‘Brian Krebs Watch’ on Whether Apple Lied About Maynor and Ellch

Based on the handful of emails David Maynor released last week, this is a fair analysis of whether and how they refute Lynn Fox’s statements regarding what information Maynor and Ellch had supplied to Apple. In short: what Apple said was either true or still inconclusive. (Maynor only released emails sent from his personal account; he is apparently not permitted to release any email sent from his account with then-employer SecureWorks.)

If there’s a problem, I think it’s that Fox’s statements carried the implication that Maynor had sent Apple no technical information at all regarding his research; that’s not the case. He did send Apple information, including scripts. One problem seems to be that no one at Apple was able to use his information to reproduce any of the exploits.

The other curious thing is that Maynor also discovered a Bluetooth exploit and sent Apple packet captures regarding it, but that problem apparently remains unfixed today, six months later, in Mac OS X 10.4.8.

Thursday, 8 March 2007