
So how do you prove the DDoS vector exists unless you DDoS someone's site?

How do you prove the SQL injection vector exists unless you take over someone's site?

etc., etc.

This was far from a harmless proof-of-concept app, and "I just wanted to prove I could" isn't sufficient justification for it.




You prove DDoS vectors exist by DDoSing your own site, or one you have permission to work on. Same with SQLi vulnerabilities. If you want to report a vulnerability you've found to a company, include a working exploit in your report, but don't run it. If the company ignores you or tries to brush the vulnerability off, that's where it gets hairy and responsible disclosure comes into play.

We don't know what his level of communication was with Apple, but it doesn't appear that he notified them before testing this exploit. Had they refused to address the issue or otherwise brushed him off, this would be a reasonable escalation. The same story on r/netsec [1] is being linked to a Forbes article [2], which claims he notified Apple three weeks ago. That's not a ton of time.

Ultimately, he very much violated their ToS and Apple is well within their rights to give him the boot. Whether that was a smart decision on their part remains to be seen.

[1] http://www.reddit.com/r/netsec/comments/m48gx/charlie_miller... , http://www.reddit.com/r/netsec/comments/m3uwo/mac_hacker_cha...

[2] http://www.forbes.com/sites/andygreenberg/2011/11/07/apple-e...


Since the only place you can install software on iOS devices is through the store, it is important to demonstrate the attack vector by which it can be gained.

It indicates both a security flaw in the platform itself and a security flaw in the app store approval process; both should be highlighted.


Since he has control over pricing, couldn't he submit with a free price tag, and change it to something insanely high once accepted? That way no sane person would buy it, and he'd still prove his point. He _had_ to submit an app and get it in for this to work of course, otherwise this was a moot point. And it's a good wakeup call to everyone. Security awareness helps sometimes, unfortunately, when you make a splash.


> .. otherwise this was a mute point.

"moot". Pretty please, the word is "moot."

Otherwise, while I think you've got a point (he could have used pricing to ensure no one ran his app), that isn't the issue here. The disclosure is. No one is contending he did something evil with his code, it's that Apple is mad about his code and disclosure. I don't think making it unlikely to be purchased would have helped.


You don't need to "take over someone's site" to prove that their site has a SQLI vector, just put in a little string somewhere.


In the UK, using SQL injection to "put a little string somewhere" would be illegal.


Oh probably. But I'm pointing out that you can demonstrate a SQLI attack without having to completely take down someone's site.


Those things have already been proven. We're talking about research here.



