Month: August 2006

BREAKING NEWS: OU LASHES OUT AGAIN!

George Ou speaks again, John Gruber’s “super long analyis” (shorter Ou: “Damn, this David Burke, who has a recurring role as a D.A. on Boston Legal.

That’s just the kind of of top-notch legal advice you want when refuting a blog post!

So, let’s get down on it! Burke copies whole heaves of text from Daring Fireball to set the ground work for his massive take-down!

Sorry for the following extended quotes, but this is the evidence he uses to support his concern, search the link if you would like to double check…

Uh, no, dude, that’s OK. I’m sure you’ve got mad copy/paste skillz. I’m sure you beat the hell out of that V key.

“Copy. PASTE! Copy. PASTE! Copy. MOTHERFUCKING PASTE! Oh, man, I’m on fi-ya!

Fox’s statement simply says; Maynor and Ellch have not demonstrated such a vulnerability to Apple.

Apple may in fact fully well have been contacted by Secureworks and may be quite aware the exploit exists and are working on it.

So his main concern is garbage.  See why you need trained people to examine the evidence?

Ah! You mean like someone who plays a D.A. on TV?

There’s just one problem with Mr. Burke’s stunning legal analysis.

“Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is,” Apple Director of Mac PR, Lynn Fox, told Macworld.

[Emphasis mine.]

This is the graph that Maynor’s defenders kind sorta wish wasn’t there and, if you repeat it, will probably make them stick their fingers in their ears and go “LA-LA-LA-LA-LA-LA! I AM NOT LIS-TEN-ING!”

They much prefer to focus on the “sharing of code” quote, as Ou does here:

Fox never stated SecureWorks never contacted them, they only said that no code was shared.

The first part of that sentence is true. The second is not because of the use of the word “only.” She said that SecureWorks provided no evidence.

Ou says “You can’t have their code, bitch!”

You’re not entitled to a researcher’s code which they spent time developing.  Giving them the actual malformed packet that triggers the exploit and a pointer to the location of the flawed code is standard practice.

But for SecureWorks to have done this would have been to provide evidence, in which case Fox was mistaken or lying. But Ou’s not arguing that Fox is mistaken or lying. He’s arguing that she used PR gobbledy-gook to try to trick the world into thinking SecureWorks was wrong about the Airport hardware and drivers.

Ou then compliments his possibly imaginary friend on his legal acumen. You can learn a lot on the set of a popular legal show! I wish he’d asked him what Shatner’s really like!

While I know for a fact that Gruber is wrong and doesn’t know what he is talking about since I’m sitting on sensitive information at this point, I’m amazed that you can take Gruber’s own analysis and take it apart and get eerily close to what the truth is.

Well! Someone’s been hanging out in the super-secret hacker treefort in Maynor’s mom’s back yard with the Farah Fawcett poster on the wall!

I wonder if Ou has talked to Apple. Because single-sourcing from SecureWorks may not be the best way to go right now (see: Krebs, Brian). We already know that Ou has gone out of his way to falsely portray SecureWorks as good faith actors who were only interested in making Macs more secure and kittens and puppies more prevalent and spring! with the flowers and dancing and… and…

And that’s bullshit.

You don’t get to run around and say you want to stick a lit cigarette in its user-base’s eye and then pretend you weren’t out to get Apple.

At the end of the day, SecureWorks may be able to demonstrate a hack of Airport. I suspect there’s smoke coming out of that super-secret treefort right now and it’s not from the vigorous self-gratification to the Farah Fawcett poster. But until someone puts up or shuts up, a responsible journalist would not make ham-handed efforts to brow-beat others into silence with vague threats of lightning bolts from Mt. Olympus.

You might be thinking, jeez, this guy writes for ZDNet, I mean, that must mean he’s a responsible journalist, right?

Eh, maybe not.

666 – THE POST OF THE DEVIL

Check out the specific link to this post.

Well, let’s continue the fun, just as Satan would want us to, shall we?

IN HIS HONOR!

Blaka n’rath mkran dalla soocra m’joran!

Oh, dammit, that’s Klingon.

Well, we’ll have another post later tonight (unless one of our Apple contacts calls us and wants to go out for drinks), but as Day 2 of Security Bitch Watch draws to a close, the radio silence from George Ou, Brian Krebs and SecureWorks continues. In the mean time, you can check out some posts from the lovely and talented Glenn Fleishman on the subject, or delve into the arcane aspects of Maynor’s supposed hack at Sex, Drugs & Unix.

Also, as this whole wifi incident is rather confusing, let’s make Friday’s Help Desk a special episode. You can either email me your questions or drop them in the comments of this post.

ALL HAIL SATAN!

I don’t really mean that.

I just like Satan as a friend.

UPDATE: As fate (OR SATAN!) would have it, we are going out with one of our Apple contacts. So we’ll see you tomorrow with more on Security Bitch Watch.

Security Bitch Watch – Day 1.

On George Ou’s blog post mentioned in the story below, he noted that David Maynor (aka the sensitive pink pony of hackers, who was needlessly subjected to the vicious ridicule of Mac users spurred on by a rabid Steve Jobs screaming “Fly, my monkeys! Fly!”) would be “bringin’ it on” (not a direct quote) and that he would provide “the bitch slap Apple so badly needs” (also not a direct quote) and that “sisters would be doin’ it for themselves” (that, oddly, is a direct quote).

Ou indicated on Sunday morning that SecureWorks’ totally bitching response of doom to the scurrilous Apple’s scurrilous press release of scurrility would be revealed “in the next couple of days.”

The Oxford American Dictionaries as accessed through Dashboard define “couple” as “two” or “an indefinite small number”, but I think we can start the watch as of this morning.

If Ou is right, we shouldn’t have long to wait.

Which is good because the suspense is killing us. This is the John Mark Karr case of the Mac world, you know.

Let’s review the players here and see who’s down for what.

SecureWorks’ George Maynor and Jon “Johnny Cache” (get it?! Puns rock!) Ellch – They hacked a MacBook using a third party wireless card and driver and – according to Brian Krebs – claimed they could do the same thing with a stock Airport card and driver. Krebs also said they claimed they totally told Apple about this and got hit over the head with a sock full of nickels by Steve Jobs who said they’d better not tell anyone or he’d finish the job.

Oh, and I’m sure this isn’t in any way relevant, but they also want to stab Mac users in the eye with a lit cigarette.

Ha-ha! Oh, you guys!

The Washington Post’s Brian Krebs – Krebs wrote that Maynor and Ellch claimed the Apple-supplied Airport card and drivers could be hacked the same way the third party ones could. Then said they didn’t.

Then said he stood by his reporting.

I may have some of that out of order, but that’s essentially it.

ZDNet’s George Ou – Ou is outraged – OUTRAGED! – that Mac users don’t want to have lit cigarettes stuck in their eyes! The nerve! Listen, Mac punks, if a respected security professional wants to stick a lit cigarette in your eye, you just ask him which one! GOT IT?!

Anyway, Ou says Maynor and Johnny Cache never claimed the exploit worked on Apple Airport hardware and drivers, even though he himself linked to Krebs’ post which says they did. And he says they actually demonstrated the hack against Apple hardware and software, which I guess they must have done while just raising their eyebrows a lot and pointing in silence as Ou says they never said they could do that.

He also had the temerity to claim

…Maynor chose an external third party hardware wireless adapter to avoid focusing attention on possible Apple hardware and software issues which may endanger Mac users.

Oh, that’s so sweet of him. See, he’s just looking out for us. What a nice guy. We should send him a fruit basket or some…

WATCH OUT FOR THAT CIGARETTE! SSSSSSSSSSSSSST! AAAAAAAAAGH! MY EYE! MY EYE!!! OH, MY BEAUTIFUL EYE!!!

Yeah, whatever, dude.

Apple Computer – Apple essentially said:

We haven’t seen anything from SecureWorks except a grainy video of an exploit of a third party card and driver.

Did we mention we don’t make or resell that card and driver?

‘Cause we don’t.

Oh, and we’d really appreciate it if you fuckers would stop using a MacBook in your demo.

Hugs and kisses,
Apple.

Here’s what we at Crazy Apple Rumors Site think may have happened. Our opinion is, of course, worth exactly dick.

Maynor and Johnny Cache wanted to demonstrate an exploit they had researched. They also wanted to take a jab at the security of the Mac operating system – a metaphorical jab much like the actual jab with a lit cigarette they’d like to take into the eyes of Mac users everywhere (have you heard this part?). Not really knowing much about Macs (a point I’ll prove at the end), they decided to use a third party wireless card they already knew was exploitable, not realizing it was highly unlikely any Mac user would have a need for a third party card.

Krebs then over-hyped the Mac vulnerability, possibly misinterpreting Maynor’s comments about the exploitability of the stock Airport card and driver. It’s also possible Maynor knew there was a flaw in BSD and assumed it was also exploitable in OS X.

It’s apparently not.

So all this happened and Apple said “Wha-huh?” and Artie MacStrawman threatened Maynor’s life and then Ou freaked out.

That’s just our theory. We’ll gladly eat crow if we’re wrong. [UPDATE, ONE YEAR LATER: I came back to read this and was surprised at how much is actually right. Much, however, is wrong and since I’m all about accuracy… While we STILL haven’t seen the whole exploit, it now looks like they probably did have one on Apple’s native card. But what they sent Apple was not code for an OS X exploit. And then they acted all squirrelly instead of manning up and just releasing the damn thing. Why these few drama queens couldn’t behave like any other security professional who finds a Mac bug is beyond me.]

Except for Ugluk who doesn’t eat crows because he considers them sacred.

He’ll have crowfurkey.

Wait, that’s not right. It’d be… “crowfu”, I guess. Crowfurkey’d be some mutant hybrid of a crow and a turkey.

That’s not right either. It’d be a crow and a tofurkey.

What?

Oh.

Ugluk says that is what he’ll have. The mutant hybrid of a crow and a tofurkey. That’s apparently OK. Um… I’m not sure where we’re going to get that.

And he’d like a Sprite.

OK, look, I’m not really ready to take orders yet…

I’m not even sure if the place we normally go to get crow is open right now.

Anyway, we’re just about done with Day 1 of Security Bitch Watch and so far the silence…

…has been a little deafening.

Brian Krebs’ blog – where the whole thing started – hasn’t been updated since Friday and Ou’s blog (warning: annoying self-starting audio of Maynor’s presentation) hasn’t mentioned the controversy since the aforementioned post. SecureWorks’ web site hasn’t been updated since they added verbiage pointing out the hack took place with third party hardware and drivers.

But there is one other telling thing you need to know about this controversy:

Maynor – in the video of his presentation of the exploit – repeatedly calls the MacBook he’s using “this Apple.” As in “This Apple will connect back to the attacker.”

I don’t know about you, but that tells me a lot.

I’m just sayin’ Maynor or Krebs might want to think about what wines go with crow.

Everybody Tired of One Mac User.

Yet another Apple nay-sayer has fallen afoul of the one member of the Macintosh community that everyone wishes would just go away.

According to a blog post by George Ou (link via Daring Fireball), Artie MacStrawman is at it again.

Ou claims that MacStrawman disparaged the character of the security professionals who are quoted as having claimed to have wirelessly hacked Apple’s Airport drivers, a claim refuted by Apple.

Further, Ou says that MacStrawman threatened to kill one of the professionals – David Maynor – and his imaginary dog.

Mac users will remember MacStrawman as the Mac user who:

  • Says the Mac is utterly invulnerable to any and all malicious attack.
  • Mindlessly worships Steve Jobs.
  • Blindly buys anything Apple releases no matter how dumb and stupid and dumb it is.
  • Refuses to accept that Windows might be better at anything. Even being Windows.
  • Emails death threats to anyone who disagrees with him.

Daring Fireball’s John Gruber said “I just wish that guy’d switch to Windows or Ubuntu or something.

“But… he’s Artie MacStrawman. So I guess that’s not going to happen.”

Complicating matters is the fact that MacStrawman may have initiated the entire controversy. According to Maynor, it was MacStrawman’s argument that the Mac is utterly impregnable to attack that caused him to hack a MacBook using a third-party wireless card and driver and then claim that he could do the same thing with an Airport card and driver without actually having tried it.

Maynor did admit that he was the first to issue a threat, saying that he wanted to stick a lit cigarette into MacStrawman’s eye.

“I shouldn’t have said that,” Maynor said. “It’s just that that guy really bugs me.”

At least on this point, Maynor and the Mac community can agree. Artie MacStrawman bugs everyone.

Friday Feature: Crazy Apple Help Desk.

Every Friday, the staff at Crazy Apple Rumors Site answers common help questions based on our vast experience with Apple products and our fervent belief that we know more than you do.

Q: I have a Power Mac G5 and I upgraded the OS to Tiger five months ago. My problem is, for some reason I still don’t have smart folders. All I have are these stupid folders. Like this one. “System.” What’s that? Stupid. “Applications.” Stupid. Where are the smart folders? The folders that totally rule? ‘Cause all I see are these dumbass folders.
A: Uh… well, smart folders are folders that you configure to contain files that match certain parameters that you set.
Q: What?
A: You, um, you go to the Finder and go to the file menu and choose New Smart Folder. Then you set the paramaters for the kind of file…
Q: No, no, no! I don’t want folder that will put a bunch of files together! I want folders that will help me crush my enemies!
A: Oh. Uh… I think you’re going to have to go with a third party solution for that.
Q: Hmph. Well, is there something you can recommend?
A: Uh, I hear Folders Of Vengeance is good.
Q: Oooh…

Q: I have a Mac mini and I installed Boot Camp on it as soon as it came out. I’ve been running Windows and I really like it. So much so that I’m really thinking of switching from the Mac to Windows.
A: Oh. That’s too bad. What is it you like about Windows so much?
Q: Well, it’s free! I mean, I just downloaded it from www.ubuntu.com and installed it!
A: Uh… that’s not Windows. That’s Ubuntu.
Q: Oh. Ubuntu?
A: Yeah. I’ts a Linux distribution. Supposed to be good for you.
Q: Huh.
A: Yeah. Totally different operating system.
Q: Wow. I guess that explains all the free apps and all the compiling and stuff.
A: Yeah.
Q: Well, if I’m going to be a Linux user, does this mean I have to stop showering?
A: Not completely, but no more than once a week. Also, you have to go on long, boring rants about DRM.
Q: Hmm. I guess I can do that.
A: You also have to get really big, out-of-style glasses. And women are out of the question.
Q: Ugh. See, I’m just not sure I’m ready for… you know… the Linux lifestyle.
A: I know what you mean. Personally, if I’m not going to have sex with women, I’d rather just go gay than Linux.
Q: Oh. That… gay… sounds nice. Kind of happy. What OS do I install to do that?
A: There’s no OS. There is some butt sex.
Q: What?
A: I was… just kind of kidding.
Q: Oh.

Q: I have a black MacBook that I recently maxed out on RAM. I do a lot of Keynote presentations and the RAM really seems to help. But my question isn’t about that. My question is, who’s the bigger hack: Paul Thurrott or Rob Enderle?
A: Oh. Wow. Uh… boy…
Q: It’s tough to pick just one, isn’t it?
A: Yes, it is! Ooh, wow.
Q: I’m going to need an answer, though.
A: OK. OK. I’ve gotta go with Enderle. I mean, Thurrott’s got his biases, but Enderle is just wrong all the time. He disproves the broken clock theory.
Q: Enderle is correct! OK, let’s move on to question 2. Who’s a bigger prima donna, Jason O’Grady or Dan Knight?
A: Another tough call. But I’m going to go with O’Grady, as LowEndMac actually has valuable content.
Q: The answer is… O’Grady!
A: Yes!
Q: OK. Just one more, for all the money, the car and the lifetime supply of Vagisil.
A: I’m ready.
Q: John Dvorak or Steve Ballmer – who eats more ass?
A: Ohh!
Q: Yes? You’re smiling!
A: I know this one! It’s Dvorak!
Q: THAT IS CORRECT! John C. Dvorak does eat more ass than Steve Ballmer! Congratulations! You’ve won the money, the car, and the lifetime supply of Vagisil!
A: I already know where I’m going to use that, Ted!
Q: That’s all the time we have. I want to thank all our other contestants and we’ll see you next time on Mac Community Quiz!