
How Apple Orchestrated Attack On Researchers

An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."
  • So I don't get it... (Score:5, Interesting)

    by CatOne ( 655161 ) on Tuesday March 20, 2007 @10:58PM (#18424521)
    All this "smear campaign" stuff... talking about how Apple really hammered him on the clarification of whether it was a 3rd party driver. And George gets indignant that Apple asked this to be done.

    Yes, you could see in the video that they used a 3rd party driver. However, was it really CLEAR that the exploit only existed for the 3rd party driver? Maynor and Ellch certainly did NOT dwell on this -- they in fact spent more time saying they enjoyed doing this because Mac users were "smug."

    And, gullible as the press is, the press most certainly did NOT report "3rd party flaw exposes OS X security hole!" It was more along the lines of "OMGMACCRACKOVERWIRELESS!" It was days before it was clear, and even then it was necessary to specifically explain this to people. Sure, the video showed this, but the fact of the matter is that most people, including the press, did not UNDERSTAND this fact... and this was clearly obvious from the reaction to the matter in the first place.

    And what I also don't get is... what are you really showing if you use a 3rd party wireless driver to hack a MacBook which has BUILT-IN wireless? Sure, you can do it, but is that a realistic scenario? I mean, I could compromise someone's system if I stole it and they didn't have disk encryption turned on as well... is that a hack?
  • Re:well (Score:2, Interesting)

    by Cid Highwind ( 9258 ) on Tuesday March 20, 2007 @11:35PM (#18424797) Homepage
    Apple continued to claim that there were no vulnerabilities in Mac OS X

    All systems have vulnerabilities, how can they say that with a straight face?


    They didn't say it. They just didn't rush to fall on their swords for some undisclosed third party's driver bugs fast enough for Ou, Maynor and Ellch's taste.
  • by civilizedINTENSITY ( 45686 ) on Tuesday March 20, 2007 @11:45PM (#18424859)
    "However, was it really CLEAR that the exploit only existed for the 3rd party driver?"

    But it should not have been *clear*, since the exploit did exist for Apple drivers as well as the 3rd party. It was only because Apple leaned on them to show the exploit with 3rd party drivers that it was done that way. So they cooperated with Apple, and got hosed for it.
  • by The_Wilschon ( 782534 ) on Tuesday March 20, 2007 @11:56PM (#18424919) Homepage
    OTOH, just to play the devil's advocate, you might say that the closed nature of Apple allows them more freedom to innovate with new modes of operation. If there were more transparency in Apple and its competitors, then certain things that Apple might do would be considered trustworthy. If they tried to branch out into new territory business-model and software-management-model wise, then we would be able to see that, and since most people don't trust change, they would lose market- and mind-share. With a closed system, they are evaluated entirely on their end results, so they are more free to innovate internally, and might well find some new internal mode which turned out to be better than anything done before.

    In short, in a totally open system, things might tend to get locked up by process.

    I don't think it actually works out to be better, on balance, to have a closed system, but going to an open system is not purely beneficial to the market. In order to demonstrate that an open system is better overall, you not only have to show that it has benefits, but that those benefits outweigh the costs.
  • by Ilgaz ( 86384 ) on Wednesday March 21, 2007 @12:04AM (#18424965) Homepage
    If this thing is completely related to 3rd party driver, it is a sign that Apple needs to adopt a WHQL like method to certify third party drivers. I know it would sound bad but they could publicly call users not to use a certain, unmaintained driver which apparently got abandoned by hardware manufacturer.

    I know MS one is not that serious but Apple could start from beginning learning from MS mistakes.

    It could be more security and performance focused rather than vendor lock in.

    BTW I bought a Windows only USB Wireless product by mistake (site error) and I have a good clue what driver they may be talking about. If it is the case, it is completely unrelated to Apple really. Also I am not talking about Orangeware etc. commercial drivers which are maintained very well.
  • Re:Go Figure! (Score:3, Interesting)

    by Ilgaz ( 86384 ) on Wednesday March 21, 2007 @12:16AM (#18425015) Homepage
    Some of these "researchers" think Apple community consists of "maccies" who think their system is super secure by default.

    Those people are minority.

    There are very popular and sometimes expensive security products on Mac which consist of Application filtering firewalls, antiviruses (yes, check download numbers) and many more. Of course there are some snake oil sellers (Not Intego, I don't agree) who try to exploit the user interest and ship zero function crap. Sadly, they are popular too.

    There are some anti-rootkit packages recently which seem to be BSD/Linux focused. While they couldn't find anything, non techie users spared time and downloaded them and sent their comments to sites like Versiontracker.
  • by fyngyrz ( 762201 ) * on Wednesday March 21, 2007 @12:16AM (#18425021) Homepage Journal

    No question that the update worked for some people. Including - presumably, anyway - the developer who built it.

    But the thread I pointed out was but one of many that has sprung up this month, each with several, sometimes many, Mac users going "say... what the heck?" Take a look at the other threads. Tons of people talking about failures, with one or two saying "worked for me." Lots of well-intentioned people (not from Apple) suggesting workaround attempts (try deleting your lists of trusted networks, switch encryption modes, use ethernet) and no one saying "here is Apple's fix." That's not the ratio you want to see.

    My own situation is Mac centric; I use a mini Intel dual-core as the source of the wifi, and normally have various Mac clients, an XP client, a Wii client and a PS3 client. The update hosed me; no individual client or set of clients can connect to the mini more than once; the mini has to be rebooted before a new connection can be opened. My network is open; no passwords, no WEP or WPx or etc.; There are no other wifi networks within reception range, no competing signals in the same spectrum (rural life has at least these advantages), and the distance of any client to the mini is less than 30 feet along any one vector - meaning full strength reception, basically - so it is about the simplest situation you can imagine.

    Everything had been working perfectly until 2007-002. Since then, I've added the .9 update to the OS, no change. Considering that adding 2007-002 to the mini broke the XP machine's ability to play client, I'm rather convinced that there are multiple problems - most reports talk about their Mac not talking to a hub (such as a DLink) - so they can't have broken host for them, only client; while in my situation, the Mac *is* the host, and the update would not have affected the XP, Wii or PS3 clients, though it could, and apparently did, hose my Macbook pro and the other minis. So there are at least two problems, one for host use and one for client use.

    It is an interesting and frustrating situation. I hope it is resolved shortly. I don't much like having Ethernet strung all over the place at home, and I can't take my Macbook pro anywhere and get online via wifi; it won't connect unless it is wired. Luckily I have an ethernet connection at work, we don't use wifi there; but I *was* in the habit of surfing at the coffee shop, the doctor's office, the hospital and at friends' houses. You don't realize how much you're going to miss convenience like that until it's gone.

  • Re:George Ou? (Score:3, Interesting)

    by vought ( 160908 ) on Wednesday March 21, 2007 @01:13AM (#18425407)
    ...ever met many rich engineers?


    At Apple? Fuck yeah. At least the ones who started loading ESPP in 1997 are rich today.

    Besides, you can be rich and stupid or comfortable and smart. I much prefer to be (and socialize with) the latter.
  • Since when? (Score:0, Interesting)

    by Anonymous Coward on Wednesday March 21, 2007 @01:58AM (#18425633)

    That's not to say Apple hasn't earned some level of trust


    When did Apple ever earn a level of trust? They are, and always have been, an insanely brutal monopolist. They are far, far, far worse than Microsoft could even DREAM of being: MS doesn't try putting companies which sell their products out of business, as Apple does. Microsoft doesn't have ham-handed policies toward retailers selling their products, and then turn around and open Microsoft stores.

    Lots of people are waking up to this fact, which is why Apple is getting sued by the European Union.

    Want to see fair use? Try buying an Apple computer without OS X on it.

    And all of this says nothing of the myth Apple (and Slashdot) try to push, which is that getting hacked, bugs, virii, and spyware are Windows-only phenomena. The MoAB shattered a lot of illusions... and it was only the tip of the iceberg.

    But hey, feel free to tell us how Apple has "earned" any trust. Being "not Microsoft" does not earn one trust, contrary to Slashdot-logic.
  • by Graham J - XVI ( 1076671 ) on Wednesday March 21, 2007 @02:04AM (#18425663) Homepage Journal
    ...or someone who understands that its *nix core is inherently more secure than the NT core.
  • by Anonymous Coward on Wednesday March 21, 2007 @03:31AM (#18426013)
    Nice try at FUD. I work with 3,000 Mac (Education) and we've encountered ZERO problems connecting to our Wi-Fi.
  • by NMerriam ( 15122 ) <NMerriam@artboy.org> on Wednesday March 21, 2007 @06:25AM (#18426647) Homepage
    That's what the Post blog (the other place that misrepresented the story too much initially to risk backing down) says, but not what Apple actually said at the time. If you read the statement by Apple, they refute that Maynor has provided them with any evidence of a flaw in their network drivers, which he stated he had but they didn't bother to fix it. They never claimed there were no flaws at all, that would be a ridiculous statement for ANY company to make about anything, they just said that they had no idea what flaw Maynor was talking about.

    That's why this is such a ridiculous drama -- all Maynor or anyone else has to do to show Apple is a bunch of liars is provide the documentation trail they sent to Apple that they supposedly ignored. A year later, they still haven't provided even that, much less any evidence of the flaw itself.
  • by Weedlekin ( 836313 ) on Wednesday March 21, 2007 @06:53AM (#18426771)
    "Omniweb and Omni Group fixed it in 2 hours, Sunday, Macworld times. Those assholes still didn't update their lame, trying to be funny page suggesting people to use another browser."

    Which of course brings up another point: how does fucking over Omni Group (who have an excellent record of responding to such things very promptly) by publicising a bug without telling them about it first count as "revenge on Apple"? How does "outing" multi-platform bugs in open source projects instead of simply supplying patches to fix them do anything whatsoever to Apple? If these people had a beef against Apple for something or other, then take it out on Apple, not products or projects that have no connection with them besides running on Apple's OS.

    NB: I don't know if I'm the only one who noticed that MOAB didn't publish a single bug in Microsoft Office for the Mac despite it (a) having rather a lot of them, and (b) being much more popular on OS X than any of the 3rd. party products or projects they did "examine". Given Microsoft's notably poor record with security issues in Office for Windows, I would have thought that this would have been the first non-Apple product they looked at (closely followed by IE, MSN Messenger, Media Player, and various other known sources of a multitude of exploits on Windows). I'm not suggesting this indicates any involvement by MS in MOAB (I'm not a conspiracy theorist who believes that they're behind every spiteful bunch of childish wankers with a vitriolic hatred of Apple, Linux, or whatever), but rather that it's possibly indicative of a notable bias which the so-called "computer press" doesn't seem to have noticed.
  • by ThePhilips ( 752041 ) on Wednesday March 21, 2007 @08:07AM (#18427099) Homepage Journal

    I'm sorry to chime in with a stupid comment. But sorry this is Slashdot so here I go ;-)

    I'm sick and tired of such "researchers". Back in good old days they were simply called "testers" - and their job was to look for bugs, localize them and report to developers. Instead of reporting a bug all they do is create a "sensation" or "scandal".

    Apple might not be the best company when it comes to PR (actually probably second worst - right after Sony) but most of the problems get resolved easily. And even then, most of the time Apple's PR reaction is ... right no reaction. The guys are used to living and working under piles of NDAs and very very rarely talk to press. Or rather they organize events if they want to announce something. (I'd rather give thumb up to Mac fan boys for smoking the so called "researcher" into clear. Because that what I believe took place.)

    Rise of Internet unfortunately attracted hunters for cheap publicity. And most of the so called "security researchers" fit right into the category. They relate to research equally as e.g. Britney Spears relates to music.

    P.S. Disclaimers: Ex-Mac-owner. Linux developer. And yeah, I know how to write secure programs and what QA is.

  • by Anonymous Coward on Wednesday March 21, 2007 @08:42AM (#18427341)
    I don't get this? Check this out [matasano.com], very concise, straight up. Basically, still no evidence of which side was in the wrong.


    Apple did what I would expect, and as someone that owns Apple stock I would want them to do. Their image and name was being slandered and they defended themselves. And if they are being honest, they took on the costs and did their own audit, found bugs and patched them.


    To this day, no exploit has been demonstrated reliably against any hardware by these guys, this is a fact.


    To this day, no proof that Secureworks or these two researchers gave any information to Apple or had any contact with them prior to the media campaign has been shown. This is a fact. No crash dumps, no emails that were sent, nothing, no response from Apple, nothing. Just words against words. I'm not saying that there aren't bugs, just that the claims made by these researchers that they were pressured aren't backed.


    To this date, no evidence of any threat of a law suit has been shown by either side.


    So far we simply see an email from Apple's PR people (go figure, this is a fucking PR campaign) expecting clarification.

  • Re:I'm all for it! (Score:3, Interesting)

    by Watts Martin ( 3616 ) <layotl&gmail,com> on Wednesday March 21, 2007 @01:27PM (#18431149) Homepage
    While there are indeed real "Mac zealots" out there, there seems to be a far, far greater number of PC users who squeal like stuck pigs and go on flaming, spittle-flecked anti-Apple rants whenever anyone suggests that they prefer Macs to PCs -- even when the preference is stated no more challengingly than, "Why, yes, I do own a Mac."

    I've been a Mac owner for about six years and a Mac user off and on for twenty. (I've also owned several PCs, running, at various points, Windows 2000, Windows 95, DR-DOS, FreeBSD and a half-dozen distributions of Linux going all the way back to SLS before the kernel had hit 1.0.) While I've definitely met a few pricks among Apple users, the stupid ignorant fanboy who believes that OS X and Mac hardware is perfect in every meaningful way only seems to exist in those flaming, spittle-flecked anti-Apple rants. What seems to offend some PC users is simply the fact that by owning a Mac at all we are making a statement that we think OS X is better than Windows and Linux. Dear Lord, we've expressed a preference -- what arrogant fools we must be.
  • Re:Since when? (Score:3, Interesting)

    by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday March 21, 2007 @01:45PM (#18431471)

    Apple has now extended their monopoly to include pretty much everything Apple branded...

    Congratulations. Your post is so stupid it made me spill my soda while laughing out loud at what a moron you are. You obviously don't know what a monopoly is, but you somehow assume you know better than all the lawyers and economists in the world and for some reason your uninformed opinions must be correct. I actually read your post twice looking for the "ha ha I'm kidding no one is really this dumb" comment. Comedy gold.
