There has been a vicious, orchestrated assault on researcher David Maynor and the company SecureWorks claiming that Maynor and SecureWorks falsified their research presented at Black Hat 2006. In a video demonstration, Maynor completely took over an Apple MacBook using a vulnerability in a third party wireless driver. MacWorld's Jim Dalrymple was the first to regurgitate this bogus story on Thursday and followed up with "MacBook Wi-Fi hack exposed" by calling the original research a "misrepresentation". David Chartier of "The Unofficial Apple Weblog" went as far as saying "SecureWorks admits to falsifying MacBook wireless hack". Plenty of other media outlets were fed the same story, but most of them knew better and refused to run this bogus story. But once Digg and Slashdot ran with this story on Friday, all hell broke loose and the story has infected the blogosphere.
I was absolutely shocked when I ran across these stories on Digg. I had personally video interviewed Maynor and his partner Jon "Johnny Cache" Ellch and these two gentlemen were very honest and straightforward. But as soon as I read the stories, the stench began to rise. Maynor and SecureWorks had been telling the truth the entire time and they had falsified nothing. The only falsification going on was the stories themselves! Not only did Dalrymple and Chartier and others like them not follow the most basic of journalism principles to at least check with the source, they apparently didn't even bother looking at the original video of David Maynor released by SecureWorks.
So what exactly are Maynor and SecureWorks accused of falsifying? They are accused of "admitting" that the wireless hack was an exploit of a third party device and a third party driver. The only problem with this accusation is that it isn't exactly news since this is precisely what Maynor and company have been saying all along. This was not only evident in my video interview, but it was even in Maynor's original video demonstration along with every other news report earlier this month during Black Hat. In the first 20 seconds of the original video, Maynor bluntly states:
David Maynor: "Don't think however just because we're attacking an Apple, the flaw itself is in an Apple. We're actually using a third party wireless card".
Here's a transcript of my video interview asking about third party hardware and drivers.
George Ou: "Why would they be at fault... it would seem to me that the people that wrote the code have nothing to do with Apple"
David Maynor: "Right"
George Ou: "This is not an exploit on the AirPort card from Apple?"
David Maynor: "No"
So Maynor and SecureWorks have been telling the truth about this being a third party driver and hardware from the very beginning and they never misrepresented anything. If anything, Maynor went out of his way to avoid implicating any issues on the part of Apple because Brian Krebs of The Washington Post reported that Apple had leaned on Maynor and SecureWorks not to disclose the fact that the default Mac wireless hardware and default drivers were in fact vulnerable as well. When I asked Maynor about this at Black Hat, Maynor would not confirm or deny whether Apple had leaned on him or not, saying that he didn't want to discuss it at the moment. Brian Krebs, who himself had been flamed by Mac enthusiasts, defended himself by releasing a word-for-word transcript of an audio tape interview he had with David Maynor in his hotel room. The transcript clearly reveals that Maynor had demonstrated the same exploit on a Mac without any third party wireless hardware! It also turns out Maynor chose an external third party hardware wireless adapter to avoid focusing attention on possible Apple hardware and software issues which may endanger Mac users.
I'm going to f***ing kill you and your dog!
When I contacted David Maynor by email and later phoned him late Saturday night, Maynor was very disturbed by the whole incident. He had already been receiving hate mail and even death threats at the Black Hat convention, but the threats had escalated with this latest fabricated story about him falsifying his research. In one such threat, the person stated "I'm going to f***ing kill you and your dog" to which Maynor replied "I don't have a dog". Maynor was even more disgusted with the despicable way this story was set up and then planted in the press, though I've been asked not to reveal any more details at this time. What I can tell you is that Maynor and SecureWorks will not be taking this lying down and the fireworks will start in the next couple of days. [Update 3/21/2007 - Apple set this whole thing up]