It’s time for another edition of “Actually, no!”—the game show the Macalope just made up where he points out “facts” that show technology journalists how they’ve gotten something “wrong.”
This edition’s contestant is Network World’s John Cox:
Apple has banned well-known security researcher Charlie Miller from its developer program, for creating an apparently benign iOS app that was actually designed to exploit a security flaw he had uncovered in the firmware.
Actually, no! Apple banned Miller—for a year—for violating the terms of service of his Apple developer agreement. Which he did. This simple fact can’t really be disputed, so what people are complaining about has nothing to do with the world as it exists; it has to do with their notions of how they think it should be.
Cox gets closer to the truth in paragraph three:
Based on Greenberg’s follow-up story, Apple was clearly within its rights to do so.
Right.
Over at ZDNet, Ryan Naraine—approvingly linked to by Ed Bott, who chortles about how Apple isn’t any “kinder, gentler, more open” post-Jobs—simply skirts the reason why Miller was booted from the developer program.
Charlie Miller gets a kick of out defeating Apple’s security mechanisms, using his hacking skills to break into Macbooks and iPhones. Now, Apple has kicked the security researcher out of its iOS developer program after word got out that he built a proof-of-concept iPhone app to showcase a bypass of the code signing mechanism.
It was just for kicks! And then The Man came down on him!
A loose reading of Naraine’s piece might lead one to believe that Miller got kicked out because he found a vulnerability. Indeed, several of the commenters bemoan Apple “denying” the vulnerability exists when Miller himself says the company acknowledged it.
Naraine’s fellow ZDNet-Christmas-party attendee Adrian Kingsley-Hughes gets it right.
Now, is Apple doing the right thing by banning Miller’s developer account and removing the app? Yes, it is. The app, while not containing any malicious code, still deliberately leverages a serious security loophole and can download malicious payloads to the handset, which means that it is still malware. This sort of behavior violates Apple’s developer terms and conditions and as such is more than enough reason for Apple to give Miller the shove.
See how easy that is? Or, you know, you can try to stir up anger at draconian Apple and how it can’t take the heat of its own product fail or something.
On his Twitter account, Miller seems to have have a bad case of having his cake and wanting to eat it too:
First they give researcher’s access to developer programs, (although I paid for mine) then they kick them out.. for doing research. Me angry
The Macalope’s not completely familiar with Apple’s outreach program for troubled youths (read: “white hat” hackers), but he’s pretty sure it’s not a free license to go collect the private information of the company’s unwitting customers. Miller’s point is that you can’t test the whole of the system unless you can test the gatekeeping, which is sound: If Apple’s goal in inviting security researchers to kick the tires is to strengthen iOS security, they can’t just kick the back tires. And Miller’s been helpful in discovering Apple vulnerabilities in the past.
At the same time, he signed a developer license agreement and then violated it. If you need any further proof that it’s perfectly reasonable for Apple to boot him from the developer program, all you need to know is that Rob Enderle doesn’t think it’s a smart move.
QED. Case closed.
Watts Martin has an apropos analogy:
If you think you’ve found a flaw in an airport’s security checkpoint and demonstrate that by getting a harmless smoke bomb through and setting it off in the gift shop, you’ve definitely made your point, but spare us the expression of shocked surprise when the airport cops rush over to beat you with sticks instead of shaking your hand and showering you with flowers and chocolate.
It seems to be the attitude of the members of the computer security bidnez (Motto: “Hey, this is a nice operating system ya got here! It’d be a shame if something were to happen to it.” [smash]) and their blogger pals that they’re exempt from contractual obligations because they’re doing the Lord’s work or something.
The Macalope has nothing against Miller finding exploits and publicizing them. He’s not even opposed to what he did in getting the app approved. There are other ways to conduct the exploit testing, sure, but the only way to test the approval process is to submit something for approval.
Still, Miller knew what the rules were here—particularly since he paid for his own developer license. It’s in Apple’s best interest to figure out how to get researchers the access they need so they can conduct real-world testing, but let’s not shed any tears over the horrible treatment of Charlie Miller.
[Editors’ Note: In addition to being a mythical beast, the Macalope is not an employee of Macworld. As a result, the Macalope is always free to criticize any media organization. Even ours.]