Developer Reveals Mac Security Hole Without Telling Apple

HardOCP News

Personally, I think this is a dick move. I can understand going public if you've alerted the company ahead of time and they still didn't fix the flaw but that isn't the case here.

He recently posted details of an OS X exploit, "tpwn," that lets intruders get root-level access to your Mac (even if it's running the recent 10.10.5 update) without even telling Apple, let alone waiting for a patch. It's now a race between the Cupertino crew and malware writers to make use of the discovery.
 
I totally agree Steve. I'm not fond of Google's methods, but at least they notify and provide some time for the vendor to patch. This researcher just fucked Mac users (though it apparently won't hurt you if you don't download/install compromised software).
 
The developer is 18. He probably asked Apple for reward monies, and they didn't pay up.
 
Apple probably wouldn't have fixed it quickly, if at all, anyways. Now, they might move a little faster.
 
Apple probably wouldn't have fixed it quickly, if at all, anyways. Now, they might move a little faster.

That's still not an excuse not to tell them up front. Releasing the details hurts Apple's users more than it hurts Apple.
 
That's still not an excuse not to tell them up front. Releasing the details hurts Apple's users more than it hurts Apple.

From personal experience, Apple's users are at the bottom of the list of things they give a fuck about.
 
I totally agree Steve. I'm not fond of Google's methods, but at least they notify and provide some time for the vendor to patch. This researcher just fucked Mac users (though it apparently won't hurt you if you don't download/install compromised software).

There could be some time between public announcement with demonstrations and publicly released working code. Public isn't going to give a crap about the code details past a working example. At least the malware writers won't be able to hit the ground running. Considering the knowhow grows geometrically, even making them work 3-4 more days on their malware before the fix could mitigate a lot of damage.
 
This must cross the boundary of a law that will give him a criminal record.
If not, one needs creating.
 
What this person did was accelerate a response from Apple through brute force publicity. Definitely a dick move. There are processes to be followed when finding an exploit which could compromise a user base. He didn't, and now a hell of a lot of resources are going to be expended to patch the flaw before hackers can take advantage of it.
 
Considering how many millions could be affected, it should be a civil matter.
 
Let's face it -- had he gone through legal ways of exposing the flaw it would have taken months to fix, and he might be subjected to a legal issue. Apple would find some BS way to sue the kid for "looking at copyrighted code" or something stupid.

It's Apple's job to make sure their stuff is bug free - if it's not, well, open season. Neither the kid nor anyone else has a duty or loyalty to Apple to help them patch their stuff. If he had gone to them and said "hey I found a pretty big security flaw -- pay me and I'll help you get it sorted out" and they didn't want to play ball, good for him on releasing it anyway.

You should be rewarded for your work - finding a flaw like that is worth some bucks, if they didn't want to pay that's their own damn fault.
 
I agree. Dick move.

That being said, I can understand their frustration. Apple hasn't exactly been very responsive to quick patch turnarounds in the past.

Could be they are just fed up and in "screw them" mode, figuring it won't make a difference anyway, because based on Apple's track record they might take YEARS after notification to do anything about it...
 
Let's face it -- had he gone through legal ways of exposing the flaw it would have taken months to fix, and he might be subjected to a legal issue. Apple would find some BS way to sue the kid for "looking at copyrighted code" or something stupid.

It's Apple's job to make sure their stuff is bug free - if it's not, well, open season. Neither the kid nor anyone else has a duty or loyalty to Apple to help them patch their stuff. If he had gone to them and said "hey I found a pretty big security flaw -- pay me and I'll help you get it sorted out" and they didn't want to play ball, good for him on releasing it anyway.

You should be rewarded for your work - finding a flaw like that is worth some bucks, if they didn't want to pay that's their own damn fault.

He didn't give them the opportunity to say no.
 
One only has to look at the recently revealed security issues with VW electronic car keys, suppressed for 3 years, to see the problems with notifying companies first.
 
This must cross the boundary of a law that will give him a criminal record.
If not, one needs creating.

If he's in the U.S. then I don't see how. It's a free speech issue, and as much as I dislike what he did, he's got every right to do it (and he should have the right to do it).
 
From personal experience, Apple's users are at the bottom of the list of things they give a fuck about.

Yup, and that is the case with any company who are successful because of rabid fanboyism. I bet Apple will get on it now that it is out on front street vs. them just putting it on the back burner until they decided to get to it.
 
I totally agree Steve. I'm not fond of Google's methods, but at least they notify and provide some time for the vendor to patch. This researcher just fucked Mac users (though it apparently won't hurt you if you don't download/install compromised software).

But isn't that how most of these infections work? You download or install compromised software. Problem is the average person isn't smart enough to know what they are doing. Something pops up telling you that you need to click here to install Mac OS updates? Sure, I will do that. Just like they do that for Flash, Java, Windows.... They believe that all popups / sites are 100% safe and that they should click on and install whatever they are asked to. You need me to enter my admin credentials for that? Sure, no problem.
 
He most likely looked for a reward the wrong way, or some management at Apple who shouldn't have that job refused him.

This is reflective of Apple, not the kid.
 
If he's in the U.S. then I don't see how. It's a free speech issue, and as much as I dislike what he did, he's got every right to do it (and he should have the right to do it).

Free speech is not a blanket that can be used to justify anything that might come out of someone's mouth.

Many things, inciting a riot, yelling fire in a movie theater, are not covered.

He could be facilitating a mass data breach, exposing personal and private pictures, bank data, etc of many people. Callous indifference comes to mind.
 
Free speech is not a blanket that can be used to justify anything that might come out of someone's mouth.

Many things, inciting a riot, yelling fire in a movie theater, are not covered.

He could be facilitating a mass data breach, exposing personal and private pictures, bank data, etc of many people. Callous indifference comes to mind.

So in your world, if I point out that your lock can be picked with a toothpick and demonstrate how insecure it is, I should go to jail? If so, I don't want to live in your world.
 
The magic blood of unicorns protects all macs from malware. Trufax.

Being uneducated seems to be even better. But keep reading titles instead of actually reading what the exploit is and what it requires of the user to work.
 
So in your world, if I point out that your lock can be picked with a toothpick and demonstrate how insecure it is, I should go to jail? If so, I don't want to live in your world.

Little specious, don't you think?
 
This must cross the boundary of a law that will give him a criminal record.
If not, one needs creating.

I disagree. IMO it's perfectly fine to share things. Do I owe Dow Chemical a 60 day notice if I find out one of their chemicals is poisoning the land?
 
Fun to see so many people bashing without RTFA and even better looking up what the actual vulnerability was.

FUN FACT: If you are burned by this, you would be burned by pretty much everything and are the reason windows got such a bad rap, as you need to download the code yourself, disable your own OS safety measures and then run the code.

https://github.com/kpwn/tpwn
 
If he's in the U.S. then I don't see how. It's a free speech issue, and as much as I dislike what he did, he's got every right to do it (and he should have the right to do it).

You do know free speech only protects you from the government, so you can't get arrested for saying bad things about Obama like you would if you were in North Korea and said something bad about their supreme ultimate l33t leader. It doesn't apply here.
 
You do know free speech only protects you from the government, so you can't get arrested for saying bad things about Obama like you would if you were in North Korea and said something bad about their supreme ultimate l33t leader. It doesn't apply here.

There's no crime in showing that a product is flawed.
 
There's no crime in showing that a product is flawed.


Didn't say there was, but it's not because of the 1st amendment...

Releasing code to exploit a previously unknown vulnerability is not 'showing a product is flawed'. Showing a product is flawed is what they do at the white hat conventions showing Proof of Concepts without releasing actual code/specific details of the vulnerability.
 
Oh jeez, sensationalize less. What this guy did was immoral, not illegal.

I am not even sure what they did was immoral. They release information of a potential threat. Any number of companies could then work on creating a fix for it. If he releases the information to Apple first, then Apple is going to make him sign an NDA, and we all know Apple is not fond of working with others when it comes to these things.

They also have been known to be extremely slow about patching security issues. I mean for about 5 years straight the same hacker used essentially the same exploit to gain root access within 15 minutes to just about all of Apple's products at annual hacking conventions. All the information for the exploit was shared with Apple every year.

So the question of legality and morality is not as clear as you may think it is. This is why open source has become so popular, people post exploits all the time, to who? To the general public. Then others can work out ways to secure it to the benefit of all.
 
Didn't say there was, but it's not because of the 1st amendment...

Releasing code to exploit a previously unknown vulnerability is not 'showing a product is flawed'. Showing a product is flawed is what they do at the white hat conventions showing Proof of Concepts without releasing actual code/specific details of the vulnerability.

The post you replied to was a reply to this post:
This must cross the boundary of a law that will give him a criminal record.
If not, one needs creating.

Any law banning this guy from showing the flaw in this software and how it's flawed, would violate the first amendment, just like laws making it illegal to tell dirty jokes or publish Hustler or Debbie Does Dallas is protected.

The location that he exposes it is also irrelevant. Whether it's White Hat, Black Hat or your neighbor's back yard, he showed that the product was flawed.
 
The post you replied to was a reply to this post:


Any law banning this guy from showing the flaw in this software and how it's flawed, would violate the first amendment, just like laws making it illegal to tell dirty jokes or publish Hustler or Debbie Does Dallas is protected.

The location that he exposes it is also irrelevant. Whether it's White Hat, Black Hat or your neighbor's back yard, he showed that the product was flawed.

I replied to your post which quoted my post...

And no, the 1st amendment does not apply here. Did you actually read what the post said before replying? The location had nothing to do with the argument.... He is not showing a flaw, he is releasing code to exploit a flaw. Showing a flaw would be a proof of concept to show it can be done, not giving anyone the ability to exploit it. 2 completely different things, I can't believe you are having a hard time understanding that....
 
That's still not an excuse not to tell them up front. Releasing the details hurts Apple's users more than it hurts Apple.

If Apple doesn't want someone doing this, they shouldn't release software with security holes in it.
 