Hacker Newsnew | comments | show | ask | jobs | submit | Quarrelsome's commentslogin

I'm confused. The description of the problem doesn't rule out an issue with IBrute (targetted attack on usernames, passwords) but then they state it wasn't an issue with ICloud or FindMyPhone.

Is this to suggest that its social engineering or just a password reset job? I don't otherwise see how an attack on usernames and passwords translates.

I guess the thing I'm really trying to figure is that if it was IBrute (which personally I would find an embarrassing failure) would they actually admit it?

-----


They seem to have specifically ruled it out later in the statement, as iBrute was targeted at Find my iPhone:

> None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.

-----


>> They seem to have specifically ruled it out later in the statement

>> > None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.

Have they ruled it out? When you factor that the statement's intended audience is the entire world, not just cyber security experts, the wording becomes muddy, as it depends on you how you interpret the word "breach".

If someone successfully uses a password attack, is it actually a 'breach' of Apple's systems? After all, the systems successfully prevented entry until a valid password was entered, which is exactly what the systems were designed to do.

-----


Understood. My second question then is just asking whether Apple have a reputation for truthiness in this arena. I genuinely don't know, I'm asking.

-----


I think that have a pretty good record on owning up to something. It would hurt them much much more to lie about it at this point.

-----


I'm curious what you base that on... that they own up to problems. I know it's certainly not true with hardware issues. They may eventually fix it, but it's rare that they'll comment on it.

-----


Not necessarily. They could make an argument that the services themselves were not "breached", however the users weak passwords allowed them to be compromised.

-----


That's certainly what they want you to take away from it, but is it what they actually said?

Failing to rate limit login attempts is a fuzzy sort of failure. I would probably call it a "vulnerability", but I wouldn't call it a "breach" to take advantage of it to figure out someone's password.

To me, this reads as a carefully crafted non-denial that looks like a denial if you don't really pay close attention.

-----


Location: Iceland.

Remote: Sure but I prefer inhouse.

Willing to relocate: Yes.

Tech: C#, AngularJs, Sql and all the techs that one usually associates with these. My C# is much stronger than my js though.

Resume: By request (10+ years commerical experience, including enterprise solutions sold for $ millions).

Email: uchihajax AT THE gmail (only willing to post my trash email online).

I'm more an Apps guy than a barebones guy. I can do complex stuff like debugging multi-threaded code and writing stuff that is atomic but my maths is generally pretty bad. I'm also very good with people, talking and writing.

-----


Not very. We don't know if they contacted Apple. However from my knowledge Apple doesn't offer bug bounty or often respond to security notifications.

-----


he's assuming from when the tool was released. The exploit was in the wild for much longer.

-----


The password list for this particular implementation is pretty limited. I doubt all the celebs hacked had a password on that list. The concept may well have been used with different code / pw dictionary.

-----


The leaker got doxxed by 4chan and doesn't seem capable of discovering the exploit on his own.

Though he's commented to Buzzfeed denying it was him (but anyone would).

http://www.buzzfeed.com/charliewarzel/bryan-hamade-blamed-by...

@nikcub still thinks it's him

https://twitter.com/nikcub/status/506465151562694656

-----


i'm watching them continue to attempt to hack new accounts on a forum, so whatever apple patched with this bug wasn't it.

-----


I think you misunderstand the trouble one can cause through limited information. We can phish, we can gain access to some personal information.

Both of those pots of "gold" are threatening enough attack vectors.

-----


I think its the size of the burden. If you're creating a thing from scratch and are responsible for pretty much every single aspect of it from dev to sysadmin PLUS you have CTO responsibilities on top of that you just lose track of stuff and make the odd mistake.

"I'll fix that a bit later" becomes "I have no idea what code is there anymore nor even the time to contemplate it".

Perhaps.

-----


I love the EU man. It doesn't look like you understand the plan. Given the size of the US, China and India each European nation alone is weak. However combined they are the largest economy in the world.

We're doing this to remain relevant and to prevent other nations from tearing us apart through uneven economic exchanges much like workers ensure they cannot be exploited by joining unions. It is a union and has all the perks (and problems!) associated with unionization.

-----


Surely Java should be more like:

Because when I get a int, it should definitely be a bloody int.

-----


More like: "we failed to notice the mistake C made of giving stupid meaningless names to types, rather than introducing meaningful names like int16, int32, int64."

When you say "int", you should get an integer - not an element of a (decided by the author arbitrarily) finite subset of integers.

-----


You're missing out. All it forces you to do is push your html fiddling into directives and use dependency injection (which is awesome anyway).

It does way more than knockout.

-----


..... Forgetful George was crying in the corner.

"What's wrong?" quizzed Ivy Iterator.

"It's too complicated" moaned George, he continued: "Mr Main has asked me to deliver all of these invites to the birthday party but I keep forgetting which people I've given invitations to. I gave Sam three invites and Polly hasn't got one yet, it's no use! I can't remember which invite is which!"

"Don't worry" said Ivy, "lets work together to make this more simple! I'll remember which invitation we're giving and which one is next, so all you have to do is deliver the invite!"

George beamed, "Really? You can do that for me?"

"Sure thing George! They don't call me Ivy Iterator for nothing!"

-----


So eh.. when is your book coming out?

(that's cryptic internet speak for, man I really like what you wrote, I can totally imagine the next chapter being about George asking Ivy how she did that!)

-----


It's like, "Design Patterns Personified!"

Sign me up to buy two copies when you do your kickstarter.

-----


Now you've trapped yourself. You HAVE to write it.

-----


This is excellent. You're on to something, why not write more?

-----

More

Applications are open for YC Summer 2015

Guidelines | FAQ | Support | Lists | Bookmarklet | DMCA | Y Combinator | Apply | Contact

Search: