
“Since Apple is aware of my 90 days disclosure deadline, I make this information public.”

Great, so now, potentially, there are lots of people who will lose all of their baby photos, lose money or even their contact with people who are important to them just because of some arbitrary number of days you made up and because you feel slighted by Apple.

This could have real consequences and you can’t expect a big company to move faster just because you want them to. I have no knowledge of the internals of the development of macOS, but maybe this isn’t trivial to fix.



Being a big, bureaucratic leviathan of a company does not absolve you of the responsibility to protect your users. For all you know, hackers have already been exploiting this secretly, and being public, with a workaround, now gives you a plausible chance to defend yourself where there was none before.


> Being a big, bureaucratic leviathan of a company does not absolve you of the responsibility to protect your users.

I never said they shouldn't do anything, I said that releasing this information before there is a patch for the vulnerability strikes me as wrong.


They didn't ask for an extension, and many vendors do ask for more time. They simply ignored a potentially massive issue.


"...This issue was supposed to be addressed, according to the vendor, on May 15th 2019 but Apple started dropping my emails."

I believe Apple could easily have asked for an extension if solving it was complex. Apple chose not to.

(from the information available to us.)


Indeed, many security researchers are willing to extend their disclosure deadlines if the vendor gives good reason to and shows that they're taking it seriously.


"on May 15th 2019 but Apple started dropping my emails"

What does that mean? Is there proof? How long do you wait before you call not getting a response 'dropping'?

The potential consequences require more than this.


You would have a point if the exploit were more serious, and looked harder to fix than it does.

As is, this is a phishing-type variant that it’s not at all clear Gatekeeper was even designed to stop. However, the default behavior described (especially making symlinks to NFS shares without any sort of warning or special graphic when following them in Finder) seems sufficient for forceful language when complaining about it to Apple / giving a disclosure deadline, then publishing.


90 days is very reasonable for something like this.

> Great, so now, potentially, there are lots of people who will lose all of their baby photos, lose money or even their contact with people who are important to them just because of some arbitrary number of days you made up and because you feel slighted by apple.

For all we know this has already been happening since Gatekeeper was implemented in 2012.


And now all the 'hackers' who weren't smart/lucky enough to figure this out also know how to exploit this.


Well, the choices were:

A. Leave the hole open for all crackers who already figured it out, thereby leaving a security hole open for possibly all time. Apple apparently weren’t fixing it; they first said they were going to, but then didn’t do it, and then ceased all communication.

B. Tell the world, thereby forcing Apple to fix the issue. This leaves all Apple users vulnerable to more people than choice A, but only, one would assume, for a limited time.

The ideal situation would of course have been C: Apple promptly (or at least within 90 days) fixes the issue upon being informed of it, before the world at large was made aware of it. But Apple chose not to pick this option. Only option A and B remained.


There are plenty of fruitful conversations to be had WRT the concept of responsible disclosure, but a fundamental pillar is that vendors are held to some deadline so that they cannot hem and haw indefinitely while leaving their users vulnerable. It's certainly a valid argument to posit that 90 days may be too short a deadline, but a valid counterargument is that if a company like Apple cannot ship a security patch within 90 days, then their process itself is broken.


Nit to pick. Prefer the term coordinated disclosure. Responsible disclosure puts things on an unnecessary moral dimension. It’s not irresponsible to disclose bugs ever, IMO. I have seen this debate a million times now, but I know it is new for someone.


Notice that Intel used the term "coordinated disclosure" for last week's new raft of microarchitecture bugs; "responsible disclosure" is on the way out for exactly the reason you stated.


That is neat, I actually didn’t even notice and I read the thing. Seems like progress on this topic to me.


Thanks for the tip, I didn't know there existed a better term for this. Indeed, I always felt that "responsible" was a loaded adjective in that context.


> some arbitrary number of days you made up

As a separate datapoint, Google's Project Zero has a default 90 day public disclosure period too.

Generally, it's highly likely that the (really) bad guys already know about the exploit. Leaving the exploit known only to them and the vendor doesn't help the most vulnerable (i.e., those targeted by the (really) bad guys).

~3 months is also a reasonable amount of time for coding, review, testing, QA, etc. I don't know if the author was up front about the 90 day deadline with Apple, and if not, that's not particularly friendly, but it's not out of line with other major players in the space.


Not only that, but I've seen security people extend 90 days when the vendor asks.


Based on the information supplied, the vendor didn't ask.

As an Apple user, the only part about this situation that is disappointing is Apple.

Depressingly, there still isn't an overall competitor that can deliver products that meet my requirements as well as Apple can, so I remain stuck.




