Personal and work updates from Matt

Hi, folks:

As hinted in the previous entry, I was hospitalized last week with what I thought was a breathing problem, but turned out to be congestive heart failure. My heart was pumping less than half as much blood on each beat as it should have. This is why I’ve had no energy all summer, why walking from one session to another at WWDC exhausted me, and why even finding and eliminating allergens in the GCSF studio didn’t really solve anything. As it turns out, I did have pneumonia as well, but it was largely a complication of the heart problem, not the root cause itself.

I’d love to be a spokesperson and say “have such-and-such checked so this doesn’t happen to you,” but there’s really no one key to having avoided it – the doctors’ best guess, at present, is that I picked up a virus earlier this year that damaged my heart muscle and led to cascading problems. I’ll undergo tests early next month to confirm I don’t have blocked arteries, but none of the doctors believe I do, and there are no family signs for CHF at my age (I turn 40 later this year). I had been under medical care for the respiratory problems this summer, too, so it’s not like I was ignoring them. Apparently lots of CHF cases are mistaken for asthma or other breathing problems at first.

I’ve been home for close to a week, but it’s still an adventure adjusting to the new routine, the new diet, and so on. The doctors haven’t restricted my activities because moving around helps me heal, but sitting in an office chair tires me out as much as standing after a while. I’m getting stronger, but I’m not there yet. I’m going to be out being non-sedentary for much of the next few days, if I can handle it.

We hope to resume MDJ and MWJ production early next week. I’ve spent the energy I’ve had keeping up with what’s going on, and now I just have to find the energy to get it into print for everyone (not optimal, but you have to admit, it pretty much can’t work the other way around). We are still paying attention to what we see, like these things:

  • We were a bit surprised that StuffIt Deluxe 11 is an upgrade, since Smith Micro promised last year that the Mac version with StuffIt JPEG photo compression would be a free update. Then again, that’s probably why it is a free update to anyone who purchased StuffIt Deluxe after mid-August 2005. It remains to be seen if the new version fixes the annoyances and bugs of version 10 (we don’t have a review copy yet), but StuffIt is fighting an uphill battle.

  • There’s no reason to avoid Apple’s latest AirPort security updates, but you should rely on Software Update to tell you which of the four updates to install, since it’s a bit confusing to do it by hand. (AirPort Update 2006-001 applies only to the latest Intel-based systems with Mac OS X builds later than those generally available; everyone else needs to use Security Update 2006-005 for either PowerPC Panther, PowerPC Tiger, or Intel-based Tiger systems that aren’t so new that they need the AirPort Update.)

    We’ve uploaded the list of changes in all four updates in OPML format for your perusal, and if you look, you’ll see that they’re all small updates that are tightly focused on AirPort driver issues.

    According to Apple, as told to Macworld, the fixes in the updates came from Apple’s own internal code review, prompted by the public claims that MacBook computers could be attacked and controlled without requiring the user to do anything other than have AirPort turned on (MDJ 2006.08.30). Apple insists that researchers David Maynor and Jon Ellch did not provide any specific information allowing Apple to find any specific vulnerabilities, but the focus on the issue and on similar flaws in the BSD stack led Apple to find several places where such attacks might occur, even though the company has seen absolutely no evidence that any of them did occur.

    We’ll have more on this in the next issues of each journal, but for now, let’s point out that far from claiming victory, Maynor and Ellch have now lost any shot at credibility they had left. Now that descriptions and fixes of these potential exploits are in the wild, Maynor and Ellch could easily look at the fixes (even in the Darwin source tree) and say, “Oh, yeah, that’s what we found.” But when the researchers had two months to prove it, even to Apple Computer itself, they refused. They provided only vague, non-specific hints about “something bad,” refusing to let any Macintosh security experts see the exploit, and in fact refusing to demonstrate it live before anyone who might be expert enough to catch Mac hanky-panky in progress.

    They said both that they did and didn’t find a way to exploit a standard MacBook, and every time anyone asked for details, they either said they were withholding them for the common good, or made mysterious and completely unsupportable accusations that “Apple legal” told them not to talk about it. (Apple Computer, like any other entity, has no legal right to tell people who aren’t under non-disclosure agreements what they can talk about at any time, and any court order enforcing silence would be on the public record.) It’s possible that Maynor’s employer, SecureWorks, threatened him if he didn’t remain silent, but that’s neither Apple’s fault nor a credit to Maynor. It was he and Ellch who sought publicity by going to the press before showing video of their alleged hack at the public conferences Black Hat and Defcon, so if there’s fallout from making public allegations that they can’t back up, it’s on them, not on anyone else.

    If Maynor and Ellch had demonstrated it or shown code to just one Mac expert who could have verified their claims, they’d rightly be lionized for their work. Instead, they took credit for “hacking a MacBook” at security shows and in the international press while refusing to provide even the barest proof that they’d actually accomplished what they said they had, or at least what they wanted you to believe they’d said. Now that bugs and fixes are in the real world, there’s no way of ever knowing if what they say they found matches those bugs or not – when they had the chance to prove it, they refused. It’s like saying after the fact that you knew the answer to Final Jeopardy – you have to say it before it’s revealed to get credit for knowing it.

    Thus, for now, ends the tale of two hackers who sought the limelight and couldn’t handle it when they got it. There is no reason to believe that Maynor and Ellch found anything that could actually take over an unmodified MacBook computer, and now that Apple has publicly released fixes for unexploited bugs that might fit the bill, they’ll never be able to prove they found them first. There is zero evidence that Maynor and Ellch found what they said they found, and any rational observer has to treat their findings that way. If they wanted the credit, they had plenty of opportunity to provide proof instead of vague accusations, and they refused every time. If they get bitter, they can go commiserate with Fleischmann and Pons.

We’ll get all this in better order and out the door in the next few days. I’ve appreciated the cards and letters from those of you who had heard of my heart failure, and I thank you for realizing that replies to E-mail or voicemail may be delayed for several days while I focus my energies on more important stuff. I haven’t had a lot of energy for a long time, but it’s slowly coming back, and at least now I can breathe, so things are looking up.

You have my eternal thanks for your patience – had it not been for MDJ providing medical insurance, I might not even be here to tell you this. It’s all new for me, but I’m getting used to it, and look forward to a more normal schedule just as soon as I can make it happen. Thanks again!

Matt Deatherage
Publisher, MDJ & MWJ