If they won't pay then you can always donate it to the government
of North Korea.
DPRK Embassy
Glinkastraße 5-7, 10117 Berlin, Germany
The bloke who found a password-spaffing bug in macOS says he won't divulge details on the flaw to Apple until the tech titan agrees to properly compensate vulnerability researchers. Germany-based freelance bug-hunter Linus Henze says the security weakness can be exploited by malware and other dodgy apps running on a Mac to …
Well, seeing as the software is locally installed, if you get malware installed on your device then your security is already compromised. Even without hitting the keychain, surely it could just keylog passwords anyway?
Granted this gives you a smaller time window and you grab all the passwords in one hit.
"macOS is so secure you don't even need...."
For people who make idiotic snide straw-man comments like this, security is not black and white but a spectrum. For many technical reasons, macOS is more secure than others like Windows and Linux. Any Unix is less secure than Burroughs/Unisys MCP (which has bounds checking in the architecture). While these machines are even more secure, vulnerabilities are always there, but fewer of them and harder to exploit.
That is all you can do for security. But you don't ignore it because you can't be 100% secure.
"Because look how shiny my Apple device is! Look! It's soooo shiny! Look at it! Shiny! Shiny! Shiny!"
No. Macintosh users are more serious than that. As Steve Jobs once said "Interface design is less about the way it looks, but the way it works".
Will Apple try to sue him for blackmail? Anything is possible in this fantastic world.
That'll be why he hasn't mentioned any value for bug finding. As soon as any price is mentioned the blackmail lawyers can get to work; currently he could argue in court that a 'thank you' would be recompense.
Illegal > Blackmailer - "Give me 'X' or else I'll ..."
Legal > Lawyer - "Give my client 'X' or we'll drag you through the courts"
@Wellyboot: Illegal > Blackmailer - "Give me 'X' or else I'll ..."
But surely he's not saying he will do anything at all, he's only saying he won't do something specific that he's under no legal obligation to do in the first place.
All he's saying is "I have some information that I'm willing to sell you for 'X'" which is just the standard business model of any consultancy.
Maybe he's being truthful when he says he's doing it to point out a shortcoming in Apple's bug bounty program, maybe not, we don't know. But let's say they pay him. What stops the next guy from saying he's holding back telling them because he thinks they aren't paying enough, and wants a guarantee he will get a certain amount of money? What if he wants more than their highest payout, because he thinks that's inadequate for the bug he found?
At what point does it go from 'changing corporate behavior you think falls short of an ideal' and become blackmail?
'But let's say they pay him. What stops the next guy from saying he's holding back telling them because he thinks they aren't paying enough, and wants a guarantee he will get a certain amount of money? What if he wants more than their highest payout, because he thinks that's inadequate for the bug he found?
At what point does it go from 'changing corporate behavior you think falls short of an ideal' and become blackmail?'
At no point. None of what you have described is blackmail. Nobody is obliged to buy or sell anything. No one in your scenario has threatened anything, not vaguely or specifically. No criterion for blackmail has been met.
I guess I assumed that he was going to release the exploit, but if all he's going to do is not tell Apple then why should they care? The only difference it makes is that it gives blackhats a place to look for a bug, but it also gives Apple a place to look for it...the race is on!
Is he asking for money, recognition or both?
If it's money, I have bad news for him: even if you don't set a price on it, I think you have already passed the point of probity, and if you want to know how that works I only have to highlight the FaceTime bug, which has emerged as having been known for a LOT longer than when it got acknowledged publicly (btw, still waiting for a fix on that, although I have just seen something show up in iOS betas).
There's also the fact that it's now out there that it is possible, so it's not going to take that long for someone else to work it out - thus, even the limited disclosure for publicity (read: pressure) reasons is causing harm.
That said, I can see where he's coming from and frankly, I'm a bit disappointed with Apple having not much of a program in this respect. Microsoft has it because it sorely needs it (that said, they don't pay for all fixes either - one of the rather major Outlook password bugs just got fixed quietly without the people who discovered it being paid a penny).
Must do better - all of them.
Given that there are over an order of magnitude more Windows boxes in use, the Windows flaw has a lot more potential targets for the bad guys. Couple that with the fact that Windows has an even larger installed base advantage in the corporate world (where such a flaw would be more easily monetized by the bad guys) and you'd think that if macOS was $50K the equivalent for Windows would be $1 million...
YeahBut. In orgs that have both, they keep all the mission-critical artsy-fartsy stuff they use to pitch for bucks on the apple stuff...Because the people they underpay to make up that faff can't run anything more difficult in order to make pie and hockey stick charts. Or kids leaping through the air while apparently having some sort of climax experience. We all know that's where the real money is.
Do I need a sarc tag?
No, not a sarc tag but maybe a dummy/pacifier might be more appropriate.
Macs, just like Windows and Linux boxes are just another tool to get things done; some prefer one and some prefer another.
This constant ‘wah wah wah’ around “my choice is better than yours and therefore I’m superior” is getting f’ing tiresome.
Maybe we need a tag/icon for ‘I’m superior’ shit so we can avoid those posts and move on to the genuinely entertaining ones.
If someone finds a flaw in software/OS/website/etc., then would it be illegal to sell that flaw to the highest bidder? What law would they be breaking, if any?
If my assumption above is correct then it makes absolute sense to reward researchers for finding flaws and reporting them although they would have to be careful not to get into a bidding war with more nefarious buyers?
A few years ago "hacking" and not just "cracking" became a crime in Germany.
Are you equating him finding the exploit with hacking?
This is not a remote website hack, or an attack against a 3rd party service. He played around with his own personal property and discovered the flaw. Therefore no 'hacking' - from a legal sense - has taken place, as it was all against his own property.
Are you equating him finding the exploit with hacking?
Not me, the law has a very broad scope. It has, for example, been argued that developing and using penetration test libraries is illegal, so you now (I've seen such requests) need to obtain explicit permission from suppliers in order to test your own systems that they've developed or host. At the same time, it's legal to use software that cracks DeCSS so that you can make copies of your own DVDs…
In the current case I think it was unwise of the guy to go public like this, because the authorities will have to act. If he then refuses to provide details of the exploit, he could very well incriminate himself as the result of a publicity stunt. But, IANAL.
I think there's quite an ethical leap between using a bug you found to shame a company that (significantly) lags the others in its inducements for bug reports, and seeking to profit from knowledge of a bug by other means.
Assuming he hasn't tried to sell it by any other means, good for him.
Let's be totally honest here. If a bounty is offered it means Apple will be admitting it's possible that bugs exist. Apple's sales teams used to deny the possibility of anything being hacked or for a virus to exist on an Apple product. If a reward was offered it might cause more experts to look for them. More experts looking could cause more to be found and there goes the illusion of total security.