
I still can't believe more people complain about this being publicly disclosed than this being possible in the first place. No one is obligated to know the procedures on InfoSec 0-days and follow those steps.


Most likely another form of bikeshedding; people don't have real input on the main matter, so they comment on circumstantial matters just so they can throw in their 2c.


Or they have real circumstantial comments to make. It doesn't have to be that they just want to talk.


I wouldn't bash the guy. Someone already let him know about his technical faux pas in a professional manner on his twitter.

My guess is he found this vulnerability by accident, freaked out, and tweeted about it. Probably has limited infosec experience.


Or he cares more about doing the right thing than about following best practices designed to protect the guilty under the guise of helping users.


I don't know why you say "designed to protect the guilty under the guise of protecting the innocent". It clearly does both. It does protect the innocent. That is a fact! It also does protect the guilty! Both are true. It makes it harder to have a strong view when you must acknowledge both facts, I suppose.


I don't know, he's tweeted more about the topic: https://twitter.com/lemiorhan/status/935619881143324673

So he's either not reading his replies or he's being deliberately irresponsible. My guess, based on his profile and online behavior, is that he's trying to ride the coattails of getting some exposure online.


Definitely. How many people outside the infosec industry know that responsible disclosure channels exist?


> I still can't believe more people complain about this being publicly disclosed than this being possible in the first place.

I think the problem is due to the fact that they are fans. In this case, it's Apple, but there's no reason it couldn't be Linux or Go or whatever. Regardless, any bad news about their hero is irresponsible to disseminate. We see this same phenomenon in politics, in sports and elsewhere — I daresay it's regrettable human nature.


I've not commented either way on the subject in this thread, but personally I would much rather have read this as a writeup 2 or 3 months from now after the discoverer had responsibly disclosed the vulnerability and Apple had a chance to patch it.

On the other hand, I'm glad that I have this information so I know not to install High Sierra on my work iMac (sitting on a desk in a WeWork behind a door whose lock would be very easy to force open) until this is fixed.

[Edit: I now see that there's a simple workaround (change the root password and keep root enabled), so I'm all for "irresponsible disclosure" in this case]


As an addendum, Apple released a fix for this less than 48 hours after it was reported (I think I've got the timeframe right), so there's something to be said for irresponsibly disclosing to light a fire under the ass of whomever is responsible for fixing a vulnerability.


> I think the problem is due to the fact that they are fans.

I think this is an unfair characterization. Sure, it's hard to hear that their "hero is irresponsible", but the real reason is that this kind of behavior puts everyone at risk while Apple tries to fix it.


That may be true for Cisco and Juniper, where upgrades must be carefully rolled out across globally distributed critical infrastructure, but this is APPLE. They need no such help. They can push to everyone, now, and it will be fine. Forcing their hand is safer than trying to hide a flaw a 3-year-old could find by accident.


> They can push to everyone, now, and it will be fine.

I'm pretty sure any fix has to go through Build and Integration before being rolled out. Then you need to have people actually install the update…


Oh my goodness I totally forgot they had to build it first! /s


They were already at risk. Now they can mitigate.


*Significantly more risk


Except when people politely explain to the original poster not to do what he did. His tweet and a follow-up tweet still exist on the topic. He could easily delete them.

If you read through the comments, you'll see people are arguing that Apple is to blame here. It doesn't require much discourse to recognize that's the case and hence why you don't see more people complaining about this being possible in the first place.



