
Researcher admits to hacking Apple's developer site, says he meant no 'harm or damage' - Page 2

post #41 of 121
So if someone breaks in to my house and then says they were only doing it to see how secure my house was (or prove how insecure it was) that's OK? Nonsense. And I'd want them in jail.
post #42 of 121
Welcome to prison.
post #43 of 121
Quote:
Originally Posted by Rogifan View Post

So if someone breaks in to my house and then says they were only doing it to see how secure my house was (or prove how insecure it was) that's OK? Nonsense. And I'd want them in jail.

That is not a very fair analogy.

 

Think of it this way.

 

You put all your money into a bank. You don't know it, but that bank isn't very secure.


Not as the bank, but as the customer of that bank (very important whose perspective you view this from), which scenario would you prefer to take place?

 

a) Someone breaks into the bank's vault and takes all your money. He leaves with all your money and vacations in the tropics. The bank can't do anything about it because in this hypothetical situation, the bank does not have insurance (Apple can't offer you insurance if your credentials are lost or stolen, so not a bad analogy).

b) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and secretly tells the bank how he did it. The bank covers it up and underplays the effects of the break-in because they don't want any more break-in attempts, don't want to lose your business, don't want the media attention involved, AND (the biggie) since everything was swept under the rug, can take their time replacing the old unsafe system with a better more secure system. All of which help make scenario (a) more of a possibility.

 

c) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and tells the world of his feats. The bank is forced to come to terms with their lack of security and they are forced to shore up their shortcomings asap or risk more break-ins.

post #44 of 121
Quote:
Originally Posted by KDarling View Post

3)  Apple may catch some grief for definitions like "some accounts" ("some" = 100,000+ ) ... "transparency"  (waiting over three days to say anything) ... and no "sensitive personal information" was taken (apparently email addresses are not considered sensitive).

Except they won't, because every single company does the exact same thing.
Quote:
Originally Posted by TBell View Post

Yes, because I am sure the amount Apple can receive from him in relation to its attorney fees is worthwhile.

So all petty theft, for example, should be legalized, huh? What kind of nonsense statement is this?

Doesn't matter how much "money they can get from him". He's going to jail. He receives punishment for doing something illegal. It's pretty darn simple.

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #45 of 121
Quote:
Originally Posted by iaeen View Post


Being considered ethical by a small subset of the population does not make an action ethical and it certainly does not have any effect on its legality. The simple fact is that he broke into a private security system without authorization, and should therefore be punished regardless of his intent.

If I find a burglar in my house, I'm going to shoot him. There is no question of intent; he has crossed the line in invading my personal space.

Also, I find your screen name offensive and hope your account gets banned.


This broken thinking is why companies like Apple/Sony/Evernote/etc get away with murder of your personal information.  The house analogy is just flat wrong.  This isn't a house that's your responsibility to protect, it's a treasure of YOUR information being held by a third party.  This is like a bank full of security deposit boxes in a vault with the door left open.  The bank could close the vault door but they don't really care because they are not liable if the contents inside are taken they just might get some bad publicity.  You have a box in there and you know the door is open. You tell the bank the door is open and they don't care.

 

Option One:

You tell the media that the door is open and one of two things happens.  Either the bank paints you as a criminal and bans you from the bank forever, or the bank denies the door is open and no one is going to check for fear that the bank will go after them for looking into it.

 

Option Two:

You take some boxes belonging to bank employees and tell them to close the door.  What should happen is the bank finally cares and closes the door. Problem solved.  What the bank (Apple) is doing is instead crying that someone took their things and going after the person.

 

This is pretty much technology security in a nutshell. For all of you that want this guy in prison for trying to do the right thing, I hope you know you aren't closing the vault door, you are just making sure that the person who finally walks in is going to rob you all blind. Frankly, at that point you deserve it because you didn't want people to point out the problems, you just wanted to assume the bank wasn't careless...

post #46 of 121
"How deep he could go" is what his cellmate in prison will tell him.

Sorry, you can't break into a place just for "research". Can I "research" how to break into a bank vault? Thought so. What a dummy he is.
post #47 of 121
Good ol' white hats!
post #48 of 121
Quote:
Originally Posted by rydewnd2 View Post

If he's a security researcher and not a hacker, why is he revealing real developers names and other info in a YouTube video? Seems best suited for a white paper or essay no?

Apple should hire him.

post #49 of 121
Quote:
Originally Posted by KDarling View Post

...

3)  Apple may catch some grief for definitions like "some accounts" ("some" = 100,000+ ) ... "transparency"  (waiting over three days to say anything) ... and no "sensitive personal information" was taken (apparently email addresses are not considered sensitive).

 

I thought Apple was pretty clear that no "user" personal information was taken, but that the names, addresses, and personal email of the developers were taken.

 

I think this guy is highly suspicious anyway.  Either that or he may have nothing to do with it and it's just a coincidence.  

 

The things that seem clear to me about him:

 

- he's an egomaniac (the video, the attitude etc.)

- he deliberately exposed personal information in the video, while saying that he would never disclose personal information.  

 

Also, a lot of developers were posting that their emails had experienced multiple password reset attempts over the last few days.  

 

Therefore, either:

 

- he was trying to reset people's passwords and thus lying about his "white hat"

- he was lying about not passing the information on to someone else

- there is a third party that just happened to do the same trick within the same time period (unlikely)

 

If I was Apple, even if this guy was saying he was a white hat, the fact that I was getting reports of password reset attempts would make me do exactly the same thing that they ultimately did.  Even if they believed the guy and even if they weren't getting password reset attempts, they should still have shut down the system as they did, but perhaps not used the language they did.  So at the end of the day if Apple is "wrong" it's only in the language they used to describe the guy.  

 

It seems far more likely to me that they aren't wrong though and did the only thing they could/should do.  

post #50 of 121

Because of this asshole, the dev site is down and beta 4 not released so far.
Suing him and closing his business will teach him and a few years in prison.

post #51 of 121
Quote:
Originally Posted by Gazoobee View Post

judging by his statement has severe communication difficulties (ESL?) to boot.
Quote:
Originally Posted by blackbook View Post

I assumed English wasn't his first language...

That's the simple view, his incredibly bad grammar and sentence construction, but when you put that together with the questionable ethics of his revealing several full names un-blurred (including women) in that self-promoting video, the smugness of his pose in the picture, his making off with thousands of identities and the logic flaws in his explanations of his actions, the dude reeks of dubiousness.

Such a character's account of his dealings with anyone let alone Apple cannot be believed. And Apple's extreme actions appear to indicate a shakedown attempt was made.

A little education is indeed a dangerous thing.
Edited by airmanchairman - 7/22/13 at 8:06am
post #52 of 121
Quote:
Originally Posted by applecansuckmyd View Post

All you misinformed and self-righteous people need to understand what he did is and will always be accepted by the computer science and cryptography community as ethical and legal. There is such a thing as whitehat hacking, ...

 

Except based on what we know so far, it would appear he violated several of the rules of "white hat" hacking.  

post #53 of 121
Quote:
Originally Posted by waldobushman View Post

He did Apple a valuable service. Good for him. Better him than the NSA.

err, your alternative does not follow.

 

Better him than the organized crime syndicate  would be a better example.

 

Unless your use of Apple's Dev Sites exposes who you talk to, how you spend your time in your bedroom, or passwords to your how to bomb US landmarks websites, the NSA is pretty much a non-threat at the moment.

 

He did do Apple a valuable service. However, he did not do it professionally. He sought self promotion and some vindication by posting it online. Good Pentesting (pentesting for good) is like good science. You discover something, you find a professional to validate your findings, you both go to the source with independent findings, and if they reject your findings, then you must release it to the public as part of the public good. If Apple says, 'interesting... please embargo your release until we fix it' and they fix it within a couple months, you sit on it... if 6 months, then you have to consider the public good, and release it with the conversations with Apple. The 2-5 month window is the ethical ambiguity.

 

As for 'intruder' vs 'professional'  An uninvited guest into your house, is an intruder.  An invited guest who wanders into the basement during a dinner party is one that violates 'the terms of agreement' for the dinner party, and is 'unwelcome.'   A Professional would knock on the door, state that he suspects a weakness that is putting all your guests at risk, asks permission to 'test' the house, and asks for permission to enter the basement.  If he is a security expert, he starts at the top, and asks for a 'get out of jail free card' prior to the beginning of the test.

 

The fact he feels he's doing the public a service is mitigating, but his methods of setting up the test and exposing the details to the public shows he's at best a novice with skills, and at worst, a grey hat, that wants to build public cred, as he couldn't find any 'real value' (something he could sell to the highest bidder), and therefore wanted to publicize his capabilities.

post #54 of 121
Quote:
Originally Posted by barthrh View Post

 

Stupid non-English-speaking Turks. I'm sure that your fluency in Turkish would teach him a thing or two!

 

I don't care if he is a Turk or whatever, I was just pointing out his obvious communication difficulties.  

The determination of whether he did anything wrong or not will most likely involve exactly what he communicated to Apple.  His job/career may hinge on it in fact. 

post #55 of 121
Quote:
Originally Posted by Stromos View Post


... The house analogy is just flat wrong.  This isn't a house that's your responsibility to protect, it's a treasure of YOUR information being held by a third party.  This is like a bank full of security deposit boxes in a vault with the door left open.  The bank could close the vault door but they don't really care because they are not liable if the contents inside are taken they just might get some bad publicity.  You have a box in there and you know the door is open. You tell the bank the door is open and they don't care....

 

This is completely inaccurate (at least in most countries).  The bank in this analogy *does* have a direct responsibility to protect your information/goods.  

 

To get away from the bank analogy, most information protection and privacy laws around the world are explicitly based on the fact that once you have someone's personal information it's your responsibility to keep it, and to keep it safe for the duration of the time you have it.  Any third party holding someone else's information has this responsibility.  You can be sent to jail if you violate these laws and people are quite regularly.  All I can say is if it isn't this way in the USA, then that's seriously "last century" thinking. 

post #56 of 121
Quote:
Originally Posted by ukjb View Post

That is not a very fair analogy.

Think of it this way.

You put all your money into a bank. You don't know it, but that bank isn't very secure.


Not as the bank, but as the customer of that bank (very important whose perspective you view this from), which scenario would you prefer to take place?

a) Someone breaks into the bank's vault and takes all your money. He leaves with all your money and vacations in the tropics. The bank can't do anything about it because in this hypothetical situation, the bank does not have insurance (Apple can't offer you insurance if your credentials are lost or stolen, so not a bad analogy).

b) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and secretly tells the bank how he did it. The bank covers it up and underplays the effects of the break-in because they don't want any more break-in attempts, don't want to lose your business, don't want the media attention involved, AND (the biggie) since everything was swept under the rug, can take their time replacing the old unsafe system with a better more secure system. All of which help make scenario (a) more of a possibility.

c) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and tells the world of his feats. The bank is forced to come to terms with their lack of security and they are forced to shore up their shortcomings asap or risk more break-ins.

Yes it is. Just because someone exposes a security flaw doesn't make the way they went about exposing it right, or legal. If he was concerned about Apple's security why didn't he contact them about it and offer up his services rather than hacking the site and after the fact telling Apple (and the world) that he did it. Seems this is someone who is just looking for attention (or a job) than someone who is really concerned about Apple developer/users security. Sorry, but I don't think the ends justify the means.
post #57 of 121
Quote:
Originally Posted by GTR View Post

Sue him.

 

No ifs, ands, or buts.

What are the damages?

censored

post #58 of 121
Quote:
Originally Posted by applecansuckmyd View Post

All you misinformed and self-righteous people need to understand what he did is and will always be accepted by the computer science and cryptography community as ethical and legal. There is such a thing as whitehat hacking, where someone does penetration testing on a company/website to see how vulnerable it is against real, malicious hackers. If he had simply hacked the Dev website without taking any proof of sensitive information, then Apple would have most likely down-played this situation as some minor breach with no loss of sensitive material. As for all of you calling for him to be sued, you are what's wrong with America today.

I disagree, penetration testing is most often something that is contracted out or requested.  Penetration testing by the public is just hacking with an official sounding name.

post #59 of 121
Quote:
Originally Posted by Gazoobee View Post

 

This is completely inaccurate (at least in most countries).  The bank in this analogy *does* have a direct responsibility to protect your information/goods.  

 

To get away from the bank analogy, most information protection and privacy laws around the world are explicitly based on the fact that once you have someone's personal information it's your responsibility to keep it, and to keep it safe for the duration of the time you have it.  Any third party holding someone else's information has this responsibility.  You can be sent to jail if you violate these laws and people are quite regularly.  All I can say is if it isn't this way in the USA, then that's seriously "last century" thinking. 

 

He never said the bank doesn't have a direct responsibility to protect your information goods... but you want to get away from this analogy, why? it is much better than the house burglary analogy in that a third party is involved. whether they have a duty to protect yourself or not is of no importance... *of course* they have the "duty" to protect your stuff. the question is do you vilify the person shedding the light that the bank is not doing a good job at its security or the bank itself for leaving your valuables in a situation where they can easily (easier than other banks) be stolen?

post #60 of 121
Quote:
Originally Posted by Rogifan View Post


Yes it is. Just because someone exposes a security flaw doesn't make the way they went about exposing it right, or legal. If he was concerned about Apple's security why didn't he contact them about it and offer up his services rather than hacking the site and after the fact telling Apple (and the world) that he did it. Seems this is someone who is just looking for attention (or a job) than someone who is really concerned about Apple developer/users security. Sorry, but I don't think the ends justify the means.

you didn't answer my question... which of those three scenarios would you prefer to happen. a non-answer is just skirting the question. you know which is the right to choose, but you are so quick to vilify the gentleman which ultimately caused no harm and ultimately forces apple's hand to fix the situation in a timely manner. If you don't think the ends justify the means then you have no idea how security/publicity go hand in hand... i covered this in scenario (b).. did you read it? if he were to tell apple what he did or how to do it. they would have covered it up so they could take their time to fix it. while the vulnerability still exists.

also you completely disregard the fact that he didn't steal anything directly from you but from someone who is guarding your information. that is not a house break-in but a bank-robbery. if my analogy is no good, yours is worse... just think about it with an unbiased attitude. that's all i ask

post #61 of 121
Quote:
Originally Posted by TBell View Post

Yes, because I am sure the amount Apple can receive from him in relation to its attorney fees is worthwhile.

"Little" companies/people sue big ones in the hopes of getting a boatload of $$ in damages.  The big ones sue others to "punish" and set an example for others in an attempt to prevent similar occurrences from happening again.  A substantial judgement against this guy would likely never get paid, but hang over him forever.

 

And given the size of Apple's legal department I suspect the incremental cost of causing this guy legal hell is negligible anyway.

post #62 of 121
Quote:
Originally Posted by airmanchairman View Post

... revealing several full names un-blurred (including women) ....

 

*gasp* I've never seen a woman's name before.  /s.

 

What is the relevance of "including women"?  How can you be sure they were women (or men)?  For example, we learned last week that "Robert Galbraith" = J.K. Rowling.

post #63 of 121

It's not his responsibility to point out Apple's flaws by hacking their servers. The correct approach would be to speak with Apple first and let them handle it. If they don't want to fix it it's their problem. If he gets prosecuted, it's his fault.

post #64 of 121
While I appreciate a contrite attitude on the part of those that do wrong, the lawyer in me cringes at reading public apologies that are tantamount to a full confession.
post #66 of 121
Quote:
Originally Posted by bdkennedy1 View Post

It's not his responsibility to point out Apple's flaws by hacking their servers. The correct approach would be to speak with Apple first and let them handle it. If they don't want to fix it it's their problem. If he gets prosecuted, it's his fault.


Let me correct that for you. If they don't want to fix it it's YOUR problem because it's YOUR information.

post #67 of 121
A big shrug about what the hacker did. I for one am proud to be an Apple developer. Go ahead and show my name any time you want. Apple forced us to use our e-mail address as our developer IDs some time ago so no big secrets were exposed there either. I was kind of hoping mine would show up in that video.

I am not happy that we now know more about what is going on from this hacker's YouTube video than from Apple itself. Apple should have come clean immediately when they took the Apple developer site down and not waited days to tell us. I was checking the site many times a day in hopes it would come back so I could access the developer forums, sample code and other resources. I am not really surprised that the Apple developer site was hacked. I am actually surprised that it took this long to be noticed by a casual hacker. As the hacker said in the video, it appears to have been actively leaking user info which is what made the hacker look a bit deeper.
post #68 of 121
PEN testing without authorization and proper documentation is wrong and should not be just blown off. This is serious and it shouldn’t be downplayed because he wanted to "TEST" without authorization to proceed.
Mac Book Pro (late 2008), Power Mac G5(upgraded to Intel Hackintosh), new iPad 64GB 4G LTE, iPad Mini, iPhone 5.
post #69 of 121
Quote:
Originally Posted by donw35 View Post

PEN testing without authorization and proper documentation is wrong and should not be just blown off. This is serious and it shouldn’t be downplayed because he wanted to "TEST" without authorization to proceed.


Then there needs to be laws in place that if someone thinks a vulnerability is present that Apple is required to have a third party test and when it's all said and done share the results with the public. I am tired of the protections these companies are getting for having lousy security.  You're right PEN testing shouldn't be allowed without authorization, but it should be required.

post #70 of 121
Quote:
Originally Posted by Stromos View Post

Then there needs to be laws in place that if someone thinks a vulnerability is present that Apple is required to have a third party test and when it's all said and done share the results with the public.

Abject nonsense. That's the easiest way to bankrupt any company.

post #71 of 121
Quote:
Originally Posted by Tallest Skil View Post


Abject nonsense. That's the easiest way to bankrupt any company.


Then make it once every six months. At the end of the day if these companies can't handle personal information there needs to be intervention. Apple certainly has the money to have been doing PEN testing and fixed this long ago. They just didn't want to spend the money to protect us. How many times do we have to have a Sony/Evernote/Apple before either there are some new laws or the punishments are so severe that companies get their act together out of fear.

post #72 of 121
Quote:
Originally Posted by Tallest Skil View Post


Abject nonsense. That's the easiest way to bankrupt any company.

How so? There is absolutely no form of checks and balances for a company that is maintaining my information in their records. Others have said that they are responsible for protecting that data, but there is not one single law or rule that says how much effort has to go into protecting my data. Legally speaking, if it is password protected, it is secure, but we all know that just applying a password is not the extent to which our data needs to be protected.

 

SOME sort of law needs to be in place to call out companies when we suspect there might be a security flaw in a system protecting my data. Arguing otherwise is just as you said, "abject nonsense."

post #73 of 121
Somehow I don't think they're going to send him an iTunes gift certificate as a token of thanks.
post #74 of 121
Deep Porpoise... didn't they do proto-heavy metal in the 70s?
post #75 of 121
Quote:
Originally Posted by GrangerFX View Post

...  I am not really surprised that the Apple developer site was hacked. I am actually surprised that it took this long to be noticed by a casual hacker. As the hacker said in the video, it appears to have been actively leaking user info which is what made the hacker look a bit deeper.

 

Yep, although I'm not sure he should even be called a "hacker", unless he did more than we know.

 

Right now, it looks like he's just a programmer who tried out a recently discovered server bug to see if his own info came back, and was surprised to find out that it did.  Then he must have tried other request combinations and tons of records came back.  Not smart, but certainly a natural reaction.

 

His video shows that he then reported the security hole to Apple via a developer bug report.  

 

He probably expected a reply like "Thanks for the info.  Please keep it quiet while we fix the bug", which would be reassuring.  It doesn't sound like that happened.  Instead, when Apple immediately took down their site and wrote that it was because of an "intruder", he got worried that someone at Apple was going to try to lay blame on him, so he went public.

 

As he said in his video comment:

 

"This is definitely not an hack attack. I have reported all the bugs I have found to the company and waited for approval. I am being accused of hacking but I have not given any harm to the system and i did not wanted to damage."

 

Yes, he didn't handle it very well, but as you pointed out, neither did Apple.  

post #76 of 121
Something I am surprised has not come up yet, is that Apple may not have brought down the site because of this guy alone. As a Network Admin, if I get a report of a breach by a White Hat, the first thing I do is check the logs to see if anyone else tried the same thing. If I find that, I would shut down the site too. If I do not, then it is a business decision of which is worse, the risk of a Black Hat while I fix it, or the cost of being down.

Based on Apple's reaction I am guessing that 1) they found other suspicious activity 2) This guy is not telling the whole story or 3) combination of the two
post #77 of 121
Quote:
Originally Posted by AJMonline View Post

Something I am surprised has not come up yet, is that Apple may not have brought down the site because of this guy alone. As a Network Admin, if I get a report of a breach by a White Hat, the first thing I do is check the logs to see if anyone else tried the same thing.

 

Yes, the reaction seems awfully big for one bug report to cause it... although to be fair, security is a huge issue these days and perhaps that's their new policy.

post #78 of 121
Quote:
Originally Posted by Stromos View Post

Apple certainly has the money to have been doing PEN testing and fixed this long ago. They just didn't want to spend the money to protect us.

Shut up with the FUD, please.
Quote:
Originally Posted by ukjb View Post

How so?

"I think there is a flaw in your security."
"Okay, we'll test it."
*spends $10,000 to test it*
*next day*
"I think there is a flaw in your security."
"Okay, we'll test it."
*spends $10,000 to test it*
*next day*
"I think there is a flaw in your security."
"Okay, we'll test it."
*spends $10,000 to test it*
*next day*
Quote:
SOME sort of law needs to be in place to call out companies when we suspect there might be a security flaw in a system protecting my data.

Not really, no. You can give feedback all you want, but they should not be legally required to look into it. If there's an actual flaw that can be pointed out, they'll fix it on their own.

post #79 of 121
Quote:
Originally Posted by Tallest Skil View Post


Shut up with the FUD, please.
"I think there is a flaw in your security."
"Okay, we'll test it."
*spends $10,000 to test it*
*next day*
"I think there is a flaw in your security."
"Okay, we'll test it."
*spends $10,000 to test it*
*next day*
"I think there is a flaw in your security."
"Okay, we'll test it."
*spends $10,000 to test it*
*next day*
Not really, no. You can give feedback all you want, but they should not be legally required to look into it. If there's an actual flaw that can be pointed out, they'll fix it on their own.


You must be one of those people that when a company compromises data you protect the company.

post #80 of 121
Quote:
Originally Posted by Gazoobee View Post

 

I thought Apple was pretty clear that no "user" personal information was taken, but that the names, addresses, and personal email of the developers were taken.

 

I think this guy is highly suspicious anyway.  Either that or he may have nothing to do with it and it's just a coincidence.  

 

The things that seem clear to me about him:

 

- he's an egomaniac (the video, the attitude etc.)

- he deliberately exposed personal information in the video, while saying that he would never disclose personal information.  

 

Also, a lot of developers were posting that their emails had experienced multiple password reset attempts over the last few days.  

 

Therefore, either:

 

- he was trying to reset people's passwords and thus lying about his "white hat"

- he was lying about not passing the information on to someone else

- there is a third party that just happened to do the same trick within the same time period (unlikely)

 

If I was Apple, even if this guy was saying he was a white hat, the fact that I was getting reports of password reset attempts would make me do exactly the same thing that they ultimately did.  Even if they believed the guy and even if they weren't getting password reset attempts, they should still have shut down the system as they did, but perhaps not used the language they did.  So at the end of the day if Apple is "wrong" it's only in the language they used to describe the guy.  

 

It seems far more likely to me that they aren't wrong though and did the only thing they could/should do.  

 

 

Yeah, I got a reset password email this morning. I thought it was just some phishing message, but I think it was real. I didn't click the link, but went to Apple.com and did change my password--just in case. Then I saw this story, so then it all came together. No, this "whitehat" is a douche who got caught and now he's backpedaling, trying to avoid jail.
