Announcement

**BonzoESC** · December 20, 2006, 17:01

Re: Security vs Mac: Round TWO!

I like this one instead of that dumb wireless driver one since they'll be releasing source, forcing Apple to fix their bugs quickly, instead of just braying around saying that it's true and expecting people to trust them. Even if it means that I have to be careful with my iBook, it's better to get the bugs fixed sooner rather than later.

**theprez98** · December 21, 2006, 00:15

Re: Security vs Mac: Round TWO!

I hate these commercials.

**TheCotMan** · December 21, 2006, 09:52

Re: Security vs Mac: Round TWO!

Sometimes the most evangelical* OS bigots are not bothered by trivial and inconvenient obstacles called, "facts." They also tend to yell louder with more passion when they begin to worry they may lose their faith in their OS of choice.

* overzealous, belief-based pontification intended to indoctrinate others to also believe.

**Voltage Spike** · December 21, 2006, 13:21

Re: Security vs Mac: Round TWO!

Originally posted by BonzoESC View Post

I like this one instead of that dumb wireless driver one since they'll be releasing source, forcing Apple to fix their bugs quickly, instead of just braying around saying that it's true and expecting people to trust them.

We have silent disclosure (submit a bug report and don't tell people they might be at risk), closed disclosure (submit a bug report and tell people they might be at risk), and open disclosure (submit to the world and let everyone be at risk).

It would seem the best way of reporting bugs is closed disclosure with a warning that the problem will be made public after a reasonable period of time ... which is what they did with the WiFi driver exploit.

As for the "Month of Apple Bugs", I just hope that Apple has had a reasonable chance to address the issues before being released into the wild.

Originally posted by TheCotMan View Post

Sometimes the most evangelical* OS bigots are not bothered by trivial and inconvenient obstacles called, "facts." They also tend to yell louder with more passion when they begin to worry they may lose their faith in their OS of choice.

Stage 1: But if you don't like my choice of Brand X, how am I supposed to feel about myself?

Stage 2: I only accept the best. I use Brand X. Therefore Brand X must be the best! It makes sense to me, and I'll beat that sense into you if I have to!

Stage 3: Brand X sucks! I've always been a big Brand Y fan.

**BonzoESC** · December 21, 2006, 14:55

Re: Security vs Mac: Round TWO!

Originally posted by Voltage Spike View Post

We have silent disclosure (submit a bug report and don't tell people they might be at risk), closed disclosure (submit a bug report and tell people they might be at risk), and open disclosure (submit to the world and let everyone be at risk).

It would seem the best way of reporting bugs is closed disclosure with a warning that the problem will be made public after a reasonable period of time ... which is what they did with the WiFi driver exploit.

The Wifi driver exploit was bungled in such a way that nobody really knows what happened. We have no idea if Apple was notified or not (see http://www.macworld.com/news/2006/09...ndex.php?pf=1), and even though the bug's been possibly/supposedly fixed for three months now (the CVE numbers Apple's documentation reference they created, not SecurityFocus or Maynor/Ellch), no code was ever released. The way I see it, without code eventually being released, there's no way of knowing if the flaw existed or got fixed, and there's no way for the security community to learn from it other than as an example of how to not disclose flaws.

It would all be easier if wireless drivers were completely open-source (and not simply the wrappers around a big closed-source binary), but in the absence of that, up-front and honest security advisories are way more helpful than showmanship and grandstanding.

**Chris** · December 21, 2006, 16:05

Re: Security vs Mac: Round TWO!

Originally posted by Voltage Spike View Post

Stage 3: Brand X sucks! I've always been a big Brand Y fan.

Preach on brother. Fuck a bunch of Apple.

**Voltage Spike** · December 21, 2006, 19:03

Re: Security vs Mac: Round TWO!

Originally posted by BonzoESC View Post

The Wifi driver exploit was bungled in such a way that nobody really knows what happened. We have no idea if Apple was notified or not (see http://www.macworld.com/news/2006/09...ndex.php?pf=1), and even though the bug's been possibly/supposedly fixed for three months now (the CVE numbers Apple's documentation reference they created, not SecurityFocus or Maynor/Ellch), no code was ever released.

Okay, in that sense you are correct. I thought the complaint was that they didn't start by releasing the exploit. It's always possible that they didn't create an exploit but rather demonstrated that the drivers failed in a way that probably allowed for an exploit (in which case, they should release their test code).

**DaKahuna** · December 21, 2006, 19:22

Re: Security vs Mac: Round TWO!

Originally posted by Chris View Post

Preach on brother. Fuck a bunch of Apple.

If that's what trips your trigger fell free, just as long as it ain't one of mine you try that with!

Announcement

Security vs Mac: Round TWO!

Security vs Mac: Round TWO!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment