
CNet's Exaggerations May Kill Kittens

Is there some sort of a bonus system at CNet for writers who can make inflammatory statements? Do they get paid extra based on the number of page views each article generates? Because if that’s true then we can understand that they are just taking a page out of the tool’s box of hackneyed journalism tips for generating ad revenue.

Here’s the latest round of lies, damned lies, and CNet “Reporting” (with apologies to actual reporters for lumping them in with this sort of crap).

First of all, the headline: Security Bites Podcast: Macs face Wi-Fi hijack risks. Certainly that’s one way to put it. Here’s another: “Apple releases security update for Wi-Fi to fix a potential security hole with no known exploits.”

Yeah, I know, not nearly as sexy as the original. It does have the advantage of being true, but let’s not let that get in our way, shall we?

The same article goes on to state:

A month-and-a-half ago, Apple dismissed claims that Macs could be hijacked via Wi-Fi. This week, however, the Cupertino, Calif., company released security updates for a trio of flaws in Mac OS X that could be exploited to do just that.

The paragraph contains two links to two other articles. Let’s deal with them one at a time. The first is to MacBook "hack" still stirring controversy which is dated August 18, 2006 3:48 PM PDT. Today is September 22, 2006. The patches were released yesterday (September 21st). So it’s a month and about 4 days since this report, but CNet claims it was a month and a half ago. Why the exaggeration? Is it supposed to make Apple seem slower in responding than they really are? I mention this because it shows that CNet is clearly exaggerating, which can be proven simply by looking at the timeline.

When did Apple make a statement? According to Macworld, it was on August 17, 2006 4:33 pm ET which you can verify by reading MacBook Wi-Fi hack didn’t use Apple drivers. So CNet claims that Apple dismissed these claims a month and a half ago, but really it was about a month and 4 days. Since when is 4 days equal to half a month? Only in CNet world.

So we are 6 words into CNet’s coverage and we’ve already identified a factual error of exaggeration. If this was a college course in journalism, I think the grade would be at a B or C depending on your instructor.

Now let’s look at the content of that statement. CNet “staff” wrote: “Apple dismissed claims that Macs could be hijacked via Wi-Fi”. Hrm. They did? Where was that?

CNet links to itself (the “MacBook ‘hack’ still stirring controversy” article linked above) where it is reported that Apple’s reply was:

But the SecureWorks researchers have still not shown any proof that Apple Computer’s wireless hardware and software is flawed, despite the claims that it was vulnerable, Lynn Fox, an Apple spokeswoman, said in a statement. “SecureWorks has not shared or demonstrated any code that is relevant to the hardware and software that we ship,” she said.

Pardon me, but there seems to be a rather wide stretch of road between Apple “dismissing” claims that Macs “could be” hijacked via Wi-Fi and Apple saying “No one has shown us any proof or demonstrated how this can happen.” The difference is significant. It’s the difference between Apple saying “Macs are completely safe!” and Apple saying “There are no problems we are aware of, despite claims that there are problems.”

That’s a world of difference. CNet is overstating what Apple said, and when Apple said it.

If you want to know precisely what was said, here is a quote from the Macworld article mentioned above:

“Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is,” Apple Director of Mac PR, Lynn Fox, told Macworld. “To the contrary, the SecureWorks demonstration used a third party USB 802.11 device–not the 802.11 hardware in the Mac–a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.”

Once again, Apple didn’t say there was no chance of a problem, just that there was no evidence of a problem.

The second link CNet makes is to the new patches: “This week, however, the Cupertino, Calif., company released security updates for a trio of flaws in Mac OS X that could be exploited to do just that.” The article links to New Apple patch plugs Wi-Fi hijack flaws, which is, on the whole, a bit more balanced. For example, that article states:

There are no known exploits for the vulnerabilities addressed by the update, Apple said. This means people should not be under immediate threat of attack.

I love the way that they say “should not be” as if to imply “you might be” rather than “it’s damn highly unlikely.”

What it doesn’t say, but should, is: “This means people should not be under immediate threat of attack, despite previous claims that there were known exploits, which there’s still no evidence of whatsoever except a video of an exploit which in all likelihood didn’t use the drivers which were patched today anyway.”

What should have been reported is that Apple, when presented with the possibility of flaws even when no flaws were demonstrated, set about to conduct a security audit, found some flaws which were not part of the original allegations, and patched them before any exploits were made known.

Instead, CNet went after the “juicier” story that Apple was only now fixing flaws that had been shown to it 35 days earlier. Oh, I mean “a month and a half earlier.”

So, in sum, what we have learned is this:

  • Mac users were never vulnerable to any known threat
  • Apple took the possibility seriously enough that they went searching for possible problems when the issue was raised without any supporting evidence (this is what CNet refers to as Apple “dismissing” the idea)
  • Roughly one month after the claim-with-no-proof was made, Apple patched both its Intel and PowerPC hardware to be more secure from flaws which were never known to have ever been exploited anywhere by anyone, even those who made the initial claims of having knowledge of a security problem.
  • CNet overstated both what Apple said and when they said it

For a better and easier to understand translation of what Apple’s latest security patches do, see The AirPort Security Update and the Supposed MacBook Wi-Fi Hack. In particular note this paragraph:

“No known exploit” does not just mean that there aren’t any attacks in the wild; it means no one has demonstrated to Apple a way to take advantage of these frame validation issues. They fixed them to eliminate potential exploits, not to address actual, known exploits.

Finally, in closing, although no kittens have been demonstrated as being killed by the slipshod reporting at CNet, the most I can say is that kittens should not be under immediate threat of attack.
