I'm really happy about the way @ibrahimbalic handled the situation, as an Apple Developer. These things must happen in today's world; the way that Apple is handling this is very strange indeed, though.
 
"Security researcher" Yeah, that's it. Is the guy "testing" my front door with a crowbar also a security researcher?

It is nice that he gave apple a couple of hours to respond. Classy of 'im.

maybe you're correct, but I suppose many hackers just want to sell out to a big corporation or government and a way to do that is create a major bang
 
So basically you're saying the ends justify the means?

No, I'm saying the question of this man's morality or innocence is a preposterously trivial question that barely warrants any discussion outside of a philosophy discussion board.

Apple completely ignored a security flaw they knew about months ago.

When a storage company loses your property due to their poor security practices, do you get angry at the burglar? No, you get angry with the storage company you are paying.
 
I'm really happy about the way @ibrahimbalic handled the situation, as an Apple Developer. These things must happen in today's world; the way that Apple is handling this is very strange indeed, though.

I agree...

1) the guy does security research and transparently identified himself on the public FB's 'Whitehat' list.
2) he reported the bugs and asked Apple if he should stop doing this (i.e. research), although he maybe should have given Apple more time to respond.
3) it was only after the lack of response that he went deeper (which maybe wasn't too wise)
4) he reported his findings back to Apple, and did not tell the public of the existence of the bugs or his findings, keeping a log of his actions, evidence and communications with Apple.
5) he went public, distraught that Apple said their site got 'hacked' (which is true); just in case Apple goes after him.

I don't think Apple is handling it strangely though. In Apple's view, data went out of the company into unauthorized hands (even though no malice was intended), so they have to report it that way.

 
What's the big deal about a name and email address?

Under most state data breach statutes, that information does not even count as "personal information" and does not trigger notification obligations.

The only piece of info that really matters is a social security number and/or credit card numbers.

And credit card numbers are worse for the credit card company than the consumer, since you can easily dispute fraudulent card charges.

The term "security breach" is thrown around way too easily.
 
I don't think Apple is handling it strangely though. In Apple's view, data went out of the company into unauthorized hands (even though no malice was intended), so they have to report it that way.

Well quite. Even if his intentions were honorable, how can he be sure he hasn't leaked any of Apple's data himself? Is his own system secure?
 
I agree...

1) the guy does security research and transparently identified himself on the public FB's 'Whitehat' list.
2) he reported the bugs and asked Apple if he should stop doing this (i.e. research), although he maybe should have given Apple more time to respond.
3) it was only after the lack of response that he went deeper (which maybe wasn't too wise)
4) he reported his findings back to Apple, and did not tell the public of the existence of the bugs or his findings, keeping a log of his actions, evidence and communications with Apple.
5) he went public, distraught that Apple said their site got 'hacked' (which is true); just in case Apple goes after him.

I don't think Apple is handling it strangely though. In Apple's view, data went out of the company into unauthorized hands (even though no malice was intended), so they have to report it that way.


No malice was intended? How can you say that for sure?

Not sure about you, but your second point sounds like a threat.

2) he reported the bugs and asked Apple if he should stop doing this (i.e. research).
 
Assuming this guy is the reason why we haven't gotten the iOS 7 beta release today...

Thanks Ibrahim Balic - I hope someone hacks and bricks all of your iDevices.
 
Anyone getting beta 4? I checked for update but nothing :(
They usually release updates at 10AM, so if not now then not today.
 
Well quite. Even if his intentions were honorable, how can he be sure he hasn't leaked any of Apple's data himself? Is his own system secure?

See my post above: what is there to leak? Name, mailing address and email address?

Those pieces of info are not a "security breach" as defined under the law. Now Apple may have its own server issues, but as to the individual developers, that stuff is harmless.
 
You're equating a physical break-in to a house with a breach of online security... That is nearly as moronic as the car analogies computer enthusiasts try to use all the time while comparing hardware.

Obviously there are some differences, but I believe (and I'm not the OP) that it is accurate in the ways that count.

What the guy did, and correct me if I'm wrong, is equivalent to the following:
1. Walked around your house attempting to pick all your locks
2. Found a lock he could pick
3. Picked the lock, walked inside, took an item as "proof"
4. Left a note saying he was able to do so.

1&2 do not equate to illegal if we knock out the physical act of trespassing. And 4 is what he did right. It's #3 that I'd call too far and illegal.

I've been around the internet since the beginning, and was a CS student at a small uni with IT that was constantly trying to play catch-up. I've stumbled into my fair share of databases. Do you know what I did when I stumbled into databases I knew I shouldn't have access to? I backed the @#$% up and digitally walked away. I did not proceed to copy the database in portion or in its entirety.

Even if you accidentally stumble through an unlocked door and end up in a place you know you shouldn't be, you don't take something as proof that you did it. You immediately turn around and call/write later if you so choose.

Put in a purely digital way, what he did was take information that wasn't perfectly secure, and make it LESS secure by copying it and placing it God knows where.
 
Actually, I would be angry at both the business for not taking precautions, and the burglar because he/she committed a crime and stole my stuff......

And which of the two angers is likely to have the most immediate practical effect on your security?
 
They haven't responded because their lawyers will have told them not to. Now they will sue him for costing Apple and possibly the developers money (ironically by showing them how they could lose money from being hacked). :rolleyes:

It's good that he is helping to highlight flaws but is there not a less havoc wreaking way of doing so?

Suing him would be a pretty crappy PR move. Better to offer him a job. But when Apple said they'd been hacked... well, they had. They don't know if it was malicious or not. They'll do their own investigation, and if it wasn't then they'll thank him in some way (like a job perhaps) and be done with it.
 
This guy was an idiot. Bug fixes are NOT instant, someone with more intelligence would give Apple more than a few hours to respond. It probably took a few hours just to get to his report.
 
What's the big deal about a name and email address?

Under most state data breach statutes, that information does not even count as "personal information" and does not trigger notification obligations.

The only piece of info that really matters is a social security number and/or credit card numbers.

And credit card numbers are worse for the credit card company than the consumer, since you can easily dispute fraudulent card charges.

The term "security breach" is thrown around way too easily.

Phishing scams, SPAM listings, a point of entry for digging deeper into other old records that can lead to actual private information that can be used by identity thieves, etc.
 
What's the big deal about a name and email address?

Under most state data breach statutes, that information does not even count as "personal information" and does not trigger notification obligations.

The only piece of info that really matters is a social security number and/or credit card numbers.

And credit card numbers are worse for the credit card company than the consumer, since you can easily dispute fraudulent card charges.

The term "security breach" is thrown around way too easily.

You don't get it. Until Apple completely discloses the extent of the security breach one must assume that more than contact info was exposed. Again, where I work IT security is going ape **** over this. Until told otherwise by Apple, we consider all of our certs (mdm/provisioning/etc) to be compromised and will be revoked as soon as we get access to the portal. We also have stopped provisioning devices on our mdm platform because we do not have confirmation from Apple as to how long the security holes have been open in the dev portal and we do not know how long the certs could have potentially been compromised.
 
Anyone getting beta 4? I checked for update but nothing :(
They usually release updates at 10AM, so if not now then not today.

They won't release it while the dev site is down. Although they most likely can still do over-the-air updates, they will want people to be able to access the supporting documents like the release notes.
 
A front door, or the safe used in another example, are not the same. When you start delving into analogies like this you get really weird conclusions that lead to bad occurrences or just a plain understanding of what is going on.

Breaking into a private home is a bad analogy.

This is an international corporation who is responsible for keeping its customers' information secure.

Seriously, guys, you sound like you don't even know what the word analogy means, certainly not the purpose of them. Gnomepatrol, neither does your source; that first link lists a bunch of things which aren't even analogies. More akin to poetic license than actual analogy.

You can search, I have made many posts about horrible analogies on this forum and decried many for wasting time attempting to make them. But this one is actually quite acceptable.
 
You've been using a developer portal that has a security flaw. You've been at risk all this time. You'd still be at risk today if it weren't for this researcher.

There's a very large difference between "at risk" vs "suffering actual harm deliberately incurred". Yeah, if not for this researcher we'd still be at risk - and still be getting work done. Thanks to him, I've been stalled for days.

When driving down a 2-lane road, you're at risk for a head-on collision. The risk remains prevalent, even though we all know it's there. This "researcher" decided to "expose the risk" by actually driving vehicles across the center line into oncoming traffic, and you're berating me for being pissed about having to swerve off the road.
 
Because Apple is clearly not keeping its security systems up to par, and it's better for someone to do this and make it public than for someone to do this and steal and sell as much information as he could.

Not sure that this is how security works. There is no such thing as 100% foolproof security. Security can always be improved because there will always be a way to breach it. So we may as well focus on prosecuting anyone who steals information in the name of research.
 