Okay, so I can’t believe I’m defending Apple in this post.
He starts with a point I can get behind – that it’s hardly sporting to give a demonstration of an exploit using a video – it’s like demonstrating a piece of software with a screenshot. There’s no feel for “yes, I really saw that happen”.
On the other hand, I can also get behind the researchers’ reasoning for not demonstrating the exploit live – in an auditorium filled with WiFi-enabled notebooks, you’re not going to be popular if you launch an exploit that takes down even 10% of the audience. Funny, yes. Popular, no. Appropriate, definitely not.
Joe comes up with a really catchy term for this, “faux disclosure”. Not that this is really any different from someone who posts news of an exploit without any accompanying code – which is a pretty responsible way to publicly disclose a vulnerability prior to its being patched, in my opinion.
But the really offensive part comes later:
I asked Lynn Fox, Apple’s director of Mac public relations, two very direct questions.
1. Are Apple MacBook users at risk using their built-in Wi-Fi capability?
2. Is Krebs’ Washington Post report about Apple pressuring researchers not to reveal a MacBook Wi-Fi vulnerability/exploit accurate?
I’ve received no response to that query. Nor do I expect one.
And of course, “Apple pressuring researchers” could be as savage as the security response team at Apple (they have one, yes?) asking the researchers to hold off publishing details until they have a patch together. “Think of the users,” I’m sure they’d say – damn, that’s pressure. OK, so maybe there’s more to it than that, but we have no reason to believe so.
Since this is all speculation and rumour, it’s really no surprise that anyone is willing to confirm anything – and that’s just what you need to feed a good conspiracy theory. A good slice of silence practically confirms the best kind of fear, uncertainty and doubt (FUD). A smart listener can learn to understand that silence, or “I refuse to dignify that question with an answer” sometimes means only that the question, or the questioner, is not worth answering.
And as for an earlier comment in his article – “what is meant by full disclosure these days” – notifying the vendor before notifying the world (which, clearly, contains, as a subset, all the hackers, crackers and script juvies in the world, as well as all the users) – boy, that really tips the wink as to which side this poster is on – he wants to punish the vendors, and it doesn’t matter to Joe who gets hurt along the way.
A mature response is to do whatever it takes to protect the users, now and in the future. If punishing the vendor is the only way to protect the user, then so be it – but it seems like we left that back some time closer to the last century. If assisting the vendor is the best way to protect the users, then assist the vendor, no matter how repugnant they are to you.
Joe Barr needs to mature a little. Grow up.