Slashdot Mirror


How Apple Orchestrated Attack On Researchers

An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."

15 of 389 comments

  1. Shooting fish in a barrel by 93 Escort Wagon · · Score: 4, Insightful

    It doesn't seem like Apple needed to do much to make those guys look bad - they did a darn good job of it all by themselves.

    --
    #DeleteChrome
    1. Re:Shooting fish in a barrel by catwh0re · · Score: 5, Insightful
      While I congratulate slashdot on trying to post the story from the "other side", the researchers, for the most part, did all the smearing on their own behalf. The whole affair basically started with a digg article which read "Hijacking a Macbook in 60 seconds or less." This sensational headlining story was slowly diluted over time to a remote exploit on a 3rd party card. The authors claimed it could be done with the built in card, but claimed that Apple had pressured them not to demonstrate this.

      No one believed this story about Apple pressuring the security researchers for 2 reasons. No security company would actually let their name be dragged through the dirt by the internet community for the sake of saving face for another company especially Apple. Secondly their story changed by the day and requests to see an exploit/method/code release were constantly denied. The only demonstration was highly dubious as it was presented as a video.

      Since the fiasco came about Apple did then commission an external company to look for bugs in their airport drivers, while some bugs were found they were unrelated to the publicised "macbook remote exploit" (the security researchers gave such little information anyway.)

      Then finally once all the patches were out by Apple, the security researchers piped up again claiming that the exploits they discovered were the ones that Apple had patched. (When in all reality they probably just examined the old and new drivers and looked for the differences.)

      Suggestions that Apple users are blind, security unaware dummies is what caused most of the outrage. Going out claiming that the Apple user base believe they are impervious to spyware/viruses/etc. is an invitation for negative feedback. It has very little to do with "Attacking the mac-zealots precious platform"... after all much of the operating system is open source darwin, a BSD implementation.

      As for the followup month-of-apple-bugs and other negative security feedback, those are most definitely not solely rooted by this sole affair. Ou is merely trying to spin them this way to provide some kind of grass-roots response to his purported conspiracy.

  2. Doesn't quite wash by djupedal · · Score: 4, Insightful

    Right, since ZDNet is such a long time Apple/Mac news and information source - and let's just overlook the phishing code embedded in the MoAB web page(s).

    I doubt the real truth has actually surfaced just yet, and it may be a long time, if ever, that it does.

  3. Go Figure! by PO1FL · · Score: 4, Insightful

    Face it, any OS that widely-used (read: "popular") enough is going to be subjected to bug exploitation. Even Linux has bugs http://www.wired.com/news/linux/0,1411,66022,00.html although, _WAY_ less than M$. In an open source OS the bugs get fixed, IMO, faster and more reliably than your weekly M$ patch. The point is, IT'S GOING TO HAPPEN!

    --
    I'll try anything once. Twice if it's DRM free.
    1. Re:Go Figure! by mstone · · Score: 4, Insightful

      Oh fer Pete's sake.. Leave Artie McStrawman alone. Those of us in the Apple camp don't want him.

      Once you get past your fascination with Artie, you'll see that many Mac users do not, in fact, think the Mac is utterly and totally bulletproof. OTOH, we're also aware that compromised Windows machines can be found by the hundreds of thousands in the botnets that generated some 90% of the email (spam) traffic last December, while there hasn't been a single large-scale exploit of the Mac since OS X came out.

      The sheer difference in exploit numbers suggests that the Mac has some good things going for it in terms of security. Does that make the Mac perfect? Of course not. Does that make the Mac less likely to suffer data loss or force its owner to waste time checking for digital cockroaches every day?

      Yes.

  4. I don't quite buy it. by Kadin2048 · · Score: 5, Insightful

    I'll accept that the MoAB was definitely a result of the furor and press over the wireless vulnerability. But I'm not sure that I believe the smear campaign / character assassination part. Honestly, Apple really didn't need to bother; those guys' original presentation was so sketchy that they practically invited criticism themselves. First they'd say one thing (that it affected all Macs) but then they demo'ed it with a totally different hardware setup, with no good explanation as to why, producing countervailing views as to whether all Macs were really that insecure in their default state, etc. There's no way you can spin the way the vulnerability was announced as a well-managed affair. The whole thing stank from the beginning.

    At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'yes' answer. So as a Mac user, I'm not really unhappy at all that MoAB happened, for whatever reason. I'd rather have stuff out in the open, and patched quickly, than some sort of quasi-secret (because, let's face it, if more than one person knows about it, it's not a secret anymore) unpatched vulnerability. I like Apple's gear but that doesn't mean I don't think they need to get a swift kick in the ass every once in a while to stay on top of things.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  5. Re:George Ou? by lactose99 · · Score: 4, Insightful

    Most folks at Apple I know don't have time for an agenda.

    I take it you don't know anyone from Apple's legal department?

    --
    Fully licensed blockchain psychiatrist
  6. You can smear shit.... by Senjutsu · · Score: 4, Insightful

    but it doesn't make it look any worse. How do you hurt the image of a pair of morons who already do an incredible job of making themselves look like asshats?

    MOAB as "revenge"? A number of "Apple's" bugs as listed in MOAB were in third-party software (VLC on day 2 for fuck's sake!), the same as their original hyperbolic wireless exploit shenanigans. And then they go and use an exploit on the site, and act like petulant children in their communication with others through the site, all the while crying foul that they aren't being treated like serious security professionals.

  7. Re:So I don't get it... by Jeff DeMaagd · · Score: 4, Insightful

    It's not necessarily implausible. How about better wireless? Wireless-n is faster and has longer range, but is not available to the original Core Duo models. Upgrading the built-in wireless is possible, but not easy. One can consider an add-on.

    But the quality of third party device drivers isn't really something you can blame Apple for, at least I don't think so. I don't blame Microsoft or Linus if nVidia fubars a driver, I blame the company whose name is on the driver.

  8. Re:So I don't get it... by xzvf · · Score: 5, Insightful

    The bottom line here is not that OSX is a secure operating system (it is to a great extent). We should look at this article as an example of how closed source and protectionist behavior is detrimental. Apple makes a good product and I own some of their hardware, but I prefer to have open systems based on open standards whenever possible. Or maybe I should say transparent. Most SEC rules for public companies are designed to allow investors to see the company's financial behavior. Many interested eyes means an honest market (despite occasional dishonest behavior we trust the market with our 401Ks, if we didn't we'd have gold bars under our mattress). Apple's secretive nature and marketing spin is in many ways a bad thing for consumers in the long run. Do you really trust Apple to always provide a solid OS, your music and video, and phone service without some checks and balances? I would prefer true freedom. That's not to say Apple hasn't earned some level of trust, but if we can't verify, how long will that last?

  9. Re:Ou appears to be a liar by PhoenixK7 · · Score: 5, Insightful

    Honestly, this whole post of his seems to me to be incredibly stupid. All he's saying here is that Apple tried to force them to clarify that they were using a 3rd party card, and they were. Where does all this "smear" crap come from? The more released about this whole thing, the more it becomes clear that the original "researchers" were being somewhat unclear in their disclosures, and that Apple simply wanted them to clear it up. I SERIOUSLY doubt that Apple called up TUAW and said something to the effect of "We've got a situation here, we need to discredit these guys.." It just doesn't make any sense. All that's clear here is that the "researchers" made an error in not disclosing all the facts of their hack. They used a Mac to make it appear that Mac OS X was just as vulnerable as any other operating system, and didn't come up with an exploit for actual Apple hardware and drivers. Hell, they still haven't even identified the maker of the card. The WHOLE presentation boils down to being about as effective as making their own hardware device and drivers and finding and writing in a flaw to exploit. We still have no clue if this was a pre-discovered flaw in that card's driver. Additionally, the recent presentation displaying a crash of the same MacBook running 10.4.6 only demonstrates that they may have done the same thing with Apple's older drivers. They figured out the flaw Apple patched and then worked out an exploit for it.

    Stop posting anything about these guys, they don't deserve the publicity, and all this crap about smearing and breaking Apple's hardware is both moot and full of willful misinterpretation. These guys are attention seekers and no more.

  10. Skeptical by Colitis · · Score: 4, Insightful

    Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist).

    I believe they actually claimed they hadn't had the vulnerability in question demonstrated to them. The fact that they later patched *a* vulnerability in wireless drivers doesn't necessarily prove anything. If it does, then as an Apple basher, my future plan will be:

    a) announce that I've found a vulnerability in $OSX_FEATURE.
    b) ignore requests for details, proof, etc
    c) be universally regarded as an idiot
    d) Wait until someone else finds a vulnerability in $OSX_FEATURE and Apple patches it.
    e) trumpet from the rooftops that I said there was a vulnerability in $OSX_FEATURE months ago and OMG! Apple denied it and look, they've just fixed it and I was right all along!
    f) Smugly watch the sensationalist articles about how Apple bullied me.

  11. Re:Apple is Evil. by mkiwi · · Score: 4, Insightful
    Call me a troll and call this a flamebait... ok, I will.

    Let me ask you this-
    What has Microsoft ever done for the open source community other than to try to undermine Linux?
    What has Apple done to support the open source community?
    Do technologies like hardware acceleration for X windows, more focus on open standards (Open LDAP, SMB, etc.), make Apple as evil as Microsoft?

    Jobs is as bad as Gates in some respects, but a blanket statement like this cannot possibly apply in all aspects of their work. Is Bill bad because he is supporting his charity now? Is Steve Jobs bad for spending his own money to make an animation company that produced quality family films? You can't judge on one level- it's simply impossible. Your argument needs better qualification. Saying that you like "open source and community review" will earn you a few karma points on slashdot, but in my book that post was all about "Apple is Evil."

    < pinky to corner of mouth >

  12. Locked up by process? by myowntrueself · · Score: 4, Insightful

    In short, in a totally open system, things might tend to get locked up by process.

    Debian.

    That's all, just Debian and their record on timely releases.

    --
    In the free world the media isn't government run; the government is media run.
  13. Re:So I don't get it... by Dogtanian · · Score: 4, Insightful

    Nice try at FUD. I work with 3,000 Mac (Education) and we've encountered ZERO problems connecting to our Wi-Fi.

    I assume you intended replying to a different post to the one you *actually* replied to. At any rate, what's the feelgood (but equally false) opposite of FUD? This smacks of it, because you've given us an unsubstantiated (and suspiciously vague) claim and as an AC, we can't even judge your credibility via your posting history.

    There isn't even enough detail to speculate on the reasons that you supposedly had such a smooth ride. But that's assuming that you didn't just make it all up in the first place.
    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).