Sorry Security

By Frank Hayes
October 2, 2006 12:00 PM ET

Computerworld - I owe David Maynor and Jon Ellch an apology. Several weeks ago, in a column titled “Quack Hackers,” I described their presentation at this year’s Black Hat USA security conference as one of a pair of “hoax hacks” and “rigged demos of make-believe security holes.” At Black Hat, Maynor and Ellch (who hacks under the name “Johnny Cache”) showed how they could hack into a Macintosh laptop via Wi-Fi, as long as the Mac was using a no-name Wi-Fi card with buggy drivers. But Maynor and Ellch also told a Washington Post reporter they could pull the same trick on stock Mac Wi-Fi — a trick they refused to demonstrate. Baloney, I said. It’s bogus, a publicity stunt using Apple’s name to grab headlines.

I was wrong. How do I know? Apple told me so.

Let’s be clear: Apple isn’t saying Maynor and Ellch were right. When Apple issued three patches last month for flaws in the Mac’s Wi-Fi software, the company’s position was that they were the result of Apple’s internal audit of the code.

Which is true — as far as it goes. According to an Apple spokesman, SecureWorks (the company Maynor and Ellch work for) “approached us with a potential flaw, but since they did not supply us with any information to allow us to identify a problem, we initiated our own audit.”

So let’s recap: Apple thought its Wi-Fi code was just fine, thanks.

Until Apple saw Maynor and Ellch’s wireless Mac hack demonstration.

After which Apple suddenly got really interested in combing through its Wi-Fi code again — and quickly found three separate security holes that could allow attackers to run their own code on some Wi-Fi-equipped Mac laptops.

Maybe what Apple found on its own wasn’t what Maynor and Ellch found. SecureWorks is still keeping mum on that question.

But Maynor and Ellch showed Apple something. And whatever it was jolted the company into action. Without it, there wouldn’t have been any code audit — or any patches.

And Mac Wi-Fi users would still be at risk.

Is Apple’s carefully worded nondenial denial about the genesis of those patches aggravating? Sure. So is SecureWorks’ silence. And so is the fumbled newspaper interview that made Maynor and Ellch’s Black Hat presentation look like a publicity stunt. (Maynor has since acknowledged that he thought many of his comments to the reporter would be off the record, and Ellch has said that it was his first newspaper interview.)

Get ready for more of that aggravation.

Hackers turned security researchers aren’t going to become media-savvy overnight. IT security is now big news, and few ex-hackers can finesse the media glare. They’ll figure it out eventually, but until then, there’ll be more mishandled interviews and unintended results.
