By John Gruber
A few brief comments and links regarding the MacBook wireless security saga:
Computer security is a science. Science is conducted by gathering and evaluating evidence. My problem with Brian Krebs’s coverage of this supposed “exploit” is that his reporting is based entirely on what David Maynor told him. Just because someone says they’ve found a security flaw doesn’t mean there is one.
I wish Krebs had done a great job with this story. I think it’s great that a world-class newspaper like The Washington Post has a columnist dedicated to computer security issues — but bad reporting on computer security is worse than no reporting at all.
Assuming I’m right that Maynor and Ellch have found no exploit against the stock AirPort cards and drivers, the worst part about this fiasco might be the “boy who cried wolf” effect: A false alarm makes it more likely that if someone finds an actual serious security flaw against Mac OS X, Mac users will ignore it, thinking that it’s another over-hyped non-issue like this one appears to be.
Glenn Fleishman is doing a great job covering the continuing news at his Wi-Fi Net News web site.
Jim Thompson’s “Yet Another Thing About the Maynor/Ellch Affair” points to something in Maynor and Ellch’s video demonstration that has been bothering me, too: when Maynor gets shell access to the “attacked” MacBook, his shell’s current directory is that of the user who is logged in to the Mac’s GUI. A root exploit would typically put the current directory at “/” — that is, the root level of the startup volume.