How Apple Orchestrated Attack On Researchers
An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."
All this "smear campaign" stuff... talking about how Apple really hammered him on the clarification of whether it was a 3rd party driver. And George gets indignant that Apple asked this to be done.
Yes, you could see in the video that they used a 3rd party driver. However, was it really CLEAR that the exploit only existed for the 3rd party driver? Maynor and Ellch certainly did NOT dwell on this -- they in fact spent more time saying they enjoyed doing this because Mac users were "smug."
And, gullible as the press is, the press most certainly did NOT report "3rd party flaw exposes OS X security hole!" It was more along the lines of "OMGMACCRACKOVERWIRELESS!" It was days before it was clear, and even then it was necessary to specifically explain this to people. Sure, the video showed this, but the fact of the matter is that most people, including the press, did not UNDERSTAND this fact... and this was clearly obvious from the reaction to the matter in the first place.
And what I also don't get is... what are you really showing if you use a 3rd party wireless driver to hack a MacBook which has BUILT-IN wireless? Sure, you can do it, but is that a realistic scenario? I mean, I could compromise someone's system if I stole it and they didn't have disk encryption turned on as well... is that a hack?
It doesn't seem like Apple needed to do much to make those guys look bad - they did a darn good job of it all by themselves.
#DeleteChrome
An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer.
Karl Rove is Apple's PR director?
The theory of relativity doesn't work right in Arkansas.
Geez, don't leave out Matasano's response. George Ou is a tool.
Is this the same guy who doesn't know Gerbils from Goebbels?
This all sounds a little fantastic to be true. Most folks at Apple I know don't have time for an agenda. And speaking of agendas, George Ou's definitely got a hard-on for Apple.
Right, since ZDNet is such a long time Apple/Mac news and information source - and let's just overlook the phishing code embedded in the MoAB web page(s).
I doubt the real truth has actually surfaced just yet, and it may be a long time, if ever, that it does.
Face it, any OS that is widely-used (read: "popular") enough is going to be subjected to bug exploitation. Even Linux has bugs http://www.wired.com/news/linux/0,1411,66022,00.html although _WAY_ less than M$. In an open source OS the bugs get fixed, IMO, faster and more reliably than your weekly M$ patch. The point is, IT'S GOING TO HAPPEN!
I'll try anything once. Twice if it's DRM free.
You can lie about unverifiable truths, but not about verifiable truths.
I'll accept that the MoAB was definitely a result of the furor and press over the wireless vulnerability. But I'm not sure that I believe the smear campaign / character assassination part. Honestly, Apple really didn't need to bother; those guys' original presentation was so sketchy that they practically invited criticism themselves. First they'd say one thing (that it affected all Macs) but then they demo'ed it with a totally different hardware setup, with no good explanation as to why, producing countervailing views as to whether all Macs were really that insecure in their default state, etc. There's no way you can spin the way the vulnerability was announced as a well-managed affair. The whole thing stank from the beginning.
At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'yes' answer. So as a Mac user, I'm not really unhappy at all that MoAB happened, for whatever reason. I'd rather have stuff out in the open, and patched quickly, than some sort of quasi-secret (because, let's face it, if more than one person knows about it, it's not a secret anymore) unpatched vulnerability. I like Apple's gear but that doesn't mean I don't think they need to get a swift kick in the ass every once in a while to stay on top of things.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
From one of the folks accused of conspiring with Apple:
http://www.tuaw.com/2007/03/20/clarification-on-the-macbook-wi-fi-hack-conspiracy/
"While I'm flattered at the possibility of Apple even talking to me, the truth of the matter is that the company pretty much ignores TUAW, and most other Apple-related blogs, entirely. Honestly: Fox and I never exchanged so much as a "mwahaha" over email, or any other form of correspondence for that matter. I've never been contacted by anyone from Apple regarding anything besides the fact that one of my older PowerBook's warranties was about to expire, and that AppleCare would be a great way to stay within their graces."
E pluribus unum
Does Microsoft give free PR to "security researchers" every time it patches a bug? How about various linux software projects, do they crow openly about those who find bugs in their software? Or do they just patch the bugs?
Everything I've read about this suggests the "security professionals" are looking for fame and Apple doesn't care. I don't either. As long as bugs get patched, and Apple seems to have done so in a timely fashion, at least as much as Microsoft and other software companies do.
Should read: At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'no' answer.
In other words, big portions of the Mac OS are still developed as closed-source products, or by people who probably were trained in that mindset, where a bug really only matters once it's widely disclosed.
I've never bought this, because frankly I just don't trust people to keep their mouths shut while a company fixes things at their own pace. I'd rather see bugs get tons of press, and force companies into hauling their developers in on overtime and fixing the thing ASAP, so that the time before first discovery and patching is minimized. I would rather everyone know about it (including administrators and owners who can take defensive measures) than try to cover it up for as long as possible, maximizing the chance that the Russian mafia or other black hats will get their hands on an unknown (to everyone else) vuln.
Some parts of Apple seem much more comfortable with full disclosure than others, and I'm perfectly comfortable with bludgeoning the parts that aren't if that's what it takes. As a Mac user, I'm not at all displeased about MoAB, regardless of its motivations.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
but it doesn't make it look any worse. How do you hurt the image of a pair of morons who already do an incredible job of making themselves look like asshats?
MOAB as "revenge"? A number of "Apple's" bugs as listed in MOAB were in third-party software (VLC on day 2 for fuck's sake!), the same as their original hyperbolic wireless exploit shenanigans. And then they go and use an exploit on the site, and act like petulant children in their communication with others through the site, all the while crying foul that they aren't being treated like serious security professionals.
This is not "news" by any stretch of the imagination. Ou is only now "at liberty" to discuss the matter? I remember quite clearly while the whole wireless driver brouhaha was happening that he and the researchers were claiming Apple was running a "smear campaign" against them -- a campaign that everyone else in the security community and press was somehow unaware of, given how massive Ou claims it to have been.
Apple never claimed there were no flaws in their drivers, I don't know how many more times this can possibly be stated to Ou, if it is necessary to use shorter words with fewer syllables or what. Apple's only statement on the whole matter was that Maynor never provided any specific information to Apple as to what this specific security hole was supposed to be. He jumped up and down and waved his arms and told Apple they needed to fix it real soon, but neither he nor Ou nor anyone else has provided any kind of documentation indicating he gave any actual, useful information to Apple about this security vulnerability. He just made vague pronouncements about wireless security and then expected Apple to read his mind, as far as all the available evidence can prove.
Yes, Apple released patches for network drivers after this whole announcement was made -- they released patches for network drivers before then, too!
Ou continues to be either grossly deceived, completely inept at actually investigating and reporting, or so caught up in his ego that he can't recognize he's been played like a piano.
This is not a case of Apple hiding their heads in the sand, running a smear campaign, or fanbois refusing to accept that something could be less than perfect.
Provide some actual evidence and people will listen to your fearmongering, but it's been a year already since this "huge vulnerability" was disclosed and the most we've seen is a computer crash!
Recursive: Adj. See Recursive.
It seems that some things that this guy claims aren't totally correct, or are deceptive, or are missing a critical piece of information. It seems like he is never ready, willing, and able to explain himself clearly.
Maybe Apple did rake him over the coals, but it seems very unlikely that Apple had any kind of campaign against him. In fact, if they did, he'd likely have legal recourse.
I look at him as a mere self-promoter looking for some limelight.
I wouldn't hire him to do any security-related activities. And yeah, I'm looking for someone to do just that.
Apple continued to claim that there were no vulnerabilities in Mac OS X
All systems have vulnerabilities, how can they say that with a straight face?
Libertarian Leaning Political Discussion Forum.
Does it really?
I'm not a Mac fanboy (in fact I'm a Linux fanboy) but I do like my Mac laptop and I don't really have an opinion on Apple, so my point of view on the topic really sees this as a non-issue.
Both parties handled the wireless 'hack' (3rd party driver doesn't really count on built in/OS supported by default hardware) badly and had their own motives for their actions.
Though the Month of Apple Bugs, as a Mac user, just appeared to be either a stunt by Apple or a stunt by someone else no one cares about to show off Mac security compared to Windows. And really the end result was that Apple had to fix a ton of bugs; as a Mac user this made me happy, and happier when Apple sent several patches to my Mac with these fixes in short order.
So really I see this as a null event, and its effect on my opinion of Apple has only changed in two regards as a result: they will fix bugs quickly and well (regardless of whether this is accurate or not, remember I'm a user who really doesn't care - e.g. the average Mac user) and that with a huge security community pushing to crush 'smug' Mac users' outlooks on OS X they only found 62 critical bugs. Seriously, 62, that's it, what a joke.
Again, as a Mac user this just improves my view of Apple's commitment to security. Plus I think it would prove to be a comical point if there were to be such a serious Month of Windows Bugs! "Oh see, my Mac only had 62 bugs, your Windows PC has what? 12,085,387? Have fun with that virus scanner, firewall, and content filter you need to run just to reduce your risk of your Windows box getting infected!"
At the end of the day all OSes have bugs and companies have to deal with them the way they see fit; and the users have to accept that or switch operating systems. It's not like you don't have a choice; heck, I'm a Linux user who bought a Mac for a spare computer that would 'just work' when Debian sid decided that my computer wasn't something it wanted to play with.
I ate your fish.
Everyone else gets to name a month. Dammit I want one too.
So in other words, security guys say OS X has problems, Apple says nuh uh, security guys risk the security of all the Macs out there by posting vulnerabilities for our machines that can be exploited. Wow, yah, thanks for that, you really showed Apple with that... and risked my Mac's security. Thanks, thanks a ton! Way to keep Apple "honest." Do you get how sarcastic I'm being?
Maybe the drivers are built-in to the OS, and that is why Apple had some responsibility here, even if it was 3rd party hardware.
Do Maynor, Ellch, KF and LMH in fact speak for "the security community"?
Played or not, Maynor and Ellch came out swinging at Mac users and attacked them on attitude's sake alone.
Last summer, KF was blogging about what a great, rapid job Apple did on its patches, and by January, he's got them on a spit in the public square, and baiting Apple and its users.
Is this to be the public face of the security community?
What I got from the original video, taken on its face, is that the MacBook was not vulnerable, that the exploit was for some 3rd party vendor's stuff, but they were going to use the MacBook just to cheese off Apple users, whose attitudes they perceived as lousy. Human memory being what it is, like Orson Welles' The War Of The Worlds radio broadcast, they had to realize after watching the remaining lion's share of the video that people would mostly retain the image of a MacBook getting pwned.
Beyond the mechanicals, my other impression was that if they were going to demo an important vulnerability and chose to wrap it in several layers of personal feelings for a specific bunch of people, they might be skilled, but they're still unprofessional.
I'm not sure if George is trying to paint them as choirboys or simply C his own A.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist).
I believe they actually claimed they hadn't had the vulnerability in question demonstrated to them. The fact that they later patched *a* vulnerability in wireless drivers doesn't necessarily prove anything. If it does, then as an Apple basher, my future plan will be:
a) announce that I've found a vulnerability in in $OSX_FEATURE.
b) ignore requests for details, proof, etc
c) be universally regarded as an idiot
d) Wait until someone else finds a vulnerability in $OSX_FEATURE and Apple patches it.
e) trumpet from the rooftops that I said there was a vulnerability in $OSX_FEATURE months ago and OMG! Apple denied it and look, they've just fixed it and I was right all along!
f) Smugly watch the sensationalist articles about how Apple bullied me.
Oh! I see! There are lots of ADVERTISEMENTS on this blog page! Phew! This was a great way to drive traffic! Thanks ZD-Net, for the "news"!!!
Now I'll turn on CNN and watch the "news" about the next dreaded disease from Asia that could kill my children (and see Viagra ads at the same time.)
I can't stop. Seriously. Is Olbymann your puppetmaster?
Um ... why does Ou think those researchers should get credit for uncovering a vulnerability in Mac OS X that (Ou reminds us over and over again) they themselves claimed, from the beginning, that they did not uncover?
...
And when did Apple ever "claim that there were no vulnerabilities in Mac OS X"? I am pretty sure that's never been said, at least, not officially. Maybe some employee spoke out of turn, but the company itself has never made that claim. Ever.
I don't know anything about Ou, but these two huge misstatements don't make me trust him
If you think 62 is not a significant number, you need to wake up and stop drinking your hippie juice; this represents more than half of Windows 2003's product-lifetime security bugs. So to put it in perspective, that is 2 years of MS bugs in a month of research. Hmmmm, yeah, keep living in your dream world where 62 bugs is a small number for just a couple of guys poking around.
Well! I certainly won't be needing to ask your opinion of GM, then!
No, you need to stop smoking the M$ cock. Microsoft documented well over 476 "critical" bugs of the nature OS X had.
"Slashdot, where telling the truth is overrated but lying is insightful."
Since my wireless connections, on my dual G5 and my TiBook work just fine ..
Although a quick check at MacFixIt does discuss the problem: http://www.macfixit.com/article.php?story=20070318234944267
Curious
SteveM
Let me ask you this-
What has Microsoft ever done for the open source community other than to try to undermine Linux?
What has Apple done to support the open source community?
Do technologies like hardware acceleration for X windows, more focus on open standards (Open LDAP, SMB, etc.), make Apple as evil as microsoft?
Jobs is as bad as Gates in some respects, but a blanket statement like this cannot possibly apply in all aspects of their work. Is Bill bad because he is supporting his charity now? Is Steve Jobs bad for spending his own money to make an animation company that produced quality family films? You can't judge on one level- it's simply impossible. Your argument needs better qualification. Saying that you like "open source and community review" will earn you a few karma points on slashdot, but in my book that post was all about "Apple is Evil."
< pinky to corner of mouth >
You seriously don't think 62 is a lot for a couple of researchers to find in one month? This was hardly an extensive, complete audit of Mac OS. It was what they found in 30 days. Sorry, that just doesn't seem confidence-inspiring to me.
Seriously, this whole sorry saga has been hashed and rehashed all over the web. Why should /. give these clowns any more publicity? See John Gruber's blog for an excellent debunking of Maynor, Ellch, and Ou's claims.
Ou continues to be either grossly deceived, completely inept at actually investigating and reporting, or so caught up in his ego that he can't recognize he's been played like a piano.
And an asshat to boot.
SteveM
I have a friend in the security community who insists that there was also a lawsuit by Apple against David Maynor because of this incident. But he says he can't give me details because they're still confidential.
I would have thought that, by this point, with so much time gone by, and Maynor changing jobs and everything, and how bad this would look for Apple if they did bring a lawsuit against him, that surely this information would have come out by now, had there been a lawsuit. But of course, I can't prove it didn't happen, and this guy is generally very reliable and says he's seen first-hand proof that it did happen, and I'd really like to know one way or the other. Is anyone in a position to comment knowledgeably about this?
Unfortunately, I have to post this anonymously for obvious reasons, in case it is true and both parties are still trying to keep it secret.
If this thing is completely related to a 3rd party driver, it is a sign that Apple needs to adopt a WHQL-like method to certify third party drivers. I know it would sound bad, but they could publicly call on users not to use a certain unmaintained driver which apparently got abandoned by the hardware manufacturer.
I know the MS one is not that serious, but Apple could start from the beginning, learning from MS's mistakes.
It could be more security- and performance-focused rather than vendor lock-in.
BTW I bought a Windows-only USB wireless product by mistake (site error) and I have a good clue what driver they may be talking about. If it is the case, it is completely unrelated to Apple really. Also I am not talking about Orangeware etc. commercial drivers which are maintained very well.
Well then, I'll do my part for that cause by pointing out Firefox's development process is just as bad as Apple.
Here's a few of my favourite bugzilla bugs, in ascending order of bullshit:
#324253, a cross site XSS exploit which nobody responsible for the code seems to care about.
#45375, a request to make tooltips not cut off at an arbitrary length, which they refuse to fix in Firefox apparently out of spite.
#18574 - The MNG bug... you really have to see this farce with your own eyes. Especially the bit where the asshole in charge of the image code stated that the MNG DLL has to fit within his deliberately impossible to reach size requirements before he'd even consider re-adding it.
How many bugs were exploited?
Did the people posting the bugs with their pompous attitude (as they did with the php, microsoft, and soon to be seen myspace) get the retirement in 6 months on the jobs they were looking for?
If their true and altruistic goal was to have these bugs fixed, well, they did a pretty good job. Too bad I don't believe in altruism through acting like an asshole.
The problem I am talking about first reared its head in the 2007-002 update, not the .9 update (though I have little doubt that it exists there as well.)
I've fallen off your lawn, and I can't get up.
Please, continue to have "Months of Apple Bugs", hell, make it every month! The more you force Apple to patch the more secure my mac will be.
Ann .... is that you babe?
If Apple is just as bad as Microsoft OSes, where are all the viruses and zombies? I sometimes leave my Mac logged onto the internet for days at a time. I take a deep breath every time I log on with an XP system. I run Spybot several times a day on my PCs and never have a problem with the Mac. Why all the obsession with degrading Macs when Macs have a history of security? Better to use it as an example to Microsoft of why they need to improve their security.
The Mac community seems really histrionic in comparison to Windows...what's the deal here?
It is amazing that the last update of Safari was made in 2005 (2.0.4). Do you believe Safari is more secure than FF and IE? Apple just is blind to their security problems. It is a company too closed nowadays.
Not apple, these idiots that went to all this out of spite.
Way to be adults. I don't mind the results of a more secure OS X, but this was entirely the wrong way to do it. Completely irresponsible and childish. Shame on them.
Maynor and Ellch are liars at best and jerks either way. Ou is a braying jackass of the first rank. I don't trust a thing any of them say. The MOAB wasn't any sort of public service, it was hackerbating by spoiled children.
They wanted attention but weren't smart enough to understand what kind of attention they would get with unsubstantiated allegations. Now it is too late- the time to prove an exploit is before it has been patched and details made public by the vendor.
The best thing to do is to ignore all of these clowns.
And the captcha is "advice"...
Some moron keeps tagging every story with a claim that may or may not be true as FUD.
/rant
Please stop it.
FUD has a very specific meaning. Pay attention - FUD stands for Fear, Uncertainty, Doubt. It is a marketing strategy that spreads, you guessed it, Fear Uncertainty and Doubt about a competitors product. Every statement you disagree with is not FUD. Not every untruth is FUD. Not all FUD is untrue for that matter.
Thank You, that is all.
Essentially what you are saying is as long as Apple throws us a bone once in awhile then it's quite alright for Jobs to swing a club whenever he chooses. I am sorry, but that's NOT my view of how things should work. Selective transparency and selective accountability is for crooked politicians and evil doers.
I thought the real vulnerability demonstrated (although poorly) was that Mac OS X security model does not provide a mechanism that prevents low level drivers from exposing the OS to vulnerabilities. Is this just more blogger BS or is there some truth to this notion?
Nov 14, 2006 was the last time WebKit was updated.
With the latest patches, according to Secunia, Safari has 4 outstanding unpatched advisories, of which the most severe is "Less critical."
By comparison, Firefox 2 has 3 unpatched Secunia advisories, with the most severe also being "Less critical."
IE6 has 20 unpatched advisories, with the most severe rated "Moderately critical." IE7 has 7 unpatched advisories, with the most severe also rated "Moderately critical."
The US free market: two halves of a government-granted duopoly are free to set the market price.
Really? Please show me. Windows 2003 doesn't even have that many for its entire lifetime yet. So unless you decided to throw in every product they make, this is obviously a blatant lie on your part; feel free to provide a link if you can manage to get Jobs' c0ck from between your lips long enough to take a sip of reality.
The MOAB didn't discover all of those 62 bugs; they found 31, 6 of which involved 3rd party software.
Live EVERY week... Like it's Shark Week
anyone else see the icon next to this poster?
are we gonna get avatars?
This is too funny.
Everyone with a brain knows that the only reason Macs are thought to be more secure is because their market share is so tiny that hackers don't even bother finding holes.
Anyone that actually thinks any Mac OS is more secure than Windows because of design is either a Mac-zealot, employee, or just an idiot.
While the smearing charge may be a bit overblown, I have to say that I think Apple's entire campaign about how Macs are more secure than PCs is absolutely ridiculous. Are there fewer known bugs in Macs? Certainly, but that is only because there is less for hackers to gain from compromising Macs. Third party vendor driver or not, Apple's massive marketing campaign would have you believe that on the day your Mac shows up, it will be impenetrable by viruses. As much as anything, what hurts Apple the most in this argument is that the Mac is a complete hardware and software bundled solution, whereas no one talks about how Dells have virus problems, because they understand that Dell only provides the hardware components. This bundled solution is pitched as easier to use, but it burdens Apple with the responsibility for any flaw in any part of the bundle. If they don't want to have to answer for every vulnerability discovered in their bundled products, they need to unbundle their products so that people have real choice in the hardware. As long as Apple markets itself as selling packaged solutions and not component-based systems as PCs are, they deserve to get all the complaints when a piece of their solution has a problem.
That is why he gets the spiffy icon.
haha nice one Lyne, way to play these chumps at their own game ;)
'nuff said.
Was that Apple's security is fantastic! Seriously, they went to all that trouble, asked for submissions, publicised it far and wide .. and that's the best they can come up with? It was like SCO and their "mountains" of code.
.. it would probably turn into a Year Of Windows Bugs, if not Decades Of Windows Bugs. Actually I take that back, there is a Decades Of Windows Bugs, it started in 1992 and it's still going strong!
What was the score again? A couple of crashing bugs, only one of them remote, and that one didn't work 95% of the time (I sure wasn't able to duplicate it). Most of the "Apple Bugs" were 3rd party, and while they were admittedly running on the Apple platform, we can hardly blame Apple themselves for 3rd party bugs. Needless to say they were almost all immediately fixed, sometimes within hours.
The lesson I got from MOAB is that in general Apple's security is excellent. I'd love to see what a "Month of Windows Bugs" would unearth
Let my new 7-digit UID be a lesson to all - write down your passwords.
How hard would it have been to include the URLs?
#324253, a cross site XSS exploit which nobody responsible for the code seems to care about.
#45375, a request to make tooltips not cut off at an arbitrary length, which they refuse to fix in Firefox apparently out of spite.
#18574 - The MNG bug... you really have to see this farce with your own eyes. Especially the bit where the asshole in charge of the image code stated that the MNG DLL has to fit within his deliberately impossible to reach size requirements before he'd even consider re-adding it.
There needs to be a way to mod this whole item -1 troll.
Told you Microsoft was evil! Oh, wait!
When did Apple ever earn a level of trust? They are, and always have been, an insanely brutal monopolist. They are far, far, far worse than Microsoft could even DREAM of being: MS doesn't try putting companies which sell their products out of business, as Apple does. Microsoft doesn't have ham-handed policies toward retailers selling their products, and then turn around and open Microsoft stores.
Lots of people are waking up to this fact, which is why Apple is getting sued by the European Union.
Want to see fair use? Try buying an Apple computer without OS X on it.
And all of this says nothing of the myth Apple (and Slashdot) try to push, which is that getting hacked, bugs, virii, and spyware are Windows-only phenomena. The MoAB shattered a lot of illusions... and it was only the tip of the iceberg.
But hey, feel free to tell us how Apple has "earned" any trust. Being "not Microsoft" does not earn one trust, contrary to Slashdot-logic.
...or someone who understands that its *nix core is inherently more secure than the NT core.
I can see that you fall into the third category.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Cute. If you'd had Windows running alongside another OS for any length of time you'd know which has more security issues.
The OSes I currently use are Windows, FreeBSD, and OpenBSD. Now go somewhere else and pretend you have a clue. I'm sure there are plenty of Linux newbs and Mac zealots out there that would love to hear you preach.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
If you've had as many security problems with your *BSD installs as Windows then I'd say you're the newb. Might want to pick up a book or something.
Most folks at Apple I know don't have time for an agenda.
Not only do they lack time for an agenda, they also lack time to support their beliefs with facts. Apple employees seem to take it as a given that OS X is secure, efficient, and user friendly. In fact, there is very little solid evidence that it is better in any of those areas than either Linux or Windows.
Don't get me wrong, Apple makes decent products, but their smugness and lack of looking beyond their own company is not only annoying, it's also going to be bad for the company in the long term.
So secure it doesn't talk to anyone - not even the person who owns it!
But seriously, gotta worry about so many vulnerabilities being reported at once. Must be the tip of the iceberg.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
I thought that Apple's advantage is that it "Just Works". I guess that's out the window now. The world's going to hell in a handbasket...
A house divided against itself cannot stand.
Apple is potentially more deleterious than Microsoft. Had Apple had its way, the lock-in these days would be a dual software/hardware one, all controlled by Apple. Microsoft is despicable, as we all know. Apple has not had the chance to be despicable, thank goodness.
I think MS is unfeeling and ruthless, but Apple with the JobsMonster is far worse.
http://video.google.com/videoplay?docid=146818771711399295&hl=en
It looks like the third party wireless card was not used at all. No one really knows what the hell was really going on in that video.
But we were continually reminded that it was an "Apple" that was the "victim".
In short, in a totally open system, things might tend to get locked up by process.
Debian.
Thats all, just Debian and their record on timely releases.
In the free world the media isn't government run; the government is media run.
Do technologies like hardware acceleration for X windows, more focus on open standards (Open LDAP, SMB, etc.), make Apple as evil as microsoft?
Are you saying that Apple have made some contribution to hardware acceleration for X Windows? Maybe on their own platform.
Are you saying that SMB is an open standard and that Apple have contributed to it?
I think you're terminally confused.
What has Microsoft ever done for the open source community other than to try to undermine Linux?
Actually I'm pretty sure that MS have started more open source projects than Apple have. The only Apple one I know of is launchd. I know of at least two MS ones.
I thought Ou had lost all credibility by now. He's biased and stupid. I know that sounds harsh, but for heaven's sake, read his blog posts! He compared Apple to Nazi Germany, not even knowing how to spell Joseph Goebbels ("Joseph Gerbils", I'm not kidding!), and he called Fox using a number he got in a confidential mail from Maynor. I mean, geez!
The people he accuses have gone on the record saying that Fox had not contacted them. Chartier says:
This whole story only exists in Ou's head. Apple orchestrated nothing at all, the "researchers" discredited themselves all on their own, simply by claiming different, contradictory things at different times.
George Ou is nothing but a Troll. Can we please just ignore him?
We have a name for Mac users: poseurs.
But seriously, if you think the colour of a computer makes it better, then that says it all.
America, Home of the Brave.
We'll know something strange is going on when rumours of Jobs going out with Vicki Vale appear in the press.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
The big problem is that Maynor has yet to release exploit code or crash dumps for the alleged native hack.
The burden of proof remains on those who claimed the exploit, they've managed to utterly fail to live up to that burden. (Maynor's last demonstration only produced a DoS crash with the lame excuse of not wanting sniffers to get his exploit code for not showing the "pwnage".)
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Leave it to a PC user to interpret "beige" with such brickheaded literalism.
I don't use OS X, so this question isn't as rhetorical as it might seem: Does Apple usually give credit to bugs found?
I'm sorry to chime in with a stupid comment. But sorry, this is Slashdot, so here I go ;-)
I'm sick and tired of such "researchers". Back in the good old days they were simply called "testers" - and their job was to look for bugs, localize them and report them to developers. Instead of reporting a bug, all they do is create a "sensation" or "scandal".
Apple might not be the best company when it comes to PR (actually probably second worst - right after Sony) but most of the problems get resolved easily. And even then, most of the time Apple's PR reaction is ... right, no reaction. The guys are used to living and working under piles of NDAs and very very rarely talk to the press. Or rather they organize events if they want to announce something. (I'd rather give a thumbs up to Mac fan boys for smoking the so-called "researchers" into the clear. Because that's what I believe took place.)
The rise of the Internet unfortunately attracted hunters for cheap publicity. And most of the so-called "security researchers" fit right into that category. They relate to research as, e.g., Britney Spears relates to music.
P.S. Disclaimers: Ex-Mac-owner. Linux developer. And yeah, I know how to write secure programs and what QA is.
All hope abandon ye who enter here.
I am the worst (or best, depending on your point of view) kind of Apple apologist, but any attempt from any company to stifle, ignore, or deny security research is not just silly, it is reprehensible. Companies with products where security is a concern should always respond with acknowledgement of the research, credit to the researchers, and evidence proving the validity of the claim either way. Then, of course, release a fix in due time if necessary. These same corporate entities ask for courtesy from the security community in notifying them first of problems, but yet many still react negatively to this valuable community-provided service. For those who behave properly, this restraint should be afforded. For those who respond as Apple have done, the appropriate response is, I think, exactly what happened: a flurry of publicized exploits without prior and exclusive notification. Proceeding in this fashion creates an incentive to take security concerns seriously and disincentives to bury them.
Why bother.
Apple did what I would expect, and as someone that owns Apple stock I would want them to do. Their image and name was being slandered and they defended themselves. And if they are being honest, they took on the costs and did their own audit, found bugs and patched them.
To this day, no exploit has been demonstrated reliably against any hardware by these guys, this is a fact.
To this day, no proof that Secureworks or these two researchers gave any information to Apple or had any contact with them prior to the media campaign has been shown. This is a fact. No crash dumps, no emails that were sent, nothing, no response from Apple, nothing. Just words against words. I'm not saying that there aren't bugs, just that the claims made by these researchers that they were pressured aren't backed.
To this date, no evidence of any threat of a law suit has been shown by either side.
So far we simply see an email from Apple's PR people (go figure, this is a fucking PR campaign) expecting clarification.
The point I take from this is that Apple at least patched their stuff. Unlike some other vendor(s) who let their products go for >3 months with exposed security flaws.
Those who have telepathy have no need to RTFA.
Leave it to a Mac user to mis-interpret sarcasm.
Anyway, why would Mac users understand imagery better or take things less literally?
Imagery has its place in literature, art, music etc... And, by all means, use a Mac to create videos/music/photos/artwork, whatever... but don't claim that Macs are somehow better. PCs can do everything a Mac can.
By the way, I may be a PC user but My OS of choice is Linux (Ubuntu flavour), Not MS. Oh Wait "My OS of choice". Interesting. Well I suppose you do have a choice:
This has the same stench as that retard Paul Murphy (really Rudy de Haas).
Let's see, Microsoft pays for: fake TCO studies, fake benchmark studies, pro-msft bloggers, fake journalists like Enderle, fake think-tanks like AdTI, and astroturf campaigns; among other things.
Frankly, I no longer believe any pop-media blog, or article, that is pro-msft, or anti-msft-competition. Msft has too much media influence.
This is the idiot who compared Apple to the Nazis and "Joseph Gerbils." What a maroon!
So the state of California doesn't think Apple ISN'T a monopoly.
No, that's also wrong. What California thinks is that there is nothing so terrible about how the case is laid out that they will let him try - they could easily do so even if the state of California was 100% sure Apple was not a monopoly. It's quite different than saying his case actually has any chance of success.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Ok, I just saw the video. Attacker, victim, third party wireless card, interact with bytecode device driver. Oh and I notice that the video is sponsored by - Microsoft.
But what did they expect to happen. Why didn't they first privately inform Apple and then if no action was taken go public. Two security researchers in search of the glory announce an Apple exploit. The Apple PR dept goes into overdrive and spins the issue. What did you expect from the PR dept of a major corporation - the truth. Welcome to the real world.
davecb5620@gmail.com
Hey, who modded my previous entry to troll. I didn't say anything worse than the parents/grandparents, and at least I wasn't an anonymous coward.
What I don't get is why people concentrate on the irrelevant issue of whether a driver works or not. The article was about Apple bullying researchers, using odd legal tactics to prevent the truth about their vulnerabilities from surfacing and hiring bloggers to cover their tracks. If Microsoft had done this, it would be on the front page of the newspapers, and the first item on Slashdot would be "Microsoft Bullying Security Researchers". But this is Apple, so it is probably OK for them to do it.
I find it interesting that you believe a server OS can be compared to a desktop OS on par. I guess you don't since you are trying to mask your comparison of apples to oranges with rude insults. When it comes down to it 62 bugs is nothing in a desktop environment that demands free and open usage; more so now that they are all fixed. Servers are a completely different story and no matter how much FUD or insults you throw you cannot change that.
I ate your fish.
sad but true...guess the mods got their panties in a bunch over that one!
Um, SMB was made by Microsoft, and Active Directory uses LDAP.
What book teaches how to have less than zero security problems? Can I get it on Amazon?
...George is smoking crack. The Macalope waxes more poetic than I possibly can about why he's reached this particular conclusion.
So now you claim neither has security issues LOL A word to the... well, you: All systems have vulnerabilities. Windows just has more than BSD variants. If you believe Windows is more secure than *BSD, including OSX, please enlighten us with your proof.
I'm not suggesting that they go on a death march for every trivial bug. That's unreasonable. (Although I would like them to notify users of workarounds for all known issues, even the seemingly trivial ones, or at least note their existence somewhere.)
But here's the problem when you don't have any public disclosure, and you're laboring under the impression that nobody outside of the company knows of the bugs. Let's say you get in four trivial bugs, and one critical vulnerability. There is a lot of temptation -- and I have seen this happen, over and over, in places where I work -- to fix the trivial ones first and let the big whopper sit a while until everyone has "cleared their desk." That way, you make your metrics look good, which makes the PHB happy, etc. Then when everything else is done, work gets started on the big problem.
That's not really the best outcome for users, because unless the vulnerability was discovered internally, I just don't believe that it's really "undisclosed." Somebody knows about it, and the fewer people know about it, the more of an advantage they have, and the more tempting it's going to be for them to abuse it (either auction it off or use it directly).
So I wouldn't want a vendor freaking out every time anything comes in, but I do want them to feel like there's at least as much of a gun to their head, as there is to mine as a user, when something critical comes in.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
And thanks to them, the 10.4.9 update was rushed out the door and more complicated than it needed to be.
Many people had problems with their system not booting after applying the update. In my case, the system drive's file system had unrecoverable errors after the update installed. Say goodbye to my data.
Yes, anything really important was backed up, but I still lost a little bit and I still have to spend a bunch of time reinstalling and recovering my system to the point it was before the update.
I'm so glad to hear that the reason may be that a few people were too childish to get along, so they resorted to fighting in the public arena and in court over the security and stability of OUR systems.
Grow up for fsck sake.
Those two idiots who can't even give a proper demonstration of the problem?
KF?
LMH?
C his own A?
WHAT?
the hottest music podcast on the block
Uh, if you've dealt with exactly zero problems on your FreeBSD boxes, then you have a rather vulnerable box. The BSDs are good, but they aren't THAT good.
I'm defining a security problem as some type of breach. Your definition is obviously different. For the record, the last security issue I had with Windows was in 2001, when a worm hit my box via a remote exploit in Trillian, but I had never used any of the BSDs at that time, so I didn't count it.
But...I thought Apple was infallible?!
Once again points to the blindingly obvious truth that the reason OSX is "secure" is because no one is trying to break in.
I still blame Apple for the poor quality of the update.
Change is certain; progress is not obligatory.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
That this update FIXED my connection problems, caused by the 2007-001 update...
10.4.9 is a major security and bugfix-type upgrade. At first, I just noticed that things went very fast. Then, I noticed that Photoshop wouldn't open a jpg. Uh-oh. Well, most of the stuff in MacFixit that isn't "reapply the combo updater," is "clean cache and dump preferences." So I ran Applejack, my freeware of choice. Ta-da. Evidently, the caches that were tossed were clogged. Works like a charm. I haven't noticed a single problem since. Sorry if that sounds gung-ho or something. It's just true.
In fact, one of the best "worry-bead" sites is MacFixit. Predictably, when people go there, they've got a problem. Things can break, after all. If you haven't tuned up your system in six months, some permission may be set wrong. You could have a corrupt font or a corrupt cache -- something that impedes a clean install of the update. Get Disk Warrior. Run Disk Warrior. Run Applejack. Unplug all USB and Firewire. All peripherals, just to be safe. Reinstall the whole thing from the combo updater.
If you base your idea of how much trouble a certain upgrade is by who's complaining at MacFixit, you're making a huge statistical error. The people who go there go there because they have problems. It's like an Internet poll: it's a huge sampling error. If you did a survey on heroin addiction at three in the morning outside a clean needle dispensary, you'd think everybody was an addict.
The other day, talking about politics, somebody said, "ALL the people I know are voting for Obama. How come Hillary is ahead in the polls?" Well, that may be true for your friends, but that is stunningly dumb for an intelligent person.
AC, perhaps you misunderstood my use of contrast to provide emphasis on my point. Otherwise, you have shown nothing but a disposition to level personal attacks. As you are clearly better informed and possessed of superior reading comprehension skills, care to enlighten me by offering any support to your claims?
The biggest problem with journalism is that they take everything out of proportion. Let's cut the fat off this whole story and you'll notice that there is nothing fantastic or obscure happening here... So, the mere facts [with evidence] are: Some guys found something in a 3rd party wireless card (in the video, they show a 3rd party card, so I cannot confirm that the Airport has the same problem), they used a MacBook to demonstrate what they found because they knew it would generate a fuss. They did NOT contact Apple offering their services as "security counselors" (if that is what they are), and then Apple had to revise their soft and make a few changes to correct some things. So.. Apple does not have to thank SecureWorks for anything, these two guys should not be pissed off, and Ou should shut his mouth and start reading before writing... don't take anything for granted; if there is no evidence behind what you are saying, then it is better to keep your mouth shut and your ears open.
Spot on for the first observation, but a wag of my finger for the second, since it shows you didn't read or understand the post to which you replied.
LDAP is a protocol; Active Directory supports it, it's true. Open LDAP, which is what the parent post was talking about, is a product.
The parent's examples were poorly picked, but their point remains quite solid. Comparing the relative track records of Apple and Microsoft, one can see that Apple has been much more supportive of open standards and technologies in recent years. Microsoft has adopted some standards, but has either done very little to contribute back to them, or (worse) has "extended" them in proprietary ways.
Apple, on the other hand, has made community contributions back to code bases (like WebKit), and has generally been a good citizen when it comes to supporting and refining open standards and technology. They aren't perfect, and there are certainly other organizations that do even better (Ubuntu springs to mind). Still, what they do should be rewarded and encouraged, because Apple has demonstrated that it listens to constructive criticism better than most companies.
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
So you are actually claiming the history is false? And that all the evidence is made up? And that the guys went later and changed the information they published originally (and that lots of people read) and no one noticed? And that Apple can't possibly be responsible for misbehavior? You've certainly been brainwashed. Seriously.