Daniel Eran Dilger

Kevin Poulsen Attacks Ron Paul, iPhone, Mac Users In a Single Broad Brush of Wired Incompetence.

Daniel Eran Dilger
Embarrassed over a sensationalist article he commissioned on iPhone security panic, Wired editor Kevin Poulsen pulled no punches to cover over his sloppy work by publishing an inaccurate, politically-tainted smear piece that mixed a conspiracy theory regarding presidential candidate Ron Paul into the discussion of Apple’s iPhone security. Someone with Poulsen’s tainted history in computer security issues should know better.


What Wired Wrote.
Last month, Poulsen contracted with writer Kim Zetter to deliver an article on iPhone security, which Wired published under the headline “IPhone’s Security Rivals Windows 95 (No, That’s Not Good).” The article presented the idea of “least privilege,” an uncontroversial security principle that simply states that individual processes should have no more power than they minimally need to operate. Citing Dan Geer as her source for the obvious, Zetter criticized Apple’s iPhone on the basis of running internal processes all in the same security context with equal privilege.

Her Wired article then veered into sensationalism and myth before jumping the curb and plowing into uninformed fantasy. Following the cue of the “Windows 95” headline, Zetter described the plague of Internet malware that caused billions in damage and interruption for Windows users and suggested that famous Windows malware outbreaks–from 1999’s Melissa to today’s Storm outbreak–were just around the corner for iPhone users because of its security architecture.

Why Wired Was Wrong.
That’s where Wired’s ambulance chase crashed directly into the wall of reality. As I outlined in “Kim Zetter and the iPhone Root Security Myth,” neither Melissa nor Storm has anything to do with “least privilege” or running processes as root.

Melissa is a Microsoft Office macro virus which did its damage acting as a PC user–not as an elevated process with root permissions. It didn’t need root permissions to scour users’ Windows contacts and mail out sensitive documents via Microsoft’s Outlook email program, or even to delete the user’s own files off their hard drive or any files it could find on connected server shares.

Storm, the other example Wired cited, is similarly a Trojan Horse that provokes users to open a file attachment. That script then installs malicious software which hides within the Windows Registry and sets up Windows Services that distribute mountains of spam without the user ever knowing that new software had been installed. Storm does not need root level permissions to do this.

My article noted, “Certainly Wired editors should know that root access or administrative privilege is not required for sending out emails or deleting one’s own files. Administrative privileges are apparently also not required for printing sensationalist, uninformed articles either.”


Kim Zetter and the iPhone Root Security Myth

The Root of the Problem.
The Wired article desperately tried to associate the iPhone with Windows’ security problems, but did so using uninformed, illogical, specious reasoning. While one can criticize Apple’s architecture by comparing it to best practices in desktop operating systems, it’s also important to recognize two related facts:

  • the iPhone does not directly expose public interfaces to attackers in the same way as desktop operating systems like Windows do.
  • users have very limited means for installing software on the iPhone, so attackers similarly have far fewer vectors to attack.

That does not mean the iPhone is invulnerable to attack or exploit. It means that it is far more difficult to attack, and far easier to secure after an exploit is discovered. No device or platform is immune to attack; however, if the cost of mounting an attack exceeds the value of breaking in, there will be no attacks.

Similarly, while the Mac isn’t theoretically impossible to infect with spyware, adware, and spam bots, it simply is much more cost effective to direct attacks at Windows, which is easier to exploit, already has plenty of open vulnerabilities that have been exploited, and has an installed base of exploitable systems that are unlikely to ever be patched. The Mac–and the iPhone–share none of those circumstances.

Security Cost Vs Vulnerability Value.
The iPhone’s TIFF vulnerability is currently being exploited to allow users to break through the iPhone’s security to install their own software. There is no current malware that exploits this vulnerability, but it would certainly be possible to deliver this. However, while there is value in breaking open the iPhone to install user software, there is little value in installing spambots (EDGE Spam! Oh the humanity!) or other malware on the iPhone.

Conversely, Apple has already indicated that it intends to patch flaws as quickly as they are found, to prevent users from cracking the phone to work on other networks. In other words, Apple has a business model that requires it to secure the iPhone. The duel between Apple patching iPhone flaws to prevent its use on other networks and hackers trying to install alternative software will likely escalate. However, that will also price malware opportunists out of the market.

On Windows, spammers and adware marketers go after legions of unpatched, easy to exploit systems and use free methods like viral spam to attack users. However, Microsoft had no financial reason to stop these exploits on Windows; it left known, gaping holes open for over a decade. Those holes have been widely exploited for easy profits from distributing spam and the pop up advertising that plagues Windows today.

Microsoft can try to secure Vista, but there are a billion PCs that could not run Vista if they wanted to, and hundreds of millions more that have no interest in ever upgrading to Microsoft’s $300 to $500 solution to the problem it created. Add in Microsoft Office, which is still full of known vulnerabilities, and Microsoft’s security record only looks good in White Papers.

Exploited Panic.
However, the key problem with Wired’s sensationalist article was that it confused Windows’ problems with root user security escalation. While Windows does have privilege escalation flaws on an architectural level, its security problems are not all related to security escalation, as Wired’s own examples demonstrate.

In fact, the most problematic issues with Windows aren’t related to “running as root” at all but rather its allowing automated, invisible actions to run as the regular user, without their knowledge. Wired’s article ignored this reality to instead deliver a frothing fantasy of iPhones being taken over by rogue cyber-thieves intent on stealing users’ contacts and using their iPhone cameras to snap spy photos, a scenario that has no business model outside of James Bond movies.

This is completely ignorant and irresponsible. I challenged Wired to balance its report by talking to a variety of sources to discover the real story, rather than just repeating a few sound bites captured in interviews with a single source’s perspective. The Wired article only directly cited one person, and made passing reference to comments on the web by two other individuals. The idea of multiple sources is to discover the truth through multiple viewpoints, not to find several wags who all repeat the same factoids devoid of context.

Wired’s misleading presentation of security, architected by Poulsen, is particularly ironic given Poulsen’s past life as a fugitive criminal. Before directing sensationalized, misleading attacks upon Apple’s security, Poulsen was sentenced to more than four years in prison in 1995 for breaking into computers to obtain information. He had pleaded guilty to seven counts of mail, wire, and computer fraud; money laundering; and obstruction of justice in 1994.

While Poulsen has since been rehabilitated and has used his knowledge to hunt sex offenders on MySpace, his desperate interest to portray Apple’s iPhone security in a false light and compare it to Windows 95 is particularly egregious given that he was locked up in prison when Microsoft unleashed its security problems upon the world, and was forbidden from touching computers for another three years after his release. While Poulsen’s “crimes” were most likely overblown by prosecutors, how much does Poulsen even know about Microsoft’s security problems of the 90s?

Cybercrime : Piercing the darkness: Kevin Poulsen

Incidentally, Poulsen looks better in 2007 than he did seventeen years ago in 1990, despite his time in prison. Perhaps we’d all be better off behind bars than exposed to the daily frustrations of Microsoft’s Windows.


Another Issue Presented, Ignored by Wired: Army Macs.
In addition to the direct criticism of Wired’s uninformed, sensationalist piece, I noted two other important facts to consider. One was that in 1999, just as Microsoft’s security crisis was beginning to erupt and cause widespread problems for users, the US Army moved its web servers from Microsoft’s Windows NT to Macintosh servers running WebSTAR on the classic Mac OS.

The Army discovered that Windows NT’s security architecture–while it accounted for privilege escalation in its design–was actually less secure in practice than the Macintosh, which at the time had no real user level security; it ran everything essentially as “root.” After moving to Macs, the Army’s website stopped being defaced at regular intervals, not because it met some “security feature checklist” that a journalist could write about glowingly, as many did at the time, but rather because there were few known exploits for the Mac.

Just like the iPhone today, the classic Mac OS had few open ports or other vectors to exploit, and no spam and attack industry built up around those weaknesses. The Mac was less secure in theory, but more secure in practice. When covering a sensationalized topic, reality always trumps theoretical fluff.

Wired refused to acknowledge that its article was long on theoretical conjecture and short on exposure to engineering and deployment reality. This was because Wired only interviewed security experts paid to talk about theory rather than engineers who deliver actual products that have requirements outside of impressing journalists.

Another Issue Presented, Ignored by Wired: User Recovery.
The second issue I presented, which Wired made no mention of in its one-sided scare piece, was that one of the biggest problems for end users is not getting infected, but getting cleaned up afterward. For most users, the real damage suffered from malware installations on Windows PCs isn’t that they lose performance or end up getting their top secret documents stolen, but that they face real expense to clean up their infected machines.

A non-technical Windows user faces virus cleanup fees of around $200 from the technicians at BestBuy, or has to spend the time cleaning up the system themselves. That means backing up files, reinstalling Windows, reinstalling all applications, and learning how to migrate all their data back without reinfecting their system. This is a real and significant problem for Windows users. Running anti-virus software also slows down the system overall, and can add problems, incompatibilities, and open new vulnerabilities itself. This expense and irritation has sent many Windows users to the Mac.

This problem is also not something Microsoft cares a lot about. That’s because many users facing the daunting cleanup of a Windows PC simply throw it out and buy a cheap new PC. That makes Microsoft and PC makers more money, and has essentially rewarded them for delivering a poor product with little regard for security over the last two decades. When a monopolist delivers a bad product, users have to buy new replacements more frequently. Compare American auto makers in the late 70s.

In contrast, the iPhone isn’t a desktop PC with the same management problems. If a user were to find their system infected with adware or root exploits, all they’d need to do is plug it in and restore the system. A fully new operating system would be installed, and all their data files, photos, music, movies, contacts, calendar, and email settings would be restored automatically from iTunes.

When Apple delivers its SDK for the iPhone next spring, you can bet that software won’t be installed like Windows, but rather like the iPod, with signed applications that iTunes manages and authenticates. Delivering exploits and malware for the iPhone will be prohibitively expensive because Apple will simply price it out of the garbage market of spammers. That will also allow legitimate developers to sell very low cost mobile software to a broad audience of legitimate users. The Age of Windows will draw to a close, and our kids will never know the horror of pandemic security problems introduced into the world by Microsoft.

Zetter Upset With Criticism.
In response to my article, Zetter posted a comment that noted, “Much of what Dan finds objectionable about this piece was added by the editor, Kevin Poulsen, who also came up with the premise for the story. If readers have a problem with the piece, I’m sure Kevin would be open to discussing it with them.”

A variety of other readers also dismissively decided that the article I’d written was arguing against widely-held security principles on desktop systems. This argument is difficult to make for anyone who actually read what I wrote. Among those critics was Wired editor Kevin Poulsen, who Zetter blamed for the panicked sensationalism and digg-baiting headline slapped on her story.

Wired responded with an unprofessional, embarrassing diatribe entitled “Backlash Comparison: Who’s Nuttier, Apple Fanatics or Ron Paul Enthusiasts?” where Poulsen himself delivered a childish missive that attempted to compare my article to the political campaign of presidential candidate Ron Paul.

Poulsen even noted that “smears and ad hominem attacks are an occupational hazard of journalism,” and set up a chart that described his sensationalized Wired piece as a “provocation” but “an accurate article.” “Daniel Eran Dilger falsely accuses Kim of basing the entire article on a single source,” Poulsen claimed, ignoring my actual criticism of his article’s “accuracy.”

However, I didn’t falsely accuse Zetter of anything; I wrote she “should have talked to more than just one source,” because the only view she cited in the article was of a single group. A journalist reporting on a controversial topic interviews people with a variety of positions and describes their views. Finding three people to say the same sensationalist idea devoid of any context is not a story, it’s a PR piece for the group attacking Apple’s product. Zetter made no effort to balance her story, and Poulsen only insisted on amplifying the rhetoric into comical levels of irresponsibility.

Poulsen’s Mud Slinging Backfires.
Poulsen then attacked MacDailyNews for citing my criticism of Poulsen’s Wired article written by Zetter and announced that MDN “declined to correct the false story.” Channeling Bill O’Reilly, Poulsen also dredged up comments made by anonymous readers on another website making critical remarks about Wired’s article and its author because they addressed Zetter by her gender.

However, at no point did Poulsen make any effort to examine the facts I presented, which dismantled the irresponsible story Poulsen himself outlined and embellished for maximum link-baiting. Poulsen really outdid himself by mixing in Dvorak style anti-Apple link bait with an assault on Ron Paul, who has supporters just as dedicated as Apple.

Poulsen’s polarizing, politicizing attack smear sounds a lot like Fox News, and his arrogantly dismissive comments about Ron Paul–which included an attack article written by Poulsen’s friend and colleague Sarah Lai Stirland–only drive the comparison closer. For his irresponsible screed defending his original poorly formed article, Kevin Poulsen gets a Zoon.

Wired readers commenting on Poulsen’s attack piece (including Ron Paul supporters) similarly took issue with Poulsen’s simpleton mud slinging:

“A good analysis of the situation would include a look at the media and its role in the situation. Words like ‘nuttier’, ‘fanatics’, ‘Long shot’ and ‘fringe’ certainly don’t give the impression of fairness and balance in those rare occasions when the MSM deign to even report on Ron Paul.”

“The amount of slanderous Wired articles released over the past few days is truly disgusting. I am a tech nerd of the highest caliber; I am an electronics/electrical engineering student, and will be deeply involved in technology for the rest of my life. I am so abhorred at the disposition your magazine has attempted to disseminate, I will go out of my way to ensure I, my family, and my friends never purchase nor read a WIRED magazine. As long as I live, I will remember how hard your periodical worked to belittle the patriotic, noble efforts of a doctor, congressman, and presidential candidate named Ron Paul.”

“If Wired understood journalism was more than just stating an uninformed opinion maybe people wouldn’t get so pissed. Wired is one of the most fact light and glossy ad heavy rags out there designed for the intellectually-light, consumerist moron.”
