Slashdot Mirror


How Apple Orchestrated Attack On Researchers

An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."

6 of 389 comments

  1. So I don't get it... by CatOne · Score: 5, Interesting

    All this "smear campaign" stuff... talking about how Apple really hammered him on the clarification of whether it was a 3rd party driver. And George gets indignant that Apple asked this to be done.

    Yes, you could see in the video that they used a 3rd party driver. However, was it really CLEAR that the exploit only existed for the 3rd party driver? Maynor and Ellch certainly did NOT dwell on this -- they in fact spent more time saying they enjoyed doing this because Mac users were "smug."

    And, gullible as the press is, the press most certainly did NOT report "3rd party flaw exposes OS X security hole!" It was more along the lines of "OMGMACCRACKOVERWIRELESS!" It was days before it was clear, and even then it was necessary to specifically explain this to people. Sure, the video showed this, but the fact of the matter is that most people, including the press, did not UNDERSTAND this fact... and this was clearly obvious from the reaction to the matter in the first place.

    And what I also don't get is... what are you really showing if you use a 3rd party wireless driver to hack a MacBook which has BUILT-IN wireless? Sure, you can do it, but is that a realistic scenario? I mean, I could compromise someone's system if I stole it and they didn't have disk encryption turned on as well... is that a hack?

    1. Re:So I don't get it... by civilizedINTENSITY · Score: 3, Interesting

      "However, was it really CLEAR that the exploit only existed for the 3rd party driver?"

      But it should not have been *clear*, since the exploit did exist for Apple drivers as well as the 3rd party. It was only because Apple leaned on them to show the exploit with 3rd party drivers that it was done that way. So they cooperated with Apple, and got hosed for it.

    2. Re:So I don't get it... by fyngyrz · Score: 4, Interesting

      No question that the update worked for some people. Including - presumably, anyway - the developer who built it.

      But the thread I pointed out was but one of many that have sprung up this month, each with several, sometimes many, Mac users going "say... what the heck?" Take a look at the other threads. Tons of people talking about failures, with one or two saying "worked for me." Lots of well-intentioned people (not from Apple) suggesting workaround attempts (try deleting your lists of trusted networks, switch encryption modes, use ethernet) and no one saying "here is Apple's fix." That's not the ratio you want to see.

      My own situation is Mac-centric; I use a mini Intel dual-core as the source of the wifi, and normally have various Mac clients, an XP client, a Wii client and a PS3 client. The update hosed me; no individual client or set of clients can connect to the mini more than once; the mini has to be rebooted before a new connection can be opened. My network is open; no passwords, no WEP or WPx or etc.; there are no other wifi networks within reception range, no competing signals in the same spectrum (rural life has at least these advantages), and the distance of any client to the mini is less than 30 feet along any one vector - meaning full strength reception, basically - so it is about the simplest situation you can imagine.

      Everything had been working perfectly until 2007-002. Since then, I've added the .9 update to the OS, no change. Considering that adding 2007-002 to the mini broke the XP machine's ability to play client, I'm rather convinced that there are multiple problems - most reports talk about their Mac not talking to a hub (such as a DLink) - so they can't have broken host for them, only client; while in my situation, the Mac *is* the host, and the update would not have affected the XP, Wii or PS3 clients, though it could, and apparently did, hose my MacBook Pro and the other minis. So there are at least two problems, one for host use and one for client use.

      It is an interesting and frustrating situation. I hope it is resolved shortly. I don't much like having Ethernet strung all over the place at home, and I can't take my MacBook Pro anywhere and get online via wifi; it won't connect unless it is wired. Luckily I have an ethernet connection at work, we don't use wifi there; but I *was* in the habit of surfing at the coffee shop, the doctor's office, the hospital and at friends' houses. You don't realize how much you're going to miss convenience like that until it's gone.

      --
      I've fallen off your lawn, and I can't get up.
  2. Re:What a continuing cry for attention by NMerriam · Score: 3, Interesting

    That's what the Post blog (the other place that misrepresented the story too much initially to risk backing down) says, but not what Apple actually said at the time. If you read the statement by Apple, they refute that Maynor has provided them with any evidence of a flaw in their network drivers, which he stated he had but they didn't bother to fix it. They never claimed there were no flaws at all, that would be a ridiculous statement for ANY company to make about anything, they just said that they had no idea what flaw Maynor was talking about.

    That's why this is such a ridiculous drama -- all Maynor or anyone else has to do to show Apple is a bunch of liars is provide the documentation trail they sent to Apple that they supposedly ignored. A year later, they still haven't provided even that, much less any evidence of the flaw itself.

    --
    Recursive: Adj. See Recursive.
  3. Re:You can smear shit.... by Weedlekin · Score: 4, Interesting

    "Omniweb and Omni Group fixed it in 2 hours, Sunday, Macworld times. Those assholes still didn't update their lame, trying to be funny page suggesting people to use another browser."

    Which of course brings up another point: how does fucking over Omni Group (who have an excellent record of responding to such things very promptly) by publicising a bug without telling them about it first count as "revenge on Apple"? How does "outing" multi-platform bugs in open source projects instead of simply supplying patches to fix them do anything whatsoever to Apple? If these people had a beef against Apple for something or other, then take it out on Apple, not products or projects that have no connection with them besides running on Apple's OS.

    NB: I don't know if I'm the only one who noticed that MOAB didn't publish a single bug in Microsoft Office for the Mac despite it (a) having rather a lot of them, and (b) being much more popular on OS X than any of the 3rd party products or projects they did "examine". Given Microsoft's notably poor record with security issues in Office for Windows, I would have thought that this would have been the first non-Apple product they looked at (closely followed by IE, MSN Messenger, Media Player, and various other known sources of a multitude of exploits on Windows). I'm not suggesting this indicates any involvement by MS in MOAB (I'm not a conspiracy theorist who believes that they're behind every spiteful bunch of childish wankers with a vitriolic hatred of Apple, Linux, or whatever), but rather that it's possibly indicative of a notable bias which the so-called "computer press" doesn't seem to have noticed.

    --
    I'm not going to change your sheets again, Mr. Hastings.
  4. So called researchers. by ThePhilips · Score: 4, Interesting

    I'm sorry to chime in with a stupid comment. But sorry, this is Slashdot, so here I go ;-)

    I'm sick and tired of such "researchers". Back in the good old days they were simply called "testers" - and their job was to look for bugs, localize them and report to developers. Instead of reporting bugs, all they do is create a "sensation" or "scandal".

    Apple might not be the best company when it comes to PR (actually probably second worst - right after Sony) but most of the problems get resolved easily. And even then, most of the time Apple's PR reaction is ... right, no reaction. The guys are used to living and working under piles of NDAs and very very rarely talk to the press. Or rather they organize events if they want to announce something. (I'd rather give a thumbs up to Mac fan boys for smoking the so called "researcher" into the clear. Because that is what I believe took place.)

    The rise of the Internet unfortunately attracted hunters for cheap publicity. And most of the so called "security researchers" fit right into the category. They relate to research equally as e.g. Britney Spears relates to music.

    P.S. Disclaimers: Ex-Mac-owner. Linux developer. And yeah, I know how to write secure programs and what QA is.

    --
    All hope abandon ye who enter here.