More drama with Apple's AirPort security
Summary: Apple released updates to its wireless networking drivers last week, and they appear to have raised more questions than they answered.
AirPort Update 2006-001 (version 1.0) was released with the note that it "improves AirPort reliability on Macintosh computers" and is only for Apple's AirPort Extreme cards. An AirPort security update was also included in Security Update 2006-005.
Some have questioned whether Apple's wireless update was released specifically as a result of the MacBook WiFi hack that was shown by David Maynor and Jon "Johnny Cache" Ellch at the Black Hat conference in Las Vegas last month.
According to CNET reporter Joris Evers, "Apple's security patches are not related to the Black Hat presentation."
ZDNet's own George Ou has defended the hacking duo and asked Apple some tough questions that have yet to be answered. He's even asking readers for questions he should ask the duo at a conference that opens Friday in San Diego. Judging by the 143+ TalkBack comments, he appears to have hit a nerve.
According to Engadget, Apple claims that Maynor and Ellch's employer (SecureWorks) hasn't shown them any specific information; "however, on its own, Apple discovered a problem, then released security and wireless patches."
Wi-Fi Net News' Glenn Fleishman notes that Maynor and Ellch are scheduled to speak at Toorcon 8 in San Diego on 29 September 2006. From the Talk Details on the Toorcon Web site:
This presentation won't be a typical as it will cover the complete story, but it will also offer analysis and commentary of public responses while at the same time giving anyone who has a question a chance to have it answered.
Hopefully we'll finally get to put this issue to bed.
Talkback
This would be George_Ou's opportunity to VINDICATE himself.
Other platforms
True. But then I don't recall other platforms' users getting hysterical trying to say it ain't so. And insulting security experts and journalists left, right and center when they dare say or even imply that their platform might be vulnerable. I don't recall other platform vendors trying to hide the truth from the public, and being in serious denial mode. Then fixing the very same flaws but saying the two are not related.
Time for a serious smackdown. Is it the 29th already?
I hope the Apple fanboys are taking the rest of this week to work on their apologies...
Total recall
---I hope the Apple fanboys are taking the rest of this week to work on their apologies...---
You mean like the ones Maynor and Ellch have already had to issue for their comments about Mac users?
serious denial?
Mac users on this and other forums I have been reading haven't been denying that M&E found a hack - what we've consistently complained about are the following issues:
1. M&E didn't do a straight hack - they used a third party card (which they duly noted), but then mentioned that they did so to "protect the manufacturer" from exposure. After holding the MacBook up to the camera to be sure you knew they were hacking a Mac? WTF kind of "protection" is that?
2. They next didn't tell us that the hack they used required TWO cards for them to be able to perform the hack in the demo the way they did. Which they did NOT mention in the video.
3. In an interview with the Post's Krebs, they allege that the MacBook's internal card is also susceptible to the same hack, but don't provide any proof, nor does Krebs offer proof of the demo he said he was given in an exclusive.
4. When people in the Mac world begin to question the methodology used by M&E, people like Krebs and Ou write further blog articles offering a defense of M&E, but without additional proof or answers to the many questions that the initial video raised.
I won't try to go into the many technical issues - I am not technically trained enough to do so, but many such issues have been raised that M&E and SecureWorks have refused to answer.
I say it again, nobody that is seriously involved in either the technical or journalistic world regarding the Macintosh platform will ever deny that the Mac OS is invulnerable, nor that there have never been patches issued by Apple to cover such vulnerabilities. It is not invulnerable, and there HAVE been patches for such issues in the past, just as there will be in the future.
What has gotten under the skin of many of us is the rabid tendency of both Windows fanboys and Windows centric journalists to trumpet such an ill-managed demo by researchers that have made such rabidly anti-mac comments and have subsequently failed to provide Apple with the necessary code to find and patch the claimed vulnerability.
What I will say to all of you is this:
Regardless of how this particular brouhaha turns out, if in the future, some responsible researcher finds a vulnerability, notifies Apple, who then issues a patch and gives that researcher credit, THEN you can crow till your hearts' content, and I will come back and admit to that issue, and will not try to deny anything. I will, in fact, thank that researcher for trying, and succeeding, in making my chosen platform safer to use.
But until then, unless M&E succeed in demoing at Toorcon that their claim was, in fact, the very vulnerabilities Apple just patched, then I will continue to say that their demo was poorly set up, badly publicized, and especially targeted at Apple in an attempt to garner publicity for their jointly authored upcoming book, as well as their demos at both the Black Hat conference, and at Toorcon. You cannot deny that, in that, they have succeeded.
I for one, will listen for their demo at Toorcon to see if they will vindicate themselves, or prove themselves to be boobs. In fact, if they DO vindicate themselves, they will also prove themselves to be irresponsible researchers after all.
How? Simple. If they prove to the world that Apple was incorrect in their recent patch comments that those patches did not patch M&E's vulnerability, they simultaneously prove that they purposely held back that information from Apple in their communications with them.
How do I know that? Because Apple has a stellar history of crediting researchers who DO find and cooperate with Apple in fixing those issues. To the contrary of what Windows fanboys here and elsewhere try to say, Apple has not tried to brush this under the rug. All they can do as a company is wait for a researcher to contact them.
Actually, that's not all; the other thing they can do is just what they did: audit their own software based upon public reports about the issue. Apple does not live in a vacuum, they can and do read these forums, and the news blogs, and are apparently capable of looking for vulnerabilities themselves. Which is just what they did, and when M&E failed to provide them with what they needed, they looked themselves.
Did they find the same thing? I don't know, I am not technically trained in writing software. But Apple, who DOES have such people, says they are not the same. They have no reason to lie; it could be exposed as such at Toorcon, if it were.
To me, and a lot of other reasonable people looking at this, M&E don't look good, they started this out with a bad attempt at publicity, and have failed to contact even those bloggers that have been supporting them to settle the issue.
Your mileage may (and undoubtedly will) differ, but we will all be waiting to hear what they have to say at Toorcon this week.
Peter loves that Strawman
uh, did you forget the zero-day IE exploit coverage?
one more thing...
-cough_Ou _cough-
Thanks, ZDNet, for at least ONE fairly balanced look at this issue.