News, info, and opinion by Mac users, for Mac users.

October 6, 2006


Kieren McCarthy’s article is all about insecurity

Posted Oct. 6, ’06, 8:03 AM PT by Dan Moren
Category | Security

You know what’s gotten a little old for me? Tech writers who write stories full of “facts” about Apple then complain that they get barraged by Mac “cultists.” Look, if you’re going to publish a piece that’s full of inaccuracies and FUD, you’re going to have to take your medicine.

Techworld’s Kieren McCarthy, previous recipient of John Gruber’s Jackass of the Week honors, is the latest example. He’s back, playing the “woe is me” card after his previous inflammatory (and often incorrect) article. Even better, this new article is apparently reposted largely from a personal blog entry with which John Gruber has already taken issue. Let’s look at some excerpts:

Here we go again. Security experts warn that there is a hole in one of Apple’s products, Apple says there isn’t a problem, and a month later it releases a fix for it. A journalist (me) writes a story pointing this out and is faced with email abuse from the Apple faithful.
I’m very sorry that Mr. McCarthy feels that he has suffered so harshly. I mean, emails. Whew. What kind of society do we live in? Is there no decency left?

Mr. McCarthy goes on to recount the numerous problems that Apple has supposedly ignored or covered up.

Apple’s new Intel-based Mac laptops face random-shutdowns and a website, macbookrandomshutdown.com, is created. Apple refuses to discuss or acknowledge issue.
As a former random shutdown sufferer, I’ll be the first to admit that Apple’s acknowledgment of this issue is on the terse side, but the fact that it exists is incontrovertible. Strike one, Mr. McCarthy.
SecureWorks security researchers report a hole in MacBook that allows someone to take control of the machine. Apple refutes the hole exists: “Despite saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is.” A month later, Apple releases a patch for the hole.
Which would be damning evidence if, in fact, it was the same vulnerability. Unless you’re accusing Apple of lying, they’ve said that this was a different security hole. Strike two.
Apple pulls and re-releases a security patch (Security Update 2005-007) that covered holes in over 40 components but which rendered 64-bit applications unusable, sparking thousands of angry phone calls.
I’m going to give Mr. McCarthy a cumulative “strike three” for listing half a dozen inane stories of this kind. Unable to find enough instances of Apple’s deliberate malfeasance, he pads out his list with a variety of stories of Apple errors and quotes from security company personnel saying that Mac users have to be warned against complacency—the same thing I, a Mac user, have said many times, as recently as Tuesday.

Sure, Apple makes mistakes, but to point at some sort of concerted effort of hushing up security problems is pure pie-in-the-sky, X Files, grassy knoll, Elders of Zion conspiracy theory. Blaming Mac users for being “over-protective” is a poor excuse for posting stories that include details which are simply flat-out wrong. While we’re obviously Mac fans at MacUser, a quick look at our archives will show that we certainly don’t hesitate to give Apple a hard time when they deserve it. Mr. McCarthy’s article, meanwhile, smacks of axe-grinding. I’m sorry he had to suffer from nasty emails, but seriously: heat? kitchen? Ring any bells?


19 Comments

DB said:

Never mind the fact that McCarthy treats posted exploits as equivalent to viruses in the wild, and that he pads out his list with many things that any rational person can see aren't security issues at all, but merely buggy software releases. What exactly does briefly breaking 64-bit apps have to do with security? What do random shutdowns have to do with security? Unless these things were caused by some hacker with malicious intent (and they weren't) then McCarthy is talking out his behind with this stuff.

Add it all up and it's hard not to conclude that McCarthy is intentionally trying to act as a hatchet man against Apple's security image.

Dan Frakes said:

Well said, Dan.

Kieren McCarthy said:

I would like to apologise for padding out my list with direct criticisms of Apple's security and its security approach from: Ken Dunham (director, iDefense); Graham Cluley (Sophos); Thomas Kristensen (CTO, Secunia); Niels Henrik Rasmussen (CTO, Secunia); Johannes Ullrich (SANS); Kyle Haugsness (SANS); NetSec, eEye, @stake, Intego and all those others quoted in the article that are, well, the world's leading security experts.

You are absolutely right to have ignored them. Keep ignoring them. What do they know that a blogger doesn't, anyway?


Kieren

Currawong said:

Kieren, sorry, but you're the next Dvorak. I think people should just ignore people like you who write deliberately misleading and sensationalist blogs and articles for the sake of attracting attention.

Quoting authoritative sources doesn't mean that your concluded opinions are valid. The sky is blue, therefore I'm right. Nice try.

Mr. McCarthy may be constrained from saying as much, but I'll happily say that I don't find your claim that Apple's patch fixed "a different security hole" even a little bit credible.

A "different" security hole. In the same subsystem that secureworks named. With an identical attack path. Right. Frankly, it doesn't even pass the laugh test.

In fact, what Apple themselves claimed was a little more specific: they claimed that Secureworks didn't provide them with enough information to verify the hole that they'd claimed to have found, but that an internal audit turned up a hole that -- surprise, surprise -- functioned exactly as Secureworks described. You can fault Secureworks for not providing Apple their packet traces in a timely fashion (although at this point given the amount of pettifogging coming out of Apple and the usual volunteer attack-dogs on this issue I'm not willing to grant even that as a given), but choosing to believe that Secureworks made up their demonstration and that Apple then just happened to find a bug that worked in the same way requires industrial-strength self-delusion.

Geoffrey H Wathen said:

Amazing. Mr. McCarthy himself posted a reply! And he missed the whole point of your rebuttal! Oh well. I guess you can't win them all....

DB said:

Kieren if all those experts you named genuinely said that a patch breaking 64-bit apps or the MacBook shutdown problem is a security issue, then they aren't much more impressive than you are, which is to say not impressive at all.

But then, those experts never said anything of the kind, did they?

You are a hatchet man. You take a shotgun approach, imply that logically unrelated things are related, and when called on it, you appeal to 'experts' who don't actually back you up. I doubt you even believe the things you're saying.

Your credibility has been completely destroyed.

Anonymous said:

Way to name-drop, Kieren. (Asshat!)

You just keep whining about OS X's insecurities, and we'll just keep using our Macs, plugged directly into the net with no firewalls, virus scanners, or malware prevention applications in-between.

The day may come when we have to forego those freedoms, but for now, you're just spinning your wheels, man.

rahrens said:

Sorry, doctor memory, but you need to read things closer, or did you not read them at all?

The vulnerabilities Apple found do NOT function the same. Maynor and Ellch found a "hole" as you put it, that depends on a malformed packet being injected into a wireless card using a rapid fire technique to overwhelm the card so it will accept the packet, which then kills the card.

Apple's found flaws depend upon stack or heap overflows, not timing issues at all.

Apple isn't putting out any "pettifogging" as you put it, but their PR releases have been succinct and to the point.

Learn to read and you won't embarrass yourself next time.

Chuck said:

That's right, anonymous. I use NO anti-virus software, firewall or other software to protect my Mac, running OS X 10.3. Never have. Yet in Kieren's world, if all of these "issues" are so bad, you would think comparing them to all of the holes and viruses in the Windows world he'd be having near-death experiences. I laugh when I see how much money Windows users have to shell out just to keep their PCs on the 'net. Freeware, you say? OK, but what about all the time it takes to have to download new definitions and make sure everything is running just so. This is a joke.

Rahrens: your certainty that Maynor and Ellch's attack was a timing attack and neither a heap nor a stack overflow is fascinating given that they have never disclosed their code nor said much of anything about its nature.

Do you have any stinging ripostes that involve less, um, making stuff up?

V-Train said:

Doctor Memory,

If they haven't disclosed the code nor said much of anything about its nature, what was the basis for your "identical attack path" comment?

Do you have any stinging ripostes that involve less, um, making stuff up?

Doctor Memory said:

V-Train: at the risk of belaboring the obvious, the attack path was the driver for the wireless interface, via the network. Neither Apple nor Secureworks have ever claimed anything different: do you know something that they don't?

Ben C said:

While I'm not one to discount how secure OSX is, I'm not about to ditch my hardware firewall and connect directly to the net. None of us is totally secure, otherwise Apple wouldn't have to release patches at all. The fact they have to release patches indicates there were vulnerabilities that could be taken advantage of. A hardware firewall in addition to the built in firewall of OSX provides another layer of security. Advocating people not take advantage of these tools is doing the public a disservice.

Chris said:

First of all, I think Kieren deserves some points for showing up here to defend his article. We may all disagree with his article (and I think the "Gruber" was awarded justly), but at least he stands behind his article. Well... in a kind of petulant way, hiding behind some names of people who (surprise!) earn money from IT insecurity, but nevertheless.

But Kieren - it's not helpful for your career (so to speak) if you go on record with easily disproven 'facts' (for example the random shutdown was acknowledged by Apple). It makes you an easy target. Trying to force the issue will only make you look as pathetic as George Ou. Don't go down that road.

-ch

How many times do we have to repeat; "A Vulnerability does not an Exploit make"?

And a hardware firewall works just fine, thank you, when connected locally to the Internet. If you have more than one machine, you "Have" to use one.

ClamXav helps us keep those bad-nasties at bay, thank you very much, so we aren't "Typhoid-Maries" in the non-Mac environments. Just use it.

Much Ado about nothing?

"Crying wolf" eventually gets the boy eaten when the real thing comes around. Until then...practice safe computing with cheap insurance. It will avoid litigation later on.

rahrens said:

Doctor Memory;

My information was posted by Ellch himself. He posted comments on a blog - see George Ou's blog for a link. I'M not making stuff up, you are!

Mark Whybird said:

Just for the record, Chuck, I use free software to protect my one Windows machine, and the updates etc. are automatic and hassle-free. Please note that this minor fact correction comes from a person in the Software Development industry who greatly prefers Macs, and owns several. Nor does this minor correction make Kieren McCarthy's article any more correct. (Kudos to Kieren for posting here, by the way).

Rahrens: good god, you seriously want me to track through the several hundred comments on each of Ou's blog entries that reference this fiasco to find the one that allegedly supports your point? Please just provide a quote or a link. If it will motivate you: I still assert that you are either making this up whole, or completely misunderstanding something that Ellch said.
