Slashdot Mirror


Johnny Cache Breaks Silence On Wi-Fi Exploit

Joe Barr writes, "Johnny Cache — aka Jon Ellch — is chafing under the cone of silence placed over him and co-presenter Dave Maynor about the Wi-Fi exploit they presented at Black Hat and DEFCON last month. So he has finally broken his silence on NewsForge in hopes of ending the personal attacks coming from what he implies is a smear campaign started by Apple." (Newsforge and Slashdot are both owned by OSTG.)

Johnny Cache writes, "If you're going to post a news story that is a rehash of my post to a mailing list, I would much prefer it if people actually just read the post in its entirety."

29 of 288 comments

  1. This guy really is full of himself by Mononoke · · Score: 2, Insightful
    He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it,
    Most of any community is not going to understand it, including this community. He comes across as nothing more than an attention-whoring little hacker with an axe to grind against Apple.
    --
    NetInfo connection failed for server 127.0.0.1/local
    1. Re:This guy really is full of himself by Anonymous Coward · · Score: 3, Insightful

      Ah, much like the slashdot community with Microsoft

      The only difference is most of us don't need a rigged demo to break into a Windows machine...

    2. Re:This guy really is full of himself by MrResistor · · Score: 4, Insightful

      So what if he is? If his hack works, it works. Period.

      An attack on his personality doesn't invalidate that.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
  2. Re:Article text by rbannon · · Score: 2, Insightful

    I still don't see him coming clean on this one. Or maybe, like he says, people like me won't understand it anyway.

    In any case, I think he's really not being forthcoming with respect to what the hack entails, and maybe that's due to Apple's aggressive lawyers. In any case I'd like to see more details.

  3. Black helicopters? Even in metaphor? by Sunburnt · · Score: 5, Insightful

    The classic defense of the madman or the liar: "What I say is true, but terrible, unspeakable things would happen were I to prove my assertion. You'll just have to take my inability to prove my assertion as evidence of its validity."

    What a schmuck.

    --
    Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
  4. Re:"Implies" my fanny. He says it right out. by Mononoke · · Score: 3, Insightful
    So Apple is supposed to patch someone else's drivers for a wi-fi card that would never be used with a Mac?

    Apple probably looked at these guys and laughed.

    Next thing you know, these guys will be "discovering" cold fusion.

    --
    NetInfo connection failed for server 127.0.0.1/local
  5. How is it "obvious" ? by Infonaut · · Score: 4, Insightful

    It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks

    If Apple's lawyers wrote a nastygram to these guys, don't you think we'd have seen it by now? The first thing anyone in a public situation like this does when they get pressure from the big players is to publicize the legal threats.

    At the moment all we have is the word of someone who cast aspersions at Mac users, disingenuously claimed that he was exploiting Apple security flaws, and now claims (not so subtly) that Apple's lawyers are the reason he can't come clean.

    --
    Read the EFF's Fair Use FAQ
  6. Re:Really Now! by Mononoke · · Score: 2, Insightful
    Really now, can anybody come up with a good reason for him to fake something like this?
    He's playing the "bash Apple" game, and enjoying the publicity? Notice his comment about Mac bloggers "not understanding" his explanations. He just wants to bash Apple, and nothing more. Probably had an employment application ignored or something. Who knows what his true motive is behind this. He sure makes it obvious that it's more about hating Apple than actually helping the security community. If Apple were actually threatening him, he'd have a registered letter or two from real lawyers he'd be happy to share with us.
    --
    NetInfo connection failed for server 127.0.0.1/local
  7. Re:"Implies" my fanny. He says it right out. by Dun+Malg · · Score: 2, Insightful
    So THAT's why Apple's oh-so-vicious lawyers let them GO AHEAD AND USE A MAC IN THE FUCKING DEMO. Riiiiiiighhht. Puleeeze.
    Last I checked, lawyers generally have fuck-all authority to prohibit your use of hardware that you own, genius.
    --
    If a job's not worth doing, it's not worth doing right.
  8. So don't demo on a Mac! by Cid+Highwind · · Score: 5, Insightful

    At BlackHat Johnny Cache claimed this alleged exploit is not platform-specific, he only picked a Macbook for the demo to piss off Apple fanboys. If that's so, and the exploit really works, why not demonstrate rooting Linux or Windows or if you really want to stir up security trolls on slashdot, NetBSD?

    Is the exploit real? Who knows, I've seen video of someone cracking a Mac through a wireless driver. Then again I've also seen video of a virus written on a Mac taking down a fleet of invading alien spaceships...

    --
    0 1 - just my two bits
  9. Re:So..? by Thrip · · Score: 5, Insightful

    So, if I put on my blog that I challenge George Bush to provide some proof of [pick anything that's ever come out of his mouth], at a mall of his choosing, and I'll give him a free laptop if he does it, and he never shows up, that proves ... what exactly?

    I'm sure John Gruber's blog is extremely important to John Gruber, but if some guys who are clearly dealing with a mountain of legal issues right now choose not to meet him at the mall, you can't take that as evidence of anything -- except that Gruber's pretty clever at diverting attention to himself.

    --
    I'm awake! The answer is BONK!
  10. Right or wrong, that's a lousy bet to take by wethion · · Score: 2, Insightful

    What kind of an idiot would you have to be to take that challenge? There is no *way* I would take that bet, whether I knew I was right or not. If they lose, DF wins 2x: 1) DF gets a free macbook 2) DF gets notoriety for calling a bluff. They lose 2x: 1) they cough up significant cash 2) they are humiliated before their peers. Should they win, they win 2X: 1) a free macbook ( psst.. there are 2 of them) 2) they are vindicated. However DFireball /still/ wins by gaining recognition for making the challenge. Sorry, only a moron whose balls ruled their brains would take that bet, and that's not a way to bet and win.

    --
    Jon Postel, R.I.P. You are missed.
    1. Re:Right or wrong, that's a lousy bet to take by Cid+Highwind · · Score: 2, Insightful

      The problem with that assessment is that the DaringFireball guy has *already* won. He gets ad impressions from gazillions of slashdotters and diggers visiting his blog, he gets to look like a hero to his readers for standing up to the mean anti-mac bile spewing hacker, and he gets to make Johnny Cache look like a blowhard with code that only works on one flaky USB adapter (if it works at all), all while knowing that his $1000 is reasonably safe for the reasons you already listed.

      --
      0 1 - just my two bits
    2. Re:Right or wrong, that's a lousy bet to take by wootest · · Score: 2, Insightful

      The ads from the network Daring Fireball is using are paid by a flat fee, so Gruber has no vested interest in getting "impressions" (of which I think he already gets plenty). Claiming that it's a whoring move for ad moolah (if that's what you did) is wrong - the alternative would be a long drawn-out back-and-forth, and I have a feeling we'd all bore of that very quickly, because we're already in the midst of such a circus. That said, for your reasons, I wouldn't want to be Johnny Cache right now, but I can't say he didn't set this one up himself either.

  11. Re:So..? by mellon · · Score: 4, Insightful

    The way these things work is that when someone hacks your hardware, you get an injunction to stop them from talking about it. If they talk about it, they go to jail for contempt of court. If you were to RTFA, you might get the very strong impression that he's under an injunction of this type.

    It's always fun to look for bad guys in situations like this, but both Apple and Mr. "Cache" here are wearing white hats. You want both of them to be doing what they're doing, and it's lame to make it into a flame war. You want Mr. Cache breaking drivers, because then they get fixed, and your Mac doesn't get 0wned when you're down at Starbucks watching YouTube videos.

    And you want Apple to try to dissuade him from publishing his hack, because you want them to fix it before every random hacker figures it out, and the sooner he publishes, the sooner the black hats will have an exploit. So if Apple doesn't get him to stop talking, maybe your Mac will get 0wned down at *$$.

    But you still want Apple to be paranoid about the information getting out, so that they release the bug fix quickly, not slowly. And so what he's done with this article is useful, because he's basically said how the hack works, and now presumably the black hats are working on trying to duplicate the hack. And Apple knows this, and so the patch release will probably come sooner. And so your laptop won't get 0wned at *$$. W00t!

    What I don't see here is bluster. This isn't high school. People don't get up on stage at defcon and claim to have hacked something they didn't really hack. The reason they do these hacks is to improve security, not to count coup. You owe the guy your thanks, not your hopes that his reputation is ruined.

  12. Re:So..? by schon · · Score: 3, Insightful

    You aren't even making a good argument, and bringing in a strawman (IE: Bush) isn't going to help you.

    He's making a great argument - I'd say that the fact that you don't know what a strawman is is stopping you from understanding it.

  13. Re:Mac Jihad... by aonic · · Score: 5, Insightful

    If I had mod points, I would mod you down. Not only do you demonstrate a complete disdain for whoever you think is "inferior," you show a complete lack of understanding for the issues in the Middle East.

    There is no "inferiority complex" in the Middle East. They aren't emo kids running around threatening to slit their wrists. It just so happens that their standards of living are ridiculously low compared to the standards of living of "the west," not directly due to us, but partially. If you grew up there, you'd be looking for someone to blame, and their government provides "the great satan" as a convenient scapegoat. Further proving their point, "the great satan's puppet in the region," (aka Israel) has just rampaged through Lebanon, destroying civilian targets like bridges, hospitals, and airports, further degrading their quality of life. It's lack of understanding of the kind that you have just demonstrated that has brought us into the current situation in Iraq and Afghanistan, as well as the US unspoken nod to Israel to rampage across the Middle East.

    This is in no way relevant to the situations of Mac users, who just happen to have a different OS preference. Your above statement would be like saying that whenever an African American person acts stereotypically black (whatever you might define that as) they are acting out of a feeling of self-inferiority.

    Think about it.

  14. Re:Honestly weird by MrResistor · · Score: 2, Insightful

    - how can a driver have the same bug on windows and macos x?

    Perhaps both drivers are derived from the same codebase? Or perhaps the developers of both drivers made the same faulty assumption that leads to this bug?

    - This guy did overrate some minor problem in a misleading way for Apple laptops. Oh.. a third party driver with a bug. Or it's Apple driver with only a thirdparty card. In that case, he's discredited in the domain of security for the rest of his life.

    What if the third-party driver is behaving exactly as it's supposed to, per the API, and the problem is actually in the OS itself? I mean, seriously: how else does a network card exploit crash the system?

    - and odds are the bug is a buffer overrun... does it take SO LONG for apple to fix a stupid memory overrun?

    You really have no idea what you're talking about, do you?

    --
    Under capitalism man exploits man. Under communism it's the other way around.
  15. Re:"Implies" my fanny. He says it right out. by WaltFrench · · Score: 2, Insightful

    > It's blatantly obvious that Apple's lawyers have
    > come down on him like a ton of bricks, forcing
    > him to be quiet until they get a patch out.


    The least likely answer, actually. From the various info, this is not even an exploit of Apple hardware or software. What's to patch?

    Any Apple lawyers parachuting from black helicopters (a rather calm, reasoned metaphor, wouldn't you say?) are probably telling him that claims about *Apple OSX* insecurity that are false would be defamation. While Americans are welcome to spout their opinions, false claims of fact can be found to be libel and he could be subject to enforcement of damages.

    If indeed that were Apple's response, I'd keep my fat trap shut before I found out that I'd stuck not just my foot, but most of my anatomy down it. Uncomfortable.

    --
    "Inquiring Minds Want to Know!"
  16. Re:Honestly weird by Doctor_Jest · · Score: 4, Insightful

    Then he should post the details for those of us who understand what he's talking about, and leave the other people to wallow in their own ignorance.

    Deliberately withholding information because of some nebulous "threat" that has never been proven smacks of misdirection and just more "shell-game" antics by some folks who have a personal beef with Apple.

    I don't really care if they hate Apple's userbase with all the bile of Hell... if they're serious about this and are not just faking the results to be pissy children, then come out with it. Otherwise, they just need to STFU.

    Claiming that he won't reveal details because "no one understands" sounds like HE doesn't understand most likely.

    --
    It's the Stay-Puft Marshmallow Man.
  17. Re:It took all of 2 paragraphs to go ad hominem... by nathanh · · Score: 3, Insightful
    And insult the intelligence of Mac users.

    Most Mac users insult their own intelligence.

    I have a Mac and it's great. Unfortunately the majority of Mac users are an embarrassment. I sometimes cringe when I read the comments on Mac blogs - the Mac users make Linux fans look humble and Windows users look intelligent.

    I work in the IT security industry and I'm perfectly willing to accept that this exploit is for real. The pattern of events is not abnormal: the exploit will be demonstrated at a conference but because of NDA the details remain under wraps until the manufacturer releases a patch. I've seen delays of 12-18 months before details are released for Windows exploits, despite seeing the exploit demonstrated in person at blackhat conferences. A delay of a few weeks for an Apple exploit doesn't even raise my eyebrows.

    The only difference here is that Apple users are so goddamn fanatical that they'll rabidly attack anybody who says their platform is any less than perfect. They don't know the security field, they don't understand the technical discussion - those quotes Johnny provided of clueless Mac users were riotous - yet they feel qualified to give opinion. I used to work with this guy who was brilliant at finding and exploiting security holes. He took a G3 Mac running stock standard OSX and proceeded to demonstrate exploit after exploit; not based on his OSX skill but purely on his knowledge of the underlying free software. I was at a blackhat conference where they demonstrated a local privilege escalation exploit that existed all the way up to Tiger - they had told Apple about it years previously but it wasn't until they broke their NDA and went public that Apple fixed the fault. The same presentation at that conference demonstrated an OSX kernel exploit that still exists today.

    Mac users are in for a rude shock. They've told each other their platform is secure. The rumor mills repeated the "OSX is secure" mantra. But the mantra has no foundation in reality. Most Mac users do not run AV, do not shutdown services, and run with wide-open wifi and bluetooth settings. They have an undeserved complacency regarding security and it will lead to a fall.

  18. Re:So..? by Reverberant · · Score: 3, Insightful

    The way these things work is that when someone hacks your hardware, you get an injunction to stop them from talking about it. If they talk about it, they go to jail for contempt of court. If you were to RTFA, you might get the very strong impression that he's under an injunction of this type.

    Instead of letting us infer the facts, why not just say "because of a court order, we can't talk about it"? It happens all the time.

    If there is a hack, I want to know. I'm not looking for details, I just want the answer to Jon Gruber's question: "Have Maynor and Ellch found a vulnerability that affects MacBooks using Apple's built-in cards and drivers?"

    If the answer is "yes" or "no" just say so! If they're under a gag order, just say "We're under a gag order." Asking us to read between the lines isn't cutting it.

    Not to mention that the ad-homs aren't helping his credibility...

  19. Re:So..? by Sancho · · Score: 2, Insightful

    How is he backtracking? The newsforge article you quoted even points out that it was a video. They could have tried a dozen times before they got it right, but once they get it right, it happens in under a minute. Now if that's the exploit, it's not really a great one or a particularly big deal--yet. But if his suspicions are true and the exploit can be made more precise, then it /could/ be a problem.

    Also, the point of the Blackhat/Defcon talk was actually not about proving Macs are vulnerable--it was about proving that /drivers/ are vulnerable. They chose a Mac because they were tired of all the "Macs are secure" bullshit, and thus the huge media backlash has really distorted the original message: that with wireless getting longer and longer range, it's going to be easier and easier to root insecure drivers without even necessarily being connected to a network.

  20. Re:It took all of 2 paragraphs to go ad hominem... by kithrup · · Score: 2, Insightful
    The only difference here is that Apple users are so goddamn fanatical that they'll rabidly attack anybody who says their platform is any less than perfect.

    That may be the case... but in the circles I hang out in, the big question has been "Is this real?" Having them demonstrate using a hardware combination that is extremely unlikely to be encountered in the practicality -- that uses non-vendor drivers! -- while they imply (and nothing more) worse... is not very compelling.

    Mac users are in for a rude shock.

    No doubt. But how does what continues to reek of being a false alarm help in any way? Right now, this whole incident has conveyed nothing but a sense of, "Well, they had an axe to grind, so they used some other vendor's code, and then lied about how Mac OS X was insecure."

    It very well may be the case that the Apple driver is vulnerable. But they've honestly done everything they possibly can to convince the multitudes that it isn't.

    And that is a huge disservice to the community they claim they are trying to help.

    And speaking from a technical aspect, here is the question I asked before: if the Apple driver is vulnerable... how do they get a network-connected shell from the kernel? It is not easy -- at the very least, it would involve having a process be created, from the kernel. And that is a significant amount of code, as you could tell by looking how the first process is created during boot.

    (Again, I am trying to give them the benefit of the doubt, that the vulnerability is real. But they're doing what they can to imply otherwise.)

  21. Re:So..? by mellon · · Score: 1, Insightful

    If you're under a gag order, there's a decent possibility that the gag order forbids you to talk about the gag order.

  22. Re:So..? by Rocketship+Underpant · · Score: 2, Insightful

    The difference is that John Gruber is probably the most-read and most respected Mac technology pundit and blogger out there. His challenge is a high-profile one, certain to get the attention of the "journalists" and hoaxsters who started this whole thing. Heck, just look at how many Slashdotters here know about his challenge.

    --
    He who lights his taper at mine, receives light without darkening me.
  23. Checking driver security by Space+cowboy · · Score: 2, Insightful

    I don't know about even if it is a bad driver, it's still the OS's fault for letting the driver take the whole system down, so it's still the OS writer's problem

    Consider a video-card driver. That's blasting several hundred megabytes of data across the bus at any one time (say you're playing a full-screen MPEG4 with no gfx-card support for decode). Would you want the OS to validate and check every one of those transactions ? Whoops, there goes the frame-rate. Still, slow-motion is fun...

    Or a SCSI-driver, connected to a high-end RAID. Again, we're transferring hundreds of megabytes/second. Your throughput just dropped "through" the floor... Hope that wasn't crucial.

    Or, a network driver in a department server, serving several fibre-channel connections. Again, throughput is the victim.

    My point is that sometimes you need the driver to be performing at its optimum. You can make the argument that an exploit could bring the whole machine down, and that people lose more time/work/money that way, but that's a hard argument to make, when the video-artists in the post-production suite can't transfer their video over the gigabit network fast enough any more and the clients are walking out the door...

    I can see what you're saying - that the OS ought not be vulnerable to bad drivers, but to insist on verification as part of each driver transaction with the OS is broken-by-design, IMHO. Perhaps it just needs more R&D before pushing it out the door, and pen-testing ought to be part of that R&D. I very much suspect at the moment, that any driver that adheres to a spec will be sold as "working"...

    Simon

    --
    Physicists get Hadrons!
  24. Re:Hacking... by ryanr · · Score: 2, Insightful

    What are you going to point EIP to?

    All kinds of fun places.

    Not code on the stack since OS X uses the NX bit on the stack by default

    So, is NX support enabled on kernel pages?

    Some code in a buffer? How do you find the address of the buffer? How do you inject the code into the buffer in the first place?

    Right, so you want to know some basic buffer overflow exploitation techniques. I think I've got a book somewhere that some friends and I wrote, it covers that...

  25. Cache doesn't really say anything by LKM · · Score: 2, Insightful

    It should be noted that Cache still didn't come out and say whether Macs with Apple's AirPort cards are vulnerable. Gruber specifically asks him about this on the list, and he doesn't answer it. He does say that he expects a patch from Apple, which clearly implies that AirPort cards are vulnerable, but he doesn't say it, instead claiming that Apple is legally threatening him and running a "PR smear campaign" against him - again without giving any specifics.

    This whole episode is just insane. If Macs are vulnerable out of the box, why not say so (especially if you're "waiting for a patch from Apple")? If they aren't, why imply that they are?

    It's entirely possible that Macs are vulnerable. Macs aren't magically secure and safe from bugs. The issue with this whole thing isn't that Mac users believe that Macs can't possibly be hacked. The issue is that the people who ostensibly found the security problem don't seem to be capable of telling us what the heck they actually found and whether Macs are vulnerable, instead making vague accusations and implying stuff without giving any specifics or even a demonstration.