By John Gruber
Infolio — No-nonsense task management and team collaboration
This Techworld article on last week’s AirPort security updates, titled “Apple Coats WiFi [sic] Security Hole”, is wrong in nearly every assertion it makes.
The Techworld article is credited to the dual byline of “Jim Dalrymple, Macworld and Kieren McCarthy, Techworld”, but I suspected from the start that the objectionable aspects are entirely the work of McCarthy, and that Dalrymple’s name got dragged into this by whatever the rules are for dual-bylining when a Techworld writer runs something containing reporting from a Macworld writer.
[Update 27 September 2006: As of today, the article is now credited solely to Kieren McCarthy.]
Dalrymple has a solid track record as a reporter for Macworld, and his reporting for Macworld regarding this Wi-Fi hack saga has been spotless. In particular, his story for Macworld regarding last week’s AirPort security updates is error-free.
I emailed Dalrymple to ask about his role in the Techworld article, and he responded: “Rest assured, John, not a word of the revised article was written or approved by me. I stand by the original article I wrote for Macworld.”
Jason Snell, editor-in-chief of Macworld, told me via email:
Just an official notice that Macworld does not endorse that Techworld story, which was created by a Techworld writer with Jim’s name attached. […]
We stand by our story; we wish Techworld would stand by theirs and not misuse the name of our reporter on its snide opinion article masquerading as news.
Hence I’m bestowing Jackass of the Week honors solely upon McCarthy. In fact, if anything, McCarthy deserves double jackass honors — once for the crummy article and again for putting Jim Dalrymple’s name on it.
McCarthy starts with the unfair accusation that Apple has issued contradictory statements regarding last week’s AirPort security updates:
Apple has patched a serious security hole in its WiFi driver, despite disputing its existence last month.
A security and AirPort update for Mac OS X fixes holes found in the company’s wireless drivers by a researcher at SecureWorks. Despite claiming that the researcher was wrong and the drivers were not in any way vulnerable, the patch covers the self-same problem.
Apple’s statements on this topic last month, as reported by Dalrymple himself in Macworld — and not only reprinted in Techworld, but linked to in this very article (see “claiming”, above) — were very precise: Apple denied only that SecureWorks had provided them with evidence of Wi-Fi flaws affecting Apple products. No one from Apple said anything, one way or the other, about whether the company was aware of any such flaws.
(And Apple certainly didn’t deny that any such flaws existed — that would be a reckless statement under any conditions. Even if you’re not aware of any flaws, it’s impossible to know whether there exist flaws you aren’t aware of. It’s the difference between “known unknowns” and “unknown unknowns”, in Rumsfeld-ese.)
There is no evidence whatsoever that last week’s security updates cover the “self-same problem” demonstrated by David Maynor and Jon Ellch at August’s Black Hat conference — and Apple has specifically denied that they do.
The company changed its tune over the hole, complaining that SecureWorks had not given it sufficient information and so it had in fact discovered the problem itself.
There has been no tune-changing at all — Apple claimed a month ago that they had received no evidence of flaws in their products from SecureWorks, and they claimed the same thing last week after releasing the updates.
SecureWorks researcher David Maynor and “Johnny Cache” demonstrated the vulnerability — where a hole in Apple’s MacBook wireless software driver allows a hacker to take control of the machine — at the Black Hat conference in August. Maynor said at the time that they had demoed the flaw on the Mac because of the “Mac user base aura of smugness on security”.
Maynor and Ellch’s demonstration at Black Hat was explicitly regarding a third-party card and driver. It remains a central question in the saga whether they have also discovered a similar vulnerability in Apple’s built-in AirPort drivers, but one fact that is undisputed by anyone is that their public demonstration did not involve Apple’s card or driver. Undisputed.
That smugness was nowhere to be seen yesterday as Apple informed the faithful that it personally had discovered the problem that wasn’t a problem anyway because no one had exploited it — except for the two people up on stage at the Black Hat conference, that is.
Again, wrong. For one thing, Maynor and Ellch demonstrated no such thing while on stage. Famously, they presented their exploit demonstration on video, so as to prevent anyone in attendance from recording the Wi-Fi network packets to copy the attack. And their videotaped exploit was explicitly an attack against a non-Apple card and non-Apple driver.
Next and final paragraph:
The issue isn’t wide-ranging in that it only affects the Power Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers equipped with wireless. That leaves Intel-based Mac mini, MacBook, and MacBook Pro computers completely unaffected.
Again, wrong. McCarthy apparently only read the description of the first of the three issues addressed in last week’s update. The first of the three issues does not affect Intel-based Mac Minis, MacBooks, and MacBook Pros, but that’s because those three Macs use a different AirPort card; the other two AirPort issues addressed last week do affect these Macs.
Amazingly, not only does every single paragraph of this article contain at least one factual error, but even the errors reported within the article itself contradict each other. In the fourth and fifth paragraphs, McCarthy claims that last week’s Apple security update addresses an issue exposed by Maynor and Ellch’s Black Hat demonstration against a MacBook. In the next and final paragraph, McCarthy claims the security update does not affect MacBooks or MacBook Pros.
It boggles the mind.