Ibrahim Balic breaks silence on hacking Apple developer site (news.com.au)
75 points by Bharath1234 on July 24, 2013 | 49 comments



This kind of pen-testing, without previous authorization, is a very risky enterprise if you live in the UK. The Computer Misuse Act 1990 expressly forbids "unauthorised access". Sections 1-3 of the Act introduced three criminal offences:

- unauthorised access to computer material, punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard scale" (currently £5000);

- unauthorised access with intent to commit or facilitate commission of further offences, punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment;

- unauthorised modification of computer material, subject to the same sentences as section 2 offences.

If he had been contracted to pen-test the website by Apple then it would be a different matter.


Those laws are retarded and it's sad to see them defended in HN.

Always try to do a parallel without computers to see if a computer law passes the retarded test.

In this case: "it's illegal to enter a door left wide open for months, pick up a wallet full of money from a desk visible inside through said open door, and return it to the home owner with all the money and a note about closing the door because it's not a safe neighborhood".


He cannot return the data per se, so there is a difference. Once it leaves Apple's servers it could be less secure and he's not registered as a data controller I'm sure.

In your example above, why could the person not just point out that the money was not safe? It's no loss to them if the person does not act on the information.


I don't believe I defended those laws, nor criticised them. I merely stated the facts.


Agreed. I would think cases like the Andrew Auernheimer case (he was convicted and sentenced to three years in jail) would be a wake-up call for pen testing sites without prior authorization.

Taking the 73 accounts is arguable in court.

Once you cross the line and scrape another 100K users in order to get their attention and shut the developer site down, you've just boxed yourself in. There is really no defense for doing something like this, regardless of your motives.


> I have taken 73 users details (all apple inc workers only) and prove them as an example ...

> I have over 100,000+ users details ...

> I do not want my name to be in blacklist

One would think that 73 compromised Apple employee accounts should be enough to make a point. Why would he take another 100k user accounts hostage?


That probably wouldn't have shut down the site, which in turn would not have gotten the attention. He wasn't making a point to Apple, who already knew the bugs existed, he was making Apple do something about it. He did.


> That probably wouldn't have shut down the site

So the guy is a hero. Thanks for disturbing real life businesses for several days, I guess?

> he was making Apple do something about it.

This behavior is endemic for the self-righteous security "researcher" scene. "I found a bug - you must do what I say, NOW, or else ..."

It's not like Apple would have ignored his bug reports if he hadn't scraped 100k developer accounts.


"This behavior is endemic for the self-righteous security 'researcher' scene"

Yes, and that behavior is moving us to a world where corporations have to be careful what they put out, not just rush the newest shiny feature out faster. Besides, who do you want exploiting the bug, a self-righteous guy who 'may' be in it for his own glory, or an out-and-out criminal?


He says he reported the bug previously and got no response...

So, it's very much "like Apple would have ignored his bug reports..."


What he leaves out is that he waited less than a day for a response. (You can see this from the radar shown in his video)


His video shows that he filed radars on July 19th, the same day he downloaded the 100,000 developer names and email addresses.

This is not responsible reporting, and he's clearly broken the UK computer misuse laws, since he signed an agreement with Apple governing the use of these systems.

I hope he's arrested soon. This behavior does nothing to help legitimate business or the security community.


If it truly was same day, I agree, that changes everything. I'll wait until more information comes out to decide.


He probably downloaded 100k accounts (perhaps a range of IDs) and then grepped them for @apple.com accounts.


Maybe, but he writes that he still has those 100k data sets. So why didn't he delete them after grep ran through?


Because he's clearly not very experienced in this. Apparently his video (when it was up) had confidential information shown in it: https://twitter.com/ibrahimbalic/status/359347248473190402. Who the hell flaunts confidential information in a public fashion? There's an interview with him with English subtitles here: http://video.ntvmsnbc.com/applei-sarsan-turk-yazilimci-ntvms..., where he says some interesting things near the end. It looks like he used a struts2 vulnerability; HN had a discussion about this 2 days ago: https://news.ycombinator.com/item?id=6080620, https://news.ycombinator.com/item?id=6082599. He basically did what Weev did, except Weev is in confinement now.


> He basically did what Weev did, except Weev is in confinement now.

Hopefully not for long... https://news.ycombinator.com/item?id=6093468

Don't get me wrong, I don't agree with what he did, but the whole case is baffling to me.


The fact that the site is still down makes me wonder what they're doing.

Provided that the hacker did report all the security bugs to Apple, one could suppose that it would only require a couple of days to fix the bugs, put the site back online, and start performing a full security audit along with a massive code rewrite in parallel.

The only reason I see why they would still be offline is that they instead decided to rewrite some crucial portion of the code from the ground up (which is what the email they sent the other day would suggest). But 1 week in emergency mode for a company like Apple really means rewriting TONS of code...

<offtopic> Anyone know the state of Objective-C on the server? I really like that language now that it has ARC, and I wonder if Apple is still using that technology on the server side </offtopic>


It was a really bad idea to plan a "complete overhaul" and "rebuild" everything, over the weekend. Some manager must've thought that they could wave a wand and get shit done.


They certainly aren't using WebObjects for everything, so I can't imagine they are particularly happy with it. Little bits of it are PHP for example, like the file search on the main page:

    https://developer.apple.com/search/index.php?q=HN


That URL is SO depressing...

It could almost be the masterpiece of a tumblr blog on top technology companies using crapware for themselves.


In 2011 it took Sony about a month to restore PSN services after its infamous breach: http://en.wikipedia.org/wiki/PlayStation_Network_outage#Time...


The developer portal is written in WebObjects/Java.

And whilst I am sure they are using Project Wonder which wraps up a lot of the old WebObjects code there is still the fact that it is a deprecated technology.

And it's never just write some code and deploy in these situations. It will involve testers signing it off, performance testing, security testing, deployment etc. So all those parts add up. Plus there's no "Steve Jobs will fire you" threat breathing down your neck.


It really amazes me that Apple didn't and continues not to invest more in server-side technologies, knowing how connected apps are today (I can't find a single app that doesn't talk to a server one way or another).

I mean, we all know the sad state of server-side development compared to client-side (x), yet it took a personal project for Google to create Go, it took a legal issue with Java for Microsoft to start working on C#, and Apple still has nothing.

(x): not wanting to launch a flame war, but the fact that people at Google created both Go and Dart in the last 5 years does say something, not to mention the countless "Java+" languages like Scala or Groovy. Also, by client-side I mostly mean Objective-C on Xcode, which has really become a joy.


I do wish they had converted WebObjects back to Objective-C and released EOF with it. It would have been nice to write the app and the server code in the same language and environment.


Completely agree. Objective-C with ARC and blocks has the perfect blend of dynamic language + static typing that I'm looking for (although the syntax really feels like a hack).

Now, libraries for the server are clearly not there, and I suppose that you would need to write them in C to get decent performance, which is unrealistic I guess.


EOF, sure, but WebObjects in general? You don't actually want that. You just think you do.

Look: WebObjects was amazing at the time. But have you used it recently (meaning in the last several years) to write something? Because it's almost literally impossible to write something that looks modern and acts modern.

WebObject was designed to hide web development as much as possible from the developer. I.e., to make writing desktop applications and web applications as similar as possible. You'd make a view in HTML, a controller in Objective-C (or later Java), draw connections between them just as if you were making something in Interface Builder, etc. Basically, HTML just became another OpenStep view you could target.

The downside of hiding the web part of web development as much as possible is you get a technology that is very far removed from modern practice. To achieve the view/controller design pattern above, WebObjects effectively uses a continuation-like pattern to hide the whole HTTP request/response loop. That's why WebObjects URLs are disgusting beasts: they tell WebObjects what state corresponds to what you're doing. ASP.NET WebForms does this same thing, by the way, although it slaps its data (called ViewState) into invisible form elements on the client side, whereas WebObjects stores its state server-side. The former inflates the page by 30k in even simple situations, the latter makes the server need tons of RAM, but they both get you to the same place, and about equally well.

The problem is that's not how you write web apps these days. If you're doing a simple-as-tea CRUD app, then sure, whatever, but you could also just publish your FileMaker or Access database to the web and be done with it in that case. And for everything else, WebObjects, unlike even ASP.NET WebForms, makes it virtually impossible to have clean, trivially usable REST endpoints, which means you can kick your responsive client-heavy web app ideas to the curb. Yes, you can work around it, and ProjectWonder provides some tolerable solutions, but you're really fighting the framework the whole way. Why bother?

I'm also highly dubious that having Objective-C on the server is really a good thing. All those pointer errors you make in your iOS app that generally just result in a crash suddenly result in your server being rooted. Memory fragmentation becomes an insanely huge deal, since Objective-C's GC is primitive, and so on and so forth.

EOF was great, and would probably still be great. WebObjects was a great idea at the time, but that time has gone.
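The comment above contrasts ViewState-style state carried by the client with WebObjects-style state kept in server memory. As an added illustration (not code from WebObjects, ASP.NET or the original post), here is a toy version of both: the client-held blob is authenticated with an HMAC so a rewritten hidden field is rejected, and the server-held store hands out an unguessable page id and shows the per-page memory cost. The key and sample state are constructed for the demo.

```python
"""Client-held vs server-held page state (added example, not framework code)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key; a real deployment keeps this out of source control.
DEMO_KEY = b"demo-machine-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_viewstate(state: dict, key: bytes = DEMO_KEY) -> str:
    """ViewState style: serialise the state for a hidden field and append an
    HMAC-SHA256 tag so the server can detect client-side edits."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def decode_viewstate(blob: str, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Return the state if the tag verifies; None if corrupt or tampered."""
    try:
        raw = base64.urlsafe_b64decode(blob.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


class ServerStateStore:
    """WebObjects style: state stays in server memory; the URL carries only an
    opaque id, so every live page costs RAM until it is expired."""

    def __init__(self) -> None:
        self._pages: dict[str, dict] = {}

    def put(self, state: dict) -> str:
        page_id = secrets.token_urlsafe(16)  # random, not sequential
        self._pages[page_id] = state
        return page_id

    def get(self, page_id: str) -> Optional[dict]:
        return self._pages.get(page_id)

    def live_pages(self) -> int:
        return len(self._pages)
```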


> You don't actually want that. You just think you do.

No, I'm pretty sure I want an updated version of it. We don't have any clue where it would have evolved, but I wouldn't be surprised if, had Apple kept at it, there would have been a "Final Cut Pro X" moment.

> All those pointer errors you make in your iOS app that generally just result in a crash suddenly result in your server being rooted.

I really don't seem to run into those as much as others, maybe I'm lucky. Between Ruby or Objective-C, I'll take my chances with Objective-C.


I guess Jobs's ghost fired Forstall, then.


With the iOS 7 launch already on a tight schedule this is a disgrace for both Apple and developers trying to renovate their apps.


As you can't currently submit apps that have been built for iOS 7, it shouldn't have an impact on developers working on rewrites. The biggest problem is that the prerelease documentation is down whilst the current docs are up; however, as they're included with Xcode, that's actually not a huge deal.

Plus, iOS 7 would be on a tight schedule if Apple had actually announced a release date. As it is, iOS 7 is on a schedule; we just don't know what it is.


disgrace |disˈgrās| noun loss of reputation or respect, esp. as the result of a dishonorable action [ in sing. ] a person or thing regarded as shameful and unacceptable

How is it a disgrace? You're making it sound like Apple meant for this to happen; this could've happened to any company.

Apple should not be portrayed as perfect at everything; they're led by humans who can make mistakes, just like everybody else.

Apple's fixing the problem, and it is taking longer than they expected it to. Nothing shameful or unacceptable here, just the nature of technology and mistakes/bugs.

We do not know the full scale of the problem; the media needs to stop acting like it's just 13 bugs reported by a hacker (sorry, if he wants to be a "security researcher", he could've acted like one). It is entirely possible that the 13 bugs were just a small part of the problem and Apple has found more extensive problems that can't be fixed quickly.

iOS 7 can be delayed to make up for the loss of time developers need or the developers will have to delay their apps.

Stuff happens, we just have to rough it out, and move on.


> How is it a disgrace? You're making it sound like Apple meant for this to happen; this could've happened to any company.

Well if Ibrahim is to be believed, Apple failed to reasonably handle his disclosure of the security flaws. Apple is not entirely at fault, but they surely failed to protect their users' data. Users trusted Apple to prevent this from happening, but they have failed. That is a disgrace.


He created a bug in a portal of hundreds of thousands of bugs. That was not even two weeks ago.

I'd be surprised if someone had even looked at the bug until a few days ago. Then they did some investigating, determined it to be true and ran up the manager ladder till someone said shut it down.


I love how they just plop in some random comment from "Marco". Why is he so famous in Mac circles?


It's pretty simple:

1. Instapaper was very popular.

2. Gruber links to him a lot, and he writes well. More cynically, he has modeled his writing style after Gruber's, so if you want more of a Daring Fireball fix, you read Marco.

I don't think Marco's opinions really hold anywhere near the weight of John's. Some just have an appreciation for this style of writing.


Because he always has something to say. You want a quote from somebody recognizable on an Apple-related news story? Marco will already have one for you.


The article states that the website is back up but as of now 24/07 11:08GMT that is not the case.

This is terrible timing for me since I came back from travelling on Thursday and haven't been able to get on with working in iOS 7. I really wish Apple were able to provide us with more information on time-scales.


Especially terrible timing for me. I hadn't gotten around to updating my phone off the original iOS 7 beta. Guess what expired yesterday? The original iOS 7 beta. My phone is essentially a brick now until I can update to a non-expired version of iOS.


You still can roll back to 6.1.1. And this is exactly why you don't install a beta OS on your main phone.

Btw, you can download beta 3 using a certain p2p protocol.


If you've got a model a1429 I actually have a copy sat on my machine, I can put it on Dropbox and give you a link.


I would not trust everything the article reports.

Slightly off topic, but for those unfamiliar with news.com.au, it is a low-quality sensationalist outlet that frequently posts link-bait material.

Some of their stories are shared from their News Corp partners but the rest is celebrity gossip and reddit reposts.


They may have checked developer.apple.com, which is up. It's just when you try to get into the dev centers that you get the notice.


I noticed today that the resolution center also isn't working right. I can receive/view messages but get an error when I try to send them. Unsure if it's linked to the dev center being down but I would guess it is.


Yeap, no dice. Still offline 7/24 7:23AM EST


> The site was put back online yesterday.

No it's not.


I don't know what the correct action here would have been, but I know as an Apple developer that Apple has been acting very irresponsibly, since the first day they opened the App Store, about any bug reports or generally any developer communications, at least in my experience. And some part of me is happy that they hit their head against a brick wall, although my own day-to-day biz is disrupted too.


I can't trust anyone who spells 'purpose' as 'porpoise' even if English isn't his first language.


"I don't want to be black listed"

Not everybody is Edward Snowden...
