Computerworld - I owe David Maynor and Jon Ellch an apology. Several weeks ago, in a column titled “Quack Hackers,” I described their presentation at this year’s Black Hat USA security conference as one of a pair of “hoax hacks” and “rigged demos of make-believe security holes.” At Black Hat, Maynor and Ellch (who hacks under the name “Johnny Cache”) showed how they could hack into a Macintosh laptop via Wi-Fi, as long as the Mac was using a no-name Wi-Fi card with buggy drivers. But Maynor and Ellch also told a Washington Post reporter they could pull the same trick on stock Mac Wi-Fi — a trick they refused to demonstrate. Baloney, I said. It’s bogus, a publicity stunt using Apple’s name to grab headlines.
I was wrong. How do I know? Apple told me so.
Let’s be clear: Apple isn’t saying Maynor and Ellch were right. When Apple issued three patches last month for flaws in the Mac’s Wi-Fi software, the company’s position was that they were the result of Apple’s internal audit of the code.
Which is true — as far as it goes. According to an Apple spokesman, SecureWorks (the company Maynor and Ellch work for) “approached us with a potential flaw, but since they did not supply us with any information to allow us to identify a problem, we initiated our own audit.”
So let’s recap: Apple thought its Wi-Fi code was just fine, thanks.
Until Apple saw Maynor and Ellch’s wireless Mac hack demonstration.
After which Apple suddenly got really interested in combing through its Wi-Fi code again — and quickly found three separate security holes that could allow attackers to run their own code on some Wi-Fi-equipped Mac laptops.
Maybe what Apple found on its own wasn’t what Maynor and Ellch found. SecureWorks is still keeping mum on that question.
But Maynor and Ellch showed Apple something. And whatever it was jolted the company into action. Without it, there wouldn’t have been any code audit — or any patches.
And Mac Wi-Fi users would still be at risk.
Is Apple’s carefully worded nondenial denial about the genesis of those patches aggravating? Sure. So is SecureWorks’ silence. And so is the fumbled newspaper interview that made Maynor and Ellch’s Black Hat presentation look like a publicity stunt. (Maynor has since acknowledged that he thought many of his comments to the reporter would be off the record, and Ellch has said that it was his first newspaper interview.)
Get ready for more of that aggravation.
Hackers turned security researchers aren’t going to become media-savvy overnight. IT security is now big news, and few ex-hackers can finesse the media glare. They’ll figure it out eventually, but until then, there’ll be more mishandled interviews and unintended results.