Ibrahim Balic breaks silence on hacking Apple developer site - Bharath1234
http://www.news.com.au/technology/ibrahim-balic-breaks-silence-on-hacking-apple-developer-site/story-e6frfro0-1226684484916?from=public_rss

======
junto
This kind of pen-testing, without previous authorization, is a very risky
enterprise if you live in the UK. The Computer Misuse Act 1990 expressly
forbids "unauthorised access". Sections 1-3 of the Act introduced three
criminal offences:

- unauthorised access to computer material, punishable by 6 months'
imprisonment or a fine "not exceeding level 5 on the standard scale"
(currently £5000);

- unauthorised access with intent to commit or facilitate commission of
further offences, punishable by 6 months/maximum fine on summary conviction or
5 years/fine on indictment;

- unauthorised modification of computer material, subject to the same
sentences as section 2 offences.

If he had been contracted to pen-test the website by Apple then it would be a
different matter.

~~~
gcb0
Those laws are retarded and it's sad to see them defended in HN.

Always try to do a parallel without computers to see if a computer law passes
the retarded test.

In this case "it's illegal to enter a door left wide open for months, pick up
a wallet full of money from a desk visible inside through said open door, and
return it to the home owner with all the money and a note about closing the
door because it's not a safe neighborhood."

~~~
squidi
He cannot return the data per se, so there is a difference. Once it leaves
Apple's servers it could be less secure and he's not registered as a data
controller I'm sure.

In your example above, why could the person not just point out that the money
was not safe? It's no loss to them if the person does not act on the
information.

------
kybernetyk
> I have taken 73 users details (all apple inc workers only) and prove them as
> an example ...

> I have over 100,000+ users details ...

> I do not want my name to be in blacklist

One would think that 73 compromised Apple employee accounts should be enough
to make a point. Why would he take another 100k user accounts hostage?

~~~
jasallen
That probably wouldn't have shut down the site, which in turn would not have
gotten the attention. He wasn't making a point to Apple, who already knew the
bugs existed, he was making Apple do something about it. He did.

~~~
kybernetyk
> That probably wouldn't have shut down the site

So the guy is a hero. Thanks for disturbing real life businesses for several
days, I guess?

> he was making Apple do something about it.

This behavior is endemic for the self-righteous security "researcher" scene.
"I found a bug - you must do what I say, NOW, or else ..."

It's not like Apple would have ignored his bug reports if he hadn't
scraped 100k developer accounts.

~~~
ZoF
He says he reported the bug previously and got no response...

So, it's very much "like Apple would have ignored his bug reports..."

~~~
agent123
What he leaves out is that he waited less than a day for a response. (You can
see this from the radar shown in his video)

------
bsaul
The fact that the site is still down makes me wonder what they're doing.

Provided that the hacker did report all the security bugs to Apple, one could
suppose that it would only require a couple of days to fix the bugs, put the
site back online, and start performing a full security audit along with a
massive code rewrite in parallel.

The only reason I see why they would still be offline is that they instead
decided to rewrite some crucial portion of the code from the ground up (which
is what the email they sent the other day would suggest). But 1 week in
emergency mode for a company like Apple really means rewriting TONS of code...

<offtopic> Anyone know the state of Objective-C on the server? I really like
that language now that it has ARC, and I wonder if Apple is still using that
technology on the server side </offtopic>

~~~
threeseed
The developer portal is written in WebObjects/Java.

And whilst I am sure they are using Project Wonder which wraps up a lot of the
old WebObjects code there is still the fact that it is a deprecated
technology.

And it's never just write some code and deploy in these situations. It will
involve testers signing it off, performance testing, security testing,
deployment etc. So all those parts add up. Plus there's no "Steve Jobs will
fire you" threat breathing down your neck.

~~~
protomyth
I do wish they had converted WebObjects back to Objective-C and released EOF
with it. It would have been nice to write the app and the server code in the
same language and environment.

~~~
gecko
EOF, sure, but WebObjects in general? You don't actually want that. You just
think you do.

Look: WebObjects was _amazing_ at the time. But have you used it recently
(meaning in the last several years) to write something? Because it's almost
literally impossible to write something that looks modern and acts modern.

WebObjects was _designed to hide web development as much as possible from the
developer_. I.e., to make writing desktop applications and web applications as
similar as possible. You'd make a view in HTML, a controller in Objective-C
(or later Java), draw connections between them just as if you were making
something in Interface Builder, etc. Basically, HTML just became another
OpenStep view you could target.

The downside of hiding the web part of web development as much as possible is
you get a technology that is _very_ far removed from modern practice. To
achieve the view/controller design pattern above, WebObjects effectively
uses a continuation-like pattern to hide the whole HTTP
request/response loop. That's why WebObjects URLs are disgusting beasts: they
tell WebObjects what state corresponds to what you're doing. ASP.NET WebForms
does this same thing, by the way, although it slaps its data (called
ViewState) into invisible form elements on the client-side, whereas WebObjects
stores its state server-side. The former inflates the page by 30k in even simple
situations, the latter makes the server need tons of RAM, but they both get you to
the same place, and about equally well.

The problem is _that's not how you write web apps these days_. If you're
doing a simple-as-tea CRUD app, then sure, whatever, but you could also just
publish your FileMaker or Access database to the web and be done with it in
that case. And for everything else, WebObjects, unlike even ASP.NET WebForms,
makes it virtually impossible to have clean, trivially usable REST endpoints,
which means you can kick your responsive client-heavy web app ideas to the
curb. Yes, you _can_ work around it, and ProjectWonder provides some tolerable
solutions, but you're _really_ fighting the framework the whole way. Why
bother?

I'm also highly dubious that having Objective-C on the server is really a good
thing. All those pointer errors you make in your iOS app that generally just
result in a crash suddenly result in your server being rooted. Memory
fragmentation becomes an insanely huge deal, since Objective-C's GC is
primitive, and so on and so forth.

EOF was great, and would probably still be great. WebObjects was a great idea
at the time, but that time has gone.

~~~
protomyth
> You don't actually want that. You just think you do.

No, I'm pretty sure I want an updated version of it. We don't have any clue
where it would have evolved, but I wouldn't be surprised if Apple had
kept at it, there would have been a "Final Cut Pro X" moment.

> All those pointer errors you make in your iOS app that generally just result
> in a crash suddenly result in your server being rooted.

I really don't seem to run into those as much as others, maybe I'm lucky.
Between Ruby or Objective-C, I'll take my chances with Objective-C.

------
terabytest
With the iOS 7 launch already on a tight schedule this is a disgrace for both
Apple and developers trying to renovate their apps.

~~~
mikhailt
disgrace |disˈgrās| noun loss of reputation or respect, esp. as the result of
a dishonorable action [ in sing. ] a person or thing regarded as shameful and
unacceptable

How is it a disgrace? You're making it sound like Apple meant for this to
happen; this could've happened to any company.

Apple should not be portrayed as perfect at everything; they're led by
humans who can make mistakes, just like everybody else.

Apple's fixing the problem; it is taking longer than they expected it to.
Nothing shameful or unacceptable here, just the nature of technology and
mistakes/bugs.

We do not know the full scale of the problem; the media needs to stop acting like
it's just 13 bugs reported by a hacker (sorry, if he wants to be a "security
researcher", he could've acted like one). It is entirely possible that the 13
bugs were just a small part of the problem and Apple has found more extensive
problems that can't be fixed quickly.

iOS 7 can be delayed to make up for the loss of time developers need or the
developers will have to delay their apps.

Stuff happens, we just have to rough it out, and move on.

~~~
67726e
> How is it a disgrace? You're making it sound like Apple meant for this to
> happen, this could've happen to any companies.

Well if Ibrahim is to be believed, Apple failed to reasonably handle his
disclosure of the security flaws. Apple is not entirely at fault, but they
surely failed to protect their users' data. Users trusted Apple to prevent
this from happening, but they have failed. That is a disgrace.

~~~
dubcanada
He created a bug in a portal of hundreds of thousands of bugs. That was not
even two weeks ago.

I'd be surprised if someone had even looked at the bug until a few days ago.
Then they did some investigating, determined it to be true and ran up the
manager ladder till someone said shut it down.

------
sergiotapia
I love how they just plop in some random comment from "Marco". Why is he so
famous in Mac circles?

~~~
parasubvert
It's pretty simple:

1. Instapaper was very popular.

2. Gruber links to him a lot, and he writes well. More cynically, he has
modeled his writing style after Gruber's, so if you want more of a Daring
Fireball fix, you read Marco.

I don't think Marco's opinions really hold anywhere near the weight of John's.
Some just have an appreciation for this style of writing.

------
reggplant
The article states that the website is back up but as of now 24/07 11:08GMT
that is not the case.

This is terrible timing for me since I came back from travelling on Thursday
and haven't been able to get on with working in iOS 7. I really wish Apple
were able to provide us with more information on time-scales.

~~~
RandallBrown
Especially terrible timing for me. I hadn't gotten around to updating my phone
off the original iOS 7 beta. Guess what expired yesterday? The original iOS 7
beta. My phone is essentially a brick now until I can update to a non-expired
version of iOS.

~~~
xuki
You still can roll back to 6.1.1. And this is exactly why you don't install a
beta OS on your main phone.

Btw, you can download beta 3 using a certain p2p protocol.

------
tsenkov
> The site was put back online yesterday.

No it's not.

------
alimoeeny
I don't know what the correct action here has been, but I know as an Apple
developer that Apple has been acting very irresponsibly, since the first day
they opened the App Store, about any bug reports or generally any developer
communications, at least in my experience. And some part of me is happy that
they hit their head against a brick wall, although my own day to day biz is
disrupted too.

------
abelardx
I can't trust anyone who spells 'purpose' as 'porpoise' even if English isn't
his first language.

------
smandou
"I don't want to be black listed"

Not everybody is Edward Snowden...

