Johnny Cache Breaks Silence On Wi-Fi Exploit
Joe Barr writes, "Johnny Cache — aka Jon Ellch — is chafing under the cone of silence placed over him and co-presenter Dave Maynor about the Wi-Fi exploit they presented at Black Hat and DEFCON last month. So he has finally broken his silence on NewsForge in hopes of ending the personal attacks coming from what he implies is a smear campaign started by Apple." (Newsforge and Slashdot are both owned by OSTG.)
Johnny Cache writes, "If you're going to post a news story that is a rehash of my post to a mailing list, I would much prefer it if people actually just read the post in its entirety."
under the cone of silence... give me a break.
If you mod me down, I shall become more powerful than you could possibly imagine.
Chief! If we are to talk about something top secret, we must use the cone of silence!
Time to move with the times people.
So, is he going to take Daringfireball's challenge or not? I think his whole thing has tarnished him, and he won't recover.
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
--
NetInfo connection failed for server 127.0.0.1/local
Johnny Cache breaks silence on Apple Wi-Fi exploit
Monday September 04, 2006 (01:07 PM GMT)
By: Joe Barr
Jon Ellch -- aka Johnny Cache -- was one of the presenters of the now infamous "faux disclosure" at Black Hat and DEFCON last month. Ellch and co-presenter Dave Maynor have gone silent since then, fueling speculation that the entire presentation may have been a hoax. Ellch finally broke the silence in an email to the Daily Dave security mailing list over the weekend, and one thing is clear: he is chafing under the cone of silence which has been placed over the two of them.
Ellch explains their silence since the presentations in his email by saying:
Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch. Whether or not this position was taken after a special ops team of lawyers parachuted in out of a black helicopter is up for speculation.
He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something."
Ellch then breaks down the elements of the vulnerability and possible exploits, but in the context of Intel drivers rather than Apple's, asking and then answering the obvious question of why he did so when he wrote: "Why am I switching the subject from Apple's bug to Intel's? Because it's patched, and Secureworks has no influence over what I say regarding this one."
He buttressed his explanation of how he crashed the Intel Centrino driver (by flooding it with UDP packets and disassociation requests to create a race condition) with links to dumps of crashes he caused using this technique.
Ellch notes that a crash caused this way doesn't guarantee a successful exploit, saying "If you're lucky, your UDP packet will end up on the stack. If you're less lucky, a beacon packet from a nearby network will end up on the stack. In the case where I successfully overwrote eip (Extended Instruction Pointer), the UDP packet was 1400 bytes."
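Seen from the monitoring side, as an added example that is not code from the article or from Ellch and Maynor: a sliding-window detector over constructed frame and datagram records that flags the traffic pattern described above, a burst of disassociation frames arriving together with large UDP datagrams aimed at one wireless client. The window length, the thresholds and the 1200-byte "large" cutoff are assumptions.

```python
"""Sliding-window detector for the traffic pattern the article describes:
a burst of 802.11 disassociation frames combined with a flood of large UDP
datagrams aimed at one wireless client.  Added illustrative example; not
code from the article or from Ellch/Maynor.  All records are constructed
and the window/threshold values are assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since capture start
    kind: str      # "disassoc" for a disassociation frame, "udp" for a datagram
    target: str    # label of the client the frame/datagram is aimed at
    size: int = 0  # UDP payload length in bytes; 0 for management frames


Alert = Tuple[str, int, int]  # (target, disassoc frames, large UDP datagrams)


class FloodDetector:
    def __init__(self, window: float = 2.0, disassoc_limit: int = 10,
                 udp_limit: int = 20, big_udp: int = 1200) -> None:
        self.window = window              # seconds of history kept per target
        self.disassoc_limit = disassoc_limit
        self.udp_limit = udp_limit
        self.big_udp = big_udp            # datagrams at least this large count
        self._hist: Dict[str, Deque[Tuple[float, str]]] = {}
        self._alerted: Set[str] = set()   # targets already reported this burst

    def observe(self, ev: Event) -> Optional[Alert]:
        """Record one event (in time order); return an alert the first time
        both thresholds are met for a target inside the window, else None."""
        q = self._hist.setdefault(ev.target, deque())
        # Small datagrams are ordinary traffic and are not counted.
        if ev.kind == "disassoc" or (ev.kind == "udp" and ev.size >= self.big_udp):
            q.append((ev.ts, ev.kind))
        while q and ev.ts - q[0][0] > self.window:
            q.popleft()
        disassoc = sum(1 for _, k in q if k == "disassoc")
        big = sum(1 for _, k in q if k == "udp")
        if disassoc >= self.disassoc_limit and big >= self.udp_limit:
            if ev.target in self._alerted:
                return None
            self._alerted.add(ev.target)
            return (ev.target, disassoc, big)
        self._alerted.discard(ev.target)  # burst is over; re-arm for this target
        return None


def scan(events: List[Event], **kw) -> List[Alert]:
    """Run a fresh detector over an event list, collecting alerts."""
    det = FloodDetector(**kw)
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):  # stable sort keeps order
        a = det.observe(ev)
        if a:
            alerts.append(a)
    return alerts


def benign_sample() -> List[Event]:
    """Constructed normal traffic: small datagrams plus two roaming disassociations."""
    evs = [Event(i * 0.05, "udp", "client-A", 100) for i in range(40)]
    evs += [Event(0.5, "disassoc", "client-A"), Event(1.3, "disassoc", "client-A")]
    return evs


def attack_sample() -> List[Event]:
    """Constructed flood: 30 datagrams of 1400 bytes (the size the article
    mentions) interleaved with 15 disassociation frames within 0.6 s."""
    evs = []
    for i in range(30):
        ts = 10.0 + i * 0.02
        evs.append(Event(ts, "udp", "client-A", 1400))
        if i % 2 == 0:
            evs.append(Event(ts, "disassoc", "client-A"))
    return evs


if __name__ == "__main__":
    print("benign:", scan(benign_sample()))   # []
    print("flood: ", scan(attack_sample()))   # [('client-A', 10, 20)]
```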
He also responded to criticisms that he and Maynor have simply been "playing the media" instead of reporting an actual vulnerability and exploit, saying:
You know, of all the comments I see, the ones that 'we played the media' make the least sense. Have you ever seen me in the news before? No. Have I ever talked to a reporter before? No. Am I doing a very good job of winning this PR smear campaign lynn fox ignited? No. If I was so deft at manipulating the media, would I be explaining myself on dailydave praying that a few technically competent people will actually get it?
I contacted Ellch by email after reading his post and asked if he was claiming Apple is the cause of their silence. He replied:
Let's just say it's pretty obvious I'm not happy about being silent. So much so that I'm releasing non-Apple bugs to convince people that we do in fact know what we're talking about.
If that's just an 'implication', I'll eat my hat. It's pretty obvious that his going silent is the result of Apple putting the thumbscrews to him. He states that the ONLY reason he's saying something now is because he's talking about Intel's drivers, not Apple's. It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks, forcing him to be quiet until they get a patch out. This way no one can report about the 'insecurity' of the OSX platform - there are no exploits, see? As long as you're patched and up to date!
Event Management Solutions : http://www.stonekeep.com/
I know the feeling. If you even dare to suggest that an Apple might even have the slightest imperfection, the crazy Appleist Fundamentalist Extremists will start a Jihad against you.
Hacking is not just throwing a bunch of 1400 byte UDP packets at a stack. For God's sake, this "hack" is not exploitable. It is a denial of service attack at the most.
So THAT's why Apple's oh-so-vicious lawyers let them GO AHEAD AND USE A MAC IN THE FUCKING DEMO.
Riiiiiiighhht.
Puleeeze.
If that's true, I think Microsoft should hire away Apple's lawyers.
He buttressed his explanation of how he crashed the Intel Centrino driver by creating a race condition by flooding it with UDP packets and disassociation requests with links to dumps of crashes he caused using this technique.
He said "butt".
1 voice in a sea of voices
The classic defense of the madman or the liar: "What I say is true, but terrible, unspeakable things would happen were I to prove my assertion. You'll just have to take my inability to prove my assertion as evidence of its validity."
What a schmuck.
Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
Apple probably looked at these guys and laughed.
Next thing you know, these guys will be "discovering" cold fusion.
the way I know apple, they are going to sue him now
before they only threw dirt to make him look unreliable, but now they'll be throwing lawyers to stop him from proving he's right (or as they would say - to stop him from damaging their business)
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
And insult the intelligence of Mac users.
That's the way to prove your point.
As someone said, show this on a "bog standard" Mac from and I'll pay attention.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
http://lists.immunitysec.com/pipermail/dailydave/2006-September/003459.html
I watched that video. He says it's something in the driver... and then shows a Mac and also says it would work on a PC. Then, all Intel Mac laptops have WiFi now, but he chooses to use an external WiFi PC-Card, huh.. sorry Express Card. I know Apple are not angels, but I just can't help being suspicious about it:
- how can a driver have the same bug on windows and macos x?
- why use this stupid external card? what are the chances it did have the same chipset as the internal one?
- and odds are the bug is a buffer overrun... does it take SO LONG for Apple to fix a stupid memory overrun?
That story won't finish well for someone. The smoke screen is too thick. Either:
- This guy did overrate some minor problem in a misleading way for Apple laptops. Oh.. a third-party driver with a bug. Or it's an Apple driver with only a third-party card. In that case, he's discredited in the domain of security for the rest of his life.
- Apple did really pressure him (as he tends to hint). They're then not only legal jackasses (we know that already) but also incompetent to fix a bug (and that surprises me). In that case the company is discredited in the domain of security for a while, and they can quit the "virus ads.. mac is secure" for a while.
Future will tell.
It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks
If Apple's lawyers wrote a nastygram to these guys, don't you think we'd have seen it by now? The first thing anyone in a public situation like this does when they get pressure from the big players is to publicize the legal threats.
At the moment all we have is the word of someone who cast aspersions at Mac users, disingenuously claimed that he was exploiting Apple security flaws, and now claims (not so subtly) that Apple's lawyers are the reason he can't come clean.
Read the EFF's Fair Use FAQ
..is poseur.
This clown went to great lengths to make himself out to be among the leaders and it backfired. The facts of the presentation and the press he received don't match the reality of the situation, and he was called on it. He deserves 100% of the ostracization he is getting from the black hat/hacker community. He's knowledgeable and very smart; but the only exploit was his ego issuing a denial of service attack against his common sense.
Johnny, add a little sugar to your steaming hot cup of sit down and STFU. And please please please, adhere closely to the STFU part.
Really now, can anybody come up with a good reason for him to fake something like this? It should be obvious that Apple has declared him a hazard to the company and is threatening to wipe out the rest of his life with lawsuits if he so much as peeps.
The government can't save you.
before they only threw dirt to make him look unreliable
Point me to the link where Apple threw dirt at him.
There are plenty of bloggers who did the research on their own and asked the right kind of questions, but I've never seen anything from Apple attacking him. Maybe you're referring to Apple pointing out that he used a third party USB device and didn't disclose any info to Apple about the exploit? I wouldn't exactly call that throwing dirt.
I think he will be vindicated in the future if Apple "quietly" releases an update to the wireless driver. Else, who knows.
It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks
Perhaps to you. To others, it's "blatantly obvious" that he has some weird issue with Apple and enjoys spreading FUD. His "clarification" provides no support either way.
He states that the ONLY reason he's saying something now is because he's talking about Intels drivers, not Apples
Or maybe that's all he actually has an exploit for. I don't know, and neither do you.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
This way no one can report about the 'insecurity' of the OSX platform
Then what, pray tell, are you doing right there in that post of yours?
there are no exploits, see? As long as you're patched and up to date!
That's right, they get him to shut up about the how-to, they fix the hole, and voilà: no exploits in the wild! Everybody wins.
You can't take the sky from me...
I'm also guessing that we'll never see anything revealed from him because it was a fake, he'll always have excuses. If he was approached by lawyers, publish the documents. There is nothing against the law doing that. What he wants is to slander apple for doing something they didn't do. This guy clearly hates apple for whatever reason.
If apple did rattle his cage, that's more of a story than the actual exploit itself, if he's looking to actually make a name for himself that is legit, go open with that.
smears, cones and chafing? sounds just like apple
Always back up, never back down. ---- Think you're cool 'cos your uid is prime? Take mine, modulo the one digit integers
What is he 8 years old?
Or is that his secret l33t hax0r name? Is his erstwhile companion Hadji? Or the redoubtable Race Bannon? Or perhaps,
Race Condition Charles. And his female companion Dolly Partition. Well hmmm, he's a geek, so scratch the female.
How is anyone going to take him, his cone of silence, or his I'm soooo technical, and now it can be told pitch.
Oooh I hacked a mac laptop WHICH COMES WITH A BUILT in WIFI card, by plugging in an EXTERNAL WIFI card.
It's unsafe! If you do it you would get haxor'd! Oh wait. I'd use my built in wifi or my 1000Mbit ethernet jack.
Next from the Token Ring of Fire, installing windows XP via bootcamp and leaving it without a firewall or antivirus or popup blocker can have your Macintosh HACKED in minutes! Oh the Humanity.
All available studies show that not only are Mac users (excluding recent switchers) smarter than PC users, they're more creative, discerning, and artistic, too.
Not that I think you'll believe those statistics, anyway. Denial of science (e.g. Bible-thumping anti-evolutionism) is characteristic of PC users.
If he does not like it, he should go work for another company. It's not like the government is telling him to be silent.
The reading comprehension skills you've exhibited in this post are not what I've come to expect from such a low userid.
...if Apple releases a highly critical security patch for their builtin WIFI drivers three months from now as a part of some new "mega-patch", will all you people who have been slagging this guy off for a month now STFU finally?
Didn't someone from Apple state that they never heard from those guys shortly after their Black Hat demonstration?
If they don't will you people who worship Johnny Cakes STFU?
Seriously, get a room and suck each other already.
If a job's not worth doing, it's not worth doing right.
He pretty much followed up with "uh huh, it's like, so real!" And then there was silence again. I could make it real too if I manipulated all the variables in my favor, including not actually using Apple hardware or software to perform an exploit.
Luck favors the prepared, darling.
OK, they are under heavy "legal" pressure by Apple. So the bug belongs to Apple -- and not to the third party wifi driver that the video shown at Blackhat refers to? Let's be clear -- the problem is not Maynor and Ellch. It's the reporting on this -- starting from Brian Krebs at the Washington Post. http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco.html
At BlackHat Johnny Cache claimed this alleged exploit is not platform-specific, he only picked a Macbook for the demo to piss off Apple fanboys. If that's so, and the exploit really works, why not demonstrate rooting Linux or Windows or if you really want to stir up security trolls on slashdot, NetBSD?
Is the exploit real? Who knows, I've seen video of someone cracking a Mac through a wireless driver. Then again I've also seen video of a virus written on a Mac taking down a fleet of invading alien spaceships...
0 1 - just my two bits
Zzzzzzzz....
I still don't see any proof that Apple's lawyers have done anything.
I can imply very loudly that Microsoft has been threatening me for years, but that doesn't mean they even know I exist.
Ellch misdirects attention very clearly. The "Mac bloggers," which include a lot of non-Mac bloggers, have generally said, look, if what Ellch and Maynor showed Brian Krebs is true, then just demonstrate the real Apple exploit without revealing details.
The article above states, "He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something." "
Thanks for the condescension! It's not necessary. I will note that no one sensible, including myself (over at wifinetnews.com) has asked for the code. Rather, we've asked for Maynor and Ellch to either state that they misled Brian Krebs, that Apple lied when they stated the company wasn't presented with credible evidence, or that they have material that Krebs saw and Apple hadn't seen yet.
John Gruber did a face-off, not asking for the code, but asking for a simple demonstration with a $1,099 plus sales tax prize.
How does Gruber not understand the technical details when he isn't asking for them? He's asking for a black-box showdown.
Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others
What kind of an idiot would you have to be to take that challenge? There is no *way* I would take that bet, whether I knew I was right or not. If they lose, DF wins 2x: 1) DF gets a free macbook 2) DF gets notoriety for calling a bluff. They lose 2x: 1) they cough up significant cash 2) they are humiliated before their peers. Should they win, they win 2X: 1) a free macbook ( psst.. there are 2 of them) 2) they are vindicated. However DFireball /still/ wins by gaining recognition for making the challenge.
Sorry, only a moron whose balls ruled their brains would take that bet, and that's not a way to bet and win.
Jon Postel, R.I.P. You are missed.
At least, that's the message I'm getting from this thread. Everything about this episode is obvious. Each contradicting story is just, like, so totally obvious.
The analogy is actually pretty apt. You have a group of people that basically run the world - "The West" (in this case, non-Apple users) and a downtrodden ragtag group of extremely proud people convinced that their way is better - "The Islamist Fascists" (in this case, Apple users).
It's very common for them to lash out at everyone because of their true feelings of inferiority and lack of understanding as to why everyone doesn't see the world like they do.
Case in point - I'll be modded -9 Troll in about 30 seconds as every Mac user with mod points steps on their own mother to mod me down.
I'm a big tall mofo.
sorry, didn't read the linked article and misunderstood this one
;)
my bad
still i don't like apple
He states that the ONLY reason he's saying something now is because he's talking about Intels drivers, not Apples.
They didn't seem to mind talking about how Apple "leaned on them pretty hard" back when they were claiming that the exploit worked on the Apple-supplied driver. You know -- before they admitted that the vulnerability demonstrated used a third-party driver, and not the one that Apple ships?
It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks, forcing him to be quiet until they get a patch out.
How? On what grounds could they do this?
Also note where Ellch says: "Why am I switching the subject from Apple's bug to Intel's? Because it's patched, and Secureworks has no influence over what I say regarding this one."
I admit that I do not understand a lot about kernel code and security, but I believe I am a pretty good judge of character, and somebody who is saying nothing but implying a lot so he can always weasel himself out of it, like this guy is doing, is not to be trusted. But it may also be that all security guys are like that, and that is why they are into security?
One thing we can be sure of is that there will be a hell of a lot less bugs found in OS X after this, seeing what kind of treatment you get if you discover one.
Just RTFA and decide on your own whether or not you believe him, or wait for dozens of users to flood /. with stories about whether they triggered an exploit on an Intel driver or not.
Either way, stop complaining in ways that are irrelevant to the article.
It's only an insult if it's not true.
Do NOT DO BUSINESS with this guy or Secureworks. They are fakes. All they have is excuses and a PR machine trying to generate hype.
It's sad, but nothing in this post lends any credibility to this kid's claim. There is a HUGE difference between overwriting EIP and causing a crash, and overwriting EIP with the address of a code segment you injected onto the stack or heap, executing that code (which must do *something* like send back user credentials or somehow connect back to the attacker with a shell, probably by creating a process in userland), and then jump back to the driver without causing a kernel panic or other unexpected behavior.
I'm sorry Johnny, but you are going to have to hit me with more than a few hacker buzz words to convince me you did this on a MacBook, in less than 2 months, with only Atheros net80211 driver source code, and only ppc kernel sources. Either you really have no hack, or you really are a slave to your corporate masters at SecureWorks. Either way, like I said above, it's sad. A little Nick Burns essay on how you know what EIP and ring zero mean, and how you overwrote EIP on some contrived setup that requires a UDP listener on the victim machine isn't going to fix your reputation.
Right from the top of his post, you can tell he's lying:
Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch.
Were that the case, this would still be handled behind closed doors and wouldn't have involved a demonstration. Either they have nothing, or they've already violated their own protocols. Either way, "Johnny Cache" is a liar.
> It's blatantly obvious that Apple's lawyers have
> come down on him like a ton of bricks, forcing
> him to be quiet until they get a patch out.
The least likely answer, actually. From the various info, this is not even an exploit of Apple hardware or software. What's to patch?
Any Apple lawyers parachuting from black helicopters (a rather calm, reasoned metaphor, wouldn't you say?) are probably telling him that claims about *Apple OSX* insecurity that are false would be defamation. While Americans are welcome to spout their opinions, false claims of fact can be found to be libel and he could be subject to enforcement of damages.
If indeed that were Apple's response, I'd keep my fat trap shut before I found out that I'd stuck not just my foot, but most of my anatomy down it. Uncomfortable.
"Inquiring Minds Want to Know!"
They keep stating Apple is pressuring them, but Apple says they have not contacted Apple with any info.
They state they won't say anything until Apple patches the problem? It would speed up the process of getting it patched if they would tell Apple about it!
From what I can tell, they are pretending Apple is pressuring them because it makes them look more important.
Additional note, what is this stuff about Intel's drivers? Apple doesn't use Intel's chipset, they use an Atheros or Broadcom WiFi chipset. Additionally, what good is getting your packet on the stack? Apple uses the NX bit, so you can't get code on the stack to execute.
http://lkml.org/lkml/2005/8/20/95
When did 5 digit user ids become "low"? It's just recently that
Do not anger the worm.
So he says this at the end of the Linux.com article:
"Let's just say it's pretty obvious I'm not happy about being silent. So much so that I'm releasing non-Apple bugs to convince people that we do in fact know what we're talking about."
The problem here is not that he can't show people anything that will make them shut up. Saying that he's unwilling to talk about it partly because he's worried about Apple legal, and partly because the Mac bloggers won't understand is garbage. Making the second sort of statement is basically up the alley of anyone who is trying to sell snake oil. The "I won't explain it because you're not smart enough" just makes you seem that much more like a liar. Hand waving, especially in a public forum, will get you nowhere unless people are interested in the illusion. The underlying issue here is not really that he's wounded the pride of Mac users, or that Apple is supposedly threatening him (the former is the reason for some of the stir in the community, the latter nobody will believe until there's some evidence), it is that there is precisely zero evidence demonstrating that they've done what they've said they did. Until there is documented evidence of that, nobody is going to believe this guy, and it is going to hurt his reputation and the reputations of all those around him. You cannot win a PR battle without something demonstrable. I honestly can't see why Apple would go after him if he had made the original video with a stock macbook and using Apple's drivers; that's really all people want at this point. Maybe even have a 3rd party involved, with a newly opened fresh out-of-the-box macbook, so that there's documentation that there's nothing shady going on behind the scenes. Also, he really can't complain that much here about people being whiny and wanting more information since he announced this exploit in a public manner. Show us the goods, or shut up. Apple can't sue for defamation if the claim is legitimate. So, there are two possible conclusions to draw here: either this guy is a liar or completely spineless. I'm entirely sure he cares about what everyone is saying; the fact that this is all he can offer up leads me to think that he's a liar.
An intel hack for Macs. I knew that it was a mistake to move away from the 68000 line.
We shouldn't have let this happen to you. What? You think you're the first?
(Mods: Do me a favor, at least don't mod this down. Trust me, Johnny will know exactly what I'm talking about, but I don't want him to know who this is.)
Lemme get this straight.
According to Johnny's own post, this bug a) requires a netcat UDP listener on the victim box; and b) requires TWO Wi-Fi cards to be installed on the victim box.
Oh, and c) can only be used (so far as we know right now) to trigger a crash, nothing more.
So how is this news again? Honestly, what are the odds the above configuration can be achieved, either by malicious attack or by social engineering? I'll be the first to admit I'm no security expert, but from what he's just described, the absolute worst-case we're looking at here is a crash, and even triggering that requires me to run untrusted software AND hardware on my machine!
This is a complete crock. There's no news story here. Hell, the uproar that drunkenbatman caused a while back with his Safari Image of Doom was more warranted.
In Korea, long hair is for old people!
Last I checked, lawyers generally have fuck-all authority to prohibit your use of hardware that you own, genius.
exactly, which is why his claims of Apple "leaning on him" not to use Apple hardware for the disclosure are such obvious bullshit.
Apple claims they've never heard from this guy and don't know what the hell he's talking about.
Obviously, somebody's lying, and right now there isn't a lot of evidence pointing at Apple.
Recursive: Adj. See Recursive.
Apple state that there is no such binding on him. If he still fails to show what the problem with the Apple code is, then you know he is lying.
At the moment, he has an out, because such NDA's are common and often backed by legal threat.
My work has been posted at /. before and has been publicly attacked, ridiculed, and made fun of. Unfortunately, this is what I have come to expect from a group of people who are quick to insult what they do not understand. Ironically, after talking with some of the very same people via email, I have found that they change their tune DRASTICALLY.
:)
Remember that these guys who demonstrated this new attack vector are people - just like you. Think about what you are posting and that there is a real person who could be that guy next to you on the subway or on the plane. Just because you don't know the guy doesn't mean you should slander him or insult him...
Johnny, should this post find its way into your hand...please know that there are people out here who are rooting for you and your cause. I understand the principles of the attack and appreciate the delicate balance you have to maintain. Keep on doing your job and know that there are those who understand what you are up against
If I hibernate my G4 Alumabook with a pcmcia card inserted, close it, remove the card, and then un-suspend it, it crashes every time. That is about as interesting of a thing for a user to do as install two wireless cards and a netcat listener. Should I show that at Defcon or would I be laughed at? Hint to everyone: OSes do weird things when the user does things outside of the realm of any programmer's expectations. No platform is 100% secure (OpenBSD) just like some products never had security even in mind (Win32). This entire thing has been blown way out of proportion by everybody involved; if an exploit really was discovered, one that does not require 3rd party software, I'm sure Apple will fix it asap.
It's almost time for somebody to 're-roll the game' here. It gets all musty like an old-farts convention when the people clinging to their 'low UID accounts' start getting haughty.
'Mae Ling Mak, Naked and Petrified,' by the way, dood.
He is just trying to get publicity for his employer Secure Works a seller of network security products. Why is their name even mentioned in this?
The exploit is in the centrino driver. Everyone assumes that the Mac airport driver is based on Intel reference code, but it may not be. If it was, you would think that they would have talked about that more.
Note that for this exploit to work, the network needs to be active (ie: both cards need to be joined to a base station). Why? Because you can't send UDP packets to something with no IP address...unless they're blasting WiFi cards directly, which seems unlikely.
indeed.. if by 'found' you mean 'reported to Apple'.
Security work of this kind has always been dangerous, politically.. There's always a chance that you'll be arrested (or vilified) for the crime of trying to stop other people using the exploit you've discovered, and there are countless examples of this occurring.
Just stop shooting the messenger. There is absolutely no benefit to reporting an exploit erroneously, and i'm sure neither Ellch or Maynor expected (or wanted) this kind of attention. If they did, they would have had something prepared.
http://www.xkcd.com/354/
Report your exploits anonymously. Then they won't know whose balls to put in the vise, but they will be under fire to fix it.
-fb Everything not expressly forbidden is now mandatory.
"I have a Mac and it's great. Unfortunately the majority of Mac users are an embarrassment. I sometimes cringe when I read the comments on Mac blogs - the Mac users make Linux fans look humble and Windows users look intelligent."
Do "Mac bloggers" make up "the majority of Mac users"? Assuming that your assertion about "Mac bloggers" is true (I don't know), can such a specific and small subset of a much larger group really be representative of the group as a whole? What's more embarrassing - a blogger or bloggers who writes something stupid, or a person who equates Mac bloggers with Mac users? Both?
--- What?
He ought to have his cerebellum checked out too.
No viruses, check.
You're already wrong.
Promoting the myth of invulnerability is not going to help anyone except Apple's PR department.
Why would anyone engrave "Elbereth"?
It's pretty obvious that his company is not allowing him to speak. Now whether they are under duress from Apple Legal is another matter...
Just junk food for thought...
That has to be the lamest hack I have ever seen. First of all, he was using a 3rd party wireless device, not the wireless radio actually built into the Mac. If he was so sure that his hack exploits a hole in the Apple, why didn't he just hack it through the AirPort built-in radio? How many people are actually going to go out and buy an external wireless device for a notebook that already has it built-in?
Most Mac users have an arrogance about them, however, as "stupid" as you think they are, they know the difference between a serious security hole and one to yawn about. If you ask me, turning on FTP would be a bigger threat than having your Mac hacked through a wireless radio that probably .0001 % of the Mac population actually owns (and will use religiously).
Your only reason for actually purchasing a second wireless radio would be for sniffing or packet reinjections. This is nothing but a stunt to put his name out there for people to notice. Of course, you're going to get some technologically challenged bonehead to believe him and run with it. He knows that and so do we.
Also, the point of the Blackhat/Defcon talk was actually not about proving Macs are vulnerable--it was about proving that /drivers/ are vulnerable.
That is not very exciting, as we all know drivers CAN be vulnerable.
At question is which drivers ARE specifically vulnerable at this time? Again, it would not be an utter surprise if the Apple drivers were vulnerable - but as they get much heavier use (and therefore more testing) it is less likely than a third-party driver that is hardly used having a weakness.
Why can this simple question of the exact driver that holds a weakness not be answered?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It's pretty obvious that his going silent is the result of Apple putting the thumbscrews to him.
So here you have either said he is a coward or a liar. Let's say you had proof it was an Apple driver, what thumbscrews could Apple provide that would keep you quiet? There is nothing Apple could do to you legally, especially if you released the proof anonymously.
Thus either Apple has applied pressure which he has bowed to for unknown reasons, or he's simply lying. Which is the simpler answer? Some complex coverup involving Black Helicopters and Apple or that the default drivers have good test coverage?
Use Sturgeon's law, use common sense until other evidence comes forth.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I work in the IT security industry and I'm perfectly willing to accept that this exploit is for real.
Like you, I am a Mac user with primary employment in the IT security field. In fact in the (distant) past I have even worked briefly on repairing ethernet drivers in Linux.
I am also willing to believe there is a vulnerability. But there is not a tremendous amount of code in these drivers. With the coverage of testing and use the default Airport drivers receive I would find it much less likely that they would have a flaw than a third party device driver that was not used by many people at all and probably written by one person who had done little device driver programming before.
That's why proof, or at least a clear statement that "yes these drivers are defective" is in order. Because while it's easy to believe there may be a problem, the context of the current argument does not make it easy at all for me, and my informed opinion. I am not sure why you have reached a different conclusion based on evidence at hand.
Mac owners are of course going to have some kind of spyware or vulnerability affect them someday but it does not seem today is that day.
Also something else for you to munch on... does this exploit work on both the PPC and Intel platforms? If it's any kind of instruction insertion then it has to work against one platform. So an actual virus writer, which would you choose? The Mac PPC platform which offers more numbers or the Intel platform which is where all new machines are headed? If PPC is your choice why has no-one made that choice so far, and if Intel why would you proceed with such a low yield.
Apple switching binary platforms has bought most Mac owners a few years of smugness yet as it's made writing exploits that much more difficult.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I don't know about even if it is a bad driver, it's still the OS's fault for letting the driver take the whole system down, so it's still the OS writer's problem
Consider a video-card driver. That's blasting several hundred megabytes of data across the bus at any one time (say you're playing a full-screen MPEG4 with no gfx-card support for decode). Would you want the OS to validate and check every one of those transactions ? Whoops, there goes the frame-rate. Still, slow-motion is fun...
Or a SCSI-driver, connected to a high-end RAID. Again, we're transferring hundreds of megabytes/second. Your throughput just dropped "through" the floor... Hope that wasn't crucial.
Or, a network driver in a department server, serving several fibre-channel connections. Again, throughput is the victim.
My point is that sometimes you need the driver to be performing at its optimum. You can make the argument that an exploit could bring the whole machine down, and that people lose more time/work/money that way, but that's a hard argument to make, when the video-artists in the post-production suite can't transfer their video over the gigabit network fast enough any more and the clients are walking out the door...
I can see what you're saying - that the OS ought not be vulnerable to bad drivers, but to insist on verification as part of each driver transaction with the OS is broken-by-design, IMHO. Perhaps it just needs more R&D before pushing it out the door, and pen-testing ought to be part of that R&D. I very much suspect at the moment, that any driver that adheres to a spec will be sold as "working"...
Simon
Physicists get Hadrons!
I'm a non-geek Mac user. I've been running Macs for 20 years. I don't own a MacBook yet. I will soon. If I did, I would have questions that would require answers that I could hang my white earbuds on. 1. Is this a viable hack that I need to be concerned about? 2. How will I protect myself from it? 3. What is being done about it in places where the geeks live? That's all. I don't really care much about who is right or wrong. I do care about the security of hardware I intend to purchase. Later on I'll decide who I should or should not listen to based on the accuracy of predictions and prognostications when compared against actual events.
In theory there is no difference between theory and practice. In practice there is.
There are plenty of bloggers who did that for Apple
Here's my translation of what you typed:
"Bloggers who called Maynor and Ellch to task for inconsistencies in their story did so because they were mysteriously being controlled by Apple and didn't have the ability to think for themselves."
Read the EFF's Fair Use FAQ
It should be noted that Cache still didn't come out and say whether Macs with Apple's AirPort cards are vulnerable. Gruber Specifically asks him about this on the list, and he doesn't answer it. He does say that he expects a patch from Apple, which clearly implies that AirPort cards are vulnerable, but he doesn't say it, instead claiming that Apple is legally threatening him and running a "PR smear campaign" against him - again without giving any specifics.
This whole episode is just insane. If Macs are vulnerable out of the box, why not say so (especially if you're "waiting for a patch from Apple")? If they aren't, why imply that they are?
It's entirely possible that Macs are vulnerable. Macs aren't magically secure and safe from bugs. The issue with this whole thing isn't that Mac users believe that Macs can't possibly be hacked. The issue is that the people who ostensibly found the security problem don't seem to be capable of telling us what the heck they actually found and whether Macs are vulnerable, instead making vague accusations and implying stuff without giving any specifics or even a demonstration.
Hilarious.
Remember those old exploits for win95 that would crash people's machines on IRC? This "exploit" is just about as useful as that. How many mac users are going to have a wacky configuration with two wireless cards? I bet about the same number of people running unpatched Windows 95 machines. Have fun crashing those macs Johnny Cake.
He broke the silence but still isn't saying anything. Clever.... cleverrrrr!
Please read the following:
http://en.wikipedia.org/wiki/Ring_0
On any monolithic kernel, all drivers have supervisor access. I don't know of anything that you can do in the OS to protect yourself against these.
Hell, most of Windows Bluescreens were because of shonky drivers for this same reason.
If they're disclosing information to a third-party then they'd be in direct violation of any gag order. An NDA or a promise not to talk doesn't cut it. If they can't talk, they can't talk.
Instead we get "hints" about "black-suited lawyers" and just how fed up the poor victim is in all this.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
It's pretty obvious that his going silent is the result of Apple putting the thumbscrews to him.
He said he was working with Apple to solve the problem before releasing the exploit. Apple said, they had never heard from him. Maybe Apple was lying or mistaken, but if they had taken legal action to get a gag order, then that statement to the press was libel and Apple will lose when he takes them to court. The alternative is that he was lying or overstating his case and that he had not contacted Apple and he was just trying to get attention. In which case he is a liar and his credibility is shot.
First off, I think that it is awesome that he released a fairly nondescript step-by-step of what you have to do to exploit the wireless drivers. It is something that now you can go out and try and go 'hey this DOES work' or 'hey this DOESN'T work'. Once you manage to establish that, then you can be bitter and cynical and every other word that you can think of in a negative sense.
As for the Mac zealots out there, they make me laugh sometimes. They are always like 'oh, Mac is better than PC' blah blah blah, same shit different day. The fact of the matter is that sooner or later, you are going to have to deal with the fact that nothing is perfect. Especially in the tech industry. That being the case, I don't think that you should be saying 'oh, the Mac is better than the PC, look at the statistics'. Fact of the matter being is that you make up 15% of the entire Computer User Base. Just think about that for a second then do the math. That is 85% of people that are using PCs. If I were to write something for a system, I'd be more likely to write it for a PC only because its user base is almost 5x larger. And that is my two cents.
If he had a hack that works against the standard OS X drivers/hardware, he would have used a standard Mac. The fact that he used a third-party wi-fi setup speaks volumes. This vulnerability does not exist in standard Apple gear - ergo there is nothing to patch.
If there has been any pressure from Apple, I'm willing to bet that it's libel-type threats (IANAL, and certainly not an American lawyer).
in the old days some slashdot reader would have used the information in his post to reproduce this bug in no time. now, it seems, most slashdot readers prefer bitching and dissing.