More drama with Apple's AirPort security

Apple released updates to its wireless networking drivers last week, and the updates appear to have raised more questions than they answered.

AirPort Update 2006-001 (version 1.0) "improves AirPort reliability on Macintosh computers" and is only for Apple's AirPort Extreme cards. An AirPort security update was also included in Security Update 2006-005.

Some have questioned whether Apple's wireless update was released specifically as a result of the MacBook WiFi hack that was shown by David Maynor and Jon "Johnny Cache" Ellch at the Black Hat conference in Las Vegas last month.

According to CNET reporter Joris Evers, "Apple's security patches are not related to the Black Hat presentation."

ZDNet's own George Ou has defended the hacking duo and asked Apple some tough questions that have yet to be answered. He's even asking readers for questions he should ask the duo at a conference that opens Friday in San Diego. Judging by the 143+ TalkBack comments, he appears to have hit a nerve.

According to Engadget, Apple claims that Maynor and Ellch's employer (SecureWorks) hasn't shown it any specific information; "however, on its own, Apple discovered a problem, then released security and wireless patches."

Wi-Fi Net News' Glenn Fleishman notes that Maynor and Ellch are scheduled to speak at Toorcon 8 in San Diego on 29 September 2006. From the Talk Details on the Toorcon Web site:

This presentation won't be a typical as it will cover the complete story, but it will also offer analysis and commentary of public responses while at the same time giving anyone who has a question a chance to have it answered.

Hopefully we'll finally get to put this issue to bed.

  • This would be George_Ou's opportunity to VINDICATE himself.

    I guess we will all have to continue waiting for as The APPLE Turns here in the ZDNET caves. On another note I've been hearing a lot about these same issues with other platforms.
    • Other platforms

      "On another note I've been hearing a lot about these same issues with other platforms"

      True. But then I don't recall other platforms' users getting hysterical trying to say it ain't so. And insulting security experts and journalists left, right and center when they dare say or even imply that their platform might be vulnerable. I don't recall other platform vendors trying to hide the truth from the public, and being in serious denial mode. Then fixing the very same flaws but saying the two are not related.

      Time for a serious smackdown. Is it the 29th already?

      I hope the Apple fanboys are taking the rest of this week to work on their apologies...
      • Total recall

        I don't recall other platform users being told they should have lit cigarettes stuck in their eyes, nor do I recall seeing Washington Post headlines declaring "Hack a Windows/Linux PC in 60 seconds".

        ---I hope the Apple fanboys are taking the rest of this week to work on their apologies...---

        You mean like the ones Maynor and Ellch have already had to issue for their comments about Mac users?
        tic swayback
      • serious denial?

        I'd say the serious denial here is on the part of the Windows "fanbois" that can't read.

        Mac users on this and other forums I have been reading haven't been denying that M&E found a hack - what we've consistently complained about are the following issues:

        1. M&E didn't do a straight hack - they used a third party card (which they duly noted), but then mentioned that they did so to "protect the manufacturer" from exposure. After holding the MacBook up to the camera to be sure you knew they were hacking a Mac? WTF kind of "protection" is that?
        2. They next didn't tell us that the hack they used required TWO cards for them to be able to perform the hack in the demo the way they did. Which they did NOT mention in the video.
        3. In an interview with the Post's Krebs, they allege that the MacBook's internal card is also susceptible to the same hack, but don't provide any proof, nor does Krebs offer proof of the demo he said he was given in an exclusive.
        4. When people in the Mac world begin to question the methodology used by M&E, people like Krebs and Ou write further blog articles offering a defense of M&E, but without additional proof or answers to the many questions that the initial video raised.

        I won't try to go into the many technical issues - I am not technically trained enough to do so, but many such issues have been raised that M&E and SecureWorks have refused to answer.

        I say it again, nobody that is seriously involved in either the technical or journalistic world regarding the Macintosh platform will ever deny that the Mac OS is invulnerable, nor that there have never been patches issued by Apple to cover such vulnerabilities. It is not invulnerable, and there HAVE been patches for such issues in the past, just as there will be in the future.

        What has gotten under the skin of many of us is the rabid tendency of both Windows fanboys and Windows centric journalists to trumpet such an ill-managed demo by researchers that have made such rabidly anti-mac comments and have subsequently failed to provide Apple with the necessary code to find and patch the claimed vulnerability.

        What I will say to all of you is this:

        Regardless of how this particular brouhaha turns out, if in the future, some responsible researcher finds a vulnerability, notifies Apple, who then issues a patch and gives that researcher credit, THEN you can crow till your hearts' content, and I will come back and admit to that issue, and will not try to deny anything. I will, in fact, thank that researcher for trying, and succeeding, in making my chosen platform safer to use.

        But until then, unless M&E succeed in demoing at Toorcon that their claim was, in fact, the very vulnerabilities Apple just patched, then I will continue to say that their demo was poorly set up, badly publicized, and especially targeted at Apple in an attempt to garner publicity for their jointly authored upcoming book, as well as their demos at both the Black Hat conference, and at Toorcon. You cannot deny that, in that, they have succeeded.

        I for one, will listen for their demo at Toorcon to see if they will vindicate themselves, or prove themselves to be boobs. In fact, if they DO vindicate themselves, they will also prove themselves to be irresponsible researchers after all.

        How? Simple. If they prove to the world that Apple was incorrect in their recent patch comments that those patches did not patch M&E's vulnerability, they simultaneously prove that they purposely held back that information from Apple in their communications with them.

        How do I know that? Because Apple has a stellar history of crediting researchers who DO find and cooperate with Apple in fixing those issues. To the contrary of what Windows fanboys here and elsewhere try to say, Apple has not tried to brush this under the rug. All they can do as a company is wait for a researcher to contact them.

        Actually, that's not all; the other thing they can do is just what they did: audit their own software based upon public reports about the issue. Apple does not live in a vacuum, they can and do read these forums, and the news blogs, and are apparently capable of looking for vulnerabilities themselves. Which is just what they did, and when M&E failed to provide them with what they needed, they looked themselves.

        Did they find the same thing? I don't know, I am not technically trained in writing software. But Apple, who DOES have such people, says they are not the same. They have no reason to lie; it could be exposed as such at Toorcon, if it were.

        To me, and a lot of other reasonable people looking at this, M&E don't look good, they started this out with a bad attempt at publicity, and have failed to contact even those bloggers that have been supporting them to settle the issue.

        Your mileage may (and undoubtedly will) differ, but we will all be waiting to hear what they have to say at Toorcon this week.
        • Peter loves that Strawman

          I think it's the only argument he can win, one where he completely makes up the argument for the other side so he can defeat it.
          tic swayback
    • uh, did you forget the zero-day IE exploit coverage?

  • one more thing...

    I just wanted to mention that this story turns out to be one of the more balanced I have seen, with less built in bias than most others...

    -cough_Ou _cough-

    Thanks, ZDNet, for at least ONE fairly balanced look at this issue.