
(PCWorld) Dumbass Apple profusely thanks and rewards a hacker who finds serious security flaws in the App Store. Just kidding. They threw him out of the developer program. (pcworld.com)

2476 clicks; posted to Geek on 22 Nov 2011 at 6:14 PM



55 Comments
 
2011-11-22 02:20:55 PM
But, but.... Apple products can't get viruses, and it's impossible to install malware on Apple devices!
 
2011-11-22 02:43:35 PM
Dear Apple,

Thank you for shooting yourself in the foot. I can't think of any other company who DOESN'T deserve its popularity to your extent. Please continue to make yourself look as bad as you actually are.

Hate and kisses,
Saborlas

PS you assholes didn't invent a frogdamn thing, you just took other people's inventions, put them in an ugly off-white case, and marketed them to idiots with more money than brains. P. T. Barnum would be proud.
 
2011-11-22 03:59:38 PM
That sounds about right from the Evil Empire.

I wonder how the Fanbois will spin this?
 
2011-11-22 04:00:05 PM
Saborlas: Dear Apple,

Thank you for shooting yourself in the foot. I can't think of any other company who DOESN'T deserve its popularity to your extent. Please continue to make yourself look as bad as you actually are.

Hate and kisses,
Saborlas

PS you assholes didn't invent a frogdamn thing, you just took other people's inventions, put them in an ugly off-white case, and marketed them to idiots with more money than brains. P. T. Barnum would be proud.


5/10

would have been much better without the postscript.
 
2011-11-22 05:41:57 PM
GAT_00: That sounds about right from the Evil Empire.

I wonder how the Fanbois will spin this?


Guy broke the rules and deserved it, it's totally understandable, Apple's being reasonable, it's their market they can do what they want with it, everyone who thinks otherwise is just a hater and/or paid shill by Google and/or Microsoft.
 
2011-11-22 05:58:31 PM
tallguywithglasseson: Guy broke the rules and deserved it, it's totally understandable, Apple's being reasonable

I think it's a bad PR move, but I can agree somewhat. I mean the guy DID upload malware. Even if he meant no harm, if someone downloaded/installed it, it would put their phone in a compromised state. And a lot of corporations that use iPhones for business would be pissed that such a thing even exists.

If the guy really wanted to help, he'd email Apple and tell them instructions on how he *could have* uploaded malware to the app store, and ask them to fix their store.
 
2011-11-22 06:18:25 PM
His intelligence was rivaled by his stupidity. He should have just contacted Apple and told them what the issue was.
 
2011-11-22 06:20:08 PM
downstairs: tallguywithglasseson: Guy broke the rules and deserved it, it's totally understandable, Apple's being reasonable

I think it's a bad PR move, but I can agree somewhat. I mean the guy DID upload malware. Even if he meant no harm, if someone downloaded/installed it, it would put their phone in a compromised state. And a lot of corporations that use iPhones for business would be pissed that such a thing even exists.

If the guy really wanted to help, he'd email Apple and tell them instructions on how he *could have* uploaded malware to the app store, and ask them to fix their store.


Sadly, Apple would not have done a damn thing and would have actually said no such flaw exists. I've seen reports and heard from people working at the Apple Store who are told to tell customers that Apple products don't get malware and viruses. And if they did have them, not to fix them.
 
2011-11-22 06:26:51 PM
GAT_00: That sounds about right from the Evil Empire.

I wonder how the Fanbois will spin this?


Except he didn't "warn and inform Apple", he wrote the exploitable app, got it into the app store and then told Apple about it. Absolutely, it's Apple's fault that they didn't look at the app closer, not going to argue that. But a better way of going about it would have been to inform Apple _before_ doing anything like this.
 
2011-11-22 06:28:00 PM
I know first-hand that Apple are a bunch of asses to deal with for anything App Store-related, but the terms of the Developer Agreement are pretty clear.

Don't submit malware. Don't publicize confidential information about Apple's technologies or potential security problems therewith.

Wanna be a white hat hacker? Clear it with your 'target' first.
 
2011-11-22 06:29:29 PM
If I had developed a bomb that the TSA couldn't see in their scanner, I would run down to the airport, put it through, and then whip it out on the other side and yell "Ta Da!"

Then I would wait patiently while the TSA and federal agents went to bake me a cake and fetch me my Medal of Freedom.
 
2011-11-22 06:31:01 PM
GAT_00: That sounds about right from the Evil Empire.

I wonder how the Fanbois will spin this?


They won't worry about it. Because Apple fanbois aren't actually capable of thought.
 
2011-11-22 06:52:47 PM
cmunic8r99: Saborlas: Dear Apple,

Thank you for shooting yourself in the foot. I can't think of any other company who DOESN'T deserve its popularity to your extent. Please continue to make yourself look as bad as you actually are.

Hate and kisses,
Saborlas

PS you assholes didn't invent a frogdamn thing, you just took other people's inventions, put them in an ugly off-white case, and marketed them to idiots with more money than brains. P. T. Barnum would be proud.

5/10

would have been much better without the postscript.


Cue the 'O'Rly?' owl.

After getting skint on a nearly-$2000 iMac 24, and discovering its many glaring flaws (among them its being stuck together from cheap chinee components, which fail expensively) I joined the 'Anything but Apple' group on Facebook.

/Steve Jobs? Read THE NEXT BIG THING
 
2011-11-22 06:52:52 PM
Saborlas: PS you assholes didn't invent a frogdamn thing, you just took other people's inventions, put them in an ugly off-white case, and marketed them to idiots with more money than brains. P. T. Barnum would be proud.

Apple stole their mobile OS from Palm, that's why no Apple handheld devices predate the Palm pilot.
 
2011-11-22 07:06:48 PM
I submitted this almost two weeks ago! And with a better headline that included a paddlin' reference!
 
2011-11-22 07:11:09 PM
xmasbaby: If I had developed a bomb that the TSA couldn't see in their scanner, I would run down to the airport, put it through, and then whip it out on the other side and yell "Ta Da!"

Then I would wait patiently while the TSA and federal agents went to bake me a cake and fetch me my Medal of Freedom.


So, basically, neither of you has any idea what happens when you simply try to tell a company about a security flaw affecting their products or services without actually making a point of showing the problem in action.

/ hint: it's nothing
 
2011-11-22 07:12:15 PM
Or, if I choose to NOT be a failure, I could quote the proper second person...

skinink: His intelligence was rivaled by his stupidity. He should have just contacted Apple and told them what the issue was.
 
2011-11-22 07:15:07 PM
You are all mad at a telephone design firm because they offer telephones you don't like. There is no hope for peace on Earth.
 
2011-11-22 07:33:17 PM
Ah, the fruits of increased market share. More arrows pointed at your bullseye.

Maybe if I close my eyes they won't hit me. GO AWAY ARROWS!!!1!
 
2011-11-22 07:41:25 PM
Makh: Saborlas: PS you assholes didn't invent a frogdamn thing, you just took other people's inventions, put them in an ugly off-white case, and marketed them to idiots with more money than brains. P. T. Barnum would be proud.

Apple stole their mobile OS from Palm, that's why no Apple handheld devices predate the Palm pilot.


Not sure if serious.
 
2011-11-22 07:42:43 PM
SpeedyBB: After getting skint on a nearly-$2000 iMac 24, and discovering its many glaring flaws (among them its being stuck together from cheap chinee components, which fail expensively) I joined the 'Anything but Apple' group on Facebook.

Anyone that's around the geek tab enough knows I am anything but an Apple apologist. However....you should know that "anything but Apple" is likely made in the same Foxconn factory in China (with Thai/Malaysian/Mexican parts)...Dell, HP, etc. Even building your own machine will land you Chinese parts.


If you don't shop around and get what you need for the best amount of money, you can't blame the company that made the product too much.
 
2011-11-22 07:48:22 PM
meatofmystery: Anyone that's around the geek tab enough knows I am anything but an Apple apologist. However....you should know that "anything but Apple" is likely made in the same Foxconn factory in China (with Thai/Malaysian/Mexican parts)...Dell, HP, etc. Even building your own machine will land you Chinese parts.

So much this. My Windows 7 box I built from scratch and my iMac share many of the same components.

/although the screen on the Mac is better
//but the SSD in my Windows 7 box blows away the iMac's 7200 RPM drive
 
2011-11-22 08:01:59 PM
downstairs: And a lot of corporations that use iPhones for business would be pissed that such a thing even exists.

So, no one would have gotten hurt?

Joking aside, I actually get where Apple is coming from this time. If you're going to go through all the trouble of setting up the whole walled garden business, you can't ignore a public violation of your terms. It'll just set up the next actually malicious guy to say, "well, you didn't kick HIM out."

Of course, if their platform was more open and less restrictive to developers, perhaps he could have demonstrated this without uploading it to the app store proper...
 
2011-11-22 08:07:22 PM
Uh a lot of you people are wrong. The hacker actually has a doctorate in Mathematics at Notre Dame and worked at the NSA for 5 years. He knew what he was doing and knew he would be kicked off and would do it again. He was also the guy who won the hack 2 own contests from a few years ago which at defcon I believe the challenge was out there to hack 3 laptops one with OSX one with Windows and the other with Linux. Guess which one he hacked. He did this on purpose though cause like all companies when you get information about an invulnerability in your system you like to keep it quiet. Also typically those people can end up in jail who have informed the company about said hack. So I'm pretty sure he wasn't an idiot and he is fine with everything that happened. To read his interview with Engadget the link is Link
 
2011-11-22 08:10:13 PM
bravian: So much this. My Windows 7 box I built from scratch and my iMac share many of the same components.

My Mac mini and the wife's Gateway laptop that we happened to both buy in the same month, a couple of years before we even met, shared pretty much every relevant component with each other, excepting the shapes of the motherboard and the case.

/although the screen on the Mac is better
//but the SSD in my Windows 7 box blows away the iMac's 7200 RPM drive


So put a SSD into the iMac.
 
jvl
2011-11-22 08:17:23 PM
GAT_00: That sounds about right from the Evil Empire.

I wonder how the Fanbois will spin this?


Guy intentionally submits a crack to the App store and Apple banhammers him. They must be an Evil Empire. Only Fanbois would defend them.

Seriously, don't you ever get tired of your own knee-jerk stupidity? I do.
 
2011-11-22 08:53:22 PM
I like Charlie Miller. I follow him on Twitter (@0xcharlie) and I like what he's done to bring security issues with Apple's products to everyone's attention. He's also stated he's a fan of Apple's products, as am I. So what he's done in the past for the most part I'm on board with.

But in this situation he made a mistake, and I'd say it's due to his ego.

It's one thing to point out to Apple a potential flaw so they may address it. It's a completely different thing to put this flaw in an app and publish it onto the App Store, no matter what you "intended" to do with it afterwards. He was removed from the developer program for that and rightfully so. If he can't understand that then that's too bad for him. And if he continues down a road of victimization then I'm going to have to reconsider my opinion of him.
 
2011-11-22 09:09:13 PM
The article is dated Nov. 9th, and we had several threads about it at the time. Or were you losers too busy parroting lame anti-Apple propaganda to notice it then?
 
2011-11-22 09:15:26 PM
Apple is overpriced crap marketed to idiots, but I'm siding with Apple on this one.

Violate the terms of your dev agreement, get the banhammer. If that's literally the only way to demonstrate a security flaw and get it taken seriously, then do it and accept the consequences. Just don't biatch too much about it afterward.

/I pay for insurance on my HTC EVO 4G
//I don't biatch when the Sprint Store refuses to repair my phone when I have aftermarket firmware
///I knew what I was doing when I rooted it and installed aftermarket firmware
////that's why I cover my ass and have a stock rom on my SD card.
 
2011-11-22 09:17:34 PM
This would have never happened if Ste......

ah, never mind
 
2011-11-22 09:21:53 PM
theurge14: I like Charlie Miller. I follow him on Twitter (@0xcharlie) and I like what he's done to bring security issues with Apple's products to everyone's attention. He's also stated he's a fan of Apple's products, as am I. So what he's done in the past for the most part I'm on board with.

But in this situation he made a mistake, and I'd say it's due to his ego.

It's one thing to point out to Apple a potential flaw so they may address it. It's a completely different thing to put this flaw in an app and publish it onto the App Store, no matter what you "intended" to do with it afterwards. He was removed from the developer program for that and rightfully so. If he can't understand that then that's too bad for him. And if he continues down a road of victimization then I'm going to have to reconsider my opinion of him.


How could he know if the flaw worked unless he sent it through the process? The whole point of the attack was to see if his malware could get through the inspection process not to see if he could write malicious code.
 
2011-11-22 09:27:06 PM
Subby: Apple profusely thanks and rewards a hacker who finds serious security flaws in the App Store. Just kidding. They threw him out of the developer program
Article: Apple didn't suspend Miller from the Apple Developer program because he found a flaw.

Well, shiat, if we're just making stuff up at this point, then why bother linking to real stories?
 
2011-11-22 09:36:25 PM
psychoace: Uh a lot of you people are wrong. The hacker actually has a doctorate in Mathematics at Notre Dame and worked at the NSA for 5 years. He knew what he was doing and knew he would be kicked off and would do it again. He was also the guy who won the hack 2 own contests from a few years ago which at defcon I believe the challenge was out there to hack 3 laptops one with OSX one with Windows and the other with Linux. Guess which one he hacked. He did this on purpose though cause like all companies when you get information about an invulnerability in your system you like to keep it quiet. Also typically those people can end up in jail who have informed the company about said hack. So I'm pretty sure he wasn't an idiot and he is fine with everything that happened. To read his interview with Engadget the link is Link

Holy run-on sentences batman!

/Still, interesting.
 
2011-11-22 09:46:21 PM
psychoace: Uh, a lot of you people are wrong. The hacker actually has a doctorate in Mathematics at Notre Dame and worked at the NSA for 5 years. He knew what he was doing and knew he would be kicked off. He was also the guy who won the hack 2 own contests from a few years ago, which was at defcon I believe. The challenge was to hack 1 of 3 laptops. One with OSX one with Windows and the other with Linux. Guess which one he hacked. He did this on purpose, cause like all companies when you get information about a vulnerability in your system you like to keep it quiet. Also typically those people can end up in jail who have informed the company about said hack. So I'm pretty sure he wasn't an idiot and he is fine with everything that happened. To read his interview with Engadget the link is Link

Better? I tend to write in rough draft
 
2011-11-22 10:11:51 PM
The right way to do it is to install malware on millions of iPhones, then hold Apple for ransom to turn the botnet off without harvesting information from them.
 
2011-11-22 10:17:41 PM
fluffy2097: The right way to do it is to install malware on millions of iPhones, then hold Apple for ransom to turn the botnet off without harvesting information from them.

I'm sure that Apple has a way to remotely delete apps from their phones. I mean, Google can, and they have done it in the past.
 
2011-11-22 10:30:58 PM
fluffy2097: The right way to do it is to install malware on millions of iPhones, then hold Apple for ransom to turn the botnet off without harvesting information from them.

Apple? psh. Considering the amount of biatching American carriers have done about the iPhone's data consumption... ransom AT&T.

"We'll let people make phone calls if you pay up"
 
2011-11-22 11:23:27 PM
theurge14: I like Charlie Miller. I follow him on Twitter (@0xcharlie) and I like what he's done to bring security issues with Apple's products to everyone's attention. He's also stated he's a fan of Apple's products, as am I. So what he's done in the past for the most part I'm on board with.

But in this situation he made a mistake, and I'd say it's due to his ego.

It's one thing to point out to Apple a potential flaw so they may address it. It's a completely different thing to put this flaw in an app and publish it onto the App Store, no matter what you "intended" to do with it afterwards. He was removed from the developer program for that and rightfully so. If he can't understand that then that's too bad for him. And if he continues down a road of victimization then I'm going to have to reconsider my opinion of him.


Except that you're forgetting he is an expert in this subject zone. He probably knows what he's doing enough that he can ensure that he doesn't damage anything.
 
2011-11-22 11:30:27 PM
downstairs: If the guy really wanted to help, he'd email Apple and tell them instructions on how he *could have* uploaded malware to the app store, and ask them to fix their store.

There's no way to know for certain whether a vulnerability on iOS is legit without submitting it to the store, since Apple's review process includes at least some sort of (certainly primarily automated) code inspection and will kick it back with a rejection for various reasons, most of which are hard to be aware of until you've run into it. If they're catching it then it's not really something to worry about--just yet another verboten "undocumented API".
 
2011-11-22 11:45:46 PM
[two images, linked from i43.tinypic.com and i39.tinypic.com]
 
2011-11-22 11:46:25 PM
Is this the thread where people try to argue that design and form factor are valueless attributes for electronic devices?
 
2011-11-22 11:57:05 PM
Kar98: bravian: So much this. My Windows 7 box I built from scratch and my iMac share many of the same components.

My Mac mini and the wife's Gateway laptop that we happened to both buy in the same month, a couple of years before we even met, shared pretty much every relevant component with each other, excepting the shapes of the motherboard and the case.

/although the screen on the Mac is better
//but the SSD in my Windows 7 box blows away the iMac's 7200 RPM drive

So put a SSD into the iMac.


As I remember, getting into one of those new iMacs requires no less than suction cups in order to lift up the screen... idk if that's changed since I last worked on them. Quite a bit of work to replace a hard drive.

/Macs are great for when you want a good computer out of the box
//for real performance, build a Windows 7 system yourself
 
2011-11-23 12:22:33 AM
Hacking is not security. Hacking has value, but it's not security. Security is controls, monitoring, procedures, etc. Hacking is breaking something. A better test of somebody's skills is not can they break something...but can they fix it. Miller might be a smart guy, but his hacks were mostly ego posturing for him and his employer, Accuvant (which is notorious for sensationalist garbage).

If Miller really truly cared about Apple and helping the security industry, he wouldn't go bragging all over the Internet about his 1337 hax0r skillz. He would propose some ways to fix the problems and make apps more secure.

In this sense, I have little sympathy for Miller. Like a lot of famous hackers, it's all about the hacking for them, not the solution. This is why BlackHat and Defcon are such a waste of time. Yeah, sure it's cool to see all the hacking. But few, if any, of those people have any idea how to FIX the problems they uncover. This is kind of like loaning your car to a friend who returns it and says, "your steering is busted, go fix it." Gosh, thanks.
 
2011-11-23 01:08:49 AM
Marine1: Kar98: bravian: So much this. My Windows 7 box I built from scratch and my iMac share many of the same components.

My Mac mini and the wife's Gateway laptop that we happened to both buy in the same month, a couple of years before we even met, shared pretty much every relevant component with each other, excepting the shapes of the motherboard and the case.

/although the screen on the Mac is better
//but the SSD in my Windows 7 box blows away the iMac's 7200 RPM drive

So put a SSD into the iMac.

As I remember, getting into one of those new iMacs requires no less than suction cups in order to lift up the screen... idk if that's changed since I last worked on them. Quite a bit of work to replace a hard drive.

/Macs are great for when you want a good computer out of the box
//for real performance, build a Windows 7 system yourself


The suction cups just allow you to pull the magnetic glass off the front of the iMac. If you want, you can pry it with your fingers. Either way, it's a simple step that is not as difficult as you think it may be. Suction cup on, pull glass off. Done in 5 seconds.

The rest of the replacement process may be difficult, I'm not familiar, but your example isn't hard to perform at all.
 
2011-11-23 01:11:54 AM
Repeat link. :(
 
2011-11-23 03:56:54 AM
downstairs: But, but.... Apple products can't get viruses, and its impossible to install malware on Apple devices!
 
2011-11-23 04:16:00 AM
Ed Finnerty: Ah, the fruits of increased market share. More arrows pointed at your bulls eye.

Maybe if I close my eyes they won't hit me. GO AWAY ARROWS!!!1!


Isn't that sort of the same thinking that Jobs had with his cancer, that if he ignored it or ate a special diet it would magically go away?

/Concerning the surgery he could have had but waited 9 months.
 
2011-11-23 06:46:16 AM
I hope he goes rogue.
 
2011-11-23 09:05:53 AM
The most basic tenet of the Apple Cult is the belief that Apple is perfect. He was a heretic.
 
2011-11-23 10:08:14 AM
psychoace: How could he know if the flaw worked unless he sent it through the process?

You might not be aware -- though everybody in the Apple Developer Program is -- that it's possible to install an iOS app onto actual devices for testing, and even submit it to Apple for official review, without making it available to the public through the App Store.

If I were Apple, I'd have suspended his account too. And then hired him as a Security Analyst, so he can be a pain in the ass through safe and sanctioned channels instead of putting customers at risk.
 
Displayed 50 of 55 comments

This thread is closed to new comments.