Slashdot Mirror


Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty (venturebeat.com)

Linus Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button.

While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.

155 comments

  1. It just works by fluffernutter · · Score: 3, Funny

    It just works.. If someone wants to know your password.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:It just works by marklark · · Score: 1

      And, if you're already logged in to the account...

      Logout or have a locking screensaver and you're safe. This would not be a problem in my home.

    2. Re:It just works by dgatwood · · Score: 1

      And, if you're already logged in to the account...

      Are you sure? I mean, ostensibly it doesn't work if the keychain is locked, which at least is supposed to happen when you sign out (*not* when the screen saver locks the screen), but can we be certain that this isn't a password bypass attack on the keychain locking itself? The article says nothing about the mechanism of action, nor about conditions under which it is reproducible.

      Logout or have a locking screensaver and you're safe.

      I'm pretty sure that's not true. Apps continue to run in the background when the screen is locked, and AFAIK have the same access to the keychain as they do when the screen is unlocked. So yes, ostensibly locking the screen prevents someone from running the app, but if somebody manages to couple this with a remote exploit that allows running code without console access, I don't think a locking screensaver will help.

      Basically, you're relying on defense in depth and hoping for the best, unless I'm missing something, and that's less than ideal. :-)

      It is probably better to change your keychain settings to lock the keychain on sleep and then put your machine to sleep instead of leaving it protected only by a screensaver — assuming, of course, that this is not a complete password bypass.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
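One concrete way to act on the "lock the keychain on sleep" advice in the comment above, as an added example that is not from this thread or from Apple: a POSIX shell script that parses the output of the stock `security show-keychain-info` command and applies lock-on-sleep plus an idle timeout with `security set-keychain-settings`. The output format is assumed from memory and the sample lines are constructed, so the parser runs on any system; only the apply step requires macOS.

```shell
#!/bin/sh
# Added example (not Apple's code and not from the thread): check and tighten
# the auto-lock settings of the macOS login keychain with the stock
# `security` tool, so an unlocked keychain is not left behind by a sleeping
# laptop that is protected only by a screensaver.
#
# Assumed output format of `security show-keychain-info` (constructed sample):
#   Keychain "/Users/me/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s
#   Keychain "/Users/me/Library/Keychains/login.keychain-db" no-timeout

# Parse one show-keychain-info line and print "sleep=<yes|no> timeout=<secs|none>".
keychain_lock_status() {
    line="$1"
    case "$line" in
        *lock-on-sleep*) sleep_lock=yes ;;
        *)               sleep_lock=no ;;
    esac
    case "$line" in
        *timeout=*s*) timeout=$(printf '%s' "$line" | sed -n 's/.*timeout=\([0-9]*\)s.*/\1/p') ;;
        *)            timeout=none ;;
    esac
    printf 'sleep=%s timeout=%s\n' "$sleep_lock" "$timeout"
}

# Return 0 only when the keychain locks on sleep AND after an idle timeout of
# at most $2 seconds; anything weaker (no sleep lock, no timeout, long timeout)
# returns 1.
keychain_is_hardened() {
    status=$(keychain_lock_status "$1")
    max="$2"
    case "$status" in
        "sleep=yes timeout=none") return 1 ;;
        "sleep=yes timeout="*)
            t=${status#*timeout=}
            [ "$t" -le "$max" ] && return 0
            ;;
    esac
    return 1
}

# Apply the recommended settings to the default (login) keychain. macOS only:
# -l lock when the system sleeps, -u lock after inactivity, -t timeout seconds.
harden_login_keychain() {
    command -v security >/dev/null 2>&1 || {
        echo "security(1) not found; this step only works on macOS" >&2
        return 2
    }
    security set-keychain-settings -l -u -t "${1:-300}" &&
        security show-keychain-info 2>&1 | while read -r l; do keychain_lock_status "$l"; done
}

# Stand-alone demo on constructed lines (no macOS needed). Run with "--apply"
# on a Mac to actually change the login keychain settings.
SAMPLE_WEAK='Keychain "/Users/me/Library/Keychains/login.keychain-db" no-timeout'
SAMPLE_OK='Keychain "/Users/me/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s'
for s in "$SAMPLE_WEAK" "$SAMPLE_OK"; do
    if keychain_is_hardened "$s" 300; then verdict=hardened; else verdict=WEAK; fi
    printf '%s -> %s\n' "$(keychain_lock_status "$s")" "$verdict"
done
if [ "${1:-}" = "--apply" ]; then
    harden_login_keychain 300
fi
```

On a Mac, `security show-keychain-info` with no argument reports the default keychain, which is what the screensaver-only scenario in the comment leaves unlocked.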

    3. Re:It just works by Anonymous Coward · · Score: 0

      Have you tried to log in as root with no password recently? That bug could be back. Would make this one easier to use.

    4. Re:It just works by marklark · · Score: 1

      And, if you're already logged in to the account...

      Are you sure?

      No, but if this is the scariest form of the video, I'm not impressed. It demonstrates that the user is logged in and the keychain is already unlocked.

      I mean, ostensibly it doesn't work if the keychain is locked, which at least is supposed to happen when you sign out (*not* when the screen saver locks the screen), but can we be certain that this isn't a password bypass attack on the keychain locking itself? The article says nothing about the mechanism of action, nor about conditions under which it is reproducible.

      I'm assuming that the screensaver is running while "KeySteal" is not yet. So, it can't steal things. If the thief can log in, then they have access to the Keychain anyway.

      Logout or have a locking screensaver and you're safe.

      I'm pretty sure that's not true. Apps continue to run in the background when the screen is locked, and AFAIK have the same access to the keychain as they do when the screen is unlocked.

      Yes, but since it's shown already running in an unlocked session. If the thief can't log in, they can't launch "KeySteal".

      So yes, ostensibly locking the screen prevents someone from running the app, but if somebody manages to couple this with a remote exploit that allows running code without console access, I don't think a locking screensaver will help.

      Those are hypotheticals that are not demonstrated in the video. Maybe if the thief has root access they can steal even more, but that's not demonstrated.

      Basically, you're relying on defense in depth and hoping for the best, unless I'm missing something, and that's less than ideal. :-)

      And Unix userspaces, too.

      It is probably better to change your keychain settings to lock the keychain on sleep and then put your machine to sleep instead of leaving it protected only by a screensaver — assuming, of course, that this is not a complete password bypass.

      Maybe. If there is more fire to go with this smoke, I'll be glad to learn more.

    5. Re:It just works by dgatwood · · Score: 1

      So yes, ostensibly locking the screen prevents someone from running the app, but if somebody manages to couple this with a remote exploit that allows running code without console access, I don't think a locking screensaver will help.

      Those are hypotheticals that are not demonstrated in the video. Maybe if the thief has root access they can steal even more, but that's not demonstrated.

      Those are not hypotheticals. I'm just describing a chained privilege escalation exploit, which is how most actual exploits in the real world happen. Like all local security holes, this can't cause users any problems until somebody comes up with an attack that lets them run code on the box, but that doesn't mean the exploit isn't worth worrying about.

      Those are hypotheticals that are not demonstrated in the video. Maybe if the thief has root access they can steal even more, but that's not demonstrated.

      The design of the keychain is such that even with root privileges, it is not supposed to be possible for a local attacker to gain access to the contents of the keychain. Data is encrypted at rest, and it is not supposed to be possible for arbitrary processes to access data except as permitted by each item's ACL (and even then, only after the keychain is unlocked). If any of those security measures aren't working, then it is a very *big* security hole, because it means that your keychain's keys are only as secure as the least secure app on your system.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    6. Re: It just works by Anonymous Coward · · Score: 0

      You know, 99% of Windows exploits were user installed because they didn't know better.

      If we apply the same logic, Windows is pretty secure

    7. Re: It just works by Anonymous Coward · · Score: 0

      Even if you have to be logged in I would be concerned. You are assuming someone wants to get into the computer to steal passwords which is rarely the case. While the program demonstrated is to test the exploit it could easily be updated to send the retrieved passwords externally.

  2. So, blackmail? by Anonymous Coward · · Score: 0

    This seems like sour grapes on the "Fark you, pay me" model. Companies offering paid bug bounties is a nice thing, but since when is it a requirement?

    1. Re:So, blackmail? by cob666 · · Score: 4, Interesting

      It's NOT a requirement that companies offer bug bounties, just as it's not a requirement that people who find these exploits are required to report them to the company in question. 0Day exploits can fetch a lot of money on the open market and if companies don't want those exploits published to the public then they will have to compete with the open market to obtain them.

      --
      Do what thou wilt shall be the whole of the Law - Aleister Crowley
    2. Re:So, blackmail? by Sarten-X · · Score: 3, Insightful

      Back in my day, we just tried to follow "responsible disclosure", and reported vulnerabilities because it made the world a safer place.

      This kind of stunt undermines that, by making responsible researchers (like me) more easily confused with actual blackmailers.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    3. Re: So, blackmail? by Anonymous Coward · · Score: 0

      It seems more like a move to challenge Apple. I doubt it is so much about personal incentive.

    4. Re:So, blackmail? by Anonymous Coward · · Score: 5, Interesting

      It's NOT a requirement that companies offer bug bounties, just as it's not a requirement that people who find these exploits are required to report them to the company in question. 0Day exploits can fetch a lot of money on the open market and if companies don't want those exploits published to the public then they will have to compete with the open market to obtain them.

      ^^This. No one is under any ethical or legal obligation to report their discovered bugs to Apple (as the way it should be).

      Legal? You're absolutely right. But if your ethics allow you to say "I know a way to harm many, many people. There's an action I could take, requiring very little time or effort, which could mitigate that. But I choose not to do it unless I get paid." then you're pretty much a piece of shit, ethically speaking.

    5. Re:So, blackmail? by Luthair · · Score: 1

      The distinction is likely the amount of time invested. I would hazard you stumbled across them or find them via some minor poking which is distinctly different from today where researchers are writing complex software and spending inordinate amounts of time.

      Of course the clear answer would be if you're looking to get paid not to bother with vendors that won't compensate you for the time invested.

    6. Re:So, blackmail? by Luthair · · Score: 4, Informative

      Is it ethical for Apple or its customers to expect outsiders to spend hundreds or thousands of man hours finding bugs in their software for free? Apple is certainly rich enough to either pay bounties or to hire an army of security researchers to test their products.

    7. Re:So, blackmail? by QuietLagoon · · Score: 1

      I was going to post about the "it certainly looks like blackmail" aspect of this. If Apple doesn't want to offer bug bounties, that is their choice. That choice does not give anyone a bye to act in an unethical manner.

    8. Re:So, blackmail? by willaien · · Score: 2

      Then, when you tell the company about the exploit, and they ignore it for an entire year, what should you do? At some point, you have an obligation to make the exploit public so that the company is forced to deal with it, instead of letting others who discovered it in private exploit it freely. It's why Google has a responsible disclosure policy that involves telling the company privately for a certain amount of time, then a public disclosure a set number of days after.

    9. Re:So, blackmail? by Anonymous Coward · · Score: 0

      Yes, I agree. One douchenozzle means you should be one too.

      1) It's completely unethical to sell an exploit, ever.
      2) Making the data available to the public and the company at the same time isn't very nice, but there's no obligation there.
      3) The devil is ALWAYS in the details.
            a) If they make it hard to report, #2 seems more ethical.
            b) Do reasonable security precautions by the user make the exploit invalid?
            c) Is it really an easy exploit or does it rely on security issues in things like USB, or that you have to have the machine unlocked and run a piece of software that works with "trusted developers only" turned on?

      Remember all the people that used to whine about Bono cheer-leading against AIDS and poverty and wanted him to mind his own business? Whining about no bounty is the same.

      What I would like to know is how many "valid" 'white-hats' actually hold back exploits for use in competitions or bigger bounties? Maybe that's replaced someone that would report everything when they find it, now that it's monetized.

      Because it's Apple, we're having this conversation again.

    10. Re:So, blackmail? by Anonymous Coward · · Score: 0

      or..... it's Apple that's a piece of shit for expecting valuable information for free.

    11. Re:So, blackmail? by Anonymous Coward · · Score: 0

      "I know a way to disregard many, many customers." --Apple

    12. Re:So, blackmail? by Darth · · Score: 5, Insightful

      Is it ethical for Apple or its customers to expect outsiders to spend hundreds or thousands of man hours finding bugs in their software for free? Apple is certainly rich enough to either pay bounties or to hire an army of security researchers to test their products.

      apple didn't expect or require anything from him. he knew before he started that apple doesn't pay bounties for bugs and he still chose to spend his time and effort looking for a bug specifically so he could release it into the wild. he could have spent his time researching software from a company that does pay bounties for bugs.

      he's a dick.

      --
      Darth --
      Nil Mortifi, Sine Lucre
    13. Re: So, blackmail? by Anonymous Coward · · Score: 0

      I think you're blowing it out of the water a bit there friend.

    14. Re:So, blackmail? by Baloroth · · Score: 1

      If you think this is "blackmail" I think you have a fundamental misunderstanding of the way blackmail works. You're supposed to *threaten* doing something bad and ask for payment in order to not do the bad thing in order to blackmail someone. Disclosure without the threat or request for payment is just a straight up "fuck you", which is very different (ethically and legally).

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    15. Re:So, blackmail? by ceoyoyo · · Score: 1

      It's generally considered that there is an ethical obligation to report security issues.

      It may be illegal to disclose those flaws publicly without notifying the company first. It's almost certainly illegal pretty much everywhere to sell them. "Give me money or I'm going to publish/sell this flaw I discovered" is likewise illegal.

    16. Re:So, blackmail? by cayenne8 · · Score: 1

      Legal? You're absolutely right. But if your ethics allow you to say "I know a way to harm many, many people. There's an action I could take, requiring very little time or effort, which could mitigate that. But I choose not to do it unless I get paid." then you're pretty much a piece of shit, ethically speaking.

      Well, a fella has to make a living somehow.....

      You gotta pay the bills and this kind of work takes time and effort, so.....

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    17. Re:So, blackmail? by lgw · · Score: 1, Offtopic

      So a heart surgeon shouldn't expect pay? It's just an hour of him time to save a life, after all.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    18. Re:So, blackmail? by Anonymous Coward · · Score: 0

      Yeah, bug bounties can be a nightmare to police. Companies can create underground economies in bug bounties if done wrong.

    19. Re:So, blackmail? by Anonymous Coward · · Score: 0

      But they are complete dicks if they disclose or sell them to be exploited.

    20. Re:So, blackmail? by Anonymous Coward · · Score: 0

      One side acting in an unethical manner does not mean the other side is being a saint.

    21. Re:So, blackmail? by Anonymous Coward · · Score: 0

      But if your ethics allow you to say "I know a way to harm many, many people. There's an action I could take, requiring very little time or effort, which could mitigate that. But I choose not to do it unless I get paid." then you're pretty much a piece of shit, ethically speaking.

      Are you talking about company employees who receive bug reports but don't act on them to fix said bugs because "it's not their job" or hackers who find out bugs but don't wildly distribute that information to the public, as the company won't do anything alone to mitigate anything, because no one pays them for the information? Ie, it sounds like the most ethical thing would be free 0day disclosure if a company has a history of not fixing bugs.

    22. Re:So, blackmail? by sexconker · · Score: 1

      Bug bounty programs are a fucking scam.

      They exist only to benefit companies. They get the PR points for "caring" about security, they get the benefit of people doing their job for them for pennies on the dollar, and they get the control they truly crave. If you want that pittance you need to abide by their terms, meaning you've got to expose your real identity and wait for months for a response, and even longer for a fix (if one ever comes). If you change your mind and think it's better to go public, you get no pittance AND the company will sue you AND try to get you thrown in jail. You're no longer a security researcher, you're a HACKER!! You didn't follow RESPONSIBLE DISCLOSURE (which is entirely defined by the company and entirely ignored)!! Under the CFAA, you can go to jail for the rest of your life (every single packet you send counts as one illegal act)!! Etc.

      Fuck that shit.

      If you're white hat, go public on day 0 every single time. Sure, it might be a bit chaotic, but that's the ONLY way companies will start caring about security. If you want to get paid, set up a Bitcoin wallet and ask for donations. But your real bread and butter will come from consulting fees as scared people will flock to you.

      If you're black hat, just sell the exploits as usual.

    23. Re:So, blackmail? by sexconker · · Score: 1

      "I know a way to harm many, many people. There's an action I could take, requiring very little time or effort, which could mitigate that. But I choose not to do it unless I get paid."

      "I know a way to secure our products. There's an action I could take, requiring a little bit of capital and time, to do that. But I choose to release buggy, insecure shit."

      Don't pass the buck downstream. Withholding disclosures is doubly dumb because you don't know who else has found the same flaw.

    24. Re:So, blackmail? by Anonymous Coward · · Score: 0

      I was going to post about the "it certainly looks like blackmail" aspect of this. If Apple doesn't want to offer bug bounties, that is their choice. That choice does not give anyone a bye to act in an unethical manner.

      Exactly.

      Try getting a Bounty from 99% of Linux Distros.

    25. Re:So, blackmail? by pem · · Score: 1

      There is nothing unethical about pointing out security flaws.

      Quite the contrary -- if a flaw exists, someone else is probably already exploiting it.

    26. Re: So, blackmail? by Anonymous Coward · · Score: 0

      So Apple being UNwilling to pay a penny per user to save their customers from millions in fraud plus the time and effort to try and mitigate it, is AOK with you?

      Why do you appoint the blame to a person who has announced the vulnerability, (a vulnerability likely already in use by other people who found but did not announce it,) and not to Apple, the company that created the problem?

    27. Re: So, blackmail? by Anonymous Coward · · Score: 0

      He reported it. It is not his obligation to help them fix it as an unpaid slave. Free market. You can claim his time is worth zero dollars a lifetime. He can claim his time is worth a billion dollars a second. Apple can negotiate a price if they want him to help them locate the exact flaw.

    28. Re: So, blackmail? by Anonymous Coward · · Score: 0

      And did that habit lead to a world free of security bugs due to the presence of reasonably funded, security focused development teams across all industries?

      No?

      Then maybe try something new.

    29. Re:So, blackmail? by farble1670 · · Score: 0

      It's NOT a requirement that companies offer bug bounties, just as it's not a requirement that people who find these exploits are required to report them to the company in question.

      IKR. It's completely reasonable to compromise the security of hundreds of thousands of users because you didn't get your paycheck.

    30. Re:So, blackmail? by Anonymous Coward · · Score: 0

      Ethical != Legal, as you point out, and that's exactly why he can do such a thing. Many american companies don't have ethics btw, because ethics gets in the way of profits.

      Don't be surprised when someone shoves ethics out of the window when dealing with companies. As they will surely throw you under a bus if it suits them.

    31. Re:So, blackmail? by farble1670 · · Score: 1

      Is it ethical for Apple or its customers to expect outsiders to spend hundreds or thousands of man hours finding bugs in their software for free?

      Point me to the document / press release where Apple asks outsiders to spend thousands of man hours to find bugs.

    32. Re:So, blackmail? by Anonymous Coward · · Score: 0

      he's a dick.

      That he may be, but there is nothing illegal about being a dick. In some countries it is pretty much required to be the head of state.

    33. Re:So, blackmail? by Tyr07 · · Score: 1

      If you're super worried about ethics you wouldn't buy the product anyway, made overseas because our standard of living makes it too expensive, but they can work them 14 hour days with no OT and lower pay than our minimum wage. Never mind any other overseas gear you buy "cheap".

      Better check your own ethics before you talk about another's.

    34. Re:So, blackmail? by Tyr07 · · Score: 2

      Apple started getting rid of the headphone since they don't get royalties from it and you can purchase other brand headphones without them making money. So now you have to buy special adapters and give more money to apple if you want to use headphones.

      Apple's a dick.

    35. Re:So, blackmail? by QuietLagoon · · Score: 1

      ...There is nothing unethical about pointing out security flaws....

      I didn't say there was. The unethical mention in my comment was relating to the blackmail aspect.

    36. Re:So, blackmail? by Anonymous Coward · · Score: 0

      Legal? You're absolutely right. But if your ethics allow you to say "I know a way to harm many, many people. There's an action I could take, requiring very little time or effort, which could mitigate that. But I choose not to do it unless I get paid." then you're pretty much a piece of shit, ethically speaking.

      Let's apply your principle to another example. Say you spot a young 21 year old in college not paying attention in class and spending their college years only partying. It takes you very little effort to point it out to them, which may mitigate a lifetime of stress on themselves, their spouse and their future kids. They may even become a public official and affect lives of hundreds if not thousands of people. So do you go about your life pointing people's flaws to them? If you don't then you're a piece of.... by your own logic.

    37. Re: So, blackmail? by Anonymous Coward · · Score: 0

      If it was worth something then Apple should pay. Wanting something for nothing isn't ethical either.

    38. Re: So, blackmail? by Anonymous Coward · · Score: 0

      Minimum wage for him, but if he operated on those Chinese prisoners you can retract all his operations because they were unethical.

      Oh wait, we're talking about a vulnerability disclosure. Is that still valid if it was done unethically? I guess the answer is yes, the bug still needs to be fixed.

    39. Re:So, blackmail? by Anonymous Coward · · Score: 0

      There's a lot of dicks in this world. Just saying.

    40. Re:So, blackmail? by Anonymous Coward · · Score: 0

      People are going to find the bugs regardless. Apple has a duty to secure their products. Realistically, they should be doing something to ensure that the wrong people don't find the bugs first. Or at least keep egg from their faces.

    41. Re: So, blackmail? by Anonymous Coward · · Score: 0

      Definitely no longer "credible" researcher

    42. Re:So, blackmail? by Anonymous Coward · · Score: 0

      I think the word everyone is looking for is "Extortion" and that is usually frowned upon. As in "Pay me my money or else...". He is under no obligation to report anything to Apple and nothing is stopping him from publishing all the 0-day exploits he uncovers. However, if someone uses one of his 0-day exploits to commit a cyber crime the victim can haul his ass into court claiming he is an accessory to the crime committed.

    43. Re:So, blackmail? by Anonymous Coward · · Score: 0

      Apple asked outsiders to test their product when Apple released a device that has security features that protect your credit card, bank account and thousands of dollars worth of hardware. Security has to be tight and I can tell you right now that if the customers don't test it, the black hats sure will.

      Saying the guy is a dick for revealing the exploit is like saying your neighbour is a dick for leaving a note on your door saying "Stop leaving your front door open, you will get robbed". Except in this case it isn't your house, it's everybody else's houses.

      Nobody is a dick here, in reality the idiots are the people buying Apple products knowing that Apple cares about Apple and not about something as insignificant as a customer. If you don't like their business practices then don't buy their stuff.

    44. Re:So, blackmail? by StuartHankins · · Score: 1

      That logic only holds while there are no 3rd party alternatives. Since there is a viable 3rd party ecosystem, this design change doesn't necessarily net Apple any money through adapters.

      That doesn't mean I am happy I don't have a new headphone adapter on my Macbook Pro. Oh wait, even their base model has one. Maybe you're talking about the iMac not having a headphone jack. Oh wait... the iMac also has a headphone jack.

      So your ire must be that the most portable Apple gadgets -- the iPhone and the iPad -- no longer tether the user unless you buy a dongle. I can't get excited about that, it doesn't affect me in any way, and if I wanted to use headphones with either device I would prefer not to be tethered to the device. Of course you may have a different opinion, but it seems silly to get all worked up about it. You don't get upset because there isn't a built-in SCSI or FireWire connector on modern computers do you? Even though we can all agree that those interfaces may have some utility to some people? Apple ditched the floppy and people lost their minds. They stopped providing parallel ports and surely the gods were mad at us and we would not survive. Yet we did, and today we're happy not to be burdened with extra legacy connectors. Do you really want USB2 or USB3 connectors on a new machine? Most people probably don't.

      Painting this as some conspiracy to extract money is something only the paranoid do. We're better than that.

    45. Re:So, blackmail? by farble1670 · · Score: 1

      Realistically, they should be doing something to ensure that the wrong people don't find the bugs first. Or at least keep egg from their faces.

      Sorry, are you suggesting Apple doesn't do anything to ensure their products don't have bugs or security holes?

    46. Re:So, blackmail? by farble1670 · · Score: 1

      Saying the guy is a dick for revealing the exploit is like saying your neighbour is a dick for leaving a note on your door saying "Stop leaving your front door open, you will get robbed"

      Uh no, it's not at all like that. It's like your neighbor discovering your door is unlocked and putting a note on everyone's door letting them know.
      https://slashdot.org/comments....

    47. Re:So, blackmail? by Anonymous Coward · · Score: 0

      ^^This. No one is under any ethical or legal obligation to report their discovered bugs to Apple (as the way it should be). Apple can choose whether or not to pay for it in order to encourage reporting, likewise they can choose to make it easy or difficult for people to report bugs, it's a business decision that they have to make and live with the consequences of.

      ^^^This is the reasoning behind why the US is shithole. Millions of Mac users can now have their passwords stolen, which can lead to very severe consequences like identity theft, fraud, loss of credit, etc. and the US response to that is "Who the fuck cares? Apple should make the decision that makes them the most money." Plenty easy to say that when it's not their ass on the line, but put them in the crosshairs without recourse and suddenly they will change their tune. We need a way to make sure these assholes actually suffer when these things happen. Their love of money needs to be taken out back and shot.

    48. Re:So, blackmail? by pem · · Score: 1

      Nobody forced those users to choose Apple.

    49. Re:So, blackmail? by pem · · Score: 1

      There are actually philosophical arguments to be made about why blackmail should not be illegal, but the resemblance between this and blackmail is only superficial in any case.

    50. Re:So, blackmail? by Tyr07 · · Score: 1

      Actually I still have a parallel port on my PC. It also has PS2 keyboard and mouse slots, and a lot of boards I work with still have serial ports.

      Going to USB 2/3 is compatible with USB 1 devices, and are only an improvement, allowing more features to be used. In fact, it consolidates it so a lot of devices can just use a single port type, instead of needing a ton of adapters to connect devices.

      So your logic is shit and you know it.

      This would be akin to everyone, like today, using USB ports for most additional devices, and someone being like HARK! USB slots are too big! For design we use new triangular USB ports. You'll need an adapter to connect regular square ones.

      It provides no actual bonus to users, or new features or functions. It's not about technology evolving, it's a business change to get more revenue out of their users. That's all, it's shit and we can smell it, get over it, you'll hear about it.

    51. Re:So, blackmail? by StuartHankins · · Score: 1

      The examples you gave -- USB1, PS2, serial -- are legacy ports. Nowadays, the vast majority of computers do not have any of these. USB3 on USB-C and Thunderbolt have replaced them. Yes USB2/3 steps down to USB1 speeds in most cases, but there are issues sometimes where it doesn't work and you actually have to replace the obsolete equipment or keep an old-style computer around. Yes, serial is sometimes used on old routers/switches which means you might need an adapter if you buy new equipment.

      You seem very upset. Do you feel threatened by new things? Step off the amphetamines please.

    52. Re:So, blackmail? by Anonymous Coward · · Score: 0

      Exactly! I have been publicly credited with reporting a serious security flaw, I did not expect any more and did not get any, I did it (quickly) so we can all be safer. Anyone who holds back reporting a security bug is not helping us, they lose their White Hat credential and simply have become a blackmailer. If he wants to make money so badly then he should pick the company that has the biggest payout that year and focus on them.

  3. What a callous prick. by nuckfuts · · Score: 4, Insightful

    Don't call yourself a "whitehat" if you refuse to behave honorably unless paid a "bounty".

    1. Re: What a callous prick. by Anonymous Coward · · Score: 4, Informative

      "Even on iOS, where Apple does offer bug bounties, the process for submitting bugs to the company is overly complex and dilatory — an issue spotlighted in the recent FaceTime spy bug debacle. Researchers have also accused Apple of hiding notices of bug fixes in sneaky ways and of taking too long to address reported issues, even when the security or privacy implications are serious."

      Need I say more?

    2. Re: What a callous prick. by Anonymous Coward · · Score: 0

      yes you do. such as why that quote has any relation to what nuckfuts said.

    3. Re: What a callous prick. by Anonymous Coward · · Score: 0

      yes you do. such as why that quote has any relation to what nuckfuts said.

      we will bypass the broken circuitry in your brain and show the answer:

      what is the point of filing bugs if apple does not fix them?

    4. Re:What a callous prick. by Anonymous Coward · · Score: 0

      Awesome gatekeeping you're doing there.

    5. Re:What a callous prick. by Anonymous Coward · · Score: 1

      Don't tell me Apple gives a damn about users if they want charity AND on a silver platter.

    6. Re:What a callous prick. by msauve · · Score: 2

      Don't call yourself a company concerned with privacy if you can't secure your products on your own, and won't pay others for their efforts.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    7. Re:What a callous prick. by Anonymous Coward · · Score: 0

      Your loyalty to Corporate positions is... questionable at best.

      Why should we play by their rules? Would you prefer he go to the highest bidder?

      'Whitehat' indeed, since he announced it period.

    8. Re:What a callous prick. by AmiMoJo · · Score: 1

      I wouldn't risk reporting a bug unless there was a bug bounty programme. The risk of them turning around and suing you or calling the cops is too great.

      Of course in this case we know Apple doesn't do that so it's no excuse for this guy, but as a general point companies without bug bounties are too risky for many whitehats to go near. Just this week there was a story about some guys who were physically assaulted at a trade show by the CEO of a company they reported a bug to.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:What a callous prick. by Anonymous Coward · · Score: 0

      Except as an independent researcher, he has absolutely no obligation, moral or otherwise, to assist a trillion-dollar company wipe its own ass. I'm a Mac user. I love Apple, I do. I switched whole-hog to Apple after 25 years as a Windows guy, and I don't regret it one bit.

      He's done the legwork. He's found the weakness. He's done what Apple should have done, and I firmly believe he should be rewarded for his effort.

      But Apple, right now, needs to either PREVENT this sort of exploitation in the first place ON THEIR OWN, or be willing to reward the guys who find their fuckups and don't simply burn macOS users one by one.

      Maybe this guy isn't the nicest around. But he's certainly not the worst.

  4. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  5. RIP OS X by jellomizer · · Score: 1

    Apple is rather clear without actually saying it. It really doesn't have interest in the Macintosh platform and OS X.
    Getting a MacBook Pro or a Powerbook back a decade ago, you really got a high end laptop, and for the time they were attractive units. OS X based on a real Unix Kernel gave it unprecedented security and stability, all the features that Linux had, plus a UI more advanced than Windows.

    Now OS X is showing its age, the updates on both the hardware and the OS have been lackluster. If I showed you a 2001 Titanium Powerbook and the latest Macbook Pro, they will look rather similar. Gray, brushed metal clamshell laptop.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:RIP OS X by Anonymous Coward · · Score: 0

      Showing its age? What are you smoking? MacOS just got a new filesystem last year. And the user experience just got improved with dark mode this year.

    2. Re:RIP OS X by Anonymous Coward · · Score: 0

      Showing its age? What are you smoking? MacOS just got a new filesystem last year. And the user experience just got improved with dark mode this year.

      showing its age indeed, Apple takes 10 years to make a filesystem that works properly with SSDs and it picks up "dark mode" from old saabs that had it for decades.

    3. Re:RIP OS X by Anonymous Coward · · Score: 0

      Showing its age? What are you smoking? MacOS just got a new filesystem last year. And the user experience just got improved with dark mode this year.

      showing its age indeed, Apple takes 10 years to make a filesystem that works properly with SSDs and it picks up "dark mode" from old saabs that had it for decades.

      I believe that Apple only seriously worked on APFS for about 3 years.

      Apple never said "Dark Mode" was "Unique". Only that it was "Requested by Pro-Users".

      Why all the Hate and Lies?

  6. The 2014 MacBook Pro is Ancient by Anonymous Coward · · Score: 0

    Apple can't afford to pay bug bounties on all their old products. How far back should they go and how much should they pay? Apple is awash in unreported bugs, and this could break the company.

    1. Re:The 2014 MacBook Pro is Ancient by AlanObject · · Score: 1

      Apple can't afford ...

      It is hard to believe someone could write that seriously.

      Apple has around $240 billion cash on hand. They could allocate $10 billion to nothing but awards for bug fixes and they wouldn't even feel it. Arguably they could do that every year.

    2. Re:The 2014 MacBook Pro is Ancient by drinkypoo · · Score: 3, Interesting

      Apple has around $240 billion cash on hand. They could allocate $10 billion to nothing but awards for bug fixes and they wouldn't even feel it. Arguably they could do that every year

      Yeah, or they could hire enough people to find (and prevent!) the bugs before they reach customers. But clearly, they don't care enough to do that. And the only way to make them care is public disclosure.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re: The 2014 MacBook Pro is Ancient by Anonymous Coward · · Score: 0

      Most concisely meaningful and relevant post of this entire topic so far.

    4. Re:The 2014 MacBook Pro is Ancient by stuff-n-things · · Score: 1

      People are continuing to use older computers (and phones) because they stopped getting significantly better every few years quite a bit more than 5 years ago. I'm typing this on a 2014 MBP because the keyboard doesn't suck (unlike my manager's 2017 MBP, which has had issues despite not being "ancient"), and Apple has not released anything portable with more than 16GB of memory. Don't need a FPS video card or a marginally supported touch bar, but rather memory for VMs connecting to different VPNs (one of the joys of consulting). Been thinking about putting Mint on it, so maybe it's time, and just deal with whatever M$ wants to re-license the W10 VMs.

  7. Updates lately have been great by SuperKendall · · Score: 0

    Now OS X is showing its age, the updates on both the hardware and the OS have been lackluster.

    What are you smoking?

    The iMac Pro was great. The new Mac mini was fantastic. The newer laptops are really nice, the only issue being some have issues with the keyboard (which they've mostly resolved in newer models).

    Mojave has been one of the better updates since they focused on optimization and stability improvements...

    If I showed you a 2001 Titanium Powerbook. and the latest Macbook Pro, they will look rather similar

    Go buy a bright purple Dell laptop then. Mac owners are the people who care about how well something functions, not how it looks.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Updates lately have been great by Anonymous Coward · · Score: 0

      The newer laptops are really nice, the only issue being some have issues with the keyboard (which they've mostly resolved in newer models)

      you must have a severe brain injury to not notice the missing magsafe connector

    2. Re:Updates lately have been great by Waffle+Iron · · Score: 1

      Go buy a bright purple Dell laptop then. Mac owners are the people who care about how well something functions, not how it looks.

      Too bad you weren't there to tell that to Steve Jobs 20 years ago. You could have helped Apple avoid wasting billions of dollars on Lucite.

    3. Re:Updates lately have been great by b0s0z0ku · · Score: 1

      ONLY issue? Please. Soldered-in non-upgradeable RAM and storage are major issues, since Apple charges sodomizing prices for more RAM and/or SSD. A battery that's not easily replaced below the touchpad and keyboard is another issue (it tends to swell, breaking the parts above it). USB-C ports only, check. In the real world, people still need other ports and shouldn't have to carry dongles.

      No. Thinkpad owners are the ones that care about function over looks. X and T series beat the socks off of Macbooks, but are ugly as sin. They can even run "borrowed" copies of OS X if you don't care about taking food out of Timmy-boy's mouth.

    4. Re:Updates lately have been great by iCEBaLM · · Score: 1

      The iMac Pro was great. The new Mac mini was fantastic.

      They're overpriced and underwhelming, way more than before. I had one of the first intel xeon Mac Pros, and at the time if you tried to build or buy something similar it would be about the same price for the components. Now you're touting the new mac mini as being fantastic?

      You can build one for about half the price that's smaller and faster: https://www.youtube.com/watch?...

      Apple computers are not a compelling value.

    5. Re: Updates lately have been great by Anonymous Coward · · Score: 0

      "The Apple %product11 was %adjective!"

      Take your tired Apple hype expletives some place else.

    6. Re:Updates lately have been great by Anonymous Coward · · Score: 0

      I got the first Xeon Mac Pro and it was fantastic. Now I'm back on Windows 7 because current Apple computers are toys and Windows 10 is an abomination.

    7. Re:Updates lately have been great by dgatwood · · Score: 2

      The iMac Pro was great. The new Mac mini was fantastic.

      They're overpriced and underwhelming, way more than before. I had one of the first intel xeon Mac Pros, and at the time if you tried to build or buy something similar it would be about the same price for the components. Now you're touting the new mac mini as being fantastic?

      You can build one for about half the price that's smaller and faster: https://www.youtube.com/watch?...

      FWIW, the Mac Mini was always overpriced, from the first day that the Intel version shipped. Competing on cost was never Apple's strong point, though they were usually within a few percent on high-end models in their base configuration (with no extra RAM or HD upgrades). Their upgrades have almost always historically been more expensive than buying the machine in the base configuration, buying the upgrade outright, and throwing away the parts you took out.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    8. Re:Updates lately have been great by Anonymous Coward · · Score: 0

      I got the first Xeon Mac Pro and it was fantastic. Now I'm back on Windows 7 because current Apple computers are toys and Windows 10 is an abomination.

      So let me get this straight:

      You think that the latest Mac Software and Hardware are "toys", and your brilliant "solution" is to jump ship to a Windows version that is THREE Major Revisions Old?!?

      Yeah, that sounds like a reasonably sustainable long-term plan there...

    9. Re:Updates lately have been great by _merlin · · Score: 1

      Yeah, I used to use MacBooks Pros and before that PowerBooks, but I've switched to Dell Latitude. This notebook is unglamorous black plastic, but packs in a lot more functionality for the price, has three USB type A ports, gigabit Ethernet, HDMI, and user-replaceable RAM, SSD, battery, and even keyboard and display. No-one who cares about functionality would be using a MacBook at this point.

    10. Re:Updates lately have been great by Jeremi · · Score: 1

      You can build one for about half the price that's smaller and faster:

      The middle third of that video is the presenter going over all the different components that don't quite work right, due to the fact that MacOS/X doesn't support that hardware.

      People who buy Macs are willing to spend extra money in exchange for having a computer that "just works". For them, buying a computer that you have to futz with is like buying a pair of jeans that doesn't fit right and has to be hand-altered -- you could do that and save some money, but it's easier to just spend the extra money to get something that fits properly from the get-go. If you're only buying a computer every 3-5 years, and you're going to be spending 20+ hours a week using it, the higher Apple price only amounts to about 10 extra cents a day.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
  8. This asshole needs his fingers broken by Anonymous Coward · · Score: 0

    Seriously, anyone who would reveal such info for vindictive purposes deserves to suffer.

    Fuck this prick.

    1. Re:This asshole needs his fingers broken by Anonymous Coward · · Score: 0

      No FUCK apple.

    2. Re:This asshole needs his fingers broken by b0s0z0ku · · Score: 1

      Assuming this is a real exploit (for all we know, the program he ran had root credentials saved!), isn't it better that he revealed it to the public vs selling it to the highest black-hat bidder?

    3. Re:This asshole needs his fingers broken by drinkypoo · · Score: 1

      Seriously, anyone who would reveal such info for vindictive purposes deserves to suffer.

      What info?

      Fuck this prick.

      Stop sucking Apple's.

      If he deserves to have his fingers broken for announcing that he has found a severe security problem (but not how to exploit it) what do Apple programmers deserve for creating it with their incompetence? What does Apple management deserve for letting it be created, and for being unwilling to pay bounties, which have been proven effective in getting researchers to disclose bugs to vendors instead of selling them on the black market?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. I'm fine with it. by Anonymous Coward · · Score: 0

    He didn't release specifics, so it can't easily be duplicated. He points out to Apple, "Hey, I'm working here. So how about a little something-something for my time." I don't have an issue with that.

    If you happen across a bug and report that to Apple free of charge, that's fine. That's your decision. If you work to find a bug and ask to be paid for your work, that's fine too. It's not released to hackers. Presumably, he hasn't sold it to hackers. Apple has the ability to try to figure out the problem on their own (they can pay their own employees if they are not going to pay him).

  10. That's why i don't use those bullshit keychains by Anonymous Coward · · Score: 0

    If they compromise it, all your accounts are hosed. Might as well just use the same password everywhere.

  11. Knuth got it right by Anonymous Coward · · Score: 0

    bug bounties have been best practice since at least vol. 1 of the Art of Programming, no?

  12. I thought by Anonymous Coward · · Score: 0

    what happens on your mac stays on your mac. I guess not. That's just more apple lies and bullshit.

    1. Re:I thought by Anonymous Coward · · Score: 0

      This is a local exploit that requires the user be logged in. So yeah, it stays on your Mac.

  13. Dubious veracity ... by b0s0z0ku · · Score: 2

    It's a Youtube video of some sort of program running. How do we know that the program can proceed without root (or admin user) access? For all we know, the program is given an admin password in its config files -- there's no real proof that it can proceed without credentials.

  14. And, to make your point more clear... by pem · · Score: 1

    In my opinion, this is more of a white hat operation than black hat.

    A true black hat would be getting whatever they could for the bug on the black market (and silently hurting Apple's customers), rather than taking an action that could (a) help Apple help its customers better long-term (even if there is short term pain) and (b) help other security researchers (who also have to eat, after all) by forcefully pointing out Apple's current policy. If Apple changes the policy to a researcher's liking, that researcher could decide to invest time and effort on Apple stuff; otherwise, perhaps the researcher might decide that his efforts are better spent helping other companies that show how much they appreciate the efforts of external researchers.

    Or the researcher might just decide that, since Apple has a huge user base and a demonstrated lack of commitment to security, it should be a fertile hunting ground if he wishes to go over to the dark side.

  15. dump-keychain by johnrpenner · · Score: 5, Interesting

    using:

    security dump-keychain -d login.keychain > keychain.txt

    in the terminal works rather nicely. this used to do so without authentication for the individual items.

    newer versions of macOS now ask for user password before revealing passwords — but for a long time, and for older systems, this works quite nicely.

    2cents from slushy toronto
    john p

  16. interesting comment from him by Anonymous Coward · · Score: 0

    "'without root or administrator privileges and without password prompts, of course"

    of course to get to that point he was logged in and installed an app, not from a secure source, which I think requires admin privs to run it for the first time in 10.14, then could do this. so there had to have been password prompts to get to that point
    so the system was already compromised and once compromised, guess what, it can be more compromised.

    maybe it is just me, this is not a big surprise. it is poor security and a bug, but not as simple as he makes it out to be

    1. Re:interesting comment from him by Anonymous Coward · · Score: 0

      or maybe he just made a few API calls in his application with a known embedded userid and password in the account he was already logged into

      https://developer.apple.com/documentation/security/keychain_services/keychain_items/searching_for_keychain_items

      it does not show which account he is accessing the keychain from

      maybe not a bug at all

  17. I know a lot of folks are upset at him by jjshoe · · Score: 4, Informative

    1) He hasn't released how to actually exploit it.
    2) This is a five, maybe six, figure bug on the black market.
    3) He's simply saying 'Hey, wake up, you're doing a giant disservice to all your users by pushing people to the black market.'

    --
    -- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
    1. Re:I know a lot of folks are upset at him by fortythirteen · · Score: 1

      Is he just going to sit on it if Apple doesn't pay? Assuming this isn't all LARPing, do you think he's safe walking around with such a valuable 0day and supposedly altruistic intentions? Do you think he's not already getting seven figure crypto offers for it?

      The way he went about this shows that the guy is already ethically compromised.

    2. Re:I know a lot of folks are upset at him by jjshoe · · Score: 1

      1) Rhetorical, clearly.
      2) I think his odds of harm coming to him are less than a vehicle involved accident.
      3) No.

      --
      -- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
    3. Re:I know a lot of folks are upset at him by Anonymous Coward · · Score: 0

      Apple routinely ignores and sits on bugs. Remember the bug where you could log in as root without a password? It was reported to them in July of that year, and they ignored it until it blew up on social media in November.

      The FaceTime bug was reported to them weeks before it blew up on social media, and they STILL haven't released a fix for it. They currently still have part of FaceTime turned off on the server to mitigate the issue, and they only did that after it blew up on social media.

      I wouldn't bother reporting to Apple either because they just don't care about bugs any more. There are a ton of less important non-security related bugs that have just been left for years, like Apple Music and iTunes routinely crashing. The Apple Watch will occasionally just refuse to sync with its paired iPhone, and this has just been left as-is for multiple iOS and Watch OS releases. When you run into some flaw with an Apple product, you'll frequently find that they already know about it, there is no work-around, and it dates back years.

    4. Re:I know a lot of folks are upset at him by lazarus · · Score: 3, Insightful

      If he uses this to, say, recover $145M in cryptocurrency from a laptop, then I'm sure he will do well...

      --
      I am not interested in articles about life extension advancements.
    5. Re:I know a lot of folks are upset at him by Anonymous Coward · · Score: 0

      Nope. If he was going to sell this to someone other than Apple, he wouldn't be announcing it as even a possibility.

    6. Re:I know a lot of folks are upset at him by fortythirteen · · Score: 1

      1) It's not clear that he'll just sit on it, especially considering he hasn't told a soul what it actually is. He could sell it on the black market and nobody would know it was this exact exploit.
      2) You said yourself that it's a six figure exploit. You can have someone killed in the low fives.
      3) If it's a six figure exploit why wouldn't he be receiving credible offers?

    7. Re:I know a lot of folks are upset at him by Holi · · Score: 2

      In what way does killing him help reveal his exploit? That makes zero sense in this case.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    8. Re:I know a lot of folks are upset at him by Anonymous Coward · · Score: 0

      He hasn't released how to actually exploit it.

      From the screenshots he released, this is likely because he hasn't exploited it.

      His program is displaying nothing but the same user keys shown in keychain for his account.
      Of course those are decrypted when you log in, that's normal behavior.

      I don't see any system accounts, or any keys from other user accounts.

      So he hasn't shown any exploit, which would explain why he hasn't released anything.
      He really should have logged into the guest account and shown his exploit displaying all the other user keys he shouldn't have access to. That would actually demonstrate an exploit exists.

    9. Re:I know a lot of folks are upset at him by Jeremi · · Score: 1

      In what way does killing him help reveal his exploit? That makes zero sense in this case.

      You're right, it doesn't, but I've watched enough TV shows to imagine someone deciding to provide him with a little "wrench therapy" until he agrees to cough up the exploit to them.

      Not that I think that's really likely either -- life isn't like a TV plot. But it's conceivable.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
  18. How is this not Black Hat? by fortythirteen · · Score: 4, Insightful

    In "protest of a lack of bug bounties" this individual is:

    1. Posting a YouTube video showing a purported P1, 0day security exploit.
    2. Not releasing any information on how to reproduce or resolve their exploit.
    3. Holding out for Apple to pay a "bug bounty" (read: ransom)

    We're through the looking glass if this is what qualifies as "security research" nowadays.

    1. Re:How is this not Black Hat? by Anonymous Coward · · Score: 0

      If he was a Black Hat he wouldn't have published this info, but used it or sold it.

      Judgemental dumbass.

    2. Re:How is this not Black Hat? by Anonymous Coward · · Score: 1

      In "protest of a lack of bug bounties" this individual is:
      1. Posting a YouTube video showing a purported P1, 0day security exploit.
      2. Not releasing any information on how to reproduce or resolve their exploit.
      3. Holding out for Apple to pay a "bug bounty" (read: ransom)
      We're through the looking glass if this is what qualifies as "security research" nowadays.

      Don't hate the player, hate the game.
      Congress decided companies can disclaim liability for most security vulnerabilities.
      Economically then, there is no incentive to fix those vulnerabilities.

      Somebody decided to play by the rules as they stand now, and you're crying foul.
      Hate the game? Then change the rules.

    3. Re:How is this not Black Hat? by Anonymous Coward · · Score: 0

      "We're through the looking glass"

      The person who polished the mirror is this guy. Now you can see yourself a bit more clearly. Get a haircut.

      Are you hating on him for it?

    4. Re:How is this not Black Hat? by fortythirteen · · Score: 1

      Remember how, in Die Hard, the terrorists believed that they were fighting for a greater cause? Didn't change the fact that they were fucking terrorists.

  19. No Apple doesn't by bussdriver · · Score: 1

    Apple has billions of $ invested; it's not sitting in a bank. They have become a Mutual Fund which pays dividends on their stock. They could probably transition into a full blown fund and stop making anything.

    1. Re: No Apple doesn't by Anonymous Coward · · Score: 0

      Umm yes Apple does. Apple has more CASH in the bank than any other company.

    2. Re:No Apple doesn't by AlanObject · · Score: 1

      Source: Apple's cash pile hits $285.1 billion, a record.

      Yes I realized from the get-go that it is not all in a single passbook savings at Wells Fargo at 0.82% interest. All the same the assertion that Apple "can't afford" something is just amazing.

    3. Re:No Apple doesn't by thomn8r · · Score: 1

      Yes I realized from the get-go that it is not all in a single passbook savings at Wells Fargo at 0.82% interest.

      If it was, Wells Fargo would have figured out how to steal it by now.

  20. You are blackmailing by crying blackmail! by Fringe · · Score: 2

    If part of his expected income is from this, your attempt at shaming him for actions you disapprove of is pure bullying. Apple has no right to first refusal if they won't compensate for the effort.

    Just because you want to blackmail him into giving his work for free to Apple doesn't mean that's the ethical choice. As long as he is not DIRECTLY harming others, his disclosures still fall on the ethical side. You, however, fall on the "troll" side.

    1. Re:You are blackmailing by crying blackmail! by Anonymous Coward · · Score: 0

      If part of his expected income is from this, and he chose to spend his time working on a system that he knew does not offer bounties, that makes him an idiot.

      The fact that he then released it in such a way as to make sure that the most damage was done means he is a dick.

      And because you can't seem to grasp these simple facts, you are the "troll".

    2. Re:You are blackmailing by crying blackmail! by Holi · · Score: 1

      In what way has he released anything "in such a way as to make sure that the most damage"

      It really seems you are accusing him of acts he has not performed.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    3. Re:You are blackmailing by crying blackmail! by farble1670 · · Score: 1

      As long as he is not DIRECTLY harming others, his disclosures still fall on the ethical side.

      There is no legal or moral argument that supports that line of thinking.

    4. Re:You are blackmailing by crying blackmail! by Fringe · · Score: 1

      There is no legal or moral argument that supports that line of thinking.

      There is no evidence that you know anything about legal or moral arguments, nor that you are an authority on anything.

    5. Re:You are blackmailing by crying blackmail! by Anonymous Coward · · Score: 0

      He is directly harming others by releasing details of the exploit to anyone except Apple. That makes him a black hat, and the ethical hacking community should reject him. He has stated he's releasing it to others because Apple does not pay a bug bounty, a fact he knew prior to investing any time or effort. But even if you invest time or effort, how in the world are you guaranteed any payment from that?

      This is no different than showing people how to bypass a key fob from an automobile manufacturer. No one is guaranteed income from a company with whom they do not have a contract. That's a very entitled -- and legally wrong -- mindset. What he's done is set up evidence of extortion and I hope he is fully prosecuted to the maximum for his shady behavior. Perhaps some pound-him-in-the-ass Federal prison time would be beneficial to helping him see the light.

    6. Re:You are blackmailing by crying blackmail! by Anonymous Coward · · Score: 0

      You shouldn't reveal your limitations and lack of knowledge so easily. Run along and let the adults talk, your ideas are preposterous garbage and your trolling ability is shameful. I'm sure there are sperm more capable of an intelligent thought than you.

    7. Re:You are blackmailing by crying blackmail! by farble1670 · · Score: 1

      Actually there is. Ever heard of accessory to a crime?
      https://en.wikipedia.org/wiki/...

      E.g., if I give you the key to someone's house so you can murder them, I'm not innocent. This is such common sense it's hard to believe you are challenging it.

  21. Credible researcher? by Pinky's+Brain · · Score: 4, Insightful

    White hats were reporting exploits long before you could make money with it, the money is not some inherent right. The guy is not a white hat, he's an asshat.

  22. It begs the question by eclectro · · Score: 0

    Do mac users really need passwords??

    Most of them have got to be SteveJobs1234 anyway.

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    1. Re:It begs the question by Anonymous Coward · · Score: 0

      It's actually IWantToSuckSteveJobsKnob

    2. Re: It begs the question by Anonymous Coward · · Score: 0

      His door knob? Or did you mean his 'nob'? Fucking ignorant American who needs to learn some English.

    3. Re: It begs the question by Anonymous Coward · · Score: 0

      Actually in American English, it IS spelled with a K. American spelling is more logical, or better, you might say. We spell color color, not colour (which looks like it should be pronounced call-hour), and meter is spelled meter, not metre, which should be pronounced met-rey. But to each his or her own.

  23. Single Button? by Anonymous Coward · · Score: 0

    Lie. I pressed every button at least once and none of them showed me any passwords.

  24. One button? I call BS. No way. by Wargames · · Score: 1

    I have pressed every button on a Mac at least once and none show passwords. Do I have to type in a command line and then hit one button? In which case I can also create a complete post like this one with just one button.

    --
    -- Each tock of the Planck clock is a new world and here we are still life. --

  25. A quick change of reputation! by chrism238 · · Score: 1

    This article's summary begins with "Linuz Henze, a credible researcher....." but the linked article reports "Previously credible researcher Linuz Henze...."
    Zero to hero in quick time!

    1. Re:A quick change of reputation! by Harinezumi · · Score: 1

      How, exactly, does any of this affect his credibility as a researcher? If the report checks out as reproducible, that should only make his research more credible. His job is research, not Apple customer service.

  26. Mac Attack by AndyKron · · Score: 1

    It just works

  27. Well, Apple might not pay... by Anonymous Coward · · Score: 0

    ...but others would.

  28. Good on him! by Anonymous Coward · · Score: 0

    If the guy sought donations I'd gladly give him a nice one. It gives me a chuckle when someone gives Apple's chain a good and well-deserved yanking.

  29. this is why i read hacker news... by Anonymous Coward · · Score: 0

    All the posts here are jokes. Over on hacker news, they're actually talking about the mechanism.

    sad what /. has become.

  30. one step removed from 'digital extortion' by david.emery · · Score: 1

    I'd like to see a law requiring disclosure of vulnerabilities with penalties for non-compliance.

    But first, I want a law that makes companies liable for bugs and vulnerabilities, i.e. one that outlaws most of the terms in shrink-wrap licenses. When companies actually pay damages, they'll start being A Lot More Careful.

    1. Re:one step removed from 'digital extortion' by pauljlucas · · Score: 2

      When companies actually pay damages, they'll start being A Lot More Careful.

      Good, cheap, fast: pick any two. If you assume good = careful, then either the software will be cheap, but slow between releases; or fast but expensive. Most consumers prefer cheap. One problem with cheap but slow is that companies need to be able to pay their employees between releases.

      --
      If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.

  31. What's the fuss? by Anonymous Coward · · Score: 0

    We've always been able to dump all the keychain information in one go from the keychain? Desperately trying to make an anti-Apple case?

  32. Re:What a callous prick. Fuck You, Cunt Bastard. by Anonymous Coward · · Score: 0

    How about fuck you. They are whitehats. They are MODERN DAY GANDALF! They are Christly and beautiful!

    You are a fucking fuck piece of shit.

    And apple is a fucking god damned piece of fucking low life scum shit.

    There should be a LAW that requires these fucking chicom-spy infested shit fuck asshole murderous evil vile tech companies to pay for bug bounties.

    The chicoms have infiltrated everywhere and the only way to stop it is to do bounties like this to root out the chicom spy code planted there ON PURPOSE.

    Fuck you traitor. You are a traitor and a spy for the chicoms and a piece of shit.

  33. Since when is business blackmail? by Anonymous Coward · · Score: 0

    It's too easy to assume that forcing Apple's hand by outing them is a negative, when at worst it's simply amoral. Apple is in business to make money, therefore it cannot criticize anyone else doing the same. It has no moral standing to do so.

    The security researcher gave Apple first option on the bug, which they deemed worthless. The researcher, following Apple's lead, openly published the 'worthless' piece of information in order to test if it was really worthless. If indeed it is not, then the researcher is simply exposing Apple as the greedy company it is, mooching off the goodwill of others (researchers).

  34. Ahhh...Wait What? by WindowsStar · · Score: 1

    This has been known for a long time. How is this person taking credit for something we have been using to help retrieve forgotten passwords or help move a user to a new Mac?

  35. white hat? by sad_ · · Score: 1

    Since when do white hats do something for money?
    There have been white hats who made security issues public before fixes were available, sure, but most of the time after working (or trying to work) for months with the company in question and finally hitting a dead end. You use it as a last resort.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.