Researcher admits to hacking Apple's developer site, says he meant no 'harm or damage'

Comments

  • Reply 101 of 125
    SpamSandwich Posts: 33,407 member
    ulfoaf wrote: »
    If he did report it, his intentions were probably not bad, although accessing a computer with permission is a crime in the US. Posting on YouTube was a big mistake and makes some form of prosecution more likely.

    I doubt he had criminal intent, but definitely had poor judgement.

    Regardless, the penalties for this kind of crime have been drastically increased. He may end up in federal prison for a long, long time.
  • Reply 102 of 125
    drblank Posts: 3,385 member

    Quote:
    Originally Posted by SpamSandwich
    That's an absurd comparison. Apple is not the federal government.

    But they have more cash than the Feds....

  • Reply 103 of 125
    kdarling Posts: 1,640 member

    Quote:
    Originally Posted by GoodGrief
    For me, it's not about malice, it's about ignorance. By indulging in his own agenda (whether altruistic or not) without authorization, and without knowing what the results would be, he opens up the door for all manner of potentially damaging side-effects (not the least of which has already surfaced, in the form of the registered Apple developer phishing attempts).

    Why are you blaming the phishing attacks on him? He said he hadn't shared any info with anyone else.

    Quote:
    This doesn't affect just him. At the very least it affects both Apple, and every single developer registered with Apple (of which I am one). He made a decision that affects all of us, and he didn't ask us if the potential benefits outweigh the costs.

    He officially reported some data leaks to Apple via his developer account.

    Everything that happened to the website after that was Apple's doing.

  • Reply 104 of 125
    goodgrief Posts: 137 member

    Quote:
    Originally Posted by KDarling
    Why are you blaming the phishing attacks on him? He said he hadn't shared any info with anyone else.

    First off, his word on that isn't really worth a damn, since we already know he went and published some of the names. You may be willing to take his word on that, but many of us won't - and for good reason. As for the phishing attempts, if I were a betting man, I'd wager there are probably opportunist third parties exploiting the heightened awareness of a security hole (which wouldn't be as much the case if he hadn't gone public), hoping for someone to be careless and slip up. Also, there's no reason to believe that he isn't responsible for at least some of them, given that:

    A) He claims he harvested over 100,000 sets of account data. Unnecessary, a single record he wasn't supposed to have access to would've been a sufficient proof-of-concept, and the 73 records he claims were Apple employees' were certainly more than enough, so the extra 100K had to have some purpose.

    B) He also claims he was deliberately probing to see "how deep he could go". It actually follows that he would be trying to engineer the passwords from any end-users he had data for, so he could "go deeper" into the systems that weren't compromised.

    Quote:
    Originally Posted by KDarling
    He officially reported some data leaks to Apple via his developer account.

    Everything that happened to the website after that was Apple's doing.

    Again, all I have on that is <his> word on whether it was reported to Apple. Apple's statement is that "...an intruder attempted to secure personal information of our registered developers from our developer website.". There's no mention of anything along the lines of "we were notified of a potential security breach". I may have little reason to take the statements of a PR department from <any> company at face value, but I have absolutely <zero> reason to believe this person - especially when he's claiming responsibility for deliberately putting my personal information at risk. From what I see (reading between the lines, as it were), this is someone caught with his hand in the cookie jar trying to do damage control (albeit in a really dumb way).

    What happened to the developer portal after this? As far as I know, it was taken offline to guarantee no additional compromises occurred. That likely wouldn't have happened if this individual hadn't taken the actions he did. Given Apple's historical behavior, if he had simply quietly notified them, they would've done a slow and considered rollout of a fix when it would least affect the uptime of the services that developers are relying on for their business. So are you serious with the assertion that it's "Apple's doing"? Since everyone else is on the analogy train, I'll hop on too:

    That's like saying it's a victim's fault for bleeding all over the floor when someone else shot them. What happened was a reaction to an attack.

  • Reply 105 of 125
    hentaiboy Posts: 1,252 member

    Quote:
    Originally Posted by Tallest Skil
    Did you miss the part where Apple wasn't actually hacked?

    That's right TS. It was just security research.

  • Reply 106 of 125
    itommyg Posts: 1 member
    Lame. All I can say is lame.
  • Reply 107 of 125
    kdarling Posts: 1,640 member

    Quote:
    Originally Posted by GoodGrief
    Again, all I have on that is <his> word on whether it was reported to Apple.

    It was.

    A list of his bug reports... including this one, #14488816, have already been pasted on the internet.

    Quote:
    Apple's statement is that "...an intruder attempted to secure personal information of our registered developers from our developer website.". There's no mention of anything along the lines of "we were notified of a potential security breach".

    Exactly. If his vulnerability report(s) were the cause of the website shutdown, then Apple should've simply said that they were made aware of a problem.

    Instead, they said "intruder". So either a) he wasn't the cause at all, or b) he was and Apple scared him for no good reason, or c) after his report they looked at the logs and discovered that someone else had also found the bug and downloaded data.

  • Reply 108 of 125
    curtis hannah Posts: 1,833 member
    If he were an actual researcher on this, he would have:
    1) asked Apple if he could, notifying them of the test
    2) done what he did as a test breach as directed by Apple
    3) given information to Apple about it, not announced the info online about it
    4) had no proof of the info as of now.
  • Reply 109 of 125
    palegolas Posts: 1,361 member
    charlituna wrote: »
    When they use the term 'sensitive' they refer to information someone can't easily get by another means
    People give out their email addresses all the time. Unlike say your password, credit card info etc

    Such as if you're a cat person or a dog person.
  • Reply 110 of 125
    goodgrief Posts: 137 member

    Quote:
    Originally Posted by KDarling
    It was.

    A list of his bug reports... including this one, #14488816, have already been pasted on the internet.

    Exactly. If his vulnerability report(s) were the cause of the website shutdown, then Apple should've simply said that they were made aware of a problem.

    Instead, they said "intruder". So either a) he wasn't the cause at all, or b) he was and Apple scared him for no good reason, or c) after his report they looked at the logs and discovered that someone else had also found the bug and downloaded data.

    Again, this is on <his> word. As far as I know, this list is one <he> published, which shows nothing even remotely close to proof. Give me 10 minutes and I can whip up some markup to mimic the bug reporter page with some fanciful bugs and take a screenshot - that doesn't make it legit. The Apple dev bugbase won't let me search bugs submitted by another developer - only bugs I've submitted. Maybe I'm unique in my access rights there, but this means I still have no reason to trust his word.

    Exactly, they said "intruder", which in the absence of any other information, means they <detected> the breach, not that they were notified of a vulnerability through proper or expected channels. According to his own statements, it was a grand total of 4 (four) hours between his attack and him supposedly submitting a bug report (which would be one of thousands submitted on any given day), and the time the portal was shut down. That jibes with the scenario where Apple detected the attack, not a response to a bug report, which one can't reasonably expect to have been even seen by anyone at Apple in that timeframe, much less verified.

    So:

    a) Is irrelevant, as he's made the claim that he <did> illicitly obtain over 100,000 user records he had no right to take. It's possible he wasn't the <only> cause, but the unauthorized access of 100,000+ user records was most certainly a contributing factor. Apple never singled him out as the attacker that prompted the shutdown, he made the assertion that he believed it was him. However, given what little information we do have - from this person - the timeline makes it a logical conclusion to draw that it was in fact his attack that was what prompted the shutdown. Although even if it wasn't, that's still meaningless in the context of my previous posts, as he does admit he engaged in the activity that had the potential for damaging effects for all of Apple's developers, as well as Apple, and he did it without right or authority. That is my major gripe with this situation. I can't access the dev portal for device provisioning as a result of this shutdown - that negatively impacts <my> business.

    b) Is nonsense. Apple didn't do anything to him (that we know of). All Apple did was to lock down the site in response to an unknown security breach in order to prevent further unauthorized access - a reasonable and prudent measure. According to his own statements, he got scared when the portal was shut down and Apple notified developers of a breach, and he believed he was responsible. He admits he knew his actions would put him in potential legal trouble, and he posted the statements and video to try to mitigate the problem before it blew up in his face (too much). Apple had nothing to do with him being "scared". That was his own irresponsible behavior. That said, and this is just opinion, I don't believe being scared prompted his response, I believe his public statements were for the sole purpose of garnering attention for himself.

    c) Does nothing to mitigate his responsibility for his actions, as (once again) he <admitted> he took [copied] over 100,000 user records to which he had no legitimate claim. It's still possible someone else made a concurrent attack and breached the system, but we're talking about this character and his actions which he lays claim to.

  • Reply 111 of 125
    SpamSandwich Posts: 33,407 member
    goodgrief wrote: »
    He did. He said as much. He claimed "I am not a hacker, I do security research". He explicitly claims he was doing penetration testing. He claims he was seeing "just how deep he could go". He didn't just stumble across something, he deliberately went hunting for vulnerabilities. There is no legitimate "security researcher status". You're either working on a system with authorization to do so, or you're not. You can't claim you're "doing research" as a legitimate defense against engaging in unauthorized activity.

    Let's ignore all that though and assume he was just "tinkering", that in and of itself constitutes an illicit access - he wasn't authorized to be "tinkering", only to be using the systems in the prescribed manner. But let's ignore that too, let's suppose he just, by mere happenstance, stumbled on what he considered a problem, instead of stopping at that point, you claim he took it upon himself to deliberately explore it further, to satisfy his own desire or agenda, not at the request of Apple, yet another instance of an unauthorized access. So yes, it "could have happened to any of us" ... if any of us went hunting for problems in places we were not supposed to be.

    What happened was that this person made a deliberate choice to engage in his "security research" and he didn't have a right to. There was no accident here, it was his choice to probe the system. It's not vilification. There's no slander involved. He even admits it. Besides, Apple didn't call him out - <he> made a public statement, Apple just said that "...an intruder attempted to secure personal information of our registered developers from our developer website.".

    He compromised their system illegally and cost them and developers real money and time as a result. I guarantee he won't be receiving the Medal of Honor.
  • Reply 112 of 125
    rols Posts: 68 member

    Quote:
    Also, a lot of developers were posting that their emails had experienced multiple password reset attempts over the last few days.

    Therefore, either:

    - he was trying to reset people's passwords and thus lying about his "white hat"
    - he was lying about not passing the information on to someone else
    - there is a third party that just happened to do the same trick within the same time period (unlikely)

    Or random password resets from people who've forgotten their username, have your email address and are trying to get your Apple ID are actually very common and it is just that the suggestion this might be related to the shutdown caused developers who normally delete them to start discussing it in case it's related. If that happens you suddenly 'see' a pattern which was always there but never discussed. I must get a couple a month, normally when I get one I get three or four at the same time (possibly because the idiot who really has forgotten his username keeps wondering why his reset mail never comes and keeps trying, possibly because my email is on another hack list and they try 'em all a few times.).

    Not saying he wasn't lying, not saying he didn't distribute the info and I sure wish, having reported this to Apple, he'd sat on his hands for more than a few days so they could read his bug report and address it before launching in to make a name for himself. Good that the vulnerability is being fixed, would have preferred it if Apple had been able to fix it quietly without having all their devs offline for coming close to a week.

  • Reply 113 of 125
    crowley Posts: 10,453 member

    Quote:
    Originally Posted by SpamSandwich
    He compromised their system illegally and cost them and developers real money and time as a result.

    He didn't bring down the site, Apple withdrew it because they became aware of a vulnerability. Apple are responsible for developers and their own loss of money and time.

  • Reply 114 of 125
    goodgrief Posts: 137 member

    Quote:
    Originally Posted by Crowley
    He didn't bring down the site, Apple withdrew it because they became aware of a vulnerability. Apple are responsible for developers and their own loss of money and time.

    That's ridiculous on the face of it. Nobody said he brought down the site, rather that his illegal breach of Apple's private servers necessitated the lockdown response by Apple, in order to prevent any additional compromises. His actions directly contributed to the current state of affairs. The response was a necessary reaction to his unnecessary (and unauthorized) choice to act.

  • Reply 115 of 125
    oscarg Posts: 22 member

    "the phishing emails are timed too well not to be connected"

    What?

  • Reply 116 of 125
    ijoyner Posts: 135 member

    Quote:
    Originally Posted by GTR
    Sue him.

    No ifs, ands, or buts.

    Yeah right, put a load of money in the pockets of overpaid lawyers, probably a lot more than any damage this guy has done. Either way you lose, but you stand to lose a lot more in the legal system.

  • Reply 117 of 125
    kdarling Posts: 1,640 member

    Quote:
    Originally Posted by GoodGrief
    That's ridiculous on the face of it. Nobody said he brought down the site, rather that his illegal breach of Apple's private servers necessitated the lockdown response by Apple, in order to prevent any additional compromises. His actions directly contributed to the current state of affairs. The response was a necessary reaction to his unnecessary (and unauthorized) choice to act.

    The response was a necessary reaction to a large vulnerability, no matter who found it first.

    However, better that it happened with someone like him, rather than someone who would've downloaded and sold millions of records to spammers and phishers.

    Of course, this all assumes that it was his actions that triggered Apple's response.

  • Reply 118 of 125
    crowley Posts: 10,453 member

    Quote:
    Originally Posted by GoodGrief
    That's ridiculous on the face of it. Nobody said he brought down the site, rather that his illegal breach of Apple's private servers necessitated the lockdown response by Apple, in order to prevent any additional compromises. His actions directly contributed to the current state of affairs. The response was a necessary reaction to his unnecessary (and unauthorized) choice to act.

    Unnecessary to point out that the door was open? If my neighbour knocked to point that out to me I'd thank them, rather than shout at them for pointing it out. And it's my fault for leaving it open in the first place. If my business, or my partners' business suffers because I left it open then that's my fault, not the neighbour's.

    Absurd apologism.

  • Reply 119 of 125
    goodgrief Posts: 137 member

    Quote:
    Originally Posted by Crowley
    He didn't bring down the site, Apple withdrew it because they became aware of a vulnerability. Apple are responsible for developers and their own loss of money and time.

    Quote:
    Originally Posted by Crowley
    Unnecessary to point out that the door was open? If my neighbour knocked to point that out to me I'd thank them, rather than shout at them for pointing it out. And it's my fault for leaving it open in the first place. If my business, or my partners' business suffers because I left it open then that's my fault, not the neighbour's.

    Absurd apologism.

    Ok, more bad analogies. I'll play too:

    It would be a more accurate analogy to say not that you left a door open, but rather you left one unlocked. Your neighbor didn't innocently notice anything just wandering by, they deliberately tried all the doors and windows in your house to see if any were unlocked. Finding one unlocked, they walked in and took a number of things, including some things belonging to a house-guest you happen to be hosting at the time. Your neighbor didn't point anything out to you, they left a tiny note under your doormat 'just to let you know how deep into your house they could go'. Mind you, you didn't even see the note (why would you be checking under your doormat when you just found you'd been robbed). You didn't yell at your neighbor, you didn't even know who stole from you. You locked up the house and called the police - of course, now your guests can't get their things out, as the police have cordoned off your house to perform a forensic investigation.

    So now, whose fault do you think it is that your guest can't get their things? Yours for reacting in a responsible manner to an intrusion, or the neighbor who unlawfully entered your house and took things without your permission or knowledge?

    I'll say it again, blaming a victim for the results of the actions of a perpetrator's wrongdoing against them is unequivocally absurd.

  • Reply 120 of 125
    kdarling Posts: 1,640 member

    Analogies are not needed. The situation is simple.

    Apple promised to keep their customers' information secure. That inherently includes protecting info on their servers from unauthorized access of any kind, whether good or bad intentioned.

    Apple, like other companies before it, failed to do what they promised.

    The real victims are their customers.
