Macworld Forums: With Black Hat approaching, is iPhone patch coming? - Macworld Forums


With Black Hat approaching, is iPhone patch coming?

#1 MW Forums

  • Power User
  • Group: Members
  • Posts: 12,220
  • Joined: 02-August 04

Posted 27 July 2007 - 06:40 AM

Apple is not saying whether it will patch a flaw in its iPhone before it is disclosed at Black Hat next week.
0

#2 jedi228

  • Member
  • Group: Members
  • Posts: 453
  • Joined: 16-October 04

Posted 27 July 2007 - 10:34 AM

While security companies do provide some useful services, they rely on creating a buzz of fear and hysteria in order to sell their products. They cast themselves as David taking on Goliath and as reformers exposing a corrupt regime. Actually much of the time they expose obscure hypothetical issues that aren't causing problems in real life and often the problem-fixing-genius comes from the same social circle as the bad guys that created the problem in the first place.
Some security issues are real and most hardware and software makers are slow to fix problems and make full disclosure. On the other hand, security companies and pundits fall on the other extreme and toot their own horn over obscure minutiae. Media is unhelpful because media guys just want to hype a new story without a lot of discernment on whether the issue is actually relevant in real life.
Most end-users are left with confusion because they are caught between manufacturers, "security" experts and a hyperactive media. I really hate computer security issues.
0

#3 thgd

  • Member
  • Group: Members
  • Posts: 26
  • Joined: 23-December 06

Posted 27 July 2007 - 11:36 AM

Don't be too sure that these so-called "security researchers" will prove anything of value at this upcoming conference.
The video ISE and this "Dr." and "former NSA employee" created only showed Safari quitting and, in the next scene, unreadable gibberish scrolling onto another computer monitor. The narrative tells us nefarious things happened but there is no concrete indication to support the premise.
Should we really be believing unfounded accusations from obscure "experts"?
Does this really prove that the iPhone can easily be compromised or is it actually blatant opportunism to gain publicity for an otherwise obscure security company?
Yes, computer security is very serious business but I don't think shadowy hackers masquerading as white knights is a serious solution.
0

#4 Peter Cohen

  • Advanced Member
  • Group: Members
  • Posts: 4,646
  • Joined: 05-February 03

Posted 27 July 2007 - 11:40 AM

Security firms need to toe a very cautious line with these sorts of things. Companies that come out with hysterical report after hysterical report lose credibility in the industry -- and with tech journalists -- fairly quickly. Unfortunately, those that only report hysterically every once in a while usually eke through. Tech journalists, like everyone else in Western culture, suffer from a paralyzing lack of attention span sometimes. :)
0

#5 PeterG

  • Member
  • Group: Members
  • Posts: 972
  • Joined: 17-January 05

Posted 27 July 2007 - 12:28 PM

Peter,
If Apple gives a fix to their "hack", without it being in the wild or crashing AT&T, couldn't they then say, "See, Apple did a fix and we were right", giving them the credibility they are looking for, without demonstrating it?
What are the laws (a short version) on someone showing a hack to the world without being sued?
If I was those guys, I'd be looking out for the guy in front of their forum, in the expensive suit, holding the briefcase.
Peter
0

#6 jdb8167

  • Veteran
  • Group: Members
  • Posts: 1,583
  • Joined: 30-August 04

Posted 27 July 2007 - 12:58 PM

Quote:

Don't be too sure that these so-called "security researchers" will prove anything of value at this upcoming conference.
The video ISE [...] created only showed Safari quitting and, in the next scene, unreadable gibberish scrolling onto another computer monitor. The narrative tells us nefarious things happened but there is no concrete indication to support the premise.
Should we really be believing unfounded accusations from obscure "experts"?

Unlike some other highly-publicized reports, this one seems credible to me. While the video is certainly no proof, the fact that they are willing to show the crack (presumably) at Black Hat gives some pretty solid evidence that it is real.
If ISE can't demonstrate what they claim then they will be subject to the same sort of ridicule as a certain "security researcher" received when he couldn't deliver the goods. But they seem to be practicing responsible disclosure and have even claimed to have provided Apple with a fix. I say we give them the benefit of the doubt until shown differently.
0

#7 Ilgaz

  • Member
  • Group: Members
  • Posts: 161
  • Joined: 14-January 06

Posted 28 July 2007 - 04:15 AM

Everyone "shooting the messenger" is much more of a security threat than some documented, identified security researchers' open alert about security.
I am sure lots of companies have totally given up announcing security glitches/potential issues about OS X to the public; I have no clue what they do with them. They either report to Apple Inc. (if they are serious, good guys) or put them on the black market. Thing is, it has become harder and harder to hear about security issues from formal, non-anonymous companies rather than obvious trolls who hate everything Apple and distribute false information on purpose.
I keep getting updates to my antivirus application (prefer not to say) and, from some false alerts while compiling open source software, I heard of 2-3 non-reported issues thanks to the stone age heuristics currently in use by OS X security software. I checked the companies' press/security etc. sections, no clue about them. They didn't even want to elaborate on the issue; they said "this is a false alert, we fixed it in the next definitions release". The current situation is actually the biggest security risk ever.
If this is demonstrated on a web video rather than at a secure conference to a closed group of security professionals, people should look in the mirror for someone to blame. Every kind of security alert had a "They are liars!", "Snake oil sellers!" kind of response from a loudmouth but (thank God) low number of fanatics. We are dealing with humans here, not just computers. So, expect each little issue to be openly reported to the web along with a step by step guide if a miracle doesn't happen and those fanatics change their attitude.
I also expect at least professional reporters/moderators of Macworld to stay neutral until the issue is actually demonstrated to real security professionals rather than fanatics of both sides.
0

#8 michaelb

  • Member
  • Group: Members
  • Posts: 113
  • Joined: 29-September 01

Posted 28 July 2007 - 09:30 PM

I think Apple has an equal or greater eye on the hacker attempts to unlock the phone.
My theory is that they have a Firmware 1.0.1 update more or less ready to go which fixes some of the launch bugs, patches this and related security issues, and adds a few compelling new features, but haven't decided on the exact release time.
Perhaps the moment a successful unlock hack is found, the next day Apple releases the firmware update (maybe also an iTunes update), effectively countering it by changing the lock code/algorithm. If they released it before the hack was found, they'd have to go longer in the update cycle before addressing it.
In fact, Apple may even be disappointed the hackers are taking their sweet time unlocking the phone - it means they could have to sit on the update longer than they want!
Or I could be completely wrong and Apple could be secretly cheering on the hackers (never revealing this to AT&T or their European partners of course), knowing that sales would spike and warm glowing "numbers sold" figures would zoom up. If this wild theory was actually true, it would be nice if Apple could offer some anonymous tips - I think the hackers are stuck with where to look for the unlock code.
0

#9 lkrupp

  • Member
  • Group: Members
  • Posts: 225
  • Joined: 30-December 04

Posted 29 July 2007 - 09:17 AM

Quote:

Or I could be completely wrong and Apple could be secretly cheering on the hackers (never revealing this to AT&T or their European partners of course), knowing that sales would spike and warm glowing "numbers sold" figures would zoom up. If this wild theory was actually true, it would be nice if Apple could offer some anonymous tips - I think the hackers are stuck with where to look for the unlock code.


I'm sorry but this whole idea of hacked iPhone sales is way off base. There aren't enough geeks out there to make a difference. OS X has been "hacked" for some time now to run on non-Apple PCs and there is no indication that this is being done by anyone other than a few freaks for bragging rights. The same goes for a hacked iPhone. The vast, vast, vast (did I say vast?) majority of potential iPhone buyers have neither the desire nor the competence to plunk down $600 for a device and then alter the device and its software, thereby voiding any warranty or technical support options, so they can use it on a different wireless carrier. The idea that unauthorized "unlocked" iPhones will sell like hotcakes is, frankly, ridiculous.
As to the original topic of this thread, we have yet to see one of these security flaws blossom into a real world exploit. The security "researchers" have cried wolf so many times now their dog-and-pony shows don't seem credible anymore. And as a previous poster mentioned, the line between "researchers" and the bad guys is not clearly defined. These people seem more concerned with self-aggrandizement than with promoting better security. Not to say that the software vendors are concerned either. A better solution would be to open up these vendors to liability claims for damage or theft caused by faulty software. Then you'd see some real concern over security flaws. Let Apple or Microsoft get nailed with a few multi-million dollar judgments because of a buffer overflow. On the other side of the coin, let's see one of these researchers get ten years in jail for publishing exploit code before there's a patch available.
0
