undefined | Better HN

0 pointsovercast8y ago0 comments

Excuse my language, but this was a dick move to post this publicly, especially on Twitter. Go through private bug channels properly for something as serious as this. Of course doing it that way doesn't give you your 15 minutes of interweb fame.

0 comments

17 comments · 4 top-level

zerostar078y ago· 5 in thread

this is too serious to hide. better to tell users how to fix it than wait until apple releases something

glhaynes8y ago

That's not how responsible disclosure works.

testvox8y ago

But it's how full disclosure works which is more responsible then coordinated disclosure.

overcastOP8y ago

Yeh, except for the millions of MacOS users out there, like my parents who don't read Twitter, or HN or any of the other sites people think that everyone stays up on. They are the targets.

fixermark8y ago

Not technically. Exploitation still requires physical access to the machine or remote access to have been enabled, right? Did your parents who don't read Twitter or HN enable a feature that generally only power users want or need?

pkaye8y ago

I think it is only a local exploit. The bigger risk are the Macs in schools and libraries.

mikeash8y ago· 3 in thread

Maybe he didn't know about the proper procedures to handle a security vulnerability. You wouldn't have to be a security researcher to discover this bug, and I don't see any indication that he is one.

always_good8y ago

Also, it's reasonable for someone to think that making a public stink about it is in the best interest of all the people then that can immediately patch it themselves instead of having to wait for Apple to push a patch and then for everyone to download that patch.

I'm not convinced private disclosure is without its downsides nor a panacea.

Jedd8y ago

Maybe. Look at his twitter page though: https://twitter.com/lemiorhan

Not impossible to believe he's unaware of the right way of handling this kind of issue, but that banner photo (Enthralling My F-ing Audience) [1] and stats there suggest he should be aware that there probably are sensible and polite procedures for this, even if he didn't immediately know what they were.

[1] http://jesuschristsiliconvalley-blog.tumblr.com/post/4653787...

1 more reply

overcastOP8y ago

I would say it's pretty basic common sense, not to publicly announce ANYTHING that could immediately affect millions of people. Unless he's just a sociopath.

From his Twitter account, he's not just some layman stumbling across it.

Agile Software Craftsman, iyzicoder @ http://www.iyzico.com , Founder of Software Craftsmanship Turkey @scturkey, The community guy http://bit.ly/lemiorhan

1 more reply

giarc8y ago· 3 in thread

Probably could still get 15 minutes of fame if you disclosed privately then blogged about the back and forth and a picture of the $10,000 cheque from Apple.

CameronBanga8y ago

Apple doesn't pay bounties for this sort of report, even if direct to their team. They have a private bounty program, for a select few.

bredren8y ago

That this would be the prevailing understanding is exactly why a bug like this would live in the wild at all. There are plenty of other orgs out there who would have paid big money for this.

3pt141598y ago

Source? I've heard of iPhone vulnerabilities getting high six figures from Apple (for root access via sms). Why wouldn't Apple pay for something like this?

fixermark8y ago· 2 in thread

When I put it into my personal malice / ignorance balance, it weighs out to the likelihood that the discloser isn't plugged in enough to the infosec scene to be aware that there are already best practices for this kind of disclosure.

It's a big world out there, especially nowadays. And nothing I've seen in recent history suggests to me the average user knows or cares about infosec concerns beyond basic hindsight understandings.

testvox8y ago

Isn't the best practice full disclosure? It seems like it was followed well.

overcastOP8y ago

Sure, now look at his Twitter account. He looks pretty plugged into the software community.

Agile Software Craftsman, iyzicoder @ http://www.iyzico.com , Founder of Software Craftsmanship Turkey @scturkey, The community guy http://bit.ly/lemiorhan

1 more reply

j / k navigate · click thread line to collapse

0 comments

17 comments · 4 top-level

zerostar078y ago· 5 in thread

this is too serious to hide. better to tell users how to fix it than wait until apple releases something

glhaynes8y ago

That's not how responsible disclosure works.

testvox8y ago

But it's how full disclosure works which is more responsible then coordinated disclosure.

overcastOP8y ago

Yeh, except for the millions of MacOS users out there, like my parents who don't read Twitter, or HN or any of the other sites people think that everyone stays up on. They are the targets.

fixermark8y ago

pkaye8y ago

I think it is only a local exploit. The bigger risk are the Macs in schools and libraries.

mikeash8y ago· 3 in thread

Maybe he didn't know about the proper procedures to handle a security vulnerability. You wouldn't have to be a security researcher to discover this bug, and I don't see any indication that he is one.

always_good8y ago

I'm not convinced private disclosure is without its downsides nor a panacea.

Jedd8y ago

Maybe. Look at his twitter page though: https://twitter.com/lemiorhan

[1] http://jesuschristsiliconvalley-blog.tumblr.com/post/4653787...

1 more reply

overcastOP8y ago

I would say it's pretty basic common sense, not to publicly announce ANYTHING that could immediately affect millions of people. Unless he's just a sociopath.

From his Twitter account, he's not just some layman stumbling across it.

Agile Software Craftsman, iyzicoder @ http://www.iyzico.com , Founder of Software Craftsmanship Turkey @scturkey, The community guy http://bit.ly/lemiorhan

1 more reply

giarc8y ago· 3 in thread

Probably could still get 15 minutes of fame if you disclosed privately then blogged about the back and forth and a picture of the $10,000 cheque from Apple.

CameronBanga8y ago

Apple doesn't pay bounties for this sort of report, even if direct to their team. They have a private bounty program, for a select few.

bredren8y ago

That this would be the prevailing understanding is exactly why a bug like this would live in the wild at all. There are plenty of other orgs out there who would have paid big money for this.

3pt141598y ago

Source? I've heard of iPhone vulnerabilities getting high six figures from Apple (for root access via sms). Why wouldn't Apple pay for something like this?

fixermark8y ago· 2 in thread

It's a big world out there, especially nowadays. And nothing I've seen in recent history suggests to me the average user knows or cares about infosec concerns beyond basic hindsight understandings.

testvox8y ago

Isn't the best practice full disclosure? It seems like it was followed well.

overcastOP8y ago

Sure, now look at his Twitter account. He looks pretty plugged into the software community.

Agile Software Craftsman, iyzicoder @ http://www.iyzico.com , Founder of Software Craftsmanship Turkey @scturkey, The community guy http://bit.ly/lemiorhan

1 more reply

j / k navigate · click thread line to collapse