Apple Spokesperson Makes Startling Security Revelations.

When asked to comment on the recent Security Bitch Watch controvery (now concluding day 8!), the usually inscrutable Apple spokesperson Lynn Fox made several telling comments about the state of Mac security.

Many hours have been spent poring over Fox’s comments of a week ago Friday and whether or not they represent an outright refutal of SecureWorks claims or are just so much PR speak. Indeed, many of Fox’s comments in today’s interview might have gone unnoticed by less seasoned reporters.

Fox began by reiterating the company’s statement that SecureWorks has not presented Apple with any evidence that the Airport firmware and software supplied with the MacBook is suceptible to the attack shown in their video demonstration.

She added, however that “What surprises us is that Maynor and Ellch completely missed the massive security flaw in our Bluetooth stack.

“For instance,” Fox said, “Simply pairing a Bluetooth headset with Mac OS X for Intel causes the system to turn on remote access, remove the root password, and erase several key user-data files.

“And don’t get me started on USB,” she said, her words slurring.

“I don’t even want to talk about USB. Listen, if you mention USB, I’m going to hit you so hard you won’t even remember that plugging in a camera to a USB connection on the Mac automatically sends browser caches to the NSA.”

Fox stopped to take a slug from a small, opaque bottle she carried with her.

“Now, I’m not going to talk at all about the TCP/IP problems. Not all. So I won’t even explain that attempting to connect to AppleShare over IP with the user name ‘sjobs’ exposes the entire contents of all attached drives, all networked drives with stored passwords, and initiates password cracking against all computers on the ISP’s attached network.

“No, sirree,” Fox said, slumping quietly to the floor. “No, sirree.”

Apple declined to comment for this story, shortly after Fox passed out.

Friday Feature: Crazy Apple Help Desk.

Every Friday,

Q: If you happen to see someone using a third party card, is it ethical to tap into their MacBook using this hack?
A: No! Not at all! I mean, you wouldn’t use their toothbrush would you?
Q: No. Well… no. But, I mean, what if you suspected they might have lesbian ninja porn on their hard drive?
A: Dude…
Q: Well, I just… I’m trying to… just trying to figure out the etiquette…
A: Dude, if you suspect they have lesbian ninja porn on their hard drive, you grab the laptop and run like hell.
Q: Oh.
A: To my house.
Q: Uh… right.

Q: I have a MacBook that I’m trying to initiate the SecureWorks Wifi hack from but I’m having some trouble. I try sticking the cigarette into my eye, but find that my eyelid descends at the last minute to block it. Any tips for keeping your eye open?
A: I’ve found those things they used on Malcolm McDowell in A Clockwork Orange work really well, but Chet swears you can get the same results from ordinary toothpicks. At any rate, if you just keep at it, you’re likely to burn right through your eyelid and that’ll get the job done.
Q: And, refresh my memory… how does this help me wirelessly hack something?
A: Uh… actually, I think it’s supposed to help make your Mac more secure. Or something. To be frank, I’m kind of confused on that point.
Q: Gosh. There’s so much I don’t understand about computer security.
A: It is complicated. I guess that’s why we need the help of professionals.
Q: Mmm-hmm.

Q: I know the whole Mac universe is up in arms about this whole thing, but I’m just not seeing it. Why should I care about this?
A: Wha-why should you care?! Oh, I don’t know. Maybe you like having your eye burned out with a cigarette.
Q: C’mon, they apologized for that.
A: That’s so nice! All is forgiven! Now if I could just see out of my left eye…
Q: Oh, stop it. Look, there’s a very real chance they may actually have a hack of Airport. Why heap so much shit on them? It’s just another case of the Mac community run amok.
A: Yeah, well, if someone decides they’re going to kick a hornet’s nest, I don’t have a lot of sympathy when they go crying to their momma – or George Ou – when they get stung.
Q: Well, I guess that’s a good point.
A: Oh, and you know what else?
Q: You’re kind of worked up over this.
A: Let me just make this other point…
Q: No. No. It’s OK, dude.
A: No! NO! It’s NOT OK! See, what I was going to say is that…
Q: I’ll just… let myself out…

BREAKING NEWS: OU LASHES OUT AGAIN!

George Ou speaks again, John Gruber’s “super long analyis” (shorter Ou: “Damn, this David Burke, who has a recurring role as a D.A. on Boston Legal.

That’s just the kind of of top-notch legal advice you want when refuting a blog post!

So, let’s get down on it! Burke copies whole heaves of text from Daring Fireball to set the ground work for his massive take-down!

Sorry for the following extended quotes, but this is the evidence he uses to support his concern, search the link if you would like to double check…

Uh, no, dude, that’s OK. I’m sure you’ve got mad copy/paste skillz. I’m sure you beat the hell out of that V key.

“Copy. PASTE! Copy. PASTE! Copy. MOTHERFUCKING PASTE! Oh, man, I’m on fi-ya!

Fox’s statement simply says; Maynor and Ellch have not demonstrated such a vulnerability to Apple.

Apple may in fact fully well have been contacted by Secureworks and may be quite aware the exploit exists and are working on it.

So his main concern is garbage.  See why you need trained people to examine the evidence?

Ah! You mean like someone who plays a D.A. on TV?

There’s just one problem with Mr. Burke’s stunning legal analysis.

“Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is,” Apple Director of Mac PR, Lynn Fox, told Macworld.

[Emphasis mine.]

This is the graph that Maynor’s defenders kind sorta wish wasn’t there and, if you repeat it, will probably make them stick their fingers in their ears and go “LA-LA-LA-LA-LA-LA! I AM NOT LIS-TEN-ING!”

They much prefer to focus on the “sharing of code” quote, as Ou does here:

Fox never stated SecureWorks never contacted them, they only said that no code was shared.

The first part of that sentence is true. The second is not because of the use of the word “only.” She said that SecureWorks provided no evidence.

Ou says “You can’t have their code, bitch!”

You’re not entitled to a researcher’s code which they spent time developing.  Giving them the actual malformed packet that triggers the exploit and a pointer to the location of the flawed code is standard practice.

But for SecureWorks to have done this would have been to provide evidence, in which case Fox was mistaken or lying. But Ou’s not arguing that Fox is mistaken or lying. He’s arguing that she used PR gobbledy-gook to try to trick the world into thinking SecureWorks was wrong about the Airport hardware and drivers.

Ou then compliments his possibly imaginary friend on his legal acumen. You can learn a lot on the set of a popular legal show! I wish he’d asked him what Shatner’s really like!

While I know for a fact that Gruber is wrong and doesn’t know what he is talking about since I’m sitting on sensitive information at this point, I’m amazed that you can take Gruber’s own analysis and take it apart and get eerily close to what the truth is.

Well! Someone’s been hanging out in the super-secret hacker treefort in Maynor’s mom’s back yard with the Farah Fawcett poster on the wall!

I wonder if Ou has talked to Apple. Because single-sourcing from SecureWorks may not be the best way to go right now (see: Krebs, Brian). We already know that Ou has gone out of his way to falsely portray SecureWorks as good faith actors who were only interested in making Macs more secure and kittens and puppies more prevalent and spring! with the flowers and dancing and… and…

And that’s bullshit.

You don’t get to run around and say you want to stick a lit cigarette in its user-base’s eye and then pretend you weren’t out to get Apple.

At the end of the day, SecureWorks may be able to demonstrate a hack of Airport. I suspect there’s smoke coming out of that super-secret treefort right now and it’s not from the vigorous self-gratification to the Farah Fawcett poster. But until someone puts up or shuts up, a responsible journalist would not make ham-handed efforts to brow-beat others into silence with vague threats of lightning bolts from Mt. Olympus.

You might be thinking, jeez, this guy writes for ZDNet, I mean, that must mean he’s a responsible journalist, right?

Eh, maybe not.

666 – THE POST OF THE DEVIL

Check out the specific link to this post.

Well, let’s continue the fun, just as Satan would want us to, shall we?

IN HIS HONOR!

Blaka n’rath mkran dalla soocra m’joran!

Oh, dammit, that’s Klingon.

Well, we’ll have another post later tonight (unless one of our Apple contacts calls us and wants to go out for drinks), but as Day 2 of Security Bitch Watch draws to a close, the radio silence from George Ou, Brian Krebs and SecureWorks continues. In the mean time, you can check out some posts from the lovely and talented Glenn Fleishman on the subject, or delve into the arcane aspects of Maynor’s supposed hack at Sex, Drugs & Unix.

Also, as this whole wifi incident is rather confusing, let’s make Friday’s Help Desk a special episode. You can either email me your questions or drop them in the comments of this post.

ALL HAIL SATAN!

I don’t really mean that.

I just like Satan as a friend.

UPDATE: As fate (OR SATAN!) would have it, we are going out with one of our Apple contacts. So we’ll see you tomorrow with more on Security Bitch Watch.

Security Bitch Watch – Day 1.

On George Ou’s blog post mentioned in the story below, he noted that David Maynor (aka the sensitive pink pony of hackers, who was needlessly subjected to the vicious ridicule of Mac users spurred on by a rabid Steve Jobs screaming “Fly, my monkeys! Fly!”) would be “bringin’ it on” (not a direct quote) and that he would provide “the bitch slap Apple so badly needs” (also not a direct quote) and that “sisters would be doin’ it for themselves” (that, oddly, is a direct quote).

Ou indicated on Sunday morning that SecureWorks’ totally bitching response of doom to the scurrilous Apple’s scurrilous press release of scurrility would be revealed “in the next couple of days.”

The Oxford American Dictionaries as accessed through Dashboard define “couple” as “two” or “an indefinite small number”, but I think we can start the watch as of this morning.

If Ou is right, we shouldn’t have long to wait.

Which is good because the suspense is killing us. This is the John Mark Karr case of the Mac world, you know.

Let’s review the players here and see who’s down for what.

SecureWorks’ George Maynor and Jon “Johnny Cache” (get it?! Puns rock!) Ellch – They hacked a MacBook using a third party wireless card and driver and – according to Brian Krebs – claimed they could do the same thing with a stock Airport card and driver. Krebs also said they claimed they totally told Apple about this and got hit over the head with a sock full of nickels by Steve Jobs who said they’d better not tell anyone or he’d finish the job.

Oh, and I’m sure this isn’t in any way relevant, but they also want to stab Mac users in the eye with a lit cigarette.

Ha-ha! Oh, you guys!

The Washington Post’s Brian Krebs – Krebs wrote that Maynor and Ellch claimed the Apple-supplied Airport card and drivers could be hacked the same way the third party ones could. Then said they didn’t.

Then said he stood by his reporting.

I may have some of that out of order, but that’s essentially it.

ZDNet’s George Ou – Ou is outraged – OUTRAGED! – that Mac users don’t want to have lit cigarettes stuck in their eyes! The nerve! Listen, Mac punks, if a respected security professional wants to stick a lit cigarette in your eye, you just ask him which one! GOT IT?!

Anyway, Ou says Maynor and Johnny Cache never claimed the exploit worked on Apple Airport hardware and drivers, even though he himself linked to Krebs’ post which says they did. And he says they actually demonstrated the hack against Apple hardware and software, which I guess they must have done while just raising their eyebrows a lot and pointing in silence as Ou says they never said they could do that.

He also had the temerity to claim

…Maynor chose an external third party hardware wireless adapter to avoid focusing attention on possible Apple hardware and software issues which may endanger Mac users.

Oh, that’s so sweet of him. See, he’s just looking out for us. What a nice guy. We should send him a fruit basket or some…

WATCH OUT FOR THAT CIGARETTE! SSSSSSSSSSSSSST! AAAAAAAAAGH! MY EYE! MY EYE!!! OH, MY BEAUTIFUL EYE!!!

Yeah, whatever, dude.

Apple Computer – Apple essentially said:

We haven’t seen anything from SecureWorks except a grainy video of an exploit of a third party card and driver.

Did we mention we don’t make or resell that card and driver?

‘Cause we don’t.

Oh, and we’d really appreciate it if you fuckers would stop using a MacBook in your demo.

Hugs and kisses,
Apple.

Here’s what we at Crazy Apple Rumors Site think may have happened. Our opinion is, of course, worth exactly dick.

Maynor and Johnny Cache wanted to demonstrate an exploit they had researched. They also wanted to take a jab at the security of the Mac operating system – a metaphorical jab much like the actual jab with a lit cigarette they’d like to take into the eyes of Mac users everywhere (have you heard this part?). Not really knowing much about Macs (a point I’ll prove at the end), they decided to use a third party wireless card they already knew was exploitable, not realizing it was highly unlikely any Mac user would have a need for a third party card.

Krebs then over-hyped the Mac vulnerability, possibly misinterpreting Maynor’s comments about the exploitability of the stock Airport card and driver. It’s also possible Maynor knew there was a flaw in BSD and assumed it was also exploitable in OS X.

It’s apparently not.

So all this happened and Apple said “Wha-huh?” and Artie MacStrawman threatened Maynor’s life and then Ou freaked out.

That’s just our theory. We’ll gladly eat crow if we’re wrong. [UPDATE, ONE YEAR LATER: I came back to read this and was surprised at how much is actually right. Much, however, is wrong and since I’m all about accuracy… While we STILL haven’t seen the whole exploit, it now looks like they probably did have one on Apple’s native card. But what they sent Apple was not code for an OS X exploit. And then they acted all squirrelly instead of manning up and just releasing the damn thing. Why these few drama queens couldn’t behave like any other security professional who finds a Mac bug is beyond me.]

Except for Ugluk who doesn’t eat crows because he considers them sacred.

He’ll have crowfurkey.

Wait, that’s not right. It’d be… “crowfu”, I guess. Crowfurkey’d be some mutant hybrid of a crow and a turkey.

That’s not right either. It’d be a crow and a tofurkey.

What?

Oh.

Ugluk says that is what he’ll have. The mutant hybrid of a crow and a tofurkey. That’s apparently OK. Um… I’m not sure where we’re going to get that.

And he’d like a Sprite.

OK, look, I’m not really ready to take orders yet…

I’m not even sure if the place we normally go to get crow is open right now.

Anyway, we’re just about done with Day 1 of Security Bitch Watch and so far the silence…

…has been a little deafening.

Brian Krebs’ blog – where the whole thing started – hasn’t been updated since Friday and Ou’s blog (warning: annoying self-starting audio of Maynor’s presentation) hasn’t mentioned the controversy since the aforementioned post. SecureWorks’ web site hasn’t been updated since they added verbiage pointing out the hack took place with third party hardware and drivers.

But there is one other telling thing you need to know about this controversy:

Maynor – in the video of his presentation of the exploit – repeatedly calls the MacBook he’s using “this Apple.” As in “This Apple will connect back to the attacker.”

I don’t know about you, but that tells me a lot.

I’m just sayin’ Maynor or Krebs might want to think about what wines go with crow.