Hacker News new | ask | show | jobs
by zeveb 3125 days ago
> I still can't believe more people complain about this being publicly disclosed than this being possible in the first place.

I think the problem is due to the fact that they are fans. In this case, it's Apple, but there's no reason it couldn't be Linux or Go or whatever. Regardless, any bad news about their hero is irresponsible to disseminate. We see this same phenomenon in politics, in sports and elsewhere — I daresay it's regrettable human nature.
2 comments
eric_h 3124 days ago
I've not commented either way on the subject in this thread, but personally I would much rather have read this as a writeup 2 or 3 months from now after the discoverer had responsibly disclosed the vulnerability and Apple had a chance to patch it.

On the other hand, I'm glad that I have this information so I know not to install High Sierra on my work iMac (sitting on a desk in a WeWork behind a door whose lock would be very easy to force open) until this is fixed.

[Edit: I now see that there's a simple workaround (change the root password and keep root enabled), so I'm all for "irresponsible disclosure" in this case]

link
eric_h 3121 days ago
As an addendum apple released a fix for this less than 48 hours after it was reported (I think I've got the timeframe right), so there's something to be said for irresponsibly disclosing to light a fire under the ass of whomever is responsible for fixing a vulnerability.
link
saagarjha 3124 days ago
> I think the problem is due to the fact that they are fans.

I think this is an unfair characterization. Sure, it's hard to hear that their "hero is irresponsible", but the real reason is that this kind of behavior puts everyone at risk while Apple tries to fix it.

link
5ilv3r 3124 days ago
That may be true for cisco and juniper where upgrades must be carefully rolled out across globally distributed critical infrastructure, but this is APPLE. They need no such help. They can push to everyone, now, and it will be fine. Forcing their hand is safer than trying to hide a flaw a 3 year old could find on accident.
link
saagarjha 3124 days ago
> They can push to everyone, now, and it will be fine.

I'm pretty sure any fix has to go through Build and Integration before being rolled out. Then you need to have people actually install the update…

link
5ilv3r 3124 days ago
Oh my goodness I totally forgot they had to build it first! /s
link
recursive 3124 days ago
They were already at risk. Now they can mitigate.
link
saagarjha 3124 days ago
*Significantly more risk
link