Researcher admits to hacking Apple's developer site, says he meant no 'harm or damage'


Comments

  • Reply 81 of 125
    kdarlingkdarling Posts: 1,640member

    Quote:

    Originally Posted by AJMonline View Post

    Something I am surprised has not come up yet, is that Apple may not have brought down the site because of this guy alone. As a Network Admin, if I get a report of a breach by a White Hat, the first thing I do is check the logs to see if anyone else tried the same thing.

    Yes, the reaction seems awfully big for one bug report to cause it... although to be fair, security is a huge issue these days and perhaps that's their new policy.

  • Reply 82 of 125
    tallest skiltallest skil Posts: 43,388member
    stromos wrote: »
    Apple certainly has the money to have been doing pen testing and fixed this long ago. They just didn't want to spend the money to protect us.

    Shut up with the FUD, please.
    ukjb wrote: »
    How so?

    "I think there is a flaw in your security."
    "Okay, we'll test it."
    *spends $10,000 to test it*
    *next day*
    "I think there is a flaw in your security."
    "Okay, we'll test it."
    *spends $10,000 to test it*
    *next day*
    "I think there is a flaw in your security."
    "Okay, we'll test it."
    *spends $10,000 to test it*
    *next day*
    SOME sort of law needs to be in place to call out companies when we suspect there might be a security flaw in a system protecting my data.

    Not really, no. You can give feedback all you want, but they should not be legally required to look into it. If there's an actual flaw that can be pointed out, they'll fix it on their own.
  • Reply 83 of 125
    stromosstromos Posts: 16member

    Quote:

    Originally Posted by Tallest Skil View Post

    Shut up with the FUD, please.

    "I think there is a flaw in your security."
    "Okay, we'll test it."
    *spends $10,000 to test it*
    *next day*
    "I think there is a flaw in your security."
    "Okay, we'll test it."
    *spends $10,000 to test it*
    *next day*
    "I think there is a flaw in your security."
    "Okay, we'll test it."
    *spends $10,000 to test it*
    *next day*

    Not really, no. You can give feedback all you want, but they should not be legally required to look into it. If there's an actual flaw that can be pointed out, they'll fix it on their own.

    You must be one of those people that when a company compromises data you protect the company.

  • Reply 84 of 125

    Quote:

    Originally Posted by Gazoobee View Post

    I thought Apple was pretty clear that no "user" personal information was taken, but that the names, addresses, and personal email of the developers was taken.

    I think this guy is highly suspicious anyway. Either that or he may have nothing to do with it and it's just a coincidence.

    The things that seem clear to me about him:

    - he's an egomaniac (the video, the attitude etc.)
    - he deliberately exposed personal information in the video, while saying that he would never disclose personal information.

    Also, a lot of developers were posting that their emails had experienced multiple password reset attempts over the last few days.

    Therefore, either:

    - he was trying to reset people's passwords and thus lying about his "white hat"
    - he was lying about not passing the information on to someone else
    - there is a third party that just happened to do the same trick within the same time period (unlikely)

    If I was Apple, even if this guy was saying he was a white hat, the fact that I was getting reports of password reset attempts would make me do exactly the same thing that they ultimately did. Even if they believed the guy and even if they weren't getting password reset attempts, they should still have shut down the system as they did, but perhaps not used the language they did. So at the end of the day if Apple is "wrong" it's only in the language they used to describe the guy.

    It seems far more likely to me that they aren't wrong though and did the only thing they could/should do.

    Yeah, I got a reset password email this morning. I thought it was just some phishing message, but I think it was real. I didn't click the link, but went to Apple.com and did change my password--just in case. Then I saw this story, so then it all came together. No, this "whitehat" is a douche who got caught and now he's backpedaling, trying to avoid jail.

  • Reply 85 of 125
    ukjbukjb Posts: 19member

    Quote:

    Originally Posted by Tallest Skil View Post

    Shut up with the FUD, please.

    "I think there is a flaw in your security."
    "Okay, we'll test it."
    *spends $10,000 to test it*
    *next day*
    "I think there is a flaw in your security."
    "Okay, we'll test it."
    *spends $10,000 to test it*
    *next day*
    "I think there is a flaw in your security."
    "Okay, we'll test it."
    *spends $10,000 to test it*
    *next day*

    Not really, no. You can give feedback all you want, but they should not be legally required to look into it. If there's an actual flaw that can be pointed out, they'll fix it on their own.

    All you did was answer the very first two words of my response... you in no way addressed my entire post. Taking two words out of context from someone's response is utterly useless.

  • Reply 86 of 125
    kdarlingkdarling Posts: 1,640member

    Quote:

    Originally Posted by Tallest Skil View Post

    Not really, no. You can give feedback all you want, but they should not be legally required to look into it. If there's an actual flaw that can be pointed out, they'll fix it on their own.

    True, it's already in a corporation's best interests to take feedback seriously.

    If you reported a data leak that could be fixed, and later on someone was damaged by such a leak, the information holder could be liable.

    (Depends on the damage. Recently, a class action lawsuit against LinkedIn, for an info breach of millions of passwords, was thrown out because there was no proof of actual id theft as a result.)

  • Reply 87 of 125
    ukjbukjb Posts: 19member

    Quote:

    Originally Posted by KDarling View Post

    If you reported a data leak that could be fixed, and later on someone was damaged by such a leak, the information holder could be liable.

    You can only be held liable if you describe how to access the data leak, i.e. how you broke in. Just stating that there is an information leak does not make you liable.

  • Reply 88 of 125
    tallest skiltallest skil Posts: 43,388member
    stromos wrote: »
    You must be one of those people that when a company compromises data you protect the company.

    Do you have any sort of rebuttal to any of the points I've made? Or would you just like clarification thereon?

    Apple has a responsibility to our data. There is no reason for any company to be legally forced to waste money responding to any Tom, Dick, or Harry who thinks there's a flaw in security. Apple already has a venue for reporting flaws in security, and if the flaw is outlined properly (and exists), they will take steps to manage it on their own.
  • Reply 89 of 125
    Actual "Security Researchers" contract their services to a company in advance. They do not hack a site and THEN tell the company. Nice try, bozo.
  • Reply 90 of 125
    ukjbukjb Posts: 19member

    Quote:

    Originally Posted by Tallest Skil View Post

    Apple already has a venue for reporting flaws in security, and if the flaw is outlined properly (and exists), they will take steps to manage it on their own.

    According to Balic, he said he followed the instructions on how to properly outline and identify the flaws in security and Apple vilified him, claiming he is a hacker and all. Remember, the video came out after Apple's statements, after he followed the appropriate steps, after he found the flaws. He did everything right up until Apple's response to his actions.

  • Reply 91 of 125
    "He did everything right up until Apple's response to his actions."

    Everything except contract with them to test their security. Legitimate security researchers do not hack and then claim hero status after the fact.
  • Reply 92 of 125
    bwikbwik Posts: 565member
    There are only 2 options:

    (1) Good guy finds vulnerability

    (2) Bad guy finds vulnerability

    Those who attack guy #1 are ensuring that guy #2 will win the day + get your info, and victimize you.

  • Reply 93 of 125
    ukjbukjb Posts: 19member

    Quote:

    Originally Posted by mscientist View Post

    "He did everything right up until Apple's response to his actions."

    Everything except contract with them to test their security. Legitimate security researchers do not hack and then claim hero status after the fact.

    Whoever said he was acting in a security researcher status? He was just tinkering and found the leak using his own credentials and explored a bit further and noticed it was database-wide. That could have happened to any of us. All this situation says to me is that if I EVER find a flaw in a system, to keep my mouth shut. Because if I tell Apple or whoever the leak is coming from, there is a chance that not only the company will vilify me, but hundreds or thousands of people on the internet that don't know anything about the situation... i.e. most of the people I've talked to today.

  • Reply 94 of 125
    goodgriefgoodgrief Posts: 137member

    Quote:

    Originally Posted by ukjb View Post

    That is not a very fair analogy.

    Think of it this way.

    You put all your money into a bank. You don't know it, but that bank isn't very secure.

    Not as the bank, but as the customer of that bank (very important whose perspective you view this from), which scenario would you prefer to take place?

    a) Someone breaks into the bank's vault and takes all your money. He leaves with all your money and vacations in the tropics. The bank can't do anything about it because in this hypothetical situation, the bank does not have insurance (Apple can't offer you insurance if your credentials are lost or stolen, so not a bad analogy).

    b) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and secretly tells the bank how he did it. The bank covers it up and underplays the effects of the break-in because they don't want any more break-in attempts, don't want to lose your business, don't want the media attention involved, AND (the biggie) since everything was swept under the rug, can take their time replacing the old unsafe system with a better, more secure system. All of which help make scenario (a) more of a possibility.

    c) A security analyst breaks into the bank and steals $5 to prove that he was in fact there and tells the world of his feats. The bank is forced to come to terms with their lack of security and they are forced to shore up their shortcomings asap or risk more break-ins.

    Why is that not a perfectly apt analogy? Someone engaged in activities using resources or facilities they had no authority to. In the process they deprived someone of their property, and/or exercised control over information that had some form of value to the rightful owner which was diminished by the accessing.

    Bear in mind, the theft of money or goods is a discrete event, but misappropriation of private information that can be used for ongoing harm to personal, professional or financial interests is in a whole other scope entirely. Also, stealing from a bank with a weak lock is no more legal than stealing from a bank with a strong one - even if it's just some of the money in the vault you steal.

    You're biasing the presentation of your scenarios with an interesting choice of wording. Scenario 'A' is just involving "someone" doing the deed, but scenarios 'B' and 'C' feature "security analysts". What qualifies them as such? Is it just the mere fact that they want to be labeled thus? If the bank, or some other authorized body, isn't making the request for these attempts, then they ['security analysts'] are just out to exercise their will and impose their sense of morality/justice/whatever on the banks and their customers - or maybe they're simply out for the attention. Regardless, they're not acting in a professional, moral or legal capacity any more than the 'evil' person in scenario 'A'.

    In all three of your scenarios, theft has occurred - someone in each of these has been illicitly deprived of some measure of their money. So all three scenarios involve theft (even if it's only 'a little' theft in the latter two), and none of those scenarios are actually desirable at all. The only difference is in the scope or magnitude of the theft.

    For the first scenario we have straight theft. Not much to say there. Obviously we don't want that. That's why many organizations regularly perform security audits and even hire professionals to stage attempts to pick their locks.

    Let's explore the other hypotheticals though.

    In the second scenario, we have theft (albeit a smaller one), and the bank now knows about it … but wait, maybe the bank already knew about it, was in the process of developing and deploying a solution, but it hadn't been completed yet. The 'analyst' may have known this if they'd been authorized to make the attempt, but they weren't; they just decided to satisfy their own desire to "see how deep they could go". Now the self-righteous 'analyst' is peeved that the bank isn't making a public show of it and giving them their attention (because frankly it would disrupt business to do so, and they're already working on it, and they don't want to open themselves up to more headaches). Since we've already established that the 'analyst' is more interested in pursuing what <they> decide is the best/right/moral/whatever course of action, the peeved 'analyst' then invariably jumps into the third scenario and they publicize the weakness in the bank's locks. Now not only do skilled professionals in the lock-picking industry know of the weakness (the ones who already knew about the weakness, by the way), but amateur lock-picks and every nit-wit with access to YouTube thinks the bank is ripe for easy picking. The bank is inundated with theft attempts, most of which are failed, as they're executed by people without the requisite skill to successfully do so, but they're time-consuming to deal with nonetheless. However, the bank now has to spend additional time and resources dealing with both the negative publicity as well as the extra security load - making it even harder and more expensive to implement the upgrades to the locks.

    But really, I like scenario "D" - Some putz stumbles across a broken lock, wanders into the vault, pockets as much cash as they can carry and then runs. The bank realizes there's an irregularity, performs an internal audit (which may have taken several days), then when they're satisfied they understand what happened, even if they don't yet know the exact details of how, they notify their customers of a breach. The would-be thief catches wind of this and tries to cover his ass by posting a YouTube video claiming he was just trying to let the bank know there was a potential problem by stealing that money. In the meantime, he's spent at least some of the stolen money (or disseminated some of the private information - something that can't be undone, like spending the cash), but still claiming that he's really not a bad guy at all and was doing it all for altruistic purposes. … Sound familiar?

  • Reply 95 of 125
    goodgriefgoodgrief Posts: 137member

    Quote:

    Originally Posted by ukjb View Post

    Whoever said he was acting in a security researcher status? He was just tinkering and found the leak using his own credentials and explored a bit further and noticed it was database-wide. That could have happened to any of us. All this situation says to me is that if I EVER find a flaw in a system, to keep my mouth shut. Because if I tell Apple or whoever the leak is coming from, there is a chance that not only the company will vilify me, but hundreds or thousands of people on the internet that don't know anything about the situation... i.e. most of the people I've talked to today.

    He did. He said as much. He claimed "I am not a hacker, I do security research". He explicitly claims he was doing penetration testing. He claims he was seeing "just how deep he could go". He didn't just stumble across something, he deliberately went hunting for vulnerabilities. There is no legitimate "security researcher status". You're either working on a system with authorization to do so, or you're not. You can't claim you're "doing research" as a legitimate defense against engaging in unauthorized activity.

    Let's ignore all that, though, and assume he was just "tinkering"; that in and of itself constitutes an illicit access - he wasn't authorized to be "tinkering", only to be using the systems in the prescribed manner. But let's ignore that too; let's suppose he just, by mere happenstance, stumbled on what he considered a problem. Instead of stopping at that point, you claim he took it upon himself to deliberately explore it further, to satisfy his own desire or agenda, not at the request of Apple - yet another instance of an unauthorized access. So yes, it "could have happened to any of us" ... if any of us went hunting for problems in places we were not supposed to be.

    What happened was that this person made a deliberate choice to engage in his "security research" and he didn't have a right to. There was no accident here; it was his choice to probe the system. It's not vilification. There's no slander involved. He even admits it. Besides, Apple didn't call him out - <he> made a public statement. Apple just said that "...an intruder attempted to secure personal information of our registered developers from our developer website."

  • Reply 96 of 125
    So let's see: HE TOOK THE DATA. And folks who didn't get phishing emails before from those Apple ids are now getting them.

    I know what *I* would do with this 'security researcher'.... hint: NOT give him a job.
  • Reply 97 of 125
    magic_almagic_al Posts: 325member
    It's not necessary to put a black or white label on this guy. He did this the wrong way, so therefore he should be treated the same as a malicious criminal? No. There are shades of gray. He may be a non-malicious hacker, and he found a real flaw that a malicious hacker could have exploited, which is now being fixed. Apparently, a positive outcome.

    I'm not in the make-an-example-of-him crowd, because I can think of a lot of worse people and organizations that need prosecuting and they're all more powerful and dangerous than this guy.
  • Reply 98 of 125
    goodgriefgoodgrief Posts: 137member

    Quote:

    Originally Posted by Magic_Al View Post

    It's not necessary to put a black or white label on this guy. He did this the wrong way, so therefore he should be treated the same as a malicious criminal? No. There are shades of gray. He may be a non-malicious hacker, and he found a real flaw that a malicious hacker could have exploited, which is now being fixed. Apparently, a positive outcome.

    I'm not in the make-an-example-of-him crowd, because I can think of a lot of worse people and organizations that need prosecuting and they're all more powerful and dangerous than this guy.

    For me, it's not about malice, it's about ignorance. By indulging in his own agenda (whether altruistic or not) without authorization, and without knowing what the results would be, he opens up the door for all manner of potentially damaging side-effects (not the least of which has already surfaced, in the form of the registered Apple developer phishing attempts). This doesn't affect just him. At the very least it affects both Apple, and every single developer registered with Apple (of which I am one). He made a decision that affects all of us, and he didn't ask us if the potential benefits outweigh the costs.

  • Reply 99 of 125
    ulfoafulfoaf Posts: 175member
    If he did report it, his intentions were probably not bad, although accessing a computer with permission is a crime in the US. Posting on YouTube was a big mistake and makes some form of prosecution more likely.

    I doubt he had criminal intent, but definitely had poor judgement.
  • Reply 100 of 125
    SpamSandwichSpamSandwich Posts: 33,407member
    eriamjh wrote: »
    One cannot rob a bank to expose weaknesses, return the money, and claim one intended no harm.  A crime is a crime.  I'm not saying what this researcher did actually broke any laws, but unauthorized access to a computer system is illegal in a lot of places.

    Apple is horrible at responding to weakness emails.  They seem to only fix bugs when they are already exploited.  This guy is like Snowden, in a way.

    That's an absurd comparison. Apple is not the federal government.