How Apple orchestrated web attack on researchers
Last summer, when I wrote “Vicious orchestrated assault on MacBook wireless researchers,” it set off a long chain of heated debates and blogs. I had hoped to release the information on who orchestrated the vicious assault, but threats of lawsuits and a spineless company that refused to defend itself meant I couldn’t disclose the details. A lot has changed since then: Researcher David Maynor is no longer working for SecureWorks, and he’s finally given me permission to publish the details.
The scandal broke when Jim Dalrymple put out a hit piece on security researchers David Maynor and Jon “Johnny Cache” Ellch, saying that their research was a “misrepresentation.” Dalrymple based his conclusion solely on the word of Apple PR director Lynn Fox. David Chartier went even further and said that, “SecureWorks admits to falsifying MacBook wireless hack” based solely on a SecureWorks disclaimer (it’s no longer there) that merely reaffirmed what the original video was saying all along — that the hack demonstrated in the video was based on third-party wireless hardware. I had personally interviewed the two researchers before this whole scandal broke out, and I specifically asked Maynor and Ellch if they were using Apple’s Wi-Fi hardware in their official Black Hat demonstration. They clearly said that no Apple Wi-Fi product was used for the exploit. That’s why I was shocked to see the researchers blamed for changing their story and “admitting” they made the whole thing up when no one changed the story and no one admitted to anything. Yet the headline from Chartier, along with Dalrymple’s story, was blasted all over the Web after it made Digg and Slashdot. Everyone simply assumed Maynor and Ellch were frauds because they supposedly “admitted it.”
[…]
So what was the end result of all this? Apple continued to claim that there were no vulnerabilities in Mac OS X, but came a month later and patched its wireless drivers (presumably for vulnerabilities that didn’t actually exist). Apple patched these “nonexistent vulnerabilities” but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple’s behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The result was that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007, including last week’s megapatch of 45 vulnerabilities.
Apple is a mega corporation that nearly smashed the reputation of two individuals with bogus claims of fraud. It didn’t matter that they weren’t the ones pulling the trigger because they were pulling all the strings. David Chartier should be ashamed of himself and his blog. Jim Dalrymple of Macworld and his colleagues who jumped on the bandwagon should be ashamed of their reporting. Frank Hayes was the only one of Dalrymple’s colleagues who had the decency and honor to apologize. Most of all, shame on Apple.
(from TechRepublic, How Apple orchestrated web attack on researchers)
This supports two things I have been saying ever since I had the misfortune of using a Mac PowerBook for a while and being exposed to the whole “cult of Mac” back in 2005:
1) Macs are not secure. The only reason that Mac users think Macs are secure is because the Apple marketing machine tells them so (as in the recent Mac vs. PC television advertisements) and because Mac users are willfully ignorant.
2) Apple is every bit as ruthless, monopolistic, and anti-consumer as Microsoft is, if not more so. The only real difference between the two companies is that Microsoft is better at it.