How Apple Orchestrated Attack On Researchers
An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."
Shooting fish in a barrel (Score:4, Insightful)
Doesn't quite wash (Score:5, Insightful)
I doubt the real truth has actually surfaced just yet, and it may be a long time, if ever, that it does.
Go Figure! (Score:4, Insightful)
I don't quite buy it. (Score:5, Insightful)
At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'yes' answer. So as a Mac user, I'm not really unhappy at all that MoAB happened, for whatever reason. I'd rather have stuff out in the open, and patched quickly, than some sort of quasi-secret (because, let's face it, if more than one person knows about it, it's not a secret anymore) unpatched vulnerability. I like Apple's gear but that doesn't mean I don't think they need to get a swift kick in the ass every once in a while to stay on top of things.
Re:George Ou? (Score:5, Insightful)
I take it you don't know anyone from Apple's [slashdot.org] legal [theregister.co.uk] department [wsj.com]?
Microsoft bugs? (Score:4, Insightful)
Everything I've read about this suggests the "security professionals" are looking for fame and Apple doesn't care. I don't either. As long as bugs get patched, and Apple seems to have done so in a timely fashion, at least as much as Microsoft and other software companies do.
Whoops -- correction. (Score:3, Insightful)
Should read: At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'no' answer.
In other words, big portions of the Mac OS are still developed as closed-source products, or by people who probably were trained in that mindset, where a bug really only matters once it's widely disclosed.
I've never bought this, because frankly I just don't trust people to keep their mouths shut while a company fixes things at their own pace. I'd rather see bugs get tons of press, and force companies into hauling their developers in on overtime and fixing the thing ASAP, so that the time before first discovery and patching is minimized. I would rather everyone know about it (including administrators and owners who can take defensive measures) than try to cover it up for as long as possible, maximizing the chance that the Russian mafia or other black hats will get their hands on an unknown (to everyone else) vuln.
Some parts of Apple seem much more comfortable with full disclosure than others, and I'm perfectly comfortable with bludgeoning the parts that aren't if that's what it takes. As a Mac user, I'm not at all displeased about MoAB, regardless of its motivations.
You can smear shit.... (Score:5, Insightful)
MOAB as "revenge"? A number of "Apple's" bugs as listed in MOAB were in third-party software (VLC on day 2 for fuck's sake!), the same as their original hyperbolic wireless exploit shenanigans. And then they go and use an exploit on the site, and act like petulant children in their communication with others through the site, all the while crying foul that they aren't being treated like serious security professionals.
Re:So I don't get it... (Score:5, Insightful)
But the quality of third party device drivers isn't really something you can blame Apple for, at least I don't think so. I don't blame Microsoft or Linus if nVidia fubars a driver, I blame the company whose name is on the driver.
Re:Nelson (Score:2, Insightful)
I'm not a mac fanboy (in fact I'm a Linux fanboy) but I do like my mac laptop and I don't really have an opinion on Apple so my point of view on the topic really sees this as a non-issue.
Both parties handled the wireless 'hack' (3rd party driver doesn't really count on built in/OS supported by default hardware) badly and had their own motives for their actions.
Though the Month of Apple Bugs, as a mac user, just appeared to be either a stunt by Apple or a stunt by someone else no one cares about to show off mac security compared to windows. And really the end result was that Apple had to fix a ton of bugs; as a mac user this made me happy and happier when Apple sent several patches to my mac with these fixes in short order.
So really I see this as a null event and its effect on my opinion of Apple has only changed in two regards as a result: they will fix bugs quickly and well (regardless if this is accurate or not, remember I'm a user who really doesn't care - e.g. average mac user) and that with a huge security community pushing to crush 'smug' mac users' outlooks on osx they only found 62 critical bugs. Seriously, 62, that's it, what a joke.
Again as a mac user this just improves my view of Apple's commitment to security. Plus I think it would prove to be a comical point if there were to be such a serious Month of Windows Bugs! "Oh see my mac only had 62 bugs, your windows pc has what? 12,085,387? Have fun with that virus scanner, firewall, and content filter you need to run just to reduce your risk of your windows box getting infected!"
At the end of the day all OS have bugs and companies have to deal with them the way they see fit; and the users have to accept that or switch operating systems. It's not like you don't have a choice; heck I'm a linux user who bought a mac for a spare computer that would 'just work' when debian sid decided that my computer wasn't something it wanted to play with.
Re:So I don't get it... (Score:5, Insightful)
Re:George Ou? (Score:2, Insightful)
Reasonable question... (Score:4, Insightful)
Played or not, Maynor and Ellch came out swinging at Mac users and attacked them on attitude's sake alone.
Last summer, KF was blogging about what a great, rapid job Apple did on its patches, and by January, he's got them on a spit in the public square, and baiting Apple and its users.
Is this to be the public face of the security community?
What I got from the original video, taken on its face, is that the MacBook was not vulnerable, that the exploit was for some 3rd party vendor's stuff, but they were going to use the MacBook just to cheese off Apple users, whose attitudes they perceived as lousy. Human memory being what it is, like Orson Welles' The War Of The Worlds radio broadcast, they had to realize after watching the remaining lion's share of the video that people would mostly retain the image of a MacBook getting pwned.
Beyond the mechanicals, my other impression was that if they were going to demo an important vulnerability and chose to wrap it in several layers of personal feelings for a specific bunch of people, they might be skilled, but they're still unprofessional.
I'm not sure if George is trying to paint them as choirboys or simply C his own A.
Re:Ou appears to be a liar (Score:5, Insightful)
Stop posting anything about these guys, they don't deserve the publicity, and all this crap about smearing and breaking Apple's hardware is both moot and full of willful misinterpretation. These guys are attention seekers and no more.
Skeptical (Score:5, Insightful)
I believe they actually claimed they hadn't had the vulnerability in question demonstrated to them. The fact that they later patched *a* vulnerability in wireless drivers doesn't necessarily prove anything. If it does, then as an Apple basher, my future plan will be:
a) announce that I've found a vulnerability in $OSX_FEATURE.
b) ignore requests for details, proof, etc
c) be universally regarded as an idiot
d) Wait until someone else finds a vulnerability in $OSX_FEATURE and Apple patches it.
e) trumpet from the rooftops that I said there was a vulnerability in $OSX_FEATURE months ago and OMG! Apple denied it and look, they've just fixed it and I was right all along!
f) Smugly watch the sensationalist articles about how Apple bullied me.
Re:So I don't get it... (Score:0, Insightful)
Apple exploit code (Score:4, Insightful)
Oh! I see! There are lots of ADVERTISEMENTS on this blog page! Phew! This was a great way to drive traffic! Thanks ZD-Net, for the "news"!!!
Now I'll turn on CNN and watch the "news" about the next dreaded disease from Asia that could kill my children (and see Viagra ads at the same time.)
Re:Microsoft bugs? (Score:1, Insightful)
I am confused (Score:3, Insightful)
And when did Apple ever "claim that there were no vulnerabilities in Mac OS X"? I am pretty sure that's never been said, at least, not officially. Maybe some employee spoke out of turn, but the company itself has never made that claim. Ever.
I don't know anything about Ou, but these two huge misstatements don't make me trust him.
Re:So I don't get it... (Score:1, Insightful)
Comment removed (Score:3, Insightful)
Re:Ou appears to be a liar (Score:3, Insightful)
Well except that the exploit worked for Mac HW too.
Do you have any proof of this, other than Maynor-Ellch claims? An actual instance of the exploit working on Mac HW? Because I've not seen any.
And George Ou doesn't count.
SteveM
Re:Apple is Evil. (Score:5, Insightful)
Let me ask you this-
What has Microsoft ever done for the open source community other than to try to undermine Linux?
What has Apple done to support the open source community?
Do technologies like hardware acceleration for X windows, more focus on open standards (Open LDAP, SMB, etc.), make Apple as evil as Microsoft?
Jobs is as bad as Gates in some respects, but a blanket statement like this cannot possibly apply in all aspects of their work. Is Bill bad because he is supporting his charity now? Is Steve Jobs bad for spending his own money to make an animation company that produced quality family films? You can't judge on one level- it's simply impossible. Your argument needs better qualification. Saying that you like "open source and community review" will earn you a few karma points on slashdot, but in my book that post was all about "Apple is Evil."
< pinky to corner of mouth >
Re:Proof is in the using (Score:2, Insightful)
With help from third parties (AV software (no, I'm not talking Norton...), firewalls, etc.) I think Windows is a LOT more secure than it used to be. I personally wouldn't trust MS by itself. But it all goes back to market share. No system is invincible, so why not go after the biggest and milk it for all it's worth?
Why is this tagged FUD?? (Score:3, Insightful)
Please stop it.
FUD has a very specific meaning. Pay attention - FUD stands for Fear, Uncertainty, Doubt. It is a marketing strategy that spreads, you guessed it, Fear, Uncertainty and Doubt about a competitor's product. Every statement you disagree with is not FUD. Not every untruth is FUD. Not all FUD is untrue for that matter.
Thank You, that is all.
Re:So I don't get it... (Score:3, Insightful)
Would love to see some actual details on this, if it's true.
Re:Shooting fish in a barrel (Score:4, Insightful)
To address the summary:
They said in the notes that they did a security audit with no input from the researchers and patched what they discovered.
Why should they have?
Re:Go Figure! (Score:5, Insightful)
Once you get past your fascination with Artie, you'll see that many Mac users do not, in fact, think the Mac is utterly and totally bulletproof. OTOH, we're also aware that compromised Windows machines can be found by the hundreds of thousands in the botnets that generated some 90% of the email (spam) traffic last December, while there hasn't been a single large-scale exploit of the Mac since OS X came out.
The sheer difference in exploit numbers suggests that the Mac has some good things going for it in terms of security. Does that make the Mac perfect? Of course not. Does that make the Mac less likely to suffer data loss or force its owner to waste time checking for digital cockroaches every day?
Yes.
Re:Shooting fish in a barrel (Score:5, Insightful)
No one believed this story about Apple pressuring the security researchers for 2 reasons. No security company would actually let their name be dragged through the dirt by the internet community for the sake of saving face for another company especially Apple. Secondly their story changed by the day and requests to see an exploit/method/code release were constantly denied. The only demonstration was highly dubious as it was presented as a video.
Since the fiasco came about Apple did then commission an external company to look for bugs in their airport drivers, while some bugs were found they were unrelated to the publicised "macbook remote exploit" (the security researchers gave such little information anyway.)
Then finally once all the patches were out by Apple, the security researchers piped up again claiming that the exploits they discovered were the ones that Apple had patched. (When in all reality they probably just examined the old and new drivers and looked for the differences.)
Suggestions that Apple users are blind, security-unaware dummies are what caused most of the outrage. Going out claiming that the Apple user base believe they are impervious to spyware/viruses/etc. is an invitation for negative feedback. It has very little to do with "Attacking the mac-zealots precious platform"... after all much of the operating system is open source Darwin, a BSD implementation.
As for the followup month-of-apple-bugs and other negative security feedback, those are most definitely not solely rooted by this sole affair. Ou is merely trying to spin them this way to provide some kind of grass-roots response to his purported conspiracy.
Re:Truth in advertising (Score:4, Insightful)
Pragmatically, Macs are impenetrable by viruses, and have been for years.
If you want to counter that argument in concrete terms, by showing a Mac virus with 1/100th the penetration of Blaster, Nimda, Sobig, et al, feel free. If you can't, you'll have to admit that historically, Macs have not been penetrated to 1/100th the degree that Windows machines have.
If you want to make a hard prediction that Macs will be penetrated to N degree within the next X months, go ahead. If not, you'll have to admit that you can't be confident in making such a prediction.
If you want to present evidence that Macs are about to be compromised through a specific vector, trot it out. If you can't, you'll have to admit you don't have any evidence that would support such a claim.
If all you can really bring against the Mac is a pack of abstractions that boil down to, "nothing is perfect," nobody cares. It's a truism that has no practical meaning.
If you want to say something useful about a Mac's vulnerability, put it in concrete terms. Is having your Mac hijacked by malware more or less likely than getting killed in a car crash? Is it more or less likely than dying by falling down the stairs? Is it more or less likely than being struck by lightning? Is it more or less likely than winning the lottery? Is it more or less likely than having a meteorite come crashing through your roof?
If you think it's more likely than any of those things, show me the numbers to back it up.
Locked up by process? (Score:5, Insightful)
Debian.
That's all, just Debian and their record on timely releases.
Are you fucking kidding me? (Score:4, Insightful)
I thought Ou had lost all credibility by now. He's biased and stupid. I know that sounds harsh, but for heaven's sake, read his blog posts! He compared Apple to Nazi Germany, not even knowing how to spell Joseph Goebbels ("Joseph Gerbils [macalope.com]", I'm not kidding!), and he called Fox using a number he got in a confidential mail from Maynor [daringfireball.net]. I mean, geez!
The people he accuses have gone on the record saying that Fox had not contacted them. Chartier says: [macalope.com]
This whole story only exists in Ou's head. Apple orchestrated nothing at all, the "researchers" discredited themselves all on their own, simply by claiming different, contradictory things at different times.
George Ou is nothing but a Troll. Can we please just ignore him?
Not really (Score:4, Insightful)
The burden of proof remains on those who claimed the exploit, they've managed to utterly fail to live up to that burden. (Maynor's last demonstration only produced a DoS crash with the lame excuse of not wanting sniffers to get his exploit code for not showing the "pwnage".)
Re:So I don't get it... (Score:5, Insightful)
There isn't even enough detail to speculate on the reasons that you supposedly had such a smooth ride. But that's assuming that you didn't just make it all up in the first place.
Forget responsible exploit publishing? (Score:3, Insightful)
I am the worst (or best, depending on your point of view) kind of Apple apologist, but any attempt from any company to stifle, ignore, or deny security research is not just silly, it is reprehensible. Companies with products where security is a concern should always respond with acknowledgement of the research, credit to the researchers, and evidence proving the validity of the claim either way. Then, of course, release a fix in due time if necessary. These same corporate entities ask for courtesy from the security community in notifying them first of problems, but yet many still react negatively to this valuable community-provided service. For those who behave properly, this restraint should be afforded. For those who respond as Apple have done, the appropriate response is, I think, exactly what happened: a flurry of publicized exploits without prior and exclusive notification. Proceeding in this fashion creates an incentive to take security concerns seriously and disincentives to bury them.
Re:So I don't get it... (Score:2, Insightful)
Have you considered it may be some other software that you've installed?
Have you tested this possibility?
Do you back up or clone your system to some other storage before blindly applying updates? You should be doing these things.
How about this: you install Mac OS X 10.4.x to a firewire hard drive. Install the security update. Does this break your system? Probably not. Now add all your third party stuff. Broken or working?
Stop ranting and do something to fix it.
Re:So I don't get it... (Score:3, Insightful)
For what it's worth the update worked flawlessly for me on several systems I have that use wireless. I'm not saying that there is no problem for other people but I have everything working just fine. That being said any time I have had a problem with Apple's stuff they have fixed it fairly promptly. I hope the same happens with you.
Re: the point (Score:3, Insightful)
Re:So I don't get it... (Score:3, Insightful)
Maynor is responsible for the media attention, and Apple's response. Of course, all of that would mean nothing, and he would be a superstar hacker if he just released his exploit. He could do it for a clueless reporter on demand in August of last year. Now, eight months later, it's too hard to reproduce in front of a technical audience? Sounds like a rigged demo to me.
Apple isn't as friendly or responsive to security researchers as they should be from what I can tell, but none of that is an issue given the magnitude of Maynor and Ellch's misconduct.
Re:So I don't get it... (Score:3, Insightful)
The university I attend has wireless throughout the entire campus. How many school workstations connect to the network wirelessly? None. Sure students and professors connect to the wireless with their laptops, but none of the managed school computers do. You'd just be asking for problems. So again I say BS.