Yes, because I am sure the amount Apple can receive from him in relation to its attorney fees is worthwhile.
So all petty theft, for example, should be legalized, huh? What kind of nonsense statement is this?
Doesn't matter how much "money they can get from him". He's going to jail. He receives punishment for doing something illegal. It's pretty darn simple.
Yes it is. Just because someone exposes a security flaw doesn't make the way they went about exposing it right, or legal. If he was concerned about Apple's security, why didn't he contact them about it and offer up his services rather than hacking the site and after the fact telling Apple (and the world) that he did it? This seems like someone who is just looking for attention (or a job) rather than someone who is really concerned about Apple developer/user security. Sorry, but I don't think the ends justify the means.
Comments
Being considered ethical by a small subset of the population does not make an action ethical and it certainly does not have any effect on its legality. The simple fact is that he broke into a private security system without authorization, and should therefore be punished regardless of his intent.
If I find a burglar in my house, I'm going to shoot him. There is no question of intent; he has crossed the line in invading my personal space.
Also, I find your screen name offensive and hope your account gets banned.
Quote:
Originally Posted by Rogifan
OK but these are all just his claims at this point, right? Has Apple confirmed any of this?
It's doubtful that Apple will ever confirm much, especially since that would only highlight that it's possible that many such intrusions could have taken place without being noticed.
That is, if he was able to inject SQL or OGNL into a web request and get this info, others will have tried and succeeded as well.
So Apple will want to simply put this behind them as soon as possible.
--
As to how it's possible in the first place, well, every major corporation runs third-party testing software these days just to look for stuff like this. If you find a problem, you have to fix it or get a security waiver.
Part of the problem is that IT groups tend to install updates rather slowly, because they have to test so many related applications. Plus, you never know what new vulnerabilities the update has.
It's like, damned if you do, and damned if you don't.
Therefore website frameworks can easily be a year or more out of date, and it takes something like this to push everyone into action. It's also why it takes so long to fix. Everything has to be tested, and that can normally take weeks in the best case. Here, they have to accelerate that process.
Been there, done that. I am sympathetic towards the pain that Apple's IT group is going through right now.
Quote:
Originally Posted by Rogifan
So if someone breaks into my house and then says they were only doing it to see how secure my house was (or prove how insecure it was), that's OK? Nonsense. And I'd want them in jail.
That is not a very fair analogy.
Think of it this way.
You put all your money into a bank. You don't know it, but that bank isn't very secure.
Not as the bank, but as the customer of that bank (very important whose perspective you view this from), which scenario would you prefer to take place?
a) Someone breaks into the bank's vault and takes all your money. He leaves with all your money and vacations in the tropics. The bank can't do anything about it because in this hypothetical situation, the bank does not have insurance (Apple can't offer you insurance if your credentials are lost or stolen, so not a bad analogy).
b) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and secretly tells the bank how he did it. The bank covers it up and underplays the effects of the break-in because they don't want any more break-in attempts, don't want to lose your business, don't want the media attention involved, AND (the biggie) since everything was swept under the rug, can take their time replacing the old unsafe system with a better, more secure system. All of which help make scenario (a) more of a possibility.
c) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and tells the world of his feats. The bank is forced to come to terms with their lack of security and they are forced to shore up their shortcomings ASAP or risk more break-ins.
Except they won't, because every single company does the exact same thing.
Quote:
Originally Posted by iaeen
Being considered ethical by a small subset of the population does not make an action ethical and it certainly does not have any effect on its legality. The simple fact is that he broke into a private security system without authorization, and should therefore be punished regardless of his intent.
If I find a burglar in my house, I'm going to shoot him. There is no question of intent; he has crossed the line in invading my personal space.
Also, I find your screen name offensive and hope your account gets banned.
This broken thinking is why companies like Apple/Sony/Evernote/etc. get away with murder of your personal information. The house analogy is just flat wrong. This isn't a house that's your responsibility to protect; it's a treasure of YOUR information being held by a third party. This is like a bank full of security deposit boxes in a vault with the door left open. The bank could close the vault door, but they don't really care because they are not liable if the contents inside are taken; they just might get some bad publicity. You have a box in there and you know the door is open. You tell the bank the door is open and they don't care.
Option One:
You tell the media that the door is open and one of two things happens. Either the bank paints you as a criminal and bans you from the bank forever, or the bank denies the door is open and no one is going to check for fear that the bank will go after them for looking into it.
Option Two:
You take some boxes belonging to bank employees and tell them to close the door. What should happen is the bank finally cares and closes the door. Problem solved. What the bank (Apple) is doing is instead crying that someone took their things and going after the person.
This is pretty much technology security in a nutshell. For all of you that want this guy in prison for trying to do the right thing, I hope you know you aren't closing the vault door; you are just making sure that the person who finally walks in is going to rob you all blind. Frankly, at that point you deserve it, because you didn't want people to point out the problems, you just wanted to assume the bank wasn't careless...
Sorry, you can't break into a place just for "research". Can I "research" how to break into a bank vault? Thought so. What a dummy he is.
Quote:
Originally Posted by applecansuckmyd
All you misinformed and self-righteous people need to understand what he did is and will always be accepted by the computer science and cryptography community as ethical and legal. There is such a thing as whitehat hacking, where someone does penetration testing on a company/website to see how vulnerable it is against real, malicious hackers. If he had simply hacked the Dev website without taking any proof of sensitive information, then Apple would have most likely down-played this situation as some minor breach with no loss of sensitive material. As for all of you calling for him to be sued, you are what's wrong with America today.
It's raining idiots today.
That should be one of AI's taglines. Have 'em cycle randomly at the top of every page.
Quote:
Originally Posted by rydewnd2
If he's a security researcher and not a hacker, why is he revealing real developers names and other info in a YouTube video? Seems best suited for a white paper or essay no?
Apple should hire him.
Quote:
Originally Posted by KDarling
...
3) Apple may catch some grief for definitions like "some accounts" ("some" = 100,000+ ) ... "transparency" (waiting over three days to say anything) ... and no "sensitive personal information" was taken (apparently email addresses are not considered sensitive).
I thought Apple was pretty clear that no "user" personal information was taken, but that the names, addresses, and personal email of the developers was taken.
I think this guy is highly suspicious anyway. Either that or he may have nothing to do with it and it's just a coincidence.
The things that seem clear to me about him:
- he's an egomaniac (the video, the attitude etc.)
- he deliberately exposed personal information in the video, while saying that he would never disclose personal information.
Also, a lot of developers were posting that their emails had experienced multiple password reset attempts over the last few days.
Therefore, either:
- he was trying to reset people's passwords and thus lying about his "white hat"
- he was lying about not passing the information on to someone else
- there is a third party that just happened to do the same trick within the same time period (unlikely)
If I was Apple, even if this guy was saying he was a white hat, the fact that I was getting reports of password reset attempts would make me do exactly the same thing that they ultimately did. Even if they believed the guy and even if they weren't getting password reset attempts, they should still have shut down the system as they did, but perhaps not used the language they did. So at the end of the day if Apple is "wrong" it's only in the language they used to describe the guy.
It seems far more likely to me that they aren't wrong though and did the only thing they could/should do.
Because of this asshole, the dev site is down and beta 4 is not released so far.
Suing him, closing his business and a few years in prison will teach him.
Quote:
Originally Posted by Gazoobee
judging by his statement has severe communication difficulties (ESL?) to boot.
That's the simple view: his incredibly bad grammar and sentence construction. But when you put that together with the questionable ethics of his revealing several full names un-blurred (including women) in that self-promoting video, the smugness of his pose in the picture, his making off with thousands of identities and the logic flaws in his explanations of his actions, the dude reeks of dubiousness.
Such a character's account of his dealings with anyone let alone Apple cannot be believed. And Apple's extreme actions appear to indicate a shakedown attempt was made.
A little education is indeed a dangerous thing.
Quote:
Originally Posted by applecansuckmyd
All you misinformed and self-righteous people need to understand what he did is and will always be accepted by the computer science and cryptography community as ethical and legal. There is such a thing as whitehat hacking, ...
Except based on what we know so far, it would appear he violated several of the rules of "white hat" hacking.
Quote:
Originally Posted by waldobushman
He did Apple a valuable service. Good for him. Better him than the NSA.
err, your alternative does not follow.
Better him than the organized crime syndicate would be a better example.
Unless your use of Apple's Dev Sites exposes who you talk to, how you spend your time in your bedroom, or passwords to your how to bomb US landmarks websites, the NSA is pretty much a non-threat at the moment.
He did do Apple a valuable service. However, he did not do it professionally. He sought self-promotion and some vindication by posting it online. Good pentesting (pentesting for good) is like good science. You discover something, you find a professional to validate your findings, you both go to the source with independent findings, and if they reject your findings, then you must release it to the public as part of the public good. If Apple says, 'interesting... please embargo your release until we fix it' and they fix it within a couple of months, you sit on it... if 6 months, then you have to consider the public good, and release it with the conversations with Apple. The 2-5 month window is the ethical ambiguity.
As for 'intruder' vs 'professional': an uninvited guest in your house is an intruder. An invited guest who wanders into the basement during a dinner party is one that violates 'the terms of agreement' for the dinner party, and is 'unwelcome.' A professional would knock on the door, state that he suspects a weakness that is putting all your guests at risk, ask permission to 'test' the house, and ask for permission to enter the basement. If he is a security expert, he starts at the top, and asks for a 'get out of jail free card' prior to the beginning of the test.
The fact he feels he's doing the public a service is mitigating, but his methods of setting up the test and exposing the details to the public show he's at best a novice with skills, and at worst a grey hat that wants to build public cred, as he couldn't find any 'real value' (something he could sell to the highest bidder), and therefore wanted to publicize his capabilities.
Quote:
Originally Posted by barthrh
Stupid non-English-speaking Turks. I'm sure that your fluency in Turkish would teach him a thing or two!
I don't care if he is a Turk or whatever, I was just pointing out his obvious communication difficulties.
The determination of whether he did anything wrong or not will most likely involve exactly what he communicated to Apple. His job/career may hinge on it in fact.
Quote:
Originally Posted by Stromos
... The house analogy is just flat wrong. This isn't a house that's your responsibility to protect, it's a treasure of YOUR information being held by a third party. This is like a bank full of security deposit boxes in a vault with the door left open. The bank could close the vault door but they don't really care because they are not liable if the contents inside are taken they just might get some bad publicity. You have a box in there and you know the door is open. You tell the bank the door is open and they don't care....
This is completely inaccurate (at least in most countries). The bank in this analogy *does* have a direct responsibility to protect your information/goods.
To get away from the bank analogy, most information protection and privacy laws around the world are explicitly based on the fact that once you have someone's personal information it's your responsibility to keep it, and to keep it safe for the duration of the time you have it. Any third party holding someone else's information has this responsibility. You can be sent to jail if you violate these laws and people are quite regularly. All I can say is if it isn't this way in the USA, then that's seriously "last century" thinking.