Agreed....

The number of people that have gotten reset notifications not initiated by themselves makes me believe the data was sold.

It's nice that someone on the internet agrees with me, but I was actually making a different point (not quite the opposite point, but close):

People get password reset notifications all the time. Typically you have no idea how they got your user id and/or email address to initiate the password reset.

But today everyone (well, Apple developers I guess) can point to this.

However, there's no way to tell from scattered reports whether people got the info from this researcher/hacker (whatever he is) or various other means. The info is public, so there are a lot of ways this information can be harvested.

Now, if there was a sudden up-tick in password reset notifications for Apple developer accounts then we could likely put two and two together. But scattered reports don't show this.

So we don't know.

I can tell you one thing for sure: it's not all developers getting password reset messages.
 
He should be prepared to get sued by any single app developer.
Apple shut down their developer site, and Apple was responsible for the fact that the site was insecure in the first place. This guy just revealed the security issues. Obviously it would be unreasonable to hold him responsible for the fact that the site is down.

In the meantime, let's hope Apple gets the developer center back up ASAP, I need to provision some devices!
 
Oh, my bad, sorry for the wrong information.

That's why Apple didn't seed a new beta and new DP. Too bad, maybe next Monday.
 
It's good that he is helping to highlight flaws but is there not a less havoc wreaking way of doing so?

For all we know he could have reported it to Apple a month ago, in which case he's perfectly entitled to confirm that a flaw exists, and demonstrate it in use (30 days is generally considered the norm for posting vulnerabilities within the security industry).
 
For all we know he could have reported it to Apple a month ago, in which case he's perfectly entitled to confirm that a flaw exists, and demonstrate it in use (30 days is generally considered the norm for posting vulnerabilities within the security industry).

lol, so any old shmuck could just go hack your systems because they didn't respond to your bug reports within 30 days? What kind of garbage is that? You do realize because of this guy's actions, Apple had to take down the site costing time and money for developers.
 
Let's hope so. This Hacker-Terrorist should not only be locked up, but billed/sued for the full value of lost productivity to the American economy for whatever length of time that Apple's developer resources are unavailable.

If he's a foreigner, he should be renditioned to Guantanamo Bay and tried as an enemy combatant.


Terrorist? How did you come to that conclusion?
 
That is a piss poor analogy. How about this:

You are driving down the road with many huge potholes. Some guy demonstrates this by making it so obvious you have to stay off the road for a few days.

1. Insult analogy
2. Set up unrelated scenario
3. ???
4. Declare superiority

Huh?
 
No malice was intended? How can you say that for sure?

Not sure about you, but your second point sounds like a threat.

2) he reported the bugs and asked Apple if he should stop doing this (ie research).

No, it wasn't a threat... maybe because of the way I wrote it; the guy actually wrote something like... 'and asked if I am putting them in any difficulty so that I can give a break to my research'.

I cannot say no malice was intended... but if there was malice he wouldn't have gone through all the trouble to identify himself, etc.

The scarier part is that there could have been malicious real hackers that realized this vulnerability (and exploited it) well before this guy ever discovered it.
 
Perhaps he sent a simple command first to see if he could get his own info... and did.

The next natural thing for a database person to do, is use a wildcard request. Bam! 100,000+ responses before he could stop it.

That's all Andrew Auernheimer did, and all he got were email addresses and SIM card identifiers. And, unlike Balic, Auernheimer posted redacted data. He's still serving a 41 month sentence in a federal prison.
 
Even doing as.....

a proof-of-concept, I can envision scenarios where this "hacking" would be unlawful and prosecuted. Will it take some time before the "security expert" in question starts to milk it or brag "I brought down Apple's developer corner"? And laudable as it is, per se, to report bugs, this kind of activity is not sought by Apple. Or by any person, for that matter..... So I am torn on this issue: I applaud the technical prowess to do this, but it seems to me there was no right to do it. I will look forward to hearing more about how this case develops, the countermeasures Apple will take, more data released by the expert and, yes, the Developer Center back online....:eek: :(


:):apple:
 
Perhaps he sent a simple command first to see if he could get his own info... and did.

The next natural thing for a database person to do, is use a wildcard request. Bam! 100,000+ responses before he could stop it.

--

In any case, we don't yet know what his email to Apple said. Maybe he did just give the example command.

None of which changes my point. There was no need for him to access the data at all.

A front door, or, in another example used, a safe, are not the same. When you start delving into analogies like this you get really weird conclusions that lead to bad occurrences or just plain misunderstanding of what is going on.

There is some good outlining in here: Source

Not saying that all are bad, I think it is just best to shy away from them as they tend to skew true understanding of what is actually occurring.

Edit: Here is another good one.

It could be the worst technology analogy we’ve heard in years. Dean Del Mastro, a Canadian Conservative MP was trying to argue against the simple act of format shifting and decided to use an analogy to explain his point. He ended up comparing it to as if you stole a pair of shoes after you buy a pair of socks.

"It’s like going to a clothing store and buying a pair of socks, and going back and saying ‘By the way, it wasn’t socks I needed, what I really wanted was shoes, so I’m just going to take these — I’m going to ‘format shift’ from socks to shoes — and I’m not going to pay anything because it was all for my feet.’”

Source

None of which explains why this specific analogy is bad.

Breaking into a private home is a bad analogy.

This is an international corporation who is responsible for keeping its customer's information secure.

He and his employees are some of their customers. He found out that their (and everyone else's) info was NOT properly secured.

It's an analogy. Not an exact analog.

If you still need an analogy, even though none is needed, imagine you were curious if your bank's website would take database commands, even though it should not.

That's hardly an analogy. That's the exact same situation with a different company.

You are shocked to find out it does, so you try some more commands, and then send them an email advising them of the hole, with proof.

Dumb? Perhaps. Whose fault? The website owner.

Kind of like it's a bank owner's fault if they accidentally leave the safe open. Doesn't change the fact that if someone enters the building after hours by bypassing the alarm and takes some money, they're still robbing the bank.

Obviously he was worried from Apple's public wording, that they were going to try to lay the blame on him, and that's why he went public.

Because he did something illegal? Shocking.

Because Apple only cares if the break-in is made public. They don't care if data are stolen and no one finds out. They do care about their public image.

Again, all he had to do was go public with his exploit after giving Apple time to respond. He did not have to steal data.
 
Security researchers don't typically download 100k user accounts. There's no need to do that to prove his claims. Very suspicious. And Apple has no way to know that he has not or will not use these 100k developer accounts to his own profit. If he actually is above-board, he's put himself in an incredibly bad situation.
 
Not sure that this is how security works. There is no such thing as 100% foolproof security. Security can always be improved because there will always be a way to breach it. So we may as well focus on prosecuting anyone who steals information in the name of research.

I didn't say there was a way to make it 100% or that I expected it from them. I'm saying this guy is clearly doing things the right way, he proved it could be done. There's no proof he is doing this for personal gain, or fame, or anything other than to show Apple they had a flaw in their security.

Fanboys like you are overreacting and need to calm your faces. If this was Samsung or Microsoft you'd be laughing at this, and saying the guy deserved a medal. But since he pointed out a flaw in the greatest company of all time, he's evil and needs to die.
 
Agreed....

The number of people that have gotten reset notifications not initiated by themselves makes me believe the data was sold.

That should not tell you anything. It would be bad security practice not to reset them all on just the off chance it was taken. Not sold, just a chance anyone touched it. If Apple was not doing it then that would be an even larger issue. In security you ALWAYS, and I mean ALWAYS, err on the side of caution.
 
Kind of like it's a bank owner's fault if they accidentally leave the safe open. Doesn't change the fact that if someone enters the building after hours by bypassing the alarm, they're still robbing the bank.

See, he's not robbing anything. The best analogy would be like a bank leaving a ledger book with all their customers' names, social security numbers, names, and credit card info out behind the counter where anyone could grab it. Some good samaritan sees that the bank is being kinda lax about securing their important information, reaches over to grab it, then says "hey, you need to be a little more careful about this stuff".

It's true. He didn't have to reach over and grab it. Doing so might be considered trespass if you look at it right. But it's kind of a good thing he did decide to do it, because what would've happened if someone whose intentions were a little less pure decided to do the same thing?
 
That's all Andrew Auernheimer did, and all he got were email addresses and SIM card identifiers. And, unlike Balic, Auernheimer posted redacted data. He's still serving a 41 month sentence in a federal prison.

I don't disagree, but I believe in the case of Auernheimer, he notified the press (Gawker) first, before AT&T. I'm not sure about the details, but this allowed others to exploit the vulnerability.

This guy kept his silence, only notifying Apple... and eventually came forward because he was distraught that he was labelled a hacker and might be in trouble. This was after Apple brought the site down.
 
He should get jail time. You don't just go around without permission doing security penetration tests.

lol it's hard to get a job these days, have to get a resume somehow :cool:

The story about Auernheimer is sad...

If white-hats aren't around, there will only be black-hats. Is that what we want?
 
See, he's not robbing anything.

Wow. Nobody said he was robbing anything. It's an analogy!

The best analogy would be like a bank leaving a ledger book with all their customers' names, social security numbers, names, and credit card info out behind the counter where anyone could grab it. Some good samaritan sees that the bank is being kinda lax about securing their important information, reaches over to grab it, then says "hey, you need to be a little more careful about this stuff".

It's true. He didn't have to reach over and grab it. Doing so might be considered trespass if you look at it right. But it's kind of a good thing he did decide to do it, because what would've happened if someone whose intentions were a little less pure decided to do the same thing?

It wasn't out in the open. It was protected by security. Security that someone found a way around. You know, just like bank robbers do when they rob a bank.

He wasn't some random good Samaritan who happened to notice a problem. He was specifically probing for security holes.
 
As part of improving security, Apple could just hire someone to 'test' for security holes. Honestly, I am surprised they don't have a team of people for that purpose alone.

And who's to say they don't? I'd wager they do. Any software company that deals with security for millions of users more than likely tests these things, how do you think they devise their security practices in the first place? Now whether or not the team they have is a world-class team is another topic, but you shouldn't assume that they don't have people inside Apple.
 