'iBoot' leak may stem from low-level Apple engineer with ties to jailbreaking community

2»

Comments

  • Reply 21 of 39
    So there is a MOLE inside of Apple. This spy probably caused the recent security vulnerabilities with passwords on IOS. These mistakes are so basic, no experienced programmer should have caused them. They were deliberately introduced into IOS.
    LOL

    Your tin-foil hat is extra shiny.
    StrangeDaysmagman1979Macsplosion
  • Reply 22 of 39
    metrixmetrix Posts: 222member
    Can we hang him for treason?
  • Reply 23 of 39
    metrix said:
    Can we hang him for treason?
    Nah.

    I like him.  He’s funny!

    His story:  A spy goes to all the trouble to steal Apple’s ‘secret sauce’ then posts evidence of his misdeed on GitHub.  

    Should we we call this spy “Inspector Clouseau”?

    https://m.youtube.com/watch?v=SXn2QVipK2o
  • Reply 24 of 39
    metrix said:
    Can we hang him for treason?
    No.
  • Reply 25 of 39
    Rayz2016Rayz2016 Posts: 4,220member
    So there is a MOLE inside of Apple. This spy probably caused the recent security vulnerabilities with passwords on IOS. These mistakes are so basic, no experienced programmer should have caused them. They were deliberately introduced into IOS.
    The problem wasn’t that the bugs were introduced; the problem was that they weren’t discovered. Whether or not  they were introduced deliberately is not the issue. 
    anton zuykov
  • Reply 26 of 39
    Rayz2016Rayz2016 Posts: 4,220member
    The other thing is that the source code being released should not compromise the security of the operating system. If it does, then Apple has some tidying up to do. 



  • Reply 27 of 39
    So there is a MOLE inside of Apple. This spy probably caused the recent security vulnerabilities with passwords on IOS. These mistakes are so basic, no experienced programmer should have caused them. They were deliberately introduced into IOS.
    Yeah no. As an actual enterprise software engineer of two decades, I can tell you nothing is simple and issues usually arise from multiple unexpected conditions. 

    What’s your experience? And which iOS issues are you referring to?
    randominternetpersonanton zuykovairnerd
  • Reply 28 of 39
    thrang said:
    It still doesn't make any sense that the coding environment at this level is not fully isolated. There should be no way to move code from the site. Period. I work in the financial industry, and things are locked down to the point that you cannot access a working USB port to connect anything, and email/attachment access is insanely controlled or outright restricted. Every packet is sniffed. For a company like Apple, I would think the restrictions would/should be even greater. You cannot simply "have faith" people will do the right thing. How this was not firewalled (no email, no internet, no functional ports for external devices, etc.) is mystifying...This does not seem to a be the real story, and the premise of the theft and "quotes" seem downright silly...
    I fully agree. And my experiences are similar. No cloud access whatsoever, any hardware port is locked and only accessible with special rights. Even then, only certified hardware actually works, such as USB sticks that are encrypted and only decryption other certified machines. And for sure forget about emailing stuff to the outside world. Still, however, I would not rule out the chance of the one forgotten device in the cellar, or some other hole. 
    cornchip
  • Reply 29 of 39
    thrang said:
    It still doesn't make any sense that the coding environment at this level is not fully isolated. There should be no way to move code from the site. Period. I work in the financial industry, and things are locked down to the point that you cannot access a working USB port to connect anything, and email/attachment access is insanely controlled or outright restricted. Every packet is sniffed. For a company like Apple, I would think the restrictions would/should be even greater. You cannot simply "have faith" people will do the right thing. How this was not firewalled (no email, no internet, no functional ports for external devices, etc.) is mystifying...This does not seem to a be the real story, and the premise of the theft and "quotes" seem downright silly...
    It’s not quite that simple.  As an IT person (not a programmer) YouTube and the internet in general is a tremendous resource.  Companies might want to block YouTube (For example) to keep employees from wasting time, but it’s also an important resource.  GitHub is the equivalent for programmers...

    The problem is Apple should have noticed their code leaving the building (they have the resources to do so).  Basically you take a hash (fingerprint) of important files and monitor if that hash (file) goes out to an external IP address (leaves the building).

    The problem is we don’t know how the files left.  They weren’t directly uploaded to GitHub.  They might have been taken home on a corporate laptop (work from home or consultant scenario) or USB drive (which can be disabled).  Remember this was probably done by a proficient programmer... there is always a way.  It could have been by screenshots of code, then reconstructed as text/code.  You could encrypt the files, then send them by email (bypassing the file scanning).

    The point is there is no way to create a perfectly protected environment.  You can airgap (no network connections) the programmers machines and outlaw electronic devices in the building.  But we’re talking about software for connected mobile devices...  no work would get done.

    At some point you have to rely on NDA’s and an army of lawyers as a protective/deterrent, but people often don’t think about the consequences until it’s to late. 

    Basically things like this are inevitable.  The only good thing is it’s code from a few generations ago, and an army security specialists are going to be examining the code in hopes of getting the $200,000 bug bounty’s.  Hopefully they find most of the bugs before the bad guys do...
    I would assume that emailing to any non corporate email address is not possible for employees that basically would have no corporate need to do so. And you can also prohibit sending encrypted attachments, at least to the outside world, or non explicitly whitelisted recipients. Screenshots might be a way, but that would be a lot of shots to be taken I’d assume. How many loc are we talking here?
    At the end I agree with you that it comes down to the amount of criminal energy. And the value of the “prize”. 
  • Reply 30 of 39
    foggyhill said:
    maestro64 said:
    lkrupp said:
    Well, my first question would be how could a “low-level” employee have clearance to access source code, the keys to the kingdom?

    Yeah that is the Billion $ questions, usually source code access is control to what subsystems you work on, only upper level people would have full access to all the code and code branches. There is more to this store which is not being told.
    Low level here obviously means kernel, drivers, firmware , whatever... Has nothing to do with clearance.
    Ah good point!  That makes sense, but I expect most people will interpret that in the more mainstream "just a flunky" sense.
    asdasd
  • Reply 31 of 39
    thrang said:
    It still doesn't make any sense that the coding environment at this level is not fully isolated. There should be no way to move code from the site. Period. I work in the financial industry, and things are locked down to the point that you cannot access a working USB port to connect anything, and email/attachment access is insanely controlled or outright restricted. Every packet is sniffed. For a company like Apple, I would think the restrictions would/should be even greater. You cannot simply "have faith" people will do the right thing. How this was not firewalled (no email, no internet, no functional ports for external devices, etc.) is mystifying...This does not seem to a be the real story, and the premise of the theft and "quotes" seem downright silly...
    It’s not quite that simple.  As an IT person (not a programmer) YouTube and the internet in general is a tremendous resource.  Companies might want to block YouTube (For example) to keep employees from wasting time, but it’s also an important resource.  GitHub is the equivalent for programmers...

    The problem is Apple should have noticed their code leaving the building (they have the resources to do so).  Basically you take a hash (fingerprint) of important files and monitor if that hash (file) goes out to an external IP address (leaves the building).

    The problem is we don’t know how the files left.  They weren’t directly uploaded to GitHub.  They might have been taken home on a corporate laptop (work from home or consultant scenario) or USB drive (which can be disabled).  Remember this was probably done by a proficient programmer... there is always a way.  It could have been by screenshots of code, then reconstructed as text/code.  You could encrypt the files, then send them by email (bypassing the file scanning).

    The point is there is no way to create a perfectly protected environment.  You can airgap (no network connections) the programmers machines and outlaw electronic devices in the building.  But we’re talking about software for connected mobile devices...  no work would get done.

    At some point you have to rely on NDA’s and an army of lawyers as a protective/deterrent, but people often don’t think about the consequences until it’s to late. 

    Basically things like this are inevitable.  The only good thing is it’s code from a few generations ago, and an army security specialists are going to be examining the code in hopes of getting the $200,000 bug bounty’s.  Hopefully they find most of the bugs before the bad guys do...
    I would assume that emailing to any non corporate email address is not possible for employees that basically would have no corporate need to do so. And you can also prohibit sending encrypted attachments, at least to the outside world, or non explicitly whitelisted recipients. Screenshots might be a way, but that would be a lot of shots to be taken I’d assume. How many loc are we talking here?
    At the end I agree with you that it comes down to the amount of criminal energy. And the value of the “prize”. 
    Where there is a will, there is a way...

    Take the code and imbed it in images in cats.  Can you read your emails outside of the office?  Send the encrypted email to yourself (so that it never leaves the Corp. email system).

    You could make email attachments forbidden entirely, which also help with phishing scams, but you just handicapped your users.

    The best you can do (in many situations) is have forensic evidence to nail people’s asses to the wall after the fact.

    Networks are generally pretty good at perimeter defense, battling malicious internal people (or just stupid users) is really hard.

    I can think about dozens of ways to bypass any security measures.  How about creating a private Facebook page, and posting the code there.  Or, loggging into your banking site and pasting the code into account notes.  Many of the sites these days create secure connections, it’s not possible to monitor everything.

    Computer security is really about deterrence.  If someone is attacking from outside of the network, create enough layers to get through they look for an easier target.  Nothing is truly secure, it’s just a matter of having enough resources behind the attack.

    The problem is: Momma said “crime doesn’t pay” it really does...
    wonkothesane
  • Reply 32 of 39
    metrixmetrix Posts: 222member
    thrang said:
    It still doesn't make any sense that the coding environment at this level is not fully isolated. There should be no way to move code from the site. Period. I work in the financial industry, and things are locked down to the point that you cannot access a working USB port to connect anything, and email/attachment access is insanely controlled or outright restricted. Every packet is sniffed. For a company like Apple, I would think the restrictions would/should be even greater. You cannot simply "have faith" people will do the right thing. How this was not firewalled (no email, no internet, no functional ports for external devices, etc.) is mystifying...This does not seem to a be the real story, and the premise of the theft and "quotes" seem downright silly...
    It’s not quite that simple.  As an IT person (not a programmer) YouTube and the internet in general is a tremendous resource.  Companies might want to block YouTube (For example) to keep employees from wasting time, but it’s also an important resource.  GitHub is the equivalent for programmers...

    The problem is Apple should have noticed their code leaving the building (they have the resources to do so).  Basically you take a hash (fingerprint) of important files and monitor if that hash (file) goes out to an external IP address (leaves the building).

    The problem is we don’t know how the files left.  They weren’t directly uploaded to GitHub.  They might have been taken home on a corporate laptop (work from home or consultant scenario) or USB drive (which can be disabled).  Remember this was probably done by a proficient programmer... there is always a way.  It could have been by screenshots of code, then reconstructed as text/code.  You could encrypt the files, then send them by email (bypassing the file scanning).

    The point is there is no way to create a perfectly protected environment.  You can airgap (no network connections) the programmers machines and outlaw electronic devices in the building.  But we’re talking about software for connected mobile devices...  no work would get done.

    At some point you have to rely on NDA’s and an army of lawyers as a protective/deterrent, but people often don’t think about the consequences until it’s to late. 

    Basically things like this are inevitable.  The only good thing is it’s code from a few generations ago, and an army security specialists are going to be examining the code in hopes of getting the $200,000 bug bounty’s.  Hopefully they find most of the bugs before the bad guys do...
    I would assume that emailing to any non corporate email address is not possible for employees that basically would have no corporate need to do so. And you can also prohibit sending encrypted attachments, at least to the outside world, or non explicitly whitelisted recipients. Screenshots might be a way, but that would be a lot of shots to be taken I’d assume. How many loc are we talking here?
    At the end I agree with you that it comes down to the amount of criminal energy. And the value of the “prize”. 
    Where there is a will, there is a way...

    Take the code and imbed it in images in cats.  Can you read your emails outside of the office?  Send the encrypted email to yourself (so that it never leaves the Corp. email system).

    You could make email attachments forbidden entirely, which also help with phishing scams, but you just handicapped your users.

    The best you can do (in many situations) is have forensic evidence to nail people’s asses to the wall after the fact.

    Networks are generally pretty good at perimeter defense, battling malicious internal people (or just stupid users) is really hard.

    I can think about dozens of ways to bypass any security measures.  How about creating a private Facebook page, and posting the code there.  Or, loggging into your banking site and pasting the code into account notes.  Many of the sites these days create secure connections, it’s not possible to monitor everything.

    Computer security is really about deterrence.  If someone is attacking from outside of the network, create enough layers to get through they look for an easier target.  Nothing is truly secure, it’s just a matter of having enough resources behind the attack.

    The problem is: Momma said “crime doesn’t pay” it really does...
    Maybe she meant it doesn’t pay morally, if you have a little guy on your shoulder.  
    edited February 10
  • Reply 33 of 39
    thrang said:
    It still doesn't make any sense that the coding environment at this level is not fully isolated. There should be no way to move code from the site. Period. I work in the financial industry, and things are locked down to the point that you cannot access a working USB port to connect anything, and email/attachment access is insanely controlled or outright restricted. Every packet is sniffed. For a company like Apple, I would think the restrictions would/should be even greater. You cannot simply "have faith" people will do the right thing. How this was not firewalled (no email, no internet, no functional ports for external devices, etc.) is mystifying...This does not seem to a be the real story, and the premise of the theft and "quotes" seem downright silly...
    It’s not quite that simple.  As an IT person (not a programmer) YouTube and the internet in general is a tremendous resource.  Companies might want to block YouTube (For example) to keep employees from wasting time, but it’s also an important resource.  GitHub is the equivalent for programmers...

    The problem is Apple should have noticed their code leaving the building (they have the resources to do so).  Basically you take a hash (fingerprint) of important files and monitor if that hash (file) goes out to an external IP address (leaves the building).

    The problem is we don’t know how the files left.  They weren’t directly uploaded to GitHub.  They might have been taken home on a corporate laptop (work from home or consultant scenario) or USB drive (which can be disabled).  Remember this was probably done by a proficient programmer... there is always a way.  It could have been by screenshots of code, then reconstructed as text/code.  You could encrypt the files, then send them by email (bypassing the file scanning).

    The point is there is no way to create a perfectly protected environment.  You can airgap (no network connections) the programmers machines and outlaw electronic devices in the building.  But we’re talking about software for connected mobile devices...  no work would get done.

    At some point you have to rely on NDA’s and an army of lawyers as a protective/deterrent, but people often don’t think about the consequences until it’s to late. 

    Basically things like this are inevitable.  The only good thing is it’s code from a few generations ago, and an army security specialists are going to be examining the code in hopes of getting the $200,000 bug bounty’s.  Hopefully they find most of the bugs before the bad guys do...
    I would assume that emailing to any non corporate email address is not possible for employees that basically would have no corporate need to do so. And you can also prohibit sending encrypted attachments, at least to the outside world, or non explicitly whitelisted recipients. Screenshots might be a way, but that would be a lot of shots to be taken I’d assume. How many loc are we talking here?
    At the end I agree with you that it comes down to the amount of criminal energy. And the value of the “prize”. 
    Where there is a will, there is a way...

    Take the code and imbed it in images in cats.  Can you read your emails outside of the office?  Send the encrypted email to yourself (so that it never leaves the Corp. email system).

    You could make email attachments forbidden entirely, which also help with phishing scams, but you just handicapped your users.

    The best you can do (in many situations) is have forensic evidence to nail people’s asses to the wall after the fact.

    Networks are generally pretty good at perimeter defense, battling malicious internal people (or just stupid users) is really hard.

    I can think about dozens of ways to bypass any security measures.  How about creating a private Facebook page, and posting the code there.  Or, loggging into your banking site and pasting the code into account notes.  Many of the sites these days create secure connections, it’s not possible to monitor everything.

    Computer security is really about deterrence.  If someone is attacking from outside of the network, create enough layers to get through they look for an easier target.  Nothing is truly secure, it’s just a matter of having enough resources behind the attack.

    The problem is: Momma said “crime doesn’t pay” it really does...
    I get your point. Just for the sake of it: in the cases I know of you could not access your Corp email except from Corp devices if you had a specific clearance. So your cat would stay always on Corp machines and still you can’t get it off. No Facebook or other social media. No banking web site or any internet. Well that’s depending on the specific levels and I’m talking military and sensitive engineering groups in other industries here. No phones allowed with cameras. No screen recording on the PC possible etc. So really I guess one needs some quite sophisticated tools - and then it’s likely that you have a “custOmer” already for your theft. But you won’t share this to guys who shares this only with his best friend who only shares this with his best friend who accuse Tyler posts it on GitHub....
    But as said in the beginning: all a question of criminal energy plus how strong and consequent the system safeguards actually are. 
  • Reply 34 of 39
    I think of the line from 3 Days of the Condor (IIRC):

    ”Oh (my), you have no idea of the damage you’ve done.”

    I think we will see that the damage is significant and worthy of these people getting lifetime federal prison sentences. (Not only as a punishment but as a deterrent for the next asshats that think it would be fun to steal and possess critical code for whatever from whoever.  I say this as a person who never condemned the actions of Snowden because he was motivations seem legitimate.)

    By their actions, these idiots have put every Apple customer at risk. 

    I hope Apple has already mitigated the risk to user info or will be able to do so. 
    anton zuykov
  • Reply 35 of 39
    SoliSoli Posts: 8,289member
    I think of the line from 3 Days of the Condor (IIRC):

    ”Oh (my), you have no idea of the damage you’ve done.”

    I think we will see that the damage is significant and worthy of these people getting lifetime federal prison sentences. (Not only as a punishment but as a deterrent for the next asshats that think it would be fun to steal and possess critical code for whatever from whoever.  I say this as a person who never condemned the actions of Snowden because he was motivations seem legitimate.)

    By their actions, these idiots have put every Apple customer at risk. 

    I hope Apple has already mitigated the risk to user info or will be able to do so. 
    A former Kentucky judge who ran a sex trafficking ring and used his position of power coerce girls and  women is up for parole after 4 years and only has a $100k fine.
  • Reply 36 of 39
    asdasdasdasd Posts: 5,105member
    Apple isn't hiding low level kernel code in basements. It needs to be accessed by their engineers and is probably on some internal git server. And if this guy was a low level engineer he would have full rights to it, in fact Apple may give full rights to everybody so somebody at a higher layer can investigate an issue they may be seeing.

    The way to protect against this is to make sure that the employees know they will lose their job, reputation and may face criminal proceedings for deliberate violations and export of internal code. 


  • Reply 37 of 39
    Low level engineer should have followed the same guideline I have for emails...if you wouldn't want everyone to see it, DON'T WRITE IT!
    Macsplosion
  • Reply 38 of 39
    asdasd said:
    Apple isn't hiding low level kernel code in basements. It needs to be accessed by their engineers and is probably on some internal git server. And if this guy was a low level engineer he would have full rights to it, in fact Apple may give full rights to everybody so somebody at a higher layer can investigate an issue they may be seeing.

    The way to protect against this is to make sure that the employees know they will lose their job, reputation and may face criminal proceedings for deliberate violations and export of internal code. 
    For such a person, they don’t think in terms of long-term damage or harm. 
  • Reply 39 of 39
    bitmod said:
    lkrupp said:
    Well, my first question would be how could a “low-level” employee have clearance to access source code, the keys to the kingdom?
    Because Apple orchestrated this story to force compliance on updating the software and purchasing phones capable of iOS 10

    Stats on the adoption rates of new iOS in the previous 5 years should tell you, that you do not need to orchestrate anything to switch users to a newer version of iOS.
    This is not some Android with its long tail of old OS versions, spanning 7-10 major OS releases, for fux sake.
    Of course, looking at that stats might disprove your conspiracy theory...
    edited February 12
Sign In or Register to comment.