A Researcher Discovered A Huge iOS Security Flaw And Apple Banned Him From Its Developer Program

From: Rod-Lists 
------------------------------------------------------
http://www.businessinsider.com/charlie-miller-ios-security-2011-11?utm

===============================================================
From: Rod-Lists
------------------------------------------------------
A video detailing the code signing flaw in iOS: http://www.youtube.com/watch?v=ynTtuwQYNmk

===============================================================
From: Chad Smith
------------------------------------------------------
I *LOVE* how the headline (both in your email, and in the article) call the man a "Developer" - and the first line of the story reveals he's a.... well, I'll just copy and paste.

"Charlie Miller is a well-known Apple hacker who happened across a surprising iOS security flaw, reports CNN."

- Chad W. Smith
"I like a man who's middle name is W."
President George W. Bush - February 10, 2003
bit.ly/gwb-dubya

===============================================================
From: Chad Smith
------------------------------------------------------
And he wasn't banned for finding the flaw - he was banned for developing an app *THAT EXPLOITS IT*.

- Chad W. Smith

===============================================================
From: Chad Smith
------------------------------------------------------
Also, an intelligent commenter on YouTube pointed out...

"I think he breached the contract by talking to the media and posting this on you tube. Breach of trust - so he got the sack. Lesson: all systems today are vulnerable to adversaries in any shape and form. Simple as that."

- Chad W. Smith

===============================================================
From: James Nylen
------------------------------------------------------
I don't believe you.

===============================================================
From: Christopher Rimondi
------------------------------------------------------
Charlie Miller has been the source of a steady stream of Apple bugs for several years since he started winning the Pwn2Own contests. This type of reaction by Apple is why vulnerability researchers are increasingly not disclosing their research. Instead they are selling them to the highest bidder such as organized crime, .mil, .gov, or some other spook. This is Apple cutting off their nose to spite their face.

===============================================================
From: Ed King
------------------------------------------------------
sometimes I doubt your commitment to Sparkle Motion

===============================================================
From: chad78@gmail.com
------------------------------------------------------

===============================================================
From: Ralph Edge
------------------------------------------------------
This comment is cracking me up right now. You think they would have hired the guy by now (wonder if they tried and he declined...).

Chad Smith wrote: "And he wasn't banned for finding the flaw - he was banned for developing an app *THAT EXPLOITS IT*."

How else could you find and test a flaw, other than to develop an app that exploits it? He mentioned that he uploaded it in order to test it, but that the exploit code would only work on his phone. Apple had to review the app/code before they even put it up there. So he also uncovered a weakness in their review process?

They should consider themselves lucky that this great mind is also of good karma. He could easily find someone to tell about the exploit who would not only be grateful to him, but would give him monetary compensation as well. Instead of being a security problem Apple knows about and fixes, it could be a 0-day that ends up with thousands of customers' data being leaked.

-Ralph

===============================================================
From: Chad Smith
------------------------------------------------------
Why should they reward him for something they already knew, then building an app to exploit it, *AND* running to the web/press about it?

That would be like me knocking on the door of a bank and saying:

"Hey, your backdoor doesn't lock fully - if you jiggle it, it comes open."
"Thanks, we know. We've ordered a new door, it should be here soon."
"But no - really, watch..." *Starts to jiggle the door.*
"SIR! Please step away from the door. You are not permitted back here."
"But I could just walk right in. HEY, EVERYBODY - This bank's backdoor doesn't lock very well. Watch!"....

There is absolutely *NOTHING* Good Karma / white hat / godly / kind / helpful / pure / righteous / altruistic about ANY of that behavior after the first step.

- Chad W. Smith

===============================================================
From: Stephen Kraus
------------------------------------------------------
I'd still rather exploits and bugs be PUBLIC than hidden in the dark, Chad.

===============================================================
From: Chad Smith
------------------------------------------------------
What possible reason? If *APPLE* knows (and they are the only ones who can do anything about it) - what good does it do to inform the media? Until Apple fixes it - the fewer people who know about it, the less likely it is to actually be exploited.

By telling the world, the only possible good is people are less likely to buy apps, make in-app purchases, or update their apps. All (except the last one) hurt Apple's bottom line. Yeah, that could potentially motivate Apple to fix the problem faster, maybe - but I doubt they are purposefully dragging their feet to fix something that doesn't benefit them in any way to have broken.

As someone potentially in the crosshairs on this - the fewer people who know about it the better.

- Chad W. Smith

===============================================================
From: Stephen Kraus
------------------------------------------------------
Because in the past, and still in the future, companies GET informed, and then do very little towards fixing exploits and bugs. Chad, half the bugs and exploits out there would NEVER have been fixed until there was a major security breach somewhere OR they were made public.

===============================================================
From: Christopher Rimondi
------------------------------------------------------
Here is a great story of how being ungrateful to security researchers can backfire: http://bytelib.com/first-state-superannuation-abandons-legal-charges-against-webster/

Basically, a researcher finds a Direct Object Reference bug in the website of one of Australia's government mandated pension funds. He then alerts the Fund's IT department about it. They thank him for his help. Then their legal team gets involved... The Fund sends the police after him and threatens to sue him unless he hands over his computer for "forensic evidence". The researcher refuses and the mainstream media gets a hold of the story. IT staff at the Fund come forward and say that management knew about the bug and several others yet did nothing. Now the Fund is no longer threatening to sue him, the police are no longer investigating him, and the Fund is being investigated by the Australian government for lax software development practices.

===============================================================
From: Rod-Lists
------------------------------------------------------
only on his phone. Problem is you can't test it without putting it in the app store.

===============================================================
From: Stephen Kraus
------------------------------------------------------
I think the saddest part is the app store APPROVED his app

===============================================================
From: Rod-Lists
------------------------------------------------------
you and me both. Now where is my rabbit mask?

===============================================================
From: Chad Smith
------------------------------------------------------
And by *Banning* him - they ensure that will never happen again.

1. Knowingly writing an app with a purposeful exploit
2. Knowingly submitting an infected app to the app store
3. Violating confidentiality by telling everyone

Any one of those 3 are enough to get you banned from the developers program. The fact is - he didn't just violate the terms - he wiped his butt with them and threw them out of his moving car in the middle of the desert.

- Chad W. Smith

===============================================================
From: Stephen Kraus
------------------------------------------------------
Great, so the next exploit will probably just be out in the wild then, right where I want it! *wrings hands menacingly*

===============================================================
From: Rod-Lists
------------------------------------------------------
Apple punishes those who test their security. Apple doesn't want you to know about security flaws. Ergo we must consider Apple inherently insecure.

===============================================================
From: Aaron Welch
------------------------------------------------------
+1

-AW

===============================================================
From: Aaron Welch
------------------------------------------------------
Chad Smith wrote: "As someone potentially in the crosshairs on this - the fewer people know about the better."

This makes me want to slap you. Pressure Apple to fix their problems publicly. They will not do it out of good will for the exact reason that you are stating.

-AW

===============================================================
From: David White
------------------------------------------------------
Ralph is right. Apple (and other companies) won't always fix their stuff unless they are pressured to.

(From the article): *Miller was surprised by his discovery and brought it to Apple's attention three weeks ago. He was told a fix was in the works.*

Assuming this statement is true, then this should already be a non-issue. To not fix security holes such as this is irresponsible. They had it coming. They knew about it, and didn't do anything about it.

===============================================================
From: James Nylen
------------------------------------------------------
The copy in this article made my eyes bleed.

===============================================================
From: Dave Brockman
------------------------------------------------------
You're way too low with that half number. I think the percentage would be closer to 85-90% quite honestly. At least with Apple/MS/Oracle. There are some who take disclosures seriously, but it isn't those three.

Regards,
dtb

===============================================================
From: Dave Brockman
------------------------------------------------------
Whoever is using Rod's account, stop it! My brain can't take Rod posts making sense, and good sense at that!

Regards,
dtb

P.S. Well done Rod!

===============================================================
From: Dave Brockman
------------------------------------------------------
So, you're saying that only the guys in black hats should know about vulnerabilities, right? That in an instance just such as this, where the vendor is not quickly fixing the issue (and this is a biggie, MS would have issued an OOB patch for this), instead of being informed of it (the logical conclusion is so you can take your own mitigation actions as needed), you should instead just rely on the vendor who keeps telling you their product is perfectly safe....

You do understand that the guys in the black hats do communicate, right? It won't be one lone guy out in the wild who figures this out, it will be all over the seedier parts of the great Internet and there will be dozens of new crapware exploiting this one vulnerability. I don't think you know how the other half really operate..... You deserve every piece of malware that finds itself a home on any electronic device you own.

Regards,
dtb

===============================================================
From: Dave Brockman
------------------------------------------------------
3 weeks passes most conscience tests regarding public disclosure. 2 weeks heads up to the vendor is pretty close to the norm, although I see nicer white hats that wait 30 days. Based on the critical nature of this vulnerability, I would think 10 days would be sufficient.

Regards,
dtb

===============================================================
From: Dave Brockman
------------------------------------------------------
Was that a translation? Wow, someone needs a new editor...

Regards,
dtb

===============================================================
From: Mike Harrison
------------------------------------------------------
The world is full of shades of grey, few things are absolute. I tend to trust people who understand and created their own ethics and morality more than those that blindly accept a prepackaged bundle from their church or some section of society.

Mr. Miller made some choices that, to him, made sense. I'll contend he understood all of the possible ramifications and probably traded being part of the Apple ecosystem for some fame and other potential fortunes. It signals to me, that for whatever reasons, he has little interest in being inside the Apple ecosystem any more.

Thank you Mr. Miller. His small contribution of chaos will probably make major changes in the way many things get done for all those people who pay a little extra to be part of the iEcoSystem. At least, I hope so.