[ISN] How Apple orchestrated web attack on researchers

From: InfoSec News (alerts@private)
Date: Tue Mar 20 2007 - 21:24:47 PST


By George Ou 
March 20th, 2007

Last summer, when I wrote "Vicious orchestrated assault on MacBook 
wireless researchers", it set off a long chain of heated debate and 
blogs. I had hoped to release the information on who orchestrated the 
vicious assault, but threats of lawsuits and a spineless company that 
refused to defend itself meant I couldn't disclose the details.  A lot 
has changed since then: researcher David Maynor is no longer working for 
SecureWorks and he's finally given me permission to publish the details.

The scandal broke when Jim Dalrymple put out a hit piece on security 
researchers David Maynor and Jon "Johnny Cache" Ellch, saying that their 
research was a "misrepresentation".  Dalrymple based his conclusion 
solely on the word of Apple PR director Lynn Fox.  David Chartier went 
even further and said that "SecureWorks admits to falsifying MacBook 
wireless hack" based solely on a SecureWorks disclaimer (it's no longer 
there) that merely reaffirmed what the original video was saying all 
along - that the hack demonstrated in the video was based on third-party 
wireless hardware.  I had personally interviewed the two researchers 
before this whole scandal broke out and I specifically asked Maynor and 
Ellch if they were using Apple's Wi-Fi hardware in their official Black 
Hat demonstration, and they clearly said that no Apple Wi-Fi product was 
used for the exploit.  That's why I was shocked to see the researchers 
blamed for changing their story and "admitting" they made the whole 
thing up when no one changed the story and no one admitted to anything.  
Yet the headline from Chartier, along with Dalrymple's story, was 
blasted all over the web after it made Digg and Slashdot and everyone 
simply assumed Maynor and Ellch were frauds because they supposedly 
"admitted it".

Through all of this, I've been accused of covering up for my "buddies" 
and losing my objectivity, but I had never met David Maynor and Jon 
Ellch and last summer was my first trip ever to Black Hat and Defcon.  
It was by mere chance that I overheard them in an interview with another 
reporter in the press room. I asked them if I could videotape an 
interview with them afterwards, and they said yes which led to this 
interview.  But when I read the news that the researchers "admitted to 
falsifying their research", I was shocked and I almost believed it for a 
second until I read the stories and saw that there was no admission but 
a simple reaffirmation of what had been claimed all along on 
SecureWorks' website in some obscure location that blogger Chartier just 
*happened* to find.  It didn't matter that the so-called "evidence" 
wasn't an "admission" at all because it looked the part and that's all 
that was needed to hang the two researchers and brand them as frauds.  
But did Chartier really just happen to come across the evidence?

When I called David Maynor to get to the bottom of this, it turned out 
that Apple PR director Lynn Fox (who was also cited by Jim Dalrymple as 
proof that the researchers "misrepresented" the research) was the 
puppetmaster from start to finish.  She not only contacted sympathetic 
bloggers like Chartier and "journalists" like Jim Dalrymple, she was 
actually the one that got SecureWorks to publish the "clarification" in 
the first place.  Once she got SecureWorks to publish a clarification 
that merely reiterated the fact that third-party hardware was used in 
the original video (which was clearly disclosed in the first 20 seconds 
of the video that it was third-party hardware), she used that as 
"incriminating" evidence that the researchers admitted to falsifying the 
video and shared her "findings" with Apple-friendly press.

But how did Lynn Fox get SecureWorks to publish a clarification on their 
website?  It turned out that Fox had actually wanted an even more 
incriminating statement from David Maynor himself and sent him an email 
on 8/15/2006 (two days before the public accusations of fraud hit the 
web) demanding that he post a confession word-for-word.  Maynor refused 
and told Fox to speak to SecureWorks PR and the two parties came to a 
compromise on 8/16/2006 where SecureWorks would simply post a 
clarification.  SecureWorks never knew what hit them when the 
accusations of fraud hit on 8/17/2006 because they figured they were 
merely posting a clarification that reiterated what they had been saying 
all along, but they had no idea that MacWorld and an unofficial Apple 
blog would tear them to pieces and simply assume it was an admission 
that facts were originally misrepresented.  As proof of how this all 
went down, here is the email Lynn Fox sent to David Maynor demanding 
that he post the confession publicly.  I was given a copy of it on 

    From: Lynn Fox <####@apple.com>
    To: David Maynor <####@mac.com>
    Cc: Moody David <####@apple.com>, Wiley Hodges <####@apple.com>
    Date: Tue Aug 15, 2006 06:14:09 PM PDT
    Subject: Your post on SecureWorks website

    <<Original Attached>>


    Below is the note we drafted about the MacBook exploit confusion.

    Please confirm that you've received this and will post it without 
    text changes on your blog and front and center on SecureWorks' news 
    & events page tonight. The placement of this post should be as 
    prominent as the initial announcement of the exploit demo at Black 

    You are welcome to call me on my cell at 415-###-#### if you need to 
    discuss any further.



    For the Record: MacBook is not inherently vulnerable to Black 
    Hat-demonstrated exploit
    By David Maynor

    I want to clarify something about the wifi device driver exploit we 
    demonstrated at Black Hat in Las Vegas a couple weeks ago.

    Confusion has mounted as to whether the exploit I demoed at Black 
    Hat and for Brian Krebs of the Washington Post is reliant the use of 
    a third party driver. In short, the answer is yes. The MacBook is 
    not inherently vulnerable to the attack, and I never said that it 

    Part of the confusion lies in the fact that we have not specifically 
    named the third-party device driver; this is because we know that 
    the vendor is working on a patch and we don't want to release the 
    name of the chipset until the fix is in place.

    I hope this clears up some of the confusion. Stay tuned for a live 
    demo of this exploit live at Toorcon.

Note that I've masked out parts of the email addresses and parts of Lynn 
Fox's cell phone number for privacy issues but I can assure you it was 
the right phone number.  I actually called the number to confirm if it 
was real and Lynn Fox was quite upset and demanded to know where I got 
the number.  I declined to answer since the email at the time was given 
to me by David Maynor off-the-record.  I asked Fox about the scandal and 
she told me that her cell phone was breaking up and that she'd call me 
back.  Within a minute I had David Maynor Instant Messaging me that Lynn 
Fox was on the phone with him in a rage.  I told him I didn't disclose 
anything to Fox and Maynor simply directed Fox to SecureWorks PR.

When I finally got Fox back on the phone, I asked her some questions 
about how MacWorld and the unofficial Apple blog got the information on 
the so-called confession.  I got all my questions answered but I can't 
disclose what she said since Lynn Fox refused to speak on the record.  
But the bottom line is that Lynn Fox played Jim Dalrymple, David 
Chartier, and the rest of the Mac press/blogosphere like a violin, 
though it was clear they were all willing participants.  When I pointed 
out the flaws in their stories, Chartier and Dalrymple simply ignored me 
and stuck to their guns.

So what was the end result of all this?  Apple continued to claim that 
there were no vulnerabilities in Mac OS X but came a month later and 
patched their Wireless Drivers (presumably for vulnerabilities that 
didn't actually exist).  Apple patched these "non-existent 
vulnerabilities" but then refused to give any credit to David Maynor and 
Jon Ellch.  Since Apple was going to take research, not give proper 
attribution, and smear security researchers, the security research 
community responded to Apple's behavior with the MoAB (Month of Apple 
Bugs) and released a flood of zero-day exploits without giving Apple any 
notification.  The end result is that Apple was forced to patch 62 
vulnerabilities in just the first three months of 2007 including last 
week's megapatch of 45 vulnerabilities.

Apple is a mega corporation that nearly smashed the reputation of two 
individuals with bogus claims of fraud.  It didn't matter they weren't 
the ones pulling the trigger because they were pulling all the strings.  
David Chartier should be ashamed of himself and his blog.  Jim Dalrymple 
of Macworld and his colleagues that jumped on the bandwagon should be 
ashamed of their reporting.  Frank Hayes was the only one of Dalrymple's 
colleagues that had the decency and honor to apologize.  Most of all, 
shame on Apple.
