Researcher admits to hacking Apple's developer site, says he meant no 'harm or damage'

Comments

  • Reply 61 of 125
    crowley Posts: 10,453 member

    Quote:

    Originally Posted by GTR

    Sue him.

    No ifs, ands, or buts.

    What are the damages?

  • Reply 62 of 125

    Quote:

    Originally Posted by applecansuckmyd

    All you misinformed and self-righteous people need to understand what he did is and will always be accepted by the computer science and cryptography community as ethical and legal. There is such a thing as whitehat hacking, where someone does penetration testing on a company/website to see how vulnerable it is against real, malicious hackers. If he had simply hacked the Dev website without taking any proof of sensitive information, then Apple would have most likely down-played this situation as some minor breach with no loss of sensitive material. As for all of you calling for him to be sued, you are what's wrong with America today.

    I disagree; penetration testing is most often something that is contracted out or requested. Penetration testing by the public is just hacking with an official-sounding name.

  • Reply 63 of 125
    ukjb Posts: 19 member

    Quote:

    Originally Posted by Gazoobee

    This is completely inaccurate (at least in most countries). The bank in this analogy *does* have a direct responsibility to protect your information/goods.

    To get away from the bank analogy, most information protection and privacy laws around the world are explicitly based on the fact that once you have someone's personal information it's your responsibility to keep it, and to keep it safe for the duration of the time you have it. Any third party holding someone else's information has this responsibility. You can be sent to jail if you violate these laws, and people are quite regularly. All I can say is if it isn't this way in the USA, then that's seriously "last century" thinking.

    He never said the bank doesn't have a direct responsibility to protect your information/goods... but you want to get away from this analogy; why? It is much better than the house burglary analogy in that a third party is involved. Whether they have a duty to protect you or not is of no importance... *of course* they have the "duty" to protect your stuff. The question is, do you vilify the person shedding light on the fact that the bank is not doing a good job at its security, or the bank itself for leaving your valuables in a situation where they can easily (more easily than at other banks) be stolen?

  • Reply 64 of 125
    ukjb Posts: 19 member

    Quote:

    Originally Posted by Rogifan

    Yes it is. Just because someone exposes a security flaw doesn't make the way they went about exposing it right, or legal. If he was concerned about Apple's security why didn't he contact them about it and offer up his services rather than hacking the site and after the fact telling Apple (and the world) that he did it. Seems this is someone who is just looking for attention (or a job) rather than someone who is really concerned about Apple developer/user security. Sorry, but I don't think the ends justify the means.

    You didn't answer my question... which of those three scenarios would you prefer to happen? A non-answer is just skirting the question. You know which is the right one to choose, but you are so quick to vilify the gentleman who ultimately caused no harm and ultimately forces Apple's hand to fix the situation in a timely manner. If you don't think the ends justify the means then you have no idea how security/publicity go hand in hand... I covered this in scenario (b). Did you read it? If he were to tell Apple what he did or how to do it, they would have covered it up so they could take their time to fix it, while the vulnerability still exists.

    Also, you completely disregard the fact that he didn't steal anything directly from you but from someone who is guarding your information. That is not a house break-in but a bank robbery. If my analogy is no good, yours is worse... just think about it with an unbiased attitude. That's all I ask.

  • Reply 65 of 125

    Quote:

    Originally Posted by TBell

    Yes, because I am sure the amount Apple can receive from him in relation to its attorney fees is worthwhile.

    "Little" companies/people sue big ones in the hopes of getting a boatload of $$ in damages. The big ones sue others to "punish" and set an example for others in an attempt to prevent similar occurrences from happening again. A substantial judgement against this guy would likely never get paid, but hang over him forever.

    And given the size of Apple's legal department I suspect the incremental cost of causing this guy legal hell is negligible anyway.

  • Reply 66 of 125

    Quote:

    Originally Posted by airmanchairman

    ... revealing several full names un-blurred (including women) ....

    *gasp* I've never seen a woman's name before. /s

    What is the relevance of "including women"? How can you be sure they were women (or men)? For example, we learned last week that "Robert Galbraith" = J.K. Rowling.

  • Reply 67 of 125
    bdkennedy1 Posts: 1,459 member

    It's not his responsibility to point out Apple's flaws by hacking their servers. The correct approach would be to speak with Apple first and let them handle it. If they don't want to fix it, it's their problem. If he gets prosecuted, it's his fault.

  • Reply 68 of 125
    jetlaw Posts: 156 member
    While I appreciate a contrite attitude on the part of those that do wrong, the lawyer in me cringes at reading public apologies that are tantamount to a full confession.
  • Reply 70 of 125
    stromos Posts: 16 member

    Quote:

    Originally Posted by bdkennedy1

    It's not his responsibility to point out Apple's flaws by hacking their servers. The correct approach would be to speak with Apple first and let them handle it. If they don't want to fix it, it's their problem. If he gets prosecuted, it's his fault.

    Let me correct that for you. If they don't want to fix it, it's YOUR problem because it's YOUR information.

  • Reply 71 of 125
    A big shrug about what the hacker did. I for one am proud to be an Apple developer. Go ahead and show my name any time you want. Apple forced us to use our e-mail address as our developer IDs some time ago, so no big secrets were exposed there either. I was kind of hoping mine would show up in that video.

    I am not happy that we now know more about what is going on from this hacker's YouTube video than from Apple itself. Apple should have come clean immediately when they took the Apple developer site down and not waited days to tell us. I was checking the site many times a day in hopes it would come back so I could access the developer forums, sample code and other resources. I am not really surprised that the Apple developer site was hacked. I am actually surprised that it took this long to be noticed by a casual hacker. As the hacker said in the video, it appears to have been actively leaking user info, which is what made the hacker look a bit deeper.
  • Reply 72 of 125
    donw35 Posts: 30 member
    PEN testing without authorization and proper documentation is wrong and should not be just blown off. This is serious and it shouldn't be downplayed because he wanted to "TEST" without authorization to proceed.
  • Reply 73 of 125
    stromos Posts: 16 member

    Quote:

    Originally Posted by donw35

    PEN testing without authorization and proper documentation is wrong and should not be just blown off. This is serious and it shouldn't be downplayed because he wanted to "TEST" without authorization to proceed.

    Then there need to be laws in place that if someone thinks a vulnerability is present, Apple is required to have a third party test and, when it's all said and done, share the results with the public. I am tired of the protections these companies are getting for having lousy security. You're right, PEN testing shouldn't be allowed without authorization, but it should be required.

  • Reply 74 of 125
    tallest skil Posts: 43,388 member
    stromos wrote: »
    Then there need to be laws in place that if someone thinks a vulnerability is present, Apple is required to have a third party test and, when it's all said and done, share the results with the public.

    Abject nonsense. That's the easiest way to bankrupt any company.
  • Reply 75 of 125
    stromos Posts: 16 member

    Quote:

    Originally Posted by Tallest Skil

    Abject nonsense. That's the easiest way to bankrupt any company.

    Then make it once every six months. At the end of the day, if these companies can't handle personal information there needs to be intervention. Apple certainly has the money to have been doing PEN testing and to have fixed this long ago. They just didn't want to spend the money to protect us. How many times do we have to have a Sony/Evernote/Apple before either there are some new laws or the punishments are so severe that companies get their act together out of fear?

  • Reply 76 of 125
    ukjb Posts: 19 member

    Quote:

    Originally Posted by Tallest Skil

    Abject nonsense. That's the easiest way to bankrupt any company.

    How so? There is absolutely no form of checks and balances for a company that is maintaining my information in their records. Others have said that they are responsible for protecting that data, but there is not one single law or rule that says how much effort has to go into protecting my data. Legally speaking, if it is password protected, it is secure, but we all know that just applying a password is not the extent to which our data needs to be protected.

    SOME sort of law needs to be in place to call out companies when we suspect there might be a security flaw in a system protecting my data. Arguing otherwise is just as you said, "abject nonsense."

  • Reply 77 of 125
    jakeb Posts: 562 member
    Somehow I don't think they're going to send him an iTunes gift certificate as a token of thanks.
  • Reply 78 of 125
    Deep Porpoise... didn't they do proto-heavy metal in the 70s?
  • Reply 79 of 125
    kdarling Posts: 1,640 member

    Quote:

    Originally Posted by GrangerFX

    ... I am not really surprised that the Apple developer site was hacked. I am actually surprised that it took this long to be noticed by a casual hacker. As the hacker said in the video, it appears to have been actively leaking user info, which is what made the hacker look a bit deeper.

    Yep, although I'm not sure he should even be called a "hacker", unless he did more than we know.

    Right now, it looks like he's just a programmer who tried out a recently discovered server bug to see if his own info came back, and was surprised to find out that it did. Then he must have tried other request combinations and tons of records came back. Not smart, but certainly a natural reaction.

    His video shows that he then reported the security hole to Apple via a developer bug report.

    He probably expected a reply like "Thanks for the info. Please keep it quiet while we fix the bug", which would be reassuring. It doesn't sound like that happened. Instead, when Apple immediately took down their site and wrote that it was because of an "intruder", he got worried that someone at Apple was going to try to lay blame on him, so he went public.

    As he said in his video comment:

    "This is definitely not a hack attack. I have reported all the bugs I have found to the company and waited for approval. I am being accused of hacking but I have not given any harm to the system and I did not want to damage it."

    Yes, he didn't handle it very well, but as you pointed out, neither did Apple.

  • Reply 80 of 125
    Something I am surprised has not come up yet is that Apple may not have brought down the site because of this guy alone. As a Network Admin, if I get a report of a breach by a White Hat, the first thing I do is check the logs to see if anyone else tried the same thing. If I find that, I would shut down the site too. If I do not, then it is a business decision of which is worse: the risk of a Black Hat while I fix it, or the cost of being down.

    Based on Apple's reaction I am guessing that 1) they found other suspicious activity, 2) this guy is not telling the whole story, or 3) a combination of the two.
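The log check described in Reply 80, "see if anyone else tried the same thing", written out as an added example that is not from the original thread. It assumes combined-format web server access logs and a hypothetical per-record endpoint path, `/api/account/<id>`, standing in for whatever endpoint the report actually named (the thread never says); the log lines are constructed. The idea is simple: an ordinary client reads its own record, so a client that successfully read many distinct records looks like enumeration, and the defender wants to know whether any such client is someone other than the reporter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Hypothetical per-record endpoint; a placeholder, not the real path from the incident.
ENDPOINT_RE = re.compile(r"^/api/account/(?P<record>\d+)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, second, record, ua):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [18/Jul/2013:10:{second // 60:02d}:{second % 60:02d} +0000] '
            f'"GET /api/account/{record} HTTP/1.1" 200 510 "-" "{ua}"')


def constructed_log():
    """Constructed sample: the reporter pulls a dozen records, an unrelated client
    pulls forty with a script, a normal user fetches only their own record."""
    lines = [_line("198.51.100.7", 60 + i, 1000 + i, "Mozilla/5.0") for i in range(12)]
    lines += [_line("203.0.113.9", 180 + i, 2000 + i, "curl/7.30.0") for i in range(40)]
    lines.append(_line("192.0.2.44", 300, 3001, "Mozilla/5.0"))
    lines.append('192.0.2.44 - - [18/Jul/2013:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    lines.append("garbage line that does not parse")  # exercises the skip path
    return "\n".join(lines)


def profile_record_access(log_text):
    """Per client IP: distinct records read successfully from the endpoint, the time
    span of that activity, and the user agents seen. Returns (profiles, skipped)."""
    profiles = defaultdict(lambda: {"records": set(), "first": None, "last": None, "agents": set()})
    skipped = 0
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            skipped += 1  # unparseable lines are counted, not silently dropped
            continue
        e = ENDPOINT_RE.match(m["path"])
        if not e or m["status"] != "200":
            continue  # only successful reads of a record count as exposure
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        p = profiles[m["ip"]]
        p["records"].add(e["record"])
        p["agents"].add(m["ua"])
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
    return dict(profiles), skipped


def flag_enumeration(profiles, threshold=10):
    """Clients that read at least `threshold` distinct records. A legitimate user
    reads their own record, not a run of other people's."""
    flagged = {}
    for ip, p in profiles.items():
        n = len(p["records"])
        if n >= threshold:
            span = (p["last"] - p["first"]).total_seconds()
            flagged[ip] = {"records": n, "seconds": span, "agents": sorted(p["agents"])}
    return flagged


def others_besides_reporter(flagged, reporter_ip):
    """The question from the post: did anyone other than the person who reported
    the bug do the same thing? Returns those client IPs, sorted."""
    return sorted(ip for ip in flagged if ip != reporter_ip)


if __name__ == "__main__":
    profiles, skipped = profile_record_access(constructed_log())
    flagged = flag_enumeration(profiles)
    for ip, f in flagged.items():
        print(f"{ip}: {f['records']} records in {f['seconds']:.0f}s via {f['agents']}")
    print("others besides reporter:", others_besides_reporter(flagged, "198.51.100.7"))
    print("unparseable lines:", skipped)
```

On the constructed data the reporter and the scripted client are both flagged, and the second one is the answer to the post's question: evidence that someone else exploited the same bug, which is exactly the finding that turns "keep the site up while we patch" into "take it down now". The threshold is a tuning knob; on a real log you would also want to check the same pattern across other hosts, status codes other than 200 (failed guesses before the successful ones), and a time window wider than a single day.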