time to deal with contacting the users, add more features, fix/test bugs, etc.
The personal touch of telling the users about their bug report falls away.

Apple could fall under this: they get hit by 1000's of bug reports a day. The vast majority will be duplicates and not a bug. This is not counting the useless reports. All of this has to be sorted through, deduplicated, ranked and then put in its place in the queue to be fixed. It started getting cost prohibitive to add the personal touch.

So in other words you are a programmer for a company. That's not even remotely related to the situation this guy was in when he reported the issue, gave his email address and warned Apple of the multiple vulnerabilities.

Just seems like an odd way to handle it the week (now day) before Apple is reporting numbers and will be on the conference call afterwards.

It also seems odd that CNN is going to talk with this guy before Apple does, regardless of whether you feel his intents were good or bad.
 
The difference between Apple's developer portal and a house is that a house is very personal private property, and it affects you at a very personal level. Accessing details from a developer portal is absolutely nothing like this. You could claim that it is a sort of breaking and entering. But it is an exaggeration to compare it directly to a house.

The fundamental issue with this metaphor is, accessing impersonal information on thousands of people is not comparable to having one's personal home-space invaded.

A better example would be if somebody discovered issues with a certain type of lock that is widely used on front doors of houses.

----------



Please continue making personal judgements, I'm not disputing your right to do that. All I'm saying is, it's not helpful to use distortions to make arguments seem bullet-proof.
Of course one is more personal than the other, but that's at least part of the point behind the metaphor, to make it more human and understanding to underscore the issue.
 
Of course one is more personal than the other, but that's at least part of the point behind the metaphor, to make it more human and understanding to underscore the issue.

I am a registered developer. My basic identifying information may have potentially been downloaded. I don't feel my privacy or my property have been violated or damaged, respectively, and to suggest so is ridiculous. This is why the home break-in comparison is ridiculous. My property has not been damaged, my personal space has not been violated.

If you must insist on the home metaphor (which is totally unnecessary), the best that you can say is that a bomb was detonated and it broke some people's windows. To equate what happened with the actual invasion and damage of one's property and personal space wilfully by an individual is ridiculous, that's my fundamental point.

Here's a simple thought experiment: you have a straight choice between what happened with the developer portal and an individual breaking and entering into your home. Which would you choose?
 
He should have given Apple more time before resorting to doing this. At least a week to respond, it's a large company.

Right.... :rolleyes:

Apple was one of the worst security laggards until fairly recently, since they had the attitude that security issues were a Windows' problem.

It may well have been the case that there was a security breach by one or more different entities, which was spotlighted by Ibrahim Balic. This may explain the shutdown, which most likely has nothing to do with Balic himself.

Apple should probably clarify this, even if it means a bit of egg on its face. At least it would show that it can handle these things in a professional manner.
 
I am a registered developer. My basic identifying information may have potentially been downloaded. I don't feel my privacy or my property have been violated or damaged, respectively, and to suggest so is ridiculous. This is why the home break-in comparison is ridiculous. My property has not been damaged, my personal space has not been violated.

If you must insist on the home metaphor (which is totally unnecessary), the best that you can say is that a bomb was detonated and it broke some people's windows. To equate what happened with the actual invasion and damage of one's property and personal space wilfully by an individual is ridiculous, that's my fundamental point.

Here's a simple thought experiment: you have a straight choice between what happened with the developer portal and an individual breaking and entering into your home. Which would you choose?
The metaphor isn't really about you, but more about Apple--it's their servers that were broken into and their data that was stolen (the fact that the data was about others, and there are additional privacy concerns in play, just makes it that much worse).

Again, of course one is different than the other on more than just minor technicalities, but, again, that's the point of the metaphor--it's not there for comparison, it's there to convey the point in different more understandable terms (even if somewhat hard-hitting, simply because they are more personal, so to say). Maybe that one particularly goes a bit too far in that respect, but it's still not just plain horrible or silly. I actually brought up a somewhat similar but less hard-hitting one in relation to a bank (which is also not the same of course), which might be somewhat better, at least in that respect.

In any case, we can nitpick all of this to death, as any metaphor can be as none of them are exact (otherwise they wouldn't be metaphors).
 
The metaphor isn't really about you, but more about Apple--it's their servers that were broken into and their data that was stolen (the fact that the data was about others, and there are additional privacy concerns in play, just makes it that much worse)....

It's quite a bit different. Apple has certain duties to safeguard certain information.

If someone identifies a weakness and informs Apple, Apple should react promptly to fix the vulnerability and mitigate the dissemination of such information. Because if Apple does not remove the vulnerability promptly, someone else might exploit it for illicit purposes.
 
Lol....

I can't help feeling this would be like providing your bank with security breaches, showing them the proof, and actually "expecting to get away with it".

I guess it's like admitting to the problem... Either way, any company would deem this a hacker, or a breach, despite the fact that in all good faith you were just trying to "help them out".

That's how I understood this..

If true, then actually when you re-think.. It's kinda stupid he did it in the first place.
 
If he was doing it for attention then he succeeded; if he was doing it to further a career then he has just shot himself in the foot by making himself pretty much unemployable in any kind of security role. No one wants an attention-seeking loose cannon like this around in a role involving security. He is probably also now on watch lists too, so I wouldn't try going to the US any time soon if I were him.
 
This is actually worrisome because I did receive an email about having my password reset several times. I was hoping it had to do with this guy and his benevolent bug discovery but clearly there is another culprit at hand...

If you got several resets, could it be a panicked user trying to reset his/her password accidentally using the wrong email address? There will be a ton of people trying resets about now. A few of these are likely to make a silly mistake.

If it was somebody phishing, I would have thought one attempt would be enough to demonstrate that there's no benefit to be gained by it.

----------

It's quite a bit different. Apple has certain duties to safeguard certain information.

If someone identifies a weakness and informs Apple, Apple should react promptly to fix the vulnerability and mitigate the dissemination of such information. Because if Apple does not remove the vulnerability promptly, someone else might exploit it for illicit purposes.

At what point do you envisage them thoroughly testing the code fixes to check they are not making things worse?

A security researcher, as this idiot claimed to be, would know that security is difficult enough without some amateur imposing deadlines in periods of days or hours. Apple's only reasonable course of action was to shut down the service until a properly tested solution is in place.
 
A security researcher, as this idiot claimed to be, would know that security is difficult enough without some amateur imposing deadlines in periods of days or hours. Apple's only reasonable course of action was to shut down the service until a properly tested solution is in place.

Let me add that an idiot's "course of action" would be disconnecting all the cables from the server immediately.
 
In the past 24 hours, I have received 3 emails from Apple for resetting my Apple ID... wtf
 
Oh please, enough with that BS! You know that is next to impossible for Apple or any other company to be 100% protected from hackers.

That's not what I said. He submitted his findings to Apple, they didn't do anything, so he went public.

I did NOT in ANY ****ING WAY imply Apple's security should or could be 100% perfect.

----------

I don't think you quite realize how security breaches work. He gave Apple only a few hours; they probably didn't even get to his request in that time.

He went public immediately after. Real life is not like the movies, you need to find out how much data someone had access to before releasing a statement which takes time. Apple did it pretty quickly IMO.

Releasing something saying "WE GOT HACKED" without knowing anything about it is not only a PR disaster, but it's not the right way to do things, because people will want answers and you won't be able to give them without knowing what the hacker got hold of.

They didn't have to release anything, all they had to do was reply to his email or call him and let him know they were taking it seriously.

You're right, real life isn't like the movies. In the movies, people would think Apple was a perfect company, able to do no harm. It would have millions of fanatical customers who buy every item no matter how minor the upgrade.


.......oh wait.
 
Going as deep as possible is exactly what most developers reporting a bug do, in an attempt to be helpful.

I don't know if I would consider getting 1000 accounts any more deep than getting 5 if they were all retrieved in exactly the same way.
 
He absolutely should have given more time for Apple to review and respond to his information. Posting the YouTube video and not blurring out data was a douche move that suggests he has the capacity to be malicious. He wanted to "show" Apple and instead he just released the information in a video for anyone to see. If he really wanted to show Apple and thus let Apple fix this issue, then he needed to give them a bit more time. One business day should have sufficed, in my opinion.

I question why he felt the need to post the video. It makes me think he's just a hacker who found something and wanted everyone to know about it asap. His so-called courtesy message to Apple was just for show and he likely believed that would keep him out of trouble. There was no reason for him to save any data. None at all.
 
Why should we trust this guy?

Why should anyone be trusted? When most everyone in our government lies and when most every CEO of every company misleads... I think the "trust" of one guy is fairly irrelevant.

What is relevant is, if he's paid $125k/yr by Apple to be a Sr. SW Engineer, he could have stopped these bugs internally and paved himself a very successful and lucrative career.

Let me ask you this: If you were smart enough to come up with these issues and no one was listening to you, what would you do? Doubt emailing tcook@:apple: would even work!

----------

He absolutely should have given more time for Apple to review and respond to his information. Posting the YouTube video and not blurring out data was a douche move that suggests he has the capacity to be malicious.

I question why he felt the need to post the video. It makes me think he's just a hacker who found something and wanted everyone to know about it asap. His so-called courtesy message to Apple was just for show and he likely believed that would keep him out of trouble. There was no reason for him to save any data. None at all.

Most extremely intelligent people don't always have social skills or make judgement calls at the same level of intelligence. These individuals need to be managed effectively, like most talented engineers.
 
Lol....

I can't help feeling this would be like providing your bank with security breaches, showing them the proof, and actually "expecting to get away with it".

I guess it's like admitting to the problem... Either way, any company would deem this a hacker, or a breach, despite the fact that in all good faith you were just trying to "help them out".

That's how I understood this..

If true, then actually when you re-think.. It's kinda stupid he did it in the first place.

Thing is, the banks more than likely have much better security. Those IT people are beyond paranoid and they go insanely overboard to respond to a minor issue.

Apple, on the other hand, has been shown to be very lax, slow to respond, and generally does not do anything until it goes public.
 
Thing is, the banks more than likely have much better security. Those IT people are beyond paranoid and they go insanely overboard to respond to a minor issue.

Not sure I trust banks to have good security. My bank has been known to call me from a blocked number and ask me security questions so I can prove I'm me.
 
Not sure I trust banks to have good security. My bank has been known to call me from a blocked number and ask me security questions so I can prove I'm me.

That is not the IT guys' side where that hole is. They have no control over stupid tellers or policies like that.

The blocked number part is insane, and using that all the time would really make me consider going to a different bank.
 
It's pretty well known to anyone that deals with security researchers that you respond to them ASAP if you don't want the information going public before you have a chance to fix it. What this guy did is really benign. Another, more damaging, common practice after a long period of no response would be to release the details of the exploit publicly. That usually gets companies off their ass.
 
That's not what I said. He submitted his findings to Apple, they didn't do anything, so he went public.

What? No.

He went public because Apple DID do something. They blamed an "intruder" for the shutdown. That's what scared him into going public, in case they were talking about him. (And we still don't know if it WAS about him at all.)

If it was because of him, then too bad the bug reviewers and the server people weren't in communication, so they'd have known what happened and possibly moved slower.

Or maybe not. Maybe it wouldn't have mattered when or how the bugs were found. The upshot is that the holes needed fixing before someone less friendly took advantage of them.
 