Commit b8d8fc5

Add Rapid7/Ford YouTube Letter to @nahamsec. Closes #53
1 parent 4aa2366 commit b8d8fc5

1 file changed

+3
-0
lines changed

README.md

Lines changed: 3 additions & 0 deletions
@@ -83,6 +83,9 @@ Historical archives were taken with explicit permission to continue wonderful wo
8383

8484
| **When** | **Entity** | **Researcher(s)** | **Topic** | **Status** |
8585
|---|---|---|---|---|
86+
87+
Ben Sadeghipour
88+
| 2022-07-23 | [Ford](https://www.ford.com/) @ford, [Rapid7](https://www.rapid7.com/) @rapid7 | [Ben Sadeghipour](https://x.com/nahamsec/) | Rapid7 asks NahamSec to take down a video about Ford. | On August 23, 2023, Ben Sadeghipour (nahamsec) [tweeted](https://x.com/nahamsec/status/1694388639994675568) that he had received an email from Rapid7 about one of his YouTube videos. Rapid7 claimed that nahamsec was "operating illegally" and is "active in aiding criminals in their fradulent activities". @Rapid7 was acting on behalf of @Ford, as part of Rapid7's effort to allegedly, "neutralize active cyber threats that endanger their brand, customers and employees." In a twitter reply, nahamsec stated that he replied to the email, "I told them I have done nothing wrong and that if they want it gone they'll have to wait a bit." |
8689
| 2023-04-12 | [FreeHour](https://www.freehour.eu/) | Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins | Students arrested, stripped naked, violated by Police. | On October 18, four computer-science students emailed [FreeHour](https://www.freehour.eu/) about software vulnerabilities in their student timetabling app, with a hefty 90 day disclosure window. Alongside their responsible disclosure to [FreeHour](https://www.freehour.eu/), the students asked if their good-faith advisory would be eligible for a possible bounty, once the bug had been patched. One or more imbeciles at [FreeHour](https://www.freehour.eu/) lied to the Police about the nature of the student activity. [Scerri, Grigolo and Debono received serach warrants, all their homes were raided by the Police](https://timesofmalta.com/articles/view/we-wanted-help-students-arrested-exposing-freehour-security-flaw.1024757), and instead of receiving a bug bounty reward, they were heinously strip searched, had their computers violated as a result of the inadequeate response by FreeHour. Originally, the authorities told them that their items would be returned within several weeks but they are currently still having their right violated. Collins was in England studying for his PhD, yet was questioned when he returned to the country for Christmas. [FreeHour](https://www.freehour.eu/) founder and CEO [Zach Ciappara](https://www.linkedin.com/in/zach-ciappara/) said that, once he received the e-mail from the four students in October, he contacted the office of the Information and Data Protection Commissioner (IDPC) and the Cyber Crime Unit for advice. After the situation began to escalate for FreeHour, the CEO subsequently [published a statement on Instagram](https://www.instagram.com/p/Cq712wtITdm/). According to another statement, "Due to the mention of payment, changes to the app’s front end & a 90 day ultimatum, FreeHour was legally advised to report this to the Police as a potential threat. 
[The company is starting to do cyber now](https://www.freehour.eu/post/what-freehour-is-doing-after-learning-what-happened-to-the-4-students), and is apparently committed to doing so on an ongoing basis. "We are also willing to work with the four students to assist in improved security, and to implement new measures. Moreover, we are undergoing internal training in INFOSEC, GDPR and data integrity," CEO Zach Ciappara added. It is unclear whether the students would be willing to work with the company again, given they were stip searched, raided, violated, and arrested. |
8790
| 2022-02-12 | [Cole County Prosecuting Attorney @ The State of Missouri](https://colecounty.org/430/Attorneys) | [Josh Renaud](https://twitter.com/Kirkman) - [View Statement](https://joshrenaud.com/pd/josh-renaud-personal-statement.pdf) | Prosecutor Drops Charges After Four "Anxious" Months | On February 11th, the public received a statement from [Josh Renaud](https://twitter.com/Kirkman), who was previously unnamed in the incident below, dated 2021-10-15 involving [The State of Missouri](https://www.mo.gov/) & [St. Louis Post-Dispatch](https://www.stltoday.com/). In [Renaud's statement](goodies/josh-renaud-personal-statement.pdf), Renaud was accused on television as a malicious "hacker". [In his statement](goodies/josh-renaud-personal-statement.pdf), Renaud details the significant harm caused by this investigation, which is, "entirely legal and consistent with established journalistic principles." It is also the only way to report bugs: to the vendor, of course. Renaud's statement details that this, "has been one of the most difficult seasons of [his] nearly 20-year career in journalism. But [he had] found strength in the prayers and support of my family and friends and so many others across the country." This entry has been entered as a separate update as Renaud was previously unnamed. The statement speaks for itself and should be a wake up call to those who persecute others for political gain, as stated by the state Senate, "more care was given to political gain than the harm caused to a man and his family.” Renaud's experience, "hasn’t been easy." Renaud was, "politically persecuted," and was even used & abused in "attack ads" aired by his political action committee. [The full statement is well & truly worth reading. Possibly one of the most important statements a researcher has made in recent times.](goodies/josh-renaud-personal-statement.pdf) |
8891
| 2021-10-21 | [Apple](https://apple.com/), [@apple](https://github.com/apple) | [Denis Tokarev](https://twitter.com/illusionofcha0s), [@illusionofchaos](https://github.com/illusionofchaos) | DMCA Takedowns of Mirror | iOS App Developer & Security Researcher [Denis Tokarev (illusionofchaos)](https://github.com/illusionofchaos) has developed an interesting relationship with Apple since early 2021. The researcher participated in Apple's Bug Bounty program in hope's of receiving a payout for his research having submitted the details between March 10 and May 4 of 2021. Four months later, Tokarev published his (Disclosure of four 0-day iOS vulnerabilities and his opinion of the [Apple Security Bounty Program](https://habr.com/en/post/579714/). To this day, Tokarev is still not listed on the [Apple Security Advisory for iOS 14.7 and iPadOS 14.7 security advisory.](https://support.apple.com/en-us/HT212601). In his words, "_When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time._" Frustrated with the lackluster **communication** between Apple's illusive security team, Tokarev eventually published his Proofs of Concept on GitHub: ["iOS gamed exploit (fixed in 15.0.2)"](https://github.com/illusionofchaos/ios-gamed-0day), a redacted ["Analyticsd pre-14.7 exploit"](https://github.com/illusionofchaos/ios-analyticsd-pre14.7-exploit), ["nehelper enumerate installed apps 0-day (iOS 15.0)"](https://github.com/illusionofchaos/ios-nehelper-enum-apps-0day), and ["Nehelper Wifi Info 0-day (iOS 15.0)"](https://github.com/illusionofchaos/ios-nehelper-wifi-info-0day). A Jailbreak community member, [@rllbe](https://github.com/rllbe), released a [patch exclusively for Jailbroken devices named entitlementfix](https://www.reddit.com/r/jailbreak/comments/pvaztb/free_release_entitlementfix_workaround_for_the_3/). 
This is great for Jailbroken phones but does not help the millions of regular iPhones which are still vulnerable to attacks, namely information disclosure. Valued at $100,000 or more on the Example/Dummy Bounty payout page, or perhaps an exponentially higher value on the grey market, Tokarev has yet to receive a bounty, nor recognition, other than an email from Apple stating that they made an error in crediting his research. Apple silently patched one of the exploits in July with the release of iOS 14.7. To add to the already difficult relationship, Tokarev discovered and mirrored a helpful website with API documentation named "Atlas" for research purposes. ["Atlas is developed and maintained by the Hardware Test Engineering (HWTE) Software Platform group."](https://web.archive.org/web/20211019101209/http://101.132.96.154/) The repository [is currently serving the DMCA takedown notice Apple sent him](https://github.com/illusionofchaos/apple-atlas-docs). What makes this takedown unique is that the fact that the original server is still live; Tokarev mirrored a documentation resource, which is very common procedure on GitHub. Along with the GitHub DMCA notice, Tokarev [had multiple tweets also taken down](https://twitter.com/illusionofcha0s/status/1450588596407259139). The DMCA content removal [takedown notices on GitHub are publicly etched into GitHub's DMCA repository](https://github.com/github/dmca/blob/master/2021/10/2021-10-18-apple.md); the [Lumen database copy can be viewed here](https://lumendatabase.org/notices/25498447). The researcher was also [locked out of his Twitter account at one point](https://twitter.com/illusionofcha0s/status/1450902601864732679/photo/1). As per DMCA submission rules on Twitter, the firm representing Apple, swears, "_under penalty of perjury,_" that the the documentation is Apple's copyright. 
What makes this case seem targeted is that **only** Tokarev's content has been DMCA'ed by Apple- absolutely no other reply, public tweet, or image containing the IP address has apparently been removed from Twitter. [An archive of the alleged offending content page, while still live, is archived.](https://web.archive.org/web/20211019101209/http://101.132.96.154/). On October 25, 2021, [@apple](https://github.com/apple) eventually added the contribution, in Analytics affecting iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). It was issued CVE-2021-30871 and the impact statement was, "A local attacker may be able to access analytics data." NIST analysts scored the bug [5.5 CVSS MEDIUM](https://nvd.nist.gov/vuln/detail/CVE-2021-30871).|
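Review bot: The added row's "When" value (2022-07-23) contradicts its own description, which dates nahamsec's tweet to August 23, 2023, and the row is inserted above the 2023-04-12 FreeHour entry even though the surrounding rows run in descending date order; please confirm the date (the description suggests 2023-08-23) and place the row where that date sorts. Two smaller points in the same row: the quoted Rapid7 wording reads "fradulent", so either check it against the original email or mark it "[sic]" if verbatim, and the researcher link uses x.com while the neighbouring rows link twitter.com, so pick one convention for the table.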
