There's a very large difference between "at risk" vs "suffering actual harm deliberately incurred". Yeah, if not for this researcher we'd still be at risk - and still be getting work done. Thanks to him, I've been stalled for days.

When driving down a 2-lane road, you're at risk for a head-on collision. The risk remains prevalent, even though we all know it's there. This "researcher" decided to "expose the risk" by actually driving vehicles across the center line into oncoming traffic, and you're berating me for being pissed about having to swerve off the road.

That is a piss poor analogy. How about this:

You are driving down the road with many huge potholes. Some guy demonstrates this by making it so obvious you have to stay off the road for a few days.

You know, black hats would've just kept your data and you'd only know later on from your credit.
 
Sounds like Apple needs to hire a better security staff because their best is obviously not good enough.

What makes you think they are not good enough? Seriously? We have some obvious idiot making claims. Whether they are true, nobody knows. If they are true, he will never in his life be able to touch US ground because there will be an arrest warrant. As far as we know, Apple's security staff made sure that all the important bits were kept safe.
 
That is a piss poor analogy. How about this:

You are driving down the road with many huge potholes. Some guy demonstrates this by making it so obvious you have to stay off the road for a few days.

You know, black hats would've just kept your data and you'd only know later on from your credit.

Except in your case this is the only road for the guy to get to work and you just closed him off of several days' worth of income that he could have gotten from new apps, bug fixes, updates, etc.
 
Sounds like Apple needs to hire a better security staff because their best is obviously not good enough.
For all we know, Apple may have security researchers who are just as good at finding vulnerabilities, and they may have found and fixed one or more problems they uncovered without telling us about it.

When an outsider finds the problem and exploits it then we're much more likely to hear about it and assume Apple was asleep at the switch.
 
OK. No problem then. I'll be over tonight to break into your house. I'm not a thief. I just want to make sure your dwelling is secure.

I disagree. This is completely different. This is not a personal property, and a lot of user accounts are at risk. It's a good thing that he's forcing Apple to fix this.
 
You don't get it. Until Apple completely discloses the extent of the security breach one must assume that more than contact info was exposed. Again, where I work IT security is going ape **** over this. Until told otherwise by Apple, we consider all of our certs (mdm/provisioning/etc) to be compromised and will be revoked as soon as we get access to the portal. We also have stopped provisioning devices on our mdm platform because we do not have confirmation from Apple as to how long the security holes have been open in the dev portal and we do not know how long the certs could have potentially been compromised.

I'm comfortable with the encryption.
 
"Security researcher" Yeah, that's it. Is the guy "testing" my front door with a crowbar also a security researcher?

It is nice that he gave apple a couple of hours to respond. Classy of 'im.

It's certainly problematic to test someone else's security without their permission, and the legal system generally doesn't give you a break on that, but where in the article do you get that "he gave apple (sic) a couple of hours to respond"? There are no statements even implying that he gave them any timeline for anything, and in fact if anything the opposite is implied. He says he was waiting to hear from Apple, but then was surprised by the shutdown and Apple's statement about it.
 
There's a very large difference between "at risk" vs "suffering actual harm deliberately incurred". Yeah, if not for this researcher we'd still be at risk - and still be getting work done. Thanks to him, I've been stalled for days.

When driving down a 2-lane road, you're at risk for a head-on collision. The risk remains prevalent, even though we all know it's there. This "researcher" decided to "expose the risk" by actually driving vehicles across the center line into oncoming traffic, and you're berating me for being pissed about having to swerve off the road.

You'd be stalled now, or stalled at some future date. You take your pick.
 
Phishing scams, SPAM listings, a point of entry for digging deeper into other old records that can lead to actual private information that can be used by identity thieves, etc.

Oh please. Any developer who can't handle a phishing email shouldn't be a developer.

And besides, the law still does not deem an email address or home address (which may already be public) to constitute a security breach.
 
OK, so possibly I was exaggerating slightly, but I do find the Apple bug report experience to be quite frustrating compared to others.

Aside from its clunky and old-fashioned interface, the most frustrating thing is that it isn't possible to search and check whether an issue has already been reported. This reduces the incentive to spend a lot of time creating a high-quality, detailed bug report when it could likely just get closed as a duplicate anyway.

The more open way in which Google handles bug reporting is far superior.

On those points, I cannot argue. Apple's process is FAR from perfect, but not disastrous.
 
Suing him would be a pretty crappy PR move. Better to offer him a job. But when Apple said they'd been hacked... well, they had. They don't know if it was malicious or not. They'll do their own investigation, and if it wasn't then they'll thank him in some way (like a job perhaps) and be done with it.

Stupid, stupid, stupid. You can never, ever offer him a job. Serious customers will run away. If someone has shown that level of bad judgement, you cannot trust that person. Ever.

That said, there is a big difference between a person who can make things safe and a person who can break things.
 
And that's why he's screwed. He didn't just "notice" a defective website, he caused various forms of damage to something which did not belong to him, AND THEN ADMITTED IT IN PUBLIC. All in all very naive behavior.

What damage? He did some testing to see if the bug was real, and then he immediately reported it via the Apple Developer network.

Apparently, instead of getting back to him with "Thanks!", Apple shut down their site and blamed an "intruder", which must've scared the heck out of him.

That sure sounds like they must've checked their logs and found evidence of more than just him getting in.

I think part of this is going to turn out to be simple miscommunication. Apple got freaked out, but didn't tell him why, so he got freaked out, too.
 
The most amazing revelation with this story is that it suggests someone at Apple actually reads bug reports submitted through bugreport.apple.com!

This seems completely contrary to my own experience - perhaps it's actually worth reporting bugs to Apple after all.
Actually, I think the point here is that they didn't read their bug reports fast enough. What I take from Balic's comments is that he cracked it and then reported it as a bug. Apple must have noticed the breach before reading the bug report-- they still need to take the steps they're taking, shut down, notify users, but it sounded like they didn't understand what was happening.

That said, I've had very good response to my bug reports-- often with much more back and forth than I'd expect.
True that.
It takes AGES till reports get answered and when they do, the answers are disappointing more often than not.

I asked if they can implement ZFS or develop their own file corruption aware and preventive Filesystem along with other benefits known from ZFS.
See that? 2 options I asked for.

That's not a bug report, that's discussing future product plans. Did you expect a response saying "That'll be in our next major release that ships in September."?

Let's hope so. This Hacker-Terrorist should not only be locked up, but billed/sued for the full value of lost productivity to the American economy for whatever length of time that Apple's developer resources are unavailable.

If he's a foreigner, he should be renditioned to Guantanamo Bay and tried as an enemy combatant.

It used to bother me that everybody wanted to escalate the impact of their point by relating everything to terrorism. Just now I realized that what's actually happening is that the word "terrorist" is being diluted into meaninglessness. I'm good with that.

Most likely, this guy is what he says-- a researcher who may have not structured his research properly. At worst, he's a criminal stealing data. I'm finding that, for most people, "terrorist" just means "a criminal whose name I can't pronounce".
 
What makes you think they are not good enough? Seriously? We have some obvious idiot making claims. Whether they are true, nobody knows. If they are true, he will never in his life be able to touch US ground because there will be an arrest warrant. As far as we know, Apple's security staff made sure that all the important bits were kept safe.

They aren't good enough to respond to well-known bugs in a timely manner. That's pretty serious.

Not even talking about unverified bug reports submitted directly to Apple. Talking about Apache's own announcements of the security holes found in Struts 2.

They either don't stay up to date on published known security vulnerabilities in the software they use in their technology stack, or they're apathetic to them, or indefensibly slow to address them. None of these options are flattering to Apple's security staff.
 
"Security researcher" Yeah, that's it. Is the guy "testing" my front door with a crowbar also a security researcher?

It is nice that he gave apple a couple of hours to respond. Classy of 'im.

For what it's worth, if you knew anything about the programming and security industries, you'd know there are tens of thousands of people like this guy, who basically try to break into services, and then report the issue to the developer, giving them X time to fix it before it's made public.

One such example is in the Web Hosting industry. A couple of people found pretty major flaws in two server hosting packages. One of the companies fixed it within a couple of days. The other told them to get lost and didn't fix it - so they announced the flaw to the public - which is a good thing. If the developer/company doesn't care enough to secure their products (and customer data) they deserve to be hung out to dry.

It's way better that a security researcher found this flaw rather than a hacker group who would have used it to steal/sell personal details. Plus Apple would be none the wiser as they certainly wouldn't have told them about it.

Remember the Sony PSN hack outage? A security researcher had told them about the flaws BEFORE that happened and they chose to ignore him.
 
True that.
It takes AGES till reports get answered and when they do, the answers are disappointing more often than not.

I asked if they can implement ZFS or develop their own file corruption aware and preventive Filesystem along with other benefits known from ZFS.
See that? 2 options I asked for.

Their answer: ZFS is not owned by Apple.

NO ****.
Apple licenses a lot of technologies, so that statement in itself is completely moot AND ignored my second suggestion.
This is not only frustrating, it's disrespectful. Especially as I waited LITERALLY MONTHS for that reply.

**** that.


So, you used a bug reporting system to ask a question instead of reporting a bug, and didn't like the answer you got to your non-bug. That's hardly a failure of the bug reporting system. It's not the right channel for that sort of inquiry.
 
So we keep driving on it until it causes permanent damage instead because the owners won't fix it??

Sigh, the analogy doesn't even work in this scenario. IRL, the risk is negligible. All your info is encrypted anyway; the situation could have been handled with a lot more tact.
 
The amount of people who are blindly leaping to Apple's or this guy's side without possibly knowing the entire story is staggering.

Also, the analogies are laughable at best.
 