I say this not to boast, but to establish my bona fides. I've personally been involved in the process of contacting a computer vendor to tell them that we've found a vulnerability in their product. Some vendors have been great to work with - Microsoft was very good, even in the 1990s: they'd just ask that we hold an announcement until they had a patch written and tested. After all, it doesn't do anyone any good to announce a vulnerability if there's no fix.
Hey, all y'all are really screwed! Aren't we the cleverest kids on the block?
We worked very hard at Responsible Disclosure, which is more or less the process described above. Not everyone did. Sometimes they were Black Hats, keeping their exploits to themselves ("zero-day" exploits, so called because the vendor hasn't produced a patch yet: they have had zero days to fix it, so the clock on your patch cycle can't even start running).
Sometimes announcements went out because a vendor simply refused to make a patch, or sometimes even to acknowledge that they'd been told. The security mailing list archives are filled with threads along the lines of "I'm announcing because Foo, Inc. won't reply to my notification about their vulnerability in FooOS."
Protip to vendors: it's considered polite to have a dedicated security contact address, with someone who actually reads the emails.
And so to the big security news, about Apple's App Store basically having no security at all. Reader Joseph emails to point us to this:
A man who created a bogus stock price tracker app for the iPhone that was in fact malware has been thrown out of Apple's developer program. That would seem uncontroversial until you discover the app was designed to highlight a security flaw rather than cause damage or steal data.
Charlie Miller was told his right to create and upload apps had been terminated "effective immediately."
If Miller's name seems familiar, that may be because he's a perennial winner at the PWN2OWN competition, held at the CanSecWest security event in Vancouver each year. Contestants can ask judges to visit a URL using various combinations of hardware, operating system and browser, with the latest publicly available security updates applied. Last year was a particularly bad day for Apple with a MacBook Pro running Safari the first computer to fall (Miller being the successful attacker) and the iPhone the first smartphone hacked.
Now this is an interesting situation. Miller did not notify Apple until after he had created his app. Some people in the industry think that's a no-no. Certainly, this is why Apple expelled him from their Developer program.
Me, I'm not sure that this was the right thing to do. I personally have had vendors tell me that they don't want to fix a vulnerability I've reported to them. There are lots of excuses they give; if they're honest, they'll say "it's too hard" - this happened with Sun Microsystems, where the bug was buried deep in the guts of RPC. The code was 15 years old then, and nobody really knew how it worked (yes, this happens more than you'd think). Everyone was afraid to touch the code, because the breakage they might do in "fixing" the problem might be horrific. OK, fair enough.
But usually the official excuse you get back is "we were unable to recreate the bug, and so view the problem as theoretical". The proper response to this is "OK, here's some exploit code, biatches." That usually gets the proper level of attention.
But how do you do this in the App Store "Walled Garden" environment? The exploit has to be an app, and the app has to come through the App Store: if you jailbreak your phone, there's no guarantee that the code behaves the same way. Maybe it does, maybe it doesn't.
If you're talking about a serious vulnerability, you need certainty, because the cost of the fix will be measured in tens of thousands of dollars to get the patch created, and much more for everyone to get the upgrade installed. You really, really don't want to go off half-cocked here. Word will get around the security community.
So what was Miller supposed to do? Yeah, he could have notified Apple, but they are infamous for their lousy attitude to security. And that notification would put them on the lookout for interesting App Store submissions from Miller.
Infinite Loop. n. See Loop, Infinite. It's in Cupertino, actually, and Apple's HQ is right there.
And so, Jeremiah Wright-like, Apple's security chickens are coming home to roost. They've demonstrated repeated contempt for the security industry, and have repeatedly flouted expected practice. They are presumptively in perpetual wagon-circling mode, and so they can't play the victim card that mean old Charlie Miller isn't following the rules when he basically said "here's your exploit code, biatches."
And so the way that they expelled him from their App Developer group looks petty and spiteful. It also looks pathetic. Consider: Miller is perhaps the world expert in Apple exploits. He can feed information to any of a thousand other App Developers.
Protip to the Apple security team: Google LBJ's "I'd rather have him inside the tent peeing out than outside the tent peeing in." I even linkified it for you.