Several weeks ago, we regaled you with the tale of how a pair of hackers, David Maynor and Jon "Johnny Cache" Ellch
claimed that they could pwn a MacBook in a minute flat. The dynamic duo then showed the exploit to Brian Krebs, a reporter at
The Washington Post and a controversy ensued over the next few weeks as to who had shown exactly what to whom when. The most recent episode involved
Apple telling
Macworld two days ago that SecureWorks, Maynor's employer, hadn't showed Apple any specific information -- however, on its own, Apple discovered a problem, then released security and wireless patches for PowerPC-based and Intel-based Macs. Meanwhile, SecureWorks has been awfully mum on the issue, refusing to say anything further to Krebs or to the
IDG News Service. Glenn Fleishman has a very lengthy blog entry over at
Wi-Fi Net News that provides a play-by-play of this whole situation, but points out that Maynor and Ellch are scheduled to speak at Toorcon in San Diego later this month, and concludes by saying that he thinks the pair will show their cards and tell all, which may finally settle this torrid affair.
Reader Comments (Page 1 of 1)
William DC @ Sep 23rd 2006 3:50PM
These guys are stuck in a super lose/lose situation. If it turns out that they were telling the truth, then the Apple lemmings will call foul, claiming that they're trying to make their wonderful unhackable and virus-free machines less secure (Something they probably don't really understand, but they fear words like "hack", so go figure). The Microsoft drones will chuckle to themselves, embracing even further their bloated systems, but then not care for the hackers since they dared to touch an Apple product. As for the Linux users, they're too busy bragging about how this would never happen on their machines, and everyone else's who has seen the true light, while searching for obscure builds of drivers to make their components work. *sigh*
I'm With Stupid @ Sep 23rd 2006 4:07PM
"These guys are stuck in a super lose/lose situation. If it turns out that they were telling the truth, then the Apple lemmings will call foul, claiming that they're trying to make their wonderful unhackable and virus-free machines less secure (Something they probably don't really understand, but they fear words like "hack", so go figure). The Microsoft drones will chuckle to themselves, embracing even further their bloated systems, but then not care for the hackers since they dared to touch an Apple product. As for the Linux users, they're too busy bragging about how this would never happen on their machines, and everyone else's who has seen the true light, while searching for obscure builds of drivers to make their components work. *sigh*"
Let me guess, you are a Amiga user and thus above the hoi polloi?
Travis Pulley @ Sep 23rd 2006 4:07PM
I hate to be a grammar nazi here (ok, that's not entirely true), but it's a fresh story and I think I should point out that "... Maynor's employer, hadn't showed them any ..." made me cringe and confuse me into thinking I was reading slashdot.
Davo Awesome @ Sep 24th 2006 10:10AM
"..didn't show Apple..."
Geoffrey Sperl @ Sep 23rd 2006 4:28PM
As a Mac user, I had a hard time believing the claims on this one... especially after nothing could be done to replicate it.
I honestly don't buy that any OS is more secure than the others, but it has looked like Maynor and Ellch we're doing nothing more than blowing smoke and trying to get attention. And, really, that's too bad because now that they've cried wolf, no one will believe them next time.
Marshall @ Sep 23rd 2006 4:30PM
I know Maynor, lol...
bender @ Sep 23rd 2006 4:38PM
OSX hacked in under 7 minutes: http://www.mac360.com/index.php/mac360/comments/mac_mini_os_x_hacked_in_under_7_minutes/
Hacking OSX: http://news.com.com/2100-1002_3-6046197.html
OSX is not safer than Windows, it's even less secure. The only saving factor is the minimal number of users (5%). That is the stance of some security experts.
rahrens @ Sep 25th 2006 11:08PM
"Participants were given local client access to the target computer and invited to try their luck."
Uh, this is old news. Not real, the "hackers" already had access. Let's try again with a Mac that's configured outta the box and the hackers DON'T have access to a local account...
This one was discredited months ago!
Mac User @ Sep 23rd 2006 4:58PM
Nice story but there's a typo in it. "pwn" Oops, perhaps a spell check should be used in the future. If you wish to remain respectable you should avoid these errors.
Suwandy Chandra Tjin @ Sep 23rd 2006 8:15PM
To Mac User:
just because you aren't 1337 enough, don't start blaming Engadget about "spell check" errors. The word "pwn" is very commonly used slang now.
Read this:
http://en.wikipedia.org/wiki/Pwn
"Pwned j00!!"
wickedawesome @ Sep 23rd 2006 5:03PM
The sentence is poorly-constructed, but for larger reasons than what I understand to be your opinion that the comma in your quote was unnecessary. It is actually necessary there, but only because the rest of the sentence is already way out of control by that point.
"The most recent episode involved Apple telling Macworld yesterday that SecureWorks, Maynor's employer, hadn't showed them any specific information, but on its own discovered a problem, and then released security and wireless patches for PowerPC-based and Intel-based Macs."
In this sentence, "Maynor's employer" is being used as an appositive modifying "SecureWorks," and so the comma on each side is appropriate. It's difficult to notice this because you're well into a complex sentence structure, about three phrases removed from the core subject and verb of the sentence.
Another major problem with this sentence is the loss of reference in the pronouns starting in the second major clause. 'It' is being used to refer both to Apple and to SecureWorks, but there's no clear indication when the switch is made.
The ideas in this sentence could have been much more clearly explained in multiple sentences, but a tighter one-sentence construction might go like this:
Yesterday, Apple told MacWorld that SecureWorks, Maynor's employer, had not shown Apple any specific information, but that Apple had discovered problems on its own and released security updates for both PowerPC and Intel Macs.
I hope you are relieved of your discomfort with the comma, knowing that the problems are in fact worse than even you had imagined.
Cyrus Farivar @ Sep 24th 2006 2:54AM
Actually, you make a good point. I've revised the sentence for clarity.
Zadillo @ Sep 23rd 2006 5:31PM
bender, you do realize that the article you posted was a spoof, right? And that the CNET article in response to it was basically a result of them falling for the spoof?
Your overall point is well taken, but these are pretty bad examples of "evidence" to use.
Yeesh.
rip @ Sep 23rd 2006 5:49PM
Bender:
Your first link was a parody article.
Your second link appears to be true, but local client access was provided. Also, it was configured as a server with remote services (including web server)running.
What does that mean? The hacker was provided with an account id on the comp and multiple ports were opened that would not normally be running(the average home user does not have his/her mac configured as a web server).
In other words the test was a joke.
While the OSX isn't invulnerable, it's currently a whole lot better than Windows.
So let's recount: one fake article and one rigged contest. Is that the best you could come up with? And that somehow makes you think OSX security is worse than windows?
Thanks for playing, there are some wonderful parting gifts for you...
Pfft.
Zadillo @ Sep 23rd 2006 6:01PM
Ahh, thanks for that correction rip. I didn't read over the CNET article carefully, and thought it was the other one they posted (where they took the spoof that bender posted in the first link as being serious).
Mac User @ Sep 23rd 2006 10:02PM
I'm not 1337? What the hell is 1337? Who are you trying to impress with this gibberish? What happened to American culture? If you want to downgrade civilization with your nonsensical banter then fine, just keep it to yourself.
Nerdtalker @ Sep 24th 2006 4:40PM
ROFL, you're such a typical mac user, completely oblivious to the real world of computing.
Thank you so much for bringing some humor, and yet another angle of mac-hatred to this story.
Here's another word you can go look up, and it describes you: "n00B"
HughJass @ Sep 23rd 2006 11:17PM
Mac User, please do everyone a favor and lighten up. 1337, haxor, pwn - these are slang terms used among hackers and gamers. Engadget, like always, uses them facetiously.
Jeff @ Sep 24th 2006 2:57AM
BACK to the topic at hand: those clowns never found anything but an exploit on a third party driver that has absolutely nothing to do with macbooks in the wild, and rigged up a macbook to be vulnerable and are eating up every minute of their bullshit story's limelight.
douchebags.
gozer @ Sep 24th 2006 1:24PM
gruber has a verbose (as always) analysis of where we're at now with these two clowns. at BEST they've handled the situation very poorly with everyone involved and at worst they're complete publicity whores and liars.
Dar the Monk @ Sep 24th 2006 2:14PM
For those here who have been consumed with the fog of words and have forgotten the situations, here is a good read about it:
http://daringfireball.net/2006/08/curious_case
As for the above posts, you all have seem to lost sight of the post. Since the two "hackers" have never produced any evidence to the supposed problem of found in Mac OSX drivers, they can NEVER claim to have hacked anything now. If they attempt to do so, then they will be accused of plagiarizing the security updates.
But let us all not forget, THEY WERE GIVEN TIME, but did not produce anything. Because of this fact, I am opt to support Apple on this issue and say that the two "hackers" are nothing but liars. sorry to all who hate Apple, that this statement will surely cause puffed up egos and pride to respond (insert someones name here).
Bring Peace with Humility.
Darrell @ Sep 24th 2006 2:18PM
Correction for the linguists in here:
"...the supposed problem they had found...."
And if there is anymore, please take pity on my abilities and show mercy.
ryan @ Sep 24th 2006 3:08PM
Meh. I doubt this actually has anything to do with "security". "Security Update" just sounds better than "Crappy Driver Update". My MacBook Pro crashed constantly with the Airport active. Look for the "Wireless Causing Kernel Panics?" thread in the Apple support forums. Hundreds of responses describing the same thing. People have had their logic boards replaced multiple times. And yet, the Airport card never crashed XP under BootCamp.
Long story short - since installing this "security" update, I haven't had a single crash.
Tom @ Sep 26th 2006 2:58AM
My fave account: http://www.crazyapplerumors.com/?p=665
It doesn't appear that the driver/card config. was even the standard Apple config. So dudes hack an OS with 3rd party drivers/card, and Apple takes the blame. Well, sure OS X obviously must take some of the flak but very very few mac users would use any driver other than the standard one, nor would there be any need to use a card other than the default installed one in the vast majority of cases.
No doubt Macs are insecure, but demonstrating another hack for windows is not a good way to get publicity.
shinyhat @ Sep 26th 2006 1:20PM
I think these guys are if for some trouble. Had they actually had a real exploit, they would have shown it to Apple. Apple has of course tried to get them to prove their claims and they are acting like bitches. Making Apple out to be some big bad guy who can't admit they have a security flaw. Yes, it's likely true that Apple asked them to shut the hell up. But wouldn't you? They are defaming the company's image with accusations that they refuse to prove. The fact is that they have not been able to sit down and do the hack in front of any credible witnesses. I hope Apple will sue these guys out of business and set an example to the hacker community that you better not fsck around with claims unless you can prove yourself. If they really do have a hack and they have just been playing games with Apple by refusing to cooperate then i still say these guys are pricks.
Sitting Duck @ Nov 28th 2006 7:43PM
I believe they could pwn the MacBook. And I think something similar has happened to me. A hacker who goes by the name Neo has been invading the privacy of my home network for almost two years. He even listens to us over the microphone of my laptop. We find no evidence of attack in our sniffer files which I have posted for all to see at my blog HackerInTheHouse.com and have discussed at my podcast at talkshoe.com. I would appreciate it if David, Jon and the community would weigh in.