Thom Holwerda of OSNews Calls “Mac Shot First” Misinformation and Slander. Oops!
March 31st, 2008
Daniel Eran Dilger
Responding to the article “Mac Shot First: 10 Reasons Why CanSecWest Targets Apple,” Thom Holwerda of OSNews wrote a point by point essay titled “Countering Misinformation” that described my article as “an unrivaled wealth of misinformation, [with] some things even bordering on slander.” Of course, one can’t write slander (it’s called libel), but his serious accusations failed to refute any of the points I raised, and really betray his effort to smear me rather than correct any facts I presented. He’s wrong, here’s why.
To get a sense of Holwerda’s biases, his initial OSNews report on the CanSecWest event echoed the sensationalism of bloggers and corporate media sources. He even tied in a blurb from the fatally flawed 0-day study released by the Swiss Federal Institute of Technology for good measure.
The following letter presents why OSNews’ article accusing me of slander and misinformation was wrong and asks the author to print a retraction to the misstatements and errors he made. It also serves as an outline for both how to effectively disagree, and how easy it is to present an argument of logical fallacy.
OSNews: Please Issue a Correction.
I write RoughlyDrafted. In your article “Countering misinformation,” you accuse me falsely characterizing the CanSecWest contest and slandering unstated parties. The problem is, while you spare no effort in tarring and feathering my article and me personally, you don’t actually seem to understand the points being made, and fail to actually address them.
1. “Exploits discovered for the Mac have little other value outside of contests like CanSecWest.”
The point here is that exploits for other platforms have value outside of CSW. You went off on a tangent that assumed the reason for there being no Mac malware market based on speculation and fantasy, and then state the obvious that exploits need to be fixed. You never addressed the actual point though.
If a black hat researcher discovered an exploit for Windows, would they sell it as malware, or attempt to get $10,000 in a once a year contest with it, racing against other contestants and potentially getting nothing if they are beaten? Now, if they found an exploit affecting Mac OS X, as Miller did, they have no option but CSW. You danced all around the point, but never addressed it.
2. “The CanSecWest contest clearly appears intent to transfer the security focus belaboring Windows to other platforms.”
You accuse me of conspiracy thinking and then say “I am not really sure why they detail Microsoft’s ‘Get the facts’ debacle, as it is of no relevance at all,” but that was the entire point. If you can’t see relevance between Microsoft’s marketing machine, which actively pays for false headlines, and the false headlines generated by the Microsoft supported contest, then you’re not very good at connecting dots.
There is no conspiracy theory here. CSW was aware of the headlines they were going to be generating because they did the exact same thing last year. Those headlines refuted what is known to be the case–that Macs have no real malware while Windows PCs are plagued with it and have been for years–in what can’t be easily refuted to be anything other than an effort to “transfer the security focus belaboring Windows to other platforms”
CSW discredited themselves by hosting a sensationalized contest, and without ever correcting or clarifying the misinformation the media reported. You can argue CSW’s motivations, but that’s why I used the language “clearly appears intent.” It did!
[Update: while the motives of those setting up CanSecWest's contest can be argued both ways, Microsoft's maximizing of the simplistic marketing message in the media can't. Jeff Jones, a director in Microsoft's security group, blogged about the winning Mac OS X crack, noting:
“I don't really care for 'hack the box' contests. If a machine doesn't get hacked, it does not mean it isn't breakable. If it does get hacked, it just shows us what we already know - any machine can be broken under the right circumstances. So, don't read too much into the PWN 2 OWN results. I don't.”
Jones' blog is headlined “SECURITY IS NOT SIMPLE, SO WE SHOULD TRY NOT TO SIMPLIFY IT TO THE POINT OF USELESSNESS.” However, he also added, “having said that, given how obnoxious and misleading I find those Mac OS X ads and how they've spent millions of dollars publicly criticizing Windows Vista security improvements, I find it ironic and apropos that Mac OS X was the first machine to be owned in the PWN 2 OWN contest at CanSecWest today.”
The media only reported his final line. Further, Jones' comment that Apple's 'Get a Mac' ads are “misleading” is fully unsubstantiated. Windows Enthusiasts like to work themselves into a frenzy relating how upset they are about this message, but they don't refute it. Also, saying Apple spends “millions of dollars publicly criticizing Windows Vista security improvements” is not really accurate or fair.
Jeff Jones Security Blog : Mac OS X Security - Reality Check #2]
3. “The contest prominently focused attention on the brand name of the MacBook Air.”
You pedantically looked up the model numbers of the other laptops, but none of the headlines nor the stories relating the event presented any of those details. The points I raised were not an attack on CSW itself, but “10 Things to Remember About CanSecWest and Software Vulnerabilities,” in other words, a refutation to the sensationalized stories presented by the mainstream tech media.
4. “The Mac exploit was something Charlie Miller had in hand when he arrived.”
Again, you argue against the words without understanding the point. I wasn’t arguing that Miller should have been ill prepared, I was noting that Miller did not crack the Mac in two minutes due to its being a Swiss cheese of holes, as the media reported. Your inability to directly refute any point I make indicates that you’re more interested in a delivering a personal smear than correct any “misinformation.”
[Update: Some people think this was a controversial idea I invented. It is not. Reader Don Bach sent in a link to an article interviewing Miller, and he states, with regard to the Mac OS X exploit he used to win the contest, “We sat down about three weeks ago and decided we wanted to throw our hats into the ring. It took us a couple of days to find something, then the rest of the week to work up an exploit and test it. It took us maybe a week altogether”.
Miller's comments intended to express how trivially easy it was to find an exploit by raking through FOSS code that Apple hasn't updated, but it also points out that Miller had a plan in hand and was politically motivated beyond many of his colleagues to find an exploit that would target the Mac. The rest of the article repeated portions of Jones' comments above, devoid of any context. Shame on Softpedia.
Microsoft Finds Irony in Mac OS X Getting Hacked Before Vista SP1 - Courtesy of Jeff Jones, Strategy Director in the Microsoft Security Technology Unit - Softpedia ]
5. “The researcher who cracked the Vista machine was stymied by the fact that he didn’t expect it to have SP1 installed, according to a follow up report by IDG’s Robert McMillan.”
There were multiple points under this subheading, but the main one was that CSW is held at an arbitrary time, and that its results this year do not reflect the security of Vista users over the last year, nor Linux users prior to the day of the event. I also noted that last year, Apple delivered patches right before the event.
The point was not that SP1 should have been excluded, but that CSW’s test says little about the status of actual, real world security of the involved platforms. It is simply not a reflection of the security one can expect as a past, present, or future user of either platform, yet that’s what the media portrayed it to mean. This is a gross simplification serving as misinformation.
Certainly, the volume of malware and viruses affecting Windows, the real world losses Windows users face, and the real inconvenience of being under constant attack and needing to run antivirus software (which exposes vulnerabilities of its own) is more relevant than a publicity stunt biased against open source, biased against politically motivated targets, and based on a version of software that most Windows users are not using (most users are not using Vista, and Vista users are still advised against installing SP1 as I noted).
6. “Miller reported hacking something related to Safari, but the details haven’t been revealed.”
At the time of writing the article, the attack vector had not been fully revealed. The point was that it was not clear what the issue was. This was not an attack on CSW or Miller, but listed as one of “10 Things to Remember About CanSecWest and Software Vulnerabilities.”
Your need to attack every one of these items, without actually addressing the real point of any of them, indicates that you have an agenda of attacking me personally, not a real interest in clarifying the facts. I was presenting facts, not outlining why Apple was good and Microsoft was evil, or why Miller or CSW were bad. I was presenting why the media reports of the event were misleading. The ten points are “things to remember,” not complaints directed at CSW, Miller, Microsoft or any of the other targets you imagined.
Again, your point by point dismissal, each of which fails to actually address the idea being presented, demonstrates you are intent on a smear job, not a rebuttal of facts.
7. “Attendees with the ability to crack Linux ‘didn’t want to put the work into developing the exploit code that would be required to win the contest’, according to [an] IDG article.”
Here, you simply misquote me in saying I “stated that exploits for Macs were not used by malware creators in the wild because the Mac’s userbase is too small, and now [I] claim that an exploit for a home operating system whose userbase is probably even smaller can be sold for a lot of cash?”
It was you that invented the idea the Mac user base is too small, but that’s not the real reason there’s no Mac malware market, as I point out later in detail. I also note that many exploits that could be lodged against Linux may also be used to target Windows or Macs, including the Flash flaw that was used to exploit Vista on the third day. It apparently could have been used against Ubuntu as well.
Next, you say I misquoted IDG’s article. You are simply wrong; I did not, as your own quotations show.
You then talk about IDG not making the point I made about motivation, and insist that there was no empirical study done proving beyond a reasonable doubt that a certain number of Linux vulnerabilities were not used. This is simply ridiculous, specious, and makes no valid point. You haven’t refuted the idea that there was no one advertising a political motivation to attack Linux, and clearly there was not.
On the other hand, Miller quite clearly expressed a political motivation for exposing Mac security, whether you chose to believe he did so to embarrass Apple, to make Microsoft look good in comparison, or simply because he loves Macs and want them to improve.
8. “Many exploits and vulnerabilities are not unique to ‘Mac, Windows, or Linux’, but instead are cross platform threats.”
You say “This is a very valid remark, but also an utterly irrelevant one in this specific context.” Wrong, the very point was that potential attacks on Linux might well be used against Windows instead, which clearly happened on day three because a cross platform attack on Flash was used to compromise Vista and not the Linux machine.
The point is that researchers were free to attack the system they wanted, and cross platform attacks were targeted as the contestants chose, not in some level playing field way that exercised the security of each platform equally.
That was the core point of the entire article, as stated in the beginning: “rather than being a level contest to expose the flaws in the three systems, it was really a contest highlighting the knowledge and abilities of the researchers, each of whom targeted the platform of their choice.”
You get sidetracked talking about WebKit, which is not related to the point I made at all. Your talk about children and cookies is also completely irrelevant. If you are going to “refute” the information I’m presenting, writing your own missives that have nothing to do with my comments does nothing but indicate that you don’t understand the arguments being made.
9. “Miller has repeatedly stated that his life’s work is to discredit the security of the Apple’s platforms.”
Again, you dodge the point and write about unrelated subjects. You did not refute that Miller came prepared and ready to hack, while there were no high profile black hat hackers who voiced an intent to embarrass Microsoft of Ubuntu prior to the contest.
Instead, you say Linux users must be interested in getting money, and that they contribute flaws in public databases. The problem with your idea is that the press doesn’t create sensational headlines based on bug reports in Mozilla’s Bugzilla listings, as they do from CSW’s press releases. Also, you don’t refute the idea that any exploits that may work on Linux might otherwise be sold as Windows malware vehicles, although you agreed that was a valid remark.
Secondly, you ask why the Flash exploit was only used on the third day to get a $5,000 prize. If you were familiar with the contest, you’d know that attacks on third party apps were only allowed on the third day. This betrays your ability to criticize, because you are talking past your knowledge.
10. “Apple’s use of open source makes it easier for researchers like Miller to identify exploits.”
In your comments, you insist this is not true, then backtrack to say it is. It most certainly is, for the reasons I outlined. I did not say this makes any exploits of FOSS-related code in Mac OS X uncountable as exploits against the Mac, but rather outlined that such exploits have often already been fixed outside of Apple, and can be distributed at minimal effort. Apple appears to have internally released a patch for the PCREL flaw Miller found the same day as the attack.
I noted that Apple’s use of open source served to harden, not weaken, its security profile. I did not excuse Apple for having an explosed flaw related to a delay in updating its imported code, and noted the criticism of Apple’s updating pace in both this article and the previous. I also presented context describing why Apple might delay in releasing code.
In your conclusion, you accuse me of “an unrivaled wealth of misinformation,” which you never spell out, and say “some things even bordering on slander,” which you similarly failed to mention. Also, slander relates to spoken attacks; libel was the word you were after, but it is a serious accusation to make without providing any backing.
Your half-baked reply cheapens the reputation of OSNews and defames me and my site through your own failing to understand the issues involved, the points I raised, and why I raised them. Repeated accusations that I presented “misinformation” raises your article to the level of libel itself. You owe it to your readers to print a retraction.
Daniel Eran Dilger
What CanSecWest Means for Platform Security.
For what it’s worth, most of my criticisms and context are presented to refute the simplistic, false reports of CanSecWest in the corporate tech media and by bloggers who should have known better. CanSecWest’s contest is set up to be a bit sensationalistic, but the point appears to be to discover flaws and deliver them to the vendor to fix, improving both the platforms, their related software (on day two), and third party tools (on day three).
From that perspective, CanSecWest provides a valuable alternative to the malware market, which currently serves as the primary motivator for discovering flaws. As similar mechanisms are created to find and solve vulnerabilities in software, everyone will win, from users to platform vendors to third party developers. Well, everyone but the malware industry.
Like reading RoughlyDrafted? Share articles with your friends, link from your blog, and subscribe to my podcast! Submit to Reddit or Slashdot, or consider making a small donation supporting this site. Thanks!