If you wouldn’t object, I’d like to add that if the quality of his work, and the nature and intent of his disclosures is only what we’ve seen so far then he really doesn’t count as a white-hat or a black-hat. Just an asshat.

Maybe it is and maybe it isn’t. It depends on whether he keeps trying to break Mac OS X or not, and if he does, how he makes his findings public.

If Maynor stops trying to break Mac OS X, then that’s a minor loss. It means that one researcher has stopped trying to break Mac OS X. If he were the only person doing this, it would be a loss, but he’s not, so this seems like one of those “If you don’t, someone else will” situations.

If Maynor continues trying to break Mac OS X, and he reports all his results on any public forum, then that’s no worse than the Month Of Apple Bugs. Either Apple will monitor his public disclosures, or someone else will and send them to Apple. In other words, Maynor would just be switching from “responsible disclosure” (notify vendor first), to “full disclosure” (everyone is notified at the same time). If he does that, he can’t claim to be doing “responsible disclosure”, but so what? Other breaks of Mac OS X have been released as full disclosure and the world hasn’t ended.

If Maynor continues trying to break Mac OS X, and he only reports results or exploits privately, or only provides only partial reports, then that *IS* to all our detriment. But that’s because he’s gone from being a white-hat security researcher to being a black-hat malicious cracker. He’s the one to make that choice, and no one can stop him from doing that, not even Apple.

I still agree with other people here: Put up (the whole thing) or shut up. If Apple’s fixed the bug and made the fix freely and publicly available, let the exploit hang out there. If people don’t patch their systems, it’s their own damn fault at this point.

If you don’t have a full on rooting exploit, shut up and go away.

“The Mayntard is at it again.”

/Fake Steve

Even reading your article Glenn, you point out that he’s still not being straightforward about this.

So he has no credibility. At this point, he’s shot himself so badly that even *legitimate* work he’s done or will do will be questioned, because he’s demonstrated that he’s perfectly willing to dissemble to make himself look good.

Even now, he can’t stop. “Well, I can also take over a Mac, but i’m not going to show that…yet.” What’s he waiting for? More publicity so he can get more jobs as a l33t s3cur1tee d00d? Bullshit. He’s been playing this game since the beginning, and it’s just publicity hounding at this point.

the other issue is this statement:

“Maynor said this experience has led him to have no interest in providing information to Apple again about security flaws. That’s to all our detriment.”

No, it doesn’t. If he can’t handle the fact that sometimes things don’t work the way you want them too, and companies have a high asshole quotient, then he was never the kind of person you wanted doing security research. “I’m taking my ball and going home” is what seven year olds say when they don’t get their way. It’s not what grownups say. Waaah, Apple didn’t do what he wanted the way he wanted. Get over it.

BLATTAPUS: Maynor confirmed what has been known during this whole time. He had an exploit against the native driver that comes with OS X. He and Ellch screwed up. They had meant to show and discuss only a third-party hack, and they got too excited, let Krebs see what was going on, and then all hell broke loose.

This does boil down to just two things: Did Apple knowingly lie about a security issue, which is a significant lapse on their part, and I still think unlikely; did Maynor and Ellch try to help the user community by NOT releasing details, which I think is likely based on their subsequent actions.