Security researcher behind Dev Center hack admits responsibility
MacNN Staff
Join Date: Jul 2012
A man named Ibrahim Balic has identified himself as the person behind a hack of the Apple Developer Center. Balic describes himself as a "security researcher," only interested in seeing "how deep" he could go rather than causing any problems. He adds that he reported 13 bugs to Apple, one of which allowed him to gain access to user information. Details of 73 users, all of them Apple workers, were allegedly turned over to the company as an example. Thursday's Dev Center shutdown is said to have taken place just four hours later. Balic states that he wants to clear his name, and that he's worried about potential legal action.
In all, he claims to have obtained over 100,000 encrypted user details; a YouTube video shows a handful of names in email addresses. Those details, though, will supposedly be deleted.
Grizzled Veteran
Join Date: Jun 2008
"...adhering to the regulations and law..."
Whoa, there, buddy... doing pentests without explicit permission from the entity you're testing is most certainly NOT within the bounds of the law. Simply saying "I am operating within the bounds of the law" does not make it so, similar to signs that say, "Stay back 200 feet -- not responsible for broken windshields" not absolving the company of liability and responsibility for broken windshields.
Simply posting a disclaimer does not absolve one of legal responsibility. The laws govern you absolutely, despite exclaiming that they do not.
Forum Regular
Join Date: Sep 2000
Location: Newport News, VA, USA
So, describing yourself as a "Security Researcher" absolves you of any responsibility or expectation that you will apply common sense? Sure he found problems but he did it in a way that disrupted a lot of people, wasted time and money and was not authorised by Apple or anyone else.
How about we have a "murder researcher", just seeing how deep he can push the knife before someone croaks?
Beware of geeks bearing Gifs
Grizzled Veteran
Join Date: Nov 2006
How about someone did a home invasion on his property just to see how deep it can harm? Just making sure you put a sign up saying "I did it and not responsible for any damage". Typical hacker's ego that takes over their moral sense.
Dedicated MacNNer
Join Date: Aug 2001
Location: California
Assuming the guy is genuinely white-hat and is being entirely truthful about what he did (a lot of places have been reporting an unusual number of attempted password resets on accounts used on dev center, but that could theoretically be coincidence), then that in no way makes it legal, but this isn't out of line with how security researchers usually operate. And in any case--again, assuming it's true--Apple should be thankful that somebody non-malicious found the holes for them. It might explain why they didn't immediately say something.
Apple's response, however, was correct, in any case--you might choose not to pursue a legal attack against a hacker if you decide that they were white-hat and helping you find and fix a hole, but it is still the right thing to do to treat it as a regular breach in which user data may have been compromised.
He said he only sent data on Apple employees to them, which might explain why they said they didn't know if user data had been accessed or not, but it could have been.
Registered User
Join Date: Apr 2000
Originally Posted by DiabloConQueso
"...adhering to the regulations and law..."
Whoa, there, buddy... doing pentests without explicit permission from the entity you're testing is most certainly NOT within the bounds of the law. Simply saying "I am operating within the bounds of the law" does not make it so, similar to signs that say, "Stay back 200 feet -- not responsible for broken windshields" not absolving the company of liability and responsibility for broken windshields.
Simply posting a disclaimer does not absolve one of legal responsibility. The laws govern you absolutely, despite exclaiming that they do not.
Agreed - he sounds like the Gizmodo guy trying to 'pretend' he didn't know the phone he "bought" was an iPhone 4 prototype and that he didn't "ransom" it to Apple. Totally blameless!
Registered User
Join Date: Apr 2000
Originally Posted by Makosuke
Assuming the guy is genuinely white-hat and is being entirely truthful about what he did (a lot of places have been reporting an unusual number of attempted password resets on accounts used on dev center, but that could theoretically be coincidence), then that in no way makes it legal, but this isn't out of line with how security researchers usually operate.
Real researchers do it in a 'closed' environment: against their own servers running the same software, or on their own user accounts with the cooperation of the entity they're testing against.
This guy was doing this on his own.
The DAs should go all Aaron Swartz on him.
Forum Regular
Join Date: Apr 2008
Isn't that the guy who played "Malvin" in the movie "War Games"?
http://www.youtube.com/watch?v=GfJJk7i0NTk&feature=youtube_gdata_player