
Security researcher Charlie Miller booted from Apple Developer Program - cubix
http://news.cnet.com/8301-27076_3-57320190-248/apple-boots-security-guru-who-exposed-iphone-exploit/
======
jjguy
It's a bad move for apple. A good relationship with the community of security
researchers is crucial - they're talented folks and their research results
grab headlines. It takes just a tiny amount of corporate humility and public
thanks to win their respect, and in return get goodwill. Treating the
community badly will ensure the next guy won't even try to cooperate.

Over the last several years, Microsoft's MSRC has balanced this very well.
Google has done well recently, too. Lots of clued-in people in both places.

~~~
Xuzz
I'd agree more if he didn't submit — and get approved — a _working exploit_ in
their store. Without telling them about it.

Edit: Now, I don't disagree that just banning him from the program isn't a
great idea, and that pulling the app and having someone from the security team
send him an email isn't a better one. But it's hard to say that this was a
bad move on Apple's part.

~~~
nodata
So how do you prove that it's possible to get this kind of exploit into the
store unless you submit it to the store?

~~~
ubernostrum
So how do you prove the DDoS vector exists unless you DDoS someone's site?

How do you prove the SQL injection vector exists unless you take over
someone's site?

etc., etc.

This was far from a harmless proof-of-concept app, and "I just wanted to prove
I could" isn't sufficient justification for it.

~~~
joelhaasnoot
Since he has control over pricing, couldn't he submit with a free price tag,
and change it to something insanely high once accepted? That way no sane
person would buy it, and he'd still prove his point. He _had_ to submit an app
and get it in for this to work of course, otherwise this was a moot point. And
it's a good wake-up call to everyone. Security awareness helps sometimes,
unfortunately, when you make a splash.

~~~
alttag

      > .. otherwise this was a mute point.
    

"moot". Pretty please, the word is "moot."

Otherwise, while I think you've got a point (he could have used pricing to
ensure no one ran his app), that isn't the issue here. The disclosure is. No
one is contending he did something evil with his code, it's that Apple is mad
about his code and disclosure. I don't think making it unlikely to be
purchased would have helped.

------
guan
It’s rude, given that according to the article he withheld details of the
exploit to give Apple time to fix the bug, but the decision is understandable
since he did violate the developer agreement. I’m not so sure about
“interfering with Apple's software and services”, but his activities seem to be
covered under “hiding features from [Apple] when submitting them.”

~~~
pvg
Putting the exploit in the App Store isn't particularly polite either and
doesn't seem to serve any purpose other than generating some publicity for the
researcher. It'd be different if he believed Apple wasn't going to fix it or
that the exploit was being used or was about to be used in malicious apps -
but he doesn't claim that was his motivation.

~~~
mpyne
Except that how else is he supposed to _prove_ that it works other than
actually demonstrating it with a real app on the real App Store?

~~~
pvg
It seems he was pretty sure it was going to work - there's nothing magical
about the App Store, he'd found a way to get around the code signing checks.
I'm sure that once the vulnerability was fixed, he'd get credit. It's just
that this sort of thing won't get you in Forbes.

I personally don't really think there's anything at all wrong with a bit of
harmless, nerdy limelight-seeking to boot, if that's what he was doing. Acting
like he was somehow mistreated is what seems a bit iffy.

~~~
kenjackson
The problem is Apple could claim, "In our app verification process we can
ensure such an exploit could never make it to the app store." The only way to
test the full scope of a vulnerability is to test it in a real-world scenario,
which means keeping it from Apple.

Unfortunately, I know of no other way to do it, unless companies like Apple
create security groups that work with people like Charlie and give him an
exemption to submit, and not notify other parties at Apple.

~~~
pvg
If that's the problem, it's a different problem. If I'm reading the article
right, he did submit the exploit, companies like Apple do have channels to
receive and respond to vulnerabilities and to credit people who find and
report them. There's nothing in the information released so far on this that
suggests he was, in fact, facing such a problem.

------
jjtheblunt
He's got great skills, and NSA training is as good as it gets, but he
explicitly violated the rule to not download and run code from a server, to
see if the rule would be enforced. They enforced it, just as he'd known they
would. There was no point to his doing that other than to get headlines.

~~~
kstenerud
No, he explicitly violated the rule in order to test the hypothesis that a
security hole he'd uncovered would allow unsigned code to be downloaded after
release into the app store and run on the device.

The sane response to this would be "Oh, we better fix that. Thanks. We're
removing your app BTW." The Apple response was typical of a bureaucracy.

~~~
5hoom
The lesson I would take away from this is that Apple should provide a
mechanism for security vulnerabilities to be reported officially so that
researchers don't have to engage in this sort of dubious activity. Whether
they listen to the reports or not is another matter.

Anyway, is there any special reason why reporting via
<https://ssl.apple.com/support/security/> won't work?

~~~
nookiemonster
Charlie is one of the founders of the controversial "no more free bugs"
movement.

The amount of skill necessary to identify AND exploit bugs is so great that
the bug reports themselves have value, far beyond attribution in the patch
notes and a T-shirt. This is especially true when there is in fact a black
market of bad people willing to pay good money for 0-day vulns.

Thus, reporting vulns that way doesn't necessarily make sense. Charlie's
walking a fine line: He is not a BadGuy, but he also isn't giving away
security consulting to companies with 200 billion market capitalizations.
Apple should pay him good money to look at this stuff. Otherwise, it's going to
be only BadGuys.

------
feralchimp
"I don't think they've ever done this to another researcher. Then again, no
researcher has ever looked into the security of their App Store. And after
this, I imagine no other ones ever will," Miller said in an e-mail to CNET.
"That is the really bad news from their decision."

Take your wrist-slap like a man, sir.

Apparently the grand are also prone to self-aggrandizement. I have a lot of
respect for Miller's skills, but he's not the only smart person taking a hard
look at App Store security.

~~~
jjcm
He's certainly not the only researcher looking at the app store, then again,
he needs to play the victim a little bit right now if he wants to get public
support. Public support and media attention may very well be his only ticket
back into the developer program.

------
MichaelApproved
Apple is extremely binary. You're either with them or you're not. They don't
seem to have flexibility and the only punishment is to be banned.

Awful.

~~~
st3fan
What Miller did was clearly a violation of the Dev Program Contract that he
signed. There is no flexibility indeed when it comes to putting trojans on the
store.

------
pnathan
As a metanarrative, it's very interesting seeing the conflict between the
rules followers and the ethics followers here in this thread.

------
tomlin
I feel like if this were an Android flaw, I'd see it in the title. Miller was
booted from dev for discovering a major flaw in iOS. A hacker can have full
access to the phone and personal data by just downloading an app from the App
Store. Definitely worth mentioning in the title.

------
sdiwakar
There's always this flip side to reporting security findings. I don't know the
details of Charlie Miller's exploit; however, had he gone through the process
of informing the vendor (in this case Apple) and then allowing sufficient time
to address the issue, perhaps a showdown could have been avoided (I'm assuming
that he hadn't).

People, however, also forget that there are other pressures facing info-sec
researchers, such as pressure from management at the company where they work
to 'publish' and/or present their findings under the company banner. Often,
this irks vendors, because vulnerabilities are used to promote the
researcher's (or their employer's) interests.

That said, Microsoft, Google and Facebook have very transparent processes &
expectations for submitting vulnerabilities.

------
makira
Does anyone have information regarding the actual vulnerability? That would be
very interesting. Thanks.

------
super_mario
Oops. Watch the number of trojans for OS X go up now.

------
JoeAltmaier
It's a walled garden; they can do anything they like. Live with it.

------
Tomis
The spirit of Steve Jobs lives on.

------
sigzero
He uploaded malware to the store in violation of his developers agreement.
FAIL.

~~~
mahmud
Developer agreements are not a security mechanism.

~~~
5hoom
And security research does not trump the developer agreement.

The guy submitted a real live exploit to the Joe-User facing App Store. What
on earth did he expect would happen?

~~~
mikeash
Maybe he expected a "thanks for showing us this vulnerability, we've pulled
your app from the store and are working on a fix to the problem", as a sane
response would be.

~~~
5hoom
Perhaps that is a fair point, but can you imagine the fallout if something
like this ever slipped through and was downloaded by an actual user?

It is easy to see why they don't take kindly to this sort of thing.

~~~
mikeash
All kinds of nasty things have slipped through to the users. There have been
_multiple_ remote root exploits for iOS in the wild for weeks at a time and
nobody really cared. There would be no fallout.

I agree that it's easy to see why they don't take kindly to this sort of
thing, but it should also be easy to see why they _should_ take kindly to it.

------
RusAlexander
Apple is changing its preferences; now they don't want to have more secure
software. IMO Steve Jobs wanted that.

------
nchuhoai
I come into your party as a guest and what I do is steal all your stuff. If
you were a white hat, you would knock at the door and kindly point me to the
loophole instead of just doing it ...

