Apple Denies Wi-Fi Flaw, Researchers Confirm 267
Glenn Fleishman writes "Apple tells Macworld.com that the Wi-Fi exploit demonstrated at Black Hat 2006 in a video doesn't show a flaw in their hardware or software. A third-party USB adapter with different chips and drivers was used, and Apple says the two researchers haven't provided Apple with code or a demonstration showing a working exploit on Apple equipment. The researchers added a note at their Web site confirming that only an unnamed third-party adapter was used. This doesn't mean the researchers have no flaw to show, but rather that their nose-thumbing at Apple users who were too secure in their security was misplaced, at least at present. The researcher's claim that they were providing information to Apple now seems off-base, too."
And of course. . (Score:0, Insightful)
What a couple of dicks (Score:5, Insightful)
Re:Uh... the "game's" rules are too strict (Score:5, Insightful)
Reality (Score:5, Insightful)
But in reality every laptop sold by Apple today ships with an Airport card, and most of the ones sold previously had one as well. What message are you really sending when you trumpet a flaw that affects 1/10 of 1% of Mac users?
The message that Mac users should be aware of possible security vulnerabilites is an excellent one but hyping a vulnerability that would simply not happen in reality was a poor vehicle to convey this message, and basically comes off as self-aggrandizing; that is to say they were far more interested in promoting themselves than warn Mac users about security flaws.
Re:Uh... the "game's" rules are too strict (Score:3, Insightful)
So, in essence, this research only "proves" that if you take something that is secure out of the box and make alterations, it's possible to break that security.
Y'all are a bunch of suckers (Score:2, Insightful)
75% of people on Slashdot all tout the party line, "Don't believe everything you read in the mainstream media." It doesn't matter whether the discussion involves Iraq, Microsoft, SCO, Linux, IBM, the U.S. government, or CmdrTaco. If it's on CNN, don't believe it.
Well, here I am, to tell you, be skeptical of regular Joes, as well.
In this discussion [slashdot.org], the only people not agreeing with the article said things like, "it was a 3rd party card." The thing is, I don't understand why you would believe ANY of it without some kind of proof, or evidence.
A video is easy to doctor. A video without any techniques and methods is monumentally stupid. I could have made the video in question in about 10 minutes.
Anyways, this is a big "FUCK YOU" to all the naysayers out there who continually announce that the end of OS X's relative security is on the horizon. I'm not saying that OS X is without flaw, and I'm not even saying there won't be widespread virus outbreak (however unlikely). But for godsakes, at least demand a shred of evidence before you proclaim the end of an era.
Re:Uh... the "game's" rules are too strict (Score:4, Insightful)
Re:So was this just a lie? (Score:3, Insightful)
No Surprise (Score:5, Insightful)
Frankly, the disclosure here was pretty amateurish. Surely they would have known that demoing the vulnerability on Apple hardware would have implicated Apple. In fact based on the "aura of smugness on security" comment it looks like they deliberately *chose* Apple hardware to be falsely implicated.
Do these guys have *any* credibility left?
Re:...or alternatively... (Score:5, Insightful)
Re:Uh... the "game's" rules are too strict (Score:1, Insightful)
It's not Apple's or MSFT's fault for faulty software someone else wrote.
Re:Uh... the "game's" rules are too strict (Score:3, Insightful)
Except that drivers either run in the kernel's address space (in which case security is impossible) or they don't (in which case performance is diminished). The only way to protect an OS from driver malfunctions is use a microkernel, so the question is whether you want slow and secure or fast and ever so slightly less secure....
Re:No Surprise (Score:3, Insightful)
Remember that when the "researchers" were confronted with this very reasonable argument, they claimed that they didn't demonstrate their "exploit" with the standard hardware because (as they claimed) "Apple had leaned on them". At that time I thought: If I was in that position, and Apple "leaned" on me, they could do as much leaning as they wanted, I would demonstrate that I can crack a standard Macintosh, as sold to customers. On the other hand, if Apple "leaned" on me by waving huge amounts of banknotes at me, I would have taken the money; and I wouldn't have used a Macintosh at all, but would have showed how vulnerable Windows is!
Re:Uh... the "game's" rules are too strict (Score:3, Insightful)
Who modded parent to +5? (Score:4, Insightful)
Re:Uh... the "game's" rules are too strict (Score:4, Insightful)
What the hackers are actually claiming is: "I can take over any Mac. All I need to do is add this 3rd party hardware, install 3rd party drivers, disable the built-in version, and sneak away without you noticing several inches of antenna sticking out the side."
who are we to question? (Score:5, Insightful)
Although we'll see nothing but speculation in this article and its comments, eventually the truth will be known, and we'll have an exploit which is documented and proven to work, or not. If Apple have a flaw, and won't admit it, that would light a fire under them wouldn't it?
Given the hackers comments :
Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook.
It sounds like they were bullshitting to try to make a splash, which they did. Till I see proof, I'm not inclined to trust either side.
Re:What a couple of dicks (Score:5, Insightful)
The thing that's more concerning to me is that the tech news and media start sounding like CNN. It seems like anybody can step up and make a loud claim about something controversial, and the news sites just spread it around. Most other tech security claims are held accountable for documenting details and specifics, and being up-front about things like, "well, this only happens while using a random 3rd party wireless card, which would admitedly happen almost never on a Mac since most have built-in wireless...".
Tar and feather RESPONSIBLY (Score:5, Insightful)
This is true in any industry.
If these guys had made it CLEAR that they were using a NON-APPLE network device from the get-go we wouldn't be having this discussion today.
What they should have said:
"We found a wireless exploit in a major-brand wireless network device. We will be releasing the name and model number of the device after responsible notification to the vendors involved. The videotape you are watching shows this device connected to an Apple Macintosh. We have also tested a device containing the same chipset connected to a Windows-based PC and found similar problems."
The presenter did mention it (Score:3, Insightful)
Re:Uh... the "game's" rules are too strict (Score:3, Insightful)
Re:Well let me join karma suicide (Score:4, Insightful)
I think there should be an automatic moderation to -2 levels for any post that predicts "I will be moderated down because some zealots don't like my opinion".
Which is sadder? (Score:4, Insightful)
2. The willingness of everyone to jump on an actual vulnerability in MacOS X (schadenfreude) ?
3. People who believe that the only reason software is vulnerable is its market share?
4. People who think that a company should be able to warrant/guarantee an OS regardless of what you do to the machine it's running on?
Does
dave
p.s. my Mini, that runs continuously 24 hours/day including web server, iTunes broadcast, etc, had a kernel panic yesterday. First time, too! I think it was because I was in the middle of LDAP client configuration and left the machine in an inconsistent state, i.e. -operator error-. No, OS X isn't perfect, but it's a damn site better than -any other OS- I've used on personal hardware. The only things I've used in almost 30 years in the business that have been more reliable are VAX/VMS, Ultrix and SunOS 4.0.3...
Two faces of trust (Score:5, Insightful)
Myself, I trust the people who actually have the code to look at. In this case that would be Apple. They have done little that would lead me to think this statement was misleading.
If you blindly mistrust any company just because it is a company, you are just as badly off as if you blindy accept anythign any company says. You need to use common sense in evaluation statements from anyone.
Not exactly surprising (Score:5, Insightful)
With the statements from Apple, the questionable reasons given by the researchers and their ire about the Mac community in general, I think the most probable conclusion is that these guys are full of shit. What I can't understand is why they'd risk their reputations on something seemingly so petty.
Headline misleading (Score:5, Insightful)
Re:Uh... the "game's" rules are too strict (Score:2, Insightful)
Right. Because trying to play a music cd on your computer and installing third party hardware and drivers are, like, exactly the same.
[sarcasm: off]
(How did the parent get modded insightful?)
I have been wondering (Score:5, Insightful)
Numbers (Score:5, Insightful)
That's a poor way to look at it, and masks the situation you have with the Mac market today.
Any of those 92% of computers may vary wildly in terms of OS loaded or software used.
With the Mac you have tens of millions of computers (fourteen million registered OS X users). Lots of them are running the same software, the same browser, at the same OS rev.
Looking at the cost of renting botnets on the grey market those millions of computers represent millions of dollars of revenue, even if you crack just a percentage of them. So the question is why would someone leave that money on the table?
The answer is obvious - because it's a lot harder to hack a Mac to use in such a way. So it's not really numbers that are preventing the serious development of attacks today so much as a stronger security model. This would potentially be true even beyond the 80% marketshare point.
Basically the reason the Mac is safer today and will continue to be so even as market share climbs is the same philosophy behind avoiding being eaten by a bear - you just have to be able to run faster than the guy next to you. Windows is puffing something fierce.
Careful now... (Score:2, Insightful)
I have done enough debugging work to know that there is always a chance somebody screws up and screws up badly... That goes for Apple just like anybody else (I'm one of their customers by the way). Just because these hackers may have slipped up (at the moment I only have your word for it) and explicitly claimed that built in Apple Wifi cards were vulnerable without checking on it first (which incidentally violates one of the golden rules of professional bug-hunting: Never claim a vulnerability must exist on operating system A because it has been demonstrated on operating system B. Create tests and prove it!) So don't get to carried away in your 'Schadenfreude' Apple is no more incapable of fucking up any more than IBM/Lenovo,HP or any other high end PC manufacturer.
Re:...or alternatively... (Score:1, Insightful)
Apple is god though..
Re:Not exactly surprising (Score:2, Insightful)
Apple made no statement denying the claims. All the said was that a 3rd party adapter was used and that no flaw in their product had been demonstrated to them. Both could be telling the truth and both could be lying. Nothing new here.
"in general, I think the most probable conclusion is that these guys are full of shit."
What stake do you, or anyone here, have in Apple being shown innocent here?
"...their ire about the Mac community in general..."
When did they display that?
You clearly have an axe to grind with anyone who dares threaten the reputation of Apple. Ire indeed.
Re:Two faces of trust (Score:3, Insightful)
Hell I would not even hold Microsoft, the king of security flaws, accountable for what some unknown guy did using a third party driver he will not produce to prove his claim. And if I would be scepticle about a security flaw in windows, which has a bad track record, you can bet I will be for OS X which has a good one.
Re:Heres how you get an exploit developped for Mac (Score:3, Insightful)
Like another poster said, not all security models are built equal. Add up all the BSD, Linux and Mac marketshares, and there is still no exploits. The *nix crowd has a higher server marketshare than desktop, which makes them even more attractive for people to crack.
And btw, not all of 'em do it for money.
Re:Well let me join karma suicide (Score:5, Insightful)
As for Apple zealots turning into "Intel Zealots" at WWDC05, well, you have to admit the new Intel Core is quite a step-up from their previous CPUs. And the Core 2 is (again) a big step-up too.
Just because something was good/bad in the past doesn't mean it's gonna be good/bad in the future (i.e. Mac OS 9 sucked but OS X is really good, Apple used to suck with their proprietary hardware and software (ADC, Apple-specific PICT screenshots that won't even load correctly in regular programs, etc) but now they're supporting standards (DVI, USB2, Wi-Fi, Bluetooth, PDF, PNG, etc).
Re:So some "facts" were just made up... (Score:5, Insightful)
Re:What a relief. (Score:5, Insightful)
Re:...or alternatively... (Score:5, Insightful)
I've had XP crash just browsing around in the Explorer, I'd consider that "normal" use.
Anyway, my original point was, don't say "no Apple users ever use third party hardware / drivers" but few do. And in this specific case very few would as wifi is 99% of the time already in your laptop so there is no need for a 3rd party wifi card/driver. In addition 3rd party wifi cards and drivers are damn rare for Macs. Well, you can pick up any USB wifi adapter, but try to find vendor supplied/supported drivers for the mac (there are plenty of open-source drivers trying out there).
Let's face it, the security team wanted to get noticed and bashing Apple's security was an easy way to do it. They got their 15 minutes of fame. Now people are looking at what they said and did and finding the flaws in what they did. If someone had looked at what they were doing beforehand the whole thing would have been laughed off..
Re:who are we to question? (Score:3, Insightful)
Re:So was this just a lie? (Score:3, Insightful)
Re:Well let me join karma suicide (Score:2, Insightful)
Apples hold (Score:3, Insightful)
Come on, Apple's rep is not hurt at all but one vulnerability - after all there have been others found and patched before - the claim to fame is that there are no exploits in the wild.
Furthermore again I have to ask, what hold does Apple have over these people that they would have held off? Given all the grief they have received over this you'd think they would come out and demonstrate the flaw using only the airport card.
It's far, far easier to believe some very smart guys stretched the truth a little to make thier claims more notcable than a VERY heavily used dirver in OSX has that kind of open flaw that has remained undiscovered to this point. It's very hard to believe that Apple leaning on them had any effect, because Apple simply has no leverage over them.
Re:Well let me join karma suicide (Score:5, Insightful)
I'm convinced slashot is filled with people who just enjoy not being willing to understand the simplest of things.
The PowerPC G5 processor is an absolutely superior design to anything Intel was putting out in the 90s. I don't know of any hardware geek who disagrees, although they may disagree on real-world performance with available complete systems.
That Intel is putting out well-designed power-efficient processors today does nothing to change the past. That IBM is uninterested in desktop computer processors NOW and is allowing the G5 to languish does nothing to diminish the fundamental superiority of the processor design, or the performance advantage it had years ago during active development.
You may as well complain that car buyers today are just fanbois, because beack in the 60s everyone knew Japanese imports were lousy, cheap machines that barely stood up to American cars. Yet now people say Japanese cars are great and reliable -- I mean, gosh, make up your minds, guys, flip-flop much? Once something is bad or good, it has to stay that way FOREVER, Mister Whirly said so!