I think the trouble is people like a puzzle. Just look what happened with domain cache poisoning. Word gets out about an attack, people start discussing it, people stumble upon the method, and suddenly it’s in the wild — and that was even after it was disclosed to vendors.

If Miller wants to set up a paypal donate button to make some cash, I’ll gladly click on it. In the meantime, I’d like my iPhone to be as safe as programatically possible, so here’s hoping he discloses vulnerabilities to the manufacturers as he finds them, the he can get his fame at white hat conferences presenting on his findings… after they’ve been patched :-/

Kind of. He discovered two exploitable bugs leading up to the first Pwn2Own contest, but, since the rules said you can only win once, he used the first right away and held back the second bug. The next year, Apple still had not fixed that vulnerability — and nobody else knew about it, since he remained quiet — so he used it to win the contest again.

As for whether or not he should have told Apple…well, it is a grey area. Certainly, it would be verging on (or perhaps actually is) criminal to release details of a bug or how to exploit it before notifying the vendor, but Miller has never done that. He has just said that there is a vulnerability that could potentially be exploited, and never provided the barest hint of a clue on how it could be done.

At this point, the ball is really in Apple’s court to do something about this vulnerability — track it down themselves, give Miller a call, or ignore him as a crackpot. Given Miller’s history, he seems unlikely to be a crackpot, and if Apple wanted to fix it immediately, they would hire him.

But also, given Miller’s history of never using an exploit maliciously, Apple seems to be taking the tact nobody else will figure out how to exploit it, and, if they wait a year, they can get the Pwn2Own contest to pay for the legwork and get the details for free in a few months. I happen to agree with Apple the risk of a wild exploit before the next Pwn2Own is very low, but I find their attitude towards security far more disturbing than anything Charlie Miller should or should not be doing.

Get over myself? For what, being more educated than you?

“Everyone knows companies often employ hackers and as the article also points out hackers often find holes and point them out to companies”

Those are ethical hackers… dont comment if you dont know shit about the subject kid. Thanks!

Ooooh please, stereotyped? Get over yourself. Everyone knows companies often employ hackers and as the article also points out hackers often find holes and point them out to companies….it was just a funny statement….calm down.

@Kevin

Your last sentence was mad funny dude.