Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Little .Mac Security Flaw

Posted by kdawson on from the case-for-thumb-drives dept.

deleuth writes "The de facto online connectivity software sold along with many Apple computers, .Mac, has a Web interface through which users can check their 'iDisk' while away from their own computer. However, there is no Log-Out button in this Web interface, so most users just close the browser and walk away... not realizing that their iDisk has been cached by the browser and that anyone who wants to can open up the browser, go back to the link in History, and get into their iDisk completely logged in. From here, files can be downloaded and/or deleted. This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple. Furthermore, feedback at apple.com/feedback has gone unanswered. The problem remains: there is no way for the average computer user to log-out of their iDisk on public computers. A quick review of any public terminal's browser history could bring up all kinds of interesting things."

31 of 328 comments (clear)

  1. Apple's response? by PFAK · · Score: 5, Insightful

    Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practise to me.

    --

    Free means no restrictions, ironic the FSF's GPL forces restrictions, isn't it? What's your definition of free?
    1. Re:Apple's response? by kaos07 · · Score: 2, Insightful

      I don't think it's the best way to deal with the problem, but I can see logic in taking down the post. The less people who know about this the better. The only thing a thread would achieve is a) People all going "WTF LULZ APPLE FIX DIS IMMEDIATELY" which would have no effect on Apple's speed in providing a solution, or b) "Wow that's a cool trick, I'm going to try it at my local net cafe" - not something we want.

      However Apple, like most corporations, clearly hasn't heard of the "Streisand effect" http://en.wikipedia.org/wiki/Streisand_effect

  2. Slant much? by Osty · · Score: 4, Insightful

    I love how this is a "little", "minor" security flaw, and even though Apple actively deleted the post exposing this information nobody's really up in arms as it's just due to "bad interface design". If this were a Microsoft property, people would be screaming bloody murder.

  3. When Will Apple Learn by numbsafari · · Score: 5, Insightful

    I am an new Apple user. And reasonably happy.

    However, there is one thing that I am very troubled by and it is simply this: Apple apparent arrogance and ignorance when it comes to security.

    Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.

    You would think that, during this time, Apple would have used the opportunity to develop and internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case.

    Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.

    Apple makes decent hardware. Leopard is very nice to use, though far from perfect. The whole ecosystem and vertical integration is nice. However, the whole thing could come crashing down because of a serious security flaw. If people think Microsoft is susceptible to such a scenario, the Apple empire is even more so.

    It's not a question of if, but when. Will Apple be prepared? So far, all signs point to "NO".

    PS... the CAPTCHA word for this post was "condom".. how appropriate considering the whole point is to have a good profolactic. A good metaphore for Apple's current approach to security.

    1. Re:When Will Apple Learn by mr100percent · · Score: 3, Insightful

      I disagree, Apple has responded quite well, building in access control systems, program app exceutable digital signing, sandboxes, Address Space Randomization, Input Manager Restrictions, Filevault encryption, etc.

      Apple hasn't experienced a real virus outbreak, but they thought ahead to implement these features before anything has happened. They beat Microsoft in many of these areas.

    2. Re:When Will Apple Learn by Anonymous Coward · · Score: 2, Insightful

      Fair point, but they are still choosing system-level components and laying them out. They would be stupid not to. Perhaps they even have a couple engineers laying out motherboards.

      I guess my point was that what they do is make good decisions--that's much more significant than any minor layout tasks they might do. I've worked for a few companies that had engineers working at creating their own chip designs, board layouts, etc. Although it can be "Engineering", it's not particularly hard. (By Hard I mean unproven, how can this be done, etc). Hard is writing a multi-threaded OS core--they can't (and were smart enough to realize that). Hard is trying to get hundreds of video cards to work, taking advantage of the particulars of each different card.

      Here's a good hard problem--as an OS vender, create a system and spec that allows two different companies with no knowledge of each other to write applications in such a manner as one might embed itself in the other, allowing in-place editing of the embedded document (switching appropriate UI elements to those of the embedded program as needed). This is virtually impossible, Microsoft tries to do crap like this and gets to the "Functional Demo level" while pretty seriously degrading the stability of the system go do so.

      At all these hard problems Microsoft just piles on the engineers, gets some limited success--in many cases at the cost of system stability.

      Apple doesn't even try. They know where their strengths lie--they are pretty much a system integrator. Okay, maybe not like Joe's custom computer, but they certainly show no more technical skill than Dell or any laptop maker. (Except, as I said, they write a serviceable X-windows replacement.)

      By the way, by far my favorite things that apple did, any one company could have if they tried hard enough, but nobody ever has:
            Make a laptop where suspend WORKS repeatedly, without ever degrading
            Make a desktop/laptop that is dead quiet unless it absolutely needs the power
            Looks cool (hell, I bet 40% of the engineering staff is set to this task, they should get it right)

      Hmm, thought the list was longer...

    3. Re:When Will Apple Learn by jcr · · Score: 3, Insightful

      Don't they just order and piece together hardware just like joe shmoe's computer shop would?

      No, they don't. That's why the MacBook Pro is thinner and lighter than machines from other vendors with comparable performance specs, for example.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    4. Re:When Will Apple Learn by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      Saying apple makes good hardware though? Don't they just order and piece together hardware just like joe shmoe's computer shop would? Do they manufacture motherboards, CPUs, ram or hard drives? They might make the cases, I doubt they make the power supplies.

      Apple is an OEM like Dell or actually, more like Sony. Most of the components they use are standardized, but they do have motherboards designed just for them, they design how all the components go together, which ones to use, and what the required specifications (acceptable failure rate) are. Not all machines are created equal in this regard. Just take a look at the percentage of machines returned due to failed hardware that consumer reports publishes each year and you'll see Apple at the top of the list, closely followed by Sony, Lenovo and (surprisingly Dell this year as they've managed to turn around their laptop manufacturing, although not desktops). Other vendors have up to five times the percentage of hardware failure.

      So they made a good OS? Naw, they made a darn good windowing system to replace X though. Of course, all the concepts were out there--nothing technically groundbreaking.

      They (or Next who took over Apple) made a lot more than the windowing system. They made the kernel, the APIs the filesystem, the services framework, much of the userspace apps and daemons, and don't forget openstep. As for the graphics, well a PDF (vector) based windowing system was certainly ahead of it's time, although the networking capabilities were retrograde.

      So what does Apple actually make?

      They make the software, minus some pieces where they share development with the OSS community. They make the hardware.

      They restrict the hardware which must avoid thousands of "little annoyances" PC users see (like laptop suspend being flaky).

      Ummm. The flakey driver annoyances are always a problem for the hardware vendor, not the OS vendor. MS doesn't write drivers for Dell hardware, Dell does. Each OEM is usually responsible for getting drivers together and each OEM supports a subset of hardware, just like Apple.

      They let someone else create the multi-threading OS kernel for them because that's hard.

      Mach? Mach has been so remade by the Next engineers that it is pretty much their baby at this point. When Next was acquired by (or acquired) Apple they remade it further making it more monolithic and they've been reworking it ever since. Apple certainly does their own kernel.

      The other thing they bring is a lot of people who grab onto anything that they can latch onto to make them appear different--the VW bug, iPod, blackberry...

      How does an iPod make one appear different? They make up nearly 70% of portables.

      ...security-wize, but if they ever start doing any ground-breaking work, they will most likely start seeing some serious problems.

      You mean like being the first desktop OS to implement an SELinux style mandatory access control system by default and use it to sandbox services? The verdict is still out, but they seem to have done a pretty kick-ass job with that one so far. Apple has a lot of really good security people from Next and from BSD and other UNIX backgrounds that have been hired into the company in the last five years. Some of them do some solid, cutting-edge work. Apple's problem is that they are such a mixed bag when it comes to engineering, a lot of the userspace and services people are at the opposite end of the spectrum and don't think about security at all. Still, Apple is ready and poised to kick some serious butt when it comes to security enhancements, when and if, security ever becomes a real problem for the majority of their users. They are also getting a lot of free testing and fixes from the community, since so many people in the computer security industry are now using OS X on their own system

  4. Just another hit against Apple... by Shifuimam · · Score: 3, Insightful

    Yet another incident where Apple blatantly ignores the customers they claim to value so much...and they will likely continue to do so until there's such a shitstorm about this that they have no choice but to respond. Apple used to be a good company...ten years ago. Now they're just as bad (if not worse, in many regards) as every other IT giant out there. Sad.

    --
    I'm a geek girl. Seriously.
  5. How many people actually use iDisk? by Anonymous Coward · · Score: 1, Insightful
    My mother uses a Mac so I was interested in making sure she doesn't get pwned. I never heard of iDisk so I checked it out.

    .Mac iDisk lets you store, access, and share large files with drag-and-drop simplicity. And with ample online storage, even huge files are no problem.

    It sounds neat but mom isn't going to use it. My way to do the same thing is just to ssh to my desktop at work and do whatever. So, I wouldn't use something like iDisk. It is also neat that you can share large files with your buddies. otoh, people can share movies online without iDisk.

    So, my question is, how many people actually use iDisk? How much of a problem is this actually.

  6. Re:Huh? by Moofie · · Score: 2, Insightful

    Seems to me that if you're concerned about security, you should think very carefully about using a public terminal.

    --
    Why yes, I AM a rocket scientist!
  7. Re:Huh? by Knuckles · · Score: 4, Insightful

    Of course its a toss up if an average user would use a log off button

    That's why all bank sites I know log you out if you are inactive for a while. Seems like a good idea.

    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  8. No, incident does prove Apple is lacking ... by AHumbleOpinion · · Score: 4, Insightful

    Huh? You seem to have conflated their corporate policy, which is sometimes very stupid, with their security policy, which is generally good. The two have nothing to do with each other. Apple's overzealous moderation of their own forums is well known, and unfortunate. But it has nothing to do with how well they manage their OS security and how well they respond to exploits.

    You are very mistaken, this incident does prove that Apple's security policies and responses are indeed lacking. Don't get fixated on the deletion of a post, consider that they did not respond by adding a logout option to a *web* interface.

    1. Re:No, incident does prove Apple is lacking ... by Anonymous Coward · · Score: 2, Insightful

      If you have an ADC account (it's free) you can submit via bugreport.apple.com

      Feedback never gets a response from what I have heard, but is listened to. Look at the new feature in the latest Garageband update for example.

      As for the forums, they say quite clearly they are for user to user technical support, not discussion of policies.

    2. Re:No, incident does prove Apple is lacking ... by Tim+C · · Score: 2, Insightful

      The decision to nuke posts about a security flaw, while stupid and short-sighted, does not immediately mean that Apple's OS security people are lax or lazy.
      No - but not putting a log out button on a protected web resource does mean that they are either lax or lazy. I have no particular antipathy towards Apple, but that's just plain dumb. Even if the flaw isn't serious it certainly *looks* bad, and violates established practice for web applications.
      --
      It's official. Most of you are morons.
    3. Re:No, incident does prove Apple is lacking ... by kelleher · · Score: 2, Insightful

      Apple is not a monolithic entity with the ever-vigilant head of Steve Jobs on constant watch. It's a large corporation with multiple divisions, each of which has their regions of control and expertise. The decision to nuke posts about a security flaw, while stupid and short-sighted, does not immediately mean that Apple's OS security people are lax or lazy. Wrong - it means exactly that.

      If their security folks weren't lax and/or lazy there would be a well known and well understood process within Apple for all the divisions to follow when a possibly security flaw was reported. The process should include tracking, reporting, and escalation procedures to ensure that big things don't get categorized as small things and overlooked.

    4. Re:No, incident does prove Apple is lacking ... by bigstrat2003 · · Score: 2, Insightful

      Yet has nothing to do with it. That logout option should've been there from day 1 of *writing* the damn application. Common sense says: if you have a log-in, give the user the option to log out. Apparently some team at Apple lacks (or lacked) common sense.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    5. Re:No, incident does prove Apple is lacking ... by NMerriam · · Score: 3, Insightful

      If their security folks weren't lax and/or lazy there would be a well known and well understood process within Apple for all the divisions to follow when a possibly security flaw was reported. The process should include tracking, reporting, and escalation procedures to ensure that big things don't get categorized as small things and overlooked.


      There is a well known and well understood process, it's called bugreporter.apple.com. The process does include tracking, reporting, and escalation procedures to ensure that big things don't get categorized as small things and overlooked.

      What you're complaining about is that random forum administrators don't have the responsibility, time or technical ability to personally evaluate every forum post for whether it contains a bug or a security flaw as opposed to a stupid user error.
      --
      Recursive: Adj. See Recursive.
    6. Re:No, incident does prove Apple is lacking ... by NMerriam · · Score: 4, Insightful

      You claim that what forum admins do is unrelated to security. That is mistaken. Either a forum admin failed to report a security issue or they forum admin reported it and no one felt the need to update a *web interface* in a timely manner. Either scenario indicates that something is lacking at Apple.


      Or it indicates that user forums are not the place to report security flaws, and that user forum administrators are in no way able to evaluate what is a stupid user error vs what is an actual security issue across the hundreds of different hardware and software combinations Apple offers. If you think every forum post should simply be echoed to the bug tracker, that's your prerogative, but it seems to be a great way to waste a lot of the qualified bug-squashers' time.
      --
      Recursive: Adj. See Recursive.
    7. Re:No, incident does prove Apple is lacking ... by Anonymous Coward · · Score: 2, Insightful

      if forum admin don't have the necessary technical skills to evaluate which report are security issues, why are they deleting them so that noone else can? or pointing those users to the correct place to report such issues? putting your head in the sand only makes things worse, and gives apple their reputation for arrogance

  9. A minor flaw? Tosh. by blowdart · · Score: 5, Insightful

    0H N0ES U DIDNT APPLE IS TEH PERFECT

    Indeed; I'm somewhat amused that this is described as a "minor" security flaw in the summary and blamed on the user interface. If it was a Microsoft web site it would be described as a major flaw and the foaming at the mouth would begin. Nor is it a user interface problem; by using session cookies closing the browser would logout the user, with or without a logout button.

    The site listed (but not linked) in the summary doesn't describe the issue as minor, or a UI problem, so one can only assume that description comes from the summary author.

    1. Re:A minor flaw? Tosh. by Malevolyn · · Score: 2, Insightful

      As a player for both all three teams (so to speak) I'd have to say the article title is a bit sarcastic. I'm sure most people can agree that one of the differences between Apple and Microsoft is in how seriously they take themselves. Users tend to follow suit, which leads to sarcastic article title for what is very obviously a very large security flaw; in contrast, Microsoft articles lean more towards the more professional side.

      --
      Your ad here.
    2. Re:A minor flaw? Tosh. by shmlco · · Score: 4, Insightful

      So the sequence is IF you use a Mac and IF you're a .Mac member and IF you use iDisk and IF you check your iDisk from a public browser THEN someone could potentially access those files.

      Sorry, but the aggregate of all of those conditions is probably 0.000001%. Is it a problem? Yes? A major flaw? No. Worth discussing? Hardly. Check 100,000 public terminals and will you find one instance of the problem? Doubtful. In fact, I'd say that the fact that we're just now discovering the issue five years after .Mac and iDisk premired illustrates more than anything else as to just how "significant" it may be.

      Should it be fixed? Sure.

      As to your commments, I'm pretty sure I've ever seen anyone at anytime claim that Apple or Mac or OS X or the iPod or the iPhone is "PERFECT". Better, perhaps, but perfect? Nope. One has only to look at the tech notes and Software Updates to realize that. As such your entire anti-fanboi rant is pretty much just a strawman setup so you can knock him down, and pat yourself on the back in the process.

      A better issue would have been followed from "A quick review of any public terminal's browser history could bring up all kinds of interesting things." Like failing to log out of Gmail or an Amazon account. But no. We have to do yet another Apple vs. Microsoft vs. Linux flamewar. Guess it's another slow Sunday at /..

      Finally, the summary says, "feedback at apple.com/feedback has gone unanswered"... which is ALWAYS the case. It's a feedback site. It says feedback will be unanswered. To quote, "We read all feedback carefully, but please note that we cannot respond to the comments you submit." But again no, we have to make sure it looks like Apple is ignoring the "problem".

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    3. Re:A minor flaw? Tosh. by PM4RK5 · · Score: 2, Insightful

      You know the fanboi is well aware of the drivel he spews when he resorts to defending Apple anonymously.

      And yet the whole of Slashdot can go ahead bashing Apple without actually investigating the problem. Had anyone actually checked, they'd have noticed that the main .Mac page—which is how one accesses the iDisk interface—has this nifty little logout button, as seen in this screenshot.

      But it's more fun to bash Apple unconditionally.

      Perhaps it's a minor oversight that the self-contained iDisk interface lacks a logout button, but to say that "there is no way for the average computer user to log-out of their iDIsk on public computers" is patently false. Sure, they have to use the main .Mac page to do it, but you have to open that page to get to your iDisk in the first place. So: it's the user's choice to close that window while working on iDisk (the iDisk interface opens in a second window), and the user's oversight in failing to return there to log out.

      Investigative journalism at its best. Cripes.

    4. Re:A minor flaw? Tosh. by fatlaces · · Score: 2, Insightful

      Interestingly, that $99.99 is paid by you, not by advertisements. I haven't used it, but I think that would lead to a little cleaner interface/experience. I think ye olde internet was like that until the end of Compuseve and such.

      Still, for a hundred bucks I would need more storage, and the ability to use PERL/PHP with my sites.

  10. Catchup by Anonymous Coward · · Score: 1, Insightful
    • access control systems - built into windows since 3.1 (but only useful since NT4)
    • program app exceutable digital signing - Windows 2000
    • sandboxes - .net 1.0
    • Address Space Randomization - announced in Vista first
    • Filevault encryption - announced in Vista first; encryption with user keys was available in Windows 2000
  11. Re:Clear private data by Osty · · Score: 4, Insightful

    2. Slashdot keeps you logged in if you close the browser and restart it.. is that a bad design?

    Slashdot has a "public" option. If you click that when you log in, your login state is only stored for the session and freed when you close the browser.

    3. Many other sites do too.. it's called convenience.

    Many other sites also implement a "public" mode like Slashdot has. Just as two other examples, Microsoft's Outlook Web Access (OWA) lets you choose "public" or "private" when you login, and Microsoft's Passport/Windows Live ID gives you the option to save email + password, just email, or nothing (the latter two are effectively session-only logins, as you still need the user's password in order to login subsequently). As well, every other site also has the ability to logout, which .Mac is missing.

    Otherwise, yes, you're right a decent timeout is a good idea.. but what is "decent"? Sounds pretty subjective.

    A "decent timeout" is trivially simple -- mark your cookie only valid for the current session (aka, use a "session cookie"). This is at odds with persistent login designs, so you have to give users the option -- login with a session cookie ("public terminal") that will expire when you close the browser, or login with a persistent cookie ("private terminal") that will remain valid for some period of time. If you only choose the latter, like .Mac, you must also provide a "logout" option. Anything less is a security violation.

  12. Re:Huh? by tedrlord · · Score: 4, Insightful

    The whole problem is that they're not concerned about security. Most security measures are because users aren't concerned about security. They get really concerned when they find out someone's taken all their stuff, but that's a different subject.

    Anyway, as computer nerds, we're supposed to be concerned about computer security. Most people aren't. They have their own concerns. I'm glad that they're around to look after other things, so I don't have to be concerned about my bank running out of money, or my medication not being poisoned, or my car falling apart while I drive it, or all those nice other things that could be a really big problem if there weren't people making sure we were safe.

    Anyway, a good computer security example is antivirus software. I stay the hell away from the stuff, it's slow and buggy and bogs down my system more than most viruses do. On linux, it's not an issue since security issues there are better handled by better configuration and monitoring, and on my windows box I just use manual system/network diagnostic tools to keep an eye on it and fix whatever's needed.

    Does that mean I recommend the same to my friends? Hell no! I make sure they always run both a good antivirus and a firewall at all times. Otherwise they get viruses constantly. They just don't have the background to understand what they should and shouldn't do to avoid the things, not to mention the lack of skill necessary to deal with viruses as they come.

    My friends aren't stupid (most of them anyway), it's just not what they do. They use computers as tools to get things done, and if they're not making it safe and easy to do the work they want, then the computers aren't working right. That's just how it is, and that's why services that allow people to use public terminals need to be built from the ground up to make it secure to use a public terminal.

    You'd think Apple of all people (er, companies) would understand the need to make the right interface for different kinds of applications. Well, maybe I'm thinking back to the Eighties, way before their brushed metal/colorful candy era. If I had my way, they'd have canonized Raskin by now.

    --
    [insert witty quote here]
  13. Re:Huh? by eck011219 · · Score: 2, Insightful

    All of that is true. But Apple has this whole "I'm a Mac" ad campaign that touts the ease of use of Macs for the average joe out there, but then does something like this where you need to know fairly deeply what's going on internally to keep yourself safe. To the typical user, if it's not on-screen, it's gone. They understand "log out," but won't understand that there are still scrids of their session left on a public computer even if the browser is closed.

    Moreover, look at even the phrasing of the examples you give. Firefox is "clear private data" -- pretty straightforward, and you know what you're doing. "Reset Safari" is pretty cryptic by comparison -- it's fewer words (something Apple strives for, often rightly so), but it's far less descriptive of what's going on. Kind of a semantic version of the one-button mouse -- interestingly simple in theory, but it falls apart in practice.

    But all of that phrasing business is almost beside the point -- what average MyMom user at a library computer is going to know to clear the browser's history and cache to log out of iDisk? One doesn't seem to have to do with the other. In this case, there simply needs to be a button to log out. I'm sure the Apple interface designers shudder at the thought of the added clutter, but so be it.

    --
    It is pitch black. You are likely to be eaten by a grue.
  14. Re:The price of popularity by 99BottlesOfBeerInMyF · · Score: 2, Insightful

    ...chuckling not only at the security issues that are popping up, but at Apple's reaction to all of them.

    I've been working in the security industry for years. I've submitted bugs to Apple, MS, and various Linux and BSD projects. Apple's reaction to such submissions has been better than average. For the most part, they seem to acknowledge security related bugs and fix them before they are exploited, including providing credit to the bug reporter. I guess what I'm saying is, if you're judging "Apple's" response to security related bugs, maybe looking at how they handle problems reported to them through their publicly accessible bug reporting system is a better measuring stick, than looking at how they handle posts in forums. Not that I approve of censoring their forums, it just doesn't seem to be an important aspect of how they respond with regard to security. Not to sound like an Apple fan or anything, but I've frankly been impressed by Apple's quick turnaround on serious bugs.

  15. Re:Your post spells out Apple's shortcomings... by NMerriam · · Score: 2, Insightful

    No one is saying that a forum admin should evaluate the validity of the issue.

    That's precisely what you're saying, otherwise Apple should just pay it's security team to be the forum administrators so that nothing is missed. You can't tell someone to forward some things and not others without asking them to evaluate the messages to determine which need forwarding. In order to evaluate which need forwarding, you need technical knowledge about what is being discussed.

    Also you are creating a silly red herring. This particular security problem is independent of hardware or software. The problem and fix lie in a *web* interface

    So because it's a web interface it isn't software? It doesn't require any technical knowledge to evaluate? That doesn't even make any sense. There's no difference between a web interface and a standalone application interface in terms of telling a security issue from someone just bitching or being an idiot.

    Another silly red herring. There are qualified people between the forum admin and the developers. Isolating developers from the noise is a common thing in many organizations. If your silly scenario were true, if a forum guy could directly contact a developer then that would be yet another example of where a shortcoming may lie. Misrepresenting my position will not revive your failed logic.


    Nor will misrepresenting mine. Triage is one of the most important and time-consuming parts of dealing with bugs and security issues, and if you think Apple's finest programmers are running the first-line triage on the bug database, you're crazy. They have a whole staff with actual technical training and resources available whose sole job it is to do that triage, and basically what you're suggesting is that every single Apple employee should be trained in those skills and have those resources, or that the triage team should take over every form of communication "just in case".

    Because unless every Apple employee from the janitor to the shipping clerk knows as much as the triage team, they DON'T have the skills necessary to know what does and doesn't need to be reported to the triage team (hi, I'm a catch-22, nice to meet you!).
    --
    Recursive: Adj. See Recursive.