×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

How Apple Orchestrated Attack On Researchers

kdawson posted more than 7 years ago | from the no-way-to-win-friends dept.

Security 389

An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

389 comments

Did you know.. (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18424515)

Steve Jobs has a cave under his house?

So I don't get it... (5, Interesting)

CatOne (655161) | more than 7 years ago | (#18424521)

All this "smear campaign" stuff... talking about how Apple really hammered him on the clarification of whether it was a 3rd party driver. And George gets indignant that Apple asked this to be done.

Yes, you could see in the video that they used a 3rd party driver. However, was it really CLEAR that the exploit only existed for the 3rd party driver? Maynor and Ellch certainly did NOT dwell on this -- they in fact spent more time saying they enjoyed doing this because Mac users were "smug."

And, gullible as the press is, the press most certainly did NOT report "3rd party flaw exposes OS X security hole!" It was more along the lines of "OMGMACCRACKOVERWIRELESS!" It was days before it was clear, and even then it was necessary to specifically explain this to people. Sure, the video showed this, but the fact of the matter is that most people, including the press, did not UNDERSTAND this fact... and this was clearly obvious from the reaction to the matter in the first place.

And what I also don't get is... what are you really showing if you use a 3rd party wireless driver to hack a MacBook which has BUILT-IN wireless? Sure, you can do it, but is that a realistic scenario? I mean, I could compromise someone's system if I stole it and they didn't have disk encryption turned on as well... is that a hack?

Re:So I don't get it... (4, Insightful)

Jeff DeMaagd (2015) | more than 7 years ago | (#18424645)

It's not necessarily implausible. How about better wireless? Wireless-n is faster and has longer range, but is not available to the original Core Duo models. Upgrading the built-in wireless is possible, but not easy. One can consider an add-on.

But the quality of third party device drivers isn't really something you can blame Apple for, at least I don't think so. I don't blame Microsoft or Linus if nVidia fubars a driver, I blame the company whose name is on the driver.

Re:So I don't get it... (4, Informative)

fyngyrz (762201) | more than 7 years ago | (#18424675)

Well, I guess it's moot right now, since Apple broke it's wireless support thoroughly with the 2007-002 update [apple.com] back at the beginning of March, and has remained silent about addressing the problem since then. I've been back to wired connections for weeks now.

It is somewhat problematic to try to hack a connection that won't connect. :-)

I suppose eventually they'll fix this; the silence is a little disturbing, though. It seems... poorly thought out.

Re:So I don't get it... (1, Insightful)

huber (723453) | more than 7 years ago | (#18424897)

I read that thread. And while I won't argue that those individuals are not having problems, I'd like to point out that many people including myself have had no problems with that or any recent updates, including 10.4.9. In fact, the wireless on my Macbook pro has improved very much since i got it a few months ago.

Re:So I don't get it... (4, Interesting)

fyngyrz (762201) | more than 7 years ago | (#18425021)

No question that the update worked for some people. Including - presumably, anyway - the developer who built it.

But the thread I pointed out was but one of many that has sprung up this month, each with several, sometimes many, Mac users going "say... what the heck?" Take look at the other threads. Tons of people talking about failures, with one or two saying "worked for me." Lots of well-intentioned people (not from Apple) suggesting workaround attempts (try deleting your lists of trusted networks, switch encryption modes, use ethernet) and no one saying "here is Apple's fix." That's not the ratio you want to see.

My own situation is Mac centric; I use a mini Intel dual-core as the source of the wifi, and normally have various Mac clients, an XP client, a Wii client and a PS3 client. The update hosed me; no individual client or set of clients can connect to the mini more than once; the mini has to be rebooted before a new connection can be opened. My network is open; no passwords, no WEP or WPx or etc.; There are no other wifi networks within reception range, no competing signals in the same spectrum (rural life has at least these advantages), and the distance of any client to the mini is less than 30 feet along any one vector - meaning full strength reception, basically - so it is about the simplest situation you can imagine.

Everything had been working perfectly until 2007-002. Since then, I've added the .9 update to the OS, no change. Considering that adding 2007-002 to the mini broke the XP machine's ability to play client, I'm rather convinced that there are multiple problems - most reports talk about their Mac not talking to a hub (such as a DLink) - so they can't have broken host for them, only client; while in my situation, the Mac *is* the host, and the update would not have affected the XP, Wii or PS3 clients, though it could, and apparently did, hose my Macbook pro and the other minis. So there are at least two problems, one for host use and one for client use.

It is an interesting and frustrating situation. I hope it is resolved shortly. I don't much like having Ethernet strung all over the place at home, and I can't take my Macbook pro anywhere and get online via wifi; it won't connect unless it is wired. Luckily I have an ethernet connection at work, we don't use wifi there; but I *was* in the habit of surfing at the coffee shop, the doctor's office, the hospital and at friend's houses. You don't realize how much you're going to miss convenience like that until it's gone.

Re:So I don't get it... Me Neither ... (1)

SteveM (11242) | more than 7 years ago | (#18424913)

Since my wireless connections, on my dual G5 and my TiBook work just fine ..

Although a quick check at Mac Fix It does discuss the problem: http://www.macfixit.com/article.php?story=20070318 234944267 [macfixit.com]

Curious

SteveM

Re:So I don't get it... Me Neither ... (1)

fyngyrz (762201) | more than 7 years ago | (#18425035)

The problem I am talking about first reared its head in the 2007-002 update, not the .9 update (though I have little doubt that it exists there as well.)

ATTN: SWITCHEURS! (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18424951)

If you don't know what Cmd-Shift-1 and Cmd-Shift-2 are for, GTFO.
If you think Firefox is a decent Mac application, GTFO.
If you're still looking for the "maximize" button, GTFO.
If you don't know Clarus from Carl Sagan, GTFO.

Bandwagon jumpers are not welcome among real Mac users [atspace.com] . Keep your filthy PC fingers to yourself.

Re:So I don't get it... (1)

billcopc (196330) | more than 7 years ago | (#18425127)

It is somewhat problematic to try to hack a connection that won't connect. :-)

Don't you get it ? That's the fix for the exploit! Hey it works for Microsoft!

Re:So I don't get it... (5, Insightful)

xzvf (924443) | more than 7 years ago | (#18424719)

The bottom line here is not that OSX is a secure operating system (it is to a great extent). We should look at this article as an example of how closed source and protectionist behavior is detremental. Apple makes a good product and I own some of their hardware, but I prefer to have open systems based on open standards whenever possible. Or maybe I should say transparent. Most SEC rules for public companies are designed to allow investors to see the company's financial behavior. Many interested eyes means an honest market (despite occasional dishonest behavior we trust the market with our 401Ks, if we didn't we'd have gold bars under our mattress). Apple's secretive nature and marketing spin is in many ways a bad thing for consumers in the long run. Do you really trust Apple to always provide a solid OS, your music and video, and phone service without some checks and balances? I would prefer true freedom. That's not to say Apple hasn't earned some level of trust, but if we can't verify, how long will that last?

Re:So I don't get it... (2, Interesting)

The_Wilschon (782534) | more than 7 years ago | (#18424919)

OTOH, just to play the devil's advocate, you might say that the closed nature of Apple allows them more freedom to innovate with new modes of operation. If there were more transparency in Apple and its competitors, then certain things that Apple might do would be considered trustworthy. If they tried to branch out into new territory business-model and software-management-model wise, then we would be able to see that, and since most people don't trust change, they would lose market- and mind-share. With a closed system, they are evaluated entirely on their end results, so they are more free to innovate internally, and might well find some new internal mode which turned out to be better than anything done before.

In short, in a totally open system, things might tend to get locked up by process.

I don't think it actually works out to be better, on balance, to have a closed system, but going to an open system is not purely beneficial to the market. In order to demonstrate that an open system is better overall, you not only have to show that it has benefits, but that those benefits outweigh the costs.

Re:So I don't get it... (0, Insightful)

Anonymous Coward | more than 7 years ago | (#18424819)

I'm not a mac user but wasn't the month of apple bugs a real joke ? I don't recall any serious bugs ever popping up....

Re:So I don't get it... (0)

Ilgaz (86384) | more than 7 years ago | (#18425063)

I'm not a mac user but wasn't the month of apple bugs a real joke ? I don't recall any serious bugs ever popping up....
You don't have to be a Mac user, being a geek or knowing what opensource is enough to discredit them.

Day 2 was a VLC bug which is an open source project. They could login to CVS whatever and add that one liner fix which they didn't. Colloquy which they exploited to attack freenode is an open source product too. Same deal.

Re:So I don't get it... (1, Funny)

Rodness (168429) | more than 7 years ago | (#18425089)

Exactly. The "Month of Apple Bugs" was, for the most part, the "Month of Bugs that are Mostly Indirectly Related to Apple Because They Just Happen to Involve Software Running on the Mac Which Didn't Come From Apple".

As I recall there were a few bugs (a very significant minority) in there that Apple had some responsibility for, but they were obscure and there were no known in-the-wild attacks.

MoAB was nothing but a smear campaign. I'm happy to see Apple smearing them back.

Re:So I don't get it... (3, Interesting)

civilizedINTENSITY (45686) | more than 7 years ago | (#18424859)

"However, was it really CLEAR that the exploit only existed for the 3rd party driver?"

But it should not have been *clear*, since the exploit did exist for Apple drivers as well as the 3rd party. It was only because Apple leaned on them to show the exploit with 3rd party drivers that it was done that way. So they cooperated with Apple, and got hosed for it.

Nelson (-1, Troll)

LurkerXXX (667952) | more than 7 years ago | (#18424523)

This story deserves a 'haha' in the tagging beta if any ever did.

Apple got a very deserved smackdown. I hope they handle themselves better in the future.

Re:Nelson (1, Insightful)

cloricus (691063) | more than 7 years ago | (#18424713)

Does it really?
I'm not mac fanboy (in fact I'm a Linux fanboy) but I do like my mac laptop and I don't really have an opinion on Apple so my point of view on the topic really sees this as a none issue.
 
Both parties handled the wireless 'hack' (3rd party driver doesn't really count on built in/OS supported by default hardware) badly and had their own motives for their actions.
Though the Month of Apple Bugs, as a mac user, just appeared to be either a stunt by Apple or a stunt by some one else no one cares about to show off mac security compared to windows. And really the end result was that Apple had to fix a ton of bugs; as a mac user this made me happy and happier when Apple sent several patches to my mac with these fixes in short order.
 
So really I see this as a null event and its effect on my opinion of Apple has only changed in two regards as a result: they will fix bugs quickly and well (regardless if this is accurate or not, remember I'm a user who really doesn't care - eg average mac user) and that with a huge security community pushing to crush 'smug' mac users outlooks on osx they only found 62 critical bugs. Seriously, 62, that's it, what a joke.
 
Again as a mac user this just improves my view of Apples commitment to security. Plus I think it would prove to be a comical point if there were to be such a serious Month of Windows Bugs! "Oh see my mac only had 62 bugs, your windows pc has what? 12,085,387? Have fun with that virus scanner, firewall, and content filter you need to run just to reduce your risk of your windows box getting infected!"
 
At the end of the day all OS have bugs and companies have to deal with them they way they see fit; and the users have to accept that or switch operating systems. It's not like you don't have a choice; heck I'm a linux user who bought a mac for a spare computer that would 'just work' when debian sid decided that my computer wasn't some thing it wanted to play with.

Re:Nelson (1)

Anonymous Coward | more than 7 years ago | (#18424891)

If you think 62 is not a significant number you need to wake up and stop drinking your hippie juice, this represents more than half of windows 2003 product lifetime security bugs. so to put in perspective that is 2 years of MS bugs in a month of research hmmmm yeah keep living in your dream world where 62 bugs is small number for just a couple of guys poking around.

Re:Nelson (2, Informative)

falcon5768 (629591) | more than 7 years ago | (#18424905)

no you need to stop smoking the M$ cock. Microsoft documented well over 476 "critical" bugs of the nature OS X had.

Re:Nelson (2)

LurkerXXX (667952) | more than 7 years ago | (#18424943)

You seriously don't think 62 is a lot for a a couple researchers to find in one month? This was hardly an extensive complete audit of MacOS. It was what they found in 30 days. Sorry, that just doesn't seem confidence inspiring to me.

Shooting fish in a barrel (4, Insightful)

93 Escort Wagon (326346) | more than 7 years ago | (#18424525)

It doesn't seem like Apple needed to do much to make those guys look bad - they did a darn good job of it all by themselves [slashdot.org] .

ATTN: Windows/Linux refugees! (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18425159)

The only thing more pathetic than a PC user is a PC user trying to be a Mac user. We have a name for you people: switcheurs.

There's a good reason for your vexation at the Mac's user interface: You don't speak its language. Remember that the Mac was designed by artists [atspace.com] , for artists [atspace.com] , be they poets [atspace.com] , musicians [atspace.com] , or avant-garde mathematicians [atspace.com] . A shiny new Mac can introduce your frathouse hovel to a modicum of good taste, but it can't make Mac users out of dweebs [atspace.com] and squares [atspace.com] like you.

So don't force what doesn't come naturally. You'll be much happier if you stick to an OS that suits your personality. And you'll be doing the rest of us a favor, too; you leave Macs to Mac users, and we'll leave beige to you.

i didn't know that. (4, Funny)

User 956 (568564) | more than 7 years ago | (#18424527)

An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer.

Karl Rove is Apple's PR director?

HURR HURRRRHURRRRRRRRR (0)

Anonymous Coward | more than 7 years ago | (#18424861)

I can't stop. Seriously. Is Olbymann your puppetmaster?

More commentary here (4, Informative)

Anonymous Coward | more than 7 years ago | (#18424529)

Geez, don't leave out Matasano's response [matasano.com] . George Ou is a tool.

George Ou? (4, Informative)

vought (160908) | more than 7 years ago | (#18424535)

Is this the same guy who doesn't know Gerbils from Goebbels [macalope.com] ?

This all sounds a little fantastic to be true. Most folks at Apple I know don't have time for an agenda. And speaking of agendas, George Ou's definitely got a hard-on [zdnet.com] for Apple.

Re:George Ou? (4, Insightful)

lactose99 (71132) | more than 7 years ago | (#18424597)

Most folks at Apple I know don't have time for an agenda.

I take it you don't know anyone from Apple's [slashdot.org] legal [theregister.co.uk] department [wsj.com] ?

Re:George Ou? (3, Funny)

vought (160908) | more than 7 years ago | (#18424623)

I take it you don't know anyone from Apple's legal department?

No, I only hang out with the smart people - the engineers.

Re:George Ou? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18425043)

Well, you can't expect a PC user to know his history lessons, can you? I've never met a PC user with any interests outside dorkdom.

Re:George Ou? (1)

NetwrkEngr (1044550) | more than 7 years ago | (#18425101)

So how is the post you linked incorrect? And how does it show he has a "hard-on" for Apple? It seems to be a pretty accurate assesment of privilege escalation on the two systems to me...

Apple is Evil. (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18424537)

As evil as Microsoft. And Jobs is just as bad as Gates. Call me a troll and call this a flamebait, but I truely believe the only way to keep things in check is transparency, open source and community review.

Son, we don't like yer type 'round here. (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18424789)

We don't take kindly to people who point out painful truths about our idols here. Steve Jobs is one of them thar geniouses and everything he has come up with is gold.

I bet you don't even like that feller in them Apple/Pee Cee commericals.

Re:Apple is Evil. (0)

Anonymous Coward | more than 7 years ago | (#18424901)

Well! I certainly won't be needing to ask your opinion of GM, then!

Re:Apple is Evil. (4, Insightful)

mkiwi (585287) | more than 7 years ago | (#18424939)

Call me a troll and call this a flamebait... ok, i will.

Let me ask you this-
What has Microsoft ever done for the open source community other than to try to undermine Linux?
What has Apple done to support the open source community?
Do technologies like hardware acceleration for X windows, more focus on open standards (Open LDAP, SMB, etc.), make Apple as evil as microsoft?

Jobs is as bad as Gates in some respects, but a blanket statement like this cannot possibly apply in all aspects of their work. Is Bill bad because he is supporting his charity now? Is Steve Jobs bad for spending his own money to make an animation company that produced quality family films? You can't judge on one level- it's simply impossible. Your argument needs better qualification. Saying that you like "open source and community review" will earn you a few karma points on slashdot, but in my book that post was all about "Apple is Evil."

< pinky to corner of mouth >

Re:Apple is Evil. (1, Informative)

Ant P. (974313) | more than 7 years ago | (#18425003)

Well then, I'll do my part for that cause by pointing out Firefox's development process is just as bad as Apple.

Here's a few of my favourite bugzilla bugs, in ascending order of bullshit:
#324253., a cross site XSS exploit which nobody responsible for the code seems to care about.
#45375, a request to make tooltips not cut off at an arbritrary length, which they refuse to fix in Firefox apparently out of spite.
#18574 - The MNG bug... you really have to see this farce with your own eyes. Especially the bit where the asshole in charge of the image code stated that the MNG DLL has to fit within his deliberately impossible to reach size requirements before he'd even consider re-adding it.

Re:Apple is Evil. (2, Funny)

KuRa_Scvls (932317) | more than 7 years ago | (#18425177)

People like you never get satisfied, even in the polls.

They give you the option to choose CowboyNeal, and do you take it? NO!

Sheesh.

Doesn't quite wash (4, Insightful)

djupedal (584558) | more than 7 years ago | (#18424549)

Right, since ZDNet is such a long time Apple/Mac news and information source - and let's just overlook the phishing code embedded in the MoAB web page(s).

I doubt the real truth has actually surfaced just yet, and it may be a long time, if ever, that it does.

Re:Doesn't quite wash (1)

webword (82711) | more than 7 years ago | (#18424579)

Exactly.

What's the real story? Also, who has the resources and inclination to continue?

Re:Doesn't quite wash (2, Informative)

Ilgaz (86384) | more than 7 years ago | (#18424987)

For OS X outsiders and people watching only "MOAB are nice guys trying to help" sites, MOAB actually tried and succeeded to DOS OS X default browser Safari on their day 29 error page.

It would be a bit understandable if they displayed that malformed jp2 to .apple.com IPs but they didn't. They attacked unsuspecting end user trying to inform himself/herself which is completely unacceptable. If you remember Safari is a tabbed browser, a huge chance of information loss was there too.

Go Figure! (4, Insightful)

PO1FL (1074923) | more than 7 years ago | (#18424569)

Face it, any OS that widely-used (read: "popular") enough is going to be subjected to bug exploitation. Even Linux has bugs http://www.wired.com/news/linux/0,1411,66022,00.ht ml [wired.com] although, _WAY_ less than M$. In an open source OS the bugs get fixed, IMO, faster and more reliably than your weekly M$ patch. The point is, ITS GOING TO HAPPEN!

Re:Go Figure! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18424923)

Noone denies Linux has bugs, and noone denies that Windows has bugs, but until recently every Apple apologist from here to cupertino was adamant that OS X was perfect. Amazing how the tune has changed now.

Re:Go Figure! (2, Interesting)

Ilgaz (86384) | more than 7 years ago | (#18425015)

Some of these "researchers" think Apple community consists of "maccies" who thinks their system is super secure by default.

Those people are minority.

There are very popular and sometimes expensive security products on Mac which consists of Application filtering firewalls, antiviruses (yes, check download numbers) and many more. Of course there are some snake oil sellers (Not Intego, I don't agree) who tries to exploit the user interest and ship zero function crap. Sadly, they are popular too.

There are some anti-rootkit packages recently which seems to be BSD/Linux focused. While they couldn't find anything, non techie users spared time and download them and sent their comments to sites like Versiontracker.

The PR rule Apple forgot (0)

Anonymous Coward | more than 7 years ago | (#18424573)

You can lie about unverifiable truths, but not about verifiable truths.

I don't quite buy it. (5, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#18424575)

I'll accept that the MoAB was definitely a result of the furor and press over the wireless vulnerability. But I'm not sure that I believe the smear campaign / character assassination part. Honestly, Apple really didn't need to bother; those guys' original presentation was so sketchy that they practically invited criticism themselves. First they'd say one thing (that it affected all Macs) but then they demo'ed it with a totally different hardware setup, with no good explanation as to why, producing countervailing views as to whether all Macs were really that insecure in their default state, etc. There's no way you can spin the way the vulnerability was announced as a well-managed affair. The whole thing stank from the beginning.

At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'yes' answer. So as a Mac user, I'm not really unhappy at all that MoAB happened, for whatever reason. I'd rather have stuff out in the open, and patched quickly, than some sort of quasi-secret (because, let's face it, if more than one person knows about it, it's not a secret anymore) unpatched vulnerability. I like Apple's gear but that doesn't mean I don't think they need to get a swift kick in the ass every once in a while to stay on top of things.

Whoops -- correction. (2, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#18424629)

At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'yes' answer.


Should read: At any rate, though, I don't think it's really any surprise that large parts of Apple still bow to the notion that "if there's a bug in the code, and nobody outside of the company knows about it, is it really a bug?" somehow warrants a 'no' answer.

In other words, big portions of the Mac OS are still developed as closed-source products, or by people who probably were trained in that mindset, where a bug really only matters once it's widely disclosed.

I've never bought this, because frankly I just don't trust people to keep their mouths shut while a company fixes things at their own pace. I'd rather see bugs get tons of press, and force companies into hauling their developers in on overtime and fixing the thing ASAP, so that the time before first discovery and patching is minimized. I would rather everyone know about it (including administrators and owners who can take defensive measures) than try to cover it up for as long as possible, maximizing the chance that the Russian mafia or other black hats will get their hands on an unknown (to everyone else) vuln.

Some parts of Apple seem much more comfortable with full disclosure than others, and I'm perfectly comfortable with bludgeoning the parts that aren't if that's what it takes. As a Mac user, I'm not at all displeased about MoAB, regardless of its motivations.

Re:I don't quite buy it. (1)

Wazukkithemaster (826055) | more than 7 years ago | (#18424631)

how could you ever know that you were the ONLY person in the world that knew something? You wouldn't even know it was a secret... you'd probably ruin it for everybody else (i mean nobody else...) or do i?

Ou appears to be a liar (4, Informative)

samkass (174571) | more than 7 years ago | (#18424583)

From one of the folks accused of conspiring with Apple:

http://www.tuaw.com/2007/03/20/clarification-on-th e-macbook-wi-fi-hack-conspiracy/ [tuaw.com]

"While I'm flattered at the possibility of Apple even talking to me, the truth of the matter is that the company pretty much ignores TUAW, and most other Apple-related blogs, entirely. Honestly: Fox and I never exchanged so much as a "mwahaha" over email, or any other form of correspondence for that matter. I've never been contacted by anyone from Apple regarding anything besides the fact that one of my older PowerBook's warranties was about to expire, and that AppleCare would be a great way to stay within their graces."

Re:Ou appears to be a liar (0)

Anonymous Coward | more than 7 years ago | (#18424683)

Mod parent up. Ou is mad paranoid, or he's just a moron trying to generate page views via controversy. Journalism at its best.

Re:Ou appears to be a liar (5, Insightful)

PhoenixK7 (244984) | more than 7 years ago | (#18424799)

Honestly, this whole post of his seems to me to be incredibly stupid. All he's saying here is that Apple tried to force them to clarify that the were using a 3rd party card, and they were. Where does all this "smear" crap come from. The more released about this whole thing, the more it becomes clear that the original "researchers" where being somewhat unclear in their disclosures, and that Apple simply wanted them to clear it up. I SERIOUSLY doubt that Apple called up TUAW and said something to the effect of "We've got a situation here, we need to discredit these guys.." It just doesn't make any sense. All that's clear here is that the "researchers" made an error in not disclosing all the facts of their hack. They used a Mac to make it appear that Mac OS X was just as vulnerable as any other operating system, and didn't come up with an exploit for actual Apple hardware and drivers. Hell, they still haven't even identified the maker of the card. The WHOLE presentation, boils down to being about as effective as making their own hardware device and drivers and finding and writing in a flaw to exploit. We still have no clue if this was a pre-discovered flaw in that card's driver. Additionally, the recent presentation displaying a crash of the same MacBook running 10.4.6 only demonstrates that they may have done the same thing with Apple's older drivers. They figured out the flaw Apple patched and then worked out an exploit for it.

Stop posting anything about these guys, they don't deserve the publicity, and all this crap about smearing and breaking Apple's hardware is both moot and full of willful misinterpretation. These guys are attention seekers and no more.

Re:Ou appears to be a liar (1)

civilizedINTENSITY (45686) | more than 7 years ago | (#18424903)

Well except that the exploit worked for Mac HW too. The email sent by Apple with notice to be placed on the web site didn't say, "Note: we said it was a third party driver", which would have been true, they did. Rather it was to force them to say, "...is reliant the use of a third party driver. In short, the answer is yes. The MacBook is not inherently vulnerable to the attack, and I never said that it was." Which is *not* true, and indeed is a lie. That is the core of the problem. Apple wanted them to lie, and when they wouldn't tell the lie, they were called liars.

Re:Ou appears to be a liar (2, Insightful)

SteveM (11242) | more than 7 years ago | (#18424937)

Well except that the exploit worked for Mac HW too.

Do you have any proof of this, other than Maynor-Ellch claims? An actual instance of the exploit working on Mac HW? Because I've not seen any.

And George Ou doesn't count.

SteveM

Re:Ou appears to be a liar (0)

Anonymous Coward | more than 7 years ago | (#18425125)

Stop posting anything about these guys, they don't deserve the publicity

Come on, get real! Slashdot will post anything that gets them lots of page hits. This has been known(*) for a long, long time.

* - outside of Slashdot, where the grownups hang out.

yep, they sure showed apple... (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#18424587)

All that time researching flaws in Apples software, saving Apple money having to do it, pointing out problems Apple might not have found for months or years, or until malicious hackers began exploiting them, allowing Apple to patch them.

Yup, I bet Apple is REAL sorry now.

Microsoft bugs? (3, Insightful)

Damek (515688) | more than 7 years ago | (#18424617)

Does Microsoft give free PR to "security researchers" every time it patches a bug? How about various linux software projects, do they crow openly about those who find bugs in their software? Or do they just patch the bugs?

Everything I've read about this suggests the "security professionals" are looking for fame and Apple doesn't care. I don't either. As long as bugs get patched, and Apple seems to have done so in a timely fashion, at least as much as Microsoft and other software companies do.

Re:Microsoft bugs? (3, Informative)

ZachPruckowski (918562) | more than 7 years ago | (#18424805)

Actually, most of the Linux security update notices I get clearly say who found the bug/exploit.

Re:Microsoft bugs? (1)

The Bungi (221687) | more than 7 years ago | (#18424911)

Except the Mozilla ones that are "protected" so no one can look at them, or the ones that were released by the researcher after getting frustrated with the Mozilla developers, in which case there is no attribution.

Re:Microsoft bugs? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18424843)

Yes Microsoft clearly attributes credit to the security researchers that report security bugs to them in both the knowledge base article and the security advisory as does linux and most other responsible vendors that are interested in working with the security community. Apple doesn't "get" security, it never has, but with its increasing popularity it is going to be forced into the harsh reality that ignorance is not bliss.

You can smear shit.... (4, Insightful)

Senjutsu (614542) | more than 7 years ago | (#18424637)

but it doesn't make it look any worse. How do you hurt the image of a pair of morons who already do an incredible job of making themselves look like asshats?

MOAB as "revenge"? A number of "Apple's" bugs as listed in MOAB were in third-party software (VLC on day 2 for fuck's sake!), the same as their original hyperbolic wireless exploit shenanigans. And then they go and use an exploit on the site, and act like petulant children in their communication with others through the site, all the while crying foul that they aren't being treated like serious security professionals.

Re:You can smear shit.... (0)

Anonymous Coward | more than 7 years ago | (#18424703)

That's a flat out lie and you know it. http://projects.info-pull.com/moab/ [info-pull.com]

Re:You can smear shit.... (2, Informative)

Ilgaz (86384) | more than 7 years ago | (#18425047)

That's a flat out lie and you know it. http://projects.info-pull.com/moab/ [info-pull.com]
What lie?

http://groups.google.com/group/moabfixes/browse_fr m/thread/41c76ee5cbadc74 [google.com]

They frozen Safari for God's sake, a tabbed browser. I was suspicious about the alleged IRC attack to Freenode #macdev channel but I became sure about it after that day.

They released another exploit (a DOS actually,again!) for my favorite browser, Omniweb and Omni Group fixed it in 2 hours, Sunday, Macworld times. Those assholes still didn't update their lame , trying to be funny page suggesting people to use another browser.

We were talking about whining security researchers (!) who hated the response time of vendor yes? What about fixing your God damn page thanking Omnigroup and other 3rd party vendors for a quick fix?

What a continuing cry for attention (4, Informative)

NMerriam (15122) | more than 7 years ago | (#18424651)

This is not "news" by any stretch of the imagination. Ou is only now "at liberty" to discuss the matter? I remember quite clearly while the whole wireless driver brouhaha was happening that he and the researchers were claiming Apple was running a "smear campaign" against them -- a campaign that everyone else in the security community and press was somehow unaware of, given how massive Ou claims it to have been.

Apple never claimed there were no flaws in their drivers, I don't know how many more times this can possibly be stated to Ou, if it is necessary to use shorter words with fewer syllables or what. Apple's only statement on the whole matter was that Maynor never provided any specific information to Apple as to what this specific security hole was supposed to be. He jumped up and down and waved his arms and told Apple they needed to fix it real soon, but neither he nor Ou nor anyone else has provided any kind of documentation indicating he gave any actual, useful information to Apple about this security vulnerability. He just made vague pronouncements about wireless security and then expected Apple to read his mind, as far as all the available evidence can prove.

Yes, Apple released patches for network drivers after this whole announcement was made -- they released patches for network drivers before then, too!

Ou continues to be either grossly deceived, completely inept at actually investigating and reporting, or so caught up in his ego that he can't recognize he's been played like a piano.

This is not a case of Apple hiding their heads in the sand, running a smear campaign, or fanbois refusing to accept that something could be less than perfect.

Provide some actual evidence and people will listen to your fearmongering, but it's been a year already since this "huge vulnerability" was disclosed and the most we've seen is a computer crash!

Re:What a continuing cry for attention (1)

civilizedINTENSITY (45686) | more than 7 years ago | (#18424931)

Actually Apple tried to force the researchers to state that there were no holes in Apple drivers. Seems wrong to me.

Re:What a continuing cry for attention (1)

civilizedINTENSITY (45686) | more than 7 years ago | (#18424949)

The Washington Post seems to disagree with your version of history: "Update on the Apple Macbook Claims

Apple today issued a statement strongly refuting claims put forth by researchers at SecureWorks that Apple's Macbook computer contains a wireless-security flaw that could let attackers hijack the machines remotely. "

D All of the Above (1)

SteveM (11242) | more than 7 years ago | (#18424955)

Ou continues to be either grossly deceived, completely inept at actually investigating and reporting, or so caught up in his ego that he can't recognize he's been played like a piano.

And an asshat to boot.

SteveM

David Maynor is being oppressed! (0)

Anonymous Coward | more than 7 years ago | (#18424665)

It seems that some things that this guy claims isn't totally correct, or is deceptive, or is missing a critical piece of information. It seems like he is never ready, willing, and able to explain himself clearly.

Maybe Apple did rake him over the coals, but it seems very unlikely that Apple had any kind of campaign against him. In fact, if they did, he'd likely have legal recourse.

I look at him as a mere self-promoter looking for some limelight.

I wouldn't hire him to do any security-related activities. And yeah, I'm looking for someone to do just that.

well (1)

mastershake_phd (1050150) | more than 7 years ago | (#18424705)

Apple continued to claim that there were no vulnerabilities in Mac OS X

All systems have vulnerabilities, how can they say that with a straight face?

Re:well (1)

falcon5768 (629591) | more than 7 years ago | (#18424757)

they never did, Ou is lying out of his ass. Hell the simple fact that OS X has a thing called "security updates" proves that Ou is lying out of his ass.

Ou has this mistaken belief that Apple was attacking him and the two guys who did the exploit. The facts of the time though show that not only did Apple pretty much ignore them, but the rest of the "security world" they are hiding behind completely bashed them for their gall.

If you check out Ou's blog, you will find that while he targets Apple in particular, he has conspiracies for just about every company out there against him. Basically he's the 2000's version of Dvorak.

Re:well (2, Interesting)

Cid Highwind (9258) | more than 7 years ago | (#18424797)

Apple continued to claim that there were no vulnerabilities in Mac OS X

All systems have vulnerabilities, how can they say that with a straight face?


They didn't say it. They just didn't rush to fall on their swords for some undisclosed third party's driver bugs fast enough for Ou, Maynor and Ellch's taste.

March is 'month of slow news days' on slashdot. (4, Funny)

tinkertim (918832) | more than 7 years ago | (#18424731)

Everyone else gets to name a month. Dammit I want one too.

So in other words... (1)

The Lost Supertone (754279) | more than 7 years ago | (#18424755)

So in other words, security guys say OS X has problems, Apple says nuh uh, security guys risk the security of all the Macs out there by posting vulnerabilities for our machines that can be exploited. Wow, yah thanks for that, you really showed Apple with that... and risked my Mac's security. Thanks, thanks a ton! Way to keep Apple "honest." Do you get how sarcastic I'm being.

Re:So in other words... (1)

ocelotbob (173602) | more than 7 years ago | (#18424833)

Would you feel better if they would have done like most people who try to find security holes and simply sold that info to the highest bidder? Least with reasonable disclosure, you have some chance of trying to mitigate the problem through security policy.

Re:So in other words... (2, Insightful)

falcon5768 (629591) | more than 7 years ago | (#18424899)

Except they never disclosed the info to Apple directly, which was the point of everyone in the security community who bashed them. They just released the info during Black Hat (misrepresenting what the problem actually was) all the while making fun of Apple and Mac users.

Their entire presentation did a lot more harm to their case than the exploit ever could have left untouched. Ou is just picking up the pieces left of his credibility now since the entire IT world slammed him hard and exposed him for being a liar.

3rd party hardware; drivers built-in to Mac OS X? (0)

Anonymous Coward | more than 7 years ago | (#18424769)

Maybe the drivers are built-in to the OS, and that is why Apple had some responsibility here, even if it was 3rd party hardware.

Reasonable question... (3, Insightful)

jpellino (202698) | more than 7 years ago | (#18424795)

Do Maynor, Ellch, KF and LMH in fact speak for " the security community"?

Played or not, Maynor and Ellch came out swinging at Mac users and attacked them on attitude's sake alone.

Last summer, KF was blogging about what a great, rapid job Apple did on its patches, and by January, he's got them on a spit in the public square, and baiting Apple and its users.

Is this to be the public face of the security community?

What I got from the original video, taken on its face, is that the MacBook was not vulnerable, that the exploit was for some 3rd party vendor's stuff, but they were going to use the MacBook just to cheese off Apple users, whose attitudes they perceived as lousy. Human memory being what it is, like Orson Welles' The War Of The Worlds radio broadcast, they had to realize after watching the remaining lion's share of the video that people would mostly retain the image of a MacBook getting pwned.

Beyond the mechanicals, my other impression was that if they were going to demo an important vulnerability and chose to wrap it in several layers of personal feelings for a specific bunch of people, they might be skilled, but they're still unprofessional.

I'm not sure if George is trying to paint them as choirboys or simply C his own A.

Skeptical (4, Insightful)

Colitis (8283) | more than 7 years ago | (#18424813)

Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist).

I believe they actually claimed they hadn't had the vulnerability in question demonstrated to them. The fact that they later patched *a* vulnerability in wireless drivers doesn't necessarily prove anything. If it does, then as an Apple basher, my future plan will be:

a) announce that I've found a vulnerability in in $OSX_FEATURE.
b) ignore requests for details, proof, etc
c) be universally regarded as an idiot
d) Wait until someone else finds a vulnerability in $OSX_FEATURE and Apple patches it.
e) trumpet from the rooftops that I said there was a vulnerability in $OSX_FEATURE months ago and OMG! Apple denied it and look, they've just fixed it and I was right all along!
f) Smugly watch the sensationalist articles about how Apple bullied me.

Re:Skeptical (1)

Steve--Balllmer (1070854) | more than 7 years ago | (#18424867)

g) Contact George Ou (or Paul Thurrott, John Dvorak, or any other "technology expert" with a blog) and have him write some incredibly inane piece of drivel about your prosecution, and wait for the ad hits to come in. h) Await my Acer Ferrari laptop to come in from Redmond

Re:Skeptical (2, Informative)

civilizedINTENSITY (45686) | more than 7 years ago | (#18424969)

Washington Post: "Apple's Fox said that prior to the Black Hat demo, SecureWorks did contact Apple about a wireless flaw in FreeBSD, the open-source code upon which Apple's OS X operating system is based. In January, FreeBSD released a patch to fix the problem, which according to the accompanying advisory, related to a flaw in the way FreeBSD systems scanned for wireless networks that could be exploited to allow attackers to take complete control over the targeted machine."

Apple exploit code (3, Insightful)

lancejjj (924211) | more than 7 years ago | (#18424825)

From the article:

[The blogger Wu] specifically asked Maynor and Ellch if they were using Apple's Wi-Fi hardware in their official Black Hat demonstration. They clearly said that no Apple Wi-Fi product was used for the exploit.
Finally the truth comes out - Maynor's Wi-Fi vulnerability demonstration had nothing to do with Apple's Wi-Fi products. He was just using the Apple platform for presentation impact. Otherwise it would have been an even more boring talk than it was (at least for us technical guys). Ah.... ...um, didn't we learn about this trick a few months ago? Is this another SlashDup, or is there some finer point in his long post that I'm missing?

Oh! I see! There are lots of ADVERTISEMENTS on this blog page! Phew! This was a great way to drive traffic! Thanks ZD-Net, for the "news"!!!

Now I'll turn on CNN and watch the "news" about the next dreaded disease from Asia that could kill my children (and see Viagra ads at the same time.)

hows it feel? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18424847)

how do you fanbois like getting fucked in the ass by faggot faggity apple? do you feel like you've been fucked hard and long? well, you have been. you got the aids in the ass from faggot apple.

Re:hows it feel? (0)

Anonymous Coward | more than 7 years ago | (#18425077)

Ann .... is that you babe?

I am confused (2, Insightful)

pudge (3605) | more than 7 years ago | (#18424877)

Um ... why does Ou think those researchers should get credit for uncovering a vulnerability in Mac OS X that (Ou reminds us over and over again) they themselves claimed, from the beginning, that they did not uncover?

And when did Apple ever "claim that there were no vulnerabilities in Mac OS X"? I am pretty sure that's never been said, at least, not officially. Maybe some employee spoke out of turn, but the company itself has never made that claim. Ever.

I don't know anything about Ou, but these two huge misstatements don't make me trust him ...

How do you mod a front page article as "Troll"? (3, Informative)

Dragonfly (5975) | more than 7 years ago | (#18424953)

Seriously, this whole sorry saga has been hashed and rehashed all over the web. Why should /. give these clowns any more publicity? See John Gruber's blog [daringfireball.net] for an excellent debunking of Maynor, Ellch, and Ou's claims.

Lawsuit? Anyone? (0)

Anonymous Coward | more than 7 years ago | (#18424963)

I have a friend in the security community who insists that there was also a lawsuit by Apple against David Maynor because of this incident. But he says he can't give me details because they're still confidential.

I would have thought that, by this point, with so much time gone by, and Maynor changing jobs and everything, and how bad this would look for Apple if they did bring a lawsuit against him, that surely this information would have come out by now, had there been a lawsuit. But of course, I can't prove it didn't happen, and this guy is generally very reliable and says he seen first-hand proof that it did happen, and I'd really like to know one way or the other. Is anyone in a position to comment knowledgeably about this?

Unfortunately, I have to post this anonymously for obvious reasons, in case it is true and both parties are still trying to keep it secret.

What about implementing WHQL? (2, Interesting)

Ilgaz (86384) | more than 7 years ago | (#18424965)

If this thing is completely related to 3rd party driver , it is a sign that Apple needs to adopt a WHQL like method to certificate third party drivers. I know it would sound bad but they could publicly call users not to use a certain, unmaintained driver which apparently got abandoned by hardware manufacturer.

I know MS one is not that serious but Apple could start from beginning learning from MS mistakes.

It could be more security and performance focused rather than vendor lock in.

BTW I bought a Windows only USB Wireless product by mistake (site error) and I have good clue what driver they may be talking about. If it is the case, it is completely unrelated to Apple really. Also I am not talking about Orangeware etccommercial drivers which are maintained very good.

Re:What about implementing WHQL? (1)

NoodleSlayer (603762) | more than 7 years ago | (#18425153)

There aren't many 3rd party drivers--- apart from the occasional printer driver, that are used with Mac OS X on a regular basis to begin with. Because as has been pointed out time and time again they were using a 3rd party wifi product on a laptop with wifi built in. In general about everything is built into a mac and Apple directly supports said products with drivers either written or supported by Apple.

Did MOAB work? (1)

needacoolnickname (716083) | more than 7 years ago | (#18425025)

How many bugs were exploited?

Did the people posting the bugs with their pompous attitude (as they did with the php, microsoft, and soon to be seen myspace) get the retirement in 6 months on the jobs they were looking for?

If their true and altruistic goal was to have these bugs fixed, well, they did a pretty good job. Too bad I don't believe in altruism through acting like an asshole.

Re:Did MOAB work? (1)

Ilgaz (86384) | more than 7 years ago | (#18425135)

It worked (!). Average Mac user thinks a security researcher is something that calls him names and tips homophobic accusations, attacks his browser, attacks his platform of choice freezing it.

I expected a protest from REAL security researchers about this sick kind of behaviour and childish comments/jokes.

MOAB worked actually, snake oil sellers are happy with the exploding download numbers of their products thanks to those idiots even posted a IRC attack script and removed it a bit later.

I'm all for it! (1)

iCEBaLM (34905) | more than 7 years ago | (#18425037)

Please, continue to have "Months of Apple Bugs", hell, make it every month! The more you force Apple to patch the more secure my mac will be.

Re:I'm all for it! (1)

Oswald (235719) | more than 7 years ago | (#18425187)

Sir or Madam, I commend you. Apparently you are able to use and enjoy your Macintosh without feeling the need to become a shill for this for-profit, publicly-held, multi-billion dollar corporation. Their product is not you; you are not identified or completed by your use of their product. This is a radical new concept which should receive wide dissemination.

Proof is in the using (1)

edwardpickman (965122) | more than 7 years ago | (#18425079)

If Apple is just as bad as Microsoft OSs where are all the viruses and zombing? I sometimes leave my Mac logged onto the internet for days at a time. I take a deep breath everytime I log on with an XP system. I run spybot several times a day on my PCs and never have a problem with the Mac. Why all the obsession with degrading Macs when Macs have a history of security? Better to use it as an example to Microsoft why they need to improve their security.

When was last time Apply updated Safari? (0, Troll)

zmartass (1078251) | more than 7 years ago | (#18425149)

It is amazing that the last update of Safari was made in 2005 (2.0.4). Do you believe Safari is more secure than FF and IE? Apple just is blind to their security problems. It is a company too closed nowadays.

Embarrassed for them (1)

Oz0ne (13272) | more than 7 years ago | (#18425157)

Not apple, these idiots that went to all this out of spite.

Way to be adults. I don't mind the results of a more secure OS X, but this was entirely the wrong way to do it. Completely irresponsible and childish. Shame on them.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...