
> I have taken 73 users' details (all Apple Inc workers only) and proven them as an example ...

> I have over 100,000+ users' details ...

> I do not want my name to be on a blacklist

One would think that 73 compromised Apple employee accounts should be enough to make a point. Why would he take another 100k user accounts hostage?




That probably wouldn't have shut down the site, which in turn would not have gotten the attention. He wasn't making a point to Apple, who already knew the bugs existed, he was making Apple do something about it. He did.


> That probably wouldn't have shut down the site

So the guy is a hero. Thanks for disturbing real life businesses for several days, I guess?

> he was making Apple do something about it.

This behavior is endemic to the self-righteous security "researcher" scene. "I found a bug - you must do what I say, NOW, or else ..."

It's not like Apple would have ignored his bug reports if he hadn't scraped 100k developer accounts.


"This behavior is endemic to the self-righteous security 'researcher' scene"

Yes, and that behavior is moving us to a world where corporations have to be careful what they put out, not just rush the newest shiny feature out faster. Besides, who do you want exploiting the bug, a self-righteous guy who 'may' be in it for his own glory, or an out-and-out criminal?


He says he reported the bug previously and got no response...

So, it's very much "like Apple would have ignored his bug reports..."


What he leaves out is that he waited less than a day for a response. (You can see this from the radar shown in his video)


His video shows that he filed radars on July 19th - the same day he downloaded the 100,000 developer names and email addresses.

This is not responsible reporting, and he's clearly broken the UK computer misuse laws, since he signed an agreement with Apple governing the use of these systems.

I hope he's arrested soon. This behavior does nothing to help legitimate business or the security community.


If it truly was same day, I agree, that changes everything. I'll wait until more information comes out to decide.


He probably downloaded 100k accounts (perhaps a range of IDs) and then grepped them for @apple.com accounts.


Maybe, but he writes that he still has those 100k data sets. So why didn't he delete them after grep ran through?


Because he's clearly not very experienced in this. Apparently his video (when it was up) had confidential information shown in it: https://twitter.com/ibrahimbalic/status/359347248473190402. Who the hell flaunts confidential information in a public fashion? There's an interview with him with English subtitles here: http://video.ntvmsnbc.com/applei-sarsan-turk-yazilimci-ntvms..., where he says some interesting things near the end. It looks like he used a Struts2 vulnerability; HN had a discussion about this 2 days ago: https://news.ycombinator.com/item?id=6080620, https://news.ycombinator.com/item?id=6082599. He basically did what Weeve did, except Weeve is in confinement now.


>He basically did what Weeve did, except Weeve is in confinement now.

Hopefully not for long... https://news.ycombinator.com/item?id=6093468

Don't get me wrong, I don't agree with what he did, but the whole case is baffling to me.



