Windows

Lesson learned from Apple banning

Apple kicks out an iOS developer for showcasing a bypass of the code signing mechanism. Is this helping or hurting their cause?

I recently read an article about an iOS developer and hacker, Charlie Miller. It seems Charlie wrote a hack for iOS that infuriated Cupertino and they kicked him out of the developer program in retribution. It makes me ask, is Apple helping or hurting their cause by banning this developer for discovering weaknesses in the iOS platform?

As I read this article, an interesting memory came to me.

Early in my career I worked for a major Telecommunications vendor. At the time this company was pioneering early dial-up eBusiness solutions through a group that focused on State Government contracts.

This company supported many products, including a low cost dialup internet connections to college campuses around the U.S., the California Smog Check and Smog Check II VID (vehicle information database) and the California Department of Corrections dial-up pay-phone services that allowed inmates phone access to the outside world. At this point in the early nineties, they were aggressively expanding their lines, with nationwide Smog Check and Vehicle Safety programs with electronic result transmission in states outside of California and other novel ways to expand their State Government contracts through innovative, early eBusiness solutions.

One of the new systems was the California Firearms Information System .The CFIS system was built around an early All-in-One PC. The PC itself was a square box with an integrated color LCD with the motherboard and other components behind the display. The keyboard attached to the front of the LCD and could be detached for use. It was more or less a luggable, suitcase type of portable PC. It was a IA/86 system running Windows 95. The shell had been replaced so that it bypassed explorer.exe and loaded directly into a custom shell and login screen for the C.F.I.S. program. The CD and Floppy were disabled, and there were no USB or other ports that would allow an end user to bypass the custom login.

This caused us a lot of consternation when machines started being returned by dealers with applications like DOOM 2 loaded, or booting into Windows directly. The individual who was responsible for the design of the CFIS application expressed doubt that this was a software hack, and suggested that somehow the hardware was being hacked to bypass the security.

Eventually, another support engineer and I figured out how these gun-dealers were bypassing the security. If you shut down the system improperly, on a reboot Windows 95 would run a ScanDisk at DOS before loading Windows. If you were quick enough, you could pause the scan, which would give you a number of options, including to <Exit>. Exit did exactly what it sounded like, exiting the ScanDisk and returning you to the DOS prompt. Once there, you could open autoexec.bat file with Edit and modify the script so that instead of the custom shell executable, it would load explorer.exe, restoring full access to the system desktop to the end user.

It was really an elegant little hack. I discovered that I could trigger, pause and exit the scan and then load explorer.exe from the command prompt, and my co-worker assisted me with the final steps of entering the autoexec.bat (or maybe it was config.sys) and modifying the line that was calling the custom shell to load explorer.exe instead. this was something that had deviled and bothered the entire team for months since the release of the C.F.I.S. program. Young and naive, I thought the head developer for the C.F.I.S. program would be glad to hear that we had finally narrowed down what the issue was, so that it could be fixed.

Man was I in for a surprise.

The lead developer was rude, abrasive and disinterested in the discovery. I was young and looked up to this guy, and it was my first professional lesson that people who you admire professionally may actually be small minded, self-absorbed and easily threatened. Instead of moving my career ahead at this company like I thought it would, it actually helped cement my reputation as a trouble-maker who would not play by the rules. In retrospect, this helped launch my career by driving me to other firms that had more respect for out-of-the-box thinkers like myself - but at the time in my early twenties, it was very disappointing. (An interesting side-note is that the engineer who helped me fine-tune the hack also ended up working with me years later at Intel Corp.)

I think there are several lessons here.

Foremost, when someone comes to you trying to help, it is always good form to be gracious - even if they're pointing out something you missed. This can be especially challenging when the course correction comes from someone who seems less "important" in the scheme of things than you. It is easy to get caught up in your place in an organization - as a manager, or a lead or senior position. Frequently, I think we're afraid that if we let someone lower on the totem pole display more knowledge than us on an issue, it threatens our job security. I think the opposite is generally the truth, though. If someone reaches out to assist you and you treat them like dirt - it reflects horribly on your leadership skills. In my example above, the lead developer's response showed a lack of self-confidence and a defensive unwillingness to admit his fault in a design flaw. In the case of Apple, it illustrates the arrogance with which the company operates. Kicking Mr. Miller out of the developer program isn't going to stop him from finding exploits in the iOS platform. In fact, it is likely to make him work harder, and instead of working with Apple directly, Charlie will probably release those exploits to the wild in the future. Apple didn't do anything but make things tougher on themselves through their hubris.

From the other side, don't expect your heroes and idols to match your expectations. Face it, most people are neurotic balls of insecurity who are easily threatened and challenged by any perspective that doesn't align perfectly with their own perspective. Generally, their own perspective is that they're infallible, and everyone else around them are morons. Any evidence you provide to the contrary is likely to be judged as some sort of attempt to undermine their credibility and destroy their career - even if you're really trying to help them.

A great skill to develop is the ability address issues like this while handling the politics gently enough that people higher on the org-chart are not threatened. This is something I think I still struggle with to this day. We want to do the best thing for our organization or firm, but we have to make sure we don't upset or challenge someone higher up by inadvertently making them look bad (generally by solving a problem they can't).

What is your opinion, is Apple helping or hurting their cause by banning this developer for discovering weaknesses in the iOS platform? Do you have any personal examples to share? Let us hear your feedback in the forum.

About

Donovan Colbert has over 16 years of experience in the IT Industry. He's worked in help-desk, enterprise software support, systems administration and engineering, IT management, and is a regular contributor for TechRepublic. Currently, his profession...

93 comments
Nikhil K
Nikhil K

I am one of your millions of customers who would cringe at what everyone is clearly indicating here. Well, maybe ol' Charlie did violate the TOS. Is that all you are going to think about with all your millions of customers paying through their noses to get one of your products? If so, we are going downhill, and very fast. Hope you have thought about the backup plan or something. You had better. Best.

celltrix
celltrix

This topic is more than interesting for me but I am currently suffering from similar situation. I haven't read much about the issue of Mr. Miller being fired not until I read this article of lesson's learned from TechRep. It all depends on how Mr. Miller pointed out the issue and how it affects the reputation of Apple as a company. Perhaps I have to do more reading about it. Having said that, I want to share my personal experience about similar situation how a person in higher rank can place you in a situation where you will look like an absolute mess in a department. I am working in a Japanese company engaged in an oil-and-gas industry. I am one of the pioneer IT Engineer who was hired to be involve in building our network infrastructure from ground up. Certainly, I learned many things that one wouldn't normally experience if they join in a company that has an existing network running. After 4 months of working with this company, my Japanese boss who recruited me gave me a pay rise. Then after nine months, my boss have to return back to Japan. Another manager replaced him. This is the beginning of my nightmare. As the company is on the stage of expanding it's local network, I was the main focal person for virtually everything related to IT activities. Instructions are being given directly by the Admin. Dept. manager whom I was working with from the beginning. We need to carry on and execute IT-related activities nearly every month and have to finish things up at earliest as it is critical for our prospective client to see that we are always ready to provide the facilities they need. May be for this reason that I sometimes fail to acknowledge what my new boss wants. He started to check all my activity, and ask me to hand it over to colleagues one by one. After noticing it, I fear that it seems he is up on taking out all my activities and assigning it to somebody and that I will end up doing nothing. I talk to him about it and he had even given me the assurance that "you're point of view is narrow... you need to do that so that you can FOCUS on different things in order to MOVE UP into a better responsibility". I thought WOW! this is good. And so I started pouring whatever I know to colleague that he assigned to take over some activities from me, handing-over activities after activities. Then I noticed that I am not getting any progress or other challenging activity that I thought would replace the jobs that I used to do. I talk to my manager and I was told that it is because I was reported by my colleagues that they are having difficulty working with me. I though for a while and I agree that I sometimes act on a rough way to force other colleagues to assist on some activities that is neglected and that no one wants to do. But this is only after talking to them in a diplomatic way but not getting a result. Nevertheless, I made sure to it that I will lead the way on doing these not-so-interesting activity so that my colleagues wouldn't think that I am up on doing core activities while leaving them a not-so-important activity. To cut the story short, I compromised with my boss that I will work this things up with my colleagues. A year has passed and I followed up with my boss about assigning me to be part of other activities that I usually do (as I know inside me that I obviously done my part on patching things up with my colleague SPECIALLY when he is not around). And guess what? I was in for a surprise. My manager told me that he think I WAS JUST PLAYING WITH MY COLLEAGUES. I felt as if I was slapped side by side. And so the nightmare continues. When I do things that I thought is the right thing to do, it will be an absolute mistake. When I did not do what I thought shouldn't be done, it will be an absolute common sense that he will say I should have done. Worst of all, some colleagues with whom I had trained or handed over some of my activities are the ones who should evaluate things first if what I am about to do with the system is correct. I sometimes end up being cornered by a colleague and ask secretly what he should do. I will then simply tell that "just sign that document and say you have reviewed things out, and don't you worry, those were correct." I have spoken privately with my boss for a number of times addressing the issue and how we can resolve the matter and improve our working relationship, but things just got worst-and-worst as times goes by. I even apologized for things that might have offended him but to no avail. Some colleagues started to notice the situation and later heard my part thought that my manager was just a complete moron: he see small shortcomings from my part but not seeing who turned off the AC at the server room while sleeping and forgot to turn it back on that had I not been regularly visiting the server room will fry all the computers inside it; backup system that failed for more than a month that the person in-charge is not checking and not knowing it until the client ask for a backup; an outlet adapter that is overheating as the grade is not up to the standard required by the device connected to it. It even got into such a situation that my manager wouldn't allow me to do critical maintenance update on servers even with the presence of engineer trained by manufacturer because my manager's reason is that "someone has to check/backup my work". Even the server has crashed/restart already for a couple of times. So that's it! Some higher-ups will mess you up if they feel that you cross up with them. In my case, he clearly doesn't even care if our network infra is still running on the second day if I was the one who found out the fault and how to fix it.

jkameleon
jkameleon

... and it occured to me, that Miller is probably a victim of a fundamental misunderstanding of Apple's security philosophy, which is NOT about protecting the user from malware. It's about protecting the Apple from user. Vigorous protection of their corporate interests against anyone and everyone is the main reason Apple is doing so well.

rmcmillan
rmcmillan

This same attitude is found in the health care system as well. The system as we know is broken here in Canada, but it will not change as long as the people that can make the changes are the ones at fault. Don't rock the boat or you are out on your ear, I know from personal experience.

vezycash
vezycash

The lesson here is not about what Apple did or did not do. The lesson lies with Mr Miller who did not act like a proper hacker. History already shows that companies such as Apple would act in even worse manner cos you are showing the world how stupid they are. Especially since their ad campaigns revolve around how secure their products are in comparism to Microsoft, how no viruses exist for Mac... that Apple products need no anti-viruses. Other hackers should keep their mouth shut simple! If you are going to make an exploit, don't tell or blab about the hole first and make exploit later. The company is not going to say thank you for showing any hole - they are not interested until the public becomes alarmed because fixing holes bring in no money. If any hacker wants a "thank you" find a way of making some money out of it. When the company finds out, their accusations and irrational behaviour would be justified. This I truly feel is the real lesson to be learnt.

Neon Samurai
Neon Samurai

This all started Tuesday, patch for IOS 5.0.1 complete by Thursday. Good on Apple for the fast patch turn around time. (seems they are not reconsidering their response towards the researcher who reported it to them though)

pk de cville
pk de cville

Donovan, What's the big deal? Apple wants a team of developers (and employees and customers) who are committed to Apple's way of doing things. Do you think Google or FaceBook don't want that? When you build a company you call the shots. Apple can live with this brouhaha including your opinion about it. There's nothing here. Move on. (Write a column that will actually make a difference.) --------------- Of course, if you just need to wail at Apple, think 'different' next time.

gclarkso
gclarkso

I'm not sure what was done prior to releasing this knowledge to the public or if it was released to the public. But there are 2 things to consider. 1 It is possible the developer found an Achilles heal of Apple IOS and there was not an easy fix available. Did the developer give Apple notice of the bug before releasing it? The second would be did the developer realize he was indirectly employed by Apple. Both acted bad in the situation.

gucharles
gucharles

I would say that they are hurting their cause. I once worked a non-tech job and the same thing happened. The manager gave me a task which I completed. I had created a list of missing inventory that explained the gaps and tried to give it to them but they did not take it. The regional manager saw the display and asked about it so I gave him the list. He took it and said he would have the missing items sent to our location. The missing stock items came addressed to me. My manager was forever mad at me. I quit a couple months later.

donavonknight
donavonknight

It has always amazed me how Apple has created a monopoly by playing Godfather and getting a piece of every software sold for the iPhone. To make matters worse they decide what the software is or is not allowed to do. Hackers and developers will only be more encouraged by these actions and with Apple's stock price so high others will go after the corporation. Lawyers and the federal government may soon take action against the company just as they have Microsoft in the past. I for one will be glad to see it occur. If I write and develop software it is for what consumers desire to see not Apple and unless they hire me the profits from my efforts should not be shared with them.

john-paul.sivori
john-paul.sivori

it is shoddy enough without apple joining the rest of us hacks. Apple set out their stall - restricted yes, but very safe. End of. People who have never used a computer take to the apple, the Internet and everything in minutes when given their first iPad. Don't get me wrong, in our capacity as IT pros, iPad type restrictions are unhelpful - which is why I don't use an Apple in my day to day work. However, for punters who don't want to become PC support experts by having to restart, uninstall, purge, update etc their home machines, Apple is a Godsend. Btw - i do have 1 apple. I inherited my son's iPod. I have to say, it is the most reliable piece of kit I own. All I have to do is remember to charge it once a week. It plays music, podcasts, surfs the net etc etc. In 2 years we've only had to restart it once. So good for Apple I say.

Vulpinemac
Vulpinemac

I'll grant that I don't know every aspect of this issue, but there's two things blatantly obvious here: * He got a hack past the check stage. * He bragged about it on a public forum. Now, personally I don't see that much of a problem with the former had he then responsibly told Apple what he had done and how. I'd say there would have been at least some chance that Apple might have even offered him a position within the company. However, by bragging about it through a public forum--a magazine article, I believe--he flat-out ignored any responsibility to Apple itself in order to make a name for himself in the hacking world. As such, I fully agree with Apple's actions and disagree that it relates in any manner to the author's personal anecdote. Yes, the author has good reason to be upset, but he acted responsibly and notified his superiors of the problem, even if they didn't want to hear it. But Charlie Miller ignored his responsibilities and earned the reward he deserved.

Slayer_
Slayer_

So it won't hurt Apple at all.

BeanDare
BeanDare

I have seen the mindset of Apple in so many avenues in society, your to be creative but only to a fault. I have seen it most recently with a pretty prominate hiring agency out in Calgary who black list clients who question them on favoritism. It boils down to this the world doesn't like being shown there are problems so rather than fixing things, hiding under a rock is preferable.

brockers
brockers

...but not too different.

AMS-Ray
AMS-Ray

Google rewards those who find bugs or vulnerabilities by paying them. Apple apparently is going to punish those who do the same for their software. 'Nuff said.

AnsuGisalas
AnsuGisalas

I'll just take this time to say I admire your laidbackness. It can be infuriating at times, but I much prefer it to the alternative... which, as you say, is more the rule than the exception. Reminds me of a part of the Tao Te Ching I read a long time ago... before lunch, in fact: When you are content to be simply yourself and don't compare or compete, everybody will respect you. The opposite is true as well; when not content to be oneself, when always comparing and competing, one will have the respect of no-one.

jkameleon
jkameleon

http://en.wikipedia.org/wiki/Bozo_bit In early versions of Apple's Macintosh Operating System, the "bozo bit" was one of the flags in the Finder Information Record (also called the "no copy" flag in some documentation), which described various file attributes. When the bit was set, the file could not be copied. It was called the bozo bit because it was copy protection so weak that only a bozo would think of it, and only a bozo would be deterred by it. Apple sure hasn't changed since then.

Vulpinemac
Vulpinemac

... how banning someone who openly broadcasts how he exploited a hole in Apple's security is threatening Apple's millions of customers. Quite honestly, "the needs of the many outweigh the needs of the one."

AnsuGisalas
AnsuGisalas

Don't ask him why he's doing it... his reasons are the kinds he can't say out loud, maybe even to himself. He came into an operation that was working well, and so, in order to make himself less useless he's going about wrecking that operation in ways that point the blame to you. It sucks, and unless you can pull in favors from higher-ups or ask your former boss for assistance in finding a new position somewhere else in the organization, your only option will eventually be to leave. And by then this idiot will have tried to blacken your reputation as far as he can, in order to make your complaints less believable. Look around for other options, it's better to leave in time than wait until he can get away with firing you.

jkameleon
jkameleon

Your boss doesn't want to have indispensable techies around. He doesn't want to depend on one person alone.

dcolbert
dcolbert

Vigorous protection of their corporate interests against anyone and everyone should, conceivably result in a backlash of Microsoft style negative public perception at some point. For now, Apple enjoys tremendous good will and positive perception from the public and tech journalists. Can they maintain that positive momentum without the charisma of Steve Jobs as their leader if they continue to do things like this? I think that is a genuinely valid question, and I think the answer is that eventually the public and the press will grow tired of this kind of behavior.

seanferd
seanferd

It's a common attitude, especially enshrined in business cultures.

AnsuGisalas
AnsuGisalas

they could have probably just told him "Thanks! Taking care of it", and they'd saved themselves this whole mess.

donavonknight
donavonknight

This would be like Ford saying I want ten percent of every thing made by other companies for Ford vehicles. Or that anything made for Ford vehicles can only be purchased at the Ford Store. If Ford finds a seat cover installed not sold by them they can disable the engine. Or in the tech field it would be like a web hosting company saying message boards and comments are not allowed because you are allowing people not employed by your company to create webpages. Apple has a monopoly. You can only sell software in their store and give them part of your profits. They control what is sold and the features the software is allowed to have. If you can only purchase products in one place that one place has a monopoly. Apple will most likely be sued in Europe first because they exert so much control and force vendors to sell their products only through Apple.

Neon Samurai
Neon Samurai

The big deal is that Apple has increased risk for all it's customers by hindering a researcher who could contribute significantly to it's product quality and customer safety and does so without being on Apple's payroll. If your an Apple customer then you should consider this a big deal unless you've installed no third party apps on your personal devices.

Vulpinemac
Vulpinemac

What market is there that Apple holds almost exclusive access to? Their brand? To have a monopoly, you have to have the only product or service of its type on the market. Apple simply doesn't have one; they only have the best products and services of their types, which is a big difference.

wizard57m-cnet
wizard57m-cnet

NT, no text, just some humor to lighten the mood!

JamesRL
JamesRL

If Charlie had waited until Apple had resolved the issue to bring it to the rest of the world, he'd probably still be in the program. He not only embarassed Apple, he broadcast a vulnerability that others not as ethical as Charlie might exploit.

pk de cville
pk de cville

It's part of Google's open model; they have to celebrate the flaw finders because it all goes out in Beta! (See recent remarks regarding Google TV beta; it cost one CEO his job.)

Vulpinemac
Vulpinemac

... by the millions where this issue with Apple impacts a single non-employee researcher.

jkameleon
jkameleon

... will be discovered by the successors of the current Apple leadership.

Neon Samurai
Neon Samurai

Is Heinze a monopoly for being the only company that produces Heinze Katchup? Maybe McDonalds is a monopoly because it is the only company that sells McDonalds Big Mac's? Ford produced cars painted black; that was a product decision not a monopoly abuse of the horseless buggy market. Another company produced cars in a range of colours and the market responded by buying cars in colours other than black. For Ford to have been a monopoly in your example, the company would have had to get a cut of any accessory produced for any horseless buggy not just Ford branded ones. Apple having full control over it's own products does not make it a monopoly either. You are free to purchase personal computers, smartphones, tablets and content from any of the other companies in those markets. "Apple is a monopoly because you can only sell your software for Apple devices through Apple's repository"; give me a break. Simple solution, don't write your software for Apple devices.

Vulpinemac
Vulpinemac

And maybe you should look at Ford. If anything has a Ford label on it that item has to be licensed by Ford--and that includes plastic and die-cast metal toy cars and almost everything else Ford related. You also don't understand the software and publishing businesses very well either, as somebody has to pay for that 'publication.' Sure, you may have your in-house writers, but a lot of the real advances, whether in books or software, come from people outside the publishing house. As a writer, I see this almost every day and i see Apple's iTunes App Store (and iBook Store) as a publishing house that doesn't rely on the old traditional publishing methods. Yes, the App Store does act as a retailer as well, but it still 'publishes' the independent's work.

Vulpinemac
Vulpinemac

Miller did far worse by making his method publicly available rather than notifying Apple directly. Just as the military doesn't want any weaknesses in its methods disclosed for security's sake, neither does a software company--no matter who that might be.

AnsuGisalas
AnsuGisalas

"Outside help not appreciated"... MS has had some bad procrastination cases, but the old "proof is out" trick has worked often enough that I think researchers still bother... But when the Publisher hurts the researcher's livelyhood, out of a simple hissy-fit princess syndrome, then I fear it will make researchers focus their efforts on the companies that have at least the decency to know (on some level) that they weren't being responsive enough - and that the researcher in fact acted to aid, not hinder their general business.

wizard57m-cnet
wizard57m-cnet

As for the "best" products and services, some would question that statement. That's your opinion, which is OK by me. We're all entitled to an opinion!

Neon Samurai
Neon Samurai

For an absolute monopoly yes; 100% of the market for your good or service. In reality, one needs only have enough majority share of the market to affect it through anti-competitive actions. Microsoft did not have 100% of the OS market when found guilty under the Sherman Act. I wouldn't call Apple a monopoly for having control over it's brand either. I'm only clarifying the point of what constitutes monopoly possition in a market.

Neon Samurai
Neon Samurai

I think the greater offense was emberassing Apple. Others not as ethical as Mr Miller already know; if the a security researcher found it, you can bet a criminal researcher has also.

dcolbert
dcolbert

Calls to mind the English concepts of providence and rule-of-law during their phase of colonial empire expansion. Oh, those heady days that came right before the fall. ;)

Vulpinemac
Vulpinemac

... has any bearing on the discussion at hand. He wasn't 'jail breaking' the product, he was flat publicly announcing a vulnerability without following Apple's own rules on how to go about such things. I don't know about you, but if it were me, if somebody tried to steal my money or my customers' money, I'd want to stop them.

donavonknight
donavonknight

Apple sells a license for things with"Apple" on it but that is not what we are talking about. We are talking about apps made by independent developers that do not have an Apple label. But do not take my word for it read about the court ruling against Apple: http://www.wired.com/threatlevel/2010/07/feds-ok-iphone-jailbreaking/ I hope this helps your understanding and your profits the next time you publish something.

wizard57m-cnet
wizard57m-cnet

Threads in these discussions are almost non-existant, so I can see where you may have gotten someone elses post confused with mine. As for "harping" on something, please take some of your own "advice"...leave the military out of it. I realize you have served, but you need to get a grip...most business in this country does not follow "military rules of engagement". If they did, then companies would be paying $600 for a $6 hammer.

Vulpinemac
Vulpinemac

... since, as I pointed out earlier, monopolies and anti-trust have no purpose in this thread. To keep harping on it merely attempts to deflect from Apple's legitimate reasons for banning Miller from the iOS development program.

wizard57m-cnet
wizard57m-cnet

that you don't have to be a monopoly to be in violation of anti-trust. Nice attempt at deflection though.

Vulpinemac
Vulpinemac

... in their activities pertaining to Miller's ejection from the developer program.

Vulpinemac
Vulpinemac

... Does Apple have? iOS doesn't have a majority, so how is Apple abusing monopoly power?

AnsuGisalas
AnsuGisalas

1) Alert the Corporates. 1a) If corporates are immediately cooperative, go with that. 1b) If corporates give you the run-around, count to 10 and proceed to 2. 2) Release a proof of concept to get media assistance in putting the heat on the corporates. 3) See the corporates hopefully scrambling to fix it, finally. All the other big corps have been there... these days that's what you get when you don't help people to help you, if they offer it. Apple should learn to live with that, because there will be other weaknesses, and hopefully other infosec researchers will bother helping them again sometime. Best advice: Always go to 1a. Don't be pompous asses. Don't say "We don't make mistakes, so that weakness you found can't be real". That's just idiotic.