Linked by Thom Holwerda on Mon 4th Sep 2006 20:59 UTC
Privacy, Security, Encryption "Jon Ellch was one of the presenters of the now infamous 'faux disclosure' at Black Hat and DEFCON last month. Ellch and co-presenter Dave Maynor have gone silent since then, fueling speculation that the entire presentation may have been a hoax. Ellch finally broke the silence in an email to the Daily Dave security mailing list over the weekend, and one thing is clear: he is chafing under the cone of silence which has been placed over the two of them."
Thread beginning with comment 159027
RE[3]: Patronizing
by CaptainFlint on Tue 5th Sep 2006 01:10 UTC in reply to "RE[2]: Patronizing"
So you wouldn't mind giving these guys access to your crack legal team? We cannot overlook the possibility of legal encumbrances placed on full disclosure. Read what he says about the involvement of legal elements.

Score: 1

RE[4]: Patronizing
by neowolf on Tue 5th Sep 2006 03:01 in reply to "RE[3]: Patronizing"
I'd happily buy that if they were kind enough to specifically lay out the legal threats and not just imply them. If they even showed proof that Apple was threatening them with more than raw slander, I'd take that as some evidence in favor of their claims. But just a general "I'd prove it to you, but the results would just be too bad" doesn't do it for me.

Score: 2

RE[4]: Patronizing
by elsewhere on Tue 5th Sep 2006 03:04 in reply to "RE[3]: Patronizing"
So you wouldn't mind giving these guys access to your crack legal team? We cannot overlook the possibility of legal encumbrances placed on full disclosure. Read what he says about the involvement of legal elements.

That's the part that seems overlooked: we're talking about Apple here, the company that litigates bloggers. Whether justified or not is moot; Apple has worked hard at generating a mentality of fear when it comes to discussing that which should not be discussed.

Certainly I would agree that any reported security exploit should be taken with a grain of salt unless the researchers can document it and it can be reproduced. I can also understand the risks of releasing critical vulnerability information without providing time for manufacturers to patch and release, so for something like this I'd be satisfied for now if it could at least be reproduced by a trusted and objective third party without necessarily providing full disclosure. As "researchers", they also slightly shot themselves in the foot with the offhand remarks they initially made about smug Mac users, since that impacts the perception of their objectivity and hence their credibility.

But Apple deserves a bit of a cloud hanging over them until this is resolved one way or the other, since the researchers have a very legitimate concern about legal repercussions given Apple's own history. The researchers imply they can't discuss it for fear of legal retaliation from Apple, and Apple won't actually state emphatically that the flaw does not exist. For that reason alone I'll give the researchers the benefit of the doubt. For now, at least.

If Apple's concerned that public information on the flaw puts their customers at risk, I can live with that, though it at least deserves an acknowledgement that they're taking it seriously and assessing it. But if they're simply worried about their image being tarnished and hoping to simply slide in a future update to address it without anybody noticing, well then their customers deserve better.

Anyways, just my 2c.

EDIT: OK, so after a little more googling I see now that Apple has firmly stated that they have not received any exploit code or proof of concept from SecureWorks, and Atheros has stated the same. So maybe I'm leaning more towards Apple in this one, though with Apple's crack legal team I'm still willing to give the researchers some benefit of the doubt, just incrementally less than I originally was.

But I will admit that, short of an NDA they may have had in place previously with SecureWorks or some loophole they're exploiting by claiming an EULA or DMCA or some such violation, I'm not even sure I could imagine exactly what legal hold Apple could have. But then again, IANAL. So I guess I just don't trust Apple more than I don't trust the researchers.

Edited 2006-09-05 03:20

Score: 3