undefined | Better HN

0 pointskristofferR8y ago0 comments

The fact that you as the ordinary student can become root and create a lot of damage so easily is the only reason the public will care.

Us geeks have been complaining about the horrible QA in macOS for years, yet nothing has been done. The fact that this is so simple to do will probably/hopefully get ordinary people to start talking about it too ("Hey, have you heard that you can hack Macs without a password? Very insecure"), which would force Apple to improve.

0 comments

openasocket8y ago

It sounds to me like you're arguing that full disclosure in this situation could lead to a worse outcome for users in the short term, but the negative publicity will force Apple to improve their security posture, leading to a better outcome for users in the long term. (Please let me know if I'm miss-characterizing your argument)

I think you have to be very careful about that line of argument. It's a single vulnerability researcher making a unilateral decision about the short term and long term security of an entire user base, based entirely on personal judgement. I personally think the researcher should make the decision that best protects users from that specific vulnerability. Making long-term changes to a company's QA should come second.

AlexandrB8y ago

> I personally think the researcher should make the decision that best protects users from that specific vulnerability.

I find it odd that you're putting the responsibility of making decisions about how to protect Apple's users on an unaffiliated third party.

Apple has a multi-hundred-billion dollar war chest and, if they wanted to, could afford to make macOS the most secure operating system on the market. The fact that they don't is their own choice and a reflection of their priorities, not some act of God or a natural disaster. Putting the onus for cleaning up the mess in the most "responsible" way possible on third parties with a fraction of Apple's resources is being too kind to Apple.

openasocket8y ago

My point was exactly the opposite of putting the onus on the researcher. I support responsible disclosure. In responsible disclosure, the researcher informs the vendor (Apple) and leaves it to them to coordinate informing people of mitigations and pushing out a patch. If the vendor fails to respond or make progress in a certain period of time, the researcher can inform the public. It specifically puts the responsibility for dealing with the vulnerability in the hands of the vendor.

ridgeguy8y ago

I think only economic consequences would cause Apple to up its QA game. Like decreased sales or lawsuits with good prospects of winning serious money.

Unfortunately, I don't believe those will happen.

j / k navigate · click thread line to collapse

0 comments

openasocket8y ago

AlexandrB8y ago

> I personally think the researcher should make the decision that best protects users from that specific vulnerability.

I find it odd that you're putting the responsibility of making decisions about how to protect Apple's users on an unaffiliated third party.

openasocket8y ago

ridgeguy8y ago

I think only economic consequences would cause Apple to up its QA game. Like decreased sales or lawsuits with good prospects of winning serious money.

Unfortunately, I don't believe those will happen.

j / k navigate · click thread line to collapse