Linked by Thom Holwerda on Mon 22nd Jul 2013 10:10 UTC
Apple "Apple revealed Sunday that its Developer Center suffered a lengthy outage this week following a security breach that may have compromised data, but a security researcher has provided evidence to suggest the shutdown was in response to his identification of a vulnerability." It's no secret that Apple's developer portals are a mix of outdated, crappy technologies, and it seems that this security researcher did good work by making that fact very, very clear for everyone. Would be nice of Apple to acknowledge his work, although as we all know, that's about as unlikely as Pluto blocking the sun, no matter how Apple claims it wants to be "open" about this disaster in its public statement.
Thread beginning with comment 567710
RE: Unfortunate course of action
by bouhko on Mon 22nd Jul 2013 12:45 UTC in reply to "Unfortunate course of action"
bouhko
Member since:
2010-06-24

It is not clear why he did this, he says it was to get Apple's attention but he had not contacted Apple about the bugs prior to the hack, he decided to hack first.

I don't know where you got this information, but he is claiming the contrary in this TechCrunch comment:
http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center...

Where he says:
I didn't attempt to get the datas first and report then, instead I have reported first.


His version is basically: "I reported bugs to Apple, they didn't answer my mails so I got pissed off and collected data".

Now, it is unclear how much time he gave Apple between the first report and his collection of user data in retaliation.

But it seems Apple f--ked up too. It's not really smart to ignore the emails of someone reporting vulnerabilities on your website.

I think we should wait for further clarification before jumping to conclusions about the good Apple being hacked by a bad guy.

Edited 2013-07-22 12:46 UTC

Reply Parent Score: 5

MOS6510 Member since:
2011-05-12

Being "pissed off" isn't justification to break the law, no matter what someone thinks of it.

It's not easy for us on the outside to judge how Apple was dealing with it until he got pissed off. If Apple verified those bugs and assumed it wouldn't go public or that the guy might get annoyed, it would seem a little naive considering past public cases.

Reply Parent Score: 3

bouhko Member since:
2010-06-24

Being "pissed off" isn't justification to break the law, no matter what someone thinks of it.

It's not easy for us on the outside to judge how Apple was dealing with it until he got pissed off. If Apple verified those bugs and assumed it wouldn't go public or that the guy might get annoyed, it would seem a little naive considering past public cases.

I agree. I was just pointing out that it seems he did in fact report before exploiting (which is the right thing to do).

Reply Parent Score: 4

Tony Swash Member since:
2009-08-22

Reading his comment, and taking into account the ambiguity caused by the guy obviously not writing in his mother tongue, it seems very unclear what the timetable is. If somebody finds a security loophole in a big complex system and reports it, how long is it acceptable before he goes public? A week? A month? Ever?

Is it ever justified to actually hack into a system and take confidential data even if it is intended as a way of bringing an issue to someone's attention?

I don't know the answers to those questions and the issues raised seem complex and not very clear cut. I think actually hacking a system and taking data in order to prove a point is probably mostly bad most of the time and expecting to be promptly publicly thanked by those whose system one had hacked is ridiculous.

I certainly think that sweeping statements like this are premature and simplistic.

It's no secret that Apple's developer portals are a mix of outdated, crappy technologies, and it seems that this security researcher did good work by making that fact very, very clear for everyone. Would be nice of Apple to acknowledge his work, although as we all know, that's about as unlikely as Pluto blocking the sun, no matter how Apple claims it wants to be "open" about this disaster in its public statement.

Reply Parent Score: 2

Laurence Member since:
2007-03-26

Sometimes organizations will leave known vulnerabilities in place even after they've been reported. So sometimes it takes the threat of going public -and even much worse- to actually get companies to take notice.

While I don't agree with taking such data - sometimes it's a lesser evil compared to that software going unpatched and open to genuine malicious intent. So while I don't agree with what he did, I can forgive him for doing it.

Reply Parent Score: 4

Laurence Member since:
2007-03-26


I don't know where you got this information, but he is claiming the contrary in this TechCrunch comment:
http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center...

Where he says:
"I didn't attempt to get the datas first and report then, instead I have reported first."

His version is basically: "I reported bugs to Apple, they didn't answer my mails so I got pissed off and collected data".

Now, it is unclear how much time he gave Apple between the first report and his collection of user data in retaliation.

But it seems Apple f--ked up too. It's not really smart to ignore the emails of someone reporting vulnerabilities on your website.

I think we should wait for further clarification before jumping to conclusions about the good Apple being hacked by a bad guy.

He wouldn't be the first security researcher to do so either. I've read a few times where people have gotten fed up with the lack of cooperation Apple gives when vulnerabilities are reported.

Edited 2013-07-22 15:19 UTC

Reply Parent Score: 2

Soulbender Member since:
2005-08-18

"I reported bugs to Apple, they didn't answer my mails so I got pissed off and collected data".


Doesn't matter, still a dumbass and unethical move. Doesn't matter if he waited days or weeks or whatever. There are proper ways of disclosing stuff without stealing data and if he doesn't know or doesn't care, well, that makes him either stupid or a bad guy.

It's not really smart to ignore the emails of someone reporting vulnerabilities on your website.


We don't know how long he waited and no matter how long, it doesn't give him the right to steal data.

the good Apple being hacked by a bad guy.


Good or not, there's little doubt that the hacker's a moron.

Edited 2013-07-22 16:35 UTC

Reply Parent Score: 4

manjabes Member since:
2005-08-27

Jesus H. F. Christ, listen to yourselves! Had it happened to Ballmersoft, Oracle, Sony or whatever the unquestioned "baddies" are, you'd be rooting for the guy, no excuses. But because poor little underdog Apple got pwned, excuses start spawning left and right, moral judgements like "it's not ethical and legal to hack (Apple)" arise from the grave etc.

Reply Parent Score: 1