Posted on July 22nd, 2013 at 9:16 PM EST
Most people have probably heard by now that Apple’s developer site has been hacked. The site has been down since last Thursday, and Apple finally announced that it was down following an intrusion by a hacker. (Don’t worry, only a few bits of fairly minor personal information about developers were captured. Customer data was not involved.) In response, a security researcher named Ibrahim Balic publicly claimed responsibility, saying that he had discovered bugs in Apple’s system and had alerted them to the fact.
On the surface, it seems that this is simply a case of someone trying to do the right thing and being misunderstood. However, after reading the details of this incident, it’s hard to find anything that Mr. Balic did right. Let’s start with the basic premise: that Mr. Balic was experimenting with Apple’s servers to search for weaknesses. If he had had permission from Apple to do this, it would have been fine. He did not. Therein lies the problem. Where does one draw the line between a malicious hacker who thinks he’s been caught and tries to spin a story to save his behind and a security researcher who was searching for exploits without permission? It’s all a matter of intent, and knowing what his intent was with certainty would require a bit of mind-reading.
Next, as part of Mr. Balic’s attempt to clear his name, he posted a video on YouTube demonstrating some of the data he had collected. This video has since been removed, and I never saw it, but it apparently showed the names and e-mail addresses of a number of developers. I’m not sure exactly what the purpose of that video was. It would certainly seem to provide proof of his involvement in capturing data from Apple’s servers, and a lack of judgement in sharing a portion of that data with the general public, while not in any way proving his good intentions.
Of course, this brings up the issue of the data itself. Finding a server vulnerability and reporting it to the company running that server is one thing. That happens all the time. It really crosses an ethical line, though, to siphon off data through that vulnerability. If your information is good, proving the vulnerability through actively exploiting it is completely unnecessary. Worse is the apparent volume of data that was collected. Although it’s still unclear exactly how much data he collected, it certainly appears that he has claimed to have grabbed over 100,000 developer records. Even if you believe that collecting a few records for proof of his claims would be okay, which I don’t, I would guess that 100,000 is excessive by anyone’s definitions.
On top of all that, the way that Balic reported the issue to Apple seems a bit unprofessional. Balic says that he informed Apple by submitting his findings through the bug reporter system (part of Apple’s developer web site). While this may sound okay, most people familiar with that system know that the bug reporter gets a huge amount of traffic, and should not be used as the sole method for getting Apple’s attention on a vital security issue. Apple, in fact, has a specific e-mail address for reporting security issues, which I would think any professional security researcher working with Apple products or services should be aware of. Why didn’t he report his findings there? (Or did he do so, but then omitted mention of the one sensible thing he did from all the craziness that he posted?)
At the end of the day, the real core of the issue is intent. How do we know whether this was a case of malicious intrusion where the hacker realized he’d left a trail and needed to cover his behind, or a case of beneficial security research? We can’t know. Balic claims to have acted with the intention to help Apple, yet his actions do not seem to support that. Apple’s public statements indicate that they are calling this an attack, and that they view his actions as malicious. It will be interesting to see how all this plays out. I would be extremely surprised, however, if Mr. Balic ends up not being in some serious legal hot water when all is said and done.
Tags: Ibrahim Balic