AppleInsider › Forums › Mobile › iPad › Hackers fire back at AT&T, say all iPads at risk to Safari hole

Hackers fire back at AT&T, say all iPads at risk to Safari hole

post #1 of 58
Thread Starter 
Disgruntled at having been characterized as 'malicious' by AT&T, the group of hackers who exploited a hole in the wireless operator's website last week have fired back by accusing both AT&T and Apple of acting irresponsibly in regard to iPad security.

In a blog post Monday, Goatse Security attested that its manipulation of an AT&T web server that spit out the email addresses of over 114,000 iPad 3G subscribers -- including many top government and corporate officials -- was done as a public service, objecting to allegations in AT&T's apology to customers that it acted "maliciously" and went to "great efforts" to perform the hack.

"AT&T had plenty of time to inform the public before our disclosure. It was not done," the group said. "If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by […] some other criminal organization or government."

"[The] finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails," it added.

Escher Auernheimer, a member of Goatse Security, said the group disclosed the data it extracted from AT&T's server to just one journalist and then destroyed the original copy. He went on to accuse AT&T of dragging its feet on alerting customers and being dishonest about the potential for harm.

"Post-patch, disclosure should be immediate, within the hour," he wrote. "Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability."

Separately, Auernheimer took both Apple and AT&T to task for failing to correct, and alert users to, a semantic integer overflow exploit in Safari for the iPad that the group discovered and publicized back in March.

"It was patched on Apple’s desktop Safari but has yet to be patched on the iPad," he said. "This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables."

A more detailed explanation of the hack posted by Goatse explains how Safari on the iPad fails to block access to 'nonexistent' ports: port numbers above 65,535, which fall outside the 65,536 values representable in a 16-bit number, also known as a 'short' integer. Such a number is not matched against the browser's list of blocked ports, yet it is truncated to 16 bits when the connection is actually made, so the request lands on a lower port that the list was meant to protect.

Once implemented, the hack can reportedly allow hackers to steal someone else's email identity, reflash network devices with firmware, or trick Safari into doing "pretty much anything on any TCP port and not have any current IDS/IPS in existence be any wiser for it."

"The potential for this sort of attack and the number of iPad users on the list we saw who were stewards of major public and commercial infrastructure necessitated our public disclosure," Auernheimer said. "People in critical positions have a right to completely understand the scope of vulnerability immediately."
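The port-filter bypass that the article above describes, as an added example that is not Goatse Security's code and not WebKit's: a Python model of a browser's blocked-port list in its naive form next to a hardened one. The only fact taken from the page is that a port number above 65,535 escapes the check and wraps to a 16-bit value at the socket; the contents of BLOCKED_PORTS, the function names and the bypass_port helper are assumptions made for the illustration.

```python
"""Model of a browser port filter and the 16-bit wrap that defeats a naive one.

Added example: this is not WebKit's code. BLOCKED_PORTS is an assumed
subset of the ports browsers refuse to let page content talk to.
"""

BLOCKED_PORTS = {21, 22, 23, 25, 110, 143, 6667}  # assumed subset
MAX_PORT = 0xFFFF  # 65535: largest value a 16-bit TCP port field can hold


def effective_port(requested: int) -> int:
    """Port the socket layer really uses.

    The port in a sockaddr is a 16-bit field, so a larger number written in
    a URL is silently reduced modulo 65536: 65561 becomes 25.
    """
    return requested & MAX_PORT


def naive_is_blocked(requested: int) -> bool:
    """Vulnerable filter: compares the number exactly as written in the URL."""
    return requested in BLOCKED_PORTS


def hardened_is_blocked(requested: int) -> bool:
    """Fixed filter: refuse anything outside 0..65535, then compare the
    port the connection will actually reach."""
    if not 0 <= requested <= MAX_PORT:
        return True
    return effective_port(requested) in BLOCKED_PORTS


def bypass_port(target: int, wraps: int = 1) -> int:
    """Port number an attacker writes to reach `target` past the naive
    filter: the target plus a multiple of 65536 (hypothetical helper)."""
    return target + wraps * (MAX_PORT + 1)


def evaluate(requested: int) -> dict:
    """Compare both filters for one URL port, and show where the socket goes."""
    return {
        "requested": requested,
        "naive_blocked": naive_is_blocked(requested),
        "hardened_blocked": hardened_is_blocked(requested),
        "reaches": effective_port(requested),
    }


if __name__ == "__main__":
    for url_port in (25, bypass_port(25), 6667, bypass_port(6667, 3), 80):
        print(evaluate(url_port))
```

The hardened version does two things the naive one does not: it rejects any value the 16-bit port field cannot hold instead of letting the socket layer reinterpret it, and it compares the port the connection will really use. Either check alone closes the wrap; doing both keeps the range error visible rather than silently folding it into the blocklist comparison.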
post #2 of 58
Are the Feds still looking at these guys? They're so tough ragging on AT&T and Apple. I'd be impressed if they'd "fire back" at the FBI.
A.k.a. AppleHead on other forums.
post #3 of 58
". . .likely be exploited by […] some other criminal organization or government."

This is the only part of the article I disagree with. There's no difference between a criminal organization and a government. Separate terms imply a distinction where none exists.
post #4 of 58
Is this applicable to iPhone Safari as well? I am not clear whether the short integer overflow is the same problem as the AT&T one. Can anyone clarify it?
post #5 of 58
Oh wow, idiots with scripts they downloaded from a 'hacking' toolkit.

These morons are only out for publicity, they'll keep saying whatever garbage they can pull out of their butts to stay in the news. Gizmodo is highlighting these retards to try and give Apple a black eye. What's amazing is that it took a whole team of these idiots to come up with this, haven't they heard that Google is harvesting wifi data on a global level? Kind of pathetic as a hack, but then again, I'm sure pathetic and goatse go hand in hand... maybe they should try and hack their way into a date with a real live person? I've heard that severe acute cases of virginitus can cause one to do these types of things.

I've got the same skills without any hacker script kit... Just send me your ATM cards and I'll match them to my database of PINs that I 'accessed' through a security hole.
3758
2269
1173
0348
2142
6785
1234
0000
It's that genius. If only I had the amount of time that Goatse's team can dedicate to watch a script randomly generate numbers.
post #6 of 58
Quote:
Originally Posted by AppleInsider View Post

"AT&T had plenty of time to inform the public before our disclosure. It was not done," the group said. "If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by […] some other criminal organization or government."

...

"Post-patch, disclosure should be immediate, within the hour," he wrote. "Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability."

In other words...

"You AT&T people! We did this iPad FUD attack, and you didn't immediately turn around and amplify our FUD!"

Where's the part where this security company explains why they didn't report the problem directly to AT&T?

Personally, I find it extremely suspicious that this company is using Gawker as their FUD distribution network. I hope the FBI expands their investigation to determine whether this data breach problem is part of Gawker's petulant vengeance thing.
post #7 of 58
Quote:
Originally Posted by anakin1992 View Post

is this applicable on iphone safari as well? i am not clear whether short integer overflow is the same problem as that by att. can any one clarify it?

Yep, it still seems applicable to the iPhone, iPod and iPad versions of Safari. Currently only the desktop version of Safari has been patched.

Quote:
List of Webkit-based browsers found to be affected:

* OS X Safari
* iPhone/iPod Safari
* iPad Safari (confirmed with iPad Simulator in SDK 3.2 beta 4 w/ XCode 3.2.2)
* Arora
* iCab
* OmniWeb
* Stainless

The only Webkit-based browser found to not be vulnerable:

* Google Chrome

cf. http://encyclopediadramatica.com/Safari_XPS_Attack
post #8 of 58
Quote:
Originally Posted by TalkinMan View Post

In other words...
I hope the FBI expands their investigation to determine whether this data breach problem is part of Gawker's petulant vengeance thing.

you meant:

1: Gizmodo's iPhone 4 exposure?
2: Ryan Tate's heated email exchange with Steve Jobs, who disparaged Ryan as a useless snob?
3: Steve Jobs's disparagement of web bloggers vs traditional media?
post #9 of 58
Quote:
Originally Posted by TalkinMan View Post

In other words...

"You AT&T people! We did this iPad FUD attack, and you didn't immediately turn around and amplify our FUD!"

Where's the part where this security company explains why they didn't report the problem directly to AT&T?

Personally, I find it extremely suspicious that this company is using Gawker as their FUD distribution network. I hope the FBI expands their investigation to determine whether this data breach problem is part of Gawker's petulant vengeance thing.

Anything even remotely associated with Gawker is suspect for me now.
post #10 of 58
Quote:
Originally Posted by anakin1992 View Post

you meant:

1: Gizmodo's iPhone 4 exposure?
2: Ryan Tate's heated email exchange with Steve Jobs, who disparaged Ryan as a useless snob?
3: Steve Jobs's disparagement of web bloggers vs traditional media?

I'm never going on to gawker or any of their websites, after what they did to the poor apple engineer who lost the phone. That being said, I think this thing is getting blown out of proportion.
post #11 of 58
Quote:
Originally Posted by AppleInsider View Post

Escher Auernheimer, a member of Goatse Security, said the group disclosed the data it extracted from AT&T's server to just one journalist and then destroyed the original copy. He went on to accuse AT&T of dragging its feet on alerting customers and being dishonest about the potential for harm.

Can anybody explain why Goatse Security felt compelled to actually provide the data to a journalist? There was already a story there without actually providing the data (that they acknowledge as private).

By sending the private data out like that, they could no longer vouch for its security. (Wouldn't this be a fairly big no-no if this were a REAL security organization?)

Thompson
post #12 of 58
This reminds me of an article I was reading on Dagens Nyheter (Daily News) a couple days back. There was a motorist in Sweden that was pissed off about cyclists on the roads, so when one got in his way in the middle of a roundabout he rammed him off the road. When asked by the police if he felt he did anything wrong he said, "If he didn't want to get hit by a car he shouldn't have been on the road."

This seems to be the same justification these people used ... AT&T was doing something we don't like and that we consider reckless so we're going to hit them with our car (metaphorically speaking).
post #13 of 58
Seriously, everyone saying how all the blogs are so anti-Apple these days is getting really irritating. Sounds like Sarah Palin whining about the “mainstream media.” Are the blogs perfectly unbiased? Probably not; they’re blogs after all. But they aren’t anywhere close to being bad enough that one would have to completely avoid them. Sometimes it’s good to read views that oppose your own.

Quote:
Originally Posted by blursd View Post

This seems to be the same justification these people used ... AT&T was doing something we don't like and that we consider reckless so we're going to hit them with our car (metaphorically speaking).

If Goatse Security had gone on to maliciously use the email addresses, then yeah, your analogy might be correct. However, they simply proved a problem existed and then reported it. It would be similar to the Swedish driver taking a picture of the cyclists crowding the road and giving it to the local newspaper, rather than him ramming a cyclist.

P.S. If that anecdote is true, then seriously Mr. Driver, just chill out - why risk seriously hurting another person? At least the cyclist isn’t contributing to our lovely dependence on oil. I know cyclists get annoying, but man, maybe if we all did it more our obesity rate wouldn’t be an astounding 1/3.

/rant
post #14 of 58
Quote:
Originally Posted by thompr View Post

Can anybody explain why Goatse Security felt compelled to actually provide the data to a journalist?

At the Gawker article they explained that they first notified AT&T, and waited until after the hole was closed before talking with the reporter. As noted in this article, they had hoped AT&T would do right by Apple's customers and let them know of this security breach, but AT&T chose not to inform Apple's customers in a timely manner so Goatse did it for them.
post #15 of 58
The only "hole" in this case are the hackers.

Just buy a vowel and add "A".
Pity the agnostic dyslectic. They spend all their time contemplating the existence of dog.
post #16 of 58
I mean seriously. Apple will be very secure after these guys get finished with them.
post #17 of 58
Quote:
Originally Posted by justflybob View Post

The only "hole" in this case are the hackers.

Just buy a vowel and add "A".

You mean buy a vowel and add two ss's?
Hard-Core.
post #18 of 58
Quote:
Originally Posted by RationalTroll View Post

At the Gawker article they explained that they first notified AT&T, and waited until after the hole was closed before talking with the reporter. As noted in this article, they had hoped AT&T would do right by Apple's customers and let them know of this security breach, but AT&T chose not to inform Apple's customers in a timely manner so Goatse did it for them.

That still doesn't justify them illegally getting people's personal information and illegally distributing it to others. ATT didn't need to tell anyone, if no information was harvested. Anyone can have a security hole? Whenever you are putting your information you are always at risk on the internet. However, leaking it to customers would've been wrong because now you have let other criminals know about the hole. Had they known emails were harvested from the get go they would've let people know.
post #19 of 58
Quote:
Originally Posted by Planet Blue View Post

P.S. [...] At least the cyclist isn't contributing to our lovely dependence on oil. [...]

chances are they are riding on tires made with some amount of petroleum product, however small that might be, relatively speaking. and how many tires does one go through in a year?

... and the asphalt they ride on has some crude oil component.

... how much oil was used to manufacture and deliver the bicycle?

so i get the gist of your statement, but it's not absolutely true.

i'm just sayin'
post #20 of 58
Too many coincidences here. Goatse Security, who claims that their penetration of the AT&T website is an act of protecting American national security for the sake of "their country," decides to use a French web address for their website. Goatse Security just happens to decide to give an exclusive story to Ryan, who has had an email run-in with Steve Jobs, at Valleywag, a blog owned by Gawker Media, who is in litigation with the police and Apple over the alleged purchase of a stolen prototype of the iPhone 4. Goatse Security, of course, says they received no compensation from Gawker Media for this exclusive story, but they give Ryan a full list of the emails recovered from their penetration of the AT&T website "to prove that they were successful." Valleywag just happens to decide to run the story in a way that blames Apple, rather than AT&T, for the security problem. Goatse Security just happens to decide not to inform AT&T, but to make sure that "someone tipped them off."

Guess it isn't a coincidence that the FBI chose to investigate Gawker's involvement in this situation.
post #21 of 58
Quote:
Originally Posted by AdonisSMU View Post

That still doesn't justify them illegally getting people's personal information and illegally distributing it to others. ATT didn't need to tell anyone, if no information was harvested. Anyone can have a security hole? Whenever you are putting your information you are always at risk on the internet. However, leaking it to customers would've been wrong because now you have let other criminals know about the hole. Had they known emails were harvested from the get go they would've let people know.

Goatse claims that the only copy of the data they had was given to the reporter, and their own destroyed. Any data in the wild is a result of the exposure AT&T created for themselves, not from Goatse's sharing of the data with one reporter.
post #22 of 58
Quote:
Originally Posted by commun5 View Post

Goatse Security just happens to decide not to inform AT&T, but to make sure that "someone tipped them off."

Goatse has claimed that they did indeed contact AT&T before going to the press, which is how the hole was closed before Goatse contacted the reporter.
post #23 of 58
Quote:
Originally Posted by Planet Blue View Post

Seriously, everyone saying how all the blogs are so anti-Apple these days is getting really irritating. Sounds like Sarah Palin whining about the mainstream media. Are the blogs perfectly unbiased? Probably not; they're blogs after all. But they aren't anywhere close to being bad enough that one would have to completely avoid them. Sometimes it's good to read views that oppose your own.

If Goatse Security had gone on to maliciously use the email addresses, then yeah, your analogy might be correct. However, they simply proved a problem existed and then reported it. It would be similar to the Swedish driver taking a picture of the cyclists crowding the road and giving it to the local newspaper, rather than him ramming a cyclist.

P.S. If that anecdote is true, then seriously Mr. Driver, just chill out - why risk seriously hurting another person? At least the cyclist isn't contributing to our lovely dependence on oil. I know cyclists get annoying, but man, maybe if we all did it more our obesity rate wouldn't be an astounding 1/3.

/rant


Uhm, no, it was more like the person that hit the bike started yelling "look what the bike did, it hit my car" and the bike fell over on its own...
post #24 of 58
Oh no the FBI is involved! All hail pigs that can fly! It's the "H" word!
post #25 of 58
Quote:
Originally Posted by RationalTroll View Post

Goatse claims that the only copy of the data they had was given to the reporter, and their own destroyed. Any data in the wild is a result of the exposure AT&T created for themselves, not from Goatse's sharing of the data with one reporter.

Of course they are saying that so they can avoid getting into legal trouble with the feds. If they really had the people's best interest at heart they would've just let ATT know about it and had them fix it and moved on to something else....rather than harvesting the information they got by the leak. Who knows they may have gotten other information that they didn't disclose. They are only out for their own best interests not to help the American people.

There should have never been any data to destroy or distribute in the first place. The reason you don't get any data is so that if someone's data is out there you aren't on the hook when something goes wrong. Now we know they illegally cracked into ATT's database and got information out by their own admission to the tune of 114,000 people and who knows how many others information was stolen that they aren't telling us. So anyone who really could've benefited or gotten the information for devious uses now has a cover.

I think ATT should keep milking the free security tips while they can.
post #26 of 58
Quote:
Originally Posted by AdonisSMU View Post

Of course they are saying that so they can avoid getting into legal trouble with the feds.

Has anyone made a claim to the contrary?
post #27 of 58
Quote:
Originally Posted by TalkinMan View Post

In other words...

"You AT&T people! We did this iPad FUD attack, and you didn't immediately turn around and amplify our FUD!"

Where's the part where this security company explains why they didn't report the problem directly to AT&T?

Actually they say they did. Way back in March in fact. And Apple didn't fix this issue, which hasn't been proven as an issue at all, on the iPad/iPhone.

In fact, from the sounds of it, there's two different things going on, which they didn't show as connected.

One is this weird hole that allows folks to run stuff on your computer. And the other is them hacking ATT's activation server and using a program to generate a bunch of potential IP and look up the associated email address. They don't really state that they used the hole somehow to do this, if that is the case.

Quote:
Personally, I find it extremely suspicious that this company is using Gawker as their FUD distribution network.

Gawker will take anything they can spin into anti-Apple talk

Quote:
Originally Posted by Planet Blue View Post

Seriously, everyone saying how all the blogs are so anti-Apple these days is getting really irritating.

It has been rather exaggerated.

In fact there are really only 2 anti-Apple blogs. The rest is just some commentators on the blogs being anti-Apple.
The two actual blogs are Engadget, which has always been less than thrilled with Apple (or at least the 'fanboi' side of Apple). And Gawker. Gawker just seems like more because they run several departments and 3 of them (Gawker, Gizmodo and Valleywag) all mention Apple and lately a lot. Funny thing is that they used to be more praising. Or at least closer to neutral. Then they screwed themselves with Valleywag's attempted tablet stunt and Gizmodo's actual phone one and are trying to bite back with the total snark. Which isn't going to help them much in the end since they set themselves up for this whole thing by bragging about what they did. If they had really stopped to think they would have planned better and not run their mouths quite so much.

A non tech's thoughts on Apple stuff

(She's family so I'm a little biased)
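The article's account of a script that scraped 114,000 addresses unattended, and the post above describing a program that generates candidate identifiers and looks up the associated email address, describe the same server-side failure mode: an endpoint that answers a lookup for any identifier, from anyone, at any rate. As an added example, not AT&T's logs and not code from anyone in this thread, here is the detection a web operator could run over ordinary access logs to spot a client walking through the identifier space. The /lookup path, the id query parameter, the Common Log Format lines and the thresholds are all assumptions; the page does not say what identifier AT&T's page accepted or how its requests were logged.

```python
"""Spot identifier enumeration in web-server access logs.

Added example. The log lines below are constructed: they imitate an
endpoint that returns an account's email when handed a numeric account
identifier. Path, parameter name and log format are assumptions.
"""
import re
from collections import defaultdict

# Assumed Common Log Format; only GET requests with a numeric id= are of interest.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)
ID_RE = re.compile(r"[?&]id=(\d+)")

# Constructed sample: 203.0.113.7 walks identifiers in order (some do not
# exist and return 404); the other two clients make ordinary single lookups.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /lookup?id=1000001 HTTP/1.1" 200
198.51.100.4 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?id=1042337 HTTP/1.1" 200
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?id=1000002 HTTP/1.1" 404
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?id=1000003 HTTP/1.1" 200
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?id=1000004 HTTP/1.1" 200
192.0.2.19 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?id=1077210 HTTP/1.1" 200
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?id=1000005 HTTP/1.1" 404
203.0.113.7 - - [09/Jun/2010:10:00:04 +0000] "GET /lookup?id=1000006 HTTP/1.1" 200
192.0.2.19 - - [09/Jun/2010:10:00:05 +0000] "GET /lookup?id=1077211 HTTP/1.1" 200
203.0.113.7 - - [09/Jun/2010:10:00:05 +0000] "GET /lookup?id=1000007 HTTP/1.1" 200
203.0.113.7 - - [09/Jun/2010:10:00:06 +0000] "GET /index.html HTTP/1.1" 200
"""


def parse_lookups(log_text):
    """Yield (client_ip, identifier, status) for every request carrying an id."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        idm = ID_RE.search(m.group("path"))
        if not idm:
            continue
        yield m.group("ip"), int(idm.group(1)), int(m.group("status"))


def sequential_ratio(ids):
    """Fraction of adjacent distinct identifiers (sorted) that differ by exactly 1.

    A human looking up their own account produces one value; a script
    counting through the id space produces a run of consecutive values.
    """
    s = sorted(set(ids))
    if len(s) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(s, s[1:]) if b - a == 1)
    return steps / (len(s) - 1)


def find_enumerators(log_text, min_ids=5, min_seq_ratio=0.8):
    """Return {client_ip: summary} for clients that look like they are
    walking the identifier space. Thresholds are assumed starting points."""
    per_ip = defaultdict(list)
    for ip, ident, status in parse_lookups(log_text):
        per_ip[ip].append((ident, status))
    flagged = {}
    for ip, rows in per_ip.items():
        ids = [i for i, _ in rows]
        distinct = len(set(ids))
        ratio = sequential_ratio(ids)
        if distinct >= min_ids and ratio >= min_seq_ratio:
            flagged[ip] = {
                "distinct_ids": distinct,
                "sequential_ratio": round(ratio, 2),
                "hits": sum(1 for _, st in rows if st == 200),
                "misses": sum(1 for _, st in rows if st != 200),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_enumerators(SAMPLE_LOG).items():
        print(ip, summary)
```

The hits/misses split is the tell worth keeping: a scraper guessing identifiers produces a steady stream of not-found responses between the hits, which no legitimate client of such a page does. Detection of this kind is a backstop, not the fix; an endpoint that hands out a customer's email for an identifier should require the customer to be authenticated, and should be rate-limited per client regardless.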
post #28 of 58
Quote:
Originally Posted by Sensi View Post

Yep, it still seems applicable to the iphone, ipod and ipad version of safari. Currently only Safari desktop version was patched.


cf. http://encyclopediadramatica.com/Safari_XPS_Attack

Which is it?

You rightly state Safari 5/4.1 are fixed and then include it in your list. The list doesn't even bother to cite version numbers for the other webkit based browsers as well. I don't even think some of the browsers listed [and those not listed like Shiira] have been updated for at least 9 months. Who knows if they are still focused on their solution?
post #29 of 58
Quote:
Originally Posted by RationalTroll View Post

At the Gawker article they explained that they first notified AT&T, and waited until after the hole was closed before talking with the reporter. As noted in this article, they had hoped AT&T would do right by Apple's customers and let them know of this security breach, but AT&T chose not to inform Apple's customers in a timely manner so Goatse did it for them.

You did not answer my question.

As far as I can see, there was no reason to actually send the collected data to a reporter. They could just as easily have described the breach and the data (but not sent it out). This is true regardless of the relative timing of other events.

Thompson
post #30 of 58
Quote:
Originally Posted by RationalTroll View Post

Goatse claims that the only copy of the data they had was given to the reporter, and their own destroyed.

First of all, you still haven't answered the question of why Goatse sent the data to the reporter. If their objective was as benevolent as they say, they could have achieved that without sending out the data.

Quote:
Originally Posted by RationalTroll View Post

Any data in the wild is a result of the exposure AT&T created for themselves, not from Goatse's sharing of the data with one reporter.

Remind me never to confide in you if you think that telling just one other person (a reporter, no less!) couldn't possibly do any harm.

Thompson
post #31 of 58
.....
post #32 of 58
Quote:
Originally Posted by RationalTroll View Post

Goatse has claimed that they did indeed contact AT&T before going to the press, which is how the hole was closed before Goatse contacted the reporter.

From the Goatse Security public letter, security.goatse.fr/on-disclosure-ethics:

"We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as nice guy as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it."
post #33 of 58
Geez - aren't we all on top of stuff like this by now? Yet another wannabe set of script-kiddies pwns a 'ploit (see how kewlziam usin' web-speak ) and pulls some emails from a less-secured ATT server. Phone companies are some of the most hacked sources for data via networking exploits and backdoor hacks and we're shocked and surprised.

The script-kiddies publish their exploits to a notoriously skanky snark site, and then look shocked and amazed when someone takes them more seriously than they intended.

Look at the profile of the hit:

They target what is one of the least secured services for ATT - the activation server for (the Apple iPads and) the New York/East Coast region - where else to have a chance to harvest some potentially high profile data?

They pull out of their little kit "101 Scriptz So You Can Be A Kewlz Biatchin' Hackerz Too" bag one of dozens of known scripts that generate sequences and set it to run and SOO-PRIZE, SOO-PRIZE, SOO-PRIZE, they harvest a whole bunch of iPad owner emails for the New York area. Why iPads - because it is topping the media hits right now of course, and well since they are going to take this to Gawker anyway it makes perfect sense.

They claim to have notified ATT (you know like the guy who "found" the prototype iPhone tried to contact Apple) and then when they claim ATT didn't publicly "fess-up" to the breach decided to leak it to embarrass them. Oh, and then throw in some random other exploit as well just for good measure - remember we need to implicate Apple in this too - beyond the iPad exploit targets.

Then a round of "neener-neener-neener", media frenzy Goatse get all kinds of publicity and ATT publishes their "apology" A little more "neener-neener-neener" from Goatse (WE ARE LEGIT HACKERZ OF THE LIGHT) to keep the media circus going, etc. Repeat as needed until the desired effect is achieved.

Maybe they had a potential customer they needed to impress - maybe they needed beer money and Gawker was happy to provide. It.Doesn't.Matter.

Voila! They have their instant fame and maybe a happy client. Or beer money. Looking at their website I'm inclined to think beer and well, other things, but hey they got exactly what they were driving for - media exposure. No one NO ONE hacks like that as a public service - they do this for the publicity - to charm a potential client, to massage egos, get some web-cred, or just piss in someone's wheaties. End of story.

Now back to your regularly scheduled rants.
post #34 of 58
Quote:
Originally Posted by kyle172 View Post

Oh no the FBI is involved! All hail pigs that can fly! It's the "H" word!

Seriously. Back on your meds or get your cat off the friggin' keyboard!!
post #35 of 58
Hmmm, other than one likely offensive post, I didn't notice anyone realizing the offensive origin behind the "Goatse" name.
post #36 of 58
Quote:
Originally Posted by JeffDM View Post

Hmmm, other than one likely offensive post, I didn't notice anyone realizing the offensive origin behind the "Goatse" name.

where the various interesting associations were called out here? Priceless dude - they are the very epitome of self-righteous do-gooders. NOT.
post #37 of 58
Quote:
Originally Posted by masternav View Post

where the various interesting associations were called out here? Priceless dude - they are the very epitome of self-righteous do-gooders. NOT.

Which thread was that again? I don't remember dealing with other AT&T hack threads, I did find what you're talking about, no memory of dealing with that thread.
post #38 of 58
Quote:
Originally Posted by thompr View Post

First of all, you still haven't answered the question of why Goatse sent the data to the reporter. If their objective was as benevolent as they say, they could have achieved that without sending out the data.

Have you considered asking them?

I presume nothing about their intentions, and have described only their actions.

Quote:
Remind me never to confide in you if you think that telling just one other person (a reporter, no less!) couldn't possibly do any harm.

I don't know you so the likelihood is slim that would ever come into question. Besides, please note that I've made no claims about either the ethics or the legality of Goatse's actions. There's no shortage of such opinions here. What seemed lacking here was a few details reported elsewhere but apparently missed by some here, which I've provided.

The oddest thing about the devolution of this discussion is the presumption that there are only two sides here, and that the line is drawn between AT&T vs Goatse. Like most of life, this situation is rife with subtle complexity which obviates such simplistic reductionism.

If the law says what Goatse did is illegal, then it's illegal. There is no opinion there, and the courts will decide the matter so we needn't bother.

More interesting to me here is Apple's partner, AT&T, and the complex relationship so many Apple fans have with it.

If you read enough of these boards you understand that AT&T has earned a fair amount of ill will among the posters here for everything from their insufficient infrastructure investment to their bait-n-switch pricing. Indeed, a good many of Apple's most ardent fans here have pretty much demanded in these pages that Apple stop being exclusive with this vendor who appears to be coasting on that privilege.

With this security exposure, one would think people would be even more up in arms against AT&T. Goatse's a separate matter; this security hole was an architectural decision, a very poor one, and had been in place for many months before Goatse stumbled across it.

This leaves us with two stark realizations:

1. We have no way of knowing how many others have had access to even more data for far longer. As the author quoted at slashdot today noted, this info can be used to track an individual to the nearest cell tower, and may be used to spoof accounts. Affected customers include members of the US Dept of State, the presidential administration, the Dept. of Defense, and some very high-level corporate executives. Read the slashdot article, and think about it.

2. Since this was such a very poor architectural decision, how many other similarly poor decisions comprise the rest of AT&T's infrastructure?

As we ponder those two sides of this, consider how AT&T responded: First, they made no effort to notify the affected customers until more than a week after they were given private notification of the exploit.

Then when they finally issued their mea culpa letters today, those letters noted only that the email addresses were compromised, and made no mention of the more severe possibilities as noted in the slashdot article.

Whether AT&T didn't discuss those implications because they don't have the experience to realize them, or because they do but are willfully concealing them, neither speaks well for the company.

Those who truly support Apple will demand a better choice of business partner. AT&T is simply not up to Apple's standards.
post #39 of 58
Quote:
Originally Posted by commun5 View Post

From the Goatse Security public letter, security.goatse.fr/on-disclosure-ethics:

"We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as nice guy as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it."

Yes, I stand corrected on that technicality: Goatse did not contact AT&T directly, but did make sure they were contacted privately about the matter long before it was public.

Thank you for making my point even clearer: AT&T had advance notice and did not notify affected customers in a timely manner.
post #40 of 58
Quote:
Originally Posted by mdriftmeyer View Post

Which is it?

You rightly state Safari 5/4.1 are fixed and then include it in your list. The list doesn't even bother to cite version numbers for the other webkit based browsers as well. I don't even think some of the browsers listed [and those not listed like Shiira] have been updated for at least 9 months. Who knows if they are still focused on their solution?

I am just quoting a list of browsers affected at the initial disclosure of the flaw (back in March), to answer the question asking if the iPad version of Safari was also affected. I read somewhere else - sorry I have no link - that the only version of Safari already patched was the desktop one, the others remaining as I speak still unpatched.