Let's hope so. This Hacker-Terrorist should not only be locked up, but billed/sued for the full value of lost productivity to the American economy for whatever length of time that Apple's developer resources are unavailable.

If he's a foreigner, he should be renditioned to Guantanamo Bay and tried as an enemy combatant.

you sound like a crazy person. "Hacker-terrorist"? geeze, like we didn't have enough problems w/ the govt trying to convince everyone evil terrorists are a serious threat to your daily existence and thus worthy of giving up trillions of dollars and personal freedoms for.
 
Innocent of what? Even if his intentions weren't bad, what he did wasn't legal, was it? Again, I can't believe how many are using the "ends justify the means" excuse.

I'm just not seeing how this is all that different than all the other white-hat stuff that goes on. Sure he may have made some missteps, but this guy is not a calculating, malicious hacker... Why would he come forward at all if he was? He would have kept playing inside Apple's servers as long as possible.
 
I suppose you can rest easier now that you know apple finally locked up your information in a safe place

as opposed to just sitting there on the clothes line

how do you figure that? apple said in their post that the stuff is encrypted... that's the opposite of letting it sit out in the open free for the plundering.

----------

Well done to this man. He single-handedly has shown that apple are not the great company they think they are.
All they do is use their CURRENT popularity to bully other companies into making sure they stay at the top.

And building a legion of loyal customers based on high quality products that break the mould has nothing at all to do w/ getting to and staying on top. riiight...

life isn't battlestar galactica, dude.
 
that's one hell of a cover up story after your awesome research :rolleyes:

Come on, you ask the company, you're going to perform research, you're going to be told whether it's OK or not and whether your findings should be made public or not.
 
I don't care if he is a white hat, a cold-footed black hat, a glory seeker or an idiot.

He has done us all a solid by getting the vulnerability highlighted and fixed.

I am an all-in Apple fanboi, but I must say Shame On Apple for not being pro-active in having the best security throughout the system.

Does no one there have an overview, to make sure that all systems are set up with triple paranoid security, better than best in class, in mind?

If apple can't proactively protect its own systems, all this "industry standard security/encryption" speak, with regard to users' devices, data, transmissions, etc., quickly loses validity.

I was looking forward to the password manager and icloud synced keychains in ios7 and OSX 10.9, but I have to wonder if these are just adding big risk relative to some convenience because apple hasn't got its armor-plated ducks in a row.

Apple owes all of us a transparent status report about what they have done to mitigate the current vulnerability and a roadmap for achieving industry leading security.
 
It wasn't out in the open. It was protected by security. Security that someone found a way around. You know, just like bank robbers do when they rob a bank.

What security protection are you talking about?

If this is the website vulnerability some people think it is, you just enter a custom command URL in your browser.

No password bypassing. No deeply clever TV style hacking.

Just a giant web server framework hole that was reported last February.

 
Some of the responses in this thread are daft and absurd. Has made me laugh.

This guy, plain and simply, did it wrong. He should have worked with Apple on it, rather than be impatient and just go getting people's data.

My company hires people twice a year to try hacking our site to test security; Apple will have this done as a minimum. They would have picked this up and fixed it, like probably the other holes in years gone by. Anyone who thinks Apple just sits and lets their sites go insecure for a year or more needs to understand this. Chances are it's not a long-standing bug, but one that came as part of an upgrade or something.

This guy was totally in the wrong and deserves what he gets. He's blatantly just wanting attention thinking he will have companies lining up to hire him.


Sent from my iPhone using Tapatalk 2
 
What security are you talking about?

If this is the website vulnerability some people think it is, you just enter a custom command URL in your browser.

No security bypassing. No deeply clever hacking. Just a giant web server framework hole that was reported last February.

You say tomato...

Not sure how accessing a hole in their security is different than bypassing their security. It's all unauthorized access to a computer system.
 
To everyone proclaiming this guy an evil hacker, keep in mind that many large companies now run bug bounty programs where they pay you if you find holes in their products. These companies include: Facebook, Google, Microsoft, Paypal, and possibly even Apple. Although Apple does not appear to offer monetary rewards, they do give public credit for issues found in their websites.

I've always questioned the wisdom of companies allowing testing on their production sites, especially when no registration and pre-approval is required. But this isn't exactly the black & white issue some of you are making it out to be.
 
lol, so any old shmuck could just go hack your systems because they didn't respond to your bug reports within 30 days? What kind of garbage is that? You do realize because of this guy's actions, Apple had to take down the site costing time and money for developers.

Think...just for a second.

If the guy HADN'T done this, someone else would have. That someone else could have been a group of hackers. Who would never tell Apple about it, and profit from our information.

Security through obscurity never, ever works. Eventually someone would have found the problem - be thankful it was someone who was happy to report it.
 
It's nice that someone on the internet agrees with me, but I was actually making a different point (not quite the opposite point, but close):

People get password reset notifications all the time. Typically you have no idea how they got your user id and/or email address to initiate the password reset.

But today everyone (well, Apple developers I guess) can point to this.

However, there's no way to tell from scattered reports whether people got the info from this researcher/hacker (whatever he is) or various other means. The info is public, so there are a lot of ways this information can be harvested.

Now, if there was a sudden up-tick in password reset notifications for Apple developer accounts then we could likely put two and two together. But scattered reports don't show this.

So we don't know.

I can tell you one thing for sure: it's not all developers getting password reset messages.

But lots are too...

----------

And who's to say they don't? I'd wager they do. Any software company that deals with security for millions of users more than likely tests these things, how do you think they devise their security practices in the first place? Now whether or not the team they have is a world-class team is another topic, but you shouldn't assume that they don't have people inside Apple.

Just saying I am surprised that their team didn't catch that.
 
If the guy HADN'T done this, someone else would have.

Maybe.

That someone else could have been a group of hackers. Who would never tell Apple about it, and profit from our information.

Or it could have been someone at Apple. Or it could have been patched before anyone found it.

Security through obscurity never, ever works.

Sure it does. That's why lots of people leave their front doors unlocked in small towns.

Eventually someone would have found the problem - be thankful it was someone who was happy to report it.

I'm always thankful random strangers "test my security" and access my private information as long as they say that they were doing it for my own good.
 
OK. No problem then. I'll be over tonight to break into your house. I'm not a thief. I just want to make sure your dwelling is secure.
Apples and Oranges.
Maybe you are spending too much time with computers but I will try to explain anyway:
In his house you won't find information about tens of thousands of other people as you do when you hack Apple's totally insecure servers.
Apple should thank that guy and send an apology to its developers.
 
Some of the responses in this thread are daft and absurd. Has made me laugh.

Yes, it's like watching a typical mob of people with pitchforks and torches, going after whatever they do not understand.

This guy, plain and simply, did it wrong. He should have worked with Apple on it, rather than be impatient and just go getting people's data.

He was trying to work with Apple on it. He reported the bugs to Apple via the registered developer bug form.

But he can't report something he didn't test for.

Now, should he have stopped when he found the first bug variation? Perhaps that would've been wisest, but developers often get excited when chasing down a bug, and they want to find all the permutations in order to make a good report.

Non-developers wouldn't understand.

This guy was totally in the wrong and deserves what he gets. He's blatantly just wanting attention thinking he will have companies lining up to hire him.

There have been plenty of such attention getters in the past, but he doesn't come across that way.

Instead it looks like, as a non-native English speaker, he got terrified when Apple issued their statement blaming an "intruder", and didn't realize that was just their way of excusing themselves.

The upshot is this: if he gets in trouble, then fewer people are going to want to report vulnerabilities in the future.
 
Apples and Oranges.
Maybe you are spending too much time with computers but I will try to explain anyway:
In his house you won't find information about tens of thousands of other people as you do when you hack Apple's totally insecure servers.
Apple should thank that guy and send an apology to its developers.

So... its okay to break into something if it holds "information about ten thousands of other people"? :confused:

He didn't have to steal the information, he could have simply reported the vulnerability. He admitted that he wanted to see how deep he could go after finding the vulnerability.

To use the house analogy, a reasonable person might point out that you left a window open. This guy went inside and made copies of some stuff in your file cabinets and posted excerpts in public.

----------

Now, should he have stopped when he found the first bug variation? Perhaps that would've been wisest, but developers often get excited when chasing down a bug, and they want to find all the permutations in order to make a good report.

Non-developers wouldn't understand.

The "I got excited, so I couldn't help exploiting a vulnerability that I discovered" defense. That's a new one for me.

Instead it looks like, as a non-native English speaker, he got terrified when Apple issued their statement blaming an "intruder", and didn't realize that was just their way of excusing themselves.

"In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon."

That doesn't really sound like someone trying to avoid responsibility.

The upshot is this: if he gets in trouble, then fewer people are going to want to report vulnerabilities in the future.

If he just reported the vulnerability, this wouldn't be an issue.
 
Let me know when you've solved the world's crime problem. Do you think you can have it done in the next 24 hours or so?

Huh?

You're the one who's defending the actions amounting to going out to commit crimes (oh, that's right, you're just stealing a few things without malice) to show crimes can be committed, then using that to justify shutting down the whole world until a permanent pervasive crime-prevention solution can be implemented.

You're very confused.

----------

if he gets in trouble, then fewer people are going to want to report vulnerabilities in the future.

Um, you might want to consult a dictionary.

"report" does not mean "exploit".
 
Apple needs to take a break from messing with phones. They seem to be putting all their resources into making trivial changes to things like the screen size and the exact shape of color used for an icon.

At one time Apple's software was way ahead. They used BSD on a Mach microkernel to build NeXTSTEP. That effort was way out in front of everything else. But in the last 10 years they just sat on top of that; they have matured it and added stuff but nothing "new", no leap forward.

It appears now that even Apple's web site designers are so technically inept as to allow this to happen at all. Why doesn't Apple have a dozen full-time engineers trying to break into their own sites? And if they do have such a team, they need to be fired.

Apple needs to actually be different again.

this
 
He didn't have to steal the information, he could have simply reported the vulnerability. He admitted that he wanted to see how deep he could go after finding the vulnerability.

He didn't steal the data. It showed up when he tested. That's the result of finding a vulnerability.

And of course you dig deeper when checking out a bug.

The "I got excited, so I couldn't help exploiting a vulnerability that I discovered" defense. That's a new one for me.

That's because you never filled out a bug report as a developer. Your first instinct is to box out the limits of the bug, in order to help someone else find the cause quicker.

"report" does not mean "exploit".

How did he "exploit" it?

Seriously, now I think that non-developers should not be commenting on this topic at all.
 
Crooks don't warn you that your door is unlocked.
They just take everything and sell it.

This guy warned apple and they did nothing so he let himself in took a beer out of the fridge and waited for apple to come home

and now apple is angry at him

except that because of him no other real crooks will come in and steal everything

apple should be embarrassed

This guy warned apple and they did nothing

Don't see any indication he let Apple know ahead of time, just simply that he let them know. No proof he was NOT a crook. It's just as likely he said that because he got caught.
 
He didn't steal the data. It showed up when he tested. That's the result of finding a vulnerability.

That's not true. Reports are that he exploited the vulnerability and wrote a script to harvest the data.

And of course you dig deeper when checking out a bug.

If you want to do something illegal.

How did he "exploit" it?

By looking around once he got inside. And writing a script to harvest user data.

Seriously, now I think that non-developers should not be commenting on this topic at all.

Try a developer forum.
 