A Turkish security bod calling himself Ibrahim Balic claims his bug reports to Apple sparked the shutdown of Cupertino's Developer Centre website. The iPhone giant pulled the plug on its online home for app programmers last Thursday fearing someone was attempting to hack into its databases. Now Balic has alleged he found 13 …
Business as usual...
"Shoot the messenger" is the usual tactic in security these days. We've seen how effective it is. Plus, it's been revealed that the NSA prefers to keep bugs to themselves in case they need to use them to collect all data. Maybe the hackers should take a lesson from them and keep mum about the bugs they find...
Re: Business as usual...
Maybe the hackers should take a lesson from them and keep mum about the bugs they find...
This would be one of the defining differences between a white hat and a black hat. Better practice for large software firms would be to post, in clear terms, what they consider legitimate security research activities and which they consider not. It also seems fair for them to post how much they are willing to pay for bugs. Google seems to have it right. I couldn't get to Apple's equivalent without registering and signing in, which is pretty much the same as their covering their ears and going "La la la la la."
It doesn't strike you as odd that the guy downloaded details on 100,000 users? What possible legitimate reason is there for this if he's purely a white hat as he claims? I think the 73 Apple employees was already overkill. I'd believe him if he only provided a couple of them. Apple has to take the worst case view that he may sell or have already sold the information he downloaded or how to do it to others.
If Apple tried to prosecute him without good evidence, that would qualify as 'shooting the messenger', but taking down the whole site to rebuild it from scratch after he tells them he 1) has working exploit(s) into their developer site and 2) downloaded details on 100,000 users just makes good sense.
Imagine the outcry if he was found to be acting nefariously but Apple had taken him at his word that he was a good guy, left the site up and slowly worked to close the holes over time, but someone grabbed all the developer details and they could have prevented it but tried to keep it all quiet? In the eyes of some, Apple can do no right, and no matter what their response was to this they'll find fault in their behaviour.
Re: 100,000 users
Even if the guy acted "in good faith", the mere fact he is stupid enough to admit he has this data in his hands now surely has turned a few heads. If the NSA, MI[5,6], KGB etc haven't visited him to make an offer he could not refuse, they will, soon.
The "best" of it for him is that he could "sell" the same data to everyone -- in exchange for his life, that is. Or... in addition to that.
One has to be extremely stupid to admit such things in public!
Indeed, this is the difference between the "white" and the "black" hats. The white hat guys just know when not to be dumb.
Step one is admitting there is a problem
It's far better to have someone openly report a problem to you than wait for someone with a different motivation to keep it a secret until the full extent of the exploit can be understood and used to cause maximum damage.
I expect however that Apple will be close-minded about this and take heavy legal action instead of sending a thank you and a free iPad. I now await Anon to kick back.
A locked door will only keep out an honest man.
Any corporation needs to be told about vulns on their systems. Apple just goes nuts whenever they see negative press, even if it makes their systems better after the fact. They have banned devs for posting them in the past. Complete and total idiocy. You gotta wonder if their board of directors enjoy having their heads in the sand like ostriches.
If he did what he said he did, then kudos to the guy.
What? Four hours to pull the plug.....!
Four seconds was too long, let alone four hours.
If one researcher found these vulns, how many others have in the past and just kept schtum until they needed a quiet unnoticed exploit?
Never mind shoot the messenger, I'd say any organisation in this position should "watch their feet" before shooting anything!
"Please press the submit button below to send the bug information to the attention of Apple staff." *
* - Note: submission of a bug report shall result in immediate and irrevocable removal of developer level credentials on our system. We know that's an inconvenience, but hey... We're Apple and we're perfect. So the info you are sending us, is obviously bogus and we can't have devs spreading negative rumours about us. You know how it is. One dev sends in a bug report, then another... Before you know it, we have lost sales and people might consider switching to another OS. Not that there ARE any other OS's, of course. We're just saying that it could happen at some point. We knew you'd understand. So, all the best. Thanks for buying that locked in Apple hardware and spending hours looking for errors and mistakes that really don't exist, but you're banned for life. Maybe a shiny new iPhone will make your day better. Hugs and Kisses. An Apple Genius **
** NOTE: Not an actual genius. Draconian opinions expressed in this message are not necessarily the opinion of Apple, its management, or Board of Directors. It is, but we just don't want the limited sales we have left to be affected. Toodles.
Whistle-blowing security vulnerabilities has to be handled carefully.
Some years ago, I discovered a nasty vulnerability that is present in almost all bank systems. I was developing a new system for my bank client.
Not being suicidal, I made an appointment with the bank's chairman, then I spoke to my lawyer, who arranged an appointment with the bank's principal (only) shareholder, so ended up spending half an hour with a head of state.
I notarised a statement about the weakness and then advised the head of security that there was a flaw in the systems and, to drive the point home, I would carry out a transaction on a certain date that would be reversed 24 hours later.
Because I had advised my client, my lawyer, my client's shareholder and security head and set out in a notarised statement what the weakness is and how I would demonstrate it, I did not get into trouble; quite the opposite, it kept me in work for many years.
You know, nobody was aware of this vulnerability until I demonstrated the problem, and many years later it still exists; it's simply too convenient. If anybody ever exploits it, it's just a cost of doing business.
The lesson is - cover your arse
...and of course, everyone believes it
Got to love how some potential nutjob says "I did it! It was me!" with no evidence whatsoever (handily, he has to keep that secret to avoid "blacklists" - where's my tinfoil hat?) and, perhaps because it's Apple, every commentard thus far appears to have just swallowed the story without question.
Thus, a stream of comments about how 4 hours is too long, how the messenger gets shot and so-forth - all on the basis of one guy, on the internet, making a claim without evidence.
Re: ...and of course, everyone believes it
Although with the YouTube video removed we can't check what was in it, so this is still not proof of anything, it's worth reading some of the replies to his tweet in which the video was linked.
From those comments, it appears he included some of the data he obtained in the video, which is why he subsequently removed it. Allegedly.
If you want to know
how they treat people who find security flaws, just ask 0xCharlie!
"An London based, Turkish researcher"...
Wow! Did they occupy London already? Or is the Kingdom an wilayah now.. or just an sanjak? :-)
Sorry, couldn't resist!
We should follow the example of the physicists
If you find a bug in the laws of the Universe you may start by contacting the Boss (that is, to pray).
However, you'll end up publishing your discovery in a scientific journal, anyway.
I saw the video. People's names were rolling past in the background in plain text in a terminal and he was opening files containing the purloined info and highlighting people's email addresses - no blurring or attempt to conceal the users' information. This guy is a complete idiot!
This guy is anything but a script kiddie in over his head. What White Hat in their right mind would go ahead and download 100,000 user details to prove a point - and then have the stupidity to show the list in the background on YouTube.
Frankly any "researcher" who applies this little thought to the possible ramifications of his actions doesn't deserve the name and shouldn't be messing with other people's systems.
"Whether Apple will choose to pursue legal action in this case remains to be seen."
Yep, Apple are so slow to run to lawyers that it is definitely open to debate.
This bloke is going to spend the next few years doing nothing but talk to lawyers and judges, all for doing the right thing (assuming he did it in the first place, which some people seem to doubt).
All fixed guys!
Yep, they fixed him good and proper. Expertise is where it matters, that being marketing. All the silence is the sign of success.
Now guys, has anyone got a Sky Hook?
A JimmysMiddleWicket tool might come in handy too.
"Apple is under new management now, but the possibility remains that it may want to make an example of him,"
Of course they will, Apple don't need another nail for the coffin!