[HN Gopher] Apple's effort to court 'ethical' hackers draws poor...
___________________________________________________________________
Apple's effort to court 'ethical' hackers draws poor reviews
Author : null0ranje
Score : 113 points
Date : 2021-09-09 13:03 UTC (9 hours ago)
(HTM) web link (www.washingtonpost.com)
(TXT) w3m dump (www.washingtonpost.com)
| throwaway20371 wrote:
| If I'm a hacker and I have an Apple 0-day, why the hell would I
| report it to Apple if I can quickly get a tidy payment on the
| black market?
| throwaway98797 wrote:
| That local 7-11 sure has a lot of cash and a sleepy clerk
| working it.
|
| How can I monetize ethics?
|
| We live in a society. We try to abide by the mores.
| throwaway20371 wrote:
| Society's mores are pretty fungible. Who'da thunk that half
| of society would be fine with killing people if the
| alternative is sometimes wearing a paper mask and getting an
| injection?
| akomtu wrote:
| Apple is trying to push a censorship module (that file
| scanner) onto every iPhone. That would be a massive damage to
| our society at a scale no black hat could ever make. Apple is
| certainly not a bastion of ethics.
| throwaway98797 wrote:
| You do you. Don't be surprised when you get cast off into
| exile. Society is pedagogically just.
| mtnGoat wrote:
| true, but as the saying goes... two wrongs a right does not
| make.
| akomtu wrote:
| Is robbing a robber a crime?
| throwaway20371 wrote:
| Yes, if the robber is a baron.
| mtnGoat wrote:
| who has the better attorney?
| occamrazor wrote:
| In fact, in most jurisdictions it is.
| twox2 wrote:
| Maybe because you don't want to be an arms dealer? Or you don't
| want to risk prison.
| 0des wrote:
| Not if you're selling to the agencies, it's a completely
| different playing field and the money is much more available.
| SXX wrote:
| What law is there against selling a vuln to a random person on
| the internet? And yeah, you don't really need a "black" market.
| There are plenty of "legit" companies around the globe that are
| absolutely immoral, but their business is as legal as it could
| be.
| caeril wrote:
| Precisely this. Zerodium will sell your bug to the FBI, who
| will be happy to use it to incarcerate more Americans.
|
| They'll also absolutely sell it to China, they'll just be
| quiet about it and use one of many Thailand-based
| intermediaries.
| sukta495 wrote:
| Internally at Apple, Ivan took over the team and then got rid of
| all MSRC managers and half the employees before the rewards
| program launched. The team was driven into the ground after that
| and churned through manager after manager; everyone left.
| swiley wrote:
| Apple sounds about as pleasant to work at as its platforms are
| to develop for.
| vkou wrote:
| Every large company has teams that are incredibly painful to
| work on, and ones that are not.
|
| You can't really generalize either way from one, or even a
| few anecdotes.
| WFHRenaissance wrote:
| I have a CVE from Apple for a vulnerability in a consumer-facing
| mobile application RE improper data access & failed obfuscation
| of sensitive information. People think the CVE is cool and all,
| and it might help me get my next job, but for now it hasn't
| helped me put any food on the table. Maybe next time I'll call
| China, Russia, randoms on Twitter, go public before reporting to
| them, et cetera. Incentives are f'd up.
| creamytaco wrote:
| I have had two close friends quit recently, within a few months
| of each other. They both blamed management and especially Ivan
| Krstic.
| aNoob7000 wrote:
| I'm always surprised by companies like Apple that have so much
| money that paying out bounties should be no issue at all. It
| feels like Apple doesn't like being on the weaker side of a
| negotiation.
|
| Maybe I'm a little naive, but I would set up a bounty program at
| Apple that was very lucrative for security researchers to report
| their bugs. The main goal would be to make the holders of
| security vulnerabilities concerned that someone might submit a
| bug report and make their million-dollar bug worth zero.
| bell-cot wrote:
| $can_see_story_free = $javascript_enabled ? false : true;
| lostcolony wrote:
| Wow. "Apple's bug bounty program offers $100,000 for attacks that
| gain "unauthorized access to sensitive data." Apple defines
| sensitive data as access to contacts, mail, messages, notes,
| photos or location data."
|
| But a hack that allows arbitrary, malicious applications to be
| installed doesn't count; even though it could send any user files
| on the computer (so any data that is not encrypted by its
| consuming application). That seems...a bit of a logical leap. I
| mean, yes, it can't let you access iCloud photos, but a random
| JPG on your computer is totally fair game, so even with their
| list, it feels like it should be included (let alone the excel
| file with revenue figures that are going to be broadcast at the
| next quarterly result meeting with shareholders, or the HR docs
| containing PII, or...)
| chongli wrote:
| A malicious application on macOS doesn't automatically get
| access to the user's sensitive data (contacts, photos,
| documents, etc). When an application tries to access those
| things the user normally gets a prompt from the OS to authorize
| such access. Verified bugs that allow circumvention of this
| prompt are what Apple is paying for.
| lostcolony wrote:
| From the article - "Owens created a hypothetical attack that
| gave hackers access to the victim's files. He said in an
| interview that it could have hypothetically allowed hackers
| to access corporate servers, if the target computer were used
| by a corporation."
|
| Perhaps Owens is lying. Perhaps this is misleading reporting,
| or otherwise occluding something. But on the surface of it,
| it sounds like no user intervention required.
| chongli wrote:
| Yeah so if he did as he claimed then he achieved the bypass
| Apple claims to be paying for. Now if Apple is lying and
| refusing to honour their bug bounty, that is another
| matter.
|
| My point is that just because you can get the user to
| execute your malicious executable under their user account
| does not grant you access to all their files, unlike what
| you would expect with traditional Unix permissions.
| lostcolony wrote:
| Your point is taken, but also irrelevant to the specifics
| laid out in the article. I appreciate that "normally" the
| user may have to allow access to files and things (I'm
| not sure I've ever experienced that on a Mac before when
| installing applications; I installed Sublime and could
| open and edit files without any user dialogs, but maybe I
| disabled something, or working through the UI behaves
| differently or whatever), but the whole point being made
| is what the hacker says in the article would indicate it
| should have claimed the bounty.
| netsec_burn wrote:
| Yep, this lines up with my experience. I've been trying to work
| with Apple on a critical security vulnerability for over a year
| now that affects over 100 million systems. When I'd ask the
| payout ranges at the beginning, I've had multiple people just
| block me as a contact and Apple themselves refuse to answer.
| Apple has a strict stance of submitting all of the research up
| front with no expectations as far as payment. Today, I've been
| ghosted by Apple, no reply to multiple emails. The last message I
| have is them saying they're fixing it. I chose the ethical route
| at a steep cost, the average price of the vulnerability from the
| other buyers I was talking to was 475K. There have been attempts
| to hack me 2 days after requesting a quote from some buyers. The
| most I can hope from Apple is 1/4th that. It really is the
| poorest communication out of any program I've done with the
| exception of AT&T's, who patched an RCE in their employee portal
| I reported (two months later) and then emailed me 6 months later
| saying there was no RCE. I've been told Apple is getting better
| with their communication over time, and now their average
| turnaround is 10 months.
| bink wrote:
| I assume you didn't tell Apple that you were negotiating with
| other buyers? I think most bug bounty programs will cut off
| communications at that point.
|
| I've managed several programs for some very large companies and
| haggling over bounties with a researcher is a _really_ bad
| idea. You set your bounty amounts and stick to them. If people
| want to haggle over impact that's fine, but once you exceed
| your quoted bounty amount for one person then everyone expects
| it.
| intricatedetail wrote:
| Why do companies project this idea that it is wrong for people
| to ask to be compensated fairly for their hard work? The culture
| of exploitation of engineers is sickening.
| sircastor wrote:
| Because it's hard to distinguish between someone who's
| trying to help you be more secure and someone who's trying
| to extort hush money out of you for an error in your code.
|
| It's not hard to read it as "we don't negotiate with
| terrorists", and Apple (or Google or Amazon...) know people
| think they have deep pockets.
| Teever wrote:
| Does the difference really matter provided that the bug
| bounties are paying market rates for the bugs that people
| submit?
| selfhoster11 wrote:
| What does it matter what the reporter's motivation is?
| The fact is, you have an unpatched vuln in your code, and
| you either pay up to discover more, or it blows up in
| your face an indeterminate amount of time later.
| netsec_burn wrote:
| I looked for other buyers before Apple had a bug bounty
| program, not while talking with Apple. When I found an
| official way of submitting the vulnerability I cancelled my
| other negotiations (Apple is the correct channel and I wanted
| to see it fixed without exploitation). Regarding bounty
| amounts, I agree that they should clearly define the amounts
| for each factor of a complete exploit. That currently isn't
| done. The one thing everyone can give Zerodium credit for is
| being clear with their pricing, there's no ambiguity over
| whether you can keep your lights on by doing the research.
| bink wrote:
| That's good. It's unfortunate that the best signal most
| companies can use for whether their bounty amounts are
| sufficient is report volume and quality rather than a
| proactive "here's what others are paying" or impact to
| customers. If they set bounties too high initially they'll
| get swamped with low-quality reports and that will slow
| response times for the good ones.
|
| The bean counters also play a big role. Most companies
| aren't ready for big bounty payouts when a program first
| starts. They set a fixed budget and are more likely to end
| a program completely if the bottom line cost is too high,
| regardless of the security impact. Security teams are aware
| of this and try to walk a fine line.
|
| For researchers who are having problems with programs I'd
| suggest trying to form a better relationship with the
| triage teams and security teams. Be helpful, not
| confrontational. Companies get their best bang-for-buck
| when they can court good researchers. They love getting
| quality researchers who report multiple findings and
| they'll do quite a lot to make them happy, including paying
| bonus bounties for future reports and being far more
| transparent with triage status.
| HelloNurse wrote:
| > Most companies aren't ready for big bounty payouts when
| a program first starts. They set a fixed budget and are
| more likely to end a program completely if the bottom
| line cost is too high, regardless of the security impact.
|
| At the beginning of a high profile bug bounty program I'd
| expect higher expenditure than in the following fiscal
| year due to the backlog of researchers who really want to
| "sell" to an official channel, not a slow start.
| hluska wrote:
| Shhhh! If you demonstrate such clear thinking you'll
| never get promoted to management...:)
| not1ofU wrote:
| Maybe because their handlers are forbidding them to fix it
| until they are done with it... maybe I'm paranoid.
| concinds wrote:
| > There have been attempts to hack me 2 days after requesting a
| quote from some buyers
|
| How did you protect yourself against those?
|
| Also, as a security researcher, are there alternatives you'd
| recommend more? Would Linux/Windows be more secure?
| netsec_burn wrote:
| TOTP two factor authentication protected me. They attacked my
| recovery email to go for my primary, at the time my recovery
| provider didn't offer 2FA. I think they may have social
| engineered the recovery with my SSN (it was a randomly
| generated password). Then they used the recovery provider to
| buy time by adding 2FA options, I began recovering within a
| minute. It was impressive how quickly they worked, they tried
| to compromise 5 other accounts in 3 minutes. Unfortunately
| for them, all of the accounts they targeted from that point
| on had 2FA, and they lost access in 15 minutes.
| heavyset_go wrote:
| If this happened to me, I'd send a tip to the FBI[1].
|
| [1] https://tips.fbi.gov
| netsec_burn wrote:
| Already done, with as much relevant information as I
| could compile. I hope they find who is attacking security
| researchers. If I had to guess, the motivation may be for
| the zerodays I have.
| ASalazarMX wrote:
| > Apple has a strict stance of submitting all of the research
| up front with no expectations as far as payment
|
| < _Giant bold white letters fade in against a black background_ >
|
| A R R O G A N C E
| ryanmarsh wrote:
| Serious question. If Apple won't treat you in an ethical
| manner then why go the ethical route? Why not just sell the
| sploit to the highest bidder? Seems like there's a misplaced
| and unreciprocated sense of integrity on the part of many
| researchers.
| chuckee wrote:
| Because you will harm not only Apple, but also their users,
| who Apple has misled into thinking they are the secure
| choice.
| lucasyvas wrote:
| I think this is a great question - In my opinion, carving
| the ethical path from the start can and should fulfill any
| moral obligation you might have.
|
| If they don't want to play ball, take it to someone that
| will appreciate your work. Should it be used nefariously,
| you are still helping because they might take you more
| seriously next time, as they should have in the first
| place.
|
| carrot versus stick.
| saagarjha wrote:
| One, just because someone else is being unethical doesn't
| mean you can drop your ethics. Two: you don't really want
| to expose users to the exploit.
| manquer wrote:
| Usually such poor community engagement correlates to a lack
| of acceptance or slow fixing timings. The best recourse
| is to disclose publicly after a set number of days (90).
| paulryanrogers wrote:
| Considering the half-hearted and sluggish response of
| certain huge companies, I can see why some researchers
| choose the middle path and publicly disclose immediately.
| ryanmarsh wrote:
| Sometimes the ethical thing to do is adversarial. It
| forces better behavior for short term pain.
|
| As far as exposing users, that makes assumptions about
| the actions of a number of people including the company
| in question which could, if it so desired, assemble the
| resources to push a fix within 48 hours.
| jasonladuke0311 wrote:
| Just curious - do you have an ethical stance against selling to
| ZDI/Zerodium?
| lolpython wrote:
| OP edited their post to answer your question
| netsec_burn wrote:
| ZDI, like Apple, doesn't tell you the average price of the
| vulnerabilities you can sell to them when you email them
| (yes, Apple has example payout ranges, but they aren't clear
| on classification). At Pwn2Own, ZDI paid roughly half of what
| Apple should pay. When you consider Apple themselves are
| 1/4th the market price, thereby making ZDI 1/8th, it becomes
| impossible to work with them. I raised my concerns with ZDI, no
| reply.
|
| I submitted some details (nothing technical, just the
| classification and affected platforms) of my vulnerability to
| Zerodium. Two days later someone tried to hack into all of my
| personal accounts and failed due to 2FA, and not many people
| have the email I used when I communicated with them. I've
| found other buyers outside the US, but I had ethical concerns
| and decided against them (at a 300K min loss).
| petercooper wrote:
| This isn't a judgment, by the way. I'm naive about this
| area and genuinely curious.
|
| _I've found other buyers outside the US, but I had
| ethical concerns and decided against them (at a 300K min
| loss)._
|
| What type of buyers exist who are unable to fix the
| vulnerability (in this case, who are not Apple or the
| affected vendor or do not collaborate with Apple, etc.) but
| might be considered ethical to sell to?
| 0des wrote:
| Come on, we both know the score here.. There is no
| ethical purchaser.
| petercooper wrote:
| That was my assumption, but my netsec knowledge could be
| written on a stamp, so who knows! ;-)
|
| I imagine some people think being rewarded for finding
| vulnerabilities is unethical entirely, but there seems to
| be a huge dose of pragmatism around the space.
| netsec_burn wrote:
| Answered here:
| https://news.ycombinator.com/item?id=27875883
| petercooper wrote:
| Thanks - that was helpful.
| AlexAndScripts wrote:
| Western intelligence agencies?
| manquer wrote:
| In theory a large corp netsec team may buy zero-day
| vulnerabilities and then either disable the affected
| systems or engage directly with the vendor.
|
| Alternatively, depending on how nationalistic someone
| feels, the NSA could be an ethical buyer for them as well.
| WesolyKubeczek wrote:
| I haven't read the article, because fuck paywalls. But given the
| stories from hackers that drip here and there, I have got a
| feeling they are setting forth conditions that are too crazy to
| be even taken seriously, compared to competitors.
|
| It could be that 0-days are easier to just sell on the black
| market and not bother with Apple's ridiculousness and red tape.
| smoldesu wrote:
| A lot of CVE disclosures I've read involving Apple typically go
| cold-case for a few months after disclosure. The person
| responsible for the old Thunderbolt memory access hack
| (Thunderspy) didn't even hear back from Apple upon disclosing
| their findings, so I think it's safe to say that they're either
| understaffed or not interested in fixing your critical security
| vulnerability.
| headmelted wrote:
| Non-paywalled link?
| commoner wrote:
| Non-paywalled archive link:
| https://web.archive.org/web/20210909140946/https://www.washi...
|
| You can generate this snapshot on your own by using "Save Page
| Now" at: https://web.archive.org
|
| If your web browser supports the extension, try Bypass Paywalls
| Clean:
|
| - Firefox: https://addons.mozilla.org/en-US/firefox/addon/bypass-paywal...
|
| - Chrome: https://gitlab.com/magnolia1234/bypass-paywalls-chrome-clean
| tailspin2019 wrote:
| > You can generate this snapshot on your own
|
| I never knew that. I've often seen archive.org links posted
| like this but without realising you can actually initiate a
| snapshot! Thanks!
| MegaDeKay wrote:
| Paste the link into google to get access to their cached
| version.
|
| https://webcache.googleusercontent.com/search?q=cache:40fEbD...
| xhkkffbf wrote:
| How funny to find hackers trying to avoid paying journalists
| for their work on a story about a company that's trying to
| avoid paying hackers for their work.
| poetaster wrote:
| xhk (etc). Nice spotting. You saved someone from drowning.
___________________________________________________________________
(page generated 2021-09-09 23:02 UTC)