Let's do this thing

Is the iPhone insecure? How would you know?

The Macalope
Born of the earth, forged in fire, the Macalope was branded "nonstandard" and "proprietary" by the IT world and considered a freak of nature. Part man, part Mac, and part antelope, the Macalope set forth on a quest to save his beloved platform. Long-eclipsed by his more prodigious cousin, the jackalope (they breed like rabbits, you know), the Macalope's time has come. Apple news and rumormonger extraordinaire, the Macalope provides a uniquely polymorphic approach. Disclosure.
The Macalope
4 min read

Well, the Macalope's faithful and well-groomed readers know that he doesn't suffer silly punditry lightly. And this may be only his second post over at his new digs (hey, did you check out the fussball table?!), but let's see if he's become a domesticated animal or if he still rolls the way he used to.

Before linking to the piece in question, let's take a look at a quote.

Apple excels in creative and innovative marketing. Often it's what they don't tell you that creates the most buzz. For example, we know next to nothing about the Apple iPhone.

Indeed, we don't know much. So, CNET's Robert Vamosi, why the piece oh-so-knowingly entitled "iPhone insecurity" (tip o' the antlers to PygmySurfer in comments at the old homestead for the link).

The Macalope hasn't been here long. Is there a question mark shortage?

When flaws are patched, Apple does not acknowledge the researchers who actually brought the vulnerability to its attention.

Speaking of buzz, that buzzing sound you hear might be that of the judges letting you know you've given an incorrect answer. Bzzzzzt. Sorry, Bob. Thank you for playing.

Apple routinely gives credit to researchers who bring vulnerabilities to its attention. The only instance the Macalope is aware of where it did not give credit was in l'Affair de Maynor et Ellch and if you're just tuning in to Apple Security World, you can sift through the Macalope's archives, but suffice it to say that Vamosi's just giving one side of the story.

Here's just one example:

The researchers did use a third-party wireless card for their video demonstration, but said repeatedly that the Apple Airport wireless driver was also vulnerable.

Actually, what really happened was that Maynor and Ellch demonstrated the vulnerability using a third-party card. Then they told the Washington Post's Brian Krebs that the native Airport driver was also vulnerable. After the subsequent requests to prove it, they told everyone that they weren't saying which drivers were vulnerable because that would be irresponsible.

The truth of the matter is not technically inconsistent with Vamosi's description, it's just that he leaves out several rather pertinent contextual items.

Ironically, it was another Apple vulnerability that put David Maynor in the news again this week. He was one of three independent security researchers who disclosed vulnerabilities within the new Safari 3.0 for Windows beta. Some of the flaws exist on the Mac OS as well.

Ah. Now, this point is actually quite true and it's one that was glossed over by a number of Apple bloggers. It's the Macalope's decided opinion that Apple had, in fact, better watch itself with its promises of the vaunted security of Safari and had better get with the program.

[UPDATE: as one of the Macalope's intelligent and dapper readers pointed out, Maynot did not "disclose" the vulnerabilities in the traditional sense. He just claimed to have found them without providing complete evidence. Hmm. That sounds familiar...]

But Vamosi's valid point -- that Safari's security or lack thereof could be a canary in a coal mine of trouble ahead for Apple's attempts to woo Windows users as well as sell iPhones -- is lost in a forest of anti-Apple paranoia.

A few weeks ago, I interviewed security researcher Chris Soghoian who pointed out that disclosing an Apple vulnerability is almost a guarantee of a lawsuit.

Wha-huh? Check the link the Macalope provided above. People reveal Apple vulnerabilities and get credit from the company for them all the time. Two individuals -- who to this date have not publicly release their code and so have not fully validated their contentions -- did not. Why is that? Must be because Apple's so kooky! Couldn't be the two researchers!

Further, if you take a look at the salient section of that interview, unless there were sections that were cut out, it seems Vamosi's taking some liberties with Soghoian's words. Soghoian mentions several cases of conflicts between researches and companies including the Maynor/Apple debacle and then says:

When researchers decide to go public themselves and they give advance notification to the vendors they put themselves at risk because, in many cases, trigger-happy companies' first response is to sue the researcher in an attempt to silence the researcher.

Now, that's certainly a bit less than a direct charge that Apple is guaranteed to sue you if you find a vulnerability in one of its products, don't you think?

Apple should stop attacking the messengers--the researchers--and change, as did Microsoft, by working with them.

The Macalope doesn't think Apple's perfect on security. Indeed, he thinks it could learn a couple of things from Microsoft. But Vamosi has taken the outliers, ignored the reasons they might be outliers, and attempted to make them the rule.

[POSTSCRIPT: Vamosi has retracted the part about Apple not giving credit.]