Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > News > Tech News > Security researcher behind Dev Center hack admits responsibility

Security researcher behind Dev Center hack admits responsibility
Thread Tools
MacNN Staff
Join Date: Jul 2012
Status: Offline
Reply With Quote
Jul 22, 2013, 11:19 AM
 
A man named Ibrahim Balic has identified himself as the person behind a hack of the Apple Developer Center. Balic describes himself as a "security researcher," only interested in seeing "how deep" he could go rather than causing any problems. He adds that he reported 13 bugs to Apple, one of which allowed him to gain access to user information.

Details of 73 users, all of them Apple workers, were allegedly turned over to the company as an example. Thursday's Dev Center shutdown is said to have taken place just four hours later. Balic states that he wants to clear his name, and that he's worried about potential legal action.

In all, he claims to have obtained over 100,000 encrypted user details; a YouTube video shows a handful of names in email addresses. Those details, though, will supposedly be deleted.

     
Grizzled Veteran
Join Date: Jun 2008
Status: Offline
Reply With Quote
Jul 22, 2013, 11:36 AM
 
"...adhering to the regulations and law..."

Whoa, there, buddy... doing pentests without explicit permission from the entity you're testing is most certainly NOT within the bounds of the law. Simply saying "I am operating within the bounds of the law" does not make it so, similar to signs that say, "Stay back 200 feet -- not responsible for broken windshields" not absolving the company of liability and responsibility for broken windshields.

Simply posting a disclaimer does not absolve one of legal responsibility. The laws govern you absolutely, despite exclaiming that they do not.
     
Forum Regular
Join Date: Sep 2000
Location: Newport News,VA,USA
Status: Offline
Reply With Quote
Jul 22, 2013, 11:50 AM
 
So, describing yourself as a "Security Researcher" absolves you of any responsibility or expectation that you will apply common sense? Sure he found problems but he did it in a way that disrupted a lot of people, wasted time and money and was not authorised by Apple or anyone else.

How about we have a "murder researcher", just seeing how deep he can push the knife before someone croaks?
Beware of geeks bearing Gifs
     
Grizzled Veteran
Join Date: Nov 2006
Status: Offline
Reply With Quote
Jul 22, 2013, 01:14 PM
 
How about someone did a home invasion on his property just to see how deep it can harm? Just making sure you put a sign up saying "I did it and not responsible for any damage". Typical hacker's ego that takes over their moral sense.
     
Dedicated MacNNer
Join Date: Aug 2001
Location: California
Status: Offline
Reply With Quote
Jul 22, 2013, 04:34 PM
 
Assuming the guy is genuinely white-hat and is being entirely truthful about what he did (a lot of places have been reporting an unusual number of attempted password resets on accounts used on dev center, but that could theoretically be coincidence), then that in no way makes it legal, but this isn't out of line with how security researchers usually operate. And in any case--again, assuming it's true--Apple should be thankful that somebody non-malicious found the holes for them. It might explain why they didn't immediately say something.

Apple's response, however, was correct, in any case--you might chose not to pursue a legal attack against a hacker if you decide that they were white-hat and helping you find and fix a hole, but it is still the right thing to do to treat it as a regular breach in which user data may have been compromised.

He said he only sent data on Apple employees to them, which might explain why they said they didn't know if user data had been accessed or not, but it could have been.
     
Registered User
Join Date: Apr 2000
Status: Offline
Reply With Quote
Jul 22, 2013, 05:57 PM
 
Originally Posted by DiabloConQueso View Post
"...adhering to the regulations and law..."

Whoa, there, buddy... doing pentests without explicit permission from the entity you're testing is most certainly NOT within the bounds of the law. Simply saying "I am operating within the bounds of the law" does not make it so, similar to signs that say, "Stay back 200 feet -- not responsible for broken windshields" not absolving the company of liability and responsibility for broken windshields.

Simply posting a disclaimer does not absolve one of legal responsibility. The laws govern you absolutely, despite exclaiming that they do not.
Agreed - he sounds like the Gizmodo guy trying to 'pretend' he didn't know the phone he "bought" was a iPhone 4 prototype and that he didn't "ransom" it to Apple. Totally blameless!
     
Registered User
Join Date: Apr 2000
Status: Offline
Reply With Quote
Jul 22, 2013, 05:59 PM
 
Originally Posted by Makosuke View Post
Assuming the guy is genuinely white-hat and is being entirely truthful about what he did (a lot of places have been reporting an unusual number of attempted password resets on accounts used on dev center, but that could theoretically be coincidence), then that in no way makes it legal, but this isn't out of line with how security researchers usually operate.
Real researchers do it in a 'closed' environment: against their own servers running the same software, or on their own user accounts with the cooperation of the entity they're testing against.

This guy was doing this on his own.

The DA's should go all Aaron Swartz on him.
     
Forum Regular
Join Date: Apr 2008
Status: Offline
Reply With Quote
Jul 22, 2013, 07:09 PM
 
Isn't that the guy who played "Malvin" in the movie "War Games"?

http://www.youtube.com/watch?v=GfJJk7i0NTk&feature=youtube_gdata_player
     
   
Thread Tools
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Top
Privacy Policy
All times are GMT -4. The time now is 02:39 AM.
All contents of these forums © 1995-2015 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2015, Jelsoft Enterprises Ltd., Content Relevant URLs by vBSEO 3.3.2