Slashdot Mirror


Mac Worm Author Gets Death Threats

StonyandCher writes to spread news about the strange story of the reported Apple OS X worm, which is growing stranger by the day. The blog of the researcher who claimed to have created the malware reportedly received death threats. The blog was then hijacked, according to the researcher, who calls him/herself InfoSec Sellout. InfoSec blamed David Maynor for hacking the blog. For his part, Maynor apparently unmasked himself as "LMH" and InfoSec as Jon Ramsey. The post to the Fuzzing mailing list has not been independently confirmed.
Update: 07/19 13:48 GMT by KD : David Maynor wrote in and denies that he is LMH.

16 of 244 comments

  1. More likely it is another publicity stunt by vivaoporto · · Score: 3, Insightful

    More likely it is another publicity stunt, to make their work look more "legitimate", to get more people to side with them (the "I may not agree with what you say, but would defend to death your right to say it" crowd), to generalize even more the feeling that Mac users are dangerous fanboys disconnected from reality, etc.

    The only thing easier than to make threats to people on the Internet is to fake threats to oneself on the Internet. We got plenty of these drama queens in the nineties, hopefully this is not a trend that will come back.

    1. Re:More likely it is another publicity stunt by CopaceticOpus · · Score: 5, Insightful

      The problem here is that the death threats need to be translated from blog-speak to their real world equivalents.

      Blog-speak: thats dumb
      Translation: I respectfully disagree on that point.

      Blog-speak: ur a fuckin loser noob go eat shit
      Translation: I strongly disagree, and hold you in low esteem.

      Blog-speak: im gonna come find ur house and chainsaw you into pieces and feed u 2 my dawg
      Translation: I find your opinions reprehensible and I see no value in continuing this discussion.

      I don't know if it is even possible to express a legitimate death threat in blog-speak. Perhaps with punctuation it could be done.

    2. Re:More likely it is another publicity stunt by Anonymous Coward · · Score: 5, Insightful

      "None of the claims have been substantiated, neither the alleged worm itself, nor the alleged threats."

      You mean like all of Maynor's other allegations?

      I've posted to his blog a few times, especially the ones where he is claiming that he is being censored (??? I can't say what I'm saying on my own blog because they won't allow me to say what I'm now saying, but I'm saying it, but I'm really not because of a world conspiracy) -- but surprisingly, my comments never show. Only the comments where others are obviously blowing him get through. Of course, I'm not going to claim censorship -- that's bullshit -- only a government can censor, whereas you have every right to disallow contrary thought in your own living room.

      But everything about this man smacks of sensationalism. For instance:

      "It was a great experiment to see how the industry could handle some honesty, which they can't. They are quick to attack the credibility of others in order to hide their own flaws."

      What? Someone announces a flaw, but says they won't talk about it, hints that they will sell it to the highest bidder, and the company doesn't want to deal with you??? And then when they don't bite, claim that you were actually pre-compensated for writing this virus from someone else (now who would gain from this? Spammers? Scam Artists? Mafia? Microsoft? The only ones that would gain are the scum of the earth and he has no problem claiming to take money from them).

      And finally:

      "I made up the LMH identity for bashing Apple and appearing on the media while I was preparing for launching Errata Security with Robert. Since my credibility was severely damaged after the wireless driver exploit, I needed a sock puppet."

      Admitting that he was manipulating the media, and has an ulterior motive to bash Apple, solely for bashing Apple. The guy lied in the first Apple hack, he manipulated the media, worse yet -- academic dishonesty through his publication of the 'hack' at a conference with a setup that was guaranteed to work, even when they later claimed even if it did work, it would take a few hundred attempts to even crash a machine, and far more than that to weaponize it (i.e., nearly impossible).

      AND HE ACTS SHOCKED THAT HIS CREDIBILITY IS DAMAGED AND BLAMES 'FANBOYS' WHO HE PREVIOUSLY STATED HE WANTED TO STICK CIGARETTES IN THE EYES OF AS THE REASON FOR HIS LACKING CRED.

      What an idiot. I hate to give the man any more air time, but I hope this is the final straw. From what I understand, he used to be a pretty good security analyst...now it's just all about the publicity and not actually doing any real work. I wish there was some real and credible persons working to find holes in OS X. I use it as my daily computer. I know one member of my team found one hole a few years ago and reported it to one of the developers and it was fixed quickly (and they were properly credited for it). I know there are holes in the system, like any system, and they need to be found. And unfortunately, the only ones working on finding anything are more interested in the sensationalism than anything else.

    3. Re:More likely it is another publicity stunt by Anonymous Coward · · Score: 1, Insightful

      Blog-speak: im gonna come find ur house and chainsaw you into pieces and feed u 2 my dawg
      Translation: I find your opinions reprehensible and I see no value in continuing this discussion.

      I don't know if it is even possible to express a legitimate death threat in blog-speak. Perhaps with punctuation it could be done.


      The law takes a dim view of death threats. Even on blogs.

      Could be a great way to shut up a mac fanboy though!

  2. Unacceptable by Ngarrang · · Score: 3, Insightful

    It is as if the fanatics actually believed their OS was so secure it had no security holes.

    --
    Bearded Dragon
  3. don't write viruses/worms and brag about it by acomj · · Score: 1, Insightful

    Hi

    I'm ____, I wrote that worm that messed up your computer costing you tons of time and aggravation. Here's my email if you want to thank me.
    --------------
    although in this case it's more like "I may have written a worm that exploits a now-patched problem".

    Threats are inappropriate but seriously, what did he think would happen?

  4. Re:So this "security researcher" cannot even keep by stubear · · Score: 4, Insightful

    You're assuming he hosts his own blog and you know what they say about assuming. Beyond that, why is his message less credible? If he can prove the worm works, the message is still the same, even if his blog is hacked. Perhaps the person responsible for hacking his blog is simply a much better hacker? There are so many variables to consider that your comment seems ridiculous when you even begin to look at even a tiny fraction of them.

  5. Wait... by whisper_jeff · · Score: 5, Insightful

    Wait, so someone who claims, without providing proof, that they found/created a vulnerability in an operating system is now claiming to have received death threats and claiming that their blog was hacked? Again, without providing any real proof?

    Uh, yeah. Count me skeptical.

    Can anyone say "attention whore."

    1. Re:Wait... by Sparks23 · · Score: 2, Insightful

      Why on earth do so many Slashdot posters seem to think it's about Mac fandom?

      It is far from impossible that there's a vulnerability in OS X; there have been vulnerabilities before, after all, and there will be again. Just because OS X is more secure in its out-of-box configuration than Windows is in its own out-of-box does not mean that OS X is completely invulnerable to all future threats. Heck, /Linux/ isn't immune to all threats past and present, after all... why should OS X somehow mystically be, /especially/ when some vulnerabilities can come from software (OpenSSH, Apache, etc.) which both operating systems share? Heck, if the vulnerability is in mDNSResponder, it may be in the UNIX implementations of zeroconf. (It's not as if the guy has given any information for someone to determine whether it is or not!)

      Anyone who thinks OS X is somehow immune to all threats is a fool, or deliberately blinding themselves. But the issue people criticizing the guy generally seem to be pointing out is that regardless of the OS involved, this researcher has handled the vulnerability disclosure in an extremely unprofessional manner.

      This 'researcher' makes a claim providing no proof. No details. He expects to be lauded for it, however, without providing any proof. Instead he finds himself criticized for not acting as an actual security researcher and handling the exploit disclosure in a professional manner; after all, he gave no details, he allowed no peer review, and he also said he wasn't releasing details or an exploit to Apple to look into fixing until he finished 'testing' it (which, at best, means he didn't even have the exploit confirmed for himself before he trumpeted it everywhere). So when he finds his claim challenged and he's told to send the info to Apple to fix it, or to at least reveal a little further info? Suddenly he claims he was getting death threats... equally unsubstantiated... and takes his ball to go home.

      I'm not saying some devoted Mac fans might not have mailed nasty stuff to the guy; there are some crazy Mac fans. Though they're far from the only fanatics in the tech world. (The GPL diehards who attack other open-source licenses like rabid pit bulls, for instance, are definitely their spiritual kindred as far as fanaticism goes.)

      But imagine this was with some other system:

      Some guy posts, "I found an exploit in Ubuntu. It affects all current versions of Ubuntu, and can allow me to do some bad things. There's no current defense against it. Bow down before me!" Followed by a later post of, "No, I am not going to report the exploit to the Ubuntu team. Or anyone else. Because I haven't finished testing it. Just shut up and marvel at my awesomeness for finding a difficult exploit." People would be up in arms, howling for the guy's blood about why he announced it if it's not confirmed, how it's probably a violation of some source license for him to not actually report the exploit to Ubuntu to be fixed if it's real, or whatever. If then a few days later he posted, "Oh, now I'm getting death threats, so this isn't worth it. I'm just not going to tell ANYONE what it is." people would be convinced he'd been faking it and was 'running away' to avoid having to actually produce something. (And no doubt some people would also still be posting 'Oh, you Ubuntu fanboys, why can't you believe there might be a vulnerability? Why do you have to send him death threats?')

      It would be equally irresponsible to handle an exploit report in, say, Vista the same way. Though admittedly, there'd probably be less outcry, as we've become sort of inured to those reports. ("Huh. A vulnerability in Windows. Okay, whatever. Right, let's go for coffee.")

      All most sensible folks are saying in this discussion is that if he's legit, this guy handled his situation Poorly. And given that there have been several poorly-handled exploit reports lately which turned out to either be hugely inaccurate ("Okay, this is only actually v

      --
      --Rachel
  6. Cognitive dissonance by manekineko2 · · Score: 5, Insightful

    Cognitive dissonance is truly a funny thing. It's fascinating the lengths the human brain will go to in order to protect its version of reality.

  7. Re:Now we know by Sponge+Bath · · Score: 3, Insightful

    I wish they would apply this technique to spammers.

  8. Re:Note to self by cp.tar · · Score: 2, Insightful

    How fitting, that a person glorifying beating up weaklings writes as Anonymous Coward.

    --
    Ignore this signature. By order.
  9. Re:Now we know by cp.tar · · Score: 5, Insightful

    Security by malware author assassination?

    Hey, if it works... I'm buying a Mac.

    --
    Ignore this signature. By order.
  10. Unverified claims to support unverified claims by argent · · Score: 4, Insightful

    Sheesh.

    Now we have unverified claims of death threats to add credibility to unverified claims of worms attacking a deep flaw in mDNSresponder... a flaw so subtle that Apple wouldn't be able to fix it without the help of said anonymous researcher who's allegedly received death threats over it.

    Now this could all be true, but then SCO could really have thousands of lines of Linux code copied from UNIX they're still hiding so they can bring it out in a dramatic eleventh-hour release and snatch victory from the jaws of defeat.

    I don't doubt that there's flaws in mDNSresponder. I don't doubt that you could write a worm to exploit them. I don't doubt that Apple is capable of fixing one symptom of a flaw rather than the cause... they've done it before. But there's nothing new here... schemes like Rendezvous/Bonjour/Zeroconf and the superficially similar "Universal Plug and Play" in Windows are a compelling target for potential attacks and have been criticized in the past. They're not needed for the normal operation of the system, and should be disabled unless you actually know you need them and are on a known secure LAN ... and recipes and utilities for disabling both have been around for years.

    But there is no way that any legitimate security professional would proceed in the manner that the people alleged to be involved in have been behaving over the past several months. The whole presentation of this affair seems almost designed to discredit the security community in the public eye.

    Notify Apple, then release the details. There's no other ethical course of action.

  11. sad by tvon · · Score: 2, Insightful

    This whole thing is getting a lot of coverage for what basically amounts to "random dude claims OSX vulnerability, produces no evidence to substantiate claim".

    The responses are entertaining to read though. Hordes of morons attacking the Mac platform and users without any evidence that there is anything actually wrong. Lots of straw man arguments (nobody with half a brain ever said OSX was impervious to security issues), lots of hate... so much hate.

    Like a bunch of catty middle school girls...

  12. Re:Note to self by Whiney+Mac+Fanboy · · Score: 2, Insightful

    Shouldn't you threaten to kill yourself?

    This, fellow Slashdot readers, is why you shouldn't be anti-mac on /. - I'm not surprised the worm author got death threats - look what I get for joking!

    --
    There are shills on slashdot. Apparently, I'm one of them.