Is there some sort of a bonus system at CNet for writers who can make inflammatory statements? Do they get paid extra based on the number of page views each article generates? Because if that’s true then we can understand that they are just taking a page out of the
Here’s the latest round of lies, damned lies, and CNet “Reporting” (with apologies to actual reporters for lumping them in with this sort of crap).
First of all, the headline:
Yeah, I know, not nearly as sexy as the original. It does have the advantage of being true, but let’s not let that get in our way, shall we?
The same article goes on to state:
A month-and-a-half ago, Apple dismissed claims that Macs could be hijacked via Wi-Fi. This week, however, the Cupertino, Calif., company released security updates for a trio of flaws in Mac OS X that could be exploited to do just that.
The paragraph contains two links to two other articles. Let’s deal with them one at a time. The first is to
When did Apple make a statement? According to Macworld, it was on August 17, 2006 4:33 pm ET which you can verify by reading
So we are 6 words into CNet’s coverage and we’ve already identified a factual error of exaggeration. If this was a college course in journalism, I think the grade would be at a B or C depending on your instructor.
Now let’s look at the content of that statement. CNet “staff” wrote: “Apple dismissed claims that Macs could be hijacked via Wi-Fi”. Hrm. They did? Where was that?
CNet links to itself (the “MacBook ‘hack’ still stirring controversy” article linked above) where it is reported that Apple’s reply was:
But the SecureWorks researchers have still not shown any proof that Apple Computer’s wireless hardware and software is flawed, despite the claims that it was vulnerable, Lynn Fox, an Apple spokeswoman, said in a statement. “SecureWorks has not shared or demonstrated any code that is relevant to the hardware and software that we ship,” she said.
Pardon me, but there seems to be a rather wide stretch of road between Apple “dismissing” claims that Macs “could be” hijacked via Wi-Fi and Apple saying “No one has shown us anything proof or demonstrated how this can happen.” The difference is significant. It’s the difference between Apple saying “Macs are completely safe!” and Apple saying “There are no problems we are aware of, despite claims that there are problems.”
That’s a world of difference. CNet is overstating what Apple said, and when Apple said it.
If you want to know precisely what was said, here is a quote from the Macworld article mentioned above:
“Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is,” Apple Director of Mac PR, Lynn Fox, told Macworld. “To the contrary, the SecureWorks demonstration used a third party USB 802.11 device–not the 802.11 hardware in the Mac–a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.”
Once again, Apple didn’t say there was no chance of a problem, just that there was no evidence of a problem.
The second link CNet makes is to the new patches: “This week, however, the Cupertino, Calif., company released security updates for a trio of flaws in Mac OS X that could be exploited to do just that.” The article links to
There are no known exploits for the vulnerabilities addressed by the update, Apple said. This means people should not be under immediate threat of attack.
I love the way that they say “should not be” as if to imply “you might be” rather than “it’s damn highly unlikely.”
What it doesn’t say, but should, is: “This means people should not be under immediate threat of attack, despite previous claims that there were known exploits, which there’s still no evidence of whatsoever except a video of an exploit which in all likelihood didn’t use the drivers which were patched today anyway.”
What should have been reported is that Apple, when presented with the possibility of flaws even when no flaws were demonstrated, set about to conduct a security audit, found some flaws which were not part of the original allegations, and patched them before any exploits were made known.
Instead, CNet went after the “juicier” story that Apple was only now fixing flaws that had been shown to it 35 days earlier. Oh, I mean “a month and a half earlier.”
So, in sum, what we have learned is this:
- Mac users were never vulnerable to any known threat
- Apple took the possibility seriously enough that they went searching for possible problems when the issue was raised without any supporting evidence (this is was CNet refers to as Apple “dismissing” the idea)
- Roughly one month after the claim-with-no-proof was made, Apple patched both its Intel and PowerPC hardware to be more secure from flaws which were never known to have ever been exploited anywhere by anyone, even those who made the initial claims of having knowledge of a security problem.
- CNet overstated both what Apple said and when they said it
For a better and easier to understand translation of what Apple’s latest security patches do, see
“No known exploit” does not just mean that there aren’t any attacks in the wild; it means no one has demonstrated to Apple a way to take advantage of these frame validation issues. They fixed them to eliminate potential exploits, not to address actual, known exploits.
Finally, in closing, although no kittens have been demonstrated as being killed by the slipshod reporting at CNet, the most I can say is that kittens should not be under immediate threat of attack.