
Researcher admits to hacking Apple's developer site, says he meant no 'harm or damage' - Page 3

post #81 of 121
Quote:
Originally Posted by Tallest Skil View Post


Shut up with the FUD, please.
"I think there is a flaw in your security."
"Okay, we'll test it."
*spends $10,000 to test it*
*next day*
"I think there is a flaw in your security."
"Okay, we'll test it."
*spends $10,000 to test it*
*next day*
"I think there is a flaw in your security."
"Okay, we'll test it."
*spends $10,000 to test it*
*next day*
Not really, no. You can give feedback all you want, but they should not be legally required to look into it. If there's an actual flaw that can be pointed out, they'll fix it on their own.

 

All you did was answer the very first two words of my response... you in no way addressed my entire post. Taking two words out of context from someone's response is utterly useless.

post #82 of 121
Quote:
Originally Posted by Tallest Skil View Post

Not really, no. You can give feedback all you want, but they should not be legally required to look into it. If there's an actual flaw that can be pointed out, they'll fix it on their own.

 

True, it's already in a corporation's best interests to take feedback seriously.

 

If you reported a data leak that could be fixed, and later on someone was damaged by such a leak, the information holder could be liable.

 

(Depends on the damage. Recently, a class action lawsuit against LinkedIn, for an info breach of millions of passwords, was thrown out because there was no proof of actual ID theft as a result.)

post #83 of 121
Quote:
Originally Posted by KDarling View Post

 

If you reported a data leak that could be fixed, and later on someone was damaged by such a leak, the information holder could be liable.

You can only be held liable if you describe how to access the data leak, i.e. how you broke in. Just stating that there is an information leak does not make you liable.

post #84 of 121
Quote:
Originally Posted by Stromos View Post

You must be one of those people that when a company compromises data you protect the company.

Do you have any sort of rebuttal to any of the points I've made? Or would you just like clarification thereon?

Apple has a responsibility to our data. There is no reason for any company to be legally forced to waste money responding to any Tom, Dick, or Harry who thinks there's a flaw in security. Apple already has a venue for reporting flaws in security, and if the flaw is outlined properly (and exists), they will take steps to manage it on their own.

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #85 of 121
Actual "Security Researchers" contract their services to a company in advance. They do not hack a site and THEN tell the company. Nice try bozo.
post #86 of 121
Quote:
Originally Posted by Tallest Skil View Post


Apple already has a venue for reporting flaws in security, and if the flaw is outlined properly (and exists), they will take steps to manage it on their own.

According to Balic, he said he followed the instructions on how to properly outline and identify the flaws in security and Apple vilified him, claiming he is a hacker and all. Remember, the video came out after Apple's statements, after he followed the appropriate steps, after he found the flaws. He did everything right up until Apple's response to his actions.

post #87 of 121
"He did everything right up until Apple's response to his actions."

Everything except contract with them to test their security. Legitimate security researchers do not hack and then claim hero status after the fact.
post #88 of 121
There are only 2 options:

(1) Good guy finds vulnerability

(2) Bad guy finds vulnerability

Those who attack guy #1 are ensuring that guy #2 will win the day + get your info, and victimize you.
post #89 of 121
Quote:
Originally Posted by mscientist View Post

"He did everything right up until Apple's response to his actions."

Everything except contract with them to test their security. Legitimate security researchers do not hack and then claim hero status after the fact.

 

Whoever said he was acting in a security researcher status? He was just tinkering and found the leak using his own credentials and explored a bit further and noticed it was database-wide. That could have happened to any of us. All this situation says to me is that if I EVER find a flaw in a system, to keep my mouth shut. Because if I tell Apple or whoever the leak is coming from, there is a chance that not only the company will vilify me, but hundreds or thousands of people on the internet that don't know anything about the situation... i.e. most of the people I've talked to today.

post #90 of 121
Quote:
Originally Posted by ukjb View Post

That is not a very fair analogy.

 

Think of it this way.

 

You put all your money into a bank. You don't know it, but that bank isn't very secure.


Not as the bank, but as the customer of that bank (very important whose perspective you view this from), which scenario would you prefer to take place?

 

a) Someone breaks into the bank's vault and takes all your money. He leaves with all your money and vacations in the tropics. The bank can't do anything about it because in this hypothetical situation, the bank does not have insurance (Apple can't offer you insurance if your credentials are lost or stolen, so not a bad analogy)

b) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and secretly tells the bank how he did it. The bank covers it up and underplays the effects of the break-in because they don't want any more break-in attempts, don't want to lose your business, don't want the media attention involved, AND (the biggie) since everything was swept under the rug, can take their time replacing the old unsafe system with a better, more secure system. All of which help make scenario (a) more of a possibility.

 

c) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and tells the world of his feats. The bank is forced to come to terms with their lack of security and they are forced to shore up their shortcomings asap or risk more break-ins.

 

Why is that not a perfectly apt analogy? Someone engaged in activities using resources or facilities they had no authority to. In the process they deprived someone of their property, and/or exercised control over information that had some form of value to the rightful owner which was diminished by the accessing.

 

 

Bear in mind, the theft of money or goods is a discrete event, but misappropriation of private information that can be used for ongoing harm to personal, professional or financial interests is in a whole other scope entirely. Also, stealing from a bank with a weak lock is no more legal than stealing from a bank with a strong one - even if it's just some of the money in the vault you steal.
 
You're biasing the presentation of your scenarios with an interesting choice of wording. Scenario 'A' is just involving "someone" doing the deed, but scenarios 'B' and 'C' feature "security analysts". What qualifies them as such? Is it just the mere fact that they want to be labeled thus? If the bank, or some other authorized body, isn't making the request for these attempts, then they ['security analysts'] are just out to exercise their will and impose their sense of morality/justice/whatever on the banks and their customers - or maybe they're simply out for the attention. Regardless, they're not acting in a professional, moral or legal capacity any more than the 'evil' person in scenario 'A'.
 
In all three of your scenarios, theft has occurred - someone in each of these has been illicitly deprived of some measure of their money. So all three scenarios involve theft (even if it's only 'a little' theft in the latter two), and none of those scenarios are actually desirable at all. The only difference is in the scope or magnitude of the theft.
 
For the first scenario we have straight theft. Not much to say there. Obviously we don't want that. That's why many organizations regularly perform security audits and even hire professionals to stage attempts to pick their locks.
 
Let's explore the other hypotheticals though.
 
In the second scenario, we have theft (albeit a smaller one), and the bank now knows about it … but wait, maybe the bank already knew about it, was in the process of developing and deploying a solution, but it hadn't been completed yet. The 'analyst' may have known this if they'd been authorized to make the attempt, but they weren't, they just decided to satisfy their own desire to "see how deep they could go". Now the self-righteous 'analyst' is peeved that the bank isn't making a public show of it and giving them their attention (because frankly it would disrupt business to do so, and they're already working on it, and they don't want to open themselves up to more headaches). Since we've already established that the 'analyst' is more interested in pursuing what <they> decide is the best/right/moral/whatever course of action, the peeved 'analyst' then invariably jumps into the third scenario and they publicize the weakness in the bank's locks. Now not only do skilled professionals in the lock-picking industry know of the weakness (the ones who already knew about the weakness, by the way), but amateur lock-picks and every nit-wit with access to YouTube thinks the bank is ripe for easy picking. The bank is inundated with theft attempts, most of which are failed, as they're executed by people without the requisite skill to successfully do so, but they're time-consuming to deal with nonetheless. However, the bank now has to spend additional time and resources dealing with both the negative publicity as well as the extra security load - making it even harder and more expensive to implement the upgrades to the locks.
 
But really, I like scenario "D" - Some putz stumbles across a broken lock, wanders into the vault, pockets as much cash as they can carry and then runs. The bank realizes there's an irregularity, performs an internal audit (which may have taken several days) then when they're satisfied they understand what happened, even if they don't yet know the exact details of how, they notify their customers of a breach. The would-be thief catches wind of this and tries to cover his ass by posting a YouTube video claiming he was just trying to let the bank know there was a potential problem by stealing that money. In the meantime, he's spent at least some of the stolen money (or disseminated some of the private information - something that can't be undone, like spending the cash), but still claiming that he's really not a bad guy at all and was doing it all for altruistic purposes. … Sound familiar?
post #91 of 121
Quote:
Originally Posted by ukjb View Post

 

Whoever said he was acting in a security researcher status? He was just tinkering and found the leak using his own credentials and explored a bit further and noticed it was database-wide. That could have happened to any of us. All this situation says to me is that if I EVER find a flaw in a system, to keep my mouth shut. Because if I tell Apple or whoever the leak is coming from, there is a chance that not only the company will vilify me, but hundreds or thousands of people on the internet that don't know anything about the situation... i.e. most of the people I've talked to today.

 

He did. He said as much. He claimed "I am not a hacker, I do security research". He explicitly claims he was doing penetration testing. He claims he was seeing "just how deep he could go". He didn't just stumble across something, he deliberately went hunting for vulnerabilities. There is no legitimate "security researcher status". You're either working on a system with authorization to do so, or you're not. You can't claim you're "doing research" as a legitimate defense against engaging in unauthorized activity.

 

Let's ignore all that though and assume he was just "tinkering"; that in and of itself constitutes an illicit access - he wasn't authorized to be "tinkering", only to be using the systems in the prescribed manner. But let's ignore that too, let's suppose he just, by mere happenstance, stumbled on what he considered a problem; instead of stopping at that point, you claim he took it upon himself to deliberately explore it further, to satisfy his own desire or agenda, not at the request of Apple, yet another instance of an unauthorized access. So yes, it "could have happened to any of us" ... if any of us went hunting for problems in places we were not supposed to be.

 

What happened was that this person made a deliberate choice to engage in his "security research" and he didn't have a right to. There was no accident here, it was his choice to probe the system. It's not vilification. There's no slander involved. He even admits it. Besides, Apple didn't call him out - <he> made a public statement, Apple just said that "...an intruder attempted to secure personal information of our registered developers from our developer website.".

post #92 of 121
So let's see: HE TOOK THE DATA. And folks who didn't get phishing emails before from those Apple ids are now getting them.

I know what *I* would do with this 'security researcher'.... hint: NOT give him a job.
post #93 of 121
It's not necessary to put a black or white label on this guy. He did this the wrong way, so therefore he should be treated the same as a malicious criminal? No. There are shades of gray. He may be a non-malicious hacker, and he found a real flaw that a malicious hacker could have exploited, which is now being fixed. Apparently, a positive outcome.

I'm not in the make-an-example-of-him crowd, because I can think of a lot of worse people and organizations that need prosecuting and they're all more powerful and dangerous than this guy.
post #94 of 121
Quote:
Originally Posted by Magic_Al View Post

It's not necessary to put a black or white label on this guy. He did this the wrong way, so therefore he should be treated the same as a malicious criminal? No. There are shades of gray. He may be a non-malicious hacker, and he found a real flaw that a malicious hacker could have exploited, which is now being fixed. Apparently, a positive outcome.

I'm not in the make-an-example-of-him crowd, because I can think of a lot of worse people and organizations that need prosecuting and they're all more powerful and dangerous than this guy.

For me, it's not about malice, it's about ignorance. By indulging in his own agenda (whether altruistic or not) without authorization, and without knowing what the results would be, he opens up the door for all manner of potentially damaging side-effects (not the least of which has already surfaced, in the form of the registered Apple developer phishing attempts). This doesn't affect just him. At the very least it affects both Apple, and every single developer registered with Apple (of which I am one). He made a decision that affects all of us, and he didn't ask us if the potential benefits outweigh the costs.

post #95 of 121
If he did report it, his intentions were probably not bad, although accessing a computer with permission is a crime in the US. Posting on YouTube was a big mistake and makes some form of prosecution more likely.

I doubt he had criminal intent, but definitely had poor judgement.
post #96 of 121
Quote:
Originally Posted by Eriamjh View Post

One cannot rob a bank to expose weaknesses, return the money, and claim one intended no harm.  A crime is a crime.  I'm not saying what this researcher did actually broke any laws, but unauthorized access to a computer system is illegal in a lot of places.

Apple is horrible at responding to weakness emails.  They seem to only fix bugs when they are already exploited.  This guy is like Snowden, in a way.

That's an absurd comparison. Apple is not the federal government.

Proud AAPL stock owner.

 

GOA

post #97 of 121
Quote:
Originally Posted by ulfoaf View Post

If he did report it, his intentions were probably not bad, although accessing a computer with permission is a crime in the US. Posting on YouTube was a big mistake and makes some form of prosecution more likely.

I doubt he had criminal intent, but definitely had poor judgement.

Regardless, the penalties for this kind of crime have been drastically increased. He may end up in federal prison for a long, long time.

Proud AAPL stock owner.

 

GOA

post #98 of 121
Quote:
Originally Posted by SpamSandwich View Post


That's an absurd comparison. Apple is not the federal government.

But they have more cash than the Feds....

post #99 of 121
Quote:
Originally Posted by GoodGrief View Post

For me, it's not about malice, it's about ignorance. By indulging in his own agenda (whether altruistic or not) without authorization, and without knowing what the results would be, he opens up the door for all manner of potentially damaging side-effects (not the least of which has already surfaced, in the form of the registered Apple developer phishing attempts). 

 

Why are you blaming the phishing attacks on him?   He said he hadn't shared any info with anyone else.

 

Quote:
This doesn't affect just him. At the very least it affects both Apple, and every single developer registered with Apple (of which I am one). He made a decision that affects all of us, and he didn't ask us if the potential benefits outweigh the costs.

 

He officially reported some data leaks to Apple via his developer account.

 

Everything that happened to the website after that was Apple's doing.

post #100 of 121
Quote:
Originally Posted by KDarling View Post

 

Why are you blaming the phishing attacks on him?   He said he hadn't shared any info with anyone else.

 

First off, his word on that isn't really worth a damn, since we already know he went and published some of the names. You may be willing to take his word on that, but many of us won't - and for good reason. As for the phishing attempts, if I were a betting man, I'd wager there are probably opportunist third parties exploiting the heightened awareness of a security hole (which wouldn't be as much the case if he hadn't gone public), hoping for someone to be careless and slip up. Also, there's no reason to believe that he isn't responsible for at least some of them, given that:

 

A) He claims he harvested over 100,000 sets of account data. Unnecessary, a single record he wasn't supposed to have access to would've been a sufficient proof-of-concept, and the 73 records he claims were Apple employees' were certainly more than enough, so the extra 100K had to have some purpose.

 

B) He also claims he was deliberately probing to see "how deep he could go". It actually follows that he would be trying to engineer the passwords from any end-users he had data for, so he could "go deeper" into the systems that weren't compromised.

 

 

Quote:
Originally Posted by KDarling View Post

 

He officially reported some data leaks to Apple via his developer account.

 

Everything that happened to the website after that was Apple's doing.

 

Again, all I have on that is <his> word on whether it was reported to Apple. Apple's statement is that "...an intruder attempted to secure personal information of our registered developers from our developer website.". There's no mention of anything along the lines of "we were notified of a potential security breach". I may have little reason to take the statements of a PR department from <any> company at face value, but I have absolutely <zero> reason to believe this person - especially when he's claiming responsibility for deliberately putting my personal information at risk. From what I see (reading between the lines, as it were), this is someone caught with his hand in the cookie jar trying to do damage control (albeit in a really dumb way).

 

What happened to the developer portal after this? As far as I know, it was taken offline to guarantee no additional compromises occurred. That likely wouldn't have happened if this individual hadn't taken the actions he did. Given Apple's historical behavior, if he had simply quietly notified them, they would've done a slow and considered rollout of a fix when it would least affect the uptime of the services that developers are relying on for their business. So are you serious with the assertion that it's "Apple's doing"? Since everyone else is on the analogy train, I'll hop on too:

 

That's like saying it's a victim's fault for bleeding all over the floor when someone else shot them. What happened was a reaction to an attack.

post #101 of 121
Quote:
Originally Posted by Tallest Skil View Post

Did you miss the part where Apple wasn't actually hacked?

That's right TS. It was just security research.


Edited by hentaiboy - 7/22/13 at 4:52pm
Shut up and go away, you useless, pathetic FUDmonger - Tallest Skil
post #102 of 121
lame all I can say is lame.

...if you can think IT, together we can build IT...

post #103 of 121
Quote:
Originally Posted by GoodGrief View Post

Again, all I have on that is <his> word on whether it was reported to Apple.

 

 

It was.

 

A list of his bug reports... including this one, #14488816, have already been pasted on the internet.

 

Quote:

Apple's statement is that "...an intruder attempted to secure personal information of our registered developers from our developer website.". There's no mention of anything along the lines of "we were notified of a potential security breach".

 

Exactly.  If his vulnerability report(s) were the cause of the website shutdown, then Apple should've simply said that they were made aware of a problem.

 

Instead, they said "intruder".  So either a) he wasn't the cause at all,  or b) he was and Apple scared him for no good reason, or c) after his report they looked at the logs and discovered that someone else had also found the bug and downloaded data.

post #104 of 121
If he were an actual researcher on this, he would have:
1) asked Apple if he could notify them of the test
2) done what he did as a test breach as directed by Apple
3) given the information to Apple about it, not announced the info online
4) had no proof of the info as of now.
post #105 of 121
Quote:
Originally Posted by charlituna View Post

When they use term 'sensitive' they refer to information someone can't easily get by another means
People give out their email addresses all the time. Unlike say your password, credit card info etc
Such as if you're a cat person or a dog person.
post #106 of 121
Quote:
Originally Posted by KDarling View Post

 

It was.

 

A list of his bug reports... including this one, #14488816, have already been pasted on the internet.


Exactly.  If his vulnerability report(s) were the cause of the website shutdown, then Apple should've simply said that they were made aware of a problem.

 

Instead, they said "intruder".  So either a) he wasn't the cause at all,  or b) he was and Apple scared him for no good reason, or c) after his report they looked at the logs and discovered that someone else had also found the bug and downloaded data.

 

 

Again, this is on <his> word. As far as I know, this list is one <he> published, which shows nothing even remotely close to proof. Give me 10 minutes and I can whip up some markup to mimic the bug reporter page with some fanciful bugs and take a screenshot - that doesn't make it legit. The Apple dev bugbase won't let me search bugs submitted by another developer - only bugs I've submitted. Maybe I'm unique in my access rights there, but this means I still have no reason to trust his word.

 

Exactly, they said "intruder", which in the absence of any other information, means they <detected> the breach, not that they were notified of a vulnerability through proper or expected channels. According to his own statements, it was a grand total of 4 (four) hours between his attack and him supposedly submitting a bug report (which would be one of thousands submitted on any given day), and the time the portal was shut down. That jibes with the scenario where Apple detected the attack, not a response to a bug report, which one can't reasonably expect to have been even seen by anyone at Apple in that timeframe, much less verified.

 

So:

 

a) Is irrelevant, as he's made the claim that he <did> illicitly obtain over 100,000 user records he had no right to take. It's possible he wasn't the <only> cause, but the unauthorized access of 100,000+ user records was most certainly a contributing factor. Apple never singled him out as the attacker that prompted the shutdown, he made the assertion that he believed it was him. However, given what little information we do have - from this person - the timeline makes it a logical conclusion to draw that it was in fact his attack that was what prompted the shutdown. Although even if it wasn't, that's still meaningless in the context of my previous posts, as he does admit he engaged in the activity that had the potential for damaging effects for all of Apple's developers, as well as Apple, and he did it without right or authority. That is my major gripe with this situation. I can't access the dev portal for device provisioning as a result of this shutdown - that negatively impacts <my> business.

 

b) Is nonsense. Apple didn't do anything to him (that we know of). All apple did was to lock down the site in response to an unknown security breach in order to prevent further unauthorized access - a reasonable and prudent measure. According to his own statements, he got scared when the portal was shut down and Apple notified developers of a breach, and he believed he was responsible. He admits he knew his actions would put him in potential legal trouble, and he posted the statements and video to try to mitigate the problem before it blew up in his face (too much). Apple had nothing to do with him being "scared". That was his own irresponsible behavior. That said, and this is just opinion, I don't believe being scared prompted his response, I believe his public statements were for the sole purpose of garnering attention for himself.

 

c) Does nothing to mitigate his responsibility for his actions, as (once again) he <admitted> he took [copied] over 100,000 user records to which he had no legitimate claim. It's still possible someone else made a concurrent attack and breached the system, but we're talking about this character and his actions which he lays claim to.

post #107 of 121
Quote:
Originally Posted by GoodGrief View Post

He did. He said as much. He claimed "I am not a hacker, I do security research". He explicitly claims he was doing penetration testing. He claims he was seeing "just how deep he could go". He didn't just stumble across something, he deliberately went hunting for vulnerabilities. There is no legitimate "security researcher status". You're either working on a system with authorization to do so, or you're not. You can't claim you're "doing research" as a legitimate defense against engaging in unauthorized activity.

Let's ignore all that though and assume he was just "tinkering", that in and of itself constitutes an illicit access - he wasn't authorized to be "tinkering", only to be using the systems in the prescribed manner. But let's ignore that too, let's suppose he just, by mere happenstance, stumbled on what he considered a problem, instead of stopping at that point, you claim he took it upon himself to deliberately explore it further, to satisfy his own desire or agenda, not at the request of Apple, yet another instance of an unauthorized access. So yes, it "could have happened to any of us" ... if any of us went hunting for problems in places we were not supposed to be.

What happened was that this person made a deliberate choice to engage in his "security research" and he didn't have a right to. There was no accident here, it was his choice to probe the system. It's not vilification. There's no slander involved. He even admits it. Besides, Apple didn't call him out - <he> made a public statement, Apple just said that "...an intruder attempted to secure personal information of our registered developers from our developer website.".

He compromised their system illegally and cost them and developers real money and time as a result. I guarantee he won't be receiving the Medal of Honor.

Proud AAPL stock owner.

 

GOA

post #108 of 121
Quote:

 

Also, a lot of developers were posting that their emails had experienced multiple password reset attempts over the last few days.  

 

Therefore, either:

 

- he was trying to reset people's passwords and thus lying about his "white hat"

- he was lying about not passing the information on to someone else

- there is a third party that just happened to do the same trick within the same time period (unlikely)

 

Or random password resets from people who've forgotten their username, have your email address and are trying to get your Apple ID are actually very common, and it is just that the suggestion this might be related to the shutdown caused developers who normally delete them to start discussing it in case it's related. If that happens you suddenly 'see' a pattern which was always there but never discussed. I must get a couple a month; normally when I get one I get three or four at the same time (possibly because the idiot who really has forgotten his username keeps wondering why his reset mail never comes and keeps trying, possibly because my email is on another hack list and they try 'em all a few times).

 

Not saying he wasn't lying, not saying he didn't distribute the info, and I sure wish, having reported this to Apple, he had sat on his hands for more than a few days so they could read his bug report and address it before launching in to make a name for himself. Good that the vulnerability is being fixed; would have preferred it if Apple had been able to fix it quietly without having all their devs offline for coming close to a week.

post #109 of 121
Quote:
Originally Posted by SpamSandwich View Post


He compromised their system illegally and cost them and developers real money and time as a result.

 

He didn't bring down the site, Apple withdrew it because they became aware of a vulnerability.  Apple are responsible for developers and their own loss of money and time.

censored

post #110 of 121
Quote:
Originally Posted by Crowley View Post

 

He didn't bring down the site, Apple withdrew it because they became aware of a vulnerability.  Apple are responsible for developers and their own loss of money and time.

That's ridiculous on the face of it. Nobody said he brought down the site, rather that his illegal breach of Apple's private servers necessitated the lockdown response by Apple, in order to prevent any additional compromises. His actions directly contributed to the current state of affairs. The response was a necessary reaction to his unnecessary (and unauthorized) choice to act.

post #111 of 121

"the phishing emails are timed to well not to be connected"

 

What?

post #112 of 121
Quote:
Originally Posted by GTR View Post

Sue him.

 

No ifs, ands, or buts.

Yeah right, put a load of money in the pockets of overpaid lawyers, probably a lot more than any damage this guy has done. Either way you lose, but you stand to lose a lot more in the legal system.

post #113 of 121
Quote:
Originally Posted by GoodGrief View Post

That's ridiculous on the face of it. Nobody said he brought down the site, rather that his illegal breach of Apple's private servers necessitated the lockdown response by Apple, in order to prevent any additional compromises. His actions directly contributed to the current state of affairs. The response was a necessary reaction to his unnecessary (and unauthorized) choice to act.

 

The response was a necessary reaction to a large vulnerability, no matter who found it first.

 

However, better that it happened with someone like him, rather than someone who would've downloaded and sold millions of records to spammers and phishers.

 

Of course, this all assumes that it was his actions that triggered Apple's response.

post #114 of 121
Quote:
Originally Posted by GoodGrief View Post

That's ridiculous on the face of it. Nobody said he brought down the site, rather that his illegal breach of Apple's private servers necessitated the lockdown response by Apple, in order to prevent any additional compromises. His actions directly contributed to the current state of affairs. The response was a necessary reaction to his unnecessary (and unauthorized) choice to act.

 

Unnecessary to point out that the door was open?  If my neighbour knocked to point that out to me I'd thank them, rather than shout at them for pointing it out.  And it's my fault for leaving it open in the first place.  If my business, or my partners' business suffers because I left it open then that's my fault, not the neighbour's.

 

Absurd apologism.

post #115 of 121
Quote:
Originally Posted by Crowley View Post

 

He didn't bring down the site, Apple withdrew it because they became aware of a vulnerability.  Apple are responsible for developers and their own loss of money and time.

 

 

Quote:
Originally Posted by Crowley View Post

 

Unnecessary to point out that the door was open?  If my neighbour knocked to point that out to me I'd thank them, rather than shout at them for pointing it out.  And it's my fault for leaving it open in the first place.  If my business, or my partners' business suffers because I left it open then that's my fault, not the neighbour's.

 

Absurd apologism.

 

Ok, more bad analogies. I'll play too:
 
It would be a more accurate analogy to say not that you left a door open, but rather you left one unlocked. Your neighbor didn't innocently notice anything just wandering by, they deliberately tried all the doors and windows in your house to see if any were unlocked. Finding one unlocked, they walked in and took a number of things, including some things belonging to a house-guest you happen to be hosting at the time. Your neighbor didn't point anything out to you, they left a tiny note under your doormat 'just to let you know how deep into your house they could go'. Mind you, you didn't even see the note (why would you be checking under your doormat when you just found you'd been robbed). You didn't yell at your neighbor, you didn't even know who stole from you. You locked up the house and called the police - of course, now your guests can't get their things out, as the police have cordoned off your house to perform a forensic investigation.
 
So now, whose fault do you think it is that your guest can't get their things? Yours for reacting in a responsible manner to an intrusion, or the neighbors who unlawfully entered your house and took things without your permission or knowledge?
 
I'll say it again, blaming a victim for the results of the actions of a perpetrator's wrongdoing against them is unequivocally absurd.

Edited by GoodGrief - 7/24/13 at 5:27pm
post #116 of 121

Analogies are not needed.  The situation is simple.

 

Apple promised to keep their customers' information secure.  That inherently includes protecting info on their servers from unauthorized access of any kind, whether good or bad intentioned.

 

Apple, like other companies before it, failed to do what they promised.

 

The real victims are their customers.

post #117 of 121
Quote:
Originally Posted by GoodGrief View Post

So now, whose fault do you think it is that your guest can't get their things? Yours for reacting in a responsible manner to an intrusion, or the neighbors who unlawfully entered your house and took things without your permission or knowledge?

 
I'll say it again, blaming a victim for the results of the actions of a perpetrator's wrongdoing against them is unequivocally absurd.

 

I'm not actually blaming either for the downtime, I don't think the hacker/security researcher did anything particularly wrong, and Apple's response has been proportional and shows good diligence.

 

However, the situation would not have arisen if there weren't security issues with the Apple service.  That's Apple's fault, definitely.

 

 

Since you've taken the analogy (which wasn't really an analogy so much as a choice of phrasing) to such lengths I'll add that if you were the owner of the house and I left my property in your house, then I damn well expect you to keep the windows and doors locked.

post #118 of 121
Quote:
Originally Posted by KDarling View Post

Analogies are not needed.  The situation is simple.

 

Apple promised to keep their customers' information secure.  That inherently includes protecting info on their servers from unauthorized access of any kind, whether good or bad intentioned.

 

Apple, like other companies before it, failed to do what they promised.

 

The real victims are their customers.

 

 

I agree that Apple (like other companies in comparable positions) has a responsibility to keep to their promise here. However, that promise (and a small army of corporate lawyers make sure the semantics of their offer and terms are explicit on this point) is to take all reasonable measures to prevent unauthorized access. The nature of the beast (if you'll pardon the colloquialism) makes guaranteeing this in absolute terms impossible in practice. One can only make assurances of a 'best effort'.

 

Quote:
Originally Posted by Crowley View Post

 

I'm not actually blaming either for the downtime, I don't think the hacker/security researcher did anything particularly wrong, and Apple's response has been proportional and shows good diligence.

 

However, the situation would not have arisen if there weren't security issues with the Apple service.  That's Apple's fault, definitely.

 

 

Since you've taken the analogy (which wasn't really an analogy so much as a choice of phrasing) to such lengths I'll add that if you were the owner of the house and I left my property in your house, then I damn well expect you to keep the windows and doors locked.

 

 

That smacks somewhat of backpedalling to me, as your assertion that "Apple are responsible for developers and their own loss of money and time." sounds like an assignment of blame to me. 
 
I must also disagree with the assertion that this person did nothing wrong. He knowingly violated a system he had no authorization to. He misappropriated data he had no right to. To further add to his list of transgressions, he publicized some of that misbegotten data with the full knowledge that the data was intended for private use only (and certainly not for his use in any way). He, by definition, did wrong. And this is what I take exception to in this case; this person made the unilateral decision that could (and did) ultimately affect hundreds of thousands of developers (myself included), without permission from any of them. He decided what was best for everyone else - and that wasn't his right. He satisfied his own need to probe the system, for his own agenda, and he did it irresponsibly and across public networks (unless someone can show he had a private hardline from Turkey to Apple's servers), which exposes the data he shouldn't have had in the first place to further potential compromise. His claimed intent - good, bad or otherwise is irrelevant. The ends do not necessarily justify the means. As the old saying goes: "The road to hell is paved with good intentions".
 
Your choice of phrasing "Apple's response has been proportional and shows good diligence" is important here too. Because this was an unauthorized intrusion of unknown dimensions (as opposed to a controlled penetration test done with Apple's knowledge beforehand). The response, by necessity, had to assume the worst-case breach, where it might not have needed to otherwise.
 
I've seen no evidence yet that Apple was negligent in their responsibility to take <reasonable> measures to safeguard the data in their stewardship. If anyone can produce that evidence, then I'll absolutely concede the point, and agree that Apple shares the fault for results. That said, it negates none of the responsibility this other party has for his actions.
 
I may be verbose, but I'm not clear on what 'lengths' I've taken your analogy to, other than to attempt to make the comparison more accurate in its representation of the topic at hand. If I've misrepresented or appear to have misunderstood something you've asserted, then I'm always open to edification. So, dipping one last time into the analogy well - (to my knowledge) the lock was not unlocked as a result of the negligence or failure to act on Apple's part, but rather as a result of the supposedly secure mechanism itself failing (think: rusted and broken tumblers).
post #119 of 121
Quote:
Originally Posted by GoodGrief View Post

That smacks somewhat of backpedalling to me, as your assertion that "Apple are responsible for developers and their own loss of money and time." sounds like an assignment of blame to me. 

 

It was meant more as a removal of blame from the hacker/researcher.  He didn't take the system down, the discovery of a security vulnerability did.  Apple were responsible for the security vulnerability.  I don't think that equates to blaming Apple for the system being down either, while security vulnerabilities are never welcome they are a fact of life, and it is good that Apple is taking it seriously and beefing up their system.  So Apple can be criticised for there being a security vulnerability in the first place, but can be commended for their response.

 

Quote:
Originally Posted by GoodGrief View Post

I must also disagree with the assertion that this person did nothing wrong. He knowingly violated a system he had no authorization to. He misappropriated data he had no right to. To further add to his list of transgressions, he publicized some of that misbegotten data with the full knowledge that the data was intended for private use only (and certainly not for his use in any way). He, by definition, did wrong. And this is what I take exception to in this case; this person made the unilateral decision that could (and did) ultimately affect hundreds of thousands of developers (myself included), without permission from any of them. He decided what was best for everyone else - and that wasn't his right. He satisfied his own need to probe the system, for his own agenda, and he did it irresponsibly and across public networks (unless someone can show he had a private hardline from Turkey to Apple's servers), which exposes the data he shouldn't have had in the first place to further potential compromise. His claimed intent - good, bad or otherwise is irrelevant. The ends do not necessarily justify the means. As the old saying goes: "The road to hell is paved with good intentions".

 

 

What are the ends, a week or so without a developer resource?  Is that really going to affect anyone so terribly?  I don't mean to trivialise it, I'm sure some people are feeling very put out right now, and stress levels may be rising, but in the grand scheme of things, it's not much of an issue.  If he hadn't done this then maybe that security vulnerability would be exploited by someone with malicious intent, someone who might have gone "deeper" and got much more damaging data.  I think the ends definitely justify the means, and we're a long way from hell.

 

Quote:
Originally Posted by GoodGrief View Post

Your choice of phrasing "Apple's response has been proportional and shows good diligence" is important here too. Because this was an unauthorized intrusion of unknown dimensions (as opposed to a controlled penetration test done with Apple's knowledge beforehand). The response, by necessity, had to assume the worst-case breach, where it might not have needed to otherwise.

 

Apple's history in this regard isn't great; they've been criticised for sitting on security vulnerabilities for months without making any moves towards a fix.  I believe I read that this issue was reported using the proper channels to no result.  So the response in your alternative scenario could have been the feared worst-case breach, which would have caused a much greater paralysation of the services.  Conjecture I know, but you're doing the same.

 

 


Quote:
Originally Posted by GoodGrief View Post

I've seen no evidence yet that Apple was negligent in their responsibility to take <reasonable> measures to safeguard the data in their stewardship. If anyone can produce that evidence, then I'll absolutely concede the point, and agree that Apple shares the fault for results. That said, it negates none of the responsibility this other party has for his actions.

 

I don't think anyone expects Apple to be able to withstand prolonged military-grade cyber attacks.  A hacker though?  Operating alone?  That suggests they weren't up to scratch.

 

 

Quote:
Originally Posted by GoodGrief View Post

I may be verbose, but I'm not clear on what 'lengths' I've taken your analogy to, other than to attempt to make the comparison more accurate in its representation of the topic at hand. If I've misrepresented or appear to have misunderstood something you've asserted, then I'm always open to edification. So, dipping one last time into the analogy well - (to my knowledge) the lock was not unlocked as a result of the negligence or failure to act on Apple's part, but rather as a result of the supposedly secure mechanism itself failing (think: rusted and broken tumblers).

 

I didn't make an analogy, I used a metaphor.  There's a difference.  You extrapolated that into a tortured analogy, that's the lengths.  No "accuracy" was ever intended or implied, it was just a metaphor, like when I say that clouds are like soldiers marching to war - point out the differences between clouds and soldiers as much as you want, but you're wasting your time because I don't actually think clouds are literally like soldiers marching to war.

 

I'd rather drop the painful linguistic exercises and focus on the facts.

post #120 of 121

I think we all agree that the entire situation was mishandled, from the way the developer did things, to Apple apparently being behind on security updates, but that the final outcome should be a stronger, better website.

 

Plus... I bet that somewhere in Apple there is a person who had warned his bosses for a long time about security, and finally got to say, "I told you so" and get his fifteen minutes of fame.

 

I do have to add that it's amazing how hard it is not to resort to analogies.  We all felt the pull to do so, yet analogies always miss.  (Especially car analogies.  There needs to be the equivalent of a Godwin's Law about those. lol)
