Pressure put on Apple to fix iPhone exploit

What a bunch of a$$holes.. hey, i know. lets threaten a company to fix something or we'll release the information to hackers all over the globe! you may as well lock down a corporate email system and bribe the company... same damn thing.

wannabees! I get so tired of so called 'security experts' who try strong arm tactics and coercion under the guise of public concern. It might just have already occurred to Apple that they should have these same concerns close to their vest, don't you think?

You'd think these people would be a little more grateful. If it weren't for vulnerabilities, they might have to go do something useful with their lives.

This is akin to security by obscurity. An old way of securing a system was to just set it up in a way that wasn't standard and hope nobody could figure it out.

Obviously someone can figure out how to get into an iPhone from the outside and compromise security. Is it better for you to know about the problem and the things you can do to minimize the risks or is it better to keep it hush hush until the problem can be solved?

Personally since I own an iPhone its more important for me to know about the issue and thus ... what things I shouldn't do while Apple is working on fixing the problem. Hiding it so script kiddie #5 doesn't have it handed to them certainly does NOT negate the risk!

I don't consider what they are doing as a way to blackmail Apple into action. Other folks however may see it differently and we have to respect their opinions even if we don't agree.

There is no real motivation to 'blackmail' Apple here. They have already alerted Apple and they made the issue public (announcement was made earlier this week). Why blackmail them? What if the fix causes much deeper issues on the phone? Should Apple (or anyone for that matter) rush to fix the issue and put out a half ass'd attempt at a fix, which could cause potentially more issues? It's absurd. I's just strong arm tactics which shouldn't be done. There is no motivation but making yourself look cool at the hackers conventions!

The problem with this "fix it by then or else" strategy is that it doesn't take account of the fact that releasing software (especially to a large user base) is a complicated process. If some of the security experts are to be believed, you can "just" fix something and ship it, which simply isn't true.

Moreover, the impression of an external security expert as to what the most important thing to fix might be may not match the impressions of those people with access to the source code. So trying to force a quick fix is foolish because it might end up with users being exposed for longer to a much more serious bug that outside researchers don't know about (yet).

Finally, in answer to ttrostel, the sad fact is that a lot of the research done by security researchers and published on CERT and Bugtraq is used as a source of vulnerabilities by hackers. After all, why bother finding your own vulnerabilities when other people will do it for free, and when many users don't patch their systems (even when vendors release patches quickly)?

So there *is* a very real benefit to keeping security issues under wraps. It might not prevent their exploitation, but it makes it *much* harder, because only those capable of finding and developing an exploit are then able to use them.

The Only 'exploit' Is the PR happy guy in the lab. Out of a lab, here's the count so far:

Mac OSX: ZERO for 30 million users

iPod: ZERO for 110 million users

iPhone: ZERO for 1 million users.

Apple: ZERO for 140 million devices out there.

Of course, you can break into your own house or inject yourself with ebola and claim panic.

JUst because Symantec, McAffee and others make nearly ZERO from Mac users is not a reason to create fake panic just to boost their sales.

There is a platform where people just work and it just works. If you don't use a Mac or don't care to - that's fine - just stay on your side of the fence. You don't know what you are talking about.

ajhoughton

I honestly understand the benefits of keeping security issues under wraps. What I was saying is that *I OWN* an iPhone.

Personally I would rather know what flaws it has so that I can mitigate the risks. For the manufacturer ... or anyone else to not communicate these issues means that I am unable to mitigate them.

Yes there are lots of people who do not patch their machines. Yes there are people who upon reading the vulnerabilities will seek to exploit them. Yes there can be a lag between when something is discovered and when something is fixed.

I'm just saying that, for example, if my Pinto is susceptible to rear impact flaws or the deadbolt on the front of my house is susceptible to "lock bumping", I'd like to know about it ahead of time. Your opinion of course is your own ... we simply choose to disagree on what course of action is in the best interests of the consumers.

Thats a good point ... how many of you actually know about lock bumping? Look it up ... choose to be informed!

Isn't it amazing on how easy it is to dismantle and criticize anything that is a "FIRST" from Apple. When Microsoft and other companies put out their pieces of crap, no one seems to be concerned about that because that is "the norm". It's OK to accept that. So all this non-sense about an iPhone exploit is no different and any other devices filled with security holes. Granted, Apple has NOT come out with a press release on this issue and I am glad because that in of itself is a statement to all the whiners crying about the iPhone security exploit. Also, bear in mind that the iPhone grants the User a choice to connect to the WiFi or decline the WiFi and connect to the Cellular network. Therefore, it's up to the User to decide as to whether or not they trust the WiFi Connection. There are several other phones (UTStarcom PPC-6700 / XV-6700 / HTC Apache) that utilize WiFi connectivity but no one is talking about them...Now that the whole world has made me aware of unsafe WiFi; I will start practicing "Safe-WiFi-iPhone"...BIG DAMM DEAL :-()