Apple And SecureWorks To Work Together
"SecureWorks and Apple are working together in conjunction with the CERT Coordination Center on any reported security issues," SecureWorks said in a statement provided to Macworld. "We will not make any additional public statements regarding work underway until both companies agree, along with CERT/CC, that it is appropriate."
Last week, Apple issued Security Update 2006-005, which addressed three security issues related to AirPort. Two of the updates dealt with built-in AirPort driver vulnerabilities that, when attacked, could allow privilege escalation, arbitrary code execution, or system crashes. The third update dealt with a third-party driver vulnerability that could cause similar symptoms, but as no known exploit was mentioned for any of the vulnerabilities, it is doubtful that the update addressed the SecureWorks researchers' findings.
Top Rated Comments
There are multiple reasons that many (all?) of these "vulnerability" discoveries eventually go public and why news of them spreads around:
1. People who find them want credit for finding them.
2. People who find them may be genuinely concerned that the software vendor won't fix the problem unless there is public pressure to do so.
3. Some feel that the public has a "need to know" that outweighs concerns that reporting a problem will encourage exploits of it.
4. People who find security problems may be trying to sell a security product to fix what they report.
5. It's often unclear when an exploit is theoretical only, when it is of real concern, how widespread its effect might be, or if the danger is being misrepresented. For example, if a website has posted a bad-intentioned application and people download it, ignore warnings or signs of trouble, and invoke it anyway, some may call it a "security hole."
6. Some people enjoy passing around news of potential problems because they don't like the "bulletproof" image many ascribe to Mac OS X.
7. News and rumors sites, including MacRumors, report when security issues are being publicized by others.
8. Some people pass along security warnings, whether or not they are of real concern, because they don't understand them.
What took them so long? Geez.
I predicted THEN this would be the outcome. They are only ANNOUNCING it now.
AFTER the most important Apple update has been DISTRIBUTED.
Typical security policy.
I wonder how much they got paid? :)
Rocketman
1. People who find them want credit for finding them.
If you read the details of every security update, Apple lists the security holes plugged and ALWAYS credits whoever discovered the problem if it was discovered by a third party.
The recent Airport security fixes did not credit SecureWorks since the fixes were a result of an internal review by Apple. I don't believe a word SecureWorks says (since they faked the vulnerability just to be anti-Mac zealots) and won't change that point of view unless I see a credit on a security update.
Fark 'em if they can't take a joke... but my guess is that the actual issue did exist and the exploit was real, and it probably did affect native drivers as well as 3rd party. By making it public, SecureWorks set themselves up as liable for damages, which could have been in the $billions. The broadcast demo used a 3rd party wireless card in an effort to skirt the issue (i.e., Apple Legal).
Most likely they didn't submit a bug report to Apple, but went public with it first... for fame and glory. Hence, Apple's fix might very well be to address the same issue they discovered, but SecureWorks didn't care to follow the rules for bug submission, so they weren't credited for the discovery.
I think the real question in everyone's mind was how it was reported as "Hijack a Macbook in 60 seconds"
I also question the reporters behind it ... trying to pick fights by not even providing general information.
Had they not done the little video and then gotten George Ou (a goon) to follow up reporting ... I doubt there would have been so much drama.