How Apple Orchestrated Attack On Researchers
An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."
All this "smear campaign" stuff... talking about how Apple really hammered him on the clarification of whether it was a 3rd party driver. And George gets indignant that Apple asked this to be done.
Yes, you could see in the video that they used a 3rd party driver. However, was it really CLEAR that the exploit only existed for the 3rd party driver? Maynor and Ellch certainly did NOT dwell on this -- they in fact spent more time saying they enjoyed doing this because Mac users were "smug."
And, gullible as the press is, the press most certainly did NOT report "3rd party flaw exposes OS X security hole!" It was more along the lines of "OMGMACCRACKOVERWIRELESS!" It was days before it was clear, and even then it was necessary to specifically explain this to people. Sure, the video showed this, but the fact of the matter is that most people, including the press, did not UNDERSTAND this fact... and this was clearly obvious from the reaction to the matter in the first place.
And what I also don't get is... what are you really showing if you use a 3rd party wireless driver to hack a MacBook which has BUILT-IN wireless? Sure, you can do it, but is that a realistic scenario? I mean, I could compromise someone's system if I stole it and they didn't have disk encryption turned on as well... is that a hack?
It doesn't seem like Apple needed to do much to make those guys look bad - they did a darn good job of it all by themselves.
#DeleteChrome
An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer.
Karl Rove is Apple's PR director?
The theory of relativity doesn't work right in Arkansas.
Geez, don't leave out Matasano's response. George Ou is a tool.
Is this the same guy who doesn't know Gerbils from Goebbels?
This all sounds a little fantastic to be true. Most folks at Apple I know don't have time for an agenda. And speaking of agendas, George Ou's definitely got a hard-on for Apple.
Right, since ZDNet is such a long time Apple/Mac news and information source - and let's just overlook the phishing code embedded in the MoAB web page(s).
I doubt the real truth has actually surfaced just yet, and it may be a long time, if ever, that it does.
Face it, any OS that widely-used (read: "popular") enough is going to be subjected to bug exploitation. Even Linux has bugs http://www.wired.com/news/linux/0,1411,66022,00.html although, _WAY_ less than M$. In an open source OS the bugs get fixed, IMO, faster and more reliably than your weekly M$ patch. The point is, IT'S GOING TO HAPPEN!
I'll try anything once. Twice if it's DRM free.
I'll accept that the MoAB was definitely a result of the furor and press over the wireless vulnerability. But I'm not sure that I believe the smear campaign / character assassination part. Honestly, Apple really didn't need to bother; those guys' original presentation was so sketchy that they practically invited criticism themselves. First they'd say one thing (that it affected all Macs) but then they demo'ed it with a totally different hardware setup, with no good explanation as to why, producing countervailing views as to whether all Macs were really that insecure in their default state, etc. There's no way you can spin the way the vulnerability was announced as a well-managed affair. The whole thing stank from the beginning.
At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'yes' answer. So as a Mac user, I'm not really unhappy at all that MoAB happened, for whatever reason. I'd rather have stuff out in the open, and patched quickly, than some sort of quasi-secret (because, let's face it, if more than one person knows about it, it's not a secret anymore) unpatched vulnerability. I like Apple's gear but that doesn't mean I don't think they need to get a swift kick in the ass every once in a while to stay on top of things.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
From one of the folks accused of conspiring with Apple:
http://www.tuaw.com/2007/03/20/clarification-on-the-macbook-wi-fi-hack-conspiracy/
"While I'm flattered at the possibility of Apple even talking to me, the truth of the matter is that the company pretty much ignores TUAW, and most other Apple-related blogs, entirely. Honestly: Fox and I never exchanged so much as a "mwahaha" over email, or any other form of correspondence for that matter. I've never been contacted by anyone from Apple regarding anything besides the fact that one of my older PowerBook's warranties was about to expire, and that AppleCare would be a great way to stay within their graces."
E pluribus unum
Does Microsoft give free PR to "security researchers" every time it patches a bug? How about various linux software projects, do they crow openly about those who find bugs in their software? Or do they just patch the bugs?
Everything I've read about this suggests the "security professionals" are looking for fame and Apple doesn't care. I don't either. As long as bugs get patched, and Apple seems to have done so in a timely fashion, at least as much as Microsoft and other software companies do.
Should read: At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'no' answer.
In other words, big portions of the Mac OS are still developed as closed-source products, or by people who probably were trained in that mindset, where a bug really only matters once it's widely disclosed.
I've never bought this, because frankly I just don't trust people to keep their mouths shut while a company fixes things at their own pace. I'd rather see bugs get tons of press, and force companies into hauling their developers in on overtime and fixing the thing ASAP, so that the time before first discovery and patching is minimized. I would rather everyone know about it (including administrators and owners who can take defensive measures) than try to cover it up for as long as possible, maximizing the chance that the Russian mafia or other black hats will get their hands on an unknown (to everyone else) vuln.
Some parts of Apple seem much more comfortable with full disclosure than others, and I'm perfectly comfortable with bludgeoning the parts that aren't if that's what it takes. As a Mac user, I'm not at all displeased about MoAB, regardless of its motivations.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
but it doesn't make it look any worse. How do you hurt the image of a pair of morons who already do an incredible job of making themselves look like asshats?
MOAB as "revenge"? A number of "Apple's" bugs as listed in MOAB were in third-party software (VLC on day 2 for fuck's sake!), the same as their original hyperbolic wireless exploit shenanigans. And then they go and use an exploit on the site, and act like petulant children in their communication with others through the site, all the while crying foul that they aren't being treated like serious security professionals.
This is not "news" by any stretch of the imagination. Ou is only now "at liberty" to discuss the matter? I remember quite clearly while the whole wireless driver brouhaha was happening that he and the researchers were claiming Apple was running a "smear campaign" against them -- a campaign that everyone else in the security community and press was somehow unaware of, given how massive Ou claims it to have been.
Apple never claimed there were no flaws in their drivers, I don't know how many more times this can possibly be stated to Ou, if it is necessary to use shorter words with fewer syllables or what. Apple's only statement on the whole matter was that Maynor never provided any specific information to Apple as to what this specific security hole was supposed to be. He jumped up and down and waved his arms and told Apple they needed to fix it real soon, but neither he nor Ou nor anyone else has provided any kind of documentation indicating he gave any actual, useful information to Apple about this security vulnerability. He just made vague pronouncements about wireless security and then expected Apple to read his mind, as far as all the available evidence can prove.
Yes, Apple released patches for network drivers after this whole announcement was made -- they released patches for network drivers before then, too!
Ou continues to be either grossly deceived, completely inept at actually investigating and reporting, or so caught up in his ego that he can't recognize he's been played like a piano.
This is not a case of Apple hiding their heads in the sand, running a smear campaign, or fanbois refusing to accept that something could be less than perfect.
Provide some actual evidence and people will listen to your fearmongering, but it's been a year already since this "huge vulnerability" was disclosed and the most we've seen is a computer crash!
Recursive: Adj. See Recursive.
Everyone else gets to name a month. Dammit I want one too.
Do Maynor, Ellch, KF and LMH in fact speak for "the security community"?
Played or not, Maynor and Ellch came out swinging at Mac users and attacked them on attitude's sake alone.
Last summer, KF was blogging about what a great, rapid job Apple did on its patches, and by January, he's got them on a spit in the public square, and baiting Apple and its users.
Is this to be the public face of the security community?
What I got from the original video, taken on its face, is that the MacBook was not vulnerable, that the exploit was for some 3rd party vendor's stuff, but they were going to use the MacBook just to cheese off Apple users, whose attitudes they perceived as lousy. Human memory being what it is, like Orson Welles' The War Of The Worlds radio broadcast, they had to realize after watching the remaining lion's share of the video that people would mostly retain the image of a MacBook getting pwned.
Beyond the mechanicals, my other impression was that if they were going to demo an important vulnerability and chose to wrap it in several layers of personal feelings for a specific bunch of people, they might be skilled, but they're still unprofessional.
I'm not sure if George is trying to paint them as choirboys or simply C his own A.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Apple continued to claim that there were no vulnerabilities in Mac OS X
All systems have vulnerabilities, how can they say that with a straight face?
They didn't say it. They just didn't rush to fall on their swords for some undisclosed third party's driver bugs fast enough for Ou, Maynor and Ellch's taste.
0 1 - just my two bits
Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist).
I believe they actually claimed they hadn't had the vulnerability in question demonstrated to them. The fact that they later patched *a* vulnerability in wireless drivers doesn't necessarily prove anything. If it does, then as an Apple basher, my future plan will be:
a) announce that I've found a vulnerability in $OSX_FEATURE.
b) ignore requests for details, proof, etc
c) be universally regarded as an idiot
d) Wait until someone else finds a vulnerability in $OSX_FEATURE and Apple patches it.
e) trumpet from the rooftops that I said there was a vulnerability in $OSX_FEATURE months ago and OMG! Apple denied it and look, they've just fixed it and I was right all along!
f) Smugly watch the sensationalist articles about how Apple bullied me.
Oh! I see! There are lots of ADVERTISEMENTS on this blog page! Phew! This was a great way to drive traffic! Thanks ZD-Net, for the "news"!!!
Now I'll turn on CNN and watch the "news" about the next dreaded disease from Asia that could kill my children (and see Viagra ads at the same time.)
Um ... why does Ou think those researchers should get credit for uncovering a vulnerability in Mac OS X that (Ou reminds us over and over again) they themselves claimed, from the beginning, that they did not uncover?
...
And when did Apple ever "claim that there were no vulnerabilities in Mac OS X"? I am pretty sure that's never been said, at least, not officially. Maybe some employee spoke out of turn, but the company itself has never made that claim. Ever.
I don't know anything about Ou, but these two huge misstatements don't make me trust him
Their entire presentation did a lot more harm to their case than the exploit ever could have left untouched. Ou is just picking up the pieces left of his credibility now since the entire IT world slammed him hard and exposed him for being a liar.
"Slashdot, where telling the truth is overrated but lying is insightful."
no you need to stop smoking the M$ cock. Microsoft documented well over 476 "critical" bugs of the nature OS X had.
"Slashdot, where telling the truth is overrated but lying is insightful."
Let me ask you this-
What has Microsoft ever done for the open source community other than to try to undermine Linux?
What has Apple done to support the open source community?
Do technologies like hardware acceleration for X windows, more focus on open standards (Open LDAP, SMB, etc.), make Apple as evil as Microsoft?
Jobs is as bad as Gates in some respects, but a blanket statement like this cannot possibly apply in all aspects of their work. Is Bill bad because he is supporting his charity now? Is Steve Jobs bad for spending his own money to make an animation company that produced quality family films? You can't judge on one level- it's simply impossible. Your argument needs better qualification. Saying that you like "open source and community review" will earn you a few karma points on slashdot, but in my book that post was all about "Apple is Evil."
< pinky to corner of mouth >
You seriously don't think 62 is a lot for a couple researchers to find in one month? This was hardly an extensive complete audit of MacOS. It was what they found in 30 days. Sorry, that just doesn't seem confidence inspiring to me.
Seriously, this whole sorry saga has been hashed and rehashed all over the web. Why should /. give these clowns any more publicity? See John Gruber's blog for an excellent debunking of Maynor, Ellch, and Ou's claims.
If this thing is completely related to a 3rd party driver, it is a sign that Apple needs to adopt a WHQL-like method to certify third party drivers. I know it would sound bad but they could publicly call on users not to use a certain, unmaintained driver which apparently got abandoned by the hardware manufacturer.
I know the MS one is not that serious but Apple could start from the beginning learning from MS mistakes.
It could be more security and performance focused rather than vendor lock-in.
BTW I bought a Windows-only USB Wireless product by mistake (site error) and I have a good clue what driver they may be talking about. If it is the case, it is completely unrelated to Apple really. Also I am not talking about Orangeware etc. commercial drivers which are maintained very well.
Only time will tell if Apple is just as bad as MS. While they are gaining market share, at what point do the vulnerabilities turn into money? 8%? 15%? 39%? (I'm going off of these figures)
With help from third parties (AV software (no, I'm not talking Norton...), firewalls, etc.) I think Windows is a LOT more secure than it used to be. I personally wouldn't trust MS by itself. But it all goes back to market share. No system is invincible, so why not go after the biggest and milk it for all it's worth?
Some moron keeps tagging every story with a claim that may or may not be true as FUD.
/rant
Please stop it.
FUD has a very specific meaning. Pay attention - FUD stands for Fear, Uncertainty, Doubt. It is a marketing strategy that spreads, you guessed it, Fear Uncertainty and Doubt about a competitors product. Every statement you disagree with is not FUD. Not every untruth is FUD. Not all FUD is untrue for that matter.
Thank You, that is all.
Nov 14, 2006 was the last time WebKit was updated.
With the latest patches, according to Secunia, Safari has 4 outstanding unpatched advisories, of which the most severe is "Less critical."
By comparison, Firefox 2 has 3 unpatched Secunia advisories, with the most severe also being "Less critical."
IE6 has 20 unpatched advisories, with the most severe rated "Moderately critical." IE7 has 7 unpatched advisories, with the most severe also rated "Moderately critical."
The US free market: two halves of a government-granted duopoly are free to set the market price.
How hard would it have been to include the URLs?
#324253, a cross site XSS exploit which nobody responsible for the code seems to care about.
#45375, a request to make tooltips not cut off at an arbitrary length, which they refuse to fix in Firefox apparently out of spite.
#18574 - The MNG bug... you really have to see this farce with your own eyes. Especially the bit where the asshole in charge of the image code stated that the MNG DLL has to fit within his deliberately impossible to reach size requirements before he'd even consider re-adding it.
...or someone who understands that its *nix core is inherently more secure than the NT core.
---- Apple's massive marketing campaign would have you believe that on the day your Mac shows up, it will be impenetrable by viruses.
Pragmatically, Macs are impenetrable by viruses, and have been for years.
If you want to counter that argument in concrete terms, by showing a Mac virus with 1/100th the penetration of Blaster, Nimda, Sobig, et al, feel free. If you can't, you'll have to admit that historically, Macs have not been penetrated to 1/100th the degree that Windows machines have.
If you want to make a hard prediction that Macs will be penetrated to N degree within the next X months, go ahead. If not, you'll have to admit that you can't be confident in making such a prediction.
If you want to present evidence that Macs are about to be compromised through a specific vector, trot it out. If you can't, you'll have to admit you don't have any evidence that would support such a claim.
If all you can really bring against the Mac is a pack of abstractions that boil down to, "nothing is perfect," nobody cares. It's a truism that has no practical meaning.
If you want to say something useful about a Mac's vulnerability, put it in concrete terms. Is having your Mac hijacked by malware more or less likely than getting killed in a car crash? Is it more or less likely than dying by falling down the stairs? Is it more or less likely than being struck by lightning? Is it more or less likely than winning the lottery? Is it more or less likely than having a meteorite come crashing through your roof?
If you think it's more likely than any of those things, show me the numbers to back it up.
"They are, and always have been, an insanely brutal monopolist."
In what market does Apple have a monopoly?
"which is why Apple is getting sued by the European Union."
um, no they are not. And what would they be sued for?
"Want to see fair use? Try buying an Apple computer without OS X on it."
I also can't buy a Nokia phone without the Nokia OS in it. Oh the humanity! And why would you want to get a Mac without OS X? What would you gain from that that you couldn't gain from simply buying the computer and erasing the HD? And what does your question have to do with "fair use"? You are not in any shape or form prevented from running some other OS on the Mac.
"The MoAB shattered a lot of illusions"
MoAB was a flop, IMO. They stuffed their numbers by adding bugs in applications that had nothing to do with Apple (like VLC).
Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
In short, in a totally open system, things might tend to get locked up by process.
Debian.
That's all, just Debian and their record on timely releases.
In the free world the media isn't government run; the government is media run.
I thought Ou had lost all credibility by now. He's biased and stupid. I know that sounds harsh, but for heaven's sake, read his blog posts! He compared Apple to Nazi Germany, not even knowing how to spell Joseph Goebbels ("Joseph Gerbils", I'm not kidding!), and he called Fox using a number he got in a confidential mail from Maynor. I mean, geez!
The people he accuses have gone on the record saying that Fox had not contacted them. Chartier says:
This whole story only exists in Ou's head. Apple orchestrated nothing at all, the "researchers" discredited themselves all on their own, simply by claiming different, contradictory things at different times.
George Ou is nothing but a Troll. Can we please just ignore him?
The big problem is that Maynor has yet to release exploit code or crash dumps for the alleged native hack.
The burden of proof remains on those who claimed the exploit, they've managed to utterly fail to live up to that burden. (Maynor's last demonstration only produced a DoS crash with the lame excuse of not wanting sniffers to get his exploit code for not showing the "pwnage".)
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
I'm sorry to chime in with a stupid comment. But sorry, this is Slashdot so here I go ;-)
I'm sick and tired of such "researchers". Back in the good old days they were simply called "testers" - and their job was to look for bugs, localize them and report them to developers. Instead of reporting the bug all they do is create a "sensation" or "scandal".
Apple might not be the best company when it comes to PR (actually probably second worst - right after Sony) but most of the problems get resolved easily. And even then, most of the time Apple's PR reaction is ... right, no reaction. The guys are used to living and working under piles of NDAs and very very rarely talk to the press. Or rather they organize events if they want to announce something. (I'd rather give a thumbs up to Mac fan boys for smoking the so called "researcher" into the clear. Because that's what I believe took place.)
The rise of the Internet unfortunately attracted hunters for cheap publicity. And most of the so called "security researchers" fit right into the category. They relate to research equally as e.g. Britney Spears relates to music.
P.S. Disclaimers: Ex-Mac-owner. Linux developer. And yeah, I know how to write secure programs and what QA is.
All hope abandon ye who enter here.
I am the worst (or best, depending on your point of view) kind of Apple apologist, but any attempt from any company to stifle, ignore, or deny security research is not just silly, it is reprehensible. Companies with products where security is a concern should always respond with acknowledgement of the research, credit to the researchers, and evidence proving the validity of the claim either way. Then, of course, release a fix in due time if necessary. These same corporate entities ask for courtesy from the security community in notifying them first of problems, but yet many still react negatively to this valuable community-provided service. For those who behave properly, this restraint should be afforded. For those who respond as Apple have done, the appropriate response is, I think, exactly what happened: a flurry of publicized exploits without prior and exclusive notification. Proceeding in this fashion creates an incentive to take security concerns seriously and disincentives to bury them.
Why bother.
Apple did what I would expect, and as someone that owns Apple stock I would want them to do. Their image and name was being slandered and they defended themselves. And if they are being honest, they took on the costs and did their own audit, found bugs and patched them.
To this day, no exploit has been demonstrated reliably against any hardware by these guys; this is a fact.
To this day, no proof that Secureworks or these two researchers gave any information to Apple or had any contact with them prior to the media campaign has been shown. This is a fact. No crash dumps, no emails that were sent, nothing, no response from Apple, nothing. Just words against words. I'm not saying that there aren't bugs, just that the claims made by these researchers that they were pressured aren't backed.
To this date, no evidence of any threat of a law suit has been shown by either side.
So far we simply see an email from Apple's PR people (go figure, this is a fucking PR campaign) expecting clarification.
What I don't get is why people concentrate on the irrelevant issue of whether a driver works or not. The article was about Apple bullying researchers, using odd legal tactics to prevent the truth about their vulnerabilities from surfacing and hiring bloggers to cover their tracks. If Microsoft had done this, it would be on the front page of the newspapers, and the first item on Slashdot would be "Microsoft Bullying Security Researchers". But this is Apple, so it is probably OK for them to do it.
While there are indeed real "Mac zealots" out there, there seems to be a far, far greater number of PC users who squeal like stuck pigs and go on flaming, spittle-flecked anti-Apple rants whenever anyone suggests that they prefer Macs to PCs -- even when the preference is stated no more challengingly than, "Why, yes, I do own a Mac."
I've been a Mac owner for about six years and a Mac user off and on for twenty. (I've also owned several PCs, running, at various points, Windows 2000, Windows 95, DR-DOS, FreeBSD and a half-dozen distributions of Linux going all the way back to SLS before the kernel had hit 1.0.) While I've definitely met a few pricks among Apple users, the stupid ignorant fanboy who believes that OS X and Mac hardware is perfect in every meaningful way only seems to exist in those flaming, spittle-flecked anti-Apple rants. What seems to offend some PC users is simply the fact that by owning a Mac at all we are making a statement that we think OS X is better than Windows and Linux. Dear Lord, we've expressed a preference -- what arrogant fools we must be.
Congratulations. Your post is so stupid it made me spill my soda while laughing out loud at what a moron you are. You obviously don't know what a monopoly is, but you somehow assume you know better than all the lawyers and economists in the world and for some reason your uninformed opinions must be correct. I actually read your post twice looking for the "ha ha I'm kidding no one is really this dumb" comment. Comedy gold.