Apple Excommunicates iOS Cracker - InformationWeek


YMOM100,
User Rank: Apprentice
11/8/2011 | 6:08:50 PM
re: Apple Excommunicates iOS Cracker
Hmm, piss off a hacker that was trying to help......

http://bit.ly/dI3hcF
Tom LaSusa,
User Rank: Apprentice
11/8/2011 | 8:42:09 PM
re: Apple Excommunicates iOS Cracker
I can understand Miller's frustration to a degree, but he also has to realize that's the contract he signed with Apple. If I went to work for a company that enforced a policy of no bow ties and Fez hats, and I wore them because I thought the policy was dumb, I don't get to gripe when I get the call from HR to pack up my stuff.

You go to work for a company, you agree to their rules. If he wants to show people that Apple devices have a myriad of security holes (a noble thing to do) then he should stop working for them.

Tom LaSusa
InformationWeek
YMOM100,
User Rank: Apprentice
11/9/2011 | 1:06:58 AM
re: Apple Excommunicates iOS Cracker
Agree to some extent, but as a professional you need to speak up when it is on topic and the company's policy or decision is plain wrong. And a good company will thank you for it, admit that you are right, and give you a good position where you can put your skills to better use. Why do you think other companies pay bounties for bug hunters?
But Apple is run by morons who are so far from reality that this idiotic move is no surprise.
PJONES773,
User Rank: Apprentice
11/9/2011 | 3:24:33 PM
re: Apple Excommunicates iOS Cracker
Bow ties are cool.
Tom LaSusa,
User Rank: Apprentice
11/9/2011 | 8:58:35 PM
re: Apple Excommunicates iOS Cracker
Whew...thank goodness someone got the reference! ;-)

Tom LaSusa
InformationWeek Community Manager and lifelong Whovian
TheUO,
User Rank: Apprentice
11/8/2011 | 9:53:04 PM
re: Apple Excommunicates iOS Cracker
From the few details given in the article, he only made one mistake by failing to disclose the proof-of-concept app that he made and had passed through to the marketplace. Otherwise, he, apparently, disclosed the bug to Apple which should, in my mind, be paying him and giving him job offers for finding it. Sure, he didn't keep it "under wraps" like they always want, but hey, they can now address this serious bug, which in the wrong hands could have really made Apple look bad given their persona of it always working flawlessly all the time with no vulnerabilities. Treating him like this will probably just make things worse for them, should he get disgruntled and turn malicious. He already has a good history of finding seriously fatal flaws, what if he's upset enough to take the black hat route next time he finds one? Sometimes it's better to take the "high road" and admit your deficiencies as opposed to always attacking those that bring them to light like they are the ones in the wrong.

Yes, he could have probably handled it better and disclosed what he was planning before he did it, but in that case, I'm sure they would have just shut him down before he could have had a chance to test and release it, which is typical Apple. They would rather squash and silence it than admit there's a bug. This would have left it open for more malicious people/groups to find and exploit it for real, with real world repercussions. So, they'll just punish him instead of taking the time to learn from him or offer to let him teach them a thing or two because, God forbid, something bad is disclosed to the public about anything Apple related.

In addition to that, public disclosure of bugs should keep Apple's programmers from becoming complacent with the idea that everything they make is bug free. As a programmer, I know that the majority of code out there has vulnerabilities, I find them in mine, and if you're confident that your code doesn't contain any, that's when you're most likely to introduce them or let one slip through...

My personal opinion: Give that man a medal and tell your QA department to make him an offer he can't refuse.
Henry Hertz Hobbit,
User Rank: Apprentice
11/12/2011 | 6:15:34 AM
re: Apple Excommunicates iOS Cracker
As a former NSA Analyst, Charlie Miller has found a perfectly good home. Meet the Advisory board:

http://www.accuvant.com/about/...

Charlie has top security research billing where he is at which is much better than working for Apple. OTOH, did you mean that "make him an offer he can't refuse" in the same vein as something being offered by the goodfellas? In that case, I think that Apple has already done that.
Bprince,
User Rank: Apprentice
11/8/2011 | 11:40:23 PM
re: Apple Excommunicates iOS Cracker
To TheUO's point below, how many readers think this will have an impact on research into iOS bugs/malware by legitimate researchers? What do you think that impact will be?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
RJF19,
User Rank: Apprentice
11/9/2011 | 2:25:55 PM
re: Apple Excommunicates iOS Cracker
So, the guy finds a flaw that could potentially hurt Apple where it really matters and they punish him? Steve, you left too soon...
RayfromNH,
User Rank: Apprentice
11/9/2011 | 7:41:24 PM
re: Apple Excommunicates iOS Cracker
Miller is showing the kind of thinking outside the box that is required to find and expose security flaws. Accuvant is lucky to have him as a consultant. Apple on the other hand is showing the kind of stick to the policy thinking that will turn them into the next big company that puts stockholders and company policy before customers and innovation.
ANON1237925156805,
User Rank: Apprentice
11/10/2011 | 12:36:03 AM
re: Apple Excommunicates iOS Cracker
Miller does all of us a real service. He's done it for a while, alerting Apple and others to potential flaws. Apple has clearly not been closed to that; it has maintained its relationship with him. It has continued to approve and publish his apps.

A distinction has to be made between describing flaws and offering proof of concept on request perhaps in a test environment vs introducing a potential portal for malware in a production app whilst doing the publicity circuit to describe how it works. That's clearly in violation of his contract with Apple, which presumably he signed without a gun pointed at his temple.

What's more, since a curated environment is part of Apple's branding, they have to defend it. If they had not responded firmly to this breach of protocol there would have been complaints from the other direction. Google can get away with backing out 50 apps with malware after the fact. Its users prize so called openness and assume such risks. Apple cannot afford to take that approach at this point.

So Miller's out of the app store for one year. That's enough to show they mean business. Hopefully they will encourage him to continue looking for flaws and reporting them. Hopefully a full relationship can resume after a year. Hopefully others with Miller's interests will find a more effective way of handling such situations in future.

Hey Apple, while you're at it, close that loophole. . .
Henry Hertz Hobbit,
User Rank: Apprentice
11/12/2011 | 6:17:43 AM
re: Apple Excommunicates iOS Cracker
It is fair if they do the same thing to everybody else. It is always unproductive to turn down information that can be used to improve your product.
Henry Hertz Hobbit,
User Rank: Apprentice
11/12/2011 | 7:22:27 AM
re: Apple Excommunicates iOS Cracker
Will somebody please pass the hemlock? Charlie Miller, I suggest you put that anger to use by improving the security of the various Linux distros and Android instead. I for one would welcome these other products getting enhanced security. Charlie, if you drop me a line I will tell you what I use personally so you can start making them more secure first. Apple doesn't think their products are practically perfect. Apple thinks their products and the way they do everything is perfect. Good. Let the black-hats shatter that delusion of invincibility from now on.