He will now spend the next 15 years in court.

Or not. He is apparently not in the US, and who knows what laws might be able to go after him.

Certainly he's out as a developer for breach of terms, possibly his general Apple ID cancelled also. And he probably just got himself on several watch lists.
 
And it's been wrong & illegal from day one.

Wandering down the street kicking in front doors and leaving notes in the mailboxes of people whose doors succumbed to being kicked in will never be taken well, no matter how many doors get kicked in and no matter how white the kicker's hat is.

Exactly. Maybe etiquette in the "hacker community" is different from normal society, but I see many ways this "researcher" could have handled this in a much more professional manner.
 
Because Apple is clearly not keeping its security systems up to par, and it's better for someone to do this and make it public than for someone to do this and steal and sell as much information as he could.

Or they are, or at least as on par as current tech allows.

Consider that he got names and emails, things we share all the time all over the place. And nothing else.
 
And why exactly did it "need" to happen?

Because vulnerabilities only get addressed if they are brought to light. Now that someone has done so in a responsible manner, it is less likely that there will be a malicious breach (or, at least, it will now require more skill or tech).
-----
I retract my comment above regarding hacking in a responsible manner. As one poster put it, a responsible manner would have been to report the bugs to Apple and give them x days to respond before divulging the bug (but not acting on it).
 
OK. No problem then. I'll be over tonight to break into your house. I'm not a thief. I just want to make sure your dwelling is secure.

Hey, just stay in your own place, thinking it's really secure etc. Just don't whine one day when you get robbed!!! Ignorance is bliss ;)
 
Because vulnerabilities only get addressed if they are brought to light. Now that someone has done so in a responsible manner, it is less likely that there will be a malicious breach (or, at least, it will now require more skill or tech).

Understandable. Looks to me like there should be some sort of law for corporations to have their security tested, rather than someone taking the liberty to do so. Isn't it illegal what this guy did? I mean, he still had access to the developers' information, although I understand it was encrypted. I just don't see how anyone has a right to do this.
 
The guy is an idiot and not a "researcher". Just have a look at his YouTube video: he is celebrating his hack by showing off email addresses of other people without blurring anything. He found a security hole, and I give him credit for that, but he's also an immature attention whore.
 
Where's all those guys who want us to buy small memory iDevices and trust storage of all of our personal files in iCloud. I usually find fault with the idea because we have greedy tollmasters (AT&T, Verizon, etc) between us consumers and iCloud but this highlights another reason that local storage of size should remain desirable (even to those with toll money to burn).
 
What's wrong with the analogy? Seems reasonable to me for the point being made.

A front door, or another example used a safe, are not the same. When you start delving into analogies like this you get really weird conclusions that lead to bad occurrences or just plain understanding of what is going on.

There is some good outlining in here: Source

Not saying that all are bad, I think it is just best to shy away from them as they tend to skew true understanding of what is actually occurring.

Edit: Here is another good one.

It could be the worst technology analogy we’ve heard in years. Dean Del Mastro, a Canadian Conservative MP, was trying to argue against the simple act of format shifting and decided to use an analogy to explain his point. He ended up comparing it to stealing a pair of shoes after you buy a pair of socks.

"It’s like going to a clothing store and buying a pair of socks, and going back and saying ‘By the way, it wasn’t socks I needed, what I really wanted was shoes, so I’m just going to take these — I’m going to ‘format shift’ from socks to shoes — and I’m not going to pay anything because it was all for my feet.’”

Source
 
This person is a complete moron. And will likely be charged and jailed. Half the responses in this thread are written by foolish people. If you're a security researcher you do research in a lab like every other researcher. You have servers running the target OS or application being tested. You observe how data interacts with the target, you look at source code if available, etc. This guy is a criminal, plain and simple. I can almost guarantee this idiot is going to be charged. He sounds like he is very young and doesn't understand that what he did was criminal and violates quite a few laws. "What I was just showing you is that you have some security issues." That does not wash. Ignorance of the law is no excuse and no jury is going to buy that. He is not a paid Apple security engineer; he broke into their servers and network unauthorized, and cost them a good chunk of change in downtime and upgrades and software reviews and extra man hours. My advice to this kid is lawyer up! You're going to need it. You might have just ruined your life. GG!
 
Because Apple is clearly not keeping its security systems up to par, and it's better for someone to do this and make it public than for someone to do this and steal and sell as much information as he could.

You forgot the consequences of that...

"... and go to jail for many a year."

Let's get it straight: someone doing what you suggest is not a hero helping to spot security issues and help plug them. They're a thief and criminal who should be locked up.
 
What's wrong with the analogy? Seems reasonable to me for the point being made.

Breaking into a private home is a bad analogy.

This is an international corporation who is responsible for keeping its customer's information secure.

He and his employees are some of their customers. He found out that their (and everyone else's) info was NOT properly secured.

If you still need an analogy, even though none is needed, imagine you were curious if your bank's website would take database commands, even though it should not.

You are shocked to find out it does, so you try some more commands, and then send them an email advising them of the hole, with proof.

Dumb? Perhaps. Whose fault? The website owner.

Obviously he was worried from Apple's public wording, that they were going to try to lay the blame on him, and that's why he went public.
 
The most amazing revelation with this story is that it suggests someone at Apple actually reads bug reports submitted through bugreport.apple.com!

This seems completely contrary to my own experience - perhaps it's actually worth reporting bugs to Apple after all.

Only if you preface your comments with "I hacked your entire system and I'm holding 100,000 employees' personal info hostage."
 
Breaking into a private home is a bad analogy. This is an international corporation who is responsible for keeping its customer's information secure.

There really aren't good analogies for 0s and 1s. Taken in any quantity, they are all just as meaningless.
 
Breaking into a private home is a bad analogy.

This is an international corporation who is responsible for keeping its customer's information secure.

He and his employees are some of their customers. He found out that their (and everyone else's) info was NOT properly secured.

If you still need an analogy, even though none is needed, imagine you were curious if your bank's website would take database commands, even though it should not.

You are shocked to find out it does, so you try some more commands, and then send them an email advising them of the hole, with proof.

Dumb? Perhaps. Whose fault? The website owner.

Obviously he was worried from Apple's public wording, that they were going to try to lay the blame on him, and that's why he went public.

lol I have one: you're a prisoner and you do the warden a favor by showing him, and the entire prison, how easy it is to break out.
 
At least he went about it the right way, asking Apple beforehand if he could research the effectiveness of the security of their developer site and coming to an agreement before attempting anything... :rolleyes:

Or not. But he sure wants it to sound that way.

But a hacker for hire wouldn't have released evidence on YouTube etc.
 
Or not. But he sure wants it to sound that way.

But a hacker for hire wouldn't have released evidence on YouTube etc.

A black hat would've just kept the info and you'd only find out 3-6 months from now that everything is compromised.
 
True that.
It takes AGES till reports get answered and when they do, the answers are disappointing more often than not.

I asked if they could implement ZFS or develop their own file-corruption-aware and preventive filesystem along with the other benefits known from ZFS.
See that? 2 options I asked for.

Their answer: ZFS is not owned by Apple.

Developer bug reports are for items developed by Apple. Not general feedback. So the answer you got was appropriate. As would have been ignoring you.

----------

Crooks don't warn you that your door is unlocked.
They just take everything and sell it.

This guy warned Apple and they did nothing.

You don't know that. In fact, the site being taken offline looks a lot like they did do something.

----------

He had to actually hack Apple to prove that the vulnerability existed.
He was only proving that the door was unlocked.

He wasn't even doing that. He's the thief that tries to break in, claims he did but only to prove the locks aren't strong enough, and gives the police the list of names off the mailboxes. Which proves he got into the lobby but not any further.
 
Breaking into a private home is a bad analogy.

This is an international corporation who is responsible for keeping its customer's information secure.

He and his employees are some of their customers. He found out that their (and everyone else's) info was NOT properly secured.

If you still need an analogy, even though none is needed, imagine you were curious if your bank's website would take database commands, even though it should not.

You are shocked to find out it does, so you try some more commands, and then send them an email advising them of the hole, with proof.

Dumb? Perhaps. Whose fault? The website owner.

Obviously he was worried from Apple's public wording, that they were going to try to lay the blame on him, and that's why he went public.

And that's why he's screwed. He didn't just "notice" a defective website, he caused various forms of damage to something which did not belong to him, AND THEN ADMITTED IT IN PUBLIC. All in all very naive behavior.

If this is how he does cyber security research, I'm glad he's not a medical researcher!
 
I hope this is true. It is probably the best possible outcome.
Apple rapidly improves security but no actual harm results.

Scattered reports of password resets means nothing since they occur all the time anyway. It's just that now people can point at something that could be to blame. (Now, that doesn't mean there is no connection, but scattered reports isn't evidence of a connection.)

edit: now that I've seen this guy's youtube video, I'm more nervous.
He seems quite immature. I mean he claims not to have shared any information with anyone, but there it is in his video. Huh? I suppose hackers may always claim to be researchers... once they are detected?

Agreed....

The number of people that have gotten reset notifications not initiated by themselves makes me believe the data was sold.
 
It's now known that this was a hole in Apache Struts that's been known about and patched since May. Apple chose to do nothing, and we're all supposed to be mad at this security researcher.
 
It's now known that this was a hole in Apache Struts that's been known about and patched since May. Apple chose to do nothing, and we're all supposed to be mad at this security researcher.

So basically you're saying the ends justify the means?
 
And that's why he's screwed. He didn't just "notice" a defective website, he caused various forms of damage to something which did not belong to him, AND THEN ADMITTED IT IN PUBLIC. All in all very naive behavior.

Here's another analogy: I shot your dog to see if he could take a bullet. As you can see, he can't. Aren't you glad you know that now? I wasn't trying to kill him.

Apple:
Here's the Veterinary bill!

I hope you don't really equate your analogy with kdarling's. Not remotely the same.
 