How Apple Orchestrated Attack On Researchers

An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."

So I don't get it...

[CatOne]

All this "smear campaign" stuff... talking about how Apple really hammered him on the clarification of whether it was a 3rd party driver. And George gets indignant that Apple asked this to be done.

Yes, you could see in the video that they used a 3rd party driver. However, was it really CLEAR that the exploit only existed for the 3rd party driver? Maynor and Ellch certainly did NOT dwell on this -- they in fact spent more time saying they enjoyed doing this because Mac users were "smug."

And, gullible as the press is, the press most certainly did NOT report "3rd party flaw exposes OS X security hole!" It was more along the lines of "OMGMACCRACKOVERWIRELESS!" It was days before it was clear, and even then it was necessary to specifically explain this to people. Sure, the video showed this, but the fact of the matter is that most people, including the press, did not UNDERSTAND this fact... and this was clearly obvious from the reaction to the matter in the first place.

And what I also don't get is... what are you really showing if you use a 3rd party wireless driver to hack a MacBook which has BUILT-IN wireless? Sure, you can do it, but is that a realistic scenario? I mean, I could compromise someone's system if I stole it and they didn't have disk encryption turned on as well... is that a hack?

Re:So I don't get it...

[Jeff DeMaagd]

It's not necessarily implausible. How about better wireless? Wireless-n is faster and has longer range, but is not available to the original Core Duo models. Upgrading the built-in wireless is possible, but not easy. One can consider an add-on.

But the quality of third party device drivers isn't really something you can blame Apple for, at least I don't think so. I don't blame Microsoft or Linus if nVidia fubars a driver, I blame the company whose name is on the driver.

Re:

[Bretai]

I think George Ou brings up 3rd party drivers as a distraction and because it's an easier position to defend. Unfortunately for him, this isn't about 3rd party drivers for two reasons. First, David Maynor has admitted that the presentation given to Brian Krebs, before the "Hijack a Mac in 60 Seconds" piece that started it all, did not use a 3rd party wireless card. Secondly, he hasn't released the 3rd party exploit either!!

Maynor is responsible for the media attention, and Apple's response. Of course, all o

Re:So I don't get it...

[fyngyrz]

Well, I guess it's moot right now, since Apple broke it's wireless support thoroughly with the 2007-002 update [apple.com] back at the beginning of March, and has remained silent about addressing the problem since then. I've been back to wired connections for weeks now.

It is somewhat problematic to try to hack a connection that won't connect. :-)

I suppose eventually they'll fix this; the silence is a little disturbing, though. It seems... poorly thought out.

Re:So I don't get it... Me Neither ...

[SteveM]

Since my wireless connections, on my dual G5 and my TiBook work just fine ..

Although a quick check at Mac Fix It does discuss the problem: http://www.macfixit.com/article.php?story=20070318 234944267 [macfixit.com]

Curious

SteveM

Re:

[fyngyrz]

The problem I am talking about first reared its head in the 2007-002 update, not the .9 update (though I have little doubt that it exists there as well.)

Re:

[aristotle-dude]

Well, I guess it's moot right now, since Apple broke it's wireless support thoroughly with the 2007-002 update [apple.com] back at the beginning of March, and has remained silent about addressing the problem since then. I've been back to wired connections for weeks now.

Hmmm. I'm posting right now from my MBP connected to my wireless router. No problems here. I did not experience any lack of wireless network connectivity even though I was diligent in installing all updates as they came out.

Re:So I don't get it...

[fyngyrz]

No question that the update worked for some people. Including - presumably, anyway - the developer who built it.

But the thread I pointed out was but one of many that has sprung up this month, each with several, sometimes many, Mac users going "say... what the heck?" Take look at the other threads. Tons of people talking about failures, with one or two saying "worked for me." Lots of well-intentioned people (not from Apple) suggesting workaround attempts (try deleting your lists of trusted networks, switch encryption modes, use ethernet) and no one saying "here is Apple's fix." That's not the ratio you want to see.

My own situation is Mac centric; I use a mini Intel dual-core as the source of the wifi, and normally have various Mac clients, an XP client, a Wii client and a PS3 client. The update hosed me; no individual client or set of clients can connect to the mini more than once; the mini has to be rebooted before a new connection can be opened. My network is open; no passwords, no WEP or WPx or etc.; There are no other wifi networks within reception range, no competing signals in the same spectrum (rural life has at least these advantages), and the distance of any client to the mini is less than 30 feet along any one vector - meaning full strength reception, basically - so it is about the simplest situation you can imagine.

Everything had been working perfectly until 2007-002. Since then, I've added the .9 update to the OS, no change. Considering that adding 2007-002 to the mini broke the XP machine's ability to play client, I'm rather convinced that there are multiple problems - most reports talk about their Mac not talking to a hub (such as a DLink) - so they can't have broken host for them, only client; while in my situation, the Mac *is* the host, and the update would not have affected the XP, Wii or PS3 clients, though it could, and apparently did, hose my Macbook pro and the other minis. So there are at least two problems, one for host use and one for client use.

It is an interesting and frustrating situation. I hope it is resolved shortly. I don't much like having Ethernet strung all over the place at home, and I can't take my Macbook pro anywhere and get online via wifi; it won't connect unless it is wired. Luckily I have an ethernet connection at work, we don't use wifi there; but I *was* in the habit of surfing at the coffee shop, the doctor's office, the hospital and at friend's houses. You don't realize how much you're going to miss convenience like that until it's gone.

Re:So I don't get it...

[Squozen]

I know this doesn't help, but... it works for me.

Re: the point

[Herby Sagues]

What I don't get is why people concentrate on the irrelevant issue of wether a driver works or not. The article was about Apple bullying researchers, using odd legal tactics to prevent truth about their vulnerabilities for surfacing and hiring bloggers to cover their tracks. If Microsoft had done this, it would be on front page on the newspapers, and the first item on Slashdot would be "Microsoft Bullying Security Researchers". But this is Apple, so it is probably OK for them to do it.

Re:

[Graff]

Well I think that you have to understand just who is going to be vocal on the support forums. Is it going to be the people that the update worked flawlessly or is it going to be people who encountered problems? Obviously most people visit support forums to complain about problems so you are going to get a much larger ratio of "it's broke" to "it works".

For what it's worth the update worked flawlessly for me on several systems I have that use wireless. I'm not saying that there is no problem for other peo

Re:So I don't get it...

[Dogtanian]

Nice try at FUD. I work with 3,000 Mac (Education) and we've encountered ZERO problems connecting to our Wi-Fi.

I assume you intended replying to a different post to the one you *actually* replied to. At any rate, what's the feelgood (but equally false) opposite of FUD? This smacks of it, because you've given us an unsubstantiated (and suspiciously vague) claim and as an AC, we can't even judge your credibility via your posting history.

There isn't even enough detail to speculate on the reasons that you supposedly had such a smooth ride. But that's assuming that you didn't just make it all up in the first place.

Re:

[dubbreak]

I call BS. Even if they work in education and they manage or know someone who manages 3000 macs I really doubt they ALL connect via wireless to the local area network. It makes no sense. In an office or education setting (school, university etc) there is no reason to not use wired. Presumeably the labs and offices would have been wired with CAT5 a long time ago as wireless has only become affordable lately (long after computers were used in education and connected via a LAN). From performance, reliability a

Re:So I don't get it...

[xzvf]

The bottom line here is not that OSX is a secure operating system (it is to a great extent). We should look at this article as an example of how closed source and protectionist behavior is detremental. Apple makes a good product and I own some of their hardware, but I prefer to have open systems based on open standards whenever possible. Or maybe I should say transparent. Most SEC rules for public companies are designed to allow investors to see the company's financial behavior. Many interested eyes means an honest market (despite occasional dishonest behavior we trust the market with our 401Ks, if we didn't we'd have gold bars under our mattress). Apple's secretive nature and marketing spin is in many ways a bad thing for consumers in the long run. Do you really trust Apple to always provide a solid OS, your music and video, and phone service without some checks and balances? I would prefer true freedom. That's not to say Apple hasn't earned some level of trust, but if we can't verify, how long will that last?

Re:

[The_Wilschon]

OTOH, just to play the devil's advocate, you might say that the closed nature of Apple allows them more freedom to innovate with new modes of operation. If there were more transparency in Apple and its competitors, then certain things that Apple might do would be considered trustworthy. If they tried to branch out into new territory business-model and software-management-model wise, then we would be able to see that, and since most people don't trust change, they would lose market- and mind-share. With a

Locked up by process?

[myowntrueself]

In short, in a totally open system, things might tend to get locked up by process.

Debian.

Thats all, just Debian and their record on timely releases.

Re:

[10Ghz]

"They are, and always have been, an insanely brutal monopolist."

In what market does Apple have a monopoly?

"which is why Apple is getting sued by the European Union."

um, no they are not. And what would they be sued for?

"Want to see fair use? Try buying an Apple computer without OS X on it."

I also can't buy a Nokia phone without the Nokia OS in it. Oh the humanity! And why would you want to get a Mac without OS X? What would you gain from that that you couldn't gain from simply buying the computer and erasing

Re:

[99BottlesOfBeerInMyF]

Apple has now extended their monopoly to include pretty much everything Apple branded...

Congratulations. Your post is so stupid it make me spill my soda while laughing out loud at what a moron you are. You obviously don't know what a monopoly is, but you somehow assume you know better than all the lawyers and economists in the world and for some reason your uninformed opinions must be correct. I actually read your post twice looking for the "ha ha I'm kidding no one is really this dumb" comment. Comedy gold.

Re:So I don't get it...

[civilizedINTENSITY]

"However, was it really CLEAR that the exploit only existed for the 3rd party driver?"

But it should not have been *clear*, since the exploit did exist for Apple drivers as well as the 3rd party. It was only because Apple leaned on them to show the exploit with 3rd party drivers that it was done that way. So they cooperated with Apple, and got hosed for it.

Re:

[CatOne]

Is this documented somewhere or is this more stuff that George Ou is "hinting at?"

Would love to see some actual details on this, if it's true.

Re:So I don't get it...

[civilizedINTENSITY]

At the risk of being redundant (posting this to other similar replies): Does the Washington Post count? Security Fix Brian Krebs on Computer Security "Indeed, as I reported earlier, in his hotel room on the eve of that presentation, Maynor showed me a live demo of him exploiting the built-in Macbook drivers to break into the machine from another laptop -- without a third party card plugged in." Try the first URL in the article and search for Washington Post, then follow the links to the story.

Not really

[TheConfusedOne]

The big problem is that Maynor has yet to release exploit code or crash dumps for the alleged native hack.

The burden of proof remains on those who claimed the exploit, they've managed to utterly fail to live up to that burden. (Maynor's last demonstration only produced a DoS crash with the lame excuse of not wanting sniffers to get his exploit code for not showing the "pwnage".)

Re:So I don't get it...

[LO0G]

From the list (http://projects.info-pull.com/moab/):
1 and 3 were in quicktime (an apple product, but not Mac specific)
4 was in iLife (mac specific)
9, 10, 11, 12, and 13 were related to loading .DMG files, which are Mac specific.
14 was in appletalk
15 was in the permissions on the /Applications directory
23 was in QuickDraw (mac specific)
24 was in the Mac auto-update logic
28 was in the crash dump handling logic
29, and 30 were in various Mac specific utilities (iChat, Safari, HelpViewer).

I don't think that's "a significant minority". By my guestimate, 5 of the 30 were in 3rd party apps.

Re:So I don't get it...

[Anonymous Coward]

31 issues, of which:

23 in software by Apple
1 in software by Adobe
1 in software by Insanity LLC.
1 in software by Videolan
1 in software by The Omni Group
1 in software by Javelin.cc
1 in software by Maxum Development
1 in software by Panic Inc.
1 in software by Telestream/Microsoft

31 issues, of which:

17 in OS X
8 in third party apps not installed by default
3 in Apple apps installed by default
2 in a third party app for OS X and Windows, not installed by default
1 in an Apple app not installed by default
1 in an Apple app for OS X and Windows

Shooting fish in a barrel

[93 Escort Wagon]

It doesn't seem like Apple needed to do much to make those guys look bad - they did a darn good job of it all by themselves [slashdot.org].

Re:Shooting fish in a barrel

[Overly Critical Guy]

George Ou's been beating this never-ending drum for page hits. Here's a response. [macalope.com]

To address the summary:

Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist).

They said in the notes that they did a security audit with no input from the researchers and patched what they discovered.

Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch.

Why should they have?

Re:Shooting fish in a barrel

[catwh0re]

While I congratulate slashdot on trying to post the story from the "other side". The researchers, for the most part, did all the smearing on their own behalf. The whole affair basically started with a digg article which read "Hijacking a Macbook in 60 seconds or less." This sensational headlining story was slowly diluted over time to a remote exploit on a 3rd party card. The authors claimed it could be done with the built in card, but claimed that Apple had pressured them not to demonstrate this.

No one believed this story about Apple pressuring the security researchers for 2 reasons. No security company would actually let their name be dragged through the dirt by the internet community for the sake of saving face for another company especially Apple. Secondly their story changed by the day and requests to see an exploit/method/code release were constantly denied. The only demonstration was highly dubious as it was presented as a video.

Since the fiasco came about Apple did then commission an external company to look for bugs in their airport drivers, while some bugs were found they were unrelated to the publicised "macbook remote exploit" (the security researchers gave such little information anyway.)

Then finally once all the patches were out by Apple, the security researchers piped up again claiming that the exploits they discovered were the ones that Apple had patched. (When in all reality they probably just examined the old and new drivers and looked for the differences.)

Suggestions that Apple users are blind, security unaware dummies is what caused most of the outrage. Going out claiming that the Apple user base believe they are impervious to spyware/viruses/etc. is an invitation for negative feedback. It has very little to do with "Attacking the mac-zealots precious platform"... after all much of the operating system is open source darwin, a BSD implementation.

As for the followup month-of-apple-bugs and other negative security feedback, those are most definitely not solely rooted by this sole affair. Ou is merely trying to spin them this way to provide some kind of grass-roots response to his purported conspiracy.

i didn't know that.

[User 956]

An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer.

Karl Rove is Apple's PR director?

More commentary here

[Anonymous Coward]

Geez, don't leave out Matasano's response [matasano.com]. George Ou is a tool.

George Ou?

[vought]

Is this the same guy who doesn't know Gerbils from Goebbels [macalope.com]?

This all sounds a little fantastic to be true. Most folks at Apple I know don't have time for an agenda. And speaking of agendas, George Ou's definitely got a hard-on [zdnet.com] for Apple.

Re:George Ou?

[lactose99]

Most folks at Apple I know don't have time for an agenda.

I take it you don't know anyone from Apple's [slashdot.org] legal [theregister.co.uk] department [wsj.com]?

Re:

[vought]

I take it you don't know anyone from Apple's legal department?

No, I only hang out with the smart people - the engineers.

Re:

[pizpot]

...ever met many rich engineers?

Re:

[vought]

...ever met many rich engineers?


At Apple? Fuck yeah. At least the ones who started loading ESPP in 1997 are rich today.

Besides, you can be rich and stupid or comfortable and smart. I much prefer to be (and socialize with) the latter.

Doesn't quite wash

[djupedal]

Right, since ZDNet is such a long time Apple/Mac news and information source - and let's just overlook the phishing code embedded in the MoAB web page(s).

I doubt the real truth has actually surfaced just yet, and it may be a long time, if ever, that it does.

Re:

[webword]

Exactly.

What's the real story? Also, who has the resources and inclination to continue?

Re:

[Ilgaz]

For OS X outsiders and people watching only "MOAB are nice guys trying to help" sites, MOAB actually tried and succeeded to DOS OS X default browser Safari on their day 29 error page.

It would be a bit understandable if they displayed that malformed jp2 to .apple.com IPs but they didn't. They attacked unsuspecting end user trying to inform himself/herself which is completely unacceptable. If you remember Safari is a tabbed browser, a huge chance of information loss was there too.

Go Figure!

[PO1FL]

Face it, any OS that widely-used (read: "popular") enough is going to be subjected to bug exploitation. Even Linux has bugs http://www.wired.com/news/linux/0,1411,66022,00.ht ml [wired.com] although, _WAY_ less than M$. In an open source OS the bugs get fixed, IMO, faster and more reliably than your weekly M$ patch. The point is, ITS GOING TO HAPPEN!

Re:

[Ilgaz]

Some of these "researchers" think Apple community consists of "maccies" who thinks their system is super secure by default.

Those people are minority.

There are very popular and sometimes expensive security products on Mac which consists of Application filtering firewalls, antiviruses (yes, check download numbers) and many more. Of course there are some snake oil sellers (Not Intego, I don't agree) who tries to exploit the user interest and ship zero function crap. Sadly, they are popular too.

There are some a

Re:Go Figure!

[mstone]

Oh fer Pete's sake.. Leave Artie McStrawman alone. Those of us in the Apple camp don't want him.

Once you get past your fascination with Artie, you'll see that many Mac users do not, in fact, think the Mac is utterly and totally bulletproof. OTOH, we're also aware that compromised Windows machines can be found by the hundreds of thousands in the botnets that generated some 90% of the email (spam) traffic last December, while there hasn't been a single large-scale exploit of the Mac since OS X came out.

The sheer difference in exploit numbers suggests that the Mac has some good things going for it in terms of security. Does that make the Mac perfect? Of course not. Does that make the Mac less likely to suffer data loss or force its owner to waste time checking for digital cockroaches every day?

Yes.

Re:

[vought]

That's fucking ridiculous. Any developer with a Radar account knows better.


You will never find a more wretched hive of scum and assumption than Mos Slashdot.

And you know, that makes it kind of fun sometimes.

I don't quite buy it.

[Kadin2048]

I'll accept that the MoAB was definitely a result of the furor and press over the wireless vulnerability. But I'm not sure that I believe the smear campaign / character assassination part. Honestly, Apple really didn't need to bother; those guys' original presentation was so sketchy that they practically invited criticism themselves. First they'd say one thing (that it affected all Macs) but then they demo'ed it with a totally different hardware setup, with no good explanation as to why, producing countervailing views as to whether all Macs were really that insecure in their default state, etc. There's no way you can spin the way the vulnerability was announced as a well-managed affair. The whole thing stank from the beginning.

At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'yes' answer. So as a Mac user, I'm not really unhappy at all that MoAB happened, for whatever reason. I'd rather have stuff out in the open, and patched quickly, than some sort of quasi-secret (because, let's face it, if more than one person knows about it, it's not a secret anymore) unpatched vulnerability. I like Apple's gear but that doesn't mean I don't think they need to get a swift kick in the ass every once in a while to stay on top of things.

Whoops -- correction.

[Kadin2048]

At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'yes' answer.

Should read: At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'no' answer.

In

Ou appears to be a liar

[samkass]

From one of the folks accused of conspiring with Apple:

http://www.tuaw.com/2007/03/20/clarification-on-th e-macbook-wi-fi-hack-conspiracy/ [tuaw.com]

"While I'm flattered at the possibility of Apple even talking to me, the truth of the matter is that the company pretty much ignores TUAW, and most other Apple-related blogs, entirely. Honestly: Fox and I never exchanged so much as a "mwahaha" over email, or any other form of correspondence for that matter. I've never been contacted by anyone from Apple regarding anything besides the fact that one of my older PowerBook's warranties was about to expire, and that AppleCare would be a great way to stay within their graces."

Re:Ou appears to be a liar

[PhoenixK7]

Honestly, this whole post of his seems to me to be incredibly stupid. All he's saying here is that Apple tried to force them to clarify that the were using a 3rd party card, and they were. Where does all this "smear" crap come from. The more released about this whole thing, the more it becomes clear that the original "researchers" where being somewhat unclear in their disclosures, and that Apple simply wanted them to clear it up. I SERIOUSLY doubt that Apple called up TUAW and said something to the effect of "We've got a situation here, we need to discredit these guys.." It just doesn't make any sense. All that's clear here is that the "researchers" made an error in not disclosing all the facts of their hack. They used a Mac to make it appear that Mac OS X was just as vulnerable as any other operating system, and didn't come up with an exploit for actual Apple hardware and drivers. Hell, they still haven't even identified the maker of the card. The WHOLE presentation, boils down to being about as effective as making their own hardware device and drivers and finding and writing in a flaw to exploit. We still have no clue if this was a pre-discovered flaw in that card's driver. Additionally, the recent presentation displaying a crash of the same MacBook running 10.4.6 only demonstrates that they may have done the same thing with Apple's older drivers. They figured out the flaw Apple patched and then worked out an exploit for it.

Stop posting anything about these guys, they don't deserve the publicity, and all this crap about smearing and breaking Apple's hardware is both moot and full of willful misinterpretation. These guys are attention seekers and no more.

Re:

[civilizedINTENSITY]

Well except that the exploit worked for Mac HW too. The email sent by Apple with notice to be placed on the web site didn't say, "Note: we said it was a third party driver", which would have been true, they did. Rather it was to force them to say, "...is reliant the use of a third party driver. In short, the answer is yes. The MacBook is not inherently vulnerable to the attack, and I never said that it was." Which is *not* true, and indeed is a lie. That is the core of the problem. Apple wanted them to

Re:

[SteveM]

Well except that the exploit worked for Mac HW too.

Do you have any proof of this, other than Maynor-Ellch claims? An actual instance of the exploit working on Mac HW? Because I've not seen any.

And George Ou doesn't count.

SteveM

Re:

[account_deleted]

Comment removed based on user account deletion

Microsoft bugs?

[Damek]

Does Microsoft give free PR to "security researchers" every time it patches a bug? How about various linux software projects, do they crow openly about those who find bugs in their software? Or do they just patch the bugs?

Everything I've read about this suggests the "security professionals" are looking for fame and Apple doesn't care. I don't either. As long as bugs get patched, and Apple seems to have done so in a timely fashion, at least as much as Microsoft and other software companies do.

Re:

[Anonymous Coward]

I'm not sure about Linux projects, but Microsoft regularly (always?) adds an "Acknowledgements" section to the security bulletins. An example: http://www.microsoft.com/technet/security/Bulletin /MS07-014.mspx [microsoft.com]

Re:Microsoft bugs?

[ZachPruckowski]

Actually, most of the Linux security update notices I get clearly say who found the bug/exploit.

Re:

[The Bungi]

Except the Mozilla ones that are "protected" so no one can look at them, or the ones that were released by the researcher after getting frustrated with the Mozilla developers, in which case there is no attribution.

Re:

[neil.orourke]

Does Microsoft give free PR to "security researchers" every time it patches a bug?

Actually, yes they do. You have to go to the actual release notes for each patch, but it's there.

http://www.microsoft.com/technet/security/Bulletin /ms07-008.mspx [microsoft.com], for example, credits the person who pointed it out. This is common across virtually every security update.

You can smear shit....

[Senjutsu]

but it doesn't make it look any worse. How do you hurt the image of a pair of morons who already do an incredible job of making themselves look like asshats?

MOAB as "revenge"? A number of "Apple's" bugs as listed in MOAB were in third-party software (VLC on day 2 for fuck's sake!), the same as their original hyperbolic wireless exploit shenanigans. And then they go and use an exploit on the site, and act like petulant children in their communication with others through the site, all the while crying foul that they aren't being treated like serious security professionals.

Re:

[LoRdTAW]

Apparently the MOAB [wikipedia.org] is quite useful for revenge.

Re:

[Ilgaz]

That's a flat out lie and you know it. http://projects.info-pull.com/moab/ [info-pull.com]

What lie?

http://groups.google.com/group/moabfixes/browse_fr m/thread/41c76ee5cbadc74 [google.com]

They frozen Safari for God's sake, a tabbed browser. I was suspicious about the alleged IRC attack to Freenode #macdev channel but I became sure about it after that day.

They released another exploit (a DOS actually,again!) for my favorite browser, Omniweb and Omni Group fixed it in 2 hours, Sunday, Macworld times. Those assholes still didn't update their lame , trying to be funny page suggesting people to use another browse

Re:You can smear shit....

[Weedlekin]

"Omniweb and Omni Group fixed it in 2 hours, Sunday, Macworld times. Those assholes still didn't update their lame , trying to be funny page suggesting people to use another browser."

Which of course brings up another point: how does fucking over Omni Group (who have an excellent record of responding to such things very promptly) by publicising a bug without telling them about it first count as "revenge on Apple"? How does "outing" multi-platform bugs in open source projects instead of simply supplying patches to fix them do anything whatsoever to Apple? If these people had a beef against Apple for something or other, then take it out on Apple, not products or projects that have no connection with them besides running on Apple's OS.

NB: I don't know if I'm the only one who noticed that MOAB didn't publish a single bug in Microsoft Office for the Mac despite it (a) having rather a lot of them, and (b) being much more popular on OS X than any of the 3rd. party products or projects they did "examine". Given Microsoft's notably poor record with security issues in Office for Windows, I would have thought that this would have been the first non-Apple product they looked at (closely followed by IE, MSN Messenger, Media Player, and various other known sources of a multitude of exploits on Windows). I'm not suggesting this indicates any involvement by MS in MOAB (I'm not a conspiracy theorist who believes that they're behind every spiteful bunch of childish wankers with a vitriolic hatred of Apple, Linux, or whatever), but rather that it's possibly indicative of a notable bias which the so-called "computer press" doesn't seem to have noticed.

What a continuing cry for attention

[NMerriam]

This is not "news" by any stretch of the imagination. Ou is only now "at liberty" to discuss the matter? I remember quite clearly while the whole wireless driver brouhaha was happening that he and the researchers were claiming Apple was running a "smear campaign" against them -- a campaign that everyone else in the security community and press was somehow unaware of, given how massive Ou claims it to have been.

Apple never claimed there were no flaws in their drivers, I don't know how many more times this can possibly be stated to Ou, if it is necessary to use shorter words with fewer syllables or what. Apple's only statement on the whole matter was that Maynor never provided any specific information to Apple as to what this specific security hole was supposed to be. He jumped up and down and waved his arms and told Apple they needed to fix it real soon, but neither he nor Ou nor anyone else has provided any kind of documentation indicating he gave any actual, useful information to Apple about this security vulnerability. He just made vague pronouncements about wireless security and then expected Apple to read his mind, as far as all the available evidence can prove.

Yes, Apple released patches for network drivers after this whole announcement was made -- they released patches for network drivers before then, too!

Ou continues to be either grossly deceived, completely inept at actually investigating and reporting, or so caught up in his ego that he can't recognize he's been played like a piano.

This is not a case of Apple hiding their heads in the sand, running a smear campaign, or fanbois refusing to accept that something could be less than perfect.

Provide some actual evidence and people will listen to your fearmongering, but it's been a year already since this "huge vulnerability" was disclosed and the most we've seen is a computer crash!

Re:

[civilizedINTENSITY]

Actually Apple tried to force the researchers to state that there were no holes in Apple drivers. Seems wrong to me.

Re:

[civilizedINTENSITY]

The Washington Post seems to disagree with your version of history: "Update on the Apple Macbook Claims

Apple today issued a statement strongly refuting claims put forth by researchers at SecureWorks that Apple's Macbook computer contains a wireless-security flaw that could let attackers hijack the machines remotely. "

Re:What a continuing cry for attention

[NMerriam]

That's what the Post blog (the other place that misrepresented the story too much initially to risk backing down) says, but not what Apple actually said at the time. If you read the statement by Apple, they refute that Maynor has provided them with any evidence of a flaw in their network drivers, which he stated he had but they didn't bother to fix it. They never claimed there were no flaws at all, that would be a ridiculous statement for ANY company to make about anything, they just said that they had no idea what flaw Maynor was talking about.

That's why this is such a ridiculous drama -- all Maynor or anyone else has to do to show Apple is a bunch of liars is provide the documentation trail they sent to Apple that they supposedly ignored. A year later, they still haven't provided even that, much less any evidence of the flaw itself.

D All of the Above

[SteveM]

Ou continues to be either grossly deceived, completely inept at actually investigating and reporting, or so caught up in his ego that he can't recognize he's been played like a piano.

And an asshat to boot.

SteveM

March is 'month of slow news days' on slashdot.

[tinkertim]

Everyone else gets to name a month. Dammit I want one too.

Reasonable question...

[jpellino]

Do Maynor, Ellch, KF and LMH in fact speak for " the security community"?

Played or not, Maynor and Ellch came out swinging at Mac users and attacked them on attitude's sake alone.

Last summer, KF was blogging about what a great, rapid job Apple did on its patches, and by January, he's got them on a spit in the public square, and baiting Apple and its users.

Is this to be the public face of the security community?

What I got from the original video, taken on its face, is that the MacBook was not vulnerable, that the exploit was for some 3rd party vendor's stuff, but they were going to use the MacBook just to cheese off Apple users, whose attitudes they perceived as lousy. Human memory being what it is, like Orson Welles' The War Of The Worlds radio broadcast, they had to realize after watching the remaining lion's share of the video that people would mostly retain the image of a MacBook getting pwned.

Beyond the mechanicals, my other impression was that if they were going to demo an important vulnerability and chose to wrap it in several layers of personal feelings for a specific bunch of people, they might be skilled, but they're still unprofessional.

I'm not sure if George is trying to paint them as choirboys or simply C his own A.

Skeptical

[Colitis]

Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist).

I believe they actually claimed they hadn't had the vulnerability in question demonstrated to them. The fact that they later patched *a* vulnerability in wireless drivers doesn't necessarily prove anything. If it does, then as an Apple basher, my future plan will be:

a) announce that I've found a vulnerability in in $OSX_FEATURE.
b) ignore requests for details, proof, etc
c) be universally regarded as an idiot
d) Wait until someone else finds a vulnerability in $OSX_FEATURE and Apple patches it.
e) trumpet from the rooftops that I said there was a vulnerability in $OSX_FEATURE months ago and OMG! Apple denied it and look, they've just fixed it and I was right all along!
f) Smugly watch the sensationalist articles about how Apple bullied me.

Re:

[civilizedINTENSITY]

Washington Post: "Apple's Fox said that prior to the Black Hat demo, SecureWorks did contact Apple about a wireless flaw in FreeBSD, the open-source code upon which Apple's OS X operating system is based. In January, FreeBSD released a patch to fix the problem, which according to the accompanying advisory, related to a flaw in the way FreeBSD systems scanned for wireless networks that could be exploited to allow attackers to take complete control over the targeted machine."

Apple exploit code

[lancejjj]

From the article:

[The blogger Wu] specifically asked Maynor and Ellch if they were using Apple's Wi-Fi hardware in their official Black Hat demonstration. They clearly said that no Apple Wi-Fi product was used for the exploit.

Finally the truth comes out - Maynor's Wi-Fi vulnerability demonstration had nothing to do with Apple's Wi-Fi products. He was just using the Apple platform for presentation impact. Otherwise it would have been an even more boring talk than it was (at least for us technical guys). Ah.... ...um, didn't we learn about this trick a few months ago? Is this another SlashDup, or is there some finer point in his long post that I'm missing?

Oh! I see! There are lots of ADVERTISEMENTS on this blog page! Phew! This was a great way to drive traffic! Thanks ZD-Net, for the "news"!!!

Now I'll turn on CNN and watch the "news" about the next dreaded disease from Asia that could kill my children (and see Viagra ads at the same time.)

I am confused

[pudge]

Um ... why does Ou think those researchers should get credit for uncovering a vulnerability in Mac OS X that (Ou reminds us over and over again) they themselves claimed, from the beginning, that they did not uncover?

And when did Apple ever "claim that there were no vulnerabilities in Mac OS X"? I am pretty sure that's never been said, at least, not officially. Maybe some employee spoke out of turn, but the company itself has never made that claim. Ever.

I don't know anything about Ou, but these two huge misstatements don't make me trust him ...

Re:

[ryanr]

Um ... why does Ou think those researchers should get credit for uncovering a vulnerability in Mac OS X that (Ou reminds us over and over again) they themselves claimed, from the beginning, that they did not uncover?

Where did Maynor and Ellch claim they did not discover the vulnerability?

Re:

[pudge]

Um ... why does Ou think those researchers should get credit for uncovering a vulnerability in Mac OS X that (Ou reminds us over and over again) they themselves claimed, from the beginning, that they did not uncover?

Where did Maynor and Ellch claim they did not discover the vulnerability?

That was Ou's main point: that they were not demonstrating any vulnerability in Mac OS X or Apple hardware (and therefore Apple was wrong to "smear" them). The question you should be asking Ou is, where did they ever claim they DID discover the vulnerability?

How do you mod a front page article as "Troll"?

[Dragonfly]

Seriously, this whole sorry saga has been hashed and rehashed all over the web. Why should /. give these clowns any more publicity? See John Gruber's blog [daringfireball.net] for an excellent debunking of Maynor, Ellch, and Ou's claims.

What about implementing WHQL?

[Ilgaz]

If this thing is completely related to 3rd party driver , it is a sign that Apple needs to adopt a WHQL like method to certificate third party drivers. I know it would sound bad but they could publicly call users not to use a certain, unmaintained driver which apparently got abandoned by hardware manufacturer.

I know MS one is not that serious but Apple could start from beginning learning from MS mistakes.

It could be more security and performance focused rather than vendor lock in.

BTW I bought a Windows only USB Wireless product by mistake (site error) and I have good clue what driver they may be talking about. If it is the case, it is completely unrelated to Apple really. Also I am not talking about Orangeware etccommercial drivers which are maintained very good.

Re:

[NoodleSlayer]

There aren't many 3rd party drivers--- apart from the occasional printer driver, that are used with Mac OS X on a regular basis to begin with. Because as has been pointed out time and time again they were using a 3rd party wifi product on a laptop with wifi built in. In general about everything is built into a mac and Apple directly supports said products with drivers either written or supported by Apple.

Re:

[Ilgaz]

I see "macbooks" everywhere so it will/may change in the future. I mean, popularity of Mac exploded and from driver discussion mailing list, I assume lots of vendors are "learning" how to write OS X drivers for their product.

So I suggest it for future and I also heard sort of executable/driver signing (not like MS!) coming to Leopard.

I'm all for it!

[iCEBaLM]

Please, continue to have "Months of Apple Bugs", hell, make it every month! The more you force Apple to patch the more secure my mac will be.

Re:

[Oswald]

Sir or Madam, I commend you. Apparently you are able to use and enjoy your Macintosh without feeling the need to become a shill for this for-profit, publicly-held, multi-billion dollar corporation. Their product is not you; you are not identified or completed by your use of their product. This is a radical new concept which should receive wide dissemination.

Re:

[Watts Martin]

While there are indeed real "Mac zealots" out there, there seems to be a far, far greater number of PC users who squeal like stuck pigs and go on flaming, spittle-flecked anti-Apple rants whenever anyone suggests that they prefer Macs to PCs -- even when the preference is stated no more challengingly than, "Why, yes, I do own a Mac."

I've been a Mac owner for about six years and a Mac user off and on for twenty. (I've also owned several PCs, running, at various points, Windows 2000, Windows 95, DR-DOS, Free

Proof is in the using

[edwardpickman]

If Apple is just as bad as Microsoft OSs where are all the viruses and zombing? I sometimes leave my Mac logged onto the internet for days at a time. I take a deep breath everytime I log on with an XP system. I run spybot several times a day on my PCs and never have a problem with the Mac. Why all the obsession with degrading Macs when Macs have a history of security? Better to use it as an example to Microsoft why they need to improve their security.

Re:

[spxero]

Only time will tell if Apple is just as bad as MS. While they are gaining market share, at what point do the vulnerabilities turn into money? 8%? 15%? 39%? (I'm going off of these figures [hitslink.com])

With help from third parties (AV software (no, I'm not talking Norton...), firewalls, etc.) I think Windows is a LOT more secure than it used to be. I personally wouldn't trust MS by itself. But it all goes back to market share. No system is invincible, so why not go after the biggest and milk it for all it's worth?

Stunning.

[mattgreen]

The Mac community seems really histrionic in comparison to Windows...what's the deal here?

Embarrassed for them

[Oz0ne]

Not apple, these idiots that went to all this out of spite.

Way to be adults. I don't mind the results of a more secure OS X, but this was entirely the wrong way to do it. Completely irresponsible and childish. Shame on them.

Why is this tagged FUD??

[germansausage]

Some moron keeps tagging every story with a claim that may or may not be true as FUD.

Please stop it.

FUD has a very specific meaning. Pay attention - FUD stands for Fear, Uncertainty, Doubt. It is a marketing strategy that spreads, you guessed it, Fear Uncertainty and Doubt about a competitors product. Every statement you disagree with is not FUD. Not every untruth is FUD. Not all FUD is untrue for that matter.

Thank You, that is all. /rant

Re:

[93 Escort Wagon]

Every statement you disagree with is not FUD.

Welcome to Slashdot - it sounds like you're new here.

For a lot of /.ers it's obvious that FUD = "anything I disagree with". And, if they have mod points, they replace FUD with "-1, Flamebait" moderations.

Are you fucking kidding me?

[LKM]

I thought Ou had lost all credibility by now. He's biased and stupid. I know that sounds harsh, but for heaven's sake, read his blog posts! He compared Apple to Nazi Germany, not even knowing how to spell Joseph Goebbels ("Joseph Gerbils [macalope.com]", I'm not kidding!), and he called Fox using a number he got in a confidential mail from Maynor [daringfireball.net]. I mean, geez!

The people he accuses have gone on the record saying that Fox had not contacted them. Chartier says: [macalope.com]

What a riot: no, I have never been contacted by Fox or anyone else from Apple regarding any of this stuff. In fact, I'm not even receiving those post-support call surveys or notices that my Mac warranties are about to expire and that AppleCare is an affordable way to stay within Apple's graces.

This whole story only exists in Ou's head. Apple orchestrated nothing at all, the "researchers" discredited themselves all on their own, simply by claiming different, contradictory things at different times.

George Ou is nothing but a Troll. Can we please just ignore him?

So called researchers.

[ThePhilips]

I'm sorry to chime in with stupid comment. But sorry this is Slashdot so here I go ;-)

I'm sick tired of such "researchers". Back in good old days they were simply called "testers" - and their job was look for bugs localize them and report to developers. Instead of reporting bug all they do is create a "sensation" or "scandal".

Apple might not the best company when it comes to PR (actually probably second worst - right after Sony) but most of the problems gets resolved easily. And even then, most of the time Apple's PR reaction is ... right no reaction. The guys are used to live and work under piles of NDAs and very very rarely talk to press. Or rather they organize events if they want to announce something. (I'd rather give thumb up to Mac fan boys for smoking the so called "researcher" into clear. Because that what I believe took place.)

Rise of Internet unfortunately attracted hunters for cheap publicity. And most of the so called "security researchers" are fit right into the category. They relate to research equally as e.g. Britney Spears relates to music.

P.S. Disclaimers: Ex-Mac-owner. Linux developer. And yeah, I know how to write secure programs and what QA is.

Forget responsible exploit publishing?

[Lethyos]

I am the worst (or best, depending on your point of view) kind of Apple apologist, but any attempt from any company to stifle, ignore, or deny security research is not just silly, it is reprehensible. Companies with products where security is a concern should always respond with acknowledgement of the research, credit to the researchers, and evidence proving the validity of the claim either way. Then, of course, release a fix in due time if necessary. These same corporate entities ask for courtesy from the security community in notifying them first of problems, but yet many still react negatively to this valuable community-provided service. For those who behave properly, this restraint should be afforded. For those who respond as Apple have done, the appropriate response is, I think, exactly what happened: a flurry of publicized of exploits without prior and exclusive notification. Proceding in this fashion creates an incentive to take security concerns seriously and disintentives to burry them.

Re:

[cloricus]

Does it really?
I'm not mac fanboy (in fact I'm a Linux fanboy) but I do like my mac laptop and I don't really have an opinion on Apple so my point of view on the topic really sees this as a none issue.

Both parties handled the wireless 'hack' (3rd party driver doesn't really count on built in/OS supported by default hardware) badly and had their own motives for their actions.
Though the Month of Apple Bugs, as a mac user, just appeared to be either a stunt by Apple or a stunt by some one else no

Re:

[LurkerXXX]

You seriously don't think 62 is a lot for a a couple researchers to find in one month? This was hardly an extensive complete audit of MacOS. It was what they found in 30 days. Sorry, that just doesn't seem confidence inspiring to me.

Re:

[godawful]

the MOAB didn't discover all of those 62 bugs, they found 31, 6 of which involved 3rd party software.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Cid Highwind]

Apple continued to claim that there were no vulnerabilities in Mac OS X

All systems have vulnerabilities, how can they say that with a straight face?

They didn't say it. They just didn't rush to fall on their swords for some undisclosed third party's driver bugs fast enough for Ou, Maynor and Ellch's taste.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Apple is Evil.

[mkiwi]

Call me a troll and call this a flamebait... ok, i will.

Let me ask you this-
What has Microsoft ever done for the open source community other than to try to undermine Linux?
What has Apple done to support the open source community?
Do technologies like hardware acceleration for X windows, more focus on open standards (Open LDAP, SMB, etc.), make Apple as evil as microsoft?

Jobs is as bad as Gates in some respects, but a blanket statement like this cannot possibly apply in all aspects of their work. Is Bill bad because he is supporting his charity now? Is Steve Jobs bad for spending his own money to make an animation company that produced quality family films? You can't judge on one level- it's simply impossible. Your argument needs better qualification. Saying that you like "open source and community review" will earn you a few karma points on slashdot, but in my book that post was all about "Apple is Evil."

< pinky to corner of mouth >

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Apple is Evil. (Links)

[shoolz]

How hard would it have been to include the URLs?

#324253 [mozilla.org], a cross site XSS exploit which nobody responsible for the code seems to care about.
#45375 [mozilla.org], a request to make tooltips not cut off at an arbritrary length, which they refuse to fix in Firefox apparently out of spite.
#18574 [mozilla.org] - The MNG bug... you really have to see this farce with your own eyes. Especially the bit where the asshole in charge of the image code stated that the MNG DLL has to fit within his deliberately impossible to reach size requirements before he'd even consider re-adding it.

Re:

[Ilgaz]

It worked (!). Average Mac user thinks a security researcher is something that calls him names and tips homophobic accusations, attacks his browser, attacks his platform of choice freezing it.

I expected a protest from REAL security researchers about this sick kind of behaviour and childish comments/jokes.

MOAB worked actually, snake oil sellers are happy with the exploding download numbers of their products thanks to those idiots even posted a IRC attack script and removed it a bit later.

Nov 14, 2006

[Foerstner]

Nov 14, 2006 [apple.com] was the last time WebKit was updated.

With the latest patches, according to Secunia, Safari has 4 outstanding unpatched advisories, of which the most severe is "Less critical."

By comparison, Firefox 2 has 3 unpatched Secunia advisories, with the most severe also being "Less critical."

IE6 has 20 unpatched advisories, with the most severe rated "Moderately critical." IE7 has 7 unpatched advisories, with the most severe also rated "Moderately critical."

Re:

[Graham J - XVI]

...or someone who understands that its *nix core is inherently more secure than the NT core.

Re:Truth in advertising

[mstone]

---- Apple's massive marketing campaign would have you believe that on the day your Mac shows up, it will be impenetrable by viruses.

Pragmatically, Macs are impenetrable by viruses, and have been for years.

If you want to counter that argument in concrete terms, by showing a Mac virus with 1/100th the penetration of Blaster, Nimda, Sobig, et al, feel free. If you can't, you'll have to admit that historically, Macs have not been penetrated to 1/100th the degree that Windows machines have.

If you want to make a hard prediction that Macs will be penetrated to N degree within the next X months, go ahead. If not, you'll have to admit that you can't be confident in making such a prediction.

If you want to present evidence that Macs are about to be compromised through a specific vector, trot it out. If you can't, you'll have to admit you don't have any evidence that would support such a claim.

If all you can really bring against the Mac is a pack of abstractions that boil down to, "nothing is perfect," nobody cares. It's a truism that has no practical meaning.

If you want to say something useful about a Mac's vulnerability, put it in concrete terms. Is having your Mac hijacked by malware more or less likely than getting killed in a car crash? Is it more or less likely than dying by falling down the stairs? Is it more or less likely than being struck by lightning? Is it more or less likely than winning the lottery? Is it more or less likely than having a meteorite come crashing through your roof?

If you think it's more likely than any of those things, show me the numbers to back it up.