Johnny Cache Breaks Silence On Wi-Fi Exploit
Joe Barr writes, "Johnny Cache — aka Jon Ellch — is chafing under the cone of silence placed over him and co-presenter Dave Maynor about the Wi-Fi exploit they presented at Black Hat and DEFCON last month. So he has finally broken his silence on NewsForge in hopes of ending the personal attacks coming from what he implies is a smear campaign started by Apple." (Newsforge and Slashdot are both owned by OSTG.)
Johhny Cache writes, "If you're going to post a news story that is a rehash of my post to a mailing list, I would much prefer it if people actaully just read the post in its entirety."
Johhny Cache writes, "If you're going to post a news story that is a rehash of my post to a mailing list, I would much prefer it if people actaully just read the post in its entirety."
So, is he going to take Daringfireball's challenge or not? I think his whole thing has tarnished him, and he won't recover.
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
--
If that's just an 'implication', I'll eat my hat. It's pretty obvious that his going silent is the result of Apple putting the thumbscrews to him. He states that the ONLY reason he's saying something now is because he's talking about Intels drivers, not Apples. It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks, forcing him to be quiet until they get a patch out. This way no one can report about the 'insecurity' of the OSX platform - there are no exploits, see? As long as you're patched and up to date!
Event Management Solutions : http://www.stonekeep.com/
before they only threw dirt to make him look unreliable
Point me to the link where Apple threw dirt at him.
There are plenty of bloggers who did the research on their own and asked the right kind of questions, but I've never seen anything from Apple attacking him. Maybe you're referring to Apple pointing out that he used a third party USB device and didn't disclose any info to Apple about the exploit? I wouldn't exactly call that throwing dirt.
Read the EFF's Fair Use FAQ
Ellch misdirects attention very clearly. The "Mac bloggers," which include a lot of non-Mac bloggers, have generally said, look, if what Ellch and Maynor showed Brian Krebs is true, then just demonstrate the real Apple exploit without revealing details.
The article above states, "He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something." "
Thanks for the condescension! It's not necessary. I will note that no one sensible, including myself (over at wifinetnews.com) has asked for the code. Rather, we've asked for Maynor and Ellch to either state that they mislead Brian Krebs, that Apple lied when they stated the company wasn't presented with credible evidence, or that they have material that Krebs saw and Apple hadn't seen yet.
John Gruber did a face-off, not asking for the code, but asking for a simple demonstration with a $1,099 plus sales tax prize.
How does Gruber not understand the technical details when he isn't asking for them? He's asking for a black-box showdown.
Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others
Umm... something having a bug isn't an incredible claim. Sure, it's not a good thing but it happens to everyone. It's nothing to be ashamed about. Just get the bastard fixed and stop dicking about.
This isn't about a perpetual motion machine or an entropy reducing device, or even P vs. NP or Riemann's Hypothesis. This is code. This isn't world changing. Bugs happen, then they get fixed. If they want to stay silent to dodge liability let them. If there is a bug it'll be patched, if there isn't they'll fade into obscurity.
"Build a man a fire warm him for a day, set a man on fire and warm him for the rest of his life."
When I published my OS X remote root (link-local remote root for the pedantic), a poorly chosen use for DHCP, Apple had advance notice of when I was going to release it, numerous avenues to attempt contact and I didn't hear one peep from Apple Legal. That this guy was suddenly chilled and can't produce evidence of it other than making vague insinuations just sounds hoakey to me.
If he doesn't feel okay about releasing details until they've patched the driver that's one thing. But insinuating that the big bad lawyers have silenced you is quite another. The only circumstance I can think of where they could actually be legitimately silenced is: they are/were being paid to do pen testing for Apple, they submitted this bug, they blabbed about it at a conference when they were under a contractual NDA, they're now claiming they didn't say enough violate the NDA and are remaining mum until the rest of the details go public.
Given the nature of this scenario (i.e. that they'd have to have violated an NDA to wind up where they are insinuating they are now), I'm not overwhelmed with trust for the researchers who are positing this security hole's existence. On the other hand, I was led on and on by Apple waiting for them to release a patch for my earlier security issue that had a similar attack vector and security impact to this posited new security hole. If these researchers are actually waiting, we may all have to sit around for a good long while before the proof is actually shown.
This dilemma is more evidence of why full disclosure is a good idea.