There's a very large difference between "at risk" vs "suffering actual harm deliberately incurred". Yeah, if not for this researcher we'd still be at risk - and still be getting work done. Thanks to him, I've been stalled for days.
When driving down a 2-lane road, you're at risk for a head-on collision. The risk remains prevalent, even though we all know it's there. This "researcher" decided to "expose the risk" by actually driving vehicles across the center line into oncoming traffic, and you're berating me for being pissed about having to swerve off the road.
Sounds like Apple needs to hire a better security staff because their best is obviously not good enough.
That is a piss poor analogy. How about this:
You are driving down the road with many huge potholes. Some guy demonstrates this by making it so obvious you have to stay off the road for a few days.
You know, black hats would've just kept your data and you'd only know later on from your credit.
For all we know, Apple may have security researchers who are just as good at finding vulnerabilities, and they may have found and fixed one or more problems they uncovered without telling us about it.

Sounds like Apple needs to hire a better security staff because their best is obviously not good enough.
Except in your case this is the only road for the guy to get to work.
To improve security.
OK. No problem then. I'll be over tonight to break into your house. I'm not a thief. I just want to make sure your dwelling is secure.
You don't get it. Until Apple completely discloses the extent of the security breach one must assume that more than contact info was exposed. Again, where I work IT security is going ape **** over this. Until told otherwise by Apple, we consider all of our certs (mdm/provisioning/etc) to be compromised and will be revoked as soon as we get access to the portal. We also have stopped provisioning devices on our mdm platform because we do not have confirmation from Apple as to how long the security holes have been open in the dev portal and we do not know how long the certs could have potentially been compromised.
I disagree. This is completely different. This is not a personal property, and a lot of user accounts are at risk. It's a good thing that he's forcing Apple to fix this.
"Security researcher" Yeah, that's it. Is the guy "testing" my front door with a crowbar also a security researcher?
It is nice that he gave apple a couple of hours to respond. Classy of 'im.
Phishing scams, SPAM listings, a point of entry for digging deeper into other old records that can lead to actual private information that can be used by identity thieves, etc.
OK, so possibly I was exaggerating slightly, but I do find the Apple bug report experience to be quite frustrating compared to others.
Aside from its clunky and old-fashioned interface, the most frustrating thing is that it isn't possible to search and check whether an issue has already been reported. This reduces the incentive to spend a lot of time creating a high-quality, detailed bug report when it could likely just get closed as a duplicate anyway.
The more open way in which Google handles bug reporting is far superior.
Suing him would be a pretty crappy PR move. Better to offer him a job. But when Apple said they'd been hacked... well, they had. They don't know if it was malicious or not. They'll do their own investigation, and if it wasn't then they'll thank him in some way (like a job perhaps) and be done with it.
And that's why he's screwed. He didn't just "notice" a defective website, he caused various forms of damage to something which did not belong to him, AND THEN ADMITTED IT IN PUBLIC. All in all very naive behavior.
Actually, I think the point here is that they didn't read their bug reports fast enough. What I take from Balic's comments is that he cracked it and then reported it as a bug. Apple must have noticed the breach before reading the bug report -- they still need to take the steps they're taking, shut down, notify users, but it sounded like they didn't understand what was happening.

The most amazing revelation with this story is that it suggests someone at Apple actually reads bug reports submitted through bugreport.apple.com!
This seems completely contrary to my own experience - perhaps it's actually worth reporting bugs to Apple after all.
Let's hope so. This Hacker-Terrorist should not only be locked up, but billed/sued for the full value of lost productivity to the American economy for whatever length of time that Apple's developer resources are unavailable.
If he's a foreigner, he should be renditioned to Guantanamo Bay and tried as an enemy combatant.
What makes you think they are not good enough? Seriously? We have some obvious idiot making claims. Whether they are true, nobody knows. If they are true, he will never in his life be able to touch US ground because there will be an arrest warrant. As far as we know, Apple's security staff made sure that all the important bits were kept safe.
True that.
It takes AGES till reports get answered and when they do, the answers are disappointing more often than not.
I asked if they can implement ZFS or develop their own file-corruption-aware and preventive filesystem along with other benefits known from ZFS.
See that? 2 options I asked for.
Their answer: ZFS is not owned by Apple.
NO ****.
Apple licenses a lot of technologies, so that statement in itself is completely moot AND ignored my second suggestion.
This is not only frustrating, it's disrespectful. Especially as I waited LITERALLY MONTHS for that reply.
**** that.
Glassed Silver:mac
So we keep driving on it until it causes permanent damage instead because the owners won't fix it??
This is now my favorite curse! I hope he steps on a lego one night!!!!!!!!