Slashdot Mirror


How Apple Orchestrated Attack On Researchers

An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."

1 of 389 comments

  1. Re:So I don't get it... by squiggleslash · Score: 0, Flamebait

    It really is remarkable that even now, after Maynor and Ellch have been proven to have been 100% correct and on the level, the smear campaign and blatant misrepresentations against them continue to be repeated and, apparently, taken just as seriously as they were when the likes of John Gruber plugged them and gave them credibility in front of the wider Mac community.

    It was explained in the video that Maynor and Ellch were using a third party wireless card, but this was presented a month later as something the researchers had hidden, lied about, and as proof they were being dishonest.

    It was explained repeatedly why the researchers were not using live Apple hardware to demonstrate the bug in front of the Blackhat conference. But it's still posed as a question.

    It was clear, early on, that the bug was, in fact, real, and widely known (similar bugs were in the FreeBSD drivers for the same hardware), and Apple themselves publicly fixed the fucking thing a month or two after the disclosure (without crediting the researchers), but it's still presented as if there never was a bug, that Apple's bug fixes were somehow unrelated.

    And now Ou presents compelling evidence that Apple's PR department did, in fact, organize the smear campaign against Maynor and Ellch, and you still act as if it's not really a smear campaign, that there were legitimate reasons to be mistrustful of the researchers. Because, you know, it's still worth lying (and make no mistake, that's what Apple's PR department did, by spreading the meme that the researchers had actively misled people about the hardware they were using) if the truth is damning by itself. Right?

    You're a tool, dude. The best thing you could do right now is admit you've been used, and apologize to Maynor and Ellch for your part in continuing to smear their reputation.

    --
    You are not alone. This is not normal. None of this is normal.