A Post-Mortem on ZDNet’s Smear Campaign

A few days after I gave a talk at the HOPE/X conference titled, “Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices”, ZDNet published what their senior editor has described privately to me as an opinion piece, however passed it off as a factual article in an attempt to make headlines at my expense. Now that things have had time to settle down, I’ve taken the time to calmly write up a post-mortem describing what actually happened as well as some behind-the-scenes details that may shed some light on the drama we’ve seen from ZDNet and one of its writers over the past couple of weeks. Let me say first that this is the last time I will address this matter, and have no desire to continue to discuss it, or engage with ZDNet or their writer. In fact, I haven’t engaged with either parties since this all transpired a week or so after my talk, in spite of repeated attempts to bait me with more personal attacks and false claims of harassment.

At HOPE/X, I gave a very carefully-worded talk describing a number of “high value forensic services” that had not been disclosed by Apple to the consumer (some not even to developers), such as the com.apple.mobile.file_relay service, which I admitted to the audience as having “no better word for” to describe than as a “backdoor” to bypass the consumer’s backup encryption on iOS devices; this doesn’t necessarily mean a nefarious backdoor, but can simply be an engineering backdoor, like how supervisor passwords or other mechanisms work – a simple bypass to make things convenient. A number of news agencies reached out to me, and I took time to explain to each journalist that this was nothing to panic about, as the threat models were very limited (specifically geared towards law enforcement forensics and potentially foreign espionage). Also, that I did not believe there was any conspiracy here by Apple. Reporters from ARS Technica, Reuters, The Register, Tom’s Guide, InfoSec Institute, and a number of others spoke to me and got all the time they wanted. You can see that these journalists each published relatively balanced and non-alarmist stories; even The Register, who prides themselves on outlandish headlines, if you read their story, was actually quite level headed about the matter. A number of other news agencies, who had not reached out to me, published sensationalist stories with crazy claims of an NSA conspiracy, secret backdoors, and other ridiculous nonsense. I tried very hard to throw cold water on those ideas both in my talk and in big letters on my first blog entry, with”DON’T PANIC” and instructions for journalists.

ZDNet was among the news agencies that had initially published a sensationalist story without approaching me first for questions.

About the Research

My talk was based on research that I had recently submitted to, and had gotten accepted and published, in The International Journal of Digital Forensics and Incident Response. The research paper was fully peer-reviewed by Editor-in-Chief Eoghan Casey, now with the Department of Defense. The editorial board for this journal consists of leading researchers from Google, Microsoft, a number of universities, and defense contractors. The journal publishes solid, academic quality research covering a wide range of disciplines within the digital forensics field. My research paper goes into thorough detail about the threat models and risks that apply to this research, explains a number of the caveats, and outlines the technical details in a very thorough presentation. During the blind review process, I received feedback from the reviewers, and the research paper was refined and brought to consensus as worthy of publication.

The findings of my research were later validated by a number of researchers, the most prominent of which was a paper published by Stroz Friedberg.

The Second ZDNet Story

A few days after their first story, ZDNet ran a second, this time by a freelance reporter going by the name Violet Blue. As was with the first reporter, this one also failed to contact me to ask any questions. She ran a smear story with the sole intent of trying to discredit my claims and fabricate a narrative that my research had been debunked. ZDNet already had egg on their face from their first sensationalist story, so perhaps this was an attempt to save face from that article, which was also irresponsibly written without my input. In ZDNet’s story, a number of personal attacks were made against me, and over 30 falsehoods were published in a mere 20 or so sentences. I’ll document these at the end of this blog post. I initially ignored the smear piece and moved on, however within a few hours, the reporter (Violet Blue) resorted to demeaning taunts and baiting tactics on her Twitter account to get my attention. It was at this time I decided to contact ZDNet’s senior editor. In waiting for a reply, tension flared a bit and I made a few comments (via tweets) to Ms. Blue about the substandard quality of her journalism and lack of principles (which I do not apologize for), as well as two comments about ZDNet’s desire to publish what I deemed rubbish (again, which I do not apologize for, because it was). Additionally, a number of other well respected members of the InfoSec and iOS hacking communities made comments to Ms. Blue about inaccuracies in her story and the poor taste in which it was written. Here is one example. Here is another. Here is yet another.

Outside of a few comments and an email to ZDNet’s editors, I have made absolutely no attempts to engage with, contact, or address Ms. Blue.

Somewhere in the midst of this, I even offered Ms. Blue $100 (via Twitter) to find me one journalist who would say that I led them to panic. She never claimed this bounty.

Motivations

During this time, a few things were made known to me privately, by many individuals who had dealt with Ms. Blue and her tactics before. It was explained to me that Blue is a manipulator, and that this type of baiting and manipulation was commonplace. I was told that she had subjected a number of other innocent individuals to the same harassment; baiting them, taunting them, using her position to make personal attacks… and then falsely claiming harassment when they responded. This manipulation tactic is referred to as DARVO (Deny, Attack, Reverse Victim and Offender), and is a technique often employed by abusers. A number of credible journalists also contacted me privately to corroborate her tactics. I was specifically told by one journalist that Ms. Blue “attacks people in an underhanded way and when they respond screams harassment” and that she “makes my profession harder”. A different journalist expressed frustration that Ms. Blue had also misrepresented his piece as sensationalist in her own smear piece. Yet another journalist had some very not nice things to say about her at all, which do not bear repeating.

Another thing that had been told to me by a few different people privately, were that they had first-hand knowledge that Ms. Blue’s piece on me had more to do with the fact that I was a Christian (alleging she is very discriminating against those with my beliefs – plausible, given: link, link), and because I had previously written an essay criticizing Mozilla for ousting Brendan Eich as CEO merely due to public opinion about his personal contributions to Proposition 8. Given the reliability of the people who provided this information, it seems like a plausible explanation. On the other hand, I haven’t ruled out misandry all together, or perhaps just sheer ignorance of tech.

After learning about Ms. Blue’s tactics, and seeing her begin to already falsely claim harassment, I immediately decided to stop engaging with her altogether. While Ms. Blue had claimed publicly that she blocked my Twitter account, this was just one of many lies she’d made up, and so even while seeing her attacks continue, I have since continued to ignore her attempts to bait me – up to and including her posting derogatory comments about me on a tumblr account in the form of an “interview” that never took place (a reporter sent me the same questions for a followup). During this period where Ms. Blue had alleged I had “harassed” her, she was making numerous personal attacks against me, accused me of attacking her using a troll account (which I hadn’t, and never would do), hurled insults at me such as “creepy” and suggested I had psychological issues, and continued to attempt to discredit me and my character. My only attempts to engage her, as I said, were to contact her editor and fire back with a few comments of my own about her journalism. I’ve never been one to mince words. While I admit my comments, in the heat of her slander, were mildly sarcastic, they were certainly not abusive or personal in any way – as her own comments had been toward me. Nothing I ever said or did would have ever constituted harassment. If you write a smear piece about someone, you should expect to get at least a little bit of feedback from those you harmed. Journalism comes with a degree of accountability, which is why I had approached her editor to file a complaint.

The Editor Responds

ZDNet’s senior editor (David Grober) eventually responded back amidst the mess that Ms. Blue had created and insisted that her piece was a “commentary on the relationship between your presentation and media reports/interpretations of your work” and that her article should have been labeled as “opinion”. Mr. Grober also acknowledged that Ms. Blue should have reached out to me for comment, as a courtesy. In spite of this, Mr. Grober made no attempt to retract or correct the article, or any of the 30 falsehoods I had pointed out – in spite of my request for him to do so. I had even provided Mr. Grober my personal cellphone number in hopes that we could walk through the article. He never called, and instead decided to ignore my ethics complaint. Mr. Grober instead asked me to provide a rebuttal, however it appeared to me that he was only interested in the headlines and website traffic it would generate. I declined, refusing to even acknowledge their article as an act of journalism. Of course, by this time the damage had already been done anyway, and in many cases, the article was written in a way to make any attempts at a rebuttal ineffective.

The Fallout

The damage Ms. Blue had attempted to cause – whatever her motivation – was in fabricating a story and the illusion that somehow my research had been debunked, or was even being questioned; she introduced doubt where there was none, and this could have put Apple’s response to correcting the issue at risk. Additionally, as someone who has testified as an expert in high profile criminal cases, and has consulted on cases for the federal government, military, and even internationally on matters as important as national security – my credibility is important. In fabricating the idea that my research had somehow been debunked (without any evidence to back up her claim), Ms. Blue had made a direct attack at my credibility, and could have recklessly put many cases at risk. With such a strong and outrageous accusation, Ms. Blue provided absolutely no evidence from anyone in the community of anyone questioning the validity of these security issues.

Following Ms. Blue’s article, there had been limited debate about the semantics of the term “backdoor”, and some understandably disagree that the file_relay fits the technical definition of such… however, even among those who disagree with the wording have also publicly stated that the underlying security issues should be addressed. Some of the community’s well-respected researchers posted public summaries, such as Dino Dai Zovi’s TL;DR writeup (which had originally even used the term “backdoor”, but then decided that using Apple’s term would be less controversial); Ms. Blue’s tweet history shows that she even attempted to attack Mr. Dai Zovi for “validating” my work (validating was her choice of words). Among others who found value in the research were Andrew Case, Josh Hill (p0sixninja), Matthew Green, and many others. MobileIron and Good Technologies both noted my research and published articles citing ways to protect your mobile data in light of this research. Many also jumped to my defense including Anthony Vance, Frederic Jacobs, and more. In addition to this, Apple themselves have validated my research by already beginning to address the security issues in their latest beta, which was released shortly after my talk had received national attention. So while there has since been a semantics debate about use of the term “backdoor” (a term the media has inaccurately attributed to conspiracy theories), the research and the threats these vulnerabilities pose have not been undermined or discredited in any way, and quite the contrary have been deemed valid enough that Apple is addressing them quickly and two major countries (Russia and China) are raising all of the right questions.

I cannot speak as to Ms. Blue’s true motivation for running such a fabricated smear piece. Perhaps it is related to my religion, or to save face at ZDNet, or perhaps it is just because those types of sensationalist headlines sell. What I do know is that her piece was entirely fabricated, written in a vacuum, and is strongly disputed by the reputable journalists who took the time to discuss the technical details with me (and read the full white paper as well). Ms. Blue’s unfounded personal attacks have caused me great personal stress and upset.

Ms. Blue has continued to take every opportunity to harass and abuse me without provocation. On several occasions since these events, I’ve seen my name appear cited in news articles by reputable sources on Twitter, with tweets from Ms. Blue trailing in the replies, attempting to smear me all over again. In anything that I do, Ms. Blue continues to slander and harass me. I have long since moved on from this awful experience, however my professional life is now subject to cyber stalking by this individual, who takes every opportunity to cause damage to my reputation.

ZDNet’s management staff eventually went through a turnover, and the new staff found Ms. Blue’s article so embarrassing that they have since disavowed themselves of it entirely with a boilerplate at the top, even to the degree of citing that Violet Blue no longer writes for them.

Conclusion

This is the end of the matter as far as I am concerned. I have not engaged with Ms. Blue since, and will not engage with her in the future, regardless of her ongoing harassment. Any attempts to taunt or bait me recently have gone and will continue to go unanswered, and I have made it clear that I think it is best for both of us to ignore each other and move on. I have at no time harassed Ms. Blue in any way, nor do I intend to; people who know me know that I’m not capable of that. If Ms. Blue wants to continue baiting me in an attempt to garner attention, that is her personal character issue to deal with. I do find her work to lack any semblance of principles in journalism, but in this day and age, this is hard to come by.

Several individuals (including some from ZDNet) have recommended I pursue a libel suit against Ms. Blue, however I am not the litigious type. Needless to say, I may one day revisit that thought should her harassment continue.

After it was published, Ms. Blue had initially asked me to point out inconsistencies in her article. I have included 31 fabrications or falsehoods below, which I had previously placed on pastebin for her review, and sent to her editor as well. Many of her statements are outrightly libelous and actionable.

List of ZDNet Fabrications

The following is an overview of the fabrications in the ZDNet article “The Apple Backdoor That Wasn’t”; I’m including for review the referenced write-up I’d done previously, as my blog is a more permanent home than pastebin. Please note I’ve made some minor edits.

Source: http://www.zdnet.com/the-apple-backdoor-that-wasnt-7000031781/

Before the iPhone came out, and long before anyone heard the name “Ed Snowden,” the most common use of the word “backdoor” was relegated to an industry that applied the term as a colorful anatomical descriptive, helping potential customers select the preferred access point for their adult entertainment.

FALSEHOOD 1. In fact, Ms. Blue proves herself wrong later on in the article when she links to OWASP’s paper (https://www.owasp.org/images/a/ae/OWASP_10_Most_Common_Backdoors.pdf) which outlines definitions longly held in technology for decades that a backdoor is defined as 1. “a hidden entrance to a computer system that can be used to bypass security policies”, 2. “an undocumented way to get access to a computer system or the data it contains”, or 3. “a way of getting into a guarded system without using the required password”. The use of the term “backdoor” in the public eye can be traced as early as 1983 in the motion picture “Wargames”. For Ms. Blue to equate a” backdoor” as having a pre-Snowden meaning solely relevant the porn industry is not only categorically false, but intentionally misleading as an overt attempt to discredit anyone who uses the term “backdoor” in a technological way as a conspiracy theorist. She does just this further into her article.

Last weekend, a hacker who’s been campaigning to make a point about Apple security by playing fast and loose with the now widely-accepted definition of “backdoor” struck gold when journalists didn’t do their homework and erroneously reported a diagnostic mechanism as a nefarious, malfeasant, secret opening to their private data.

FALSEHOOD 2 There has been no campaign to make any point about Apple security, and Ms. Blue offers no evidence to back up that claim. There has, however, been an accepted, peer-reviewed journal paper, in a reputable forensics journal reviewed by members of the forensics community. Ms. Blue has falsely attempted to re-label an accepted academic journal paper as “campaign” to smear Apple, and has provided no proof whatsoever that I have attempted to do so. A look at my former blog posts and Twitter stream, quite the contrary, show many attempts to prevent embarrassment of Apple or accusations of conspiracy. All of these facts are ignored as the false opinion is expressed that I wanted to embarrass Apple.

FALSEHOOD 3 Accusing me of “playing fast and loose”; Ms. Blue here is using loaded language to attempt to discredit me (the author of this peer-reviewed academic paper and all relevant research). She refers to as a “campaign”, without any facts or statements of proof as to my motivation or prolonged “campaigning”, and is already, by the second sentence, attempting to discredit me with accusatory and derogatory terminology.

FALSEHOOD 4 “struck gold”. Here, Ms. Blue is falsely suggesting, without any proof provided, that I consider it some type of reward or positive outcome that journalists have misrepresented my research, which helps her set the stage to judge my personal character by suggesting within the second sentence that my intent was apparently to have journalists misled / misreport the research. Again, without presenting any proof; proof to the contrary is all over my website and Twitter feed.

FALSEHOOD 5. “secret opening”. Ms. Blue makes the false statement that I attempted to mislead journalists to believe that these services were intentionally conspired as secret, however she cannot and does not attempt to back this accusation up with any facts or proof to show that I had conspired to do this. In fact, my conference talk, blog entries, Twitter feed, and conversations with reporters all demonstrate attempts to rule out the idea of conspiracy.

Speaking at the Hackers On Planet Earth conference in New York, Jonathan Zdziarski said that Apple’s iOS contains intentionally created access that could be used by governments to spy on iPhone and iPad users to access a user’s address book, photos, voicemail and any accounts configured on the device.

FALSEHOOD 6. I did specifically say that the services were intentionally placed by Apple (and even maintained), however the article is accusing me of suggesting that Apple’s intent in creating them was so that they could be used by governments to spy, and that is very different from what I said. I said the code was clearly maintained by Apple, and created by Apple. I never made accusations of conspiracy. Ms. Blue offered no proof to substantiate her accusation, and in fact I’ve gone on record numerous times denying that sensationalist point of view.

As he has been doing since the Snowden documents started making headlines last year, Mr. Zdziarski re-cast Apple’s developer diagnostics kit in a new narrative, turning a tool that could probably gain from better user security implementation into a sinister “backdoor.”

FALSEHOOD 7. Ms. Blue has accused me of “re-casting” Apple’s developer diagnostics, however the file_relay service – the focal point of the talk – had never previously been disclosed by Apple until after my talk; therefore, how could I possibly attempt to re-cast anything? This is another attempt at discrediting my character by introducing the suggestion that my motives were somehow corrupt.

FALSEHOOD 8. Ms. Blue accused me of “doing [this] since the Snowden documents started making headlines”, however offers no proof of this; in fact, my first contribution occurred only months prior to the talk, with the acceptance of an academic paper outlining this research.

FALSEHOOD 9. Ms. Blue refers to a “developer diagnostics kit”. There is no such thing. In fact, of all three services outlined in the talk, only pcapd is even disclosed to developers or its use documented (which I do not dispute). Ms. Blue has offered no proof that this “developer diagnostics kit” even exists; the other two services: file_relay and house_arrest, are used exclusively and internally by Apple, and are not intended for developers. Apple has since clamped down on access to house_arrest (and pcapd) following my talk.

FALSEHOD 10. Ms. Blue accuses me of implying a “sinister backdoor”; quite the contrary, I have always maintained that the technical definition of a backdoor has absolutely nothing to do with conspiracy or intent; but rather an undisclosed technological bypass. I also used very careful wording in both the paper and the talk to be sure to diffuse any attempts to draw a conspiracy theory of any kind out of the research. Ms. Blue offered no quotes or other proof whatsoever that I attempted to turn this research into a conspiracy accusation toward Apple.

The “Apple installed backdoors on millions of devices” story is still making headlines, despite the fact that respected security researchers started debunking researcher Jonathan Zdziarski’s claims the minute people started tweeting about his HopeX talk on Sunday.

FALSEHOOD 11. “debunking” No security researcher has debunked the technological points of this research; in fact, many have confirmed the vulnerabilities and weaknesses, including author and well respected reseracher Dino Dai Zovi, who wrote a TL;DR on the subject. MobileIron, a well respected security company, even published a “how to protect yourself from backdoors” article as a followup. Good Technology, well respected for enterprise security solutions in the industry, also wrote an article, citing it in a Tweet titled, “Apple has a backdoor problem. Here’s how to protect your mobile data”. TripWire recently published an article, “Why You Should Care About The Apple Backdoor”. Apple, themselves, have validated the research by beginning to restrict access to these interfaces wirelessly. A number of other researchers, CEOs, and other technology-savvy members of the community have stepped up publicly to support my research with articles, blog postings, and tweets. The only point that has been argued, actually, has been an argument about semantics and whether the technical definition of “backdoor” should apply to the file_relay service outlined in the research. Ms. Blue has taken a discussion about semantics (which did not begin until after her article was published) and somehow used it to attempt to convince her readers that the research has been debunked, falsely, and without any proof. This is very clearly an attempt to establish some form of a scientific judgment by means of journalism, rather than science. This kind of public dismissal, even without proof, can be damaging to the reputation of a researcher, no matter how unfounded, and Ms. Blue should know this given her background.

FALSEHOOD 12. “the minute people started tweeting about it”. Ms. Blue has attempted to falsely, and without any evidence, make this research appear as already debunked, when in reality there has been absolutely no such thing whatsoever. The technological points made in the research still stand, are acknowledged by many security researchers, and their existence even caused Apple to disclose what they claim was their original intent in a knowledge base article. Incidentally, the validity of research is not determined via “Twitter” as Ms. Blue claims. It is determined during the peer review process, which took place prior to my paper being published in a reputable journal. And it is determined by followup papers to either reaffirm or dispute the research. Not on social networking websites.

Since Mr. Zdziarski presented “Identifying back doors, attack points, and surveillance mechanisms in iOS devices”, his miscasting of Apple’s developer diagnostics as a “backdoor” was defeated on Twitter, debunked and saw SourceClear calling Zdziarski an attention seeker in Computerworld, and Apple issued a statement saying that no, this is false.

FALSEHOOD 13. “miscasting”s. Again, the article attempts to make me appear to intentionally be miscasting a “developer diagnostic kit” – that does not exist – as a sinister conspiracy theory, without any proof or statements to back up her claims whatsoever.

FALSEHOOD 14. defeated on Twitter. Without a single quote cited from Twitter, Ms. Blue attempts to make the argument that the collective of Twitter has rejected the notion of “backdoor”, when in fact the security community is quite torn in half about whether or not the file_relay technologically meets the criteria of being a backdoor. Twitter has, however, shown a significant amount of public support for fixing these issues, as well as criticizing Ms. Blue’s article for its inaccurate reporting.

In fact, this allegedly “secret backdoor” was added to diagnostic information that has been as freely available as a page out of a phone book since 2002.

FALSEHOOD 15 “secret backdoor”; again, Ms. Blue attempts to paint a conspiracy theory without any proof that I attempted to infer that Apple had conspired to allow government to spy on its devices. I have been noted on record – repeatedly – as denying this conspiracy likely exists, and has warned journalists in writing, through my blog, not to sensationalize on a conspiracy notion.

FALSEHOOD 16 “diagnostic information… 2002”. Here, Ms. Blue outlined old documentation describing pcapd, and has completely missed the point that I was referring to a completely different service when describing the undisclosed file_relay service. Ms. Blue appears to be working very hard here to attempt to discredit me by ignoring the actual service that was central to the talk and research. I am well aware, and have acknowledged publicly, that pcapd has been around for a very long time, however pcapd is not the service I was referring to as a backdoor around backup encryption. Ms. Blue has completely missed the point of this portion of the research.

The packet capture software used for diagnostics referenced by Mr. Zdziarski in support of his claims is similar in functionality as the one that’s installed on every Apple laptop and desktop computer for diagnostics. So his numbers of “backdoors” allegedly installed by Apple for wide-ranging nefarious purposes are off by like, a billion.

FALSEHOOD 17. Regurgitation of the last sentence; here again attempts to pass off the “packet capture” as the service I was alleging to be associated with the backdoor; she clearly here is either completely lying or has made a grave error in completely misunderstanding the nature of my intent to disclose file_relay as the service appearing to be a backdoor around encryption.

It appears that no one reporting Zdziarski’s claims as fact attended his talk, watched it online, and less than a handful fact-checked or consulted outside experts.

FALSEHOOD 18. Ms. Blue has provided no proof or examples of any claims of “fact” by anyone, nor made any attempt to determine whether anyone had attended the talk or watched it online. In fact, I interviewed with Paul Wagensale (Tom’s Guide) who attended the talk, and ran a piece on the talk. A number of other reporters and researchers also attended the talk, many who later wrote about it. Ms. Blue makes a completely unsubstantiated argument here, in an attempt to single me out and insult anyone who supports my research.

Which is, incidentally, what I did. I saw the talk begin to gain momentum on Twitter, then quickly flushed the idea of a story when the researchers I consulted kindly told me there was no “there” there.

FALSEHOOD 19. Violet provided no statements from researchers that she consulted to confirm her claims, and did not establish that anyone had said there was no “there”. Additionally, Ms. Blue completely failed to attempt to contact me to ask questions or obtain clarification on any of the points to her story.

Regardless of the problems with Mr. Zdziarski’s sermon, the (incorrect) assertion that Apple installed backdoors for law enforcement access was breathlessly reported this week by The Guardian, Forbes, Times of India, The Register, Ars Technica, MacRumors, Cult of Mac, Apple Insider, InformationWeek, Read Write Web, Daily Mail and many more (including ZDNet).

FALSEHOOD 20. “Sermon”. Here, the article attempts to further discredit/embarrass/chastise me by referring to this research (which again began with a peer-reviewed academic paper) as a “sermon”, and has voted down my assertions as incorrect without a shred of evidence or technical backing posted in the article.

FALSEHOOD 21. Ms. Blue made the false statement that every other news agency that reported on this research as anything having an opinion that did not match her own as wrong. Further, Ms. Blue provided absolutely no specific citations of any of those articles and what was wrong with them, made non arguments, and provided no proof that any of the other articles were wrong.

People were told to essentially freak out over iPhones allowing people who know the passcode and pairing information to use the device.

FALSEHOOD 22 Without providing ANY proof here, she has wrongly accused me of leading all journalists to “freak out” over my research. In fact, I had provided via a number of quoted tweets from journalists I spoke with, that every single one of them had been given a level-headed “don’t panic” talk from myself. What’s more, the original blog post began with the words “DONT PANIC” right underneath the link to the slides, followed by a stern warning to journalists not to “freak out” about it, and further attempted to clarify why they shouldn’t. I had since offered Ms. Blue $100 (via Twitter) to find one single journalist who would publicly say that I attempted to mislead them into panicking, and She has not come forward to collect the bounty.

If you’re the kind of person that walks into a public library, plugs in your iPhone and gives the public computer and every rando who accesses it permission to access everything on your phone forever, then okay, maybe you should freak out.

FALSEHOOD 23. Here, Ms. Blue attempts to patronize me further while simultaneously showing that she has no technical grasp of the threat models outlined in my research, which did not involve any type of scenario where the general public would be threatened in any way.

‘I meant a different kind of backdoor’ The researcher erroneously stated that Apple “confirmed” his allegations when in fact the company had done the opposite.

FALSEHOOD 24. Here, she attempts to accuse me of backpedaling, or changing my story with regards to my allegations of a potential backdoor, again without showing any proof whatsoever. I have been consistent in my definition of a backdoor since giving the talk, and in fact has attempted to clarify my definition of a backdoor as “technological” and not based on “conspiracy”. Those who attended the talk heard the phrase “undocumented services” rather than backdoor, and when backdoor was used one time, it was only used to explain that I could find no other word that fit the technological definition he was referring to. I have since joked that we could call it a “chicken wing” or a “UFO” but that it doesn’t change the security threats outlined in the research.

In light of much debunking in security communities and Apple’s statement, Zdziarski published a blog post backpedaling on the interpretation of “backdoor” — yet still affirmed his narrative.

FALSEHOOD 25. Here, Ms. Blue attempts to continue dismissing my research as “debunked” when, in fact, the security community by and large has accepted the research’s technical findings of weaknesses in Apple’s security, and additionally so has Apple as evidenced by their latest work to address them. Ms. Blue shows no proof whatsoever that any of the research has been debunked, except by her own personal opinion, which has essentially amounted to lying about it. This in an attempt to assume that the scientific community has reached any such conclusion – or at least to suggest that there is debate, when in fact there has been no debate about the validity of the security issues.

FALSEHOOD 26. Backpedaling. Here, Ms. Blue continues to accuse me of changing my position with regards to backdoor, when in fact Ms. Blue herself does not appear to have a firm grasp on the definitions I have always used, as she did not attend my talk nor did she ever attempt to contact me with questions for the story.

According to OWASP, a “backdoor” is defined as: A hidden entrance to a computer system that can be used to bypass security policies (MS definition). An undocumented way to get access to a computer system or the data it contains. A way of getting into a guarded system without using the required password.

FALSEHOOD 27. Here, she contradicts the very first sentence of her own story by establishing that the terminology of “backdoor” in fact did have significant technical merit in a pre-Snowden era.

When Apple explained the diagnostics toolset and published a detailed support document, Zdziarski said that Apple’s acknowledgement of its not-secret developer tools only proved him right, and that this meant Apple was admitting to his claims of making iOS vulnerable to authorities’ snooping by design.

FALSEHOOD 28. Here, she refers to the tools as “not-secret”, however the file_relay service (the service in question) had never been previously disclosed until this document by Apple, after my talk. Additionally, house_arrest had never been properly documented, and it had never been disclosed that pcapd was capable of running on all non-development iOS devices. Ms. Blue attempts to, without any proof, falsely establish that all three of these services have been well documented by Apple in the past, which is not the case.

Zdziarski says he “doesn’t believe for a minute that these services are intended solely for diagnostics.”

FALSEHOOD 29. An out-of-context quote; placed in context, this was dismissing my believed downplaying of these services as being “solely” for diagnostics; the pure personal nature of the data they relay makes them unsuitable for diagnostics only, based on the slides from my talk which had already debunked that general notion prior to Apple’s response, for a number of reasons.

And with one word — “believe” — we have the nut of what’s becoming a big problem in the state of security and journalism for everyone.

FALSEHOOD 30. Here, Ms. Blue is taking an out of context quote and trying to become abusive with it, and insult both the security industry and journalism, when in reality it is Ms. Blue who has not provided a single shred of proof to back up any of her outrageous claims against me or my character.

FALSEHOOD 31. This quote is actually a misquote; the word “believe” was never actually uttered by me. Ms. Blue invented it herself to attempt to make a more sensationalist end to her story. The original quote follows:

“I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption.”