I think he meant claims. As mentioned elsewhere in the thread, finding the exploits is non-trivial work usually done by experts. I doubt the bug bounty paid by some tech companies really makes up for the hours spent tracking this stuff down, but it's nice like a chocolate chip cookie. With millions of people beating on OSX, especially now with the "public" betas, I'm sure Apple is hoping that more monkeys will be generating Shakespeare and want to report where things fell apart. A bug bounty would certainly increase the incentive to report any issues folks have stumbled upon.

CB

On 8/13/15 3:31 PM, Shaf wrote:
No clue what 'clqames' means.

Either way, your argument is flawed. That's like saying everybody who
wants a job shouldn't work for the money otherwise the job market would
be overloaded and employees wouldn't be filtered by quality.


On 8/13/2015 8:25 PM, george b wrote:
No, I do not think so. Then all the people who need some money would be reporting
these things just to get funds and overload their system, and then they would
never be able to check the validity of all the clqames

-----Original Message-----
From: macvisionaries@googlegroups.com [mailto:macvisionaries@googlegroups.com] 
On Behalf Of Shaf
Sent: Thursday, August 13, 2015 11:53
To: macvisionaries@googlegroups.com
Subject: Re: Why you shouldn't freak out about scary sounding exploits

That's good for you. A wealthy company such as Apple should pay those
who find security holes and report to them.

On 8/13/2015 7:36 PM, Littlefield, Tyler wrote:
Hello: A lot of companies do have bounties like this. For example,
the company I worked for works on Drupal. There was a bounty
offered through the association. I report stuff like this I find
when it is a problem, not because I want to get paid but because
that's the only way to fix things. I do it because it's the right
thing to do and it helps other people. Any security holes that can
be fixed, regardless of whether or not I get paid helps me (as I'm
obviously using the product) and it helps others as well.

Thanks,

On 8/13/2015 2:27 PM, Shaf wrote:
Why should I tell Apple of exploits if they don't pay me?? They
should introduce a bug bounty program. Otherwise I have no
interest in keeping their bugs confidential.

On 8/13/2015 7:10 PM, 'Chris Blouch' via MacVisionaries wrote:
With the complexity of OSX and iOS I think if somebody figures
out the right combination of tweaks to bypass security they
should tell Apple right away and hold off a bit before telling
the world. At least give them a chance to fix it before giving
a free hand up to the bad guys. Of course that lead time needs
to be kinda short as the vulnerability needs to be fixed before
some bad folks find it and/or continue to use it. With Apple's
automatic updates it can also be a while before a reasonable
chunk of the population has installed the patch. So I'd guess
90 days would be pretty reasonable. If a patch hasn't been
released by then then it's time to put public pressure on
Apple.

That said, the oasis of pulchritude hasn't entirely dried up.
Yes, there are issues and the popularity of the platform has
attracted unwanted attention from certain quarters but at
least there seems to be a reasonably good attempt to put locks
on all the doors. They just sometimes forget and leave a window
open.

CB

On 8/13/15 1:21 PM, Sabahattin Gucukoglu wrote:
I don’t agree with the author.  Of course, this is
MacWorld—some amount of Apple butt-kissing is to be
expected—but I find his attitude very worrying.

First, “Responsible disclosure” vs “Full disclosure” is a
choice of researchers, and privileged authors of the press
shouldn’t be using their personal ethical judgements about
it to suppress public information about flaws simply on that
basis.  That alone is reason enough to simply distrust any
further writings of the author.  I am personally of the
opinion that we are well past the usefulness of “Responsible
disclosure” as a strategy; giving companies rope, but not
quite enough to hang themselves with, isn’t moving security
forward any faster.

Second, and more important, a privilege escalation
vulnerability isn’t a problem for advanced users, who
already know what Glen is suggesting, i.e. don’t run dodgy
software. It is precisely those people who have been trained,
per the standard advice, not to type in their passwords when
they are suspicious who will be most hit by the root bypass.
Obviously, better advice would be “Just don’t trust anyone”,
but that’s not how the world works, sadly.  I think it’s time
for us to acknowledge that the Mac, once a peaceful
neighbourhood with only the occasional bit of
easily-preventable rogue badness that you could get rid of by
just clicking “No” or “Cancel” or whatever, is now
increasingly occupied by bad software that is
well-advertised, easily installed and hard to recognise by a
lot of inexperienced people, and anybody giving a Mac to
somebody to keep them (the recipient) quiet and out of their
(the donor’s) hair now needs to hold Apple’s once glorious
patch turnaround times to account.  This is *especially* true
  if the donor has delivered the Mac with a limited user
account and all necessary software already installed or only
accessible from the Mac App Store, because as soon as Flash
becomes the vector, we’re all finished.

Microsoft have learned their security lessons the hard and
painful way, and now it’s Apple’s turn.  Please don’t give
apologists fodder for their absurd denials.

--
¯\_(ツ)_/¯
