How Apple Orchestrated Attack On Researchers
An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."
More commentary here (Score:4, Informative)
George Ou? (Score:5, Informative)
This all sounds a little fantastic to be true. Most folks at Apple I know don't have time for an agenda. And speaking of agendas, George Ou's definitely got a hard-on [zdnet.com] for Apple.
Ou appears to be a liar (Score:5, Informative)
http://www.tuaw.com/2007/03/20/clarification-on-t
"While I'm flattered at the possibility of Apple even talking to me, the truth of the matter is that the company pretty much ignores TUAW, and most other Apple-related blogs, entirely. Honestly: Fox and I never exchanged so much as a "mwahaha" over email, or any other form of correspondence for that matter. I've never been contacted by anyone from Apple regarding anything besides the fact that one of my older PowerBook's warranties was about to expire, and that AppleCare would be a great way to stay within their graces."
What a continuing cry for attention (Score:5, Informative)
Apple never claimed there were no flaws in their drivers, I don't know how many more times this can possibly be stated to Ou, if it is necessary to use shorter words with fewer syllables or what. Apple's only statement on the whole matter was that Maynor never provided any specific information to Apple as to what this specific security hole was supposed to be. He jumped up and down and waved his arms and told Apple they needed to fix it real soon, but neither he nor Ou nor anyone else has provided any kind of documentation indicating he gave any actual, useful information to Apple about this security vulnerability. He just made vague pronouncements about wireless security and then expected Apple to read his mind, as far as all the available evidence can prove.
Yes, Apple released patches for network drivers after this whole announcement was made -- they released patches for network drivers before then, too!
Ou continues to be either grossly deceived, completely inept at actually investigating and reporting, or so caught up in his ego that he can't recognize he's been played like a piano.
This is not a case of Apple hiding their heads in the sand, running a smear campaign, or fanbois refusing to accept that something could be less than perfect.
Provide some actual evidence and people will listen to your fearmongering, but it's been a year already since this "huge vulnerability" was disclosed and the most we've seen is a computer crash!
Re:So I don't get it... (Score:5, Informative)
Well, I guess it's moot right now, since Apple broke its wireless support thoroughly with the 2007-002 update [apple.com] back at the beginning of March, and has remained silent about addressing the problem since then. I've been back to wired connections for weeks now.
It is somewhat problematic to try to hack a connection that won't connect. :-)
I suppose eventually they'll fix this; the silence is a little disturbing, though. It seems... poorly thought out.
Re:Microsoft bugs? (Score:3, Informative)
Re:Microsoft bugs? (Score:4, Informative)
How do you mod a front page article as "Troll"? (Score:4, Informative)
Re:Skeptical (Score:3, Informative)
Re:Doesn't quite wash (Score:3, Informative)
It would be a bit understandable if they displayed that malformed jp2 to
Re:Apple is Evil. (Score:1, Informative)
Here's a few of my favourite bugzilla bugs, in ascending order of bullshit:
#324253, a cross site XSS exploit which nobody responsible for the code seems to care about.
#45375, a request to make tooltips not cut off at an arbitrary length, which they refuse to fix in Firefox apparently out of spite.
#18574 - The MNG bug... you really have to see this farce with your own eyes. Especially the bit where the asshole in charge of the image code stated that the MNG DLL has to fit within his deliberately impossible to reach size requirements before he'd even consider re-adding it.
Re:You can smear shit.... (Score:3, Informative)
http://groups.google.com/group/moabfixes/browse_f
They froze Safari for God's sake, a tabbed browser. I was suspicious about the alleged IRC attack on the Freenode #macdev channel but I became sure about it after that day.
They released another exploit (a DoS actually, again!) for my favorite browser, OmniWeb, and Omni Group fixed it in 2 hours, Sunday, Macworld times. Those assholes still didn't update their lame, trying-to-be-funny page suggesting people use another browser.
We were talking about whining security researchers (!) who hated the response time of vendors, yes? What about fixing your God damn page thanking Omnigroup and other 3rd party vendors for a quick fix?
Re:George Ou? (Score:1, Informative)
Ask some of Apple's engineers about this and you'll find out that the engineers who call the shots at Apple don't regard this as a problem - while many of the other engineers do.
Nov 14, 2006 (Score:5, Informative)
With the latest patches, according to Secunia, Safari has 4 outstanding unpatched advisories, of which the most severe is "Less critical."
By comparison, Firefox 2 has 3 unpatched Secunia advisories, with the most severe also being "Less critical."
IE6 has 20 unpatched advisories, with the most severe rated "Moderately critical." IE7 has 7 unpatched advisories, with the most severe also rated "Moderately critical."
Re:So I don't get it... (Score:5, Informative)
1 and 3 were in QuickTime (an Apple product, but not Mac specific)
4 was in iLife (Mac specific)
9, 10, 11, 12, and 13 were related to loading
14 was in AppleTalk
15 was in the permissions on the
23 was in QuickDraw (Mac specific)
24 was in the Mac auto-update logic
28 was in the crash dump handling logic
29 and 30 were in various Mac specific utilities (iChat, Safari, HelpViewer).
I don't think that's "a significant minority". By my guesstimate, 5 of the 30 were in 3rd party apps.
Re:Apple is Evil. (Links) (Score:5, Informative)
#324253 [mozilla.org], a cross site XSS exploit which nobody responsible for the code seems to care about.
#45375 [mozilla.org], a request to make tooltips not cut off at an arbitrary length, which they refuse to fix in Firefox apparently out of spite.
#18574 [mozilla.org] - The MNG bug... you really have to see this farce with your own eyes. Especially the bit where the asshole in charge of the image code stated that the MNG DLL has to fit within his deliberately impossible to reach size requirements before he'd even consider re-adding it.
Re:So I don't get it... (Score:4, Informative)
Re:Since when? (Score:3, Informative)
In what market does Apple have a monopoly?
"which is why Apple is getting sued by the European Union."
Um, no, they are not. And what would they be sued for?
"Want to see fair use? Try buying an Apple computer without OS X on it."
I also can't buy a Nokia phone without the Nokia OS in it. Oh the humanity! And why would you want to get a Mac without OS X? What would you gain from that that you couldn't gain from simply buying the computer and erasing the HD? And what does your question have to do with "fair use"? You are not in any shape or form prevented from running some other OS on the Mac.
"The MoAB shattered a lot of illusions"
MoAB was a flop, IMO. They stuffed their numbers by adding bugs in applications that had nothing to do with Apple (like VLC).
Re:So I don't get it... (Score:5, Informative)
23 in software by Apple
1 in software by Adobe
1 in software by Insanity LLC.
1 in software by Videolan
1 in software by The Omni Group
1 in software by Javelin.cc
1 in software by Maxum Development
1 in software by Panic Inc.
1 in software by Telestream/Microsoft
31 issues, of which:
17 in OS X
8 in third party apps not installed by default
3 in Apple apps installed by default
2 in a third party app for OS X and Windows, not installed by default
1 in an Apple app not installed by default
1 in an Apple app for OS X and Windows