From: [email protected]
To: [email protected]
Date: 14 July 2017

Subject: [Important] Vulnerability discovered in Orion Browser iPhone App - All Versions

Dear InterN0T,

What archives? This is a paid product. There are no archives that are legally
attainable. I need to see the payment or honestly, it really is a breach of
Apple's Agreement, not just mine.

To be fair, InterN0T, this is a reasonable request. iOS does have an emulator
in Xcode. Separate to that though, I am concerned that you are publishing
something that was unlawfully attained.

Also, what is the purpose of publishing something that was well and truly
consciously off the App Store before you did this? I appreciate you spend
a lot of time on this, you could get paid doing better things - but it is
pointless. There are no users. You cannot test an illegal App.

I'm sorry, but if you go ahead and publish this, then I will personally sue you.
I am 100% without a doubt making a guarantee that you have no right to
attain my app illegally.

You can make comments, say whatever, that is a different issue, but if you
have breached the Apple EULA and my EULA combined, and illegally attained
a copy of the IPA file, then this is not admissible. It is also not ethical
or real to submit something that does not exist.

I have no issue about publishing a bug in a live App. But you consistently
keep picking the wrong time and you would be useful at the right time, under
legitimate ethical paid circumstances. I am just about to release a VPN App
that you can go tear to shreds because both of us will. The purpose of this
is to have consent, and authorisation.

I am not at all trying to threaten you. You may think what you are doing is
legal. I am telling you that I will sue you and I will immediately contact
my lawyers on Monday. I will also report this matter to the police. Software
piracy is heavily illegal now in Australia and I am a programmer who (like
you) makes money from this industry. I do not appreciate piracy.

I have no problems with you going ahead with the report if you just please give me:

a) Proof of purchase and refund; and
b) Something I can verify with Apple that at least uniquely identifies that
it is a real transaction.

I do not believe it is ethical, and I have spoken with ISC and members of
ISACA and they also agree that you must gain permission to access an App.
I would not care about this one if it was live and making money, but again,
as documented (and you can clearly check LinkedIn history), the date of
closure of that business trading was clearly November 2016, and the App was
slowly phased out not long after it was released as they started adding free
versions. It sold like 60 units or something. It used to be $0.99, then $1.99,
and then I raised the price, and nobody bought it.

I openly make the request to verify your proof of purchase. That is what
I am asking. I am not asking for anything more. This is written in confidence.
If you post my communication, I'm not joking, I will expose your identity
to the world and sue you.

The first issue here is:

1. Breach of Contract of both Apple (liability of Apple) and 1IQ (in EULA).
That is separate. I have found pirated copies of my software. Any ethical
hacker would have nothing to hide by showing me the legitimate purchase.
It has not been free for a very long time.

2. Responsible disclosure is a computer security term describing a vulnerability
disclosure model. It is like full disclosure, with the addition that all
stakeholders agree to allow a period of time for the vulnerability to be patched
before publishing the details. Developers of hardware and software often require
time and resources to repair their mistakes. Hackers and computer security
scientists have the opinion that it is their social responsibility to make the
public aware of vulnerabilities with a high impact. Hiding these problems could
cause a feeling of false security. To avoid this, the involved parties join
forces and agree on a period of time for repairing the vulnerability and
preventing any future damage. Depending on the potential impact of the
vulnerability, the expected time needed for an emergency fix or workaround to be
developed and applied and other factors, this period may vary between a few days
and several months. It is easier to patch software by using the Internet as a
distribution channel.

3. You fail to see that there is no future damage, so I advise you this time to
get strong legal advice as I am making no threats. I will engage the best criminal
and civil lawyers to sue you for maliciously causing harm when there is no future
damage potential.

4. Again, if there was a potential impact, and I hadn't decided to phase it out well
over a year ago, I would say - thank you, Intern0t, and probably employ you. But again,
this is not the case.

5. Take me seriously. I have been tolerant to a point with everything else. Get legal advice.

Ask others in the field. All I want is proof of purchase and the binary file you
tested on. I then won't enforce the 'unauthorised' component. A court will see
this as unnecessary and intentional.

This is private and confidential communication between two professionals who are
attempting to discuss a question of fact. It is not to be shared with the world.
If it is, then I am going all the way from start to finish. I already know who
you are. Why waste a talent on something pointless when the VPN is weeks away
and it is paid work, but that's separate.

I do not believe it to be ethical nor do ethical hackers.

ISC2
Code of Ethics Canons:

Protect society, the commonwealth, and the infrastructure.
• Promote and preserve public trust and confidence in information and systems.
• Promote the understanding and acceptance of prudent information security measures.
• Preserve and strengthen the integrity of the public infrastructure.
• Discourage unsafe practice.

Act honorably, honestly, justly, responsibly, and legally.
• Tell the truth; make all stakeholders aware of your actions on a timely basis.
• Observe all contracts and agreements, express or implied.
• Treat all members fairly. In resolving conflicts, consider public safety and duties
to principals, individuals, and the profession in that order.
• Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort.
Take care to be truthful, objective, cautious, and within your competence.
• When resolving differing laws in different jurisdictions, give preference to the
laws of the jurisdiction in which you render your service.

Provide diligent and competent service to principals.
• Preserve the value of their systems, applications, and information.

Objectives for Guidance
The committee is mindful of its responsibility to give guidance for resolving
good versus good, and bad versus bad, dilemmas.

To encourage right behavior such as:
• Research
• Teaching
• Identifying, mentoring, and sponsoring candidates for the profession
• Valuing the certificate

To discourage such behavior as:
• Raising unnecessary alarm, fear, uncertainty, or doubt
• Giving unwarranted comfort or reassurance
• Consenting to bad practice
• Attaching weak systems to the public network
• Professional association with non-professionals
• Professional recognition of or association with amateurs
• Associating or appearing to associate with criminals or criminal behavior

These will be tendered and expert witnesses will be called for both reasons. The other
Apps were free. You are now entering into the world of piracy. This is not legal. I must
have access to the receipt or I will submit this to eCrime and my lawyers. I think you
are in enough trouble for stalking, organising and acting in concert to DDoS my server
(unsuccessfully), and sending death threats, where all IPs are with the AFP. I assure you
that piracy, stalking and defamation will not make you end up in a happy place. If you
think I'm joking, go and publish and I'll see YOU on the other side.

It is illegal what you are doing - I have only asked for 2 things.

a) Proof of purchase and refund; and
b) Something I can verify with Apple that at least uniquely identifies that it is a real transaction.

Then publish it in breach of the ethics. There is no such thing as an "IPA Archive" for
paid commercial Apps unless you are dealing with pirated Apps. The EULA and Apple's
default EULA is strict and specific on that. I'll be contacting Apple's lawyers too.

It's up to you. You make your future. Don't break the law. Don't be unethical. Then publish.
Simon