In response to a question on the SecurityFocus Apple list, I decided to reply. Gotta love the lack of gag.
I wrote this (with some edits):
Jon and I didn't discover a serious general 802.11 flaw; that's where a lot of the confusion around this issue comes from. We discovered that, in general, 802.11 drivers didn't handle malformed frames very well. The flaws that were discovered (there were far more than one) were specific to certain types of chipsets (Atheros, Broadcom, etc.). As far as the articles go, I didn't write them. If you look at mine and Jon's quotes in each article you will see something along the lines of "this is a systemic problem that affects the entire industry". I am also amused by the fact that I wrote about how to find these vulns in a SecurityFocus article and nobody but HD Moore seemed to care. He added the ability to audit wireless drivers to Metasploit, which is really cool.
As far as when we used a third party card for the video demo: a lot of Mac fans were very upset and felt that it wasn't fair because nobody uses a third party card. That was the entire point of the demo. If we had to do it live and someone got a copy of the working exploit, we didn't want it to be in something that actually affected anyone. As far as confirmation, you will see we never confirmed publicly which vendors were affected. And once again, I never said I wanted to stab the Mac community in the eye; I said that about the actors in a commercial.
As a side note, I have to mention the statement that Secureworks issued clarifying the video. She (being Lynn Fox) forgot to mention to reporters that the statement was created in cooperation between Apple PR and Secureworks PR. Although Apple PR really wanted the statement to be extended to cover any demos given in person (Krebs, anonymous Blackhat employee), Secureworks couldn't do that. Minutes after this was posted, Lynn Fox started pitching reporters a story that Secureworks had changed its tune based on the update. If you actually read the Secureworks statement, it just covers the video and says nothing I didn't say in the video twice. I suppose her omission of this information was designed to make it appear Jon and I were frauds and thus make a big story. I suppose the headline "Apple asked Secureworks to clarify their video, Secureworks obliges" would not have been as sensational or given the Mac zealots ammunition to drag Jon and me through the mud for months. She then called my boss at Secureworks at the time and told him she was very sorry the Mac community was taking what she said out of context, and she never intended that to happen. I also find it funny that the only real news outlet that ran the "Secureworks changes position" story was Macworld. Here is a funny note: the guy who wrote the story, Jim Dalrymple, never contacted Jon, myself, or Secureworks for any reason during the entire fiasco.
It doesn't matter much to me anymore, as I have yet to meet a client of Errata Security (the company I formed after leaving Secureworks) who thinks I faked it all; in fact, pretty much everyone I meet thinks Apple tried a cover up that blew up into a long drawn out affair, and most Enterprise customers don't care about Apple anyway. Also, I am in the process of writing a book about horror stories of when responsible disclosure goes wrong, with Apple being the flagship issue. Everything that happened will be detailed. As far as security research into Apple, I haven't done much else in the last few months, and I flat out refuse to report any issues to Apple security anymore because of two things. One is that I don't trust their PR department not to try and smear me again; I feel that their handling of the Secureworks statement (which again was done at their request) pretty much proved this. The second reason is simple: Apple apparently has more leaks than a sinking ship. How do I know this? Several of the bloggers who were calling for my head on a platter had information I had given to just one person at Apple and that no one else knew, not even Jon. It's almost like pro-Mac bloggers have a hotline to the 2 or 4 person security group at Apple. If a company wants me to keep details of a vulnerability private, they can at least do the same.
So what is the takeaway from this? It was a very poorly handled situation by everyone involved, except Jon. Jon had no real control of any of this, and in the end I realized I didn't either. I lost all control when I allowed marketing people to make decisions about vulnerability disclosure. However, I did make some mistakes. I should have never talked to a reporter about something we were not ready to make public. I should have realized Apple would have responded the way they did and either dropped full details of the exploit or not said anything at all. The PR war Lynn Fox waged against me was only possible because she knew I was forbidden from defending myself. With that being said, I have never been a fan of full disclosure, and I am still not, unless it's a vendor that has acted in bad faith. How could it have been handled differently by Apple? I have reported a lot of vulnerabilities to a lot of vendors and never once have I had the PR department respond to something. Take the Dell and Toshiba Bluetooth stack issues. We reported it to security, we worked with the engineers to fix it (and strangely, information we gave to the engineers didn't end up on blogs), and only after everything was fixed (the process took about a month and a half) did we talk to their PR group to coordinate a joint release.
With all this being said, I am shopping for a new TV to make best use of my new Apple TV when it arrives. I write this on a new MacBook Core 2 Duo while listening to my iPod play an audiobook (World War Z) that I bought from iTunes. If you didn't know better, you could also say I am a walking commercial for Apple.
Is this over? Far from it.