Alastair’s Place

Software development, Cocoa, Objective-C, life. Stuff like that.

“Security Researchers”

John Gruber’s latest blog entry made me laugh. In the midst of it, he writes: “enormously irresponsible for ostensibly professional security researchers”.

It seems to me that many “security researchers” are neither (a) professional nor (b) responsible. Last time I looked they were much more interested in publicity than in protecting the computer-using public… there are even recent stories in the media about them making thinly veiled threats to software vendors unless they are involved in the bug fixing process.

And precisely what is their business model anyway? I mean, who exactly pays them to search for flaws? I’ll tell you who isn’t paying them… Apple. They have plenty of very clever engineers who quite clearly already understand how these things work. So why would they want to pay these people, especially as they seem more concerned with publicising the flaws they find than they are with the security of the user base? Let’s not forget that many security vulnerabilities only become vulnerabilities once published. Quite a few of the recent PC viruses only appeared after the flaws they exploit were published on CERT or Bugtraq. It isn’t exactly rocket science: if you don’t know how to break into a system, you have to find out first, which takes time and usually requires access to a similar system (since repeated crashes of the target system, which commonly happen during the “research” stage of a hack, are a bit obvious to most people). If, on the other hand, someone publishes all of the details, some section of the user base won’t be up-to-date—even if the vendor has been given time to release a fix—and it’ll be much easier to break in.

As far as the whole Mac wireless vulnerability thing, there certainly have been vulnerabilities there in the past (e.g. via LDAP, which AFAIK used to be enabled by default), but only time will tell whether this one is real or not. I don’t think that Brian Krebs and George Ou really helped matters, what with Krebs’ original post on the subject, the title of which was ill-chosen, and Ou’s remarks about a so-called “vicious orchestrated assault” on the originators of the claims.

The fact is that the researchers clearly intended to upset the Mac-using community—remarks such as Maynor’s “it eventually makes you want to stab one of those users in the eye with a lit cigarette or something” are pretty convincing evidence of that. If I were Krebs, I wouldn’t have published that statement, and as far as George Ou’s article goes, I have to say that someone who says things like Maynor did should expect a certain amount of flak as a result. Not that I’m condoning any of the things that apparently have been said to him… but let’s get this into perspective: Maynor clearly intended to upset some elements of the Mac community. He’s done so. If he’s surprised at how upset they got, perhaps he (and Ou) should reflect on the fact that journalists and security researchers have been telling Mac users for some time now how naïve and vulnerable they are, usually with undertones of “You’re too smug. Just you wait, we’ll prove you all wrong”. Is it really a surprise that people who openly espouse or support this agenda get jumped on?