iPhone security concerns 'exaggerated'

That got you here, didn't it?

This is an article about ethics in journalism. It's taken a lot of research. It's a long article. Hopefully it's a good read. Hopefully it's accurate.

It's about how people in power looking down at the marketplace like the apparatchiks at Red Square on May Day can know how to manipulate public perception - and how they go about doing it - so as to get you the consumers to spend money on things you might not otherwise consider purchasing.

It takes up one isolated example of direct market manipulation. But the hope is that this example sheds light onto exactly how consumers are manipulated and what consumers can do to counteract this manipulation.

The 'Ethics' of Journalism

Responsible journalism requires two things of people in the media.

- If a journalist is expressing opinion the piece must make it clear it's opinion only.

- If a journalist is 'reporting' then it is not permissible to fudge facts or use paid mouthpieces - not even for colour quotes.

Some 'journalists' such as the Enderles deliberately cross over both lines because they're paid to do so (by Microsoft). Jim Dalrymple crosses over both lines too - and in fact does things even the Enderles wouldn't attempt.

And whether Dalrymple's actually 'paid' by Apple is moot. He might not be on salary as the Enderles are with Microsoft but there are other ways to deal out perks and Jim Dalrymple no doubt has quite a collection by now.

All corporations have - in varying degrees - people on the 'inside'. It's unavoidable and inevitable. As big as the marketplace is the major players are actually very few and form a tightly knitted community. Sooner or later the reporters and editors of Macworld are going to come into contact with the brass at Apple.

People Don't Read

And a lot of the skulduggery builds on the unfortunate fact that people don't read. Past the headlines that is. The task isn't so much to create a good article that makes the rounds as it is to create a good meme of a headline that makes the rounds - and with further pull from the contractor it's easy to make the right headline make the rounds.

The example cited in this article made the rounds over 100,000 times.

But that's where responsible journalism comes in. The media aren't supposed to give in to temptations to directly manipulate what people think and perceive. That's propaganda. That's brainwashing. That's unethical. The media have to be careful about this. They must continually be on their guard to not in any way twist or distort the news.

(In some countries - but certainly not in the US and certainly not on Fox - it's considered unethical for a television news reporter to show any facial expression whatsoever.)

And they must never be perceived as anything less than impartial either - or else they lose their credibility. And then their readership. And then their revenues. And then they're out of business and they can't publish anymore.

It's a question of common sense, you say, and more importantly it's a question of ethics. So why do journalists break their own code? Indeed. But they do break it - they break it all the time. But why?

- Because in at least this particular case but certainly in most others it's a question of consumer information. The consumer has the right, the privilege, the duty to question those who put products on the market and to look critically at those products.

And unfortunately this doesn't sit well with many corporations and so people of questionable integrity like Jim Dalrymple are needed to 'set things right'.

- And because companies like Apple and people like Jim Dalrymple aren't afraid to 'take a chance' - gamble everything on a little bit of innocent 'deception'.

Past Performances

A year ago Dalrymple was called on by Apple's Lynn Fox to smear Brian Krebs and David Maynor. Dalrymple pulled an excellent shell game out of his pocket: first he published one article at one site hinting that Maynor may not have been up front with details of the MacBook exploit - and then went 'crosstown' to publish another article citing his first article and raised the stakes, now using the first article as a factual 'source' that Maynor was a fraud.

Brian Krebs is no hacker but he's a responsible journalist and he reported on what he saw. He's an OS X user (top of the line MBP) like many, loves the system, loves the hardware, and what he saw scared him as it should. He in no way can know if Maynor was tricking him. He had to rely on Maynor's honesty. But the night before Maynor's presentation at Black Hat Krebs saw Maynor set out and boot an out of the box MacBook - sans the USB stick he'd use by agreement with Apple the following day - and break into it remotely.

By the following day, after Maynor's presentation, Lynn Fox was scrambled. And she in turn scrambled her friends. Most notable of whom was Jim Dalrymple.

The Dalrymple articles about Maynor were very strange to the critical eye. And the critical eye saw through the scam with the 'double posting'. But people don't read.

Dalrymple was later outed for being in direct contact with Apple's Lynn Fox over this one, more or less acting on her direct orders to 'smear Maynor'. But that changes nothing. Again: people don't read.

Time went on. Apple patched the holes Maynor pointed to, Apple got Maynor's employer to put a muzzle on Maynor so he couldn't talk about the holes even after they were patched, Maynor left his job and started slowly going out of his mind - and Apple (and Dalrymple) kept on, one life destroyed but the Cupertino bottom line once again safely beyond harm's reach.

New Enemies, New Challenges

Cut to the present. A year later Lynn Fox is again scrambled and again she has to scramble Dalrymple. This is the second year in a row. With Apple's OS X increasingly under the hacker electron microscope it's probably going to become a recurring thing, an annual event.

Dalrymple better plan on taking summer holidays some other time of year.

Dalrymple's latest 'job' which coincided roughly with Charlie Miller's presentation at Black Hat is actually in response to something else. But Lynn must have grinned: for the timing was not only good - it was great. She could kill not two but three birds with one stone.

A clean sweep.

But nothing must spoil the grand release of the iPhone. Lynn Fox knows that - that is her responsibility.

But what had happened? Who were the new enemies?

The new enemies were the Gartner research group and NASA - the United States National Aeronautics and Space Administration.

They were attacking the iPhone. Both had come out and said the device, though revolutionary, wasn't ready for the enterprise.

'In a story that is sure to get on the nerves of some Apple fanatics, NASA - our country's space division - has said that the iPhone is not 'enterprise ready' and thus will not allow astronauts to carry the phone. In its place the organisation is pressing the Blackberry 8800 or the Treo 750', wrote MacNN - and ironically the author of the article agreed.

'Spoilsport space agency NASA decided against giving astronauts and other staff the Apple iPhone', wrote Anna Lagerkvist at Tech.co.uk. 'NASA officials made the decision last month after agreeing that the iPhone was not enterprise ready. Instead staff will get Blackberry 8800 and Palm Treo 750 handsets.'

The Tech.co.uk article went on to cite InformationWeek which is a known Enderle hangout. The InformationWeek article was published on Sunday 31 July at 09:20 AM - less than two days after the release of the iPhone.

Setting Things in Motion

'Apple iPhone Out, BlackBerry 8800 In At NASA', wrote Paul McDougall. 'The minutes of a meeting of NASA tech officials show that the space agency has determined the iPhone not to be enterprise ready.'

The decision was made by NASA's ODIN ('Outsourcing Desktop Initiative for NASA') office. NASA are namely attempting to outsource IT support to companies in the private sector.

Jeff Stephens, acting project manager for ODIN who also works for Lockheed Martin, commented from his DC office only to say he couldn't comment. Yet InformationWeek insist they have seen minutes of the meeting.

After attempting to elicit further information from Stephens by email, InformationWeek called Apple Inc. Although Apple did not return the call they did start setting things in motion.

And although the minutes of the NASA meeting in no way cited reasons for nixing the iPhone, InformationWeek picked up clues from an earlier Gartner report.

In June Gartner cited a lack of support from major device management and mobile security software suites, lack of removable batteries, and Apple's exclusive contract with network provider AT&T as possible Achilles heels.

Were the Enderles at InformationWeek attempting to sink the iPhone? Were they attempting to cite an unspecified NASA decision as reason to believe the iPhone was not only not ready for the enterprise but also 'insecure'?

For that is definitely the message Apple got - and the reason Lynn Fox and Jim Dalrymple were again scrambled.

And to make matters worse Charlie Miller of ISE and formerly of the NSA was scheduled to speak at Black Hat in two days and explain how he'd hacked the iPhone.

Clearly something had to be done.

Spreading the Headline

Jim Dalrymple was called in to publish the start piece. The contents of the article were not as important as the headline itself.

Once the article was written all that remained was to start spreading it. Here's where the magic of market manipulation comes in. Market manipulation isn't so much about the content of the article as it is about its headline. People don't read.

The article got spread all over the place - to over 100,000 sites. It made it of course to sister publication PC World. And Networkworld. And Security News Portal. And Computer Partner. And iPhone Topic. And Digital Arts. And NewzFire. And German PC Welt. And iPhone Tattler.

And teXpy. And PR Law. And Investor Village. And playTM. And SEO Chat. And Codewalkers. And ASP Free. And NEooWS. And iPhone2Die4. And Rootly. And Aperture Users Professional Network.

And Inform. And Newspaper Digest. And CNET's Alpha Forums. And BUMPzee. And iPhone Features. And Findory. And Flying Hamster. And Zicos. And FirewallSupport. And Inbox Robot. And German (and IDG) Central IT.

And Dilby. And JRP Support. And Kinja. And Yahoo. And Berkeley. And Australian Global Intellect. And Mac OS X Hints. And 1st Headlines. And Mac Daily News. And, according to Google, over 100,000 more.


And always the same story. Dalrymple's story.

And from there it spread to blogs and forums. And to digg. And Technorati. And Slashdot.

One story. Lots of legs. Four words. Welcome to New Millennium journalism.

Past the Headline

But what about the backstory? If you search for Dalrymple's predictably sole source for the killer piece - one 'Andrew Jaquith' - you'll find quite a few links too. But Andrew Jaquith doesn't have a Wikipedia page. Charlie Miller doesn't either but his boss Avi Rubin does.


So does Brian Krebs. But Jim Dalrymple doesn't. But no matter: the point is Dalrymple as a responsible journalist has to get facts from at least two separate sources - you can't just find a single sympathetic soul. You can't just walk out onto the street and talk to the new bricklayer and quote him.

You can't go to the county graveyard, pick names off gravestones, and make up quotes with their names.

You can't make up user names at Linux forums and then pretend they're real opinions and you can't use those gravestone names to petition the US government to drop the DoJ charges against you.

It's all suspect and it's all at least bordering on the criminal and it's all very very very deliberately misleading.

It doesn't matter much who Andrew Jaquith is - no one else came out and backed him up. There was no second source. But of course most people won't know this because people don't read.

Jaquith's name and quotes are needed only on the off chance someone actually reads the piece.

But what does this security genius Andrew Jaquith have to say? Evidently he was not at Black Hat where security geniuses congregate - no mention is given in Dalrymple's piece. What did he say?

Dalrymple cuts to the chase right away.

'I think it has been exaggerated', Dalrymple quotes Jaquith as saying about the iPhone security situation and describes Jaquith as a 'security analyst'. Note that's an opinion Jaquith is offering - not a fact.

'You have to start with the observation that many of the people that complain the loudest and say it's a security threat tend to be security companies themselves.'

Such as Jaquith himself. And again: that's only an opinion. But it's essentially saying that the only people one can rely on for educated opinions - people in the security business - are precisely the people one shouldn't trust.

Talk about fancy footsteps.

Dalrymple now goes on the attack against the enemies - with one embarrassing exception: Apple know better than to attack NASA. Apple may have strong brand recognition but it doesn't pay to push one's luck. So Dalrymple will leave venerable NASA out of it and concentrate on the other players - and hope no one saw the headlines about NASA nixing the iPhone.

(There were only two dozen links to the NASA story at Google News compared to the over 100,000 Dalrymple's about to get. So the odds are pretty good.)

One after the other - without mentioning Jaquith again yet or going into any further discussion of the issues at hand - he knocks them off.

- Andrew Storms of nCircle. Because he called the iPhone 'our new security nightmare'.

- Ken Delaney of Gartner. Who told IT execs to stay away from the device eight days before it hit the shelves. The very fact this 'crime' is stated in such detail shows Apple are holding a grudge and handing the axe to Dalrymple.

But back to security. For despite this initially being about the device and the enterprise Charlie Miller is in Las Vegas and what everyone is buzzing about now is Charlie's exploit.

So it's time to do away with security concerns. This is done by dividing and conquering. Oh sorry - we don't do it ourselves. We're responsible journalists. We let our 'source' Jaquith do it. We hand him a copy of the screenplay and he can read back to us.

Divide and Conquer

There are two 'overblown' claims, says Dalrymple Jaquith.

  1. The iPhone is not enterprise ready.
  2. The iPhone is not secure.

OK, we've split the opposition; let's start attacking them.

As for Argument 1: we just push.

'While IT managers may not want to officially support the iPhone on their networks, it will make its way into the enterprise and corporations through the employees - whether they like it or not.'

In other words: even if security professionals are concerned, there is no reason to be concerned because they're going to have the device forced on them.

Something like the Anschluß. Why be concerned? The tanks are already here!

As for Argument 2: we just curtly and without explanation deny the issues exist.

Jaquith states: 'there is little sensitive data on the iPhone that needs to be encrypted'.

How's that for a curt denial?

But what does Dalrymple's Jaquith know? Has he radar vision and can see what each of the millions of users will have on their hard drives? It might come as a shock to Jaquith but these computers are made to store data and - another shocker - a lot of corporations have something called corporate data and a lot of this is secret and/or sensitive data that must not leak out.

The concern is that iPhones will fall into the wrong hands - that industry spies will even engage pickpockets to remove these devices from their target to get at the secrets of their competitors. Losing laptops is bad enough - but iPhones are a lot harder to hold onto. Even saved mail messages can provide too many clues. Or what's a boss supposed to do? Remember to not discuss top secret projects with employees who now use an iPhone?

The snag with the iPhone is that it's being opened up against its will.

The #iphone crew and Charlie Miller can more or less get at anything they want on the device. It's programmable. And if one of those gets lost - it's game over.

With an ordinary laptop you can - in theory and in practice - have security routines that run regularly and shred file slack and disk slack and see all deleted files are shredded as well - and this is necessary because laptops are programmable. Thieves could steal data otherwise.

The iPhone's a computer too - it's just a smaller computer. But it's a computer still the same and it does present a whole new world of security concern.

Which is what Ken Delaney of Gartner was harping about. Which is why Dalrymple had to sic Jaquith on him too.

'Again Jaquith said it just doesn't matter because of the type of data the iPhone has on it and none of the iPhone's processes require open TCP/IP ports.'

Which has got to be one of the dumbest security quotes ever and probably explains why Jaquith wouldn't attend Black Hat - he'd be laughed out of the state of Nevada.

Seriously: what the fuck does Jaquith know or pretend to know about the 'type of data' users are going to put on their phones? But it doesn't really matter for #1) most people won't read this far anyway (they'll only remember the word 'exaggerated' plastered over and over again 100,000 times on the web) and #2) ordinary punters won't even try to understand this security shit.

Next Dalrymple Jaquith pulls out some statistics about Bad Bad Microsoft - always a good strategy when the fanboys are under attack. 'Microsoft are worse' or 'Microsoft are no better' always takes the pressure off.

Jaquith won't go on the record about Microsoft but he'll quote Symantec. About what ports a Windows mobile device has open and without even attempting to explain what this does or does not mean he merely says the 'underlying assumptions' about firewalls are wrong.

What assumptions?

Dalrymple Screws Up

Dalrymple's just about pulled it off. Which is why it's so shocking to see him suddenly ruin it all - really put his foot in it - and this isn't Jaquith ventriloquism any longer - this is a Real Dalrymple Quote™.

'All custom applications that run on the iPhone are web based and users do not have access to the underlying file system.'

Oh that's really funny. Dalrymple ought to get on #iphone right away. Or get over to the iPhone wiki. Or visit Hackint0sh. Or try out NerveGas' fantastic hack. Or try Charlie's hack.

Or work from there logically to see what's happened: Charlie didn't have physical access to the device like the #iphone crew do - and yet he could goddamned well access the underlying file system - he could get that file system to send data to a remote rogue site. That surely wasn't in Apple's or Dalrymple's plans. Or even Jaquith's if he had any of his own.

NerveGas just published a recipe for opening the iPhone to SSH communications. It involves overwriting sensitive system files on the iPhone. It sure seems NerveGas - and a lot of other people - have access to the 'underlying file system'.

His ethics worn thin, Dalrymple doesn't bother to check the facts. He's dead wrong.

It's a Fine Product!

But this article was never about refuting claims of security weaknesses. It was about getting a headline spread across the Internet. And regardless of the context one must end with a sales pitch. Dalrymple ends with the expected sound bite from Charlie McCarthy.

'It's the best phone and iPod I've ever used.'

How fortunate Dalrymple and Lynn Fox were able to find such a sympathetic security expert - the kind you can trust as opposed to all the rest - who is at the same time an iPhone fan and an iPod fan! What incredible luck!

Final Exam

These are the lessons to be learned - did you learn them?

  1. Never trust Jim Dalrymple. He's a Lynn Fox Apple tool.
  2. Never stop at the headlines. Always read the entire article.
  3. Always do your own research. Always double check those stories.
  4. iPhone security concerns aren't exaggerated. No security concerns are.

See Also
Hacking the iPhone
'How I Hacked the iPhone'
Alpine Dottie
Effective UID: 0
iPhone and Security
iPhone and the Media
iPhone and Full Disclosure
iPhone Hack to be Patched
iPhone OS X System Architecture

Thanks to Devon at Pixel Groovy for the excellent artwork.

Copyright © Rixstep. All rights reserved.