Clarification on the MacBook Wi-Fi hack 'conspiracy'

David Chartier

Many say that 'perception is everything,' and this unwritten rule holds true in both journalism and the blogosphere. While I, having no formal journalistic training, will be the first to clarify that I am inarguably a member of the latter, it has come time for me to also clarify a few things concerning my coverage of, and pseudo-involvement with, this MacBook Wi-Fi hack drama.

If you need a refresher: back in early August of 2006, Brian Krebs wrote an article for The Washington Post titled Hijacking a Macbook in 60 Seconds or Less (product misspelling maintained in the name of accuracy). In this video, David Maynor of SecureWorks demonstrated his ability to wirelessly hack into an Intel-based MacBook that was using a 3rd party wireless card. At the beginning of this video and again at the end, Maynor plainly states that he's using a 3rd party card and it is that card's flawed drivers - not Apple's - which allowed him to maliciously take control of Mac OS X. Naturally, some furious debates erupted across the net over just about every imaginable angle one could take on this demonstration.

Eventually, SecureWorks felt the need to clarify on their site (a disclaimer that has apparently been taken down) that the hack was done with 3rd party drivers - the subject of many debates since all MacBooks ship with built-in Wi-Fi, virtually negating the need to ever use one of these cards from what was, at the time, an undisclosed manufacturer (which further upset critics). This clarification, however, is what broke the dam in my opinion. In the video, Maynor was up-front about the drivers once at the beginning and again at the end, but never *during* the demonstration. This by itself isn't much to get one's mouse cord tangled over, but Brian Krebs's article was titled "Hijacking a Macbook..." not "Hacking Mac OS X via 3rd party flaws." While being blunt about what and how he hacked a MacBook in the Washington Post video, Maynor and his partner Jon "Johnny Cache" Ellch kept claiming afterwards that they also found this flaw in the software that ran the MacBook's internal Wi-Fi card - software written by Apple - but couldn't disclose or even demonstrate it because Apple was 'leaning on them.' For more on this, see Gruber's spot-on coverage at this search link of Daring Fireball as well as this coverage from the Macalope. To add to the confusion that helped ignite all this drama though, Krebs also wrote this in his original Washington Post article (emphasis is mine):

The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless "device driver," the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the Macbook -- and presently not publicly disclosed...

This is where I believe perception matters most, and why I titled my follow-up post as SecureWorks admits to falsifying MacBook wireless hack. I felt that Krebs, in the language he used in his article, as well as Maynor and Ellch, with their demo and fairly serious follow-up claims against Apple's security reputation, were misrepresenting what was actually going on in the name of pageview-fluffing drama. With a healthy 'I want to put a cigarette out in a Mac user's eye' distaste for the outer-fringe Mac community's attitude towards security, they blurred some of the details and pressed a hot-button of the Mac discussion, creating the perception of danger. Whether I'm right or wrong, SecureWorks' need to clarify the demo means something got lost in translation, and I wanted to point that out to bring another context to the discussion.

The reason I bring this all up is that George Ou of ZDNet, perhaps one of the few - or only - valiant defenders of Maynor and Ellch over the months, is at it again, after catching up on his X-Files episodes it would seem. Ou's latest on the drama - which, believe me, I wish would go away just as much as you - is a claim that I, and other bloggers, were working with Lynn Fox (Apple's PR director) in a conspiracy against David Maynor and SecureWorks. While I'm flattered at the possibility of Apple even talking to me, the truth of the matter is that the company pretty much ignores TUAW, and most other Apple-related blogs, entirely. Honestly: Fox and I never exchanged so much as a "mwahaha" over email, or any other form of correspondence for that matter. I've never been contacted by anyone from Apple regarding anything besides the fact that one of my older PowerBook's warranties was about to expire, and that AppleCare would be a great way to stay within their graces. If selling that PowerBook on eBay back in the day so I could switch to an iMac denotes conspiracy in my blood, then by all means, Ou himself should probably be the one to strip me of my underhanded blogging credentials.

Until my eBay practices become a more significant matter of blogging ethics, however, I hope as much as the rest of you that this MacBook Wi-Fi hack topic can fade off into Google's archives where it belongs.
