Slashdot Mirror
How Apple Orchestrated Attack On Researchers
An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."
All this "smear campaign" stuff... talking about how Apple really hammered him on the clarification of whether it was a 3rd party driver. And George gets indignant that Apple asked this to be done.
Yes, you could see in the video that they used a 3rd party driver. However, was it really CLEAR that the exploit only existed for the 3rd party driver? Maynor and Ellch certainly did NOT dwell on this -- they in fact spent more time saying they enjoyed doing this because Mac users were "smug."
And, gullible as the press is, the press most certainly did NOT report "3rd party flaw exposes OS X security hole!" It was more along the lines of "OMGMACCRACKOVERWIRELESS!" It was days before it was clear, and even then it was necessary to specifically explain this to people. Sure, the video showed this, but the fact of the matter is that most people, including the press, did not UNDERSTAND this fact... and this was clearly obvious from the reaction to the matter in the first place.
And what I also don't get is... what are you really showing if you use a 3rd party wireless driver to hack a MacBook which has BUILT-IN wireless? Sure, you can do it, but is that a realistic scenario? I mean, I could compromise someone's system if I stole it and they didn't have disk encryption turned on as well... is that a hack?
I'll accept that the MoAB was definitely a result of the furor and press over the wireless vulnerability. But I'm not sure that I believe the smear campaign / character assassination part. Honestly, Apple really didn't need to bother; those guys' original presentation was so sketchy that they practically invited criticism themselves. First they'd say one thing (that it affected all Macs) but then they demo'ed it with a totally different hardware setup, with no good explanation as to why, producing countervailing views as to whether all Macs were really that insecure in their default state, etc. There's no way you can spin the way the vulnerability was announced as a well-managed affair. The whole thing stank from the beginning.
At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'yes' answer. So as a Mac user, I'm not really unhappy at all that MoAB happened, for whatever reason. I'd rather have stuff out in the open, and patched quickly, than some sort of quasi-secret (because, let's face it, if more than one person knows about it, it's not a secret anymore) unpatched vulnerability. I like Apple's gear but that doesn't mean I don't think they need to get a swift kick in the ass every once in a while to stay on top of things.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Honestly, this whole post of his seems to me to be incredibly stupid. All he's saying here is that Apple tried to force them to clarify that the were using a 3rd party card, and they were. Where does all this "smear" crap come from. The more released about this whole thing, the more it becomes clear that the original "researchers" where being somewhat unclear in their disclosures, and that Apple simply wanted them to clear it up. I SERIOUSLY doubt that Apple called up TUAW and said something to the effect of "We've got a situation here, we need to discredit these guys.." It just doesn't make any sense. All that's clear here is that the "researchers" made an error in not disclosing all the facts of their hack. They used a Mac to make it appear that Mac OS X was just as vulnerable as any other operating system, and didn't come up with an exploit for actual Apple hardware and drivers. Hell, they still haven't even identified the maker of the card. The WHOLE presentation, boils down to being about as effective as making their own hardware device and drivers and finding and writing in a flaw to exploit. We still have no clue if this was a pre-discovered flaw in that card's driver. Additionally, the recent presentation displaying a crash of the same MacBook running 10.4.6 only demonstrates that they may have done the same thing with Apple's older drivers. They figured out the flaw Apple patched and then worked out an exploit for it.
Stop posting anything about these guys, they don't deserve the publicity, and all this crap about smearing and breaking Apple's hardware is both moot and full of willful misinterpretation. These guys are attention seekers and no more.
No one believed this story about Apple pressuring the security researchers for 2 reasons. No security company would actually let their name be dragged through the dirt by the internet community for the sake of saving face for another company especially Apple. Secondly their story changed by the day and requests to see an exploit/method/code release were constantly denied. The only demonstration was highly dubious as it was presented as a video.
Since the fiasco came about Apple did then commission an external company to look for bugs in their airport drivers, while some bugs were found they were unrelated to the publicised "macbook remote exploit" (the security researchers gave such little information anyway.)
Then finally once all the patches were out by Apple, the security researchers piped up again claiming that the exploits they discovered were the ones that Apple had patched. (When in all reality they probably just examined the old and new drivers and looked for the differences.)
Suggestions that Apple users are blind, security unaware dummies is what caused most of the outrage. Going out claiming that the Apple user base believe they are impervious to spyware/viruses/etc. is an invitation for negative feedback. It has very little to do with "Attacking the mac-zealots precious platform"... after all much of the operating system is open source darwin, a BSD implementation.
As for the followup month-of-apple-bugs and other negative security feedback, those are most definitely not solely rooted by this sole affair. Ou is merely trying to spin them this way to provide some kind of grass-roots response to his purported conspiracy.