
iTunes Flaw Allowed Spying On Dissidents

Soulskill posted more than 2 years ago | from the but-only-from-a-macbook dept.


Hugh Pickens writes "Democracy and free speech activists worldwide have something new to worry about — cyberwarfare via iTunes. The Telegraph reports that Gamma International sells computer hacking services to governments, offering 'zero day' security flaws that allow access to target computers 'with the ability to take control of the target systems functions to the point of capturing encrypted data and communications.' FinFisher spyware, known to be used by British agencies and offered to Egypt's feared secret police, takes advantage of an unencrypted HTTP request that is filed by iTunes when Apple Software Updater is inactive. It redirects users' web browsers to a customized web page that pretends Flash is not installed on the user's computer, then installs a sophisticated piece of spyware that sends info on a user's activities directly to foreign intelligence services. The latest iTunes software update, 10.5.1, released on November 14, appears to have fixed the exploit FinFisher used. A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet Apple 'waited more than 1,200 days to fix the flaw,' writes security researcher Brian Krebs."
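The attack in the summary works only because the update check leaves the machine as plaintext HTTP, so anyone on the path can answer it with an HTML lure instead of an update catalogue. As an added example (not code from the story, from Apple or from Gamma), the script below runs that detection rule over a few constructed proxy log lines: the log layout ("method url status content-type user-agent") and the updater User-Agent prefixes are assumptions chosen for illustration, and the lines are made up, not captured traffic. It flags updater clients that check over http:// and escalates when the reply comes back as text/html, which is what an injected "install Flash" page looks like in a log.

```python
"""Flag software-update checks that travel over plaintext HTTP.

Added example; the log layout ("method url status content-type user-agent")
and the updater User-Agent prefixes are assumptions for illustration, and
the log lines are constructed, not captured traffic.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^(?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+) (?P<ua>.+)$"
)

# Assumed: prefixes of User-Agent strings sent by in-app updaters.
UPDATER_UA_PREFIXES = ("iTunes/", "Apple Software Update", "OpenOffice.org")

# Constructed sample lines: a normal catalogue fetch, the same fetch answered
# with HTML (what an injected "install Flash" page would look like), an HTTPS
# fetch, an ordinary browser request and an OpenOffice update check.
SAMPLE_LOG = """\
GET http://swscan.example.test/catalogs/index.sucatalog 200 text/xml iTunes/10.5 (Windows; Microsoft Windows 7 x64)
GET http://swscan.example.test/catalogs/index.sucatalog 200 text/html iTunes/10.5 (Windows; Microsoft Windows 7 x64)
GET https://swscan.example.test/catalogs/index.sucatalog 200 text/xml iTunes/10.5.1 (Windows; Microsoft Windows 7 x64)
GET http://news.example.test/ 200 text/html Mozilla/5.0 (Windows NT 6.1) Firefox/8.0
GET http://ooo-update.example.test/check.Update 200 text/html OpenOffice.org 3.3
"""


@dataclass
class Finding:
    line_no: int
    host: str
    user_agent: str
    reason: str


def is_updater(user_agent: str) -> bool:
    return user_agent.startswith(UPDATER_UA_PREFIXES)


def analyse(log: str) -> List[Finding]:
    """Return one Finding per updater request that used plaintext HTTP."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m or not is_updater(m["ua"]):
            continue
        url = urlsplit(m["url"])
        if url.scheme != "http":
            continue  # HTTPS: an on-path attacker cannot rewrite the reply
        media_type = m["ctype"].split(";")[0].lower()
        if media_type == "text/html":
            # An update catalogue is XML/plist; HTML here means the reply
            # was replaced, which is how the FinFisher lure was delivered.
            reason = "updater received text/html over plaintext HTTP (possible injected page)"
        else:
            reason = "update check over plaintext HTTP (reply can be tampered with)"
        findings.append(Finding(line_no, url.hostname or "", m["ua"], reason))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.host} [{f.user_agent}] -> {f.reason}")
```

On the constructed log this reports lines 1, 2 and 5; line 3 is skipped because it used HTTPS, and line 4 because a browser, not an updater, made the request. The text/html escalation is the useful part: a plaintext check is a weakness, but an updater being fed HTML is the attack in progress.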


82 comments


Conspiracy! (5, Funny)

ryanmcdonough (2430374) | more than 2 years ago | (#38164994)

An amazing way to exploit software that is ubiquitous on many computers. Let's start the conspiracy now that Apple are told by governments not to fix a bug until they find a better 0Day to exploit.

Re:Conspiracy! (1, Insightful)

Anonymous Coward | more than 2 years ago | (#38165006)

Conspiracy? That sounds more like fact.

Re:Conspiracy! (1)

Phopojijo (1603961) | more than 2 years ago | (#38173596)

Nah... it sounds like Apple just was complacent and didn't care about patching a vulnerability that they knew about because they felt their engineer was better utilized for some other task.

Because that's how it always is for Apple. Security when we get around to it.

Re:Conspiracy! (5, Funny)

Chrisq (894406) | more than 2 years ago | (#38165008)

An amazing way to exploit software that is ubiquitous on many computers. Let's start the conspiracy now that Apple are told by governments not to fix a bug until they find a better 0Day to exploit.

You are obviously a government shill who has posed this as a "Let's start a conspiracy" to throw people off the fact that this is exactly what happened.

Re:Conspiracy! (1)

Anonymous Coward | more than 2 years ago | (#38165270)

I can confirm that this guy is a theorist. OUR Intelligence agencies don't need to use some 1,200 day old vulnerability to make it easy to exploit the dissonant. The Nixon administration didn't even spy on the domestic. It provided survey of the activity going on during protest to the FBI to keep them on their toes in case of an emergency or domestic attempt to terrorize or get out of line. If intelligence agencies hack or penetrate anything, they penetrate their own agencies to test network and hardware vulnerability. The NSA consult and penetration test the security of the intelligence community ALL THE TIME. That's what software and security companies like these are for, and they're international where certain countries lack vulnerability assessment. Now, I can understand how Egypt and some places in the middle east might want to spy on their citizens if they lack control preventing themselves from social/political influence like Hamas, AQAP, etc, which, they are HIGHLY vulnerable to, and already have problems with this.
This guy hasn't concluded that any individuals in the US have been exploited by this software. Its time to stop the conspiracy bullshit and get to the facts before spreading an already rising anti-government movement.

and yes, I have read this in case you're wondering.
http://www.f-secure.com/weblog/archives/00002114.html

Re:Conspiracy! (0)

Anonymous Coward | more than 2 years ago | (#38177232)

TO: Chrisq
RE: Not too...

...'bright', are you. Or at least not well schooled in the world of military intel.

Regards,

Chuck(le)
[Even paranoids have enemies.]

Re:Conspiracy! (2)

jellomizer (103300) | more than 2 years ago | (#38165054)

The biggest and most used names will get the most hacking and piracy.
Being Open Source, Closed Source. Well designed or poorly designed.
Most of the security problems that take a long time to fix are passed off as not that big of a deal. With an easy work around.
You expect every software company to be trolling the hacking sites to see if there is a new exploit. It doesn't happen.
Even when a hole is found the company cannot just fix it the next day. Because then they will get dinged for making a fix that didn't work and broke the system and people will be less likely to update their computer again.
How many of you work for a company that will not push out patches for months because every patch needs to be tested. Because you have been screwed by a Microsoft patch in the past.
So if the company patches too soon without a full analysis and testing period they get yelled at. If they do a full analysis that can take months or years they get yelled at too.

Re:Conspiracy! (1)

betterunixthanunix (980855) | more than 2 years ago | (#38165074)

The biggest and most used names will get the most hacking and piracy. Being Open Source, ...

How does one pirate open source software?

Re:Conspiracy! (2)

Bill_the_Engineer (772575) | more than 2 years ago | (#38165084)

By copying the software and rebranding it as their own work without releasing the source code or acknowledging the original software.

I assumed you meant pirate as in copyright infringement and not pirate as in arghhhh.

Re:Conspiracy! (1)

poetmatt (793785) | more than 2 years ago | (#38165120)

that's not piracy, that's just rebranding, as the poster you are replying to acknowledged.

Re:Conspiracy! (1)

skovnymfe (1671822) | more than 2 years ago | (#38165176)

It's stealing and you know it! Now pay up! $150,000 per byte of code!

Re:Conspiracy! (2)

Tsingi (870990) | more than 2 years ago | (#38165312)

that's not piracy, that's just rebranding, as the poster you are replying to acknowledged.

It's not just rebranding, redistributing modified apps without making the source available violates the GPL.
It's OK to do it, but you have to make the sources available.

Re:Conspiracy! (0)

Anonymous Coward | more than 2 years ago | (#38166486)

Piracy is unauthorised copying. If I copy OSS stuff in a way that the licence terms deny... that's piracy.

Re:Conspiracy! (2)

Bill_the_Engineer (772575) | more than 2 years ago | (#38166520)

that's not piracy, that's just rebranding, as the poster you are replying to acknowledged.

Let me type a little slower since you were so quick in the reply that you didn't seem to comprehend my message.

Consider piracy to be copyright infringement, which is the overwhelming view on Slashdot since we have the meme "copyright infringement is not equal to theft" here. Now consider what constitutes copyright infringement of most open source software that is not in the public domain. If you copy the software and rebrand it without releasing the source code then you violated the GPL, which amounts to copyright infringement. If you copy the software and rebrand it without acknowledging the original software then you violated most 4-clause BSD licenses out there; again this amounts to copyright infringement.

This is why my answer to the original poster about "How does one pirate open source software?", I said "by copying the software and rebranding it without releasing the source code or acknowledging the original software" if you consider piracy to mean copyright infringement.

I'll attribute your answer to ADHD.

Re:Conspiracy! (0)

Anonymous Coward | more than 2 years ago | (#38165112)

gpl-violations.org

Re:Conspiracy! (1)

Anonymous Coward | more than 2 years ago | (#38165122)

Mawahahahaha! I've started a pirated torrent of Debian! Now anyone can have a copy ... oh wait ...

Re:Conspiracy! (1)

JustOK (667959) | more than 2 years ago | (#38165160)

what? no one WANTS a copy?

Re:Conspiracy! (2)

arth1 (260657) | more than 2 years ago | (#38165154)

How does one pirate open source software?

Easily. Thousands of companies do it every day, the same way one pirates closed source software:
By making and/or distributing copies in violation of the license.

  • Most by not honouring licenses with clauses saying that you have to distribute the source with the compiled software or otherwise make it easily available.
  • Some by erasing the original author's names, when the license calls for an attribution.
  • The worst are those who make modifications (including fixes) to software where the license says that the source to such modifications must become open source too. They take but are unwilling to give.

In these cases, you are in violation of the license which is all that gave you a right to distribute the software. So you don't have that right because you broke the license terms, and doing so is piracy.

Re:Conspiracy! (1)

Hentes (2461350) | more than 2 years ago | (#38165382)

Open source and zero-cost are different things.

Re:Conspiracy! (0)

Anonymous Coward | more than 2 years ago | (#38165086)

Writing a single sentence.
On every line.
Does not make you.
Smart.
Go fuck yourself.
With a curling iron.

Re:Conspiracy! (4, Funny)

Yvan256 (722131) | more than 2 years ago | (#38165124)

In America
You write haiku, in Russia
The Haiku writes YOU

Re:Conspiracy! (0)

Anonymous Coward | more than 2 years ago | (#38186142)

as long as haikus written
who cares who claims to write it

Re:Conspiracy! (0)

Anonymous Coward | more than 2 years ago | (#38165140)

"Smart." is not a sentence.
Jam it.

Re:Conspiracy! (1)

Eraesr (1629799) | more than 2 years ago | (#38165102)

I welcome you to my world, where patches are tested in a half-assed way because the customer is demanding that this fix is being made available RIGHT NOW!!!! (only to install it 3 weeks later...)

Re:Conspiracy! (1)

L4t3r4lu5 (1216702) | more than 2 years ago | (#38165130)

If you're having to release patches which are serious enough to have the customer demanding a fix RIGHT NOW!!1one then your coding was probably half-assed to begin with.

Trololol! ~

Re:Conspiracy! (1)

Eraesr (1629799) | more than 2 years ago | (#38187866)

Maybe I should have used the word "feature" instead of "fix".
It happens.

Re:Conspiracy! (1)

macs4all (973270) | more than 2 years ago | (#38167684)

I welcome you to my world, where patches are tested in a half-assed way because the customer is demanding that this fix is being made available RIGHT NOW!!!! (only to install it 3 weeks later...)

My world has similar features...

Re:Conspiracy! (1)

sunderland56 (621843) | more than 2 years ago | (#38165058)

Bug? Who says it was a bug? The *real* conspiracy theorists would say that it was a feature intentionally designed in for exactly this sort of use.

Re:Conspiracy! (0)

Anonymous Coward | more than 2 years ago | (#38165094)

Exactly, and it took the 1200 days to write in the new even more secret "exploits" to replace the now publicized one. Doesn't this parallel a previous article discussing how no smart phone is secure?

Speaking of Egypt. USA made tear gas sold to Egypt since the pro-democracy anti-militarism protests began, also.

Re:Conspiracy! (1)

marcroelofs (797176) | more than 2 years ago | (#38165432)

You probably mean a conspiracy THEORY?

Re:Conspiracy! (1)

wesleyjconnor (1955870) | more than 2 years ago | (#38173566)

aliens

Why didn't the security researcher (1)

Anonymous Coward | more than 2 years ago | (#38165004)

Why didn't he warn the rest of the world as well?
A company closing a hole that is used by governments may be a thing that governments do not like.

Re:Why didn't the security researcher (1)

GameboyRMH (1153867) | more than 2 years ago | (#38165582)

They call it "responsible" disclosure.

Re:Why didn't the security researcher (1)

AHuxley (892839) | more than 2 years ago | (#38169146)

Re: The ability to warn the rest of the world?
Based on what happened to Italian telecommunications security expert Adamo Bove and Greek telecommunications expert Costas Tsalikidis....
Bove used mobile phone logs to map more than two dozen American agents. He also uncovered undetectable illegal telco wiretaps and talked about what he found in open court.
Costas Tsalikidis found very advanced spyware in his company's mobile phone network. The Greek Prime Minister, Greek military officers, anti-war activists and an American embassy cell phone were of interest.
Do you think Costas Tsalikidis and Adamo Bove are still doing any telco security research?

This is why.. (2)

ryanmcdonough (2430374) | more than 2 years ago | (#38165016)

You should always put all your music onto a £10 mp3 player and only listen to it on there!

That's funny... (0)

AngryDeuce (2205124) | more than 2 years ago | (#38165060)

I thought iTunes itself was the spyware?

Re:That's funny... (-1)

Anonymous Coward | more than 2 years ago | (#38165324)

How is it being a virgin these days?

Re:That's funny... (5, Insightful)

CharlyFoxtrot (1607527) | more than 2 years ago | (#38165770)

I love how people here are focussing on iTunes and not the fact that British agencies are supplying the Egyptian secret police with software to nab dissidents. Seriously, WTF ?

Re:That's funny... (1)

Anonymous Coward | more than 2 years ago | (#38166254)

or you could read the FS. It's _used_ by the British and was offered to the Egyptians. Never says offered by the British. I'm guessing it was offered by FinFisher. You going to get all arsey that the US uses the same OS that is used in Iran as well?

Re:That's funny... (0)

Anonymous Coward | more than 2 years ago | (#38166298)

are they British tho ?
a quick look at the gammagroup network suggests their servers are located in Liberia, like East Africa is the first place an English company/man would think to host now ? why choose Liberia to host your "gamma group" domains, there are some pretty desperate mutherfuckers there

of course all the domains listed are hidden whois, could be a jerk in a bedroom scraping seclists, a sales pitch and a copy of Dreamweaver for all anyone knows.

Taken from 1215.org I found Dissident guidelines (1)

Anonymous Coward | more than 2 years ago | (#38166948)

--never provide personal information that is not otherwise readily available
--never speak of anything illegal that you may have ever done
--never speak of anything illegal that others you know may have done
--do not get into speculative gossip e.g. about who does drugs or not
--do not leave personal papers lying around or unattended in public
--do not have strangers as overnight guests. They are poised to search your files
--do not write an email or a letter that you wouldn't publish in the New York Times
--do not discuss sensitive matters over the phone
--when speaking to someone you trust make sure you know who else is nearby
--break off any conversation in which a person is asking inappropriate questions
--do not fill out surveys re: anything but your political beliefs. They are not anonymous
--do not take strangers at face value. Do not be rude, of course, but take things slowly
--be transparent about your beliefs and your activities within the movement
--be suspicious of those too candid about their own illegal or financial dealings
--be suspicious of those who push to do questionable acts.

Re:That's funny... (0)

Anonymous Coward | more than 2 years ago | (#38173776)

I love it how apple did not give fuck about a reported vulnerability for 1200 days and let governments spy!!! WTF????

Liability (1)

Fished (574624) | more than 2 years ago | (#38165078)

There's really only one solution: hold software makers liable for security vulnerabilities. Until every exploit hits the vendor in the pocketbook, we'll never see real management attention paid to information security.

Re:Liability (4, Insightful)

betterunixthanunix (980855) | more than 2 years ago | (#38165114)

There's really only one solution: hold software makers liable for security vulnerabilities

...and thus kill the free software movement.

The real answer is that dissidents need to start being more paranoid and more technically literate. A system that is used for personal entertainment should be kept physically separated from a system that is used to communicate with fellow dissidents.

we're all screwed... (1)

j-beda (85386) | more than 2 years ago | (#38165156)

The real answer is that dissidents need to start being more paranoid and more technically literate. A system that is used for personal entertainment should be kept physically separated from a system that is used to communicate with fellow dissidents.

Face it - against a determined powerful watcher even that is not enough:

Agent X: Drat, our target "Dissident-Man" is using a "throw-away" cell phone - we don't know who they are - and they never use it for personal things, so even if we continue to track it, it won't do any good!

Agent Y: Hey, did you notice in our records that it is almost always used by the same cell tower as the phone of "Pat Civilian"? Often just before or just after? Maybe we should have a "talk" with this "Pat"?

cue scary music:
dun-dun-dunnnnnnnnn

Re:we're all screwed... (1)

betterunixthanunix (980855) | more than 2 years ago | (#38165430)

...perhaps dissidents should not be carrying around cell phones? I thought that much was obvious...

My point was really about governments that spy on dissident groups' communication, as in this case from Vietnam:

http://www.eweek.com/c/a/Security/Google-Malware-Attacks-Target-Vietnam-Dissidents-498247/ [eweek.com]

Re:Liability (1)

Fished (574624) | more than 2 years ago | (#38165782)

OP.

I too worried about the free software movement when I wrote that. I think maybe if you set some sort of damage cap at "how much profit provider earns from software, directly or indirectly." Granted, in cases like iTunes or Internet Explorer, which are given away as "premiums" (kind of like banks used to give away toasters) this could be hard to calculate, but surely large companies have some sort of accounting basis for justifying how much they spend on these packages?

The point is that, in my observation, until you give companies a fiduciary motive to do something, they will *never* do it. So, if we want more secure software, we're going to have to give them a fiduciary motive. Not that software will be perfect, even then -- car manufacturers have always been liable for negligence, and there are still safety problems with cars. But there aren't nearly so many.

Re:Liability (1)

Hentes (2461350) | more than 2 years ago | (#38166124)

...and thus kill the free software movement.

How would you sue software developed by hundreds of anonymous people?

Re:Liability (1)

NeutronCowboy (896098) | more than 2 years ago | (#38168930)

By unmasking the anonymous users and taking the shirt off their back.

Re:Liability (1)

betterunixthanunix (980855) | more than 2 years ago | (#38174472)

  1. Free software is not developed by anonymous people. In theory it could be, but in practice people use their real names and someone is responsible for the servers and infrastructure used to manage the project.
  2. Even if there were hundreds of anonymous people, there would be a few key contributors; tracking them down and suing them off the face of the Earth would be sufficient to kill a project.

Re:Liability (0)

Anonymous Coward | more than 2 years ago | (#38166568)

There's really only one solution: stop using iTunes

Re:Liability (1)

kennethmci (1472923) | more than 2 years ago | (#38165546)

this would make software extremely expensive to develop. Aren't there just too many permutations of events in software to KNOW that it's "100% done" and will NEVER have an error/bug? Not to mention the area of users themselves being the vulnerabilities...

Praise Apple (0)

Anonymous Coward | more than 2 years ago | (#38165096)

Wasn't Steve Jobs such a visionary?

Re:Praise Apple (0)

Anonymous Coward | more than 2 years ago | (#38165164)

Wasn't Steve Jobs such a visionary?

nope

Proof (4, Funny)

Yvan256 (722131) | more than 2 years ago | (#38165142)

Yet another proof that Flash is dangerous! /duck

What's that smell? (-1, Troll)

PopeRatzo (965947) | more than 2 years ago | (#38165150)

"Flaw" my ass.

Re:What's that smell? (1)

cerberusss (660701) | more than 2 years ago | (#38173752)

Why the fuck was Pope modded troll? It's a totally valid comment in this case.

OH NO!!!!! (1)

Murdoch5 (1563847) | more than 2 years ago | (#38165238)

Nice, I'm so glad I use Rhythmbox :-)

For once I'm glad ... (0)

Anonymous Coward | more than 2 years ago | (#38165264)

iTunes is not available on my platform.

Seriously? (3, Funny)

Anonymous Coward | more than 2 years ago | (#38165500)

Apple software that redirects you to a webpage where it requests to install Flash Player?

That's like Toyota's website sending you to a page about the Honda Civic.

The flaw may be with iTunes but the spying is done by trojan spyware that passes itself as Flash player. The title of this thing is obviously anti-Apple bashing at its finest.

Re:Seriously? (2)

GameboyRMH (1153867) | more than 2 years ago | (#38165620)

The flaw may be with iTunes but the spying is done by trojan spyware that passes itself as Flash player. The title of this thing is obviously anti-Apple bashing at its finest.

There you have it folks, if any malware exploits a vulnerability in Apple software it's not Apple's fault, it's the virus writer's fault. To say otherwise would be Apple-bashing.

Now excuse me while I make the infallible decision to leave every door on my house swinging open while I'm not at home. If any hobos or thieves enter it is not my fault, I made no mistakes.

Re:Seriously? (2)

Yvan256 (722131) | more than 2 years ago | (#38165730)

There's a vulnerability in iTunes but it's not that vulnerability that installs the malware. If I post the link to that particular website right here on Slashdot, by your logic that would mean Slashdot is now infested with spyware too.

Re:Seriously? (1)

GameboyRMH (1153867) | more than 2 years ago | (#38165848)

It relies on the user to install the malware, but the malware link wouldn't appear at all if iTunes used an HTTPS connection to check for updates

Re:Seriously? (3, Informative)

chrb (1083577) | more than 2 years ago | (#38166020)

There's a vulnerability in iTunes but it's not that vulnerability that installs the malware.

Yes it is. From TFA:

"Evilgrade leveraged a flaw in the updater mechanism for iTunes that could be exploited on Windows systems. Amato described the vulnerability: 'The iTunes program checks that the binary is signed by Apple but we can inject content into the description as it opens a browser, with a malicious binary so that the user thinks it's from Apple.'"

The only way you can argue that the updater isn't at fault is if you are going to blame the exploit that installs the malware? But by that definition, a manufacturer would never be assigned any blame for vulnerabilities, it would always be the person doing the exploiting. Does that make sense? Try this: "Microsoft bears no responsibility for any holes in Windows, even when it knows about them and doesn't fix them. The blame lies entirely with the exploit." Do you still agree with this logic when the manufacturer of the system is Microsoft, rather than Apple?

If I post the link to that particular website right here on Slashdot, by your logic that would mean Slashdot is now infested with spyware too.

Bad analogy. Slashdot isn't used as part of a Software Update system by software installed on the desktops of millions of people. Your iTunes updater isn't going to prompt you to install a new update - verified as being from Apple - because of a Slashdot post.
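What Amato's description (quoted above) and the story summary both amount to, as an added example that is neither Apple's updater code nor the Evilgrade module: the client verified a signature on the binary alone, so the unsigned description and URL wrapped around it could be swapped in transit. The script below builds a small constructed update manifest, signs it two ways with a stand-in HMAC key (an assumption so it runs offline; a real updater uses public-key signatures and fetches the manifest over HTTPS, which the fix to iTunes 10.5.1 is reported to rely on), injects a browser redirect into the description the way an on-path attacker would, and shows that the binary-only check accepts the tampered manifest while a signature over the whole manifest rejects it.

```python
"""Binary-only signature check versus a signature over the whole manifest.

Added example, not Apple's updater or the Evilgrade module. The HMAC key
stands in for a vendor signing key so the script runs offline; a real
updater uses public-key signatures and fetches the manifest over HTTPS.
"""
import hashlib
import hmac
import html
import json
from typing import Dict, Tuple

# Constructed key standing in for the vendor's private signing key.
VENDOR_KEY = b"vendor-signing-key-constructed-for-this-example"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes) -> str:
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()


def canonical(manifest: Dict[str, str]) -> bytes:
    """Deterministic encoding of every field except the manifest signature."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def vendor_publish(binary: bytes, description: str, url: str) -> Dict[str, str]:
    manifest = {
        "version": "10.5.1",
        "description": description,
        "url": url,
        "binary_sha256": sha256_hex(binary),
    }
    # Legacy signature: covers the binary hash only, nothing around it.
    manifest["binary_sig"] = sign(manifest["binary_sha256"].encode())
    # Hardened signature: covers version, description, URL and binary hash.
    manifest["manifest_sig"] = sign(canonical(manifest))
    return manifest


def mitm_inject(manifest: Dict[str, str]) -> Dict[str, str]:
    """What an on-path attacker can do to a manifest fetched over plain HTTP."""
    tampered = dict(manifest)
    tampered["description"] = (
        '<meta http-equiv="refresh" '
        'content="0;url=http://flash-update.example.test/">'
    )
    return tampered


def verify_legacy(manifest: Dict[str, str], binary: bytes) -> bool:
    """Vulnerable pattern: trust description/URL, verify only the binary."""
    expected = sign(manifest["binary_sha256"].encode())
    return (hmac.compare_digest(manifest["binary_sig"], expected)
            and sha256_hex(binary) == manifest["binary_sha256"])


def verify_hardened(manifest: Dict[str, str], binary: bytes) -> bool:
    """Reject any manifest whose signed fields have changed in transit."""
    if not hmac.compare_digest(manifest["manifest_sig"], sign(canonical(manifest))):
        return False
    return sha256_hex(binary) == manifest["binary_sha256"]


def safe_description(manifest: Dict[str, str]) -> str:
    """Render the description as text; never hand it to a browser engine."""
    return html.escape(manifest["description"])


def demo() -> Tuple[bool, bool, bool]:
    binary = b"constructed stand-in for the update installer"
    genuine = vendor_publish(binary, "iTunes 10.5.1", "https://updates.example.test/itunes.exe")
    tampered = mitm_inject(genuine)
    return (verify_legacy(tampered, binary),      # True: the injection goes unnoticed
            verify_hardened(tampered, binary),    # False: the description is signed
            verify_hardened(genuine, binary))     # True: untouched manifest still verifies


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real updaters. First, the signature has to bind everything the client acts on (the download URL and any text it displays), not just the payload; a correctly signed installer delivered beside an attacker-controlled description is exactly the Evilgrade case. Second, even a signed description should be treated as text, not handed to a browser: `safe_description` is the minimum, and fetching the manifest over TLS removes the on-path attacker in the first place.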

Re:Seriously? (1)

TheSpoom (715771) | more than 2 years ago | (#38172632)

The only way you can argue that the updater isn't at fault is if you are going to blame the exploit that installs the malware? But by that definition, a manufacturer would never be assigned any blame for vulnerabilities, it would always be the person doing the exploiting. Does that make sense? Try this: "Microsoft bears no responsibility for any holes in Windows, even when it knows about them and doesn't fix them. The blame lies entirely with the exploit." Do you still agree with this logic when the manufacturer of the system is Microsoft, rather than Apple?

Windows 7 Ultimate EULA [microsoft.com]

26. LIMITATION ON AND EXCLUSION OF DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to the amount you paid for the software. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
This limitation applies to
- anything related to the software, services, content (including code) on third party Internet sites, or third party programs; and
- claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if
- repair, replacement or a refund for the software does not fully compensate you for any losses; or
- Microsoft knew or should have known about the possibility of the damages.

Emphasis added.

Re:Seriously? (1)

Daerath (625570) | more than 2 years ago | (#38167132)

And I'm sure you're just as forgiving whenever Microsoft has a security bug that gets exploited via 3rd party software (e.g. quicktime, flash, acrobat reader, etc.). or when there is no bug and it's purely a 3rd party vuln that allows access.

Re:Seriously? (1)

E IS mC(Square) (721736) | more than 2 years ago | (#38173780)

how does it feel to constantly be Apple's bitch?

OpenOffice has the same vulnerability (5, Informative)

WD (96061) | more than 2 years ago | (#38165588)

And they haven't done anything about it for years, either.
http://blogs.oracle.com/malte/entry/evilgrade_and_openoffice_org [oracle.com]

Re:OpenOffice has the same vulnerability (1)

GameboyRMH (1153867) | more than 2 years ago | (#38165868)

I wonder if it's been fixed in LibreOffice?

Re:OpenOffice has the same vulnerability (1)

WD (96061) | more than 2 years ago | (#38165952)

I tested 3.4.4 and 3.3.4 (Latest on website now) and I couldn't even find auto-update functionality. Though I can see update functionality mentioned in the documentation:
http://help.libreoffice.org/Common/Online_Update [libreoffice.org]

So either they've pulled the functionality, or I'm looking in the wrong place.

Re:OpenOffice has the same vulnerability (1)

chrb (1083577) | more than 2 years ago | (#38166100)

Some Linux distributions nobble in-app auto-updaters, because the application is installed via their standard apt/yum package repositories. There is no need to treat one application as a special case, that requires a special updater, when you have proper package management.

Re:OpenOffice has the same vulnerability (1)

AmiMoJo (196126) | more than 2 years ago | (#38170748)

It really is coming to something when Microsoft have been doing it right for over a decade but others who should know better still screw it up. Since the Windows 98 days Windows Update has used an IP address rather than a DNS lookup and it also bypasses the hosts redirect file and any other stuff that attaches to the TCP/IP stack, and then the web site and the updates themselves are cryptographically verified. Since 1998.

1,200 days? (4, Funny)

alexo (9335) | more than 2 years ago | (#38165824)

Apple 'waited more than 1,200 days to fix the flaw

It's even worse than that
They waited more than a HUNDRED MILLION seconds.

I guess "more than three years" does not cut it anymore.

Re:1,200 days? (2)

Pope (17780) | more than 2 years ago | (#38166366)

Article was obviously written by a new parent.

Re:1,200 days? (0)

Anonymous Coward | more than 2 years ago | (#38166652)

You're not as pedantic as you think you are. 0-day refers to the amount of time an exploit has been in the wild, so it makes sense to note how long it's actually been in the wild without a patch in 'days'.

Re:1,200 days? (1)

AmiMoJo (196126) | more than 2 years ago | (#38170788)

It is a simple question of scale. I could tell you my car's speed in decimetres per fortnight but for ease of comparison km/h or mph might be easier. They don't call these things zero-day exploits for nothing; typically the value of the exploit rapidly decreases as news of it spreads and people take defensive action.

Unfortunately Apple failed to act, and it isn't an isolated incident. Nothing particular against Apple, any other company that produced a popular and in fact necessary bit of software that many people have to use would be rightly condemned in the same way.

Oh well ... (1)

psergiu (67614) | more than 2 years ago | (#38166128)

OS X, Linux & *BSD are not affected.
Whoever uses Windows of their own free will is asking for it.

Black hats (3, Insightful)

bill_mcgonigle (4333) | more than 2 years ago | (#38166418)

Gamma International sells computer hacking services to governments, offering 'zero day' security flaws

These are the real blackhats - most 'hackers' don't sell their services to get people killed. Legalized blackhats, perhaps, but blackhats nonetheless.

Re:Black hats (1)

StickANeedleInMyEye (1253490) | more than 2 years ago | (#38169436)

Most? doubt that seriously, look at the US and a company name is 'Blackwater'.

foreign intelligence? Ha! (1)

Paracelcus (151056) | more than 2 years ago | (#38167214)

"installs a sophisticated piece of spyware that sends info on a user's activities directly to foreign intelligence services"

Nothing "foreign" about it!

Heh (0)

Anonymous Coward | more than 2 years ago | (#38177086)

TO: All
RE: As if...

...intelligent people couldn't figure that out for themselves.

Over the years, I've noticed unusual behavior on my Mac computers. I'd call Apple about it and they told me it wasn't anything to be concerned about. Things like 43 users logged onto my limited access network...when there are only six machines with that sort of authority.

[NOTE: I ran that White Pages Computer Lab—cranking out all the white and government pages for the western third of the US, less California and Nevada—for USWest/Qwest for a number of years. 12 Macs running 24/7/365 and a tether at my hip to alert me when things didn't work right. And, with a 27 year background of experience in military intel, I learned how to recognize when things went 'interesting'.]

Apple IS 'Big Brother'. Or at least a 'player' in the field. I suspect Microsoft is even more so.

You want 'secure' communication? Use SNAIL MAIL. And don't trust the USPS either.

Regards,

Chuck(le)
[If you're not paranoid, you're not paying attention.]

How do you tell the difference? (1)

Infernal Device (865066) | more than 2 years ago | (#38183192)

Seriously, if I'm a software company, how do I tell the difference between
1) a prominent security researcher
2) a garden-variety hacker

Consider that the incoming notification will probably go to one of several public addresses, but probably to support, feedback, publicity or bugs. Now, do each of those people need to be trained to recognize certain names (which leads us back to original question). Or do they need to be trained to recognize a crank letter from a real letter (no objective means of doing so). Or possibly distinguish technical facts from technical blathering (not at all realistic)?

It's just not realistic that a software company can be on top of every possible vulnerability at all times, and yet this is what it seems all of you expect. There are just too many clever people with time on their hands and a single-focus mentality to be able to combat all of things they might come up with.
