Update on the Apple Macbook Claims

Apple today issued a statement strongly refuting claims put forth by researchers at SecureWorks that Apple's Macbook computer contains a wireless-security flaw that could let attackers hijack the machines remotely. That claim was made by SecureWorks researcher David Maynor at the Black Hat hacker conference in Las Vegas this month, as Security Fix reported.

Maynor and researcher Jon Ellch showed Black Hat attendees a videotaped demo, wherein the two claimed to take control over a Macbook. During the demo, Maynor could be seen plugging an unnamed third-party USB-based wireless card into the Macbook. The video then shows Maynor compromising the Macbook via what he said were vulnerabilities in the third-party device, but he told me and others separately that the default wireless-device drivers in the Macbook were similarly vulnerable. Indeed, as I reported earlier, in his hotel room on the eve of that presentation, Maynor showed me a live demo of him exploiting the built-in Macbook drivers to break into the machine from another laptop -- without a third party card plugged in. On Tuesday, I posted a complete transcript of the interview I had with Maynor from that evening.

Regarding SecureWorks' claim, Apple spokeswoman Lynn Fox said: "Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is. To date, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship. Whatever they are claiming to have found, they haven't shared it with us."

I have several times now asked SecureWorks to share with me more specific information to back up their claims, but so far I have received no further details. If I hear back from SecureWorks with any more material information, I will update the blog.

SecureWorks also posted an update on its site yesterday stating the following about Maynor's and Ellch's video presentation at Black Hat: "Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver -- not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available."

A variation on that statement was made by Apple last night, but as I reported this fact in my last two blog posts about this issue, I wanted more clarification from Apple as to whether it had any evidence to indicate that the actual wireless drivers in the Macbook were vulnerable to attack. Apple's revised statement today made it clear that the company had not received any evidence from SecureWorks to back up the claim that the Macbook drivers are indeed vulnerable.

A number of news outlets and blogs have picked up on these various statements and clarifications, but nowhere have I seen this tidbit: Apple's Fox said that prior to the Black Hat demo, SecureWorks did contact Apple about a wireless flaw in FreeBSD, the open-source code upon which Apple's OS X operating system is based. In January, FreeBSD released a patch to fix the problem, which according to the accompanying advisory, related to a flaw in the way FreeBSD systems scanned for wireless networks that could be exploited to allow attackers to take complete control over the targeted machine.

I looked through the last eight months of patches from Apple and could not find any evidence that it also shipped an update to correct this flaw. Fox said she would check with Apple and get back to me. Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products.

"SecureWorks has not been able to exploit this for us," Fox said. "No one has been able to show us a way to exploit our internal [wireless] device drivers with that flaw."

Update, 4:16 p.m. ET: I also spoke today with a gentleman from Atheros Communications, the company that produces the wireless device included in Apple's Macbook. The company's chief technical officer Bill McFarland had this to say, in an e-mailed statement:

"Atheros has not been contacted by SecureWorks and Atheros has not received any code or other proof demonstrating a security vulnerability in our chips or wireless drivers used in any laptop computers. We believe SecureWorks' modified statement and the flaws revealed in its presentation and methodology demonstrates only a security vulnerability in the wireless USB adapter they used in the demo, not in the laptop's internal Wi-Fi card."

By Brian Krebs  |  August 18, 2006; 4:01 PM ET
 

Comments

As a fairly loyal mac user, I'm a bit concerned that Apple now seems to have become a target of hacking/security flaw claims seemingly in an effort to crack a more difficult nut. Fortunately, they seem to have withstood these claims, but it's still a bit worrisome that people seem to be trying mainly for the challenge.

Posted by: ah | August 18, 2006 4:27 PM

Brian, you say you watched them "break into the machine from another laptop -- without a third party card plugged in" but what could they do when they "broke in"? Could they take control of the machine and gain root access? Is their video from the conference available online?

I think this is mostly grandstanding on the part of SecureWorks and they are simply trying to make a name for themselves. If they really cared about securing their clients' systems, they would be working with Apple to address the issue.

Posted by: Troy | August 18, 2006 4:51 PM

What kind of journalist would accept a video demo as proof of an exploit? I could film a demo that demonstrates my ability to hack into the Federal Reserve Bank, and transfer $100 billion into my account. What would that prove?

What kind of journalist would lead with a flamebait title like "Hijacking a Macbook in 60 Seconds or Less" when the exploit had nothing to do with Apple or the Macbook, and in fact used a third party USB wireless adapter?

A proper demonstration would be to get someone else's macbook, free of any "special modifications", and ask the hackers to demonstrate any exploit against it. All they have to do is log in, and list the files in a user directory. How hard would that have been to set up?

Posted by: uh | August 18, 2006 4:55 PM

Mr. Krebs, do you feel you were duped by the researchers? In other words, in the live demo you witnessed, do you believe they intentionally made it look to you like they were attacking an unmodified MacBook? It certainly seems that way. Please see my blog at http://www.isfym.com for additional background and opinion on this question.

Posted by: Alan Oppenheimer | August 18, 2006 5:37 PM

Well, well, well. Looks like you got punked. It's like changing the lock to a lock you have a key for then saying how easy it is to break in.

Posted by: leif | August 18, 2006 6:29 PM

Brian,

Thank you for the update today. I think that we are finally getting to the bottom of this.

I've said enough in past posts regarding my opinions of how this story was handled. I just have two points now.

First, the SecureWorks guys, ironically, used a Mac because they wanted to puncture the "smugness" that Mac users have about security. Surely, they also had publicity in mind. Things seem to have blown up in their faces on both counts. If they know of a vulnerability, they should report it.

But, truthfully, careful observers could see this from the beginning. They revealed their motivations up front. The lack of details and the showy nature of the video called their credibility into question. They were taken far too seriously by people who seemed to want their claims to be true.

Second, it is clear that vulnerabilities on the Mac are very newsworthy. Security researchers can generate publicity for themselves. Blog writers can generate lots of hits. This creates incentives for people to trump up and hype any security flaw far beyond its actual consequences. That seems to be what happened here.

An earlier case was the story of the Mac that was "hacked" over the internet, when it turned out that the attackers were given local user accounts on the machine in question.

Most Mac users I know are fully aware that their OS has vulnerabilities, but they get angry at the way these stories are long on hype and short on facts.

Can you blame them for feeling a little smug today?

Posted by: Thor | August 18, 2006 6:41 PM


In light of these events, I'd really like to know if Brian Krebs still believes that "Hijacking a MacBook in 60 seconds or less" wasn't misleading, false, and inflammatory.

Sorry to hear that you got so much hate mail about this fiasco, but after writing a headline like that and defending it to the very end of this whole charade, complaining about getting hate mail is just weaselly dodging. "Oooh, look at those bad Mac users, so upset because I dissed them based on a lie! Why can't they take dissing sitting down like good little Mac users?"

Sorry, Mr. Krebs - Mac users didn't get upset because what you said was correct and their egos were damaged. They got upset because you were willing to promote a falsehood in an inflammatory way to put down a specific demographic of computer users.

Meanwhile, tens of millions of Windows laptops are still open to being hijacked in 60 seconds. Where's the headline on that?

But it looks like the only one who got owned was Brian Krebs, who apparently got caught up in the whole "Macs are no more secure than Windows" FUD that he jumped at the first chance to SMUGLY put down Mac users who are justifiably feeling confident about their security these days.

Let's hope you do the right thing by first starting with a humble apology - the world is watching.

Posted by: Paul | August 18, 2006 6:51 PM


I should also point out that now both Apple and Atheros have both released official statements denying SecureWorks has contacted them on this issue.

Does that mean SecureWorks lied about that too? Are they not interested in allowing the manufacturers to fix the flaw as quickly as possible? Or are they going to claim at some future time that Apple "doesn't care about security or they would have fixed this flaw by now?"

And since this flaw has apparently not been fixed because SecureWorks hasn't been talking to the necessary parties, are you going to write a new article entitled "How to Hijack a Windows Laptop in 60 Seconds or Less?"

After all, according to your argument, the original title was perfectly non-inflammatory and correct in its assertions. So why not issue a new "non-inflammatory" article titled as suggested above?

Posted by: Paul | August 18, 2006 6:58 PM

What planet are you people from? Is there any even moderately experienced computer user who doesn't already know that in the right circumstances, you can hijack a Windows laptop in 60 seconds or less? Do you see a whole lot of newspaper articles entitled "Sun Rises In East"? Not so much, because part of what makes something news is that it is unusual.

Mr. Krebs, whatever other flaws there might have been in the original report, has been very much upfront about what he saw, what he was told, how it happened and how the principal players responded to follow-up questions. This is how news works. It does not emerge in a cloud of infallibility from on high. Gradually, what's emerging is something like the truth. So sorry to disappoint you, but it's seldom less messy than this. Deal with it, and lose the indignant dudgeon.

Posted by: Adam | August 18, 2006 7:48 PM

Sadly, Krebs has made his mark; the 1st article is quoted widely, the final one rarely.

swiftboating ... it's not just for politics anymore.

Posted by: Anonymous | August 19, 2006 12:01 AM

Paul, Brian Krebs stated that Apple admitted that they were contacted by SecureWorks prior to Black Hat -- Apple merely says that SecureWorks hasn't shared any code with them or demonstrated how the hack works.

Forget knowing nothing about security, sometimes I wonder if Mac zealots can even read. They're sure going to wind up with a lot of egg on their face when Apple ends up releasing a fix for this.

Posted by: n00b | August 19, 2006 12:14 AM

It's worse than Brian admits.

The USB device was NOT IN USE during the video.

The "hack" took place using the internal Apple Airport card.

Details here: http://www.smallworks.com/archives/00000461.htm

Obviously Maynor and Ellch are lying, and Krebs fell for it, hook, line and s(t)inker.

Posted by: Jim Thompson | August 19, 2006 5:15 AM

David Maynor's Q&A slides that he made available in security forums, show this Question:

[Q]
I saw some people quote you as saying the bug is in the built-in in card and other people quote you as saying as its not, who is right?
[A]
They both are. The exploit shown in the video was targeting a specific third party driver and that same vulnerability does not affect the built in card. We are, however, doing ongoing research on the built-in card as well and have shared our findings with Apple.

'Nuff said. Working on it, hence the hack per-se still does not work.

To be noted that Apple explicitly said they have received no words from Maynor and/or Ellch on how to exploit the internal driver which goes along as well with Atheros' comments that no evidence that the flaw exists or can be exploited.
The only contacts were on the kind "there are possible flaws on wireless drives around such as the ONE we found on THIS USB card".

I have no intention to take sides in this discussion (I believe both SecureWorks and Apple have ways to approach the issue at hand in a more professional and effective manner) but I can't avoid to point out that this discussion would not exist if the common and well-accepted methodology of modern science was followed:

Researchers are supposed to document and publish their work; methodology, the specific conditions and assumptions and the results of their experiments so they can be scrutinized by their peers and other independent third-parties in order to verify the validity and implications of their work.

If we really expect anybody to consider infosec research a serious profession based on scientific foundations we need to be willing to accept and demand the practices of modern science when it comes to research work.

Otherwise we will continue to discuss about secret marketing and PR agendas, veiled threats, implausibly bullet-proof (unbreakable?) software and your favorite flavor of conspiracy theories.

The above should as well be the way tech journalists should approach sensationalistic reports. Especially when it is explicitly said that the reason to show the flaw on A USB THIRD PARTY CARD slammed into a MacBook was because they wanted to jam a lit cigarette in the eyes of "smug" Mac users?

Looks like the cigarette burned their "smug" fingers instead.

I am very skeptical about any allegations of bulletproof security qualities in Apple's drivers: as there is no silver bullet in software there is no bulletproof security either, but I am equally skeptical about SecureWorks' research findings unless it is presented for public scrutiny. I realize that may happen tomorrow, next week, next month or next year (or never)...

Until then, I'll just sit and watch the fireworks or go find the facts myself.

Posted by: Seahawk | August 19, 2006 6:13 AM

Jim Thompson writes: "It's worse than Brian admits.

The USB device was NOT IN USE during the video.

The "hack" took place using the internal Apple Airport card.

Details here: http://www.smallworks.com/archives/00000461.htm"

Can you read and understand, man?

"Inspection of FreeBSD's ieee80211_input.c shows that data frames with both FC bits cleared are dropped, so this avenue isn't open as an exploit on Apple's hardware. (At least, not on the Atheros-based hardware, and I happen to know the guy who maintains the Apple Broadcom driver, and he's sure to have closed that hole as well.)

What is really telling is that Maynor and Ellch have to have known about this bug (they admit to same when they attempt to discredit me), so they MUST HAVE TRIED TO EXPLOIT IT on Apple's "Airport" hardware.

And they must have failed.

But rather than come out and state "the Airport card is not vulnerable", they decided that they must have enough sizzle in their story to get noticed. It just wasn't going to get anyone's notice if they showed their little hack on Windows. Everyone knows that Windows is swiss cheese by now."

Posted by: Seahawk | August 19, 2006 6:16 AM

More on the issue about the ifconfig showing the internal wireless used. As stated in the presentation on slide 70 at Black Hat, most often a direct return shell is not possible.

En1 actually is the built in wireless card, but you don't run this exploit against an IP, you run it against a MAC address. En1 was associated to the Linux machine (the Dell laptop) as a way to get the connectback shell to work. Normally with these types of exploits the wireless driver you exploit will either die or cease working correctly. So the USB driver carries the exploited flaw, then to carry on with the hack en1 got used as the transport for it.

Without this COMBO you could not hack the MacBook. Which goes by saying it is NOT exploitable per se, as Apple and Atheros are trying indeed to say.

Posted by: Seahawk | August 19, 2006 6:27 AM

Not only that, even the USB card ALONE is not exploitable: the driver would die. So far, thence, only if you get yourself set with two ways to carry on wireless access, one to get hacked, and the second to keep the connection alive when the hacked driver dies or stops working.

It is certainly a serious problem to be fully researched upon or spun to get some easy publicity. But it is definitely a cigarette that proved to be hurtful, only not for the intended target.

Posted by: Seahawk | August 19, 2006 6:36 AM

Mr. Krebs:

Your credibility is shot. You should offer your resignation to the Washington Post.

Posted by: George Wedding | August 19, 2006 6:54 AM

n00b,

No, the question is whether YOU can read. Apple clearly said that SecureWorks HAS NOT provided them with any information concerning the exploit that they demonstrated at Black Hat.

Brian writes that SecureWorks did contact Apple about a flaw. Apparently, this was some other flaw that has been known about for several months and was determined to not be a threat. As Brian wrote, "Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products.

"SecureWorks has not been able to exploit this for us," Fox said. "No one has been able to show us a way to exploit our internal [wireless] device drivers with that flaw."

Posted by: Thor | August 19, 2006 7:30 AM

So far, the only thing you can reasonably claim is you saw someone use a custom executable to gain access to the Macbook. For all you know, it was hooked to ssh. Yet you keep claiming more. Let's see the proof.

Posted by: Steven Fisher | August 19, 2006 10:52 AM

I posted this earlier and it was removed. Can't see why as I believe I'm sticking to the guidelines for posting so I'm posting it again and we'll see what happens this time:

". . the point here is that Mr. Krebs, as a journalist, has a duty to the public to thoroughly investigate facts and all sides of any claims to be fact.

The headline of the original has turned out to be a very one-sided slant on the facts. It is akin to writing a headline that states "Man has sex with 3 women in one night" meanwhile omitting to say that he had actually kidnapped, raped and tortured them as well.

The fact is also now coming out that the whole exercise was basically a sham and Mr. Krebs, by not being an impartial or judicious observer, reporter and investigator of the facts was party to the sham.

As a journalist you cannot take a piece of evidence provided to you by an interested party in a claim as proof of the claim and that is what Mr. Krebs did which has pretty much negated any credibility he has as an impartial reporter of the facts.

Any fool can make claims about anything and journalists have a duty to the public to report all sides of the story and take the claimants to task. Mr. Krebs pointedly failed to do this.

From now on I will certainly be taking Mr. Krebs's future "musings" as precisely that and not ascribe to them any form of journalistic credence."

Posted by: TTzz | August 19, 2006 11:52 AM

What a combination!

"Brian Krebs on Computer Security"
A lie,
Poor reporting,
Catchy title "Macbook Hacked"
Free publicity
Thank you Washington Post for being such a "reliable" news organization!

Posted by: Hugo S. | August 19, 2006 1:17 PM

Too bad that Brian sinned against the Church of Apple Perfection. Maybe you should just excommunicate him by putting him on your "do not read" list, rather than telling him to resign from the Post.

Posted by: . | August 19, 2006 1:59 PM

Mr. Krebs,

while I have to agree that your original title was a poor choice, I don't have great problems with your reporting.

It could certainly have been more probing and rigorous, but that's a matter of degrees and opinion, and of how many hours a day has. How much your own biases may have influenced your behavior is something only you can ultimately decide.

What I would like to hear from you is more about your (current) take on these two guys, given your fairly unique perspective based on your personal interactions.

The whole issue about a third party card was obviously unusual, but you were convinced by their personal demo to you that an Apple card had the same problem. Since the critical issue that has only now emerged is the fact that they used a non-standard driver (which basically reduces this problem to one analogous to booting into bootcamp and saying look: my mac is vulnerable to the malware out there!) the card issue was a perfect diversion, and you fell for it. Ok, I guess many others would have too.

But what is your take on these guys now, or don't you think they took you for a ride?

Posted by: cbum | August 19, 2006 2:26 PM

To Mr: . (above)

It's not whether he offended the Church Of Apple (Orthodox); this is a case of a reporter who was played by his sources, failed to do proper investigation, and is now refusing to retract his story. Given that Brian knew that his headline and article was going to get a lot of attention, it is more than fair to ask whether he was an unknowing dupe in all this, or whether he was an integral part of the PR plan. Given his refusal to admit he was played, the natural conclusion is he went along and did not do the necessary investigation because he knew that an anti-Mac security story would get a lot of attention.

I don't know whether he should be fired, but he is damaging the credibility of the Post.

Posted by: Bob | August 19, 2006 2:51 PM

So are the other dioceses of the COA making claims that the credibility of these sources have been damaged as well?

Gartner: "Manage Device Driver Vulnerabilities on Macs or PCs Quickly"
SDA India: "Wireless Vulnerability Comes as a Shocker"
Macworld: "Black Hat: MacBook hit with wireless hack"
Seattle Post-Intelligencer (Todd Bishop): "Hacking a MacBook"
IT Week: "Apple MacBook Hacked Through Wireless Card"
The Globe and Mail: "Experts discuss wireless vulnerability"
NetworkWorld: "Black Hat: MacBook hit with wireless hack"
Newsfactor: "Wi-Fi Cards Expose Laptops to Hackers"
The Register: "Attackers pass on operating systems"
InfoWorld: "Wireless, NAC holes on display at Black Hat"
Money: "Researchers show 'systemic' vulnerability in wireless computers"
CNET News.com: "Breaking into a laptop via Wi-Fi"
ABC News: "Experts Discuss Wireless Vulnerability"
ZDNet Blogs (George Ou): "MacBook Hack Video Draws Ire of Mac Fans"
PCWorld: "Lessons From the MacBook Hackers"
BusinessWeek: "Warning: Your Wi-Fi is Vulnerable to Attack"
USA Today: "Even offline computers can be hacked, researchers say"
InformationWeek: "Apple MacBooks, Wintel Notebooks Vulnerable to Wireless Attack"
ComputerWorld: "Don't Go Wireless at Black Hat"
SecurityFocus: "WiFi Makes Waves at Black Hat"
Computer Weekly: "Wi-Fi Attack to be Shown at Conference"
ComputerWorld: "Mac Hit With Wireless Attack"
CIO Today: "Experts Discuss Wireless Vulnerabilities at Black Hat Conference"
International Herald Tribune: "Researchers show 'systemic' wireless vulnerability"
ZDNet: "Breaking into a laptop via Wi-Fi"
The Mac Observer: "Programmers Claim to Find Common Vulnerability in Mac, Windows Laptops"
United Press International: "Researchers show new wireless PC hack"
Access Global Knowledge: "Experts Discuss Wireless Vulnerability"

Posted by: . | August 19, 2006 8:02 PM

Dear Mr. . (above again)

I'm sure the Church of Apple (COA) will get around to blasting these other media sites as this slowly filters out. But Mr. Krebs is guilty of three things: 1) Because he had the initial "exclusive" interview with SecurityFocus, his blog was the one that broke the story, and many of the other stories were based on his (lack of) reporting; 2) Mr. Krebs has dug himself further into the hole by doing additional posts and refusing to admit that even though his sources have withdrawn their claims, the original story was in error and 3) What a lot of people, including myself have been feeling, is that Mr. Krebs' initial lack of reporting was not due to oversight, but he was part of an active plan to defraud the security community. That is why the charges here are serious, and require him to come forward, at the very least, and admit he was "had".

Macs are insecure. I'm the first to admit it. They don't suffer from the plagues of spyware and other intrusive programs because of their low numbers. Apple put in a few design features that make them slightly more secure than a default Windows installation, but the hype that Krebs quotes about "poking a cigarette into the eye of Mac users" suggests something else is behind this entire episode.

Learn from others' mistakes, Mr. Krebs - admit you were wrong.

If you could do some REAL reporting and tell you what the SecurityFocus people were REALLY doing that would be nice.

Posted by: Bob | August 20, 2006 2:06 AM

I was very troubled by the sensationalist nature of the original headline and the mismatch between claims and facts. I also wonder if Brian is feeling contrite that his original post ignited a web frenzy around a claimed security flaw that cannot now be substantiated. I'd like, however, to defend Brian a bit (I've participated in criticizing plenty already).

First, he has pursued the story and brought new information to light. The statement from Atheros, for example, was a meaningful piece of reporting that helped us understand what's going on here. All fingers now point to the SecurityWorks guys. If they know of a vulnerability, they should report it.

Second, the SecurityWorks guys are not exactly, shall we say, forthcoming. Brian cannot get any additional facts unless they provide some, but they dodge and weave and issue vague statements that leave the basic question unanswered.

It remains possible that the SecurityWorks guys actually can make their exploit work on the MacBook's built-in wireless, but this possibility seems increasingly remote. If they would make a clear statement one way or another, this matter could be closed.

Posted by: Thor | August 20, 2006 9:55 AM

All of which misses the basic point:

PROTECT YOUR COMPUTER, NO MATTER WHAT PLATFORM.

If you plug into a network, there is no such thing as safe computing. Don't get pissed off when someone, responsibly or irresponsibly, threatens the illusion that using a Mac is safe.

I'm a loyal Mac user, going back to at least 1990, so this is not a snipe at Apple. It just seems common sense to me: the risks are so great that there is no benefit in counting on the relatively low population of the OS for security.

James

Posted by: James | August 20, 2006 10:15 AM

Thor,

I just want to say that I have been *very* impressed with the reasonable way you have gone about dissecting and challenging the original article.

You have been open minded and fair (as your latest blog comment proves) but unrelenting in seeking followup and full disclosure of the *exact* nature of both the public video taped demo and the private one for bk.

In fact, the vast majority of all the published comments represent the best of blogs...digging and questioning assumptions and positions until a hidden truth is revealed.

Heck, bk should do an article on this positive aspect as a followup to his slamming the mac community for its email barrage. Most Mac users are not whackos, they just want the truth, the whole truth and nothing but the truth.

Posted by: jehrler | August 20, 2006 10:49 AM

James, Much as I agree with much of what you wrote I must take issue with your assertion about Mac security relying ". . . on the relatively low population of the OS for security."

I suggest you read The New York Times's David Pogue's mea culpa on the subject of the "Mac Security Via Obscurity" myth here:

http://www.nytimes.com/2003/09/18/technology/circuits/18POGUE-EMAIL.html

Pogue writes "...the conclusion is clear: Linux and Mac OS X aren't just more secure because fewer people use them. They're also much harder to crack right out of the box."

Pogue also covers Windows virus programs and other reasons why Mac OS X is simply more secure than Windows.

Posted by: TTzz | August 20, 2006 11:52 AM

Thor:

Thank you for your sane comments. Yes, Brian does deserve credit for his additional reporting on this issue, and also for his attempts at followup.

And yes, the SecureWorks guys are the real villains here -- if they hyped up their exploit.

But if Brian Krebs can't get the SecureWorks folks to comment on this story -- he needs to say so, and also admit, given his shoddy initial reporting and growing doubts about the exploit, that he was "had".

He also needs to admit to Mac users, that yes, the post was inflammatory ("cigarette in the eye"), and was done for the purpose of attracting additional attention to his story.

Posted by: Bob | August 20, 2006 12:11 PM

hate mail? he is complaining about hate mail? perhaps he shouldn't say offensive and slanderous words?

oh, sorry, I was thinking of george allen

no, i'll just go to clarendon and beat up the next ipod user i see because of their smugness.

Posted by: Anonymous | August 20, 2006 12:46 PM

Before I start, I don't understand PC or Mac terminology, I'm just a non savvy PC user, so forgive me if I don't use the correct words for things. Personally, I understand the mentality of those who want to hack into systems and mess about with them. I know people who have lost their computers, lots of work and money, due to people who believe interfering with the works is 'challenging' and 'fun'. I'm glad that Mac seems to be still intact, and the hackers have failed, and I hope they never succeeded, and go onto doing more important things like collecting train numbers or walking on the motorway with their eyes shut. When I read the headline 'How to hack into a Macbook in 10 seconds' I knew that there would be trouble! If Mr Krebs hadn't been taken for a ride, and it had been proven correct, he would be worshipped with garlands and parades now. He was had, and talking about forcing him to resign is just silly. Believe it or not, there are people out there who think it is fun to fool people, you know, like the hackers. I've always found Mr Krebs' reporting trustworthy and to insist he lose his job is just, as I said, silly. As a much greater person once put it, 'he who is without sin, (in this case, never been had by anyone who they have no reason not to trust) let them cast the first stone'.
All the best.

Posted by: Sarah | August 20, 2006 12:53 PM

jehrler and Bob, thanks for your comments!

Mac users often get tagged as a bunch of wackos. Unfortunately, the reputation is partially deserved, given how an article that is critical of the Mac can generate lots of vitriolic responses. It gives a lot of people the impression that we somehow think that the Mac platform is "perfect" or "invulnerable."

This impression is wrong. Most Mac users are fully aware that no platform is invulnerable. And, anyone who thinks that Mac users believe the Mac OS is perfect has not spent any time on a Mac fan web site, where vigorous debates can be found over practically any decision by Apple. Witness this discussion of the Mac OS user interface for instance:

http://www.macintouch.com/readerreports/userinterfaceissues/topic4024.html

The diversity of opinions over small details of the user interface is incredible. So, Mac users are not united by some monolithic notion that their OS is perfect. On the contrary, I think that what distinguishes us is that many of us care a great deal about our computers. Using the Mac is a very considered choice. Most non-Mac people know little about the platform, so their criticisms sound ignorant and they get blasted for it.

We are like a bunch of bees in a hive. When someone comes and pokes a stick in the hive, there is a predictable reaction. Some people, like John Dvorak, know this and purposely write inflammatory articles to generate a lot of hits.

That gets to why we are upset here. It is clear that the issue of Mac security is a hot one. The SecureWorks guys obviously know this, and so does Brian given his choice of headline. If what came out of this research was a sober assessment and proper documentation of a security flaw, we would not get upset. Instead, we get hype around a flaw that, from what we can tell, would affect Mac users only if they used an extraordinarily odd configuration of equipment, but the Mac angle is hyped to get publicity.

Posted by: Thor | August 20, 2006 2:41 PM

I'd urge you all to read this from a public forum on security. It pretty much closes the case. Next!

In fact, I'm going to reproduce it here:

It looks to me that Dave Maynor was blowing smoke in the demonstration anyway. From Brian Krebs there is a transcript. While the apparent deception continues through the use of cryptic and what appears to me to be technobabble, you can read his "explanations" and the credulous responses from Krebs.

Some highlights with my commentary:

Maynor: OK, so the first step in this is we want to turn this [Windows laptop] into a wireless access point.
BK: Oh, so you do have to have it connected?
Maynor: No, this is just for the demo. This is the way we've developed the demo. If I explained it any other way, you wouldn't see anything. It would just say, "Exploit done." This way you can see the results of it.


If you have an exploit that can "own" a computer there are an infinite number of ways that you could demonstrate the results of that beyond an "Exploit done" message. This reply makes no sense yet Krebs does not ask obvious questions.

BK: So explain to me again how it is that -- you said earlier that you put these two on the same subnet, because you wanted to be able to show the exploitation on the Mac system, right? But what if they weren't on the same subnet?
Maynor: So that demo compromises the Macbook, and allows me to log into it interactively. It's just like I'm sitting at the keyboard on the Mac. So that's possible because we're on the same IP network.


This is apparently a deception on Maynor's part. It is hard to understand through Maynor's obfuscation tactics but apparently he is running code on the MacBook to supply a shell back to the Dell notebook acting as the access point and exploit machine. To say that because they are on the same IP network allows a connection to a shell is bizarre. (I think Maynor means the same subnet here and not IP network but it isn't clear that he really understands what he is talking about.)

BK: I understand. But let's say this thing isn't connected to your network, and it's just broadcasting and looking for an AP?
Maynor: So at that point there's no way for a connect-back shell to work because we don't have a central communication medium, so without writing my own driver that's going to insert to like bring up the card and get the same IP address on my network, we can't do bi-way TCP communication. So, an exploit in that case would look like -- you would exploit that Macbook, and you would put something on it like a bot. But this wireless exploit is an exploitable flaw and it's in the wireless IP stack.


This is where he admits his lie in the previous question and answer. Maynor admits here that he can't insert his own driver to allow a shell to connect back to the exploit machine. He implies that it would be possible but not that he has done such a thing. Yet, he apparently shows exactly that in his demo. So, if he doesn't have a driver that does that, how did he demo it? It appears likely at this point that he faked the demo. Again, Krebs does nothing to follow up on this. Krebs appears to be incapable of understanding the implications of what he has just heard.

BK: OK, so in that case, the machine would be exploited and you would have it connect up to your IRC channel of choice or something like that?
Maynor: Exactly. It's just like any other exploit, but the only difference is the communications medium in which that exploit gets delivered. And this could just as easily be a proximity attack -- if you have an exploit for a certain type of wireless card, and wait until they come into range -- and then using fingerprinting software, determine what kind of wireless card they have and what driver, if they, say, come into the coffee shop and are using a card and firmware that you have an exploit for you could attack them.


Now we get to the real heart of the claims. Maynor claims to have found a way to inject code into a computer through a wireless device driver. This is a pretty bad security hole. But he apparently hasn't really gotten it to work in any real way. If he had gotten it to work, he would certainly have demonstrated that exploit instead of the apparently fake one. That isn't to say that someone else wouldn't be able to exploit the hole but until that happens, this remains a theoretical exploit and not something that is an actual threat.

Now Apple is saying that they don't have any evidence that their shipped drivers have this problem. That isn't to say that Apple is right, they've obviously had security flaws in the past but who are you going to believe at this point, someone who seems to have faked an exploit demonstration or an official spokesperson for Apple?

One more point on Krebs. Here is what he says in his article on seeing the exploit himself, "I had the opportunity to see a live version of the demo Maynor gave to a public audience the next day. In the video shown at Black Hat, he plugged a third-party USB wireless card into the Macbook -- but in the demo Maynor showed me personally, he exploited the Macbook without any third-party wireless card plugged in." If this is true, then the Apple spokesperson is either misinformed or worse lying. Yet the company that Maynor works for is specifically disclaiming that they exploited the driver in OS X. I think the followup from Krebs will be very interesting. If he is wrong about what he saw, his reputation as a security expert is in tatters.

---

Posted by: Seahawk | August 21, 2006 1:12 AM

Somehow the link for the post above did not appear. Here it is in plain text:

http://www.macworld.com/forums/ubbthreads/showthreaded.php?Cat=0&Number=438291&page=0&vc=1

Posted by: Seahawk | August 21, 2006 1:13 AM

Very well said Thor. That really sums up the way in which the Mac community pushes Apple to produce the best and how we really give them hell when they don't come up to scratch.

Steve Jobs said once about the Mac community that ". . .you guys complain about everything!" (or words to that effect).

As you said, just visit any Mac related forum and you'll not only see the diversity of opinions but the very high standards that Mac users set and expect from Apple. That's why I'm always amazed when I hear Windows users call Mac users sheep and say that we just accept whatever Apple throws our way.

Mac users can be called many things but I don't think sheep fits the bill, which brings us back to why we are so outraged with what, by all accounts, is very poor and biased journalism in this case.

Posted by: TTzz | August 21, 2006 5:19 AM

After reading again the original column there were some very troubling parts:

""We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said."

The motive.

"After the demo, Ellch (who is currently pursuing his master's degree in computer security at the Naval postgraduate school in Monterey, Calif.) will talk about a new tool he's developing that can remotely scan and figure out the chipset and driver version of a wireless device on a target computer."

How much does the ad space cost in Post nowadays? These guys got pretty good coverage for free.

"Maynor said he and Ellch have been in contact with Apple, Microsoft and other companies responsible for vetting the device drivers that power the embedded or third-party wireless card devices meant for those systems, and that both companies are working with wireless card vendors and original equipment manufacturers (OEMs) to remedy the problems."

Well, isn't that a lie?

Posted by: Timo | August 21, 2006 7:03 AM

John Gruber at Daring Fireball offers his scathing assessment of Krebs's abilities as a "Computer Security" reporter.

http://daringfireball.net/2006/08/curious_case

Posted by: Chris Christner | August 21, 2006 12:27 PM

If MACs are so secure then explain these:
CVE-2005-0488
CVE-2005-0988
CVE-2005-1228
CVE-2005-2335
CVE-2005-3088
CVE-2005-4348
CVE-2006-0321
CVE-2006-0392
CVE-2006-0393
CVE-2006-1472
CVE-2006-1473
CVE-2006-3459
CVE-2006-3461
CVE-2006-3462
CVE-2006-3465
CVE-2006-3495
CVE-2006-3496
CVE-2006-3497
CVE-2006-3498
CVE-2006-3499
CVE-2006-3500
CVE-2006-3501
CVE-2006-3502
CVE-2006-3503
CVE-2006-3504
CVE-2006-3505

And that's just the list for this week.

Posted by: DT | August 21, 2006 4:30 PM

You people act like B.K. woke up one morning and decided he would make this whole thing up, get over it. It's not like he slapped your mom or something, aren't there bigger issues than crying for an apology from a reporter that may have been duped. Hasn't the president of our fine country been lying to us for years now, have you been writing him asking him to resign?

Posted by: Todd | August 21, 2006 5:19 PM

DT, what's your point? OS X, as any other system, has vulnerabilities and they are fixing them? Good for you, nicely done, but that's probably not news.

OS X, Solaris, BSDs and Linuxen seem to have much less spyware, malware and viruses than the dominating system, there are lots of ways of explaining it. But I really don't care about the causes all I need is the results.

In practice at this moment and several years back non-Windows operating systems have been a safer choice. I'm happy with my choices during last 7 years (Linux/OpenBSD/OS X). I hope you are happy with yours.

Posted by: Jussi | August 21, 2006 6:20 PM

Oh well, at least the guys at SecureWorks got what they deserve: when you do a Google search on their company name, most of the hits in first page start with "SecureWorks admits to falsifying MacBook wireless hack".

It won't be easy to sell those superior security services to anyone with such headlines out there.

Posted by: rmac | August 22, 2006 7:26 AM

Mr. Krebs,

Would you be willing to update the blog if you __don't__ hear back from SecureWorks in, say, a week or so?

If they can't get back to you in a week with a verifiable means to hijack a MacBook over a wireless connection, wouldn't it be fair to say they misrepresented the current state of their research and that their motivations for doing so are suspect?

If you say so in a post with an appropriately explicit headline and add an update to your previous posts, you're not losing face. You're earning respect.

And if a month or three from now they manage to find an exploit that works, you can post about that too and add similar updates.

I don't see how anyone could reasonably criticize your even-handedness if you took that approach.

Best wishes.

Posted by: Blinded by Disinterest | August 22, 2006 7:47 AM

Hello Mr Krebs... just wanted to point out that the computer is called "MacBook", not "Macbook". You seem to have taken the time to spell "SecureWorks" correctly, though!

Posted by: Crazy Eddie | August 22, 2006 8:49 AM

The following link hasn't been seen here so it's worth looking at. Jim Thompson and David Shaw have analyzed a high-resolution version of the demo and found out some very troubling information. To put it short, the 'exploit' did not allow root access. David Shaw wrote:

"Why does Maynor end up in a user directory after the code executes? If he has root access wouldn't he be presented with the "root" of the system? And when he "cd"s to "Desktop", he isn't using "/Users/dave/Desktop", he just types "Desktop"."

Jim has also explained in a very detailed level why the 'exploit' won't work on Airport:

http://www.smallworks.com/archives/00000461.htm

Posted by: rmac | August 22, 2006 10:25 AM

Before we roast SecureWorks and Brian, let's examine the facts carefully. In fact, I'll let others do so for me, please check:
http://securosis.com/2006/08/21/another-take-on-the-mac-wireless-hack/
for another good analysis of what was and was not revealed in the video.

SecureWorks posts more here:
http://www.secureworks.com/newsandevents/blackhatcoverage.html

Nothing definitive either way, until the final details are known, and maybe that is responsible disclosure by the parties involved. Food for thought Applites, stop with the death threats already...

Posted by: DKP | August 22, 2006 2:46 PM

DKP,

Not sure these links really add anything to what has already been discussed here. I agree with the analysis from the Securosis blog that it remains possible that the SecureWorks guys may, in the end, produce an exploit of the MacBook's internal wireless, but he is unpersuasive on three points:

1) He says, "Notice Apple has not made any formal statement that the MacBook (or any other product) is not vulnerable to this class of exploit? In my mind that's a glaring omission. Apple could put this to rest with a single statement, but they haven't."

Quite to the contrary, Apple absolutely cannot make a definitive claim like this and thereby put this matter to rest. How can they prove the negative? For a long time, nobody thought black swans existed either (they do) because no sighting of them had been recorded, but that was not proof that a black swan would never be found. Likewise, only the SecureWorks guys know what they have. Under the circumstances, Apple is saying only what it can, that no exploit has yet been shared or demonstrated to them.

2) He says, "using only John's [that's John Gruber of Daring Fireball] own analysis (and the fact I saw the original presentation) I can easily see Maynor, Ellch, SecureWorks, and Krebs emerging with their reputations more than intact."

SecureWorks may yet produce an exploit, but their reputations do not hinge only on whether this exploit is produced. Their reputations have much to do with the way this whole matter has been handled. They issued a video that was not a piece of serious security research; it was a simplistic demo intended for consumption by less technical people. A publicity piece, in other words. They have told a reporter that Apple's internal wireless is affected but they have not been forthcoming with details to the affected vendors. And, they have made statements indicating the desire to puncture the smugness of Mac users. Respect is earned, and actions of this kind do not earn respect.

3) The Securosis blog tries to make the point that the reason why the SecureWorks guys are not more forthcoming is that they need the affected vendors to issue a patch first. Responsible disclosure policy, in other words.

I call BS here. They could easily, especially at this point, make a public statement on whether Apple's internal wireless is affected without making MacBook users a whit more vulnerable. No one is asking for them to post attack code on the web, after all. They have already stated that the MacBook internal wireless is vulnerable, according to Krebs, and this has been all over the web, so what are they protecting us from at this point? It just doesn't fly.

Methinks "responsible disclosure policy" is a nice way to buy time while they try to figure out a way to make it work on the MacBook stock configuration. That's why Apple and Atheros have not heard anything yet. If they were really responsible, they wouldn't have told Krebs either, but the draw of publicity was just too strong. Reputations intact my foot.

Finally, do not assume that all "Applites" just fire off death threats. There are idiots in all segments of society. Don't tar the rest of us with their actions.


Posted by: Thor | August 22, 2006 4:01 PM

@Thor

My sincere apologies for tarring all Applelites with that feather, you are right, most are upstanding decent citizens (my wife included). I guess I was a little shocked that some Applelite would have sent a death threat in dismay that there may have been a security hole on his machine after all. And to name his dog in the threat too, that is below low...but I digress.

My point again is that we shall have to wait and see. No definitive arguments were made by you or others in regards to this issue. And the pig roasting of Brian after a bona fide interview seems overdone.

Your arguments are fair, but again, not definitive. I struggle with the idea that a security organization would expose itself to such ridicule unless there was an exploit, but I can't say one way or the other.

I will agree that the sensational way in which their exploit was revealed could have been handled better (assuming one exists), but that by itself hardly warrants the vituperation that seems to be flowing over SecureWorks and BK. If this were a Windows exploit, there would be a collective yawn and move on to the next article, so I ask you who has over-reacted...?

BTW, we have Mac, Linux, and XP in this house, so we are hardly beholden to one camp or another.

Posted by: DKP | August 22, 2006 7:52 PM

DKP,

Apology accepted, and of course I agree with you that some people just get too carried away.

Yes, wait and see. The problem, and the maddening part of this, is that nobody knows anything definitive but the SecureWorks guys, and they are not talking (not even to the vendors, it seems). They, in theory, could produce the exploit at any moment, but as time passes (three weeks now), one has to wonder what's going on.

You'll notice that I have not joined the chorus calling for Brian's head. I have tried to give him credit where I think credit is due. That said, Brian bears a great deal of responsibility for the way this matter has played out.

It was his original article that laid out the original claims that the MacBook's internal wireless was vulnerable to the exploit. Not only that, but he said that the VIDEO WOULD SHOW THIS. I quote: "The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless 'device driver,' the software that allows the internal wireless card to communicate with the underlying OS X operating system."

This article was linked around the web and generated a huge amount of attention very quickly. Then, when the actual video was posted, it showed the exploit on a third-party wireless card and made no mention of the internal wireless.

Naturally, the reaction from Mac users was very harsh, and I can't blame anyone. We went from thinking that this was one huge vulnerability to one that *might* apply only to a configuration that nobody would use.

To date, Brian has made no admission of error on this original statement. I think if he had reported accurately on what the video would show, different expectations would have been created, and the reaction of Mac users would be much less harsh.

Posted by: Thor | August 22, 2006 8:41 PM

The problem I have with the "wait and see" school of thought is how long do we wait and see?

These guys claimed that they had found a vulnerability and had exploited it but three weeks later they haven't been able to show it to anyone independent. And live, not on film.

Eventually, somewhere down the road, the tools and technology will exist to actually exploit the Macbook's current native wireless driver. It could be a few days, or weeks, or months. Will that then mean that they were right all along? I don't doubt for one second that SecureWorks are working really hard right now to do this.

The point is they claimed they have already done this now. We can't just keep waiting until they eventually manage to do it with tools or technology that don't exist now.

I also find it strange how SecureWorks claims that they are not more forthcoming because they need the affected vendors to issue a patch first. "Responsible disclosure policy". This is total BS. If that was the case why were they so happy to shout out to the whole world that the same exploit worked on the MacBook's native driver when we all know exactly who the affected vendor is.

As for Mr. Krebs. I'm sorry but he fully deserves all the stick he is getting. Not even so much for the original article which could have been put down to carelessness caused by his eagerness to break what seemed like a really big scoop, but for his barefaced refusal to accept that the whole thing is appearing to be a big lie and a sham and acknowledge his major role in spreading the lie. At best he comes out of it looking really incompetent.

People just hate it when they catch you with your hand in the cookie jar and you continue to insist that you're not doing anything wrong. Then you are telling them that they are stupid.

Posted by: TTzz | August 23, 2006 7:18 AM

And will you be as ready to give a mea culpa if it turns out that BK/SecureWorks were right? Maybe it takes a few weeks to rewrite drivers...

Posted by: DKP | August 23, 2006 8:55 AM

TTzz:

Given that the CW is that SecureWorks is 1) highly exaggerating the claim that they have discovered a wireless exploit or 2) are plain lying, how much credence can you place in their statement about "killing the dog?"

That's the problem with lying; you have one thread untangle, and you then have a hard time believing anything....

Posted by: Bob | August 23, 2006 10:26 AM


To those posting to say Macs are not more secure, this from your own:

http://weblog.infoworld.com/enterprisemac/archives/2006/08/is_windows_inhe.html

and on the matter of SecureWorks read this:

http://daringfireball.net/2006/08/curious_case

Macs are indisputably much more secure than Windows PC's of any version, and secondly, SecureWorks and Krebs have got questions to answer...

Posted by: Jon T | August 23, 2006 12:06 PM

DKP writes, "And will you be as ready to give a mea culpa if it turns out that BK/SecureWorks were right? Maybe it takes a few weeks to rewrite drivers..."

Being skeptical of an unproven claim does not constitute grounds for apology. Bold claims were made and we have seen no evidence to support them. Many of us have pressed hard for facts but have NOT made personal insults or anything of that sort.

Whether or not SecureWorks has been able to exploit the MacBook's internal wireless, they have handled this poorly. They claimed to Brian that the exploit worked on the MacBook's internal wireless. If that's true, then they should report it to the affected vendors ASAP. If it isn't true, then they shouldn't have made the claim.

Once the claim drew significant media attention, moreover, they hid behind a fig leaf of "responsible disclosure." It's a fig leaf because, as I argued above, they've already made an "irresponsible disclosure" to Brian. Ambiguity is not protecting anyone at the moment. Out with the facts on what is vulnerable (but not the facts on how to do it, obviously).

Also, even if the claims of the SecureWorks guys were completely correct, Brian's mistake in the original reporting (about the video showing the internal wireless being exploited) still stands.

Suppose your premise is true, moreover: drivers are being rewritten for the MacBook's internal wireless as we speak. In that case, either Apple or Atheros or both have lied in saying that SecureWorks has not demonstrated a flaw to them. The lie would be far more damaging than the actual flaw. They would have a lot of explaining to do.

Posted by: Thor | August 23, 2006 12:17 PM

It now appears that securosis.com could be a form of astroturfing. Perhaps one of the principals trying to create reasonable doubt? The creation date for that site is very curious. The demonstration for the "MacBook Hijacking" was August 2. I can't take credit for this discovery, someone named zato on Ian Betteridge's Technovia blog posted it:

http://technovia.typepad.com/technovia/2006/08/is_the_macs_air.html

Domain Name: SECUROSIS.COM
Registrar: WILD WEST DOMAINS, INC.
Whois Server: whois.wildwestdomains.com
Referral URL: http://www.wildwestdomains.com
Name Server: NS2.BLUEHOST.COM
Name Server: NS1.BLUEHOST.COM
Status: REGISTRAR-LOCK
EPP Status: clientDeleteProhibited
EPP Status: clientRenewProhibited
EPP Status: clientTransferProhibited
EPP Status: clientUpdateProhibited
Updated Date: 07-Aug-2006
Creation Date: 07-Aug-2006
Expiration Date: 07-Aug-2007

Posted by: James Bailey | August 23, 2006 2:47 PM

I take back the above comment. Sorry, I should have done a bit more research before posting. The timing of the formation of the blog looks like a coincidence. Apologies to mogull.

Posted by: James Bailey | August 23, 2006 2:55 PM

Wow. Speaking as a guy who used to be a technology columnist for a big newspaper before getting a real job in computer security (so I really feel like I can speak to all angles on this): Krebs didn't do anything wrong. I was at BlackHat. People APPLAUDED that video. Krebs reported what he saw. Not what somebody told him, but what he saw. That is, at the end of the day, what journalism, the first draft of history, is all about. The kind of overkill on display here is why I came to hate writing anything about Apple (I speak as a guy who still owns two Newtons). If you look very, very closely, you will notice that NO OTHER MAINSTREAM PUBLICATION IN AMERICA HAS A FULL TIME COMPUTER SECURITY REPORTER. That's a crime. Krebs is doing important work, critical work. And if you can't see that, you're just not paying attention. Get back to work Brian. And thanks.

Posted by: Gruntled | August 23, 2006 8:23 PM

Gruntled,

I agree with much of what you say, particularly about the importance of major newspapers having a security columnist, but that doesn't mean the story couldn't have been handled better.

One could imagine a far different report on the SecureWorks video. It might have had a headline like "Flaws in wireless drivers a significant security threat." It might have described the video accurately by stating that they used a third-party card in the demonstration.

Instead, we got an article that was geared to generate hype: "Hijacking a MacBook in 60 seconds or less." It incorrectly stated that the video showed them exploiting the internal wireless drivers on the MacBook (even though Maynor says otherwise in Brian's own interview transcript). The result of the article was intense focus on only the MacBook's potential wireless problem rather than the real scope of the issue. In terms of numbers, far more Windows users are likely in jeopardy. That's largely lost at this point.

You say you came to hate writing about Apple. Well, who made this about Apple? Krebs' headline and the comments from the SecureWorks guys about Mac users' smugness made this an Apple issue rather than a wireless driver issue. They both knew that the Apple angle is what would give the story legs. They succeeded in getting the attention they wanted, and now it's wrong for Mac users to poke at the holes in the story? Sorry, but you reap what you sow.

But, I give Brian credit for continuing to follow the story and getting quotes from Atheros. We know more now than we did last week, but we still don't know the truth.

Posted by: Thor | August 23, 2006 9:58 PM

TTzz: "These guys claimed that they had found a vulnerability and had exploited it but three weeks later they haven't been able to show it to anyone independent. "

It's much worse than that. Those guys contacted Apple in January, eight months ago with their famous message "you have a security hole but we won't tell you where". That means they have had eight months to prepare for that demo, check with different cards and collect evidence in general. Why would they need any additional days to collect more information? What difference does it make, after eight months, to spend a week or two preparing more information?

I also wonder why SecureWorks has been so quiet since their corporate image is also at stake. The first rule of communications in this kind of case is that you need to be fast and you need to lay down all the facts you can back up. Apple did that. Atheros did that. If they don't come out soon, all they will get is an expensive lesson on communications.

Posted by: rmac | August 24, 2006 1:57 AM

The people who did the demonstrations, whether real or faked, made this about Apple. Not Krebs. Krebs reported what he saw. Fully and completely. That is, in my opinion, the most obvious element of this. If there was any deception, lack of candor, duplicity -- and, out of an abundance of caution, I'm not yet prepared to say that there was, but certainly the claim by the two researchers is looking more dubious each day -- it was not on the part of Krebs. You might just as well accuse BlackHat of being irresponsible for allowing these guys to present. Oh, wait, did everybody forget that? This same material was presented in front of a profoundly skeptical audience and...they thought it was interesting and deserved to be looked into.

Posted by: Gruntled | August 24, 2006 2:02 AM

Gruntled: "The people who did the demonstrations, whether real or faked, made this about Apple. Not Krebs. Krebs reported what he saw."

That is true, but there is more. A common standard in journalism is to look for more sources. Did BK check the story with Apple before he wrote about hijacking a MacBook? If the guys didn't mean to direct this against Apple, BK very much did so with his choice of headline. It's not just about 'truthiness' but also what is fair and right. In matters that relate to security journalists are known to rely on information they get using their connections with CTOs and senior engineers. It seems that some journalists are so sure that the engineers are right that they don't need to double-check, especially not with some PR people.

Posted by: rmac | August 24, 2006 6:15 AM

Gruntled: "The people who did the demonstrations, whether real or faked, made this about Apple. Not Krebs. Krebs reported what he saw."


What Krebs wrote:

"The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless "device driver," the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the Macbook -- and presently not publicly disclosed -- Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security.""

The problem is that Krebs wrote something that on the face wasn't true -- the video didn't show a flaw in the Airport drivers, but the now infamous 3rd party ones -- and he needs to apologize for hyping this story.

There is a deeper issue of whether SecureWorks is making up the entire exploit, and a reporter who has been burned so badly already should be more proactive in finding the truth. Instead, Krebs just complains about Mac users and "hate mail".

A possible conclusion: mainstream newspapers can't hire and retain competent people to write about computer security - the talented ones will leave and go work somewhere else. Krebs should go. I'd rather have specialty publications covering this issue than hacks like him.

Posted by: Bob | August 24, 2006 11:37 AM | Report abuse

Krebs' last entry was six days ago (18 Aug), nearly an eon ago in internet time.

What does the Krebbster have to say now? (Or did his laptop batteries all catch fire?)

Posted by: RealKrebsStandupPlease | August 24, 2006 4:51 PM | Report abuse

Mr. Krebs- As a MacBook owner who looks to reputable news organizations like the Post for information, could you clear this up for me? Can my MacBook, which uses the built-in wireless and doesn't have any wireless external devices attached, be hacked like what was described in your original article "Hacking a macbook in 60 seconds or less?" Your help is appreciated.

Sincerely,
Dave

Posted by: Dave Anderson | August 26, 2006 12:00 AM | Report abuse

Thor said:

"If [the SecureWorks guys] know of a vulnerability, they should report it."

Bleep. Wrong.

If they know of a vulnerability they should keep it secret to the public and distribute it on all the hacker IIRC channels, instead. That is how all Mac vulnerabilities should be disseminated.

Why should any non-Mac user help the Mac community? They ostracized themselves from the general public a long time ago.

Somebody start a collection to create a worm that erases the drives on OSX after spreading. I'll contribute $$$.

Oh, darn. That's illegal. Nuts. Maybe some dark angel will do it for free, then.

Enjoy the hatin', Macdroids...

Posted by: JustMe | August 26, 2006 3:00 AM | Report abuse

Seems that Mac users can no longer claim to be unaffected by security concerns. Frustration and hatred that brews in every Windows user who has to constantly deal with security issues of that platform has boiled over. Their jealousy has turned to desperation to drag us into their hell.

Posted by: nicsta | August 26, 2006 11:31 AM | Report abuse

Mr. Krebs- As I stated above, whether or not the stock MacBook is susceptible to this vulnerability is very important to me. Since you were the first to report on it, yet have failed to answer my simple question, I will contact your superiors directly to try and get to the bottom of this. I am currently a Post subscriber but I find the coverage of this issue rather troubling to this point.

Sincerely,
Dave Anderson

Posted by: Dave Anderson | August 26, 2006 10:56 PM | Report abuse

To others: I suggest contacting the following individuals if you're concerned about the coverage of this issue by Mr. Krebs (particularly if you're a Post subscriber):

Deborah Howell (ombudsman): ombudsman@washpost.com
Phillip Bennett (managing editor): bennettp@washpost.com

Sincerely,
Dave Anderson

Posted by: Dave Anderson | August 26, 2006 11:09 PM | Report abuse

Look at http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=18&articleId=9002725

I find it hard to believe that the researchers will take so much of all these negative reports against them if they really have shown a real exploit at BlackHat.

Since Apple has already come out in the open, why can't Brian Krebs just organize a session for them to show to WP and other publications their supposed hack? If they really have something to show. If not, maybe it's time to issue a retraction to the original story. It's not about who won or lost. I think responsible reporting of any kind needs to give accurate information to readers.

Posted by: Want to know the Truth | August 28, 2006 11:29 AM | Report abuse

I'm fairly appalled by the many snipes at Brian Krebs and his reporting ability in these comments. If you have followed this blog and his other reporting, as I have, you would know that he has probably made many thousands of computers, and therefore people, safer than they would otherwise have been.

I understand that Mac is not only reliable but more secure than Windows (I know, understatement of the year), but if you think that no one will EVER hack it on a large scale, then you are kidding yourselves.

Logically then, trying to gag even overzealous reporting when it pertains to Mac would seem to be counterproductive. Some day there may be a story out there that does highlight a serious security flaw. And after reading these posts, behind it there will be a journalist too worried about the violence and/or verbal savaging that may be done to them by the Apple-loving-community to report it. Paralysis is not good for journalism.

How about you all de-personalize this so that you can see it for what it really is--a news report--and wait for a follow-up story. Having read Mr. Krebs for many months now, I have no doubt he is still working on this and he will not let it go until it comes to a definite conclusion one way or another.

Posted by: Blurb | August 29, 2006 2:56 PM | Report abuse

Blurb writes, "Logically then, trying to gag even overzealous reporting when it pertains to Mac would seem to be counterproductive"

I don't see the logic. Overzealous reporting that turns out to be incorrect (as this episode appears to be) can lead to a false sense of security. In fact because it does seem to be such a big deal to "hack" a mac, we've seen several bogus viruses, worms, etc. reported. And after this one, would you blame someone for viewing any claims of a new mac exploit with a high degree of skepticism? I don't see that as a positive.

"How about you all de-personalize this so that you can see it for what it really is--a news report--and wait for a follow-up story"

If Krebs wouldn't have been so sensationalistic and ready (wanting?) to believe the "security researchers" then I would agree with you. But it appears that he was so excited with himself to have broken the story on this bogus exploit that he failed to do due diligence. As far as I'm concerned he still has. I don't know if he's crossed the line of journalistic integrity, as others have implied, but I'm not sure that he hasn't either.

Waiting for a follow-up story....

Posted by: Blurb2 | August 29, 2006 6:04 PM | Report abuse

Blurb: "Some day there may be a story out there that does highlight a serious security flaw"

So it is alright to cry "Wolf" whenever we feel like it because one day a wolf will really appear and attack. To hell with the FACT that there really is no wolf right now.

Mac users hold Apple to a very high standard so when someone cries out that there is a wolf on the farm we take it very seriously and will hold that person to account if it turns out to be a false alarm or, even worse, a fake.

Blurb: ". . . journalist too worried about the violence and/or verbal savaging that may be done to them by the Apple-loving-community . . ."

No journalist that speaks/writes the truth and that can back it up with evidence has anything to fear. I, for one, would certainly welcome it. Believe me, the "Apple-loving-community" dumps on Apple more than anyone else when Apple gets it wrong. As has been posted before, just visit any Mac forum and get a taste of how much stick we give Apple for any shortcoming, real or perceived.

Blurb: "I have no doubt he is still working on this and he will not let it go until it comes to a definite conclusion one way or another."

When, exactly, will that be and what is he doing??? He was very quick to break the news but his silence on the subject of late has been deafening.

Is he, perchance, waiting for someone to actually come up with an exploit that would get him out of gaol?

Posted by: TTzz | August 29, 2006 7:20 PM | Report abuse

My bet is there is not going to be a definite conclusion. The reason for that is quite simple. On day one when the story broke there were several meetings by the legal teams of every party involved. The first thing they did was to make sure that no person involved was to make any unauthorised statements.

When things get legal it becomes challenging to report because no one is saying anything. The legal experts advise people that if you make a claim, you must have evidence. If you don't have evidence, then shut up. In the business world claiming a multi-billion company has done or has not reacted is a claim that requires hard evidence. We are not talking about theories here. The fact that no demo of exploit was provided to Apple between January and August, in eight months, is a clear sign of lacking evidence.

If the guys were able to demonstrate the exploit in 60 seconds, why didn't they, for eight months, find a slot to drive to Cupertino and show the same 60 second show to Apple people?

If I were an attorney in the company mentioned in the first article, I would have done some serious damage control on day one. I would have silenced the staff and then just kept fingers crossed that the Atheros or Apple legal teams won't pick this up and do the damage control on their side.

Posted by: rmac | September 2, 2006 11:31 AM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company