Apple to contribute to U.S. teen's education for spotting FaceTime bug (reuters.com)
256 points by daegloe on Feb 8, 2019 | 131 comments

You know, I'm happy on some level for that individual. It seems like a great stroke of fortune. On another level, it bothers me that there are such large institutions that can arbitrarily "bless" random people like a deity or something. I also can't help but look at this cynically as a largely self-interested PR grab by Apple that is not a real sacrifice on their part.

> it bothers me that there are such large institutions that can arbitrarily "bless" random people like a deity or something.

Do you mean like how some people are born into rich families and some into poor families? (I kid :))

> I also can't help but look at this cynically as a largely self-interested PR grab by Apple that is not a real sacrifice on their part.

It may be but so what? They could have done nothing, but they didn't. Good on them for doing this.

> Do you mean like how some people are born into rich families and some into poor families? (I kid :))

Why kid? This is the way of the world.

Most people on US Forbes top 500 came from poverty and / or other disadvantage.

Seemed like a dubious claim, so tried to find a source and found this old article:

Did the Forbes 400 Billionaires Really 'Build That'? https://www.cnbc.com/id/49167533

Trimming a lot:

"United for a Fair Economy breaks down the Forbes list using a baseball analogy. It says

- 35 percent of the list was born in the “batter’s box,” with a lower-middle class or middle-class background...

- 22 percent of the list were born on first base: they came from a comfortable but not rich background and might have received some start-up capital from a family member.

- 11.5 percent were born on second base, the report says. Second base is defined as people who inherited a medium sized company or more than $1 million or got “substantial” start-up capital from a business or family member.

- 7 percent were born on third base, inheriting more than $50 million in wealth or a big company. The report includes Charles Koch and Charles Butt on third base.

- 21 percent were born on home plate, inheriting enough money to make the list."

So less than 35 percent would be coming from poverty, if this study is to be believed. This is for the 400 billionaires list though.

If anything it’s intentionally misunderstanding the actual advantages from having connections.

Gates did not directly inherit vast wealth. But, most people’s parents don’t know the CEO of IBM back when it was the computer company.

That bottom 35% is a little dubious. Larry Ellison was put in that category, though he was adopted at a young age. Further, his adopted family had recently been wealthy, which is a much better than average background for becoming rich.

Finally, the category they place Trump in vastly underplays the amount of direct family support he received. The initial gift was under 50 million, but was just the first of many. He would have become a billionaire simply putting the money given to him into the S&P 500.

Bill Gates went to Lakeside School here in Seattle and grew up in a nice house along the shoreline in Sand Point (a rich neighborhood of Seattle). He is hardly self made, and comes from an upper crust Seattle family that could afford the finest education and residences in Seattle.

Had Bill Gates gone to Seattle Public Schools at the time, it's doubtful that he would have gained similar contacts or become notable at such an early age.

I honestly expected significantly less (I figured home plate would be the largest group) but was not surprised at all to learn 3rd base was the smallest group.

Yeah, inheriting $50mm+ seems like more than enough to disincentivize risk and innovation.

Looking more in depth at their ranking though, virtually everyone from 1st base to home plate I'd consider "rich" to start (perhaps differing degrees of "employed rich", e.g. doctors/lawyers, to sheik rich).

I mean, it considers Donald Trump, whose father died with a net worth of about $300 million to start on 2nd base!!

35% of the top 400 came from poverty? That’s actually much higher than I thought it would be and pretty damn remarkable.

At least in the US, less than 35% of the population actually lives in poverty.

Those 35% are (lower) middle class. Apparently none of the top 400 billionaires came from poverty.

I don't think this is true. Forbes says 67% of their list is "self-made", meaning they're a 6-10 on the 10 point scale defined here: https://www.forbes.com/sites/luisakroll/2018/10/03/the-forbe...

As you can see, only a 9 or 10 should really count as coming from significant disadvantage. Mark Zuckerberg is an 8 on the scale (where 10 is most disadvantaged), and I think we can all agree he did not claw his way out of poverty. I'm having trouble finding overall numbers for each rank, but I'm certain 9s and 10s are not a majority of this list if 6-10 is only 67%.

Yeah, I mean Mark Zuckerberg was the son of a doctor and a dentist in White Plains. We called people of those means "rich" when I was a kid.

This statement is saved by the "and / or other disadvantage" because that includes the subconscious guilt that they ultimately owe all of their accomplishments to their wealthy parents, which is indeed a disadvantage that I struggle with daily. :'c

I don't know about the Forbes list, but it seems the share of wealth being inherited is pretty high & increasing at a good clip:

On the Share of Inheritance in Aggregate Wealth: Europe and the USA, 1900–2010 http://www.piketty.pse.ens.fr/files/AlvaredoGarbintiPiketty2...

Do you have a source for that? "Most" seems hard to believe.

I would also be hesitant to take the top 500 as representative of the top, say, 5 million.

I will definitely need a source for that claim.

I find this hard to believe. Do you have a source?

GP seemed like obvious irony to me. 7 HN folks don't agree...

> Do you mean like how some people are born into rich families and some into poor families? (I kid :))

I understood it as: how is it that education is a privilege?


Good on Apple. But people are uneasy because it sounds like an old medieval story about a noble family rewarding a random peasant that did one of them a boon. The modern trappings are different, but the story is the same. It's great that the peasant got a fine pair of oxen, but why don't all the peasants in the kingdom have oxen to farm with in the first place?

That's not Apple's fault, but it shows how we live in a modern aristocracy, built on finance and lines of capital instead of noble bloodlines.

Is your thought that education in particular should be available to all (i.e. the oxen represent a fundamental good), or that we shouldn't live in a world where some entities have more resources than others?

On that spectrum, my thought is more towards that education should be available to all, but also that the economics we live under doesn't have a process to distribute sufficient goods widely enough such that people have strong practical independence.

It's not that some entities cannot have more than others, it's that we have entire classes where their first order needs (food, shelter, clothing) aren't met despite being willing to work and working, let alone their second order needs (enough margin of profit for emergency funding, healthcare, means to acquire skills initially or skills in different areas, etc), or even third order needs (a broad means to form new ventures addressing what is locally perceived as important). If those areas are met and within a stable system, then I think it's fine that some entities have more wealth - but too much imbalance imho causes systemic instability.

Great response, thanks for clarifying.

That's a false dichotomy.

I wasn't intending to imply it was one or the other, I was trying to get the parent to clarify their comment, and those were my 2 best guesses, sorry if it came off like that.

Gotcha, no worries.

What would work for your high standards? If they do something it's Corporate BS. If they don't then they are the same old Corp machine that couldn't care less.

a transparent bug bounty system

The end result will be the same. You will call this a PR stunt.

This scenario is more of a lootbox/gambling — a chance to win a big prize, but no guarantee. A proper bug bounty system would be a consistent outcome, and far more fair.

...Does anybody consider all the existing bug bounty programs "PR stunts"? You seem like you're fishing for a reason to continue disagreeing, and you're most certainly putting words into a stranger's mouth.

A bug bounty program would demonstrate a lot more sincerity around securing their devices than a one-off reward to a kid given simply because the kid got enough attention in the media.

No, many companies have an objective bug bounty system. No one is calling those payouts PR stunts.

Many companies have a public-facing bug bounty system.

It's incredibly rare for a company to have an objective bug bounty system. I would estimate that the number of companies like this is zero. (Source: I have worked triaging reports to public bug bounty systems for large companies that you've heard of. Payouts can differ by thousands of dollars based on factors like your prior history reporting to the program, what the triager chose to put in their report (even if your two reports are identical), or the label you put on the vulnerability you're reporting.)

Perhaps. Although couldn't that just be because we're all so used to corporations having no real accountability and only occasionally deciding to make symbolic gestures as penance for their mistakes? You're probably right that, to many of us, they can't really do anything to make up for this. But that's not our problem. It's theirs.

This is a very easy problem. If you feel this strongly, stop buying their products. If you don't do that, clearly you don't feel strongly enough. Blaming them when they do the right thing is just going to discourage them from doing so in the future.

I've never bought an Apple product, but I can still be bothered by the fact that such huge corporations exist and can completely change random people's lives if they choose to.

I don't understand this thread.

The article only says: "[Apple] said it would compensate the Thompson family and make an additional gift toward 14-year-old Grant’s education."

For all we know, they got a check for $250.

How do you reconcile your statement with the fact that you, yourself, can confer life-changing benefits to all sorts of people?

The teen and mother in question were not too technically savvy. Would they have been able to meet the usual requirements of a bug bounty filing?

The mother was a lawyer who went as far as signing up for a developer account and filing a radar. They could (and did) jump through hoops to try to report it.

What about others?

> On another level, it bothers me that there are such large institutions that can arbitrarily "bless" random people like a deity or something.

It's not all that different than in the past some regular person assisting the royalty, and being rewarded for it with some money or small title or allowance, such as being able to utilize a natural resource that's controlled by the crown. It's just a consequence of a massive power disparity, and those are natural (I mean even without market power and money, we're talking about a single person and an organization of tens or hundreds of thousands of people, which is its own power difference).

> I also can't help but look at this cynically as a largely self-interested PR grab by Apple that is not a real sacrifice on their part.

It probably is, but that doesn't mean its all it is. It's not always a zero sum game, and if you can help yourself and help someone else at the same time, should we denigrate that just because it's also self serving? Tempering how much good will we attribute for this action is all well and good, but let's not go too far and negate all of it or come away thinking worse of Apple just because they gain something from this as well.

The difference being that Apple earns its own money which we have voluntarily given to them for iPhones. Royal titles etc. however are from taxpayers' money, a bit like US aid to other countries or subsidized housing etc.

Taxpayers' money like the 10s of billions Apple stashed overseas until they (and others) managed to lobby for massive corporate tax breaks?

Before someone gives me the standard "don't hate the player hate the game" speech. I do hate the game. It's fundamentally broken and I think we need to do a 2.0 version.

Apple's money comes from money we have voluntarily given them to own one of their phones and to be part of (and actually we are then forced to be a part of) their market, since only Apple approved software can run.

A government's (a monarchy is a form of government) money comes from taxes from people who wish to be part of that system and benefit from the security and markets it provides (otherwise they can leave. Sort of. But in the past they likely could), and they are limited in what they can do because the government enforces the rules.

It's not totally dissimilar, in my eyes.

Apple and a lot of other major tech companies will pay for security exploits. This seems like a reasonable exchange. The kid gave Apple information about an exploit and Apple paid him for it.

Apple pays bug bounties, but I doubt Apple would have paid in this case until it got significant media attention.

As far as companies go, Apple has enough money to basically be a deity. I think more of it should be in the hands of their employees and the American taxpayer.

It's true, their cash on hand tops the GDP of many countries.

They also pay more in taxes than the GDP of many countries.

Do they? I thought they were notorious for not paying taxes?

Like most rational actors, they try to minimize the tax they pay. However, even a little tax on a trillion-dollar company adds up to a lot. They still pay quite a bit.

Despite the rampant reporting by the media about US companies not paying their "fair share" of taxes, as of 2017:

"The biggest taxpayer was the most profitable: Apple, which reserved $15.8 billion for income taxes on $59 billion in operating income. Apple reports its effective tax rate as 25.8%"

I think it's time to end this falsehood about Apple as I constantly see it posted on HN.

If your source is this Forbes article [1], it's referring to Apple's domestic tax rate (this is clear because they compare it to the 35% nominal domestic rate). Their worldwide tax rate is lower. Apple is projecting that its worldwide tax rate will drop to 15% now that the new US tax law has taken effect. [2]

1: https://www.forbes.com/sites/christopherhelman/2017/04/18/wh...

2: https://www.fool.com/investing/2018/02/05/heres-how-much-app...

What bothers me there is, according to my understanding, that taxation laws were changed in the last cuts so that foreign subsidiaries of corporations basically owe no US income tax on their profits (maybe ok, not sure there), but left alone the case if a US citizen relocates elsewhere and makes an income, only the first $xx,000 dollars are not taxed by the US.

Another inequity: corporations can deduct their SALT, but individuals can only deduct $10k of SALT. So many people derided Citizens United (corporate campaign contributions case) as granting personhood to corporations. But the new tax law actually grants more rights to corporations than to people!

Of course, I understand that corporations have always been able to do lots of things that people couldn't do, such as enjoy limited liability. But these are very close analogs, and there aren't any compelling policy reasons as to why corporations should get unlimited SALT deductions if people aren't given this privilege.

Do you have a source on that? The wording on that is odd, which makes me want to look into it. It may be my mistake, but I don't recall corporate taxes often being called "income taxes" and it's odd how it's referred to as they "reserved" it, instead of quoting what was paid.

It almost sounds like they are referring to taxes withheld from paychecks for employees, which is definitely not the same as what a company pays in corporate taxes in its profit.

It's not a falsehood. I pay a higher tax rate on some of my income than Apple pays on average.

While I suspect we are going to have different viewpoints, do you employ hundreds of thousands of people, contribute massively to the world economy, and innovate like Apple? Just a point, that while their effective percentage may be lower, they have massive impact, and a $59 billion tax payment.

As a public company that money will go to shareholders through stock buybacks over time. But a lot of Americans do own AAPL through their retirement plans so maybe that counts for something.

I think your money should be in my account! Well, we can fantasize about other people's money.

Why should it bother you? We have all given $10 to that homeless beggar we felt pity on. What Apple is doing is at a larger scale. We do charity for personal satisfaction and Apple might do it for PR.

Surely it bothers you if the beggar can't live without begging?

Another issue is that education is expensive enough for someone to need a private sponsor.

I mean they don't have to do anything at all so I don't view it as cynical. You can't help everyone in the world.

Feels like the headline here should be related to the bug itself, the amount of privacy it violated, and how long it took Apple to fix it!

Clearly a good PR move for Apple.

Has that not already been the headline a dozen times?

Certainly Apple has deserved that scrutiny, but I was also waiting to see whether they'd do the right thing here.

On HN the Apple-related headlines that make it to the top are 80-90% how glorious Apple's closed source platform is and 10-20% how awful Apple's dictatorship of their own app store is. I don't think it's true that we should not post critical articles just because Apple already "gets enough" by some standard.

I'm not discouraging anybody from posting the other articles.


Why do you expect some random member of the public to obey an arbitrary rule from the infosec community that they don't even all agree on?

Oh I don't. I expect Apple to hold their bug reporters to those standards, though, so it's interesting to see that they are giving a "bounty" to this "irresponsible disclosure".

How was the disclosure irresponsible? AIUI, multiple attempts were made to report the bug. It went viral a couple of days later on social media. I'm not aware of a link between those two events.

Huh? Group calls were not a new feature, and the teen's mother made several attempts to disclose it privately to Apple, including registering for a developer account and submitting a bug from there. I'm pretty sure that's as close to "responsible disclosure" as you can get.

> Group calls were not a new feature

This bug affected Group FaceTime, which was added in 12.1 (released in October)

> the guy didn’t report it responsibly

What? As far as I understand, with his mom, he attempted to report it to the product-security email Apple tells you to do, they were brushed off and told to file radars, which they then did. And nothing happened. So, yes, he reported it responsibly and was ignored... traditionally, that's when security researchers say you move to reporting it via more public means...

Do you know how difficult it is to get into a bounty program?

> Two key U.S. House of Representatives Democrats on Tuesday asked Apple Chief Executive Tim Cook to answer questions about the bug, saying they were “deeply troubled” over how long it took Apple to address the security flaw.

Honestly this just seems like a waste of time.

As a voter, this isn't very high on the list of things I'd like to see my representatives being "deeply troubled" about...

Reported an iPhone lock screen bug and received nothing. Thanks Apple.

If it's a serious bug, talk to a zero day broker.

I thought Zerodium (as an example) was only interested in RCE type vulnerabilities, although I could see others being of value as well.

Zerodium might generally traffic in RCE because they're typically of the highest value. They would likely judge that to be of comparable value to some RCEs, if for no other reason because of the number of devices affected. Zerodium also isn't the only one out there.

Where did you report it, was it acknowledged, and was it ultimately fixed?

Having run a large bug bounty program before, I can tell you a few things could have happened here...

* Issue was mis-triaged, or deemed to be very low impact - Maybe it depended on a very specific set of circumstances that was not expected to commonly occur. Usually these get silently routed to QA to investigate.

* Issue was completely overlooked - Unlikely, but security@ is a ticket queue too. Sometimes a misclick happens, or a spam filter picks it up. For every valid report, you can get 100-1000 unrelated messages.

* Issue was already known - Not good to silently ignore, but if it was already reported and in the pipeline, it probably got closed as a duplicate. Companies don't like to discuss vulnerabilities that are being actively fixed.

It was a long time ago (2013). Issue was fixed in the next iOS milestone release, but they gave no recognition at the time and no follow up besides a "thank you for reporting this" email.

Not PR worthy. They took a look at your social media and determined that you were too outspoken.

Next time you need to scream louder.

Lessons learned.

Only in the land of philanthropy is such a headline a thing, or even a PR move. So instead of giving the guardian of said teenager 200k to do with as they/he/she pleases in the interest of the child, you set up an education funding scheme? But when the government does it, it's what?

> So instead of giving the guardian of said teenager 200k to do with as they/he/she pleases in the interest of the child

A lot of people are jackwagons and will spend the money on whatever they want instead of their child's education. This way Apple gets to make sure it goes to the child's future.

Source: Had to finance a big portion of college on MasterCard.

This is why.

One of my ex's maternal grandma left her a little over $100K for college. The grandma trusted her daughter and son-in-law to manage it. The parents divorced and the mother went wild for a while and spent it on drugs, partying, and vacations. My ex ended up taking a bit of OSAP.

> when the government does it, it's what?

Unremarkable and not newsworthy?

That type of argument is unlikely to be made by users on this forum, so a sarcastic rhetorical response posted here only serves to create unwanted noise in this thread.

I get your point, but isn't the parent to my comment equally as sarcastic a rhetorical response?

They also paid some (undisclosed) amount of cash to the family.

He also got a personal visit from an unnamed Apple executive.

Nice. Bit of a side point, but I feel that we should all give a shout out to the mum, who clearly was the power broker for this to happen. She did a great job navigating the maze that was Apple's bug reporting pathways.

I think so too. Focus is on the child but maybe the mom wants it that way.


I’m glad to see more attention from lawmakers over data security; many companies have shown little interest in correcting or preventing issues for long enough.


Still should have responded to them faster. Someone at Apple just dropped the ball when they got the report.

I don't think it is any specific "someone." I think Apple's policies/procedures itself are more at fault.

The fact that there's no clear route to submitting security issues if you aren't a registered developer is problematic.

Seriously. They'd get a ton of bad reports like everyone with a bug bounty program, but Apple isn't exactly running lean on resources.

Oh man that's terrible.

I've worked with folks who field security reports full time... you gotta have someone who can work with people and respond. It helps buy time while you fix things... / good PR.

> "In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service..."

Why would they have not done this in the first place? Apple has more money than they know what to do with, why not have teams of people banging away on this stuff? The actual exploit was incredibly simple.

What makes you think this was the first audit? Shipping a bug doesn't imply that zero QA was done.

I assume they do that sort of thing, but something was missed.

So you find out why you missed it, and do it again to look for anything else that may have been missed the same way.

They probably did do this in the first place. But products change over time, so they need to keep doing them.

Apple is playing chess right now on the brand positioning game against Alphabet and Facebook. The most cynical people will dismiss it but most people will accept it as a gesture of goodwill.

Spotting bugs pays more than bug bounties.

How so? Radar reports don't garner any payouts, do you mean with other companies?

Good PR move.

They should just give him a large bug bounty.

Does offering to contribute to someone's education sound to anyone else like they're criticising his current level of education? Seems like an insult?

Like 'we'll pay for you to get a better education so next time you'll know how to speak to us correctly.'

Why don't they just give him cash compensation if they want to apologise?

There are laws around the ways in which you can compensate minors. This may be the most reasonable way to pay the kid. That said, I assume the decision to make it an educational grant was not made without consultation with the family.

Why would it? That's just ... reading something into this that isn't there.

The child is what, 14? You're not going to just drop a bucket o' cash in his lap. They probably talked to his mom and worked this out.

Edit: Contributing to a minor's education is not uncommon in situations like this.

So a College fund or a Scholarship is an insult?

Why not just the cash? An apology but you have to spend it how Apple wants? What's up with that?


What if Apple buys a meth lab with it? You’ve just deployed a fully general argument against the existence of money.

I think I should use /s in here in future.

Well, it says they’ll “compensate [the family] and make an additional contribution [to his education fund]”, so it sounds like they’re doing both.

It sounded to me like they're offering to contribute to an already-existing college fund or start one.

Right... but why that? Do they think there's a problem with his education specifically? Why not give him cash and let him put it in an education fund, or a pension fund, or whatever he wants? Why say 'and you'll want to use this to increase your education'? Like buying him a voucher for a facelift.

The US values education quite a bit (I suspect other places do too, but I can only speak for US experience), and there's a long history of rewarding children with educational funds for all kinds of things. This is very commonplace.

As to why it's commonplace, well, if the family can afford to send the kid to college, then this is basically the same as giving them cash, since the family now gets to do what they want with the money they would have spent on his college. And if they couldn't afford to send him to college, now they can (or now they have a bit more help with it, depending on how much money was given). It looks good for the company too, since no one (except possibly you) thinks giving a kid an educational fund is a bad thing. Finally, by having such an educational stipulation, it hopefully prevents the parents (or legal guardians) from spending or wasting it on other things so that the kid ultimately reaps the benefits, which I think is prudent.

I believe he's receiving cash separately from the college fund.

A college fund is a common way to acknowledge that a teenager often isn't the best judge of how to spend an influx of cash. Heck, if all of my employee bonuses over the years had been added to my retirement fund instead of my checking account, I'd be in much better shape.

I do not think anyone offering to contribute to a tuition fund is trying to insult the person.

I can also imagine that putting the money in a fund has a lot of tax related benefits for both the person giving and the person receiving the fund compared to paying it out in cash.

I don't think any parent or child is going to look that gift horse in the mouth.

They don't want to set a precedent of people blackmailing with a bug like rumours say he tried. The bounty program sets a price and avoids exploitation on both sides. Respecting that was more important.

Paying a scholarship allows Apple to send a valuable transfer but no cash, rewarding the discovery without setting a precedent.

> They don't want to set a precedent of people blackmailing with a bug like rumours say he tried.

You're creating rumors, not reporting them.

You can read the letter they sent to Apple. That wasn't even the first attempt at contact and all they asked about is if there were any bug bounties available.

Nobody tried to blackmail anyone by simply asking if the bug may be eligible for a bounty.
