Linked by Thom Holwerda on Wed 20th Dec 2006 10:08 UTC
A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple's OS X or in Apple applications that run on top of it. The 'Month of Apple Bugs' project, currently slated to begin on Jan. 1, is being orchestrated in part by a security researcher who asked to be identified only by his online alias 'LMH'. This is the same researcher who in November ran the 'Month of Kernel Bugs' project. LMH's partner in this project is Kevin Finisterre, a researcher who has reported numerous bugs to Apple over the past few years. As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple Bugs, LMH said.
Thread beginning with comment 194612
Because they won't inform us either ...
by MacTO on Wed 20th Dec 2006 14:41 UTC
MacTO Member since:
2006-09-21

In the end, I don't believe the means justify the end. Why should innocent end users be potentially exposed to risks just because one individual feels the need to take an entire month to drag out releasing these problems, particularly when Apple are not being given prior notice?

I think that this is a useful exercise because it is a simulation of reality. Think of it this way: a hacker wouldn't think of informing users of a new exploit, and they would be causing harm. This group is simply illustrating that there are potential exploits in a dramatic way.

Why use a dramatic way to inform the public of these exploits? If this project does have a high profile in the media, and they had informed Apple beforehand and given Apple an opportunity to patch the software, Apple would end up releasing patches before the release and everyone would go through life saying, "look, no problem because Apple is fixing it promptly."

But that would be misleading because those patches take time to develop, even when they are receiving priority treatment because they are being actively profiled in the media. This way we can see how long it takes Apple to fix things when they are under the gun. We can only assume that fixes would take longer to come out when there is less pressure from projects such as this one.

In other words, by doing things in this way we get a more accurate and first hand impression of how secure Mac OS X really is.

Reply Score: 5

flanque Member since:
2005-12-15

I think this is a flawed method because the very people who are meant to be somehow protected by giving Apple a 'dramatic' demonstration so they move quicker are the very people who will suffer.

As for pressure, I'll agree that pressure may cause a vendor to move quicker, but in this instance they have no choice but to sit back and wait to see what's released publicly.

If one is really set on releasing the exploit publicly if Apple chooses not to act, then a more appropriate method in my mind would be to give Apple all the technical information as well as a month to correct a flaw, making sure they're aware of the deadline. That way there's pressure, sufficient prior notice and known consequences.

In my view, however, one cannot be serious about protecting a user's security on a platform if they're prepared to allow a vulnerability to go freely into the hands of the very people who will exploit it.

Reply Parent Score: 3

ddpbsd Member since:
2006-04-29

It's a little short-term pain for the long-term benefits.

How do you know these vulnerabilities are new? Stuff gets "rediscovered" all the time. Look at the MoBB stuff. HD Moore said he got emails from hackers out there giving him shit for releasing to the public something they had been using to exploit systems.

Reply Parent Score: 2

flanque Member since:
2005-12-15

// How do you know these vulnerabilities are new? //

They're listed as undocumented.

Reply Parent Score: 2