You may not have noticed, but there is a serious
storm brewing in the collision of Apple, network
security and technology PR. It started earlier this
month when Washington Post reporter Brian Krebs
posted an article entitled "Hacking a MacBook in 60
Seconds or Less" about a WiFi security exploit that was
demonstrated at the Black Hat security
conference. The security researchers, Jon
"Johnny Cache" Ellch* and David Maynor, both of
SecureWorks, made a disingenuous statement that
"they weren't picking on Macs here, but..." and
in fact the article itself is clearly trying to
exploit Apple's security reputation to grab a
cheap headline. Well fine, but then it turns out
that maybe there wasn't a hack at all, as the
security researchers didn't actually use the
MacBook's built-in WiFi hardware or software,
but rather added a third-party card and driver
and then hacked that. Which set off storm #1
wherein a huge number of bloggers, reporters and
users said -- justifiably -- WTF?
Not content to leave well enough alone, and
apparently not thinking clearly enough to provide a
well-reasoned response, Krebs came back with this in a
subsequent post: "During the
course of our interview, it came out that Apple
had leaned on Maynor and Ellch pretty hard not
to make this an issue about the Mac drivers
— mainly because Apple had not fixed the
problem yet. Maynor acknowledged that he used a
third-party wireless card in the demo so as not
to draw attention to the flaw resident in
Macbook drivers. But he also admitted that the
same flaws were resident in the default Macbook
wireless device drivers, and that those drivers
were identically exploitable. And that is what I
reported. I stand by my own reporting, as
according to Maynor and Ellch it remains a fact
that the default Macbook drivers are indeed
exploitable." Translation: they said it and
alluded to a big coverup so it must be true. And
just to fuel the fire, Krebs added: "Again, the
point was not to pick on Macs, but..." (article
headline notwithstanding -- maybe it was added
in production, yeah, that must be it...) To
which a now considerably annoyed collection of
journalists, users and bloggers responded: WTF?
So then Krebs comes back with another response
that acknowledges that
while he inexplicably hasn't acknowledged this
in his two previous articles on this subject, he
has in fact seen the exploit working directly on
Apple hardware/software. Um, okay, but why
didn't you say that to begin with, or at least
in your subsequent followup? And then the plot
thickens: Apple denies that SecureWorks has
shared any exploit with them, with Apple
spokesperson Lynn Fox rather unequivocally (?)
stating: "Whatever they are claiming to have
found, they haven't shared it with us." And
then, SecureWorks itself added this disclaimer:
"This video presentation at Black Hat
demonstrates vulnerabilities found in wireless
device drivers. Although an Apple MacBook was
used as the demo platform, it was exploited
through a third-party wireless device driver
— not the original wireless device driver
that ships with the MacBook. As part of a
responsible disclosure policy, we are not
disclosing the name of the third-party wireless
device driver until a patch is available."
Adding insult to injury, SecureWorks is
apparently now not returning Krebs' phone calls
asking for clarification: "I have several times
now asked SecureWorks to share with me more
specific information to back up their claims,
but so far I have received no further details.
If I hear back from SecureWorks with any more
material information, I will update the blog."
So, what is really going on? Unfortunately, almost a
month later, we don't yet have a clear answer from a
security standpoint, which is just ridiculous. What
we do know, however, is how not to handle this from a
PR standpoint.
PR LOSERS: Maynor, Ellch and SecureWorks, who clearly
took advantage of the Mac's security reputation for
professional gain and have thus far failed to
substantiate their claims. If you buy into the myth
that any coverage is good coverage, then I guess
you'd be overjoyed. But if the objective was to
enhance their reputation as outstanding and
responsible security consultants, I'd say they're not
doing too well thus far. A simple statement
clarifying the situation was warranted weeks
ago: is the MacBook hackable or not?
PR LOSER: Brian Krebs – went for a diggable headline
and it came back to bury him. Had a chance to clear it
up in a subsequent post but botched it. Came back a
week later and tried again. Had apparently still not
tried to use the usual journalistic technique of
verification, and two weeks later that didn't
turn out so well.
PR LOSERS: Tech Journalists – who unfortunately
have also jumped on the argument from both sides,
using sensationalist headlines around the story and a
red herring argument: that the Mac hack was clearly
done with third party hardware. Duh. We knew that on
day one, and it is neither "admitting falsification" to
clarify that nor a "vicious attack" to seek
clarification on the true question: is the
MacBook hackable? Could we see a little bit of,
I don't know, actual reporting or investigative
journalism? Hmmm? Maybe?
UNKNOWN: Apple. If their PR statement can be taken at
face value then they are going to come out of this
way ahead. If details come out indicating that they
are being disingenuous, then not so much.
So is there a winner in all this? I believe so: a
number of bloggers who come at this either from the
Mac or from the security side have taken a
well-reasoned, in-depth look at the issues and,
although reaching opposite conclusions, have at
least attempted to sort out all of the
conflicting claims and counter-claims while
staying focused on the real issue (say it with
me here): is the MacBook hackable or not? As a
PR professional who has been at this longer
than most of the people mentioned in this post,
I find it fascinating that bloggers are stepping
in where journalists and columnists used to
tread. Technology journalists will always remain
central to what it is that we do, but we have
long been encouraging clients to pay more
attention to the blogging community in key
markets. This confirms that recommendation.
(Clarification: Rich Mogull of securosis.com, the
security blog mentioned above, is a longtime Gartner analyst
and someone we've dealt with for clients. So one
could argue that he doesn't count as a "blogger"
– but it was on his blog that he tackled
this issue and this is my article so I get to
classify him as I please. So there.)
* As a footnote, can we please all agree that, in the
tech industry at least, having a hip nickname like
"Johnny Cache" makes you sound like an idiot?
-posted by Paul