I’ve largely refrained from commenting on the whole issue of whether Apple’s Airport hardware is vulnerable to the security hole that was demonstrated at Black Hat by Maynor and Ellich, and initially reported by Brian Krebs of the Washington Post. The reason that I’ve refrained is largely because I don’t know enough to meaningfully contribute to the debate: this kind of hacking is well outside my experience, yet alone expertise. Although I know a thing or two about viruses, I’m not in any way a security analyst.
What’s more, there’s been an awful lot of noise and not enough meaningful information. A lot of Mac users seize on any challenge to the idea that the Mac is totally secure as if it were a threat to their lives. There’s an awful lot of sound and fury, and not enough smart analysis.
Which is why I’m pleased that there’s been not just one but two pieces of very smart analysis on the subject that shine out as the best writing on the subject. If you’re a Mac user, I recommend you read them both, in order.
First of all, there’s John Gruber’s excellent post on “The Curious Case of the MacBook Wi-Fi Hack“. In this, John looks at the claims made by Krebs, Maynor and Ellich, and concludes that the whole thing is bunk – the whole thing smells as bad as the breath of the Kraken. Incidentally, John the one of the finest writers on the Mac today, and if you haven’t already done so you should send him money so he can carry on doing it full-time. I don’t always agree with him, but he’s never less than excellent. Go on – get off there and send him money.
Back yet? Good. After you’ve read John’s piece, head off to Securosis.com, and read “Another Take on the Mac Wireless Hack“. This takes John’s work as a starting point, and shows how you can reach almost exactly the opposite conclusion – that there is a problem, and it’s a big one – from the same premises. It’s smart, sharp, well written and overall brilliant stuff.
So who’s right? The fact is that it’s simply too early to say. The good news is that Securosis has already been exchanging emails with John, so hopefully there will be some more discussion between the two. But what we’re really all waiting for is a categorical statement from Maynor and Ellich, and that will come only when the security hole – if there is one – is patched.