undefined | Better HN

0 pointsovercast8y ago0 comments

Excuse my language, but this was a dick move to post this publicly, especially on Twitter. Go through private bug channels properly for something as serious as this. Of course doing it that way doesn't give you your 15 minutes of interweb fame.

0 comments

fixermark8y ago

When I put it into my personal malice / ignorance balance, it weighs out to the likelihood that the discloser isn't plugged in enough to the infosec scene to be aware that there are already best practices for this kind of disclosure.

It's a big world out there, especially nowadays. And nothing I've seen in recent history suggests to me the average user knows or cares about infosec concerns beyond basic hindsight understandings.

testvox8y ago

Isn't the best practice full disclosure? It seems like it was followed well.

overcastOP8y ago

Sure, now look at his Twitter account. He looks pretty plugged into the software community.

Agile Software Craftsman, iyzicoder @ http://www.iyzico.com , Founder of Software Craftsmanship Turkey @scturkey, The community guy http://bit.ly/lemiorhan

fixermark8y ago

Yes. And from his personal site [http://www.lemiorhanergin.com/]:

He's a manager. CSM, PSM1, PSD1, Scrum Master, Kanban Practitioner. Code retreat facilitator. Translated Agile Manifesto into Turkish. The only thing that immediately makes me think he even touches code is "git trainer and lover." Notably lacking from his résumé: references to specific open source projects he's worked on or code he's written (though personally, I'd be concerned because his résumé does list "Restful Services" and I'd expect that to have given him a taste of infosec basics, but maybe it's a bit of résumé padding... shouldn't it be spelled "RESTful services?" ;) ).

It feels weird to say for those of us deeply immersed in the internet / telecoms / web app side of software development, but depending on your focus, you can do an awful lot of software development without ever brushing up against the sharp edge of infosec.

mikeash8y ago

Maybe he didn't know about the proper procedures to handle a security vulnerability. You wouldn't have to be a security researcher to discover this bug, and I don't see any indication that he is one.

always_good8y ago

Also, it's reasonable for someone to think that making a public stink about it is in the best interest of all the people then that can immediately patch it themselves instead of having to wait for Apple to push a patch and then for everyone to download that patch.

I'm not convinced private disclosure is without its downsides nor a panacea.

Jedd8y ago

Maybe. Look at his twitter page though: https://twitter.com/lemiorhan

Not impossible to believe he's unaware of the right way of handling this kind of issue, but that banner photo (Enthralling My F-ing Audience) [1] and stats there suggest he should be aware that there probably are sensible and polite procedures for this, even if he didn't immediately know what they were.

[1] http://jesuschristsiliconvalley-blog.tumblr.com/post/4653787...

mikeash8y ago

How do the banner or stats suggest he should have known about this?

1 more reply

overcastOP8y ago

I would say it's pretty basic common sense, not to publicly announce ANYTHING that could immediately affect millions of people. Unless he's just a sociopath.

From his Twitter account, he's not just some layman stumbling across it.

Agile Software Craftsman, iyzicoder @ http://www.iyzico.com , Founder of Software Craftsmanship Turkey @scturkey, The community guy http://bit.ly/lemiorhan

mikeash8y ago

If that were true, then the security community wouldn't have spent years fighting about whether responsible disclosure was the right approach. That's for people who actually understand this stuff. It's unreasonable to expect an outsider to derive it all on their own from first principles.

1 more reply

giarc8y ago

Probably could still get 15 minutes of fame if you disclosed privately then blogged about the back and forth and a picture of the $10,000 cheque from Apple.

CameronBanga8y ago

Apple doesn't pay bounties for this sort of report, even if direct to their team. They have a private bounty program, for a select few.

bredren8y ago

That this would be the prevailing understanding is exactly why a bug like this would live in the wild at all. There are plenty of other orgs out there who would have paid big money for this.

3pt141598y ago

Source? I've heard of iPhone vulnerabilities getting high six figures from Apple (for root access via sms). Why wouldn't Apple pay for something like this?

zerostar078y ago

this is too serious to hide. better to tell users how to fix it than wait until apple releases something

glhaynes8y ago

That's not how responsible disclosure works.

testvox8y ago

But it's how full disclosure works which is more responsible then coordinated disclosure.

overcastOP8y ago

Yeh, except for the millions of MacOS users out there, like my parents who don't read Twitter, or HN or any of the other sites people think that everyone stays up on. They are the targets.

fixermark8y ago

Not technically. Exploitation still requires physical access to the machine or remote access to have been enabled, right? Did your parents who don't read Twitter or HN enable a feature that generally only power users want or need?

pkaye8y ago

I think it is only a local exploit. The bigger risk are the Macs in schools and libraries.

j / k navigate · click thread line to collapse

0 comments

fixermark8y ago

It's a big world out there, especially nowadays. And nothing I've seen in recent history suggests to me the average user knows or cares about infosec concerns beyond basic hindsight understandings.

testvox8y ago

Isn't the best practice full disclosure? It seems like it was followed well.

overcastOP8y ago

Sure, now look at his Twitter account. He looks pretty plugged into the software community.

Agile Software Craftsman, iyzicoder @ http://www.iyzico.com , Founder of Software Craftsmanship Turkey @scturkey, The community guy http://bit.ly/lemiorhan

fixermark8y ago

Yes. And from his personal site [http://www.lemiorhanergin.com/]:

mikeash8y ago

Maybe he didn't know about the proper procedures to handle a security vulnerability. You wouldn't have to be a security researcher to discover this bug, and I don't see any indication that he is one.

always_good8y ago

I'm not convinced private disclosure is without its downsides nor a panacea.

Jedd8y ago

Maybe. Look at his twitter page though: https://twitter.com/lemiorhan

[1] http://jesuschristsiliconvalley-blog.tumblr.com/post/4653787...

mikeash8y ago

How do the banner or stats suggest he should have known about this?

1 more reply

overcastOP8y ago

I would say it's pretty basic common sense, not to publicly announce ANYTHING that could immediately affect millions of people. Unless he's just a sociopath.

From his Twitter account, he's not just some layman stumbling across it.

Agile Software Craftsman, iyzicoder @ http://www.iyzico.com , Founder of Software Craftsmanship Turkey @scturkey, The community guy http://bit.ly/lemiorhan

mikeash8y ago

1 more reply

giarc8y ago

Probably could still get 15 minutes of fame if you disclosed privately then blogged about the back and forth and a picture of the $10,000 cheque from Apple.

CameronBanga8y ago

Apple doesn't pay bounties for this sort of report, even if direct to their team. They have a private bounty program, for a select few.

bredren8y ago

That this would be the prevailing understanding is exactly why a bug like this would live in the wild at all. There are plenty of other orgs out there who would have paid big money for this.

3pt141598y ago

Source? I've heard of iPhone vulnerabilities getting high six figures from Apple (for root access via sms). Why wouldn't Apple pay for something like this?

zerostar078y ago

this is too serious to hide. better to tell users how to fix it than wait until apple releases something

glhaynes8y ago

That's not how responsible disclosure works.

testvox8y ago

But it's how full disclosure works which is more responsible then coordinated disclosure.

overcastOP8y ago

Yeh, except for the millions of MacOS users out there, like my parents who don't read Twitter, or HN or any of the other sites people think that everyone stays up on. They are the targets.

fixermark8y ago

pkaye8y ago

I think it is only a local exploit. The bigger risk are the Macs in schools and libraries.

j / k navigate · click thread line to collapse