undefined | Better HN

0 pointssillysaurus38y ago0 comments

It's the neighborly thing to do, but people are under no obligation to report vulns privately. The blame lies squarely on Apple, not on the messenger.

The fact that we know about it means we can take steps to mitigate the damage.

0 comments

e408y ago

The blame lies squarely on Apple, not on the messenger.

There is blame on both.

If you leave your key in your front door lock and I blast out on twitter your address and tell people about it, I think I have some responsibility.

interfixus8y ago

If you leave keys in other people's doors all over the neighbourhood, I damn well have a rigtht, and possibly an obligation, to make it publicly known that such a thing is taking place. So that everyone may take their own precautions.

godelski8y ago

Let's say keys were hidden around the neighborhood. Would you rather everyone in the whole town know about it or quietly and quickly go pick up all the keys before someone notices and breaks into one of the houses?

Personally I think if you report through the proper channels and nothing is changed THEN broadcast, but not as an opener.

grigjd38y ago

These keys aren't exactly hidden. This is like trying the doorknob a second time.

1 more reply

yeukhon8y ago

I am going to ask, do you want to try this scenario on your own in real life? Because often we make general statements while we don’t actually practice what we say to others when the issue is going to hurt ourselves.

EnFinlay8y ago

We all live with this scenario everyday, most consumer locks are ridiculously easy to open. https://en.wikipedia.org/wiki/Lock_bumping

1 more reply

asejfwe88238y ago

A better analogy would be "if the lending bank left the door to your new house open..."

Other than buy an Apple product, the users did nothing intentional to undermine security.

Since this is a subjective argument, based more on historical instances of "responsible disclosure" and not law, I'm gonna lean in this case of it being Apple that failed

They built the entire "walled garden" without getting outside help. They want the control, they have billions of dollars, can hire whatever talent...

Failed to spot a password-less root login issue.

People need to know today to be even more cautious about using Apple gear in public places or around plain ol' tech jerks that like to fuck with people for a gag.

Society has no legal or moral obligation to make sure Apple stays in business.

EGreg8y ago

Exactly.

Responsible disclosure is an interesting concept. How does this kind of disclosure make sure that the public knows about a company's track record of vulnerabilities, if everyone is under NDA and the company has no obligation to ever publicize it?

Now, if the reseacher could give a grace period, that's cool, but there MUST be a deadline by which stuff goes public. Hopefully the company fixes it and issues a postmortem first. If not - too bad!

pcwalton8y ago

The problem with that analogy is that the probability that the "bad guys" already know about this vulnerability is vastly higher than the probability that thieves know about how well some random house in the neighborhood is secured.

godelski8y ago

But do they? And what portion of them do? And are they using it? There's a lot of speculation here. But surely the average person doesn't know and with this being public knowledge, AND easy to execute there is a bigger chance for crime of opportunity.

ben_w8y ago

It’s always reasonable to assume that black-hats (and… what do you call government hackers — black-suits, helicopter-hats, ???) know everything that white-hats know, and that they either have or are already in the process of selling that exploit to less skilled criminals.

It’s not like being good morally correlates with being good at security.

1 more reply

tn_8y ago

How many more people now know about this vulnerability cause of this knuckle-head tweeting it? At least 100k impressions? Now think of how many more "bad guys" have access to this hack that are going to abuse it.

sooheon8y ago

And how many people and companies are now empowered to fix this issue for themselves, immediately.

1 more reply

ZenoArrow8y ago

You may say so, but really the level of incompetence of not setting a password for a root account is pretty high. The fact that someone reported it in a way you don't agree with shouldn't distract you from the fact that this highlights a serious oversight.

The main question that should be asked is, how did this get overlooked? How is it that your average website has better password security than the OS of one of the richest tech companies in the world?

To be fair to Apple, Microsoft had similar issues back in the 1990s. Perhaps it takes a string of security blunders for some tech companies to take security seriously.

bambax8y ago

If you sell locks and those locks can be opened by pulling on them twice, the reasonnable course of action is to make that fact known to every buyer ASAP, not tell you privately and wait for you to maybe issue a recall.

hunter2_8y ago

Locks don't nag you to decommission them quite as aggressively as OS X asks you to patch it. And an OS update was going to happen anyway, so including this patch doesn't really burden the user with an extra task they wouldn't already be subject to. Therefore, coordinated disclosure has a lot of value in the OS update ecosystem and very little in the physical lock ecosystem.

mholt8y ago

Wrong. This is Apple -- not the homeowners -- leaving everyone's key in everyone's door without them knowing.

giobox8y ago

Responsible Disclosure is widely regarded as a good practice in these situations. Blame isn't the key issue - fixing the problem quickly and safely is. Widespread disclosure before Apple have even a chance to respond in a timely fashion is inherently unsafe.

You would hope the self-described twitter bio "Agile Software Craftsman" might have thought about this a little before tweeting.

> https://en.wikipedia.org/wiki/Responsible_disclosure

dsp12348y ago

The poster practiced Full Disclosure, which is also a valid disclosure policy.

Since we're just making up statements, I guarantee that Apple would never voluntarily disclose this issue if it was reported privately. So Full Disclosure is the only way to put Apple's feet to the fire, as it's the only way in which this issue would have had any visibility whatsoever.

https://en.wikipedia.org/wiki/Full_disclosure_(computer_secu...

2 more replies

lawnchair_larry8y ago

"Responsible Disclosure" is a term rejected by the industry as a loaded phrase that favors vendors, instead preferring the term Coordinated Disclosure. Even so, reasonable professionals still disagree that this is the best option, in a debate that has existed for decades, so it's by no means settled as the "proper" way.

1 more reply

ridgeguy8y ago

This situation seems more like a lock manufacturer selling millions of locks that can be opened with a toothpick.

I'd lay responsibility at the lockmaker's door, not the guy who told everybody they were at the mercy of anyone with a toothpick.

bubblethink8y ago

>If you leave your key in your front door lock and I blast out on twitter your address and tell people about it, I think I have some responsibility.

That's not a faithful analogy. Apple isn't your neighbour. They are the landlord. The scenario is more like that the landlord uses bogus locks in your complex, and you post it on twitter. You could complain to them privately too, but given your past experiences perhaps, you thought that twitter would be a more effective medium.

nerfhammer8y ago

This is different though: the bug is so bad that random, inexpert users can discover it by accident. People that are not going to even be familiar with the term "responsible disclosure" at all. This may have been the case for the guy who tweeted this.

There is no realistic way to keep a lid on something like that and so in this case the blame is entirely on Apple.

teamhappy8y ago

Your analogy makes no sense. He's just as vulnerable as you are.

thanatropism8y ago

This very excellent comment lies "dead", so I'll repost it:

asejfwe8823 24 minutes ago [dead] [-]

A better analogy would be "if the lending bank left the door to your new house open..." Other than buy an Apple product, the users did nothing intentional to undermine security. Since this is a subjective argument, based more on historical instances of "responsible disclosure" and not law, I'm gonna lean in this case of it being Apple that failed They built the entire "walled garden" without getting outside help. They want the control, they have billions of dollars, can hire whatever talent... Failed to spot a password-less root login issue. People need to know today to be even more cautious about using Apple gear in public places or around plain ol' tech jerks that like to fuck with people for a gag. Society has no legal or moral obligation to make sure Apple stays in business.

collinmanderson8y ago

Mostly, they're just missing out on an up to $200,000 bug bounty.

https://www.theregister.co.uk/2016/08/05/apple_joins_the_bug...

2 more replies

arghwhat8y ago

... And means that others can utilize this to cause damage.

The idea of responsible disclosure is to minimize harm for you, the user. Not to minimize bad publicity.

dolson8y ago

In a case like this, I think it would be best to maximize the bad publicity. Bad publicity is the minimum Apple deserves for a bug like this. In my idea world they'd get a lot of bad publicity, and a significant financial penalty.

patcheudor8y ago

I get it, I really do, but it's not like he was complaining about a bad Uber driver. Disclosure in this way has real-world impacts up to and including harming people and we shouldn't ever consider it as something which is remotely acceptable. Is it acceptable to publicly disclose that an airport has a self-destruct switch which can be accessed near the NW mens bathroom? No. You contact someone who can fix the problem, then publicly disclose.

2 more replies

peteretep8y ago

    > people are under no obligation to
    > report vulns privately

Legal obligation, no, you're right. Moral obligation? Why not?

j / k navigate · click thread line to collapse

0 comments

e408y ago

The blame lies squarely on Apple, not on the messenger.

There is blame on both.

If you leave your key in your front door lock and I blast out on twitter your address and tell people about it, I think I have some responsibility.

interfixus8y ago

godelski8y ago

Personally I think if you report through the proper channels and nothing is changed THEN broadcast, but not as an opener.

grigjd38y ago

These keys aren't exactly hidden. This is like trying the doorknob a second time.

1 more reply

yeukhon8y ago

EnFinlay8y ago

We all live with this scenario everyday, most consumer locks are ridiculously easy to open. https://en.wikipedia.org/wiki/Lock_bumping

1 more reply

asejfwe88238y ago

A better analogy would be "if the lending bank left the door to your new house open..."

Other than buy an Apple product, the users did nothing intentional to undermine security.

Since this is a subjective argument, based more on historical instances of "responsible disclosure" and not law, I'm gonna lean in this case of it being Apple that failed

They built the entire "walled garden" without getting outside help. They want the control, they have billions of dollars, can hire whatever talent...

Failed to spot a password-less root login issue.

People need to know today to be even more cautious about using Apple gear in public places or around plain ol' tech jerks that like to fuck with people for a gag.

Society has no legal or moral obligation to make sure Apple stays in business.

EGreg8y ago

Exactly.

Now, if the reseacher could give a grace period, that's cool, but there MUST be a deadline by which stuff goes public. Hopefully the company fixes it and issues a postmortem first. If not - too bad!

pcwalton8y ago

godelski8y ago

ben_w8y ago

It’s not like being good morally correlates with being good at security.

1 more reply

tn_8y ago

sooheon8y ago

And how many people and companies are now empowered to fix this issue for themselves, immediately.

1 more reply

ZenoArrow8y ago

The main question that should be asked is, how did this get overlooked? How is it that your average website has better password security than the OS of one of the richest tech companies in the world?

To be fair to Apple, Microsoft had similar issues back in the 1990s. Perhaps it takes a string of security blunders for some tech companies to take security seriously.

bambax8y ago

hunter2_8y ago

mholt8y ago

Wrong. This is Apple -- not the homeowners -- leaving everyone's key in everyone's door without them knowing.

giobox8y ago

You would hope the self-described twitter bio "Agile Software Craftsman" might have thought about this a little before tweeting.

> https://en.wikipedia.org/wiki/Responsible_disclosure

dsp12348y ago

The poster practiced Full Disclosure, which is also a valid disclosure policy.

https://en.wikipedia.org/wiki/Full_disclosure_(computer_secu...

2 more replies

lawnchair_larry8y ago

1 more reply

ridgeguy8y ago

This situation seems more like a lock manufacturer selling millions of locks that can be opened with a toothpick.

I'd lay responsibility at the lockmaker's door, not the guy who told everybody they were at the mercy of anyone with a toothpick.

bubblethink8y ago

>If you leave your key in your front door lock and I blast out on twitter your address and tell people about it, I think I have some responsibility.

nerfhammer8y ago

There is no realistic way to keep a lid on something like that and so in this case the blame is entirely on Apple.

teamhappy8y ago

Your analogy makes no sense. He's just as vulnerable as you are.

thanatropism8y ago

This very excellent comment lies "dead", so I'll repost it:

asejfwe8823 24 minutes ago [dead] [-]

collinmanderson8y ago

Mostly, they're just missing out on an up to $200,000 bug bounty.

https://www.theregister.co.uk/2016/08/05/apple_joins_the_bug...

2 more replies

arghwhat8y ago

... And means that others can utilize this to cause damage.

The idea of responsible disclosure is to minimize harm for you, the user. Not to minimize bad publicity.

dolson8y ago

patcheudor8y ago

2 more replies

peteretep8y ago

    > people are under no obligation to
    > report vulns privately

Legal obligation, no, you're right. Moral obligation? Why not?

j / k navigate · click thread line to collapse