How Apple Orchestrated Attack On Researchers

An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."
  • More commentary here (Score:4, Informative)

    by Anonymous Coward on Tuesday March 20, 2007 @10:59PM (#18424529)
    Geez, don't leave out Matasano's response [matasano.com]. George Ou is a tool.
  • George Ou? (Score:5, Informative)

    by vought ( 160908 ) on Tuesday March 20, 2007 @11:00PM (#18424535)
    Is this the same guy who doesn't know Gerbils from Goebbels [macalope.com]?

    This all sounds a little fantastic to be true. Most folks at Apple I know don't have time for an agenda. And speaking of agendas, George Ou's definitely got a hard-on [zdnet.com] for Apple.
  • by samkass ( 174571 ) on Tuesday March 20, 2007 @11:06PM (#18424583) Homepage Journal
    From one of the folks accused of conspiring with Apple:

    http://www.tuaw.com/2007/03/20/clarification-on-the-macbook-wi-fi-hack-conspiracy/ [tuaw.com]

    "While I'm flattered at the possibility of Apple even talking to me, the truth of the matter is that the company pretty much ignores TUAW, and most other Apple-related blogs, entirely. Honestly: Fox and I never exchanged so much as a "mwahaha" over email, or any other form of correspondence for that matter. I've never been contacted by anyone from Apple regarding anything besides the fact that one of my older PowerBook's warranties was about to expire, and that AppleCare would be a great way to stay within their graces."
  • by NMerriam ( 15122 ) <NMerriam@artboy.org> on Tuesday March 20, 2007 @11:17PM (#18424651) Homepage
    This is not "news" by any stretch of the imagination. Ou is only now "at liberty" to discuss the matter? I remember quite clearly while the whole wireless driver brouhaha was happening that he and the researchers were claiming Apple was running a "smear campaign" against them -- a campaign that everyone else in the security community and press was somehow unaware of, given how massive Ou claims it to have been.

    Apple never claimed there were no flaws in their drivers, I don't know how many more times this can possibly be stated to Ou, if it is necessary to use shorter words with fewer syllables or what. Apple's only statement on the whole matter was that Maynor never provided any specific information to Apple as to what this specific security hole was supposed to be. He jumped up and down and waved his arms and told Apple they needed to fix it real soon, but neither he nor Ou nor anyone else has provided any kind of documentation indicating he gave any actual, useful information to Apple about this security vulnerability. He just made vague pronouncements about wireless security and then expected Apple to read his mind, as far as all the available evidence can prove.

    Yes, Apple released patches for network drivers after this whole announcement was made -- they released patches for network drivers before then, too!

    Ou continues to be either grossly deceived, completely inept at actually investigating and reporting, or so caught up in his ego that he can't recognize he's been played like a piano.

    This is not a case of Apple hiding their heads in the sand, running a smear campaign, or fanbois refusing to accept that something could be less than perfect.

    Provide some actual evidence and people will listen to your fearmongering, but it's been a year already since this "huge vulnerability" was disclosed and the most we've seen is a computer crash!
  • by fyngyrz ( 762201 ) * on Tuesday March 20, 2007 @11:20PM (#18424675) Homepage Journal

    Well, I guess it's moot right now, since Apple broke its wireless support thoroughly with the 2007-002 update [apple.com] back at the beginning of March, and has remained silent about addressing the problem since then. I've been back to wired connections for weeks now.

    It is somewhat problematic to try to hack a connection that won't connect. :-)

    I suppose eventually they'll fix this; the silence is a little disturbing, though. It seems... poorly thought out.

  • Re:Microsoft bugs? (Score:3, Informative)

    by Anonymous Coward on Tuesday March 20, 2007 @11:25PM (#18424727)
    I'm not sure about Linux projects, but Microsoft regularly (always?) adds an "Acknowledgements" section to the security bulletins. An example: http://www.microsoft.com/technet/security/Bulletin/MS07-014.mspx [microsoft.com]

  • Re:Microsoft bugs? (Score:4, Informative)

    by ZachPruckowski ( 918562 ) <zachary.pruckowski@gmail.com> on Tuesday March 20, 2007 @11:36PM (#18424805)
    Actually, most of the Linux security update notices I get clearly say who found the bug/exploit.
  • by Dragonfly ( 5975 ) <jddaigleNO@SPAMmac.com> on Wednesday March 21, 2007 @12:01AM (#18424953) Homepage
    Seriously, this whole sorry saga has been hashed and rehashed all over the web. Why should /. give these clowns any more publicity? See John Gruber's blog [daringfireball.net] for an excellent debunking of Maynor, Ellch, and Ou's claims.
  • Re:Skeptical (Score:3, Informative)

    by civilizedINTENSITY ( 45686 ) on Wednesday March 21, 2007 @12:05AM (#18424969)
    Washington Post: "Apple's Fox said that prior to the Black Hat demo, SecureWorks did contact Apple about a wireless flaw in FreeBSD, the open-source code upon which Apple's OS X operating system is based. In January, FreeBSD released a patch to fix the problem, which according to the accompanying advisory, related to a flaw in the way FreeBSD systems scanned for wireless networks that could be exploited to allow attackers to take complete control over the targeted machine."
  • by Ilgaz ( 86384 ) on Wednesday March 21, 2007 @12:08AM (#18424987) Homepage
    For OS X outsiders and people watching only "MOAB are nice guys trying to help" sites, MOAB actually tried and succeeded to DOS OS X default browser Safari on their day 29 error page.

    It would be a bit understandable if they displayed that malformed jp2 to .apple.com IPs but they didn't. They attacked unsuspecting end user trying to inform himself/herself which is completely unacceptable. If you remember Safari is a tabbed browser, a huge chance of information loss was there too.
  • Re:Apple is Evil. (Score:1, Informative)

    by Ant P. ( 974313 ) on Wednesday March 21, 2007 @12:13AM (#18425003)
    Well then, I'll do my part for that cause by pointing out Firefox's development process is just as bad as Apple.

    Here's a few of my favourite bugzilla bugs, in ascending order of bullshit:
    #324253, a cross site XSS exploit which nobody responsible for the code seems to care about.
    #45375, a request to make tooltips not cut off at an arbitrary length, which they refuse to fix in Firefox apparently out of spite.
    #18574 - The MNG bug... you really have to see this farce with your own eyes. Especially the bit where the asshole in charge of the image code stated that the MNG DLL has to fit within his deliberately impossible to reach size requirements before he'd even consider re-adding it.
  • by Ilgaz ( 86384 ) on Wednesday March 21, 2007 @12:22AM (#18425047) Homepage

    That's a flat out lie and you know it. http://projects.info-pull.com/moab/ [info-pull.com]
    What lie?

    http://groups.google.com/group/moabfixes/browse_frm/thread/41c76ee5cbadc74 [google.com]

    They froze Safari for God's sake, a tabbed browser. I was suspicious about the alleged IRC attack to Freenode #macdev channel but I became sure about it after that day.

    They released another exploit (a DOS actually, again!) for my favorite browser, Omniweb and Omni Group fixed it in 2 hours, Sunday, Macworld times. Those assholes still didn't update their lame, trying to be funny page suggesting people to use another browser.

    We were talking about whining security researchers (!) who hated the response time of vendor yes? What about fixing your God damn page thanking Omnigroup and other 3rd party vendors for a quick fix?
  • Re:George Ou? (Score:1, Informative)

    by Anonymous Coward on Wednesday March 21, 2007 @12:49AM (#18425247)
    Even Apple's engineers have time for agendas. This is why MAX_PATH under OSX is still limited to 1024 characters.

    Ask some of Apple's engineers about this and you'll find out that the engineers who call the shots at Apple don't regard this as a problem - while many of the other engineers do.

  • Nov 14, 2006 (Score:5, Informative)

    by Foerstner ( 931398 ) on Wednesday March 21, 2007 @12:58AM (#18425309)
    Nov 14, 2006 [apple.com] was the last time WebKit was updated.

    With the latest patches, according to Secunia, Safari has 4 outstanding unpatched advisories, of which the most severe is "Less critical."

    By comparison, Firefox 2 has 3 unpatched Secunia advisories, with the most severe also being "Less critical."

    IE6 has 20 unpatched advisories, with the most severe rated "Moderately critical." IE7 has 7 unpatched advisories, with the most severe also rated "Moderately critical."
  • by LO0G ( 606364 ) on Wednesday March 21, 2007 @01:26AM (#18425491)
    From the list (http://projects.info-pull.com/moab/):
    1 and 3 were in quicktime (an apple product, but not Mac specific)
    4 was in iLife (mac specific)
    9, 10, 11, 12, and 13 were related to loading .DMG files, which are Mac specific.
    14 was in appletalk
    15 was in the permissions on the /Applications directory
    23 was in QuickDraw (mac specific)
    24 was in the Mac auto-update logic
    28 was in the crash dump handling logic
    29, and 30 were in various Mac specific utilities (iChat, Safari, HelpViewer).

    I don't think that's "a significant minority". By my guesstimate, 5 of the 30 were in 3rd party apps.
  • by shoolz ( 752000 ) on Wednesday March 21, 2007 @01:50AM (#18425609) Homepage
    How hard would it have been to include the URLs?

    #324253 [mozilla.org], a cross site XSS exploit which nobody responsible for the code seems to care about.
    #45375 [mozilla.org], a request to make tooltips not cut off at an arbitrary length, which they refuse to fix in Firefox apparently out of spite.
    #18574 [mozilla.org] - The MNG bug... you really have to see this farce with your own eyes. Especially the bit where the asshole in charge of the image code stated that the MNG DLL has to fit within his deliberately impossible to reach size requirements before he'd even consider re-adding it.
  • by civilizedINTENSITY ( 45686 ) on Wednesday March 21, 2007 @03:15AM (#18425955)
    At the risk of being redundant (posting this to other similar replies): Does the Washington Post count? Security Fix Brian Krebs on Computer Security "Indeed, as I reported earlier, in his hotel room on the eve of that presentation, Maynor showed me a live demo of him exploiting the built-in Macbook drivers to break into the machine from another laptop -- without a third party card plugged in." Try the first URL in the article and search for Washington Post, then follow the links to the story.
  • Re:Since when? (Score:3, Informative)

    by 10Ghz ( 453478 ) on Wednesday March 21, 2007 @05:51AM (#18426475)
    "They are, and always have been, an insanely brutal monopolist."

    In what market does Apple have a monopoly?

    "which is why Apple is getting sued by the European Union."

    um, no they are not. And what would they be sued for?

    "Want to see fair use? Try buying an Apple computer without OS X on it."

    I also can't buy a Nokia phone without the Nokia OS in it. Oh the humanity! And why would you want to get a Mac without OS X? What would you gain from that that you couldn't gain from simply buying the computer and erasing the HD? And what does your question have to do with "fair use"? You are not in any shape or form prevented from running some other OS on the Mac.

    "The MoAB shattered a lot of illusions"

    MoAB was a flop, IMO. They stuffed their numbers by adding bugs in applications that had nothing to do with Apple (like VLC).
  • by Anonymous Coward on Wednesday March 21, 2007 @05:55AM (#18426493)
    31 issues, of which:

    23 in software by Apple
    1 in software by Adobe
    1 in software by Insanity LLC.
    1 in software by Videolan
    1 in software by The Omni Group
    1 in software by Javelin.cc
    1 in software by Maxum Development
    1 in software by Panic Inc.
    1 in software by Telestream/Microsoft

    31 issues, of which:

    17 in OS X
    8 in third party apps not installed by default
    3 in Apple apps installed by default
    2 in a third party app for OS X and Windows, not installed by default
    1 in an Apple app not installed by default
    1 in an Apple app for OS X and Windows
