
Researcher demos new macOS Keychain exploit, holds data from Apple

DrMacintosh
2 minutes ago, dalekphalm said:

It's okay for him to hold the data hostage but only so long as nothing horrible happens? Seriously flawed logic.

 

He's obviously more than welcome to be an asshole and keep the data to himself - just as I have the right to call him an asshole for doing so.

No, it's okay for him to hold it to himself as long as he wants -- even if it ended up in the wild -- so long as he wasn't the one to release it. He has no obligation to release his work to Apple if they're not willing to come to agreeable terms.


1 minute ago, 79wjd said:

No, it's okay for him to hold it to himself as long as he wants -- even if it ended up in the wild -- so long as he wasn't the one to release it. He has no obligation to release his work to Apple if they're not willing to come to agreeable terms.

You're correct in that he has no legal obligation to do so (although you could argue gross negligence if he had information that could reasonably have led to a fix before the malware was released).

 

But that's not the point. Morally, he's wrong. Granted, morality is somewhat flexible - different people believe in different things. But he has information that could make the internet safer. He's refusing to part with that information because he wants to get paid - sure okay - but he knew he wasn't getting paid to begin with.

 

Especially since people are apparently totally okay with this exploit being out there since it's not public - if that's the case, then Apple has little motivation to give him any money, and therefore he's "holding" the info to himself for no good reason.

 

He's still an asshole - straight up.


On 2/9/2019 at 4:31 PM, 79wjd said:

He hasn't disclosed the bug. I see nothing wrong with witholding a bug if they're not willing to pay anything. Disclosing it is something else.

They paid the kid who found the FaceTime bug, so this guy should be rewarded too.


11 minutes ago, fasauceome said:

They paid the kid who found the FaceTime bug, so this guy should be rewarded too.

Agreed, they should pay him.

 

The difference is that the kid didn't withhold the exploit data and demand payment. As soon as they were able to get in contact with Apple, they gave Apple the information with no expectation of payment.

 

There's no question that macOS (and all Apple software) should be part of the Apple Bug Bounty. But the researcher featured in the OP knew this wasn't the case.


5 hours ago, dalekphalm said:

How do you know they've given Apple enough information?

The article explained he showed them proof it was exploitable and in which part of the OS. That is enough information.

 

5 hours ago, dalekphalm said:

Certainly they could probably make some educated guesses, and eventually reverse engineer his exploit.

Yes, they can do that, or they can buy the information off him. It's completely their decision. He isn't going to release this to the public (that we know of) so they aren't being blackmailed into paying for it.

5 hours ago, dalekphalm said:

But it doesn't matter that he's not threatening to make it public - that would certainly be worse (and probably straight up illegal), but what he's doing is still wrong.

 

Why is it still wrong? It's not blackmail, it's not a ransom, and he has covered the ethical side of it by letting them know it exists.

 

5 hours ago, dalekphalm said:

We're essentially just taking the chance that he's the only one who's found it yet. He knew he wasn't gonna get paid before he even started the research. It might make sense for him to withhold the info, but it's not in the public interest. If he had the public interest in mind, he'd just give Apple the info, and work out money stuff later (and take the risk that he might not get paid).

 

That's up to Apple to decide. Why should the general public do any security QC for Apple (or for any company) and be expected to hand the results over for free? If Apple thinks they can work it out quickly enough and cheaper than paying this man a bounty then they can do that. To me this is like any other business that looks for issues and creates solutions for other businesses; there is no legal obligation for a business to buy it, and they aren't preventing the business from implementing their own solution.

 

 


2 minutes ago, mr moose said:

The article explained he showed them proof it was exploitable and in which part of the OS. That is enough information.

Perhaps it's enough - we'll see. I do hope you are correct.

2 minutes ago, mr moose said:

Yes, they can do that, or they can buy the information off him. It's completely their decision. He isn't going to release this to the public (that we know of) so they aren't being blackmailed into paying for it.

 

Why is it still wrong? It's not blackmail, it's not a ransom, and he has covered the ethical side of it by letting them know it exists.

It's wrong because he's making Apple's job harder, and therefore increasing the risk to the public.

 

If all Apple needed was the info he's already given them, then what's the point anyway? He's never going to get paid if they don't actually need that information.

2 minutes ago, mr moose said:

That's up to Apple to decide. Why should the general public do any security QC for Apple (or for any company) and be expected to hand the results over for free? If Apple thinks they can work it out quickly enough and cheaper than paying this man a bounty then they can do that. To me this is like any other business that looks for issues and creates solutions for other businesses; there is no legal obligation for a business to buy it, and they aren't preventing the business from implementing their own solution.

That's kind of my point though - he did do security QC for them, despite knowing he wouldn't get paid. While I think he should get paid (or rather, Apple's Bug Bounty should be revised to include all Apple software, and retroactively applied to cases like his), that does not override that I think he's morally incorrect by holding onto information that could prove vital in fixing a flaw.

 

I certainly understand why everyone wants him to get paid - I do too. But he knew the terms of Apple's bounty program before he started researching the exploit.


Just now, dalekphalm said:

Perhaps it's enough - we'll see. I do hope you are correct.

It's wrong because he's making Apple's job harder, and therefore increasing the risk to the public.

How is he making it harder? He has told them where to look for the exploit. He didn't put the exploit there, nor did he tell anyone how to exploit it.

Just now, dalekphalm said:

If all Apple needed was the info he's already given them, then what's the point anyway? He's never going to get paid if they don't actually need that information.

 

Because they might decide it's worth paying him, just like other companies decide to buy solutions dreamt up by other entrepreneurs instead of designing their own.   It's really just a standard form of business, the only difference here is the bug bounty program which he can leverage to promote being paid for his work.

 

Just now, dalekphalm said:

That's kind of my point though - he did do security QC for them, despite knowing he wouldn't get paid. While I think he should get paid (or rather, Apple's Bug Bounty should be revised to include all Apple software, and retroactively applied to cases like his), that does not override that I think he's morally incorrect by holding onto information that could prove vital in fixing a flaw.

He did the work knowing there was no legal obligation to get paid, but he is not demanding payment. That is the important difference. He is saying: I have done this work for you, I would like to get paid (especially seeing as you have a bounty program for iOS), and if you do pay me I will give you all the information I have; if you don't, then that is your legal right and you can close the exploit yourself.

 

Just now, dalekphalm said:

I certainly understand why everyone wants him to get paid - I do too. But he knew the terms of Apple's bounty program before he started researching the exploit.

Again, he is just leveraging the bounty program's existence to sell his work. The fact they don't pay for discovering these exploits doesn't mean anything unless he was intent on blackmailing them. But he isn't.


1 minute ago, mr moose said:

How is he making it harder? He has told them where to look for the exploit. He didn't put the exploit there, nor did he tell anyone how to exploit it.

If that's the case, why is he even holding back data from Apple, then?

 

Your argument is that he gave them enough info to proceed. If that's true, then the rest of the story and his requests for payment are pointless pieces of information that don't mean anything.

1 minute ago, mr moose said:

Because they might decide it's worth paying him, just like other companies decide to buy solutions dreamt up by other entrepreneurs instead of designing their own.   It's really just a standard form of business, the only difference here is the bug bounty program which he can leverage to promote being paid for his work.

Indeed they might decide that. However, in my personal opinion, he should have given them the full details either way, and taken the chance that they might pay him. He could have used the goodwill of him giving away the exploit data in full voluntarily to pressure Apple publicly into rewarding him (like the FaceTime kid - granted that was a kid, so it would have been a PR disaster for Apple to not reward the kid).

1 minute ago, mr moose said:

He did the work knowing there was no legal obligation to get paid, but he is not demanding payment. That is the important difference. He is saying: I have done this work for you, I would like to get paid (especially seeing as you have a bounty program for iOS), and if you do pay me I will give you all the information I have; if you don't, then that is your legal right and you can close the exploit yourself.

Well, kinda. He kind of is demanding payment. Since there are apparently details he knows that he has yet to show Apple.

 

Either that means he's demanding payment, or the details he is withholding are useless (AKA he's bluffing).

1 minute ago, mr moose said:

Again, he is just leveraging the bounty program's existence to sell his work. The fact they don't pay for discovering these exploits doesn't mean anything unless he was intent on blackmailing them. But he isn't.

 

Either one of two situations is happening:

1. He's not technically blackmailing them, but is doing something similar yet lesser, since the information he holds is valuable enough that he thinks Apple might pay him for it. Or

2. He's bluffing Apple, and the information he has is worthless.

 

Both can't be true.

 

If #1 is true, he's a massive dick. If #2 is true, then I guess, good for him? He's making himself look like an Asshole for no reason then.

 

If he wants to champion changes to the Bug Bounty program, this is not the way to do it, in my opinion.


2 minutes ago, dalekphalm said:

If that's the case, why is he even holding back data from Apple, then?

 

Because he wants to get paid for his work.

2 minutes ago, dalekphalm said:

Your argument is that he gave them enough info to proceed. If that's true, then the rest of the story and his requests for payment are pointless pieces of information that don't mean anything.

No it doesn't.  I would have thought it was pretty evident that he is 1. raising awareness of the lack of the bounty program on mac, 2. wanting to be paid for his work and 3. not reducing security in the process.

2 minutes ago, dalekphalm said:

Indeed they might decide that. However, in my personal opinion, he should have given them the full details either way, and taken the chance that they might pay him.

I think it is way more likely they wouldn't have paid him given their track record with legitimate claims.

 

2 minutes ago, dalekphalm said:

He could have used the Goodwill of him giving away the exploit data in full voluntarily to pressure Apple publicly into rewarding him (Like the Facetime kid - granted that was a kid, so it would have been a PR disaster for Apple to not reward the kid).

He would need an exorbitant amount of public pressure on Apple for that to work. Why should he let payment for his work rest on chances against the odds?

2 minutes ago, dalekphalm said:

Well, kinda. He kind of is demanding payment. Since there are apparently details he knows that he has yet to show Apple.

How can he demand payment? They don't need him, there is no legal obligation, it's completely Apple's choice. That is not a demand by any definition.

2 minutes ago, dalekphalm said:

Either that means he's demanding payment, or the details he is withholding are useless (AKA he's bluffing).

Neither. He is saying: here is the exploit, here is the proof it works; if you want my research you can pay me. Otherwise Apple can sort it out themselves.

2 minutes ago, dalekphalm said:

Either one of two situations is happening:

1. He's not technically blackmailing them, but is doing something similar yet lesser, since the information he holds is valuable enough that he thinks Apple might pay him for it. Or

2. He's bluffing Apple, and the information he has is worthless.

 

Both can't be true.

 

If #1 is true, he's a massive dick. If #2 is true, then I guess, good for him? He's making himself look like an Asshole for no reason then.

 

If he wants to champion changes to the Bug Bounty program, this is not the way to do it, in my opinion.

You are bifurcating issues that aren't necessarily absolute or exclusive of other conditions.

 


32 minutes ago, mr moose said:

Because he wants to get paid for his work.

Indeed he does. But he also knew he wouldn't before he started. That's like me painting a portrait of the queen and being mad that she didn't contract me to do it. Yes, obviously not exactly the same situation, but surely you get the idea?

32 minutes ago, mr moose said:

No it doesn't.  I would have thought it was pretty evident that he is 1. raising awareness of the lack of the bounty program on mac, 2. wanting to be paid for his work and 3. not reducing security in the process.

Entirely speculation that he's not reducing security in the process.

32 minutes ago, mr moose said:

I think it is way more likely they wouldn't have paid him given their track record with legitimate claims.

I think it's likely that they probably still won't pay him - but that's up for debate.

32 minutes ago, mr moose said:

He would need an exorbitant amount of public pressure on Apple for that to work. Why should he let payment for his work rest on chances against the odds?

How can he demand payment? They don't need him, there is no legal obligation, it's completely Apple's choice. That is not a demand by any definition.

Neither. He is saying: here is the exploit, here is the proof it works; if you want my research you can pay me. Otherwise Apple can sort it out themselves.

You are bifurcating issues that aren't necessarily absolute or exclusive of other conditions.

I think we're not going to agree on this matter.

 

I firmly believe that since he's still withholding data, he certainly feels that the data is worth something to Apple. Therefore it is in the public's interest that Apple receives the data.

 

He by no means has to comply. I just think he should - and that's pretty much that. I don't agree with his methods, because his methods are only slightly worse than actual blackmail, in my opinion.

 

And yes, it would take massive public pressure. But why not start somewhere? Better that we actually get Apple to change the terms of the Bounty program, in the long run.


1 hour ago, dalekphalm said:

Indeed he does. But he also knew he wouldn't before he started. That's like me painting a portrait of the queen and being mad that she didn't contract me to do it. Yes, obviously not exactly the same situation, but surely you get the idea?

He's not getting mad because they aren't paying.  It would be like painting a picture of the queen and hoping she pays for it.  But she is under no obligation to do so and can have her own picture painted if she wants.

1 hour ago, dalekphalm said:

Entirely speculation that he's not reducing security in the process.

How? He didn't release the details to the public. If, by your earlier argument, he hasn't given Apple enough information to fix it, then he also hasn't given hackers enough information to exploit it.

 

1 hour ago, dalekphalm said:

I think it's likely that they probably still won't pay him - but that's up for debate.

I think we're not going to agree on this matter.

I don't care if he gets paid or not, I'm just saying he has a right to ask for payment for his work. It doesn't matter if his work is in security or in finding solutions to some other mundane part of a factory process.

 

1 hour ago, dalekphalm said:

I firmly believe that since he's still withholding data, he certainly feels that the data is worth something to Apple. Therefore it is in the public's interest that Apple receives the Data.

Or that they solve the issue themselves.  He has worked to uncover the problem, if they want to pay their engineers to do the same that is their prerogative, but there is no way that it is ethical that anyone should be compelled to hand over their work free of charge.

 

1 hour ago, dalekphalm said:

He by no means has to comply. I just think he should - and that's pretty much that. I don't agree with his methods, because his methods are only slightly worse than actual blackmail, in my opinion.

 

And yes, it would take massive public pressure. But why not start somewhere? Better that we actually get Apple to change the terms of the Bounty program, in the long run.

I would say he isn't going to start with his money on the line.   I wouldn't put my income on the line chasing an ideal I have no control over so I don't expect anyone else to.


On Sunday, February 10, 2019 at 5:19 PM, dalekphalm said:

I get that the researcher wants to get paid. I agree with the fact that the Bug Bounty should indeed include macOS (and all other Apple software).

 

With that in mind? Fuck you for holding onto the details. Yes, the details haven't been publicly disclosed yet. And yes, as far as we know, it's not in the wild yet.

 

But that's one hell of an assumption. Just because there's no confirmed cases of using the exploit does not mean that it isn't out there. We have absolutely no idea. And because this deals with passwords (granted, even if the risk isn't particularly high to normal users who use iCloud)? Fuck you. Give Apple the damn details.

 

Sure, try and negotiate payment (especially if you set a deadline for public release). But if Apple doesn't give you the money? Try Patreon or GoFundMe. It'll make you less of a selfish asshole.

Why the hell is a multi-billion dollar corporation entitled to something they want for free?

 

I sure as hell can't walk into an Apple Store and demand an iPhone for free and then expect Apple to set up a "GoFundMe" account to pay for it...

 

A business that charges $750 for the bottom of the line garbage phone surely can afford it. Especially if "security" is at the forefront of their ecosystem like they have recently started making claim to.

 

Make a deal.


On 2/8/2019 at 12:33 AM, Drak3 said:

Having passwords stored on anything other than local machines is something you should never do.

I do not use browser sync and some people laugh at me. I just backup browser profile with other stuff.

