undefined | Better HN

0 pointskristofferR8y ago0 comments

Closed disclosure does, to a large degree, prevent negative publicity. I don't think it is in dispute that this bug would receive vastly less media coverage if it were only revealed as a bug in outdated/patched versions of the OS.

I don't want to see Apple hurt (I'm an Apple-guy myself, using Macs, iPhone, iPad and Apple Watch), I want to see them improve. I doubt they start will start caring about QA unless they're forced to.

One absurdly serious and stupid password bug like this can be a honest mistake, but three (that we know of, that were full disclosures) in a few months is negligence that should be criminal if it isn't.

0 comments

thetruthseeker18y ago

Closed disclosure is responsible disclosure. Moving past the terminology, I am an Apple user as well, I am pretty satisfied with how quickly Apple resolves issues.

Now if every person started disclosing vulnerabilities via twitter without giving the company turn around time to resolve the issue based on their dissatisfaction with Apple based on standards they came up with personally, I don’t think it is nice or fair.

crankylinuxuser8y ago

So, obscurity is responsible disclosure? Cause being "closed disclosure" is being obscure.

A root password solves this issue. Its seconds to implement and helps right now.... Not "later" as closed disclosure does.

I'd rather know every error and critical bug. I can bring up with our team and decide now to either sudo service * stop or continue.

Your closed options keep the fact I'm vulnerable away, along with any pathways I might have to fix.

BinaryIdiot8y ago

This is a rather limited view point. You forget the majority of macOS users are NOT technically savy. This is why responsible disclosure is so important as it gives tech companies time to create and push a fix to protect their users.

Disclosing this immediately puts those people who can't setup enable the root and set its password into more harm's way.

2 more replies

thetruthseeker18y ago

I think the responsible way to handle it is, you inform Apple in a closed way. Once they come up with a fix, if you think they didn’t come up with a fix soon enough, make that information public then on how long it took Apple to turn this around. Disclosing every vulnerability to the internet and setting their ass on fire is not a good way to solve this IMO.

azernik8y ago

Obscurity is not long-term security, but it can buy you a bit of time to get a fix released and pushed out to users.

ukblewis8y ago

I actually do think it is in dispute. This is a tweet after all. This guy could totally tweet about it in much the same way after Apple released a patch. The negative publicity would still exist because the bug would be equally stupid and disastrous, just fewer people would be harmed along the way.

mark-r8y ago

It wouldn't be as clear that the bug is widely reproducible after the patch is put out. And it certainly wouldn't gather as much attention.

freedomben8y ago

Exactly. Everyone I know on Mac immediately tried reproducing this bug the moment they heard about it. On those systems where it didn't reproduce, they immediately dismissed it as a false report.

ksec8y ago

That is assuming people patch their Mac ASAP. It will still be on high alert for most media if they have disclose it few days after the bug was fixed.

azernik8y ago

Giving Apple negative publicity is not an end that justifies harming its users.

j / k navigate · click thread line to collapse

0 pointskristofferR8y ago0 comments

I don't want to see Apple hurt (I'm an Apple-guy myself, using Macs, iPhone, iPad and Apple Watch), I want to see them improve. I doubt they start will start caring about QA unless they're forced to.

0 comments

thetruthseeker18y ago

Closed disclosure is responsible disclosure. Moving past the terminology, I am an Apple user as well, I am pretty satisfied with how quickly Apple resolves issues.

crankylinuxuser8y ago

So, obscurity is responsible disclosure? Cause being "closed disclosure" is being obscure.

A root password solves this issue. Its seconds to implement and helps right now.... Not "later" as closed disclosure does.

I'd rather know every error and critical bug. I can bring up with our team and decide now to either sudo service * stop or continue.

Your closed options keep the fact I'm vulnerable away, along with any pathways I might have to fix.

BinaryIdiot8y ago

Disclosing this immediately puts those people who can't setup enable the root and set its password into more harm's way.

2 more replies

thetruthseeker18y ago

azernik8y ago

Obscurity is not long-term security, but it can buy you a bit of time to get a fix released and pushed out to users.

ukblewis8y ago

mark-r8y ago

It wouldn't be as clear that the bug is widely reproducible after the patch is put out. And it certainly wouldn't gather as much attention.

freedomben8y ago

Exactly. Everyone I know on Mac immediately tried reproducing this bug the moment they heard about it. On those systems where it didn't reproduce, they immediately dismissed it as a false report.

ksec8y ago

That is assuming people patch their Mac ASAP. It will still be on high alert for most media if they have disclose it few days after the bug was fixed.

azernik8y ago

Giving Apple negative publicity is not an end that justifies harming its users.

j / k navigate · click thread line to collapse