Linked by Thom Holwerda on Tue 28th Jun 2011 22:16 UTC
With all the news about Anonymous, LulzSec, Anti-Sec, and so on, you'd almost forget there are more ethical hacking groups out there as well. One such group, YGN Ethical Hacker Group, informed Apple of several weaknesses in its developer website on April 25. Apple acknowledged the flaws, but so far hasn't done anything about them. YGN Ethical Hacker Group has now stated they will fully disclose the vulnerabilities if Apple doesn't fix them in the coming few days.
Thread beginning with comment 478986
Responsible?
by ourcomputerbloke on Tue 28th Jun 2011 23:28 UTC
ourcomputerbloke Member since:
2011-05-12

ETHICAL Hacker Group ... will fully disclose the vulnerabilities if Apple doesn't fix them in the coming few days


I find this a very responsible way of dealing with hacking


Not sure that I can see how this is responsible, or ethical.

Scenario: You discover that your local bank has a dodgy lock on their front door and you tell them about it but they don't fix it within your allowed timeframe. Do you then run an ad in the national newspaper effectively telling all the crooks who they can burgle and how to do it?

Edited 2011-06-28 23:29 UTC

Reply Score: 2

RE: Responsible?
by pantheraleo on Tue 28th Jun 2011 23:33 in reply to "Responsible?"
pantheraleo Member since:
2007-03-07

Do you then run an ad in the national newspaper effectively telling all the crooks who they can burgle and how to do it?


Yes? At least that's what I would do. If they won't fix a security concern, I will widely publicize it to force them to fix it.

Edited 2011-06-28 23:33 UTC

Reply Parent Score: 3

RE[2]: Responsible?
by ourcomputerbloke on Tue 28th Jun 2011 23:38 in reply to "RE: Responsible?"
ourcomputerbloke Member since:
2011-05-12

Yes? At least that's what I would do. If they won't fix a security concern, I will widely publicize it to force them to fix it.


And if they were burgled would you accept that you are an accessory to the crime? I'm no lawyer but I suspect that's the way it would be viewed...

Edited 2011-06-28 23:39 UTC

Reply Parent Score: 1

RE: Responsible?
by Thom_Holwerda on Tue 28th Jun 2011 23:35 in reply to "Responsible?"
Thom_Holwerda Member since:
2005-06-29

Do you then run an ad in the national newspaper effectively telling all the crooks who they can burgle and how to do it?


...to inform the public that their money is not safe, so they can transfer it somewhere else, somewhere safe. If my bank has unsafe locks and is unwilling to do something about it, I'd rather know about it so I can secure my money.

Reply Parent Score: 2

RE[2]: Responsible?
by MOS6510 on Wed 29th Jun 2011 10:30 in reply to "RE: Responsible?"
MOS6510 Member since:
2011-05-12

You do realize your money isn't actually stored in a large vault at your local bank?

If every customer of your bank came to collect their money there wouldn't be enough, far from it.

Reply Parent Score: 2

RE: Responsible?
by Bill Shooter of Bul on Wed 29th Jun 2011 05:55 in reply to "Responsible?"
Bill Shooter of Bul Member since:
2006-07-14

A thousand times: YES. Time and time again, companies have shown they will not fix security issues unless they are disclosed or threatened to be exposed. Security researchers are not the only ones that look for exploits. In fact most exploits are found after they have been exploited (without any public disclosure by a security researcher). The public disclosure ensures that all stakeholders have a better idea of the risks and can make better business decisions based on that; i.e. rewarding companies with good security and punishing those without good security.

I know I've posted this a few times here already, but since the same conversation keeps coming up here it is again:

http://www.schneier.com/blog/archives/2007/01/debating_full_d.html

Edited 2011-06-29 05:57 UTC

Reply Parent Score: 3

RE: Responsible? - responsible disclosure
by jabbotts on Wed 29th Jun 2011 16:01 in reply to "Responsible?"
jabbotts Member since:
2007-09-06

Apple has known since April 25th. People with criminal intent probably found this on their own and already know about it too. Apple's customers are the last to find out about it and they are the ones who suffer as a result of any criminals exploiting these issues.

The group discovered problems without breaking laws.
The group disclosed vulnerabilities to Apple directly so they could address them.
The group disclosing those vulnerabilities to the public after the grace period given to Apple allows the public to mitigate the risks or at least accept them with informed consent until Apple fixes the problems.

It is indeed ethical. Unethical would have been exploiting the vulnerabilities for criminal gain, not reporting them to Apple, and not reporting them to the public when Apple failed to address them for the responsible protection of its customers.

Look at it this way. I build a tree-house for my kids. Someone sees that parts are coming loose; kids could fall through the floor or be hit by falling parts. They report it to me: "When I picked Jimmy up after the play date the other day, I noticed that the old tree-house needs some work."

Two months later I've done nothing to address the risk of injury. "Look, I'm not comfortable with Jimmy visiting to play with your kids if they are going to be in or around that tree-house."

I still do nothing so they start telling friends who also have kids that come over to play with my kids.

One might call this responsible parenting versus allowing children to get hurt by ignoring these known problems.


The real problem is that companies like Apple have more motivation to avoid the expense of fixing the "tree-house". It often takes public disclosure and proof of concept documentation to convince such companies that there is indeed risk of their customers being hurt when they come over to play. At minimum, customers can be aware of possible injury and take steps to protect themselves.

Reply Parent Score: 3