iOS 11 GM leaked by an Apple employee

Both Gruber and the BBC confirmed the iOS 11 GM came from an Apple employee. I don’t know how a person can accept a paycheck from a company and then turn around and screw them like this. They betrayed Apple and every single other person in the company.



  • Mo

    I hope this twerp is caught and identified soon. I know I wouldn’t want to hire him.

  • Merckel

    A simple firing of this asshat will be a good start.

  • I wonder if it is the same employee who “accidentally” posted the HomePod firmware for download. (Yes, that could have been an accident, but in light of this, who knows?)

    Whoever it is definitely needs to be fired. Legal recourse might be on the table as well.

    I hope they got paid well by 9to5Mac and MacRumors, because they might be out of work for a very long time. And if they have a family, well, it may be time for ramen noodles every day.

  • So the code that can reveal all secrets is accessible by a URL only? No login is needed? This sounds like extremely poor network and system security. This is the kind of content that must be accessible by specific IPs only!

    It seems too basic in my mind, it makes me wonder.

    • Td mac

      I agree. Why would Apple even have this out there and accessible, even if it is an obscure URL. To me I think Apple did this on purpose. Why? Few reasons. There are too many new products to discuss and introduce. This event is typically focused on new iPhones. What was gleaned from the “GM”, assuming it really is the true “GM” to be released, is confirmation for the most part of the rumors. I haven’t really heard much about anything shockingly new or software related that we didn’t have an inkling of already. More technical stuff (i.e. processor cores, hardware names, etc). Now more time can be devoted to digging in deeper as to why and how the changes work as well as other features. Maybe something more devoted to the synergy between these products (i.e. iPhone to Homepod to ATV, to Airpods, etc). Lastly, the event is to be held on Apple’s new campus and time will be devoted to this in the Keynote I’d bet. They were still installing seats and stuff last week. When was all the equipment installed and tested? This “release” then reduces the pressure on a flawless Keynote. Lastly, look at where the leak was done. Seems a little too targeted for maximum exposure.

      • Nope. Controlled leaks are given to select press members, not MacRumors. And they’re more general, they don’t reveal ALL the details like this. Apple loves to surprise and delight people….not let the gas out on every single item to be announced in great details. Nope, nope.

    • john doofus

      What’s the difference between trying to guess a (long) random URL and trying to guess a username/password?

      • A url is anonymous. If 100 people know it you can’t tell who gave it away.

        A username and password are millions of times more private and a person that leaks them is accountable. It is way more secure.

        All code repositories use them.

        And a vpn that gives access to specific IPs or even Mac addresses is something common for most businesses that take security seriously.

        Apple’s security (and apparent lack of) failed miserably. Given their size and importance to millions of people it seems very strange to me.

        • john doofus

          How are code repositories and VPN relevant here? This is the iOS GM release, which presumably will be made available to millions of people on Tuesday.

          A username/password isn’t inherently more “private” than a URL. Somebody leaking an essentially unguessable URL is no different than someone leaking a set of credentials.

          • Matthew Frederick

            Seems like you’re missing the point. Not more private, but traceable.

          • Janak Parekh

            Even that’s not necessarily true. You can have many URLs that point to the same resource, and which are distinguishable/traceable.

            I’m betting usernames/passwords weren’t used because iOS devices probably don’t have a facility for logging into an authenticated HTTP server when doing firmware updates. Instead, they rely on certificate signing for authenticity. (It wouldn’t surprise me if that changes after this release, though.)
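
The point made in this part of the thread, that many distinguishable URLs can lead to one resource, sketched as an added example (not part of the original discussion and not Apple's mechanism). The host, resource path, key and recipient names are constructed placeholders; each recipient gets a URL carrying an HMAC token, and a URL found in the wild is traced back by recomputing the token for each known recipient.

```python
import hashlib
import hmac
from urllib.parse import urlparse

SECRET = b"constructed-demo-key"          # assumption: key held only by the server
BASE = "https://updates.example.invalid"  # hypothetical host, not a real endpoint
RECIPIENTS = ["alice", "bob", "carol"]    # constructed distribution list


def _token(resource: str, recipient: str) -> str:
    # NUL separator keeps (resource, recipient) pairs unambiguous.
    msg = resource.encode() + b"\x00" + recipient.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_url(resource: str, recipient: str) -> str:
    """Per-recipient URL; the recipient's name never appears in it."""
    return f"{BASE}/{_token(resource, recipient)}/{resource}"


def parse_url(url: str):
    """Split an issued URL into (token, resource), or None if malformed."""
    pieces = urlparse(url).path.split("/", 2)   # ['', token, resource]
    if len(pieces) != 3 or not pieces[1] or not pieces[2]:
        return None
    return pieces[1], pieces[2]


def trace_url(url: str, recipients=RECIPIENTS):
    """Return the recipient a URL was issued to, or None if it was never issued."""
    parsed = parse_url(url)
    if parsed is None:
        return None
    token, resource = parsed
    for name in recipients:
        expected = _token(resource, name)
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        if hmac.compare_digest(token.encode(), expected.encode()):
            return name
    return None


if __name__ == "__main__":
    leaked = issue_url("builds/gm.ipsw", "bob")
    print(leaked, "->", trace_url(leaked))
```

A server using this scheme would serve the file only when `trace_url` returns a name and would log that name with each request, which gives the accountability the thread attributes to usernames.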

  • NB

    Devil’s advocate here.

    1. What if they felt Apple had screwed him? How do you get back at the largest company in the world? Petty, sure. Dumb, sure. But effective for what little they could do.
    2. What if it wasn’t entirely malicious? What if they had voiced how insecure it was to have it open like this, which fell on deaf ears at such a large company? I can guarantee you that Apple will not store GMs like this again.

    Like, yes, it was likely either malicious and/or wanting to be The Person That Leaked It, but there’s nuance here we can try to account for.

    • Pretty sure Apple has HR that can deal with case 1, and they’re idiots if they don’t have a security escalation procedure.

    • rick gregory

      Bullshit.

    • Matthew Frederick

      It’s not that different from “my employer treated me poorly so I burned down the building”. Or put a backdoor in some code. Or even just stole a computer. You don’t get to attack your employer because you’re unhappy, just like you don’t get to attack anyone because you’re unhappy.

      On the second point, so the f what? They did something insecure, you told them. Boom, done. Screwing them to prove a point… why would that ever be good? Your point will be proven out in the world one day, or it won’t.

      Neither of these even slightly excuses that kind of behavior.

      • Average Zen Nihilist

        Not that different?! Arson and theft are crimes. If it can be proven that the employee acted with malicious intent and that the company suffered quantifiable losses, it might be possible to bring a civil suit, but coding a back door or leaking a URL are not against the law AFAIK.

  • Meaux

    I agree the person that leaked this should be fired, because they violated the firm’s trust. However, I find the moralizing by the likes of Gruber and Caldwell to be hypocritical and self-serving. So it’s ok to publish stuff that you hear from “birdies” or act as unpaid PR flacks and “leak” stuff that executives want out there, but all of the sudden this is unconscionable. Frankly, I find “leaking” stuff that execs want out there without attribution as worse as they are acting as a way to launder information without Apple* having their fingerprints on them.

    • Or Google or Facebook who do the same thing

  • Jason

    I don’t understand what the big deal is? So this got leaked. Are DF, The Loop, iMore, Six Colors all upset because they aren’t getting their inside scoop, and that they got beat to the punch in terms of being the “cool guys” with access? Granted those sites I listed are not rumor sites or leak sites but come on, the hardware is what this is about. Why don’t they get the pitchforks out for the leaked mockups of the phone from a few months ago? That to me is worse. Software? So what?

    • lacreid

      Software is arguably the reason the iPhone still commands as much attention, market share, and profit as it does while using tons of readily available hardware components.

      • Jason

        You and I know that and most readers of the sites I mentioned know that. I’m buying a new iPhone regardless. However, and I’m gonna use a football analogy here (I’m stoked the season is back): offense brings the crowds, defense wins the game. To me, the hardware is the offense, it’s what brings the crowds to the stores and the events. The defense is the software. It’s what protects that advantage.

    • john doofus

      Obviously, the leaks have revealed quite a bit about how the various features work – far more than a couple of case shells do. A big part of Apple’s product strategy is the big reveal – they put a lot of effort into their keynotes, which really are unmatched in the industry. The doofus at Apple who chose to leak the URLs has spoiled the surprise.

      • Jason

        I get it. I liken people being upset about it to the parent being upset that their kid snooped and found their Xmas gifts early. Again, I read all of the leaked info and frankly I’ll be able to wrap my head around it more once I have the hardware in my hands. Please understand this, I am not trying to say software is not as important as hardware. Apple clearly is the best marriage of the two. If I thought that I’d own a PC and an Android.

        • john doofus

          The snooping comparison is apt, at least for me. I enjoy the fanfare of a big product release and don’t like spoilers. This is the equivalent of telling people standing in line to see Empire that Darth Vader is Luke’s father.

          There’s still some mystery in how all this stuff will work, but this leak has taken some of the fun out of tomorrow. Which is a shame, both for fans of Apple and Apple’s employees.

          • Jason

            It did steal some thunder. But it didn’t make me any less excited. Example, I’m really not happy with FaceID or whatever it will be called and that part of the leak left me a little unimpressed. It seems gimmicky. I guarantee you this though, once I see how well it works because only Apple can make the things work well, I’ll be sold! That’s the surprise for me. How the stuff works together and only Apple can present that in a way that is convincing. The leak didn’t take that away for me. Sure, I have an idea of what will be announced but the execution is what I’m excited to se

          • Only a fool would conclude a thing he has never before seen or used is gimmicky and be unhappy about it.

          • Ahem….Ars Technica: “I’m worried that FaceID is going to suck—and here’s why” https://arstechnica.com/gadgets/2017/09/face-id-on-the-iphone-x-is-probably-going-to-suck/

          • lkalliance

            On a tangent I’m going to get the opportunity to see Empire for the first time next week at my friend’s — wait, WHAT????

          • john doofus

            Oops! Now, about Keyser Soze….

          • Meaux

            Aside from the animoji and the confirmation of the name “iPhone X,” was anything revealed new info? If animoji were going to be the “One More Thing” Apple has bigger issues than loose lipped employees.

          • john doofus

            I haven’t read the stories as I’d like to preserve as much of the surprise as possible, but the headlines I’ve seen suggest a lot of details on iPhone, Apple TV, Apple Watch, etc.

            The general reaction on Twitter or elsewhere suggests a lot of stuff was revealed/confirmed. e.g. Daring Fireball:

            “More surprises were spoiled by this leak than any leak in Apple history.”

          • “Darth Vader is Luke’s father.”

            Wait….WHAT!?

  • lacreid

    I would love it if they made an exemplary firing of this jerk. Very public. Torch his career.

  • Caleb Hightower

    Maybe this employee is disgruntled about the new desk arrangement at the ‘spaceship campus’ and leaked the GM in retaliation.

    • john doofus

      LOL. Now that makes it sound justifiable. 😉

  • JimCracky

    Yes, the employee should be punished.

    But, 9to5mac and macrumors knowingly went to a private Apple server and downloaded and then reported on Apple intellectual property. That’s quite different from simple rumor mongering. They should be charged with intellectual property theft.

    • And then spread this software to other individuals to analyze. I don’t even know how that’s legal.

    • Right, the Apple employee told them where they could get it, but it was up to the rumor sites to actually steal it. This is as bad as the iPhone 4 that was left in a bar. All it takes is one website willing to do something wrong.

  • I’m excited for whatever the “little things” are that Gruber teases could be spoiled by this leak. 🙂

  • bdkennedy11

    People that do this don’t care about their jobs.

  • Average Zen Nihilist

    You don’t know how, Jim? I’m glad you’ve had the privilege of being respected and treated well by all your employers. Like many others, I have had the unfortunate experience of working for a small business owner who asked ridiculous things of me, refused to provide benefits, failed to pay social security, and kept my salary as low as possible. More than a decade later, I still become very angry whenever I think of that a-hole. If this person felt as screwed over as I did, it’s very clear how they can do what they did.

    • Did you do something to get back at them? Or do you think that would be wrong? Would it make you as bad as you felt that employer was?

  • caleb lee

    People that do this don’t care about their jobs.

    • Mo

      People that do this aren’t thinking beyond the next ten minutes.
