Re: How Apple orchestrated web attack on researchers

["James Sineath" <bow.sineath () gmail com>]

On 3/20/07, Daniel <daniel () ugc-labs co uk> wrote:
> Tell me George, if you owned a mega corporation and you had two
> researchers threatening to drop a few % from your share price, what
> would you do? Open up your arms, give them a free macbook and see
> millions lost on the FTSE/Nasdaq?

Yea, lets just lie about everything and cover it up. That always works
out well....

> Apple's PR protected the brand, same as Bush protected his brand and
> Billy G protected his brand. This is business 101 and it's time for
> security and security researchers to realise the golden years are
> long gone in todays litigation market. I can't just walk into Ford
> and say that all american cars are crap, blow up and kill people
> without expecting some force, so why do researchers think they can
> get away with it with this "we are protecting the world" approach?

That comparison makes no sense at all. You are comparing two people
finding a flaw in wireless drivers with blowing up and killing people.

Every Machead I debate this with says the same thing. They argue about
how Full Disclosure is bad for everyone and how all of us are wrong
and unethical for releasing flaws to the public if a company doesn't
patch a flaw in a timely and appropriate manner. I'd like to remind
you that this isn't the first incident where Apple has lied to the
public about the seriousness of a flaw to protect themselves.

You (and the rest of the Apple community that thinks this way) need to
wake up. Would you rather us find flaws and keep them to ourselves if
the vendor decides not to fix it? Thats how the blackhat community
works, they find flaws and keep them to themselves for later use. The
blackhat community doesn't give a crap about what the corporations
think, they have no rules to abide by. If they find a flaw, they keep
it to themselves and use it when they deem necessary. There is a good
chance that a number of these flaws were already known by the blackhat
community.  Do you feel safe knowing that blackhats have their own
private collection of exploits that they can use against you? Would
you rather they continue to have a collection of unpatched flaws?
Instead of binding the hands of white hats with legal and political
garbage, you should be encouraging them to find and disclose flaws,
not cover them up and hide them. People need to be aware of the risk
to their information.

Don't get me wrong. I'm all for responsible disclosure, but Apple has
shown time and time again that they will not act responsibly in
return. The community needs to be aware of the risks and if Apple
won't tell the truth, then the community will.

Blackhats already have the advantage, why give them one more by
binding our hands? Do you REALLY want that risk?

-- 
Bow Sineath - bow.sineath () gmail com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave