Computerworld - I owe David Maynor and Jon Ellch an apology. Several weeks ago, in a column titled “Quack Hackers,” I described their presentation at this year’s Black Hat USA security conference as one of a pair of “hoax hacks” and “rigged demos of make-believe security holes.” At Black Hat, Maynor and Ellch (who hacks under the name “Johnny Cache”) showed how they could hack into a Macintosh laptop via Wi-Fi, as long as the Mac was using a no-name Wi-Fi card with buggy drivers. But Maynor and Ellch also told a Washington Post reporter they could pull the same trick on stock Mac Wi-Fi — a trick they refused to demonstrate. Baloney, I said. It’s bogus, a publicity stunt using Apple’s name to grab headlines.
I was wrong. How do I know? Apple told me so.
Let’s be clear: Apple isn’t saying Maynor and Ellch were right. When Apple issued three patches last month for flaws in the Mac’s Wi-Fi software, the company’s position was that they were the result of Apple’s internal audit of the code.
Which is true — as far as it goes. According to an Apple spokesman, SecureWorks (the company Maynor and Ellch work for) “approached us with a potential flaw, but since they did not supply us with any information to allow us to identify a problem, we initiated our own audit.”
So let’s recap: Apple thought its Wi-Fi code was just fine, thanks.
Until Apple saw Maynor and Ellch’s wireless Mac hack demonstration.
After which Apple suddenly got really interested in combing through its Wi-Fi code again — and quickly found three separate security holes that could allow attackers to run their own code on some Wi-Fi-equipped Mac laptops.
Maybe what Apple found on its own wasn’t what Maynor and Ellch found. SecureWorks is still keeping mum on that question.
But Maynor and Ellch showed Apple something. And whatever it was jolted the company into action. Without it, there wouldn’t have been any code audit — or any patches.
And Mac Wi-Fi users would still be at risk.
Is Apple’s carefully worded nondenial denial about the genesis of those patches aggravating? Sure. So is SecureWorks’ silence. And so is the fumbled newspaper interview that made Maynor and Ellch’s Black Hat presentation look like a publicity stunt. (Maynor has since acknowledged that he thought many of his comments to the reporter would be off the record, and Ellch has said that it was his first newspaper interview.)
Get ready for more of that aggravation.
Hackers turned security researchers aren’t going to become media-savvy overnight. IT security is now big news, and few ex-hackers can finesse the media glare. They’ll figure it out eventually, but until then, there’ll be more mishandled interviews and unintended results.