Linked by Thom Holwerda on Mon 22nd Jul 2013 10:10 UTC
"Apple revealed Sunday that its Developer Center suffered a lengthy outage this week following a security breach that may have compromised data, but a security researcher has provided evidence to suggest the shutdown was in response to his identification of a vulnerability." It's no secret that Apple's developer portals are a mix of outdated, crappy technologies, and it seems that this security researcher did good work by making that fact very, very clear for everyone. Would be nice of Apple to acknowledge his work, although as we all know, that's about as unlikely as Pluto blocking the sun, no matter how Apple claims it wants to be "open" about this disaster in its public statement.
Thread beginning with comment 567712
Tony Swash Member since:
2009-08-22

Reading his comment, and taking into account the ambiguity caused by the guy obviously not writing in his mother tongue, it seems very unclear what the timetable is. If somebody finds a security loophole in a big, complex system and reports it, how long is it acceptable before he goes public? A week? A month? Ever?

Is it ever justified to actually hack into a system and take confidential data even if it is intended as a way of bringing an issue to someone's attention?

I don't know the answers to those questions and the issues raised seem complex and not very clear cut. I think actually hacking a system and taking data in order to prove a point is probably mostly bad most of the time and expecting to be promptly publicly thanked by those whose system one had hacked is ridiculous.

I certainly think that sweeping statements like this are premature and simplistic.

> It's no secret that Apple's developer portals are a mix of outdated, crappy technologies, and it seems that this security researcher did good work by making that fact very, very clear for everyone. Would be nice of Apple to acknowledge his work, although as we all know, that's about as unlikely as Pluto blocking the sun, no matter how Apple claims it wants to be "open" about this disaster in its public statement.

Reply Parent Score: 2

Laurence Member since:
2007-03-26

Sometimes organizations will leave known vulnerabilities in place even after they've been reported. So sometimes it takes the threat of going public, and even much worse, to actually get companies to take notice.

While I don't agree with taking such data, sometimes it's a lesser evil compared to that software going unpatched and open to genuine malicious intent. So while I don't agree with what he did, I can forgive him for doing it.

Reply Parent Score: 4

Soulbender Member since:
2005-08-18

The problem is that he never put any pressure on them. He just sat on his ass and maybe sent some emails to Apple. He never publicly disclosed the vulnerabilities after, say, a week of no action from Apple like he should have done.

To be honest, it smells not unlike an attempt to extort something from them. I mean, why else would he not publicly disclose what he knew once he thought Apple had taken too long? The only other explanation that makes sense is that he's an incompetent dumbass.

Reply Parent Score: 3