Johnny Cache Breaks Silence On Wi-Fi Exploit

Joe Barr writes, "Johnny Cache — aka Jon Ellch — is chafing under the cone of silence placed over him and co-presenter Dave Maynor about the Wi-Fi exploit they presented at Black Hat and DEFCON last month. So he has finally broken his silence on NewsForge in hopes of ending the personal attacks coming from what he implies is a smear campaign started by Apple." (Newsforge and Slashdot are both owned by OSTG.)

Johhny Cache writes, "If you're going to post a news story that is a rehash of my post to a mailing list, I would much prefer it if people actaully just read the post in its entirety."

chafing

[Gary+W.+Longsine]

under the cone of silence... give me a break.

Re:chafing

[AchiIIe]

Ok, I submitted a story, but in case it gets rejected, here you go:

Jon Ellch and Dave Maynor have raised quite some noise about ther recent wifi exploits. But some clever sleuthing from a blogger has dug up some some damning evidence. Most notably a high resolution version of the video (2) where you can see Maynor claiming he is using an external card. He further states that he got an ip 192.168.1.50, but according to the ifconfig output, the mac address associated with that ip is 00-17-F2-41-31-6D. According to the IEEE OUI that mac address belongs to apple. The problem here is that Secureworks claims they he did not hack the apple driver but an external card's driver. Thus the video was faked.

Re:chafing

[RKBA]

I would guess that the video is real, but that Cache didn't want to implicate and thus anger Apple, so he falsely claimed he was accessing the Apple computer via an external card rather than Apple's built-in card. Too bad he wasn't totally honest (apparently).

Re:chafing

[AchiIIe]

I woud say it's extremely unlikely that they hacked the apple drivers and lied about it, Maynor has been quoted as saying

...If you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something

I think it's the oposite, a lie is a lie.

Re:chafing

[Lars+T.]

Yeah, it makes so much sense that almost everything they said was a lie, just not that they actually cracked anything. All because they did not want to anger Apple - anymore than using an Apple, saying Apple's are vulnerable too, saying they want to put out a cigaret in Apple users' eyes, talking about Apple smear campaigns, et bloody cetera.

Re:chafing

[Fordiman]

All that shows is that he sucessfully hacked an Apple card, and used another card in an effort to not get Apple's sleek white helecopters to come in and fill him fully of well-designed bullets.

To which all the mac fanboys cover their ears and say 'No! No! Just go away! -1 Flamebait! -1 Flamebait!'

Re:chafing

[Bretai]

We have no way of knowing what it shows. The video cuts to the close up - it should have zoomed instead. I wouldn't trust anyone who claims to know how the video was edited. If there were many takes, the mismatched scene may have been unintentional.

Obviously a video taped demo is better for promotion than as proof of an exploit. I don't condone the practice.

So..?

[ericdano]

So, is he going to take Daringfireball's challenge or not? I think his whole thing has tarnished him, and he won't recover.

Re:So..?

[pfrankenstein]

Agreed. He should put his money where his mouth is. As for the comments about the lawyers, that's pure FUD.

Re:So..?

[RickHunter]

Of course not. There's no exploit. If there was, he'd be walking away with a free Macbook.

Re:So..?

[Who235]

Maybe he doesn't want one, seeing as how they're so easy to exploit. . .

Re:So..?

And some huge legal costs.

I mean, MacBooks are overpriced, but not that overpriced.

Re:So..?

[bealzabobs_youruncle]

Yea, the whole debate really had no where to go until DFB came up with that challenge, no Johnny just looks like so much weak sauce (I think the community digs it when I get down verbally)...

Re:So..?

[Thrip]

So, if I put on my blog that I challenge George Bush to provide some proof of [pick anything that's ever come out of his mouth], at a mall of his choosing, and I'll give him a free laptop if he does it, and he never shows up, that proves ... what exactly?

I'm sure John Gruber's blog is extremely important to John Gruber, but if some guys who are clearly dealing with a mountain of legal issues right now choose not to meet him at the mall, you can't take that as evidence of anything -- except that Gruber's pretty clever at diverting attention to himself.

Re:So..?

[mellon]

The way these things work is that when someone hacks your hardware, you get an injunction to stop them from talking about it. If they talk about it, they go to jail for contempt of court. If you were to RTFA, you might get the very strong impression that he's under an injunction of this type.

It's always fun to look for bad guys in situations like this, but both Apple and Mr. "Cache" here are wearing white hats. You want both of them to be doing what they're doing, and it's lame to make it into a flame war. You want Mr. Cache breaking drivers, because then they get fixed, and your Mac doesn't get 0wned when you're down at Starbucks watching YouTube videos.

And you want Apple to try to dissuade him from publishing his hack, because you want them to fix it before every random hacker figures it out, and the sooner he publishes, the sooner the black hats will have an exploit. So if Apple doesn't get him to stop talking, maybe your Mac will get 0wned down at *$$.

But you still want Apple to be paranoid about the information getting out, so that they release the bug fix quickly, not slowly. And so what he's done with this article is useful, because he's basically said how the hack works, and now presumably the black hats are working on trying to duplicate the hack. And Apple knows this, and so the patch release will probably come sooner. And so your laptop won't get 0wned at *$$. W00t!

What I don't see here is bluster. This isn't high school. People don't get up on stage at defcon and claim to have hacked something they didn't really hack. The reason they do these hacks is to improve security, not to count coup. You owe the guy your thanks, not your hopes that his reputation is ruined.

Re:So..?

[ericdano]

False. I'm sure if he was selling snake oil that would protect you from spam and other nasty things you'd believe him as well.....

Re:So..?

[schon]

You aren't even making a good argument, and bringing in a strawman (IE: Bush) isn't going to help you.

He's making a great argument - I'd say that the fact that you don't know what a strawman is stopping you from understanding it.

Re:So..?

[Thrip]

I'm not bringing in a strawman, I'm making an analogy. Sigh, I guess I need to stop doing that, since there's always someone who doesn't get it and calls me a troll. Let me make it perfectly clear for you: someone who has more important things to do than respond to an unrelated person's challenge, will not respond to said challenge. Follow me so far?

Yes, Gruber is calling them out on it. Which is a clever publicity move for Gruber, but does not have any bearing on whether their exploit is real. Unless you think these guys are more concerned over Gruber's readership's opinion than any of the other things they have on their plate right now. Maybe that's so.

Re:So..?

[dozer]

You're expecting him to spend at least a day, maybe two, just to win a $1200 computer?

If he really wants to call a big bluff, why doesn't "daring" fireball at least put up some decent stakes?

Re:So..?

[droopycom]

Huge media ruckus ? They only did a presentation at a security conference... hardly a media ruckus...

Re:So..?

[ericdano]

Why? The original thing was supposedly in 60 seconds. $1200 for 60 seconds of work sounds pretty good to me.

Re:So..?

[dave562]

What I don't see here is bluster. This isn't high school. People don't get up on stage at defcon and claim to have hacked something they didn't really hack.

Very, VERY true. Ever since DefCon started it has been LEGIT. It isn't smoke and mirrors. It isn't your typical security conference where the guys on stage are just parrotting information to you that they learned from someone else. The guys on stage are the guys doing it. They're the modern day l0pht crew, the Mudges and Aleph Ones of the 21st century. Up until DT decided to make EvenMorePhatLoot with BlackHat, Defcon was THE public venue for proving that you truly are a legit hacker and not some Internet loudmouth. I still remember sitting in the Sands listening to Ludwig talk about polymorphic ASM code and thinking to myself, "I'm wasting my time NOPing out copy protection routines and this guy is doing WHAT?!?!"

Re:So..?

[Sancho]

Did you read the relevant articles? The challenge didn't allow for more than one attempt, that I could see, whereas here's Johnny (heh) saying that it could take multiple attempts to exploit the race condition correctly (since it's timing based and they haven't implemented it with RTC).

It's interesting that we learn this now because it gives (another|the real) reason they didn't demo the exploit at Blackhat/Defcon: it might not have worked. I wonder how many takes they had to do to get the exploit to work on camera....

Re:So..?

[Reverberant]

The way these things work is that when someone hacks your hardware, you get an injunction to stop them from talking about it. If they talk about it, they go to jail for contempt of court. If you were to RTFA, you might get the very strong impression that he's under an injunction of this type.

Instead of letting us infer the facts, why not just say "because of a court order, we can't talk about it"? It happens all the time.

If there is a hack, I want to know. I'm not looking for details, I just want the answer to Jon Gruber's question: "Have Maynor and Ellch found a vulnerability that affects MacBooks using Apple's built-in cards and drivers?"

If the answer is "yes" or "no" just say so! If they're under a gag order, just say "We're under a gag order." Asking us to read between the lines isn't cutting it.

Not to mention that the ad-homs aren't helping his credibility...

Re:So..?

[ericdano]

See, here is the problem. If you read the newsforge article they said "Security researchers Dave Maynor of ISS and Johnny Cache -- a.k.a. Jon Ellch -- demonstrated an exploit that allowed them to install a rootkit on an Apple laptop in less than a minute." In fact, Ellch's new company publically flaunts this. So, is it a real thing? Now, Ellch is backtracking, saying new things. Whatever. He's a Bullshit artist.

Re:So..?

[Sancho]

How is he backtracking? The newsforge article you quoted even points out that it was a video. They could have tried a dozen times before they got it right, but once they get it right, it happens in under a minute. Now if that's the exploit, it's not really a great one or a particularly big deal--yet. But if his suspicions are true and the exploit can be made more precise, then it /could/ be a problem.

Also, the point of the Blackhat/Defcon talk was actually not about proving Macs are vulnerable--it was about proving that /drivers/ are vulnerable. They chose a Mac because they were tired of all the "Macs are secure" bullshit, and thus the huge media backlash has really distorted the original message: that with wireless getting longer and longer range, it's going to be easier and easier to root insecure drivers without even necessarily being connected to a network.

Re:So..?

[Gideon+Fubar]

Thanks for injecting some much needed sanity into this debate.

Too much speculation, not enough exploit patching.

Re:So..?

[bealzabobs_youruncle]

You are correct sir, and for next feat I shall pount a nail through a board with my penis.

Re:So..?

[mellon]

If you're under a gag order, there's a decent possibility that the gag order forbids you to talk about the gag order.

Re:So..?

[WatertonMan]

If you're under a gag order, there's a decent possibility that the gag order forbids you to talk about the gag order.

The first rule of fight club is . . .

Oh, ok. I know it's cliche...

Re:So..?

[Reverberant]

If you're under a gag order, there's a decent possibility that the gag order forbids you to talk about the gag order.

Considering that they are willing to talk about the issue with some people, I don't think that excuse is applicable here.

Re:So..?

[Rocketship+Underpant]

The difference is that John Gruber is probably the most-read and most respected Mac technology pundit and blogger out there. His challenge is a high-profile one, certain to get the attention of the "journalists" and hoaxsters who started this whole thing. Heck, just look at how many Slashdotters here know about his challenge.

Re:So..?

[Bing+Tsher+E]

For some people, unfortunately, it's enough to be not-Microsoft. And there is a LOT of pro-Apple astroturfing that goes on. It's been that way for decades, though.

Re:So..?

[gruber]

Did you read the relevant articles? The challenge didn't allow for more than one attempt, that I could see, whereas here's Johnny (heh) saying that it could take multiple attempts to exploit the race condition correctly [...]

I updated the stipulations to allow for an entire hour to delete the file on the desktop. If they want more time than that, I'd be willing to extend it.

Re:So..?

[Sancho]

Cool. That closes that particular loophole.

Re:So..?

[mellon]

Here's the second paragraph from the WifiNetNews article you referenced:

I have not, in fact, spoken to Maynor and Ellch, which may be an oversight, but when colleagues have offered to get me in touch, it has come with a proviso that I will learn non-disclosable information. Id rather not be in that position (yet).

That seems to confirm my theory, not your rebuttal. :'/

Re:So..?

[Cruise_WD]

Why are you wearing that thing on your head?

Re:So..?

[Paradise+Pete]

Did you read the relevant articles? The challenge didn't allow for more than one attempt

He gets an hour. He can try as many times as he likes within that hour.

Re:So..?

[Fordiman]

*shhh*

Look, don't tell the mac fanboys, but they caused the ruckus, being so angry about their preh-shee-us status symbols vulnerability. This guy was just demonstrating an exploit.

Re:So..?

[Sancho]

Yes, now. Originally, the challenge did not grant an hour.

Re:So..?

[yalla]

Why should jc react at all? The only one who'll draw attention will be John Gruber himself.

Re:So..?

[ericdano]

Which, if Fucktard Ellch would fess up to, nobody who owns an Apple Macbook would put in. Ellch rigged the whole thing. It's FUD.

Re:So..?

[99BottlesOfBeerInMyF]

If you're under a gag order, there's a decent possibility that the gag order forbids you to talk about the gag order.

This is possible but unlikely. Also, since he stated he was working with Apple to fix the vulnerability and Apple said they had never heard from him, one of them is mistaken or lying. A gag order doesn't protect Apple from losing a slander/libel case for lying to discredit him. Since he hasn't brought such a lawsuit perhaps he was stretching the truth in the first place?

Re:So..?

[Paradise+Pete]

Yes, now. Originally, the challenge did not grant an hour.

Oh, ok, that makes sense. I read the challenge as it is today. If he modified it without noting that he modified it that's a little sneaky.

By the way, your web site looks exactly like mine!

Re:So..?

[Fordiman]

It would be fud if he somehow implied that it's a problem in OSX. He didn't. He, in fact, went so far as to specifically state that the issue is not with OS-X at all, but with the third-party driver for the WiFi card, and made sure it was known that this issue affects all OS'es with support for that card. The fact that he used a mac was to prove that, yes, even the most 'secure' of the OSes is still vulnerable, because IT'S NOT AN ISSUE WITH THE OS.

Pay some fucking attention.

Re:So..?

[bealzabobs_youruncle]

Your mother sews license plates into your underwear? How do you sit?

Re:So..?

[Bretai]

You want both of them to be doing what they're doing

No, I don't want them to be bragging to the Washington Post ahead of a patch. I think we can agree on that one.

I don't want demos on video. I don't want phantom exploits, and on the off chance that there is an exploit I don't want Apple unfairly attacking people who report security flaws.

I'd say there's plenty here that we didn't want. I see you get a +5 for pretending otherwise.

Re:So..?

[tacocat]

I won't pretent to be an expert but if you can use card A to crash the kernel stack without relying on some defect within the card A driver then it stands to reason that card B will crash as well. RTFA and you will see that his attack it against the kernel stack by way of the net socket. He's way past the drivers on this exploit.
This is not the same as some esoteric MSIE/javascript/activex exploit that depends upon so many software layers to line up. He's boinking the kernel.

Re:So..?

[Fordiman]

Yes. I'm sure you're right. I'm certain that anyone that says anything negative about Apple as a company and Mac as a platform is pathologically confrontational.

Or, perhaps, he picked the platform that is percieved by its users to be most secure in order to alert everyone to the dangers of 'mystery blob' drivers.

God, watch the video. The man says that it's not a problem with OSX, and that the problem exists in the reference drivers for both Linux and Windows as well. Using a Mac was just to make a point that even the most secure can be compromised by using unknown code.

Course, you, being a zealot, obviously see any criticism of the source of your gonads to be a particularly nasty slight and an insult to your intelligence. Unlike this, which, while not criticizing of Apple, is a well deserved belittling of your barely-active noggin.

Twit.

This guy really is full of himself

[Mononoke]

He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it,

Most of any community is not going to understand it, including this community. He comes across as nothing more than an attention-whoring little hacker with an axe to grind against Apple.

Re:This guy really is full of himself

[houghi]

He comes across as nothing more than an attention-whoring little hacker with an axe to grind against Apple.

You make it sound as if that would be a bad thing.

Re:This guy really is full of himself

Ah, much like the slashdot community with Microsoft

The only difference is most of us don't need a rigged demo to break into a Windows machine...

Re:This guy really is full of himself

[MrResistor]

So what if he is? If his hack works, it works. Period.

An attack on his personality doesn't invalidate that.

Re:This guy really is full of himself

[Mononoke]

So what if he is? If his hack works, it works. Period.

It does? On a Mac? Using the internal wi-fi?

Go ahead and show us, then.

.

.

We'll wait.

Re:This guy really is full of himself

[Tim+Browse]

An attack on his personality doesn't invalidate that.

You must be new here.

Re:This guy really is full of himself

[MrResistor]

You got poor marks in reading comprehension in school, didn't you?

Nowhere did I assert that his hack works. That's what the "if" in that statement means. Here, let me highlight it for you in case you missed it:

" If his hack works, it works."

What I did assert is that his status as an Apple-hater has no bearing on the effectiveness of his hack.

Re:This guy really is full of himself

[Bing+Tsher+E]

Well, we'd have to know for sure he was adept with a sharp axe first, wouldn't we?

Re:This guy really is full of himself

[bonaldi]

" If his hack works, it works."
And? Tautology is all very nice, but it doesn't actually mean anything. What were your marks for writing in school?

Re:This guy really is full of himself

[MrResistor]

Quite high, thank you, largely due to the fact that I'm able to take in the entire arguement rather than focusing on pedantic details.

Re:This guy really is full of himself

[bonaldi]

Not that high, spelling-kid. What I did assert is that his status as an Apple-hater has no bearing on the effectiveness of his hack.
Yes, and why did you think that was? Because if his hack exists, it exists. So if he has a hack, then he has a hack. And because he has the hack that he has, if he has the hack that he has, then even if he hates Apple, he still has the hack that he has.

Jesus, this place used to be full of tech types who were so up for precision in language that they'd never let something like "IF X then X" past. Tautology isn't being pedantic -- it's using words to say precisely nothing.

Either way -- your argument is still rubbish. Until such times as he releases a single concrete detail, we have an Apple hater who claims to have a hack. That has a bearing on the likelihood of there being an effective real hack. Sure, if he has a hack then his Apple-hate status doesn't matter; while it's all smoke and mirrors, that status very much does.

AC: Even after he pointed out your poor reading comprehension
He pointed out someone else's poor reading comprehension, numbnuts.

Re:This guy really is full of himself

[rbarreira]

Did they ever claim that the damned hack works on the internal wi-fi? I saw the video and they emphasized at least three times that the attack was being made using a third party wifi card! What else do you want?

Re:This guy really is full of himself

[rbarreira]

Jesus, this place used to be full of tech types who were so up for precision in language that they'd never let something like "IF X then X" past. Tautology isn't being pedantic -- it's using words to say precisely nothing.

Even though it sometimes doesn't seem like it (such as when I read your post), before being tech types we're humans. Sometimes humans say things such as "if X then X", which despite being tautological can still fire up the wanted reaction in non-blind/autistic listeners. But since you don't seem to have what it takes to understand this (or you're just a troll), here it is spelled out for you:

When people say "if X then X" they usually mean "if X, then X is what is important".

Have a good day.

Re:This guy really is full of himself

[bonaldi]

When people say "if X then X" they usually mean "if X, then X is what is important".
Yes, granted. In fact, if the OP had said "If it works, his opinions about Apple don't matter" or something similar, I wouldn't be complaining. I only *am* complaining because his next post got on his high horse about reading comprehension, when he himself can't string a logical sentence together.

Re:This guy really is full of himself

[Fordiman]

Even Elich doesn't claim it work on internal wifi.

Why the fuck must mac zealots be such zea-

Shit, answered my own question.

Re:This guy really is full of himself

[Bretai]

If it is undetermined if it works, then the character of the source is relevant, as is the magnitude of his claim.

Article text

Johnny Cache breaks silence on Apple Wi-Fi exploit

Monday September 04, 2006 (01:07 PM GMT)

By: Joe Barr

Jon Ellch -- aka Johnny Cache -- was one of the presenters of the now infamous "faux disclosure" at Black Hat and DEFCON last month. Ellch and co-presenter Dave Maynor have gone silent since then, fueling speculation that the entire presentation may have been a hoax. Ellch finally broke the silence in an email to the Daily Dave security mailing list over the weekend, and one thing is clear: he is chafing under the cone of silence which has been placed over the two of them.

Ellch explains their silence since the presentations in his email by saying:

        Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch. Whether or not this position was taken after a special ops team of lawyers parachuted in out of a black helicopter is up for speculation.

He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something."

Ellch then breaks down the elements of the vulnerability and possible exploits, but in the context of Intel drivers rather than Apple's, asking and then answering the obvious question of why he did so when he wrote: "Why am I switching the subject from Apple's bug to Intel's? Because it's patched, and Secureworks has no influence over what I say regarding this one."

He buttressed his explanation of how he crashed the Intel Centrino driver by creating a race condition by flooding it with UDP packets and disassociation requests with links to dumps of crashes he caused using this technique.

Ellch notes that a crash caused this way doesn't guarantee a successful exploit, saying "If you're lucky, your UDP packet will end up on the stack. If you're less lucky, a beacon packet from a nearby network will end up on the stack. In the case where I successfully overwrote eip (Extended Instruction Pointer), the UDP packet was 1400 bytes."

He also responded to criticisms that he and Maynor have simply been "playing the media" instead of reporting an actual vulnerability and exploit, saying:

        You know, of all the comments I see, the ones that 'we played the media' make the least sense. Have you ever seen me in the news before? No. Have I ever talked to a reporter before? No. Am I doing a very good job of winning this PR smear campaign lynn fox ignited? No. If I was so deft at manipulating the media, would I be explaining myself on dailydave praying that a few technically competent people will actually get it?

I contacted Ellch by email after reading his post and asked if he was claiming Apple is the cause of their silence. He replied:

        Let's just say its pretty obvious I'm not happy about being silent. So much so that i'm releasing non-apple bugs to convince people that we do in fact know what we're talking about.

Re:Article text

[rbannon]

I still don't see him coming clean on this one. Or maybe, like he says, people like me won't understand it anyway.

In any case, I think he's really not being forthcoming with respect to what the hack entails, and maybe that's due to Apple's aggressive lawyers. In any case I'd like to see more details.

Re:Article text

[cHiphead]

my guess would be its another NSA exploit built into wireless cards. It'd make sense. Plus his reference to black helicopters in a seemingly innocent but suspect way.

*engage nutjob conspiracy theories*

Cheers. ;)

"Implies" my fanny. He says it right out.

[Shayde]

If that's just an 'implication', I'll eat my hat. It's pretty obvious that his going silent is the result of Apple putting the thumbscrews to him. He states that the ONLY reason he's saying something now is because he's talking about Intels drivers, not Apples. It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks, forcing him to be quiet until they get a patch out. This way no one can report about the 'insecurity' of the OSX platform - there are no exploits, see? As long as you're patched and up to date!

Re:"Implies" my fanny. He says it right out.

So THAT's why Apple's oh-so-vicious lawyers let them GO AHEAD AND USE A MAC IN THE FUCKING DEMO.

Riiiiiiighhht.

Puleeeze.

Re:"Implies" my fanny. He says it right out.

[rbannon]

If that's true, I think Microsoft should hire away Apple's lawyers.

Huh huh huh huh/ Heh heh heh

[10100111001]

He buttressed his explanation of how he crashed the Intel Centrino driver by creating a race condition by flooding it with UDP packets and disassociation requests with links to dumps of crashes he caused using this technique.

He said "butt".

Black helicopters? Even in metaphor?

[Sunburnt]

The classic defense of the madman or the liar: "What I say is true, but terrible, unspeakable things would happen were I to prove my assertion. You'll just have to take my inability to prove my assertion as evidence of its validity."

What a schmuck.

Re:Hacking...

[ryanr]

So, are you not familiar with EIP, then?

Re:"Implies" my fanny. He says it right out.

[Mononoke]

So Apple is supposed to patch someone else's drivers for a wi-fi card that would never be used with a Mac?

Apple probably looked at these guys and laughed.

Next thing you know, these guys will be "discovering" cold fusion.

the way I know apple

[AlgorithMan]

the way I know apple, they are going to sue him now
before they only threw dirt to make him look unreliable, but now they'll be throwing lawyers to stop him from proving he's right (or as they would say - to stop him from damaging their business)

It took all of 2 paragraphs to go ad hominem...

[jpellino]

And insult the intelligence of Mac users.
That's the way to prove your point.
As someone said, show this on a "bog standard" Mac from and I'll pay attention.

Re:It took all of 2 paragraphs to go ad hominem...

[nathanh]

And insult the intelligence of Mac users.

Most Mac users insult their own intelligence.

I have a Mac and it's great. Unfortunately the majority of Mac users are an embarrassment. I sometimes cringe when I read the comments on Mac blogs - the Mac users make Linux fans look humble and Windows users look intelligent.

I work in the IT security industry and I'm perfectly willing to accept that this exploit is for real. The pattern of events is not abnormal: the exploit will be demonstrated at a conference but because of NDA the details remain under wraps until the manufacturer releases a patch. I've seen delays of 12-18 months before details are released for Windows exploits, despite seeing the exploit demonstrated in person at blackhat conferences. A delay of a few weeks for an Apple exploit doesn't even raise my eyebrows.

The only difference here is that Apple users are so goddamn fanatical that they'll rabidly attack anybody who says their platform is any less than perfect. They don't know the security field, they don't understand the technical discussion - those quotes Johnny provided of clueless Mac users were riotous - yet they feel qualified to give opinion. I used to work with this guy who was brilliant at finding and exploiting security holes. He took a G3 Mac running stock standard OSX and proceeded to demonstrate exploit after exploit; not based on his OSX skill but purely on his knowledge of the underlying free software. I was at a blackhat conference where they demonstrated a local privilege escalation exploit that existed all the way up to Tiger - they had told Apple about it years previously but it wasn't until they broke their NDA and went public that Apple fixed the fault. The same presentation at that conference demonstrated an OSX kernel exploit that still exists today.

Mac users are in for a rude shock. They've told each other their platform is secure. The rumor mills repeated the "OSX is secure" mantra. But the mantra has no foundation in reality. Most Mac users do not run AV, do not shutdown services, and run with wide-open wifi and bluetooth settings. They have an undeserved complacency regarding security and it will lead to a fall.

Re:It took all of 2 paragraphs to go ad hominem...

[kithrup]

The only difference here is that Apple users are so goddamn fanatical that they'll rabidly attack anybody who says their platform is any less than perfect.

That may be the case... but in the circles I hang out in, the big question has been "Is this real?" Having them demonstrate using a hardware combination that is extremely unlikely to be encountered in the practicality -- that uses non-vendor drivers! -- while they imply (and nothing more) worse... is not very compelling.

Mac users are in for a rude shock.

No doubt. But how does what continues to reek of being a false alarm help in any way? Right now, this whole incident has conveyed nothing but a sense of, "Well, they had an axe to grind, so they used some other vendor's code, and then lied about how Mac OS X was insecure."

It very well may be the case that the Apple driver is vulnerable. But they've honestly done everything they possibly can to convince the multitudes that it isn't.

And that is a huge disservice to the community they claim they are trying to help.

And speaking from a technical aspect, here is the question I asked before: if the Apple driver is vulnerable... how do they get a network-connected shell from the kernel? It is not easy -- at the very least, it would involve having a process be created, from the kernel. And that is a significant amount of code, as you could tell by looking how the first process is created during boot.

(Again, I am trying to give them the benefit of the doubt, that the vulnerability is real. But they're doing what they can to imply otherwise.)

Re:It took all of 2 paragraphs to go ad hominem...

[bnenning]

I sometimes cringe when I read the comments on Mac blogs - the Mac users make Linux fans look humble and Windows users look intelligent.

There are morons in every community. Note the guy in this thread comparing Mac users to fundamentalist Islamic terrorists.

I work in the IT security industry and I'm perfectly willing to accept that this exploit is for real. The pattern of events is not abnormal: the exploit will be demonstrated at a conference but because of NDA the details remain under wraps until the manufacturer releases a patch.

Fine, but the exploit that was demonstrated is not what's being questioned. They showed an exploit of a third-party wireless card, and I accept that. The key question about which they have been extremely vague is whether a similar vulnerability exists in the built-in hardware and software. This is not just a theoretical concern; I use Airport in my MacBook Pro in my apartment, and if it's vulnerable to anyone within wireless range I want to know.

Re:It took all of 2 paragraphs to go ad hominem...

[LordRobin]

I have a Mac and it's great. Unfortunately the majority of Mac users are an embarrassment. I sometimes cringe when I read the comments on Mac blogs - the Mac users make Linux fans look humble and Windows users look intelligent.

"Comments on Mac blogs" != "majority of Mac users"

Re:It took all of 2 paragraphs to go ad hominem...

[diamondsw]

Most Mac users do not run AV, do not shutdown services, and run with wide-open wifi and bluetooth settings.

No viruses, check. No services running on a default install, check. Airport doesn't join unknown networks by default and Bluetooth off by default, check.

Mac OS X as an operating system is not secure - nothing is. It's default settings, however, are. Name one remote attack vector on a default system and get back to me.

Respected and intelligent people have offered huge incentives for something as simple as a blackbox presentation of the exploit, with no technical details, and have not had their generous offer accepted. Apple has said pont-blank they have not been contacted in any way regarding the exploit, despite the bloggings of being "leaned on hard by Apple". The "security experts" keep changing their story, from something that impacts Apple's drivers and hardware, to something that only hits third party hardware/drivers, to something that only might hit third-party drivers/hardware.

Show any evidence whatsoever to a reliable third party and I'll pay some attention. Until that point, they have utterly no credibility.

Re:It took all of 2 paragraphs to go ad hominem...

[Bing+Tsher+E]

It very well may be the case that the Apple driver is vulnerable. But they've honestly done everything they possibly can to convince the multitudes that it isn't.

And that is a huge disservice to the community they claim they are trying to help.

Very honestly, what it's starting to sound like to me is that Apple is doing everything they possible can to prevent these guys from proving the vulnerability exists.

Which, ummmm, is a real disservice to their customer base.

Re:It took all of 2 paragraphs to go ad hominem...

[fishbowl]

>That may be the case... but in the circles I hang out in, the big question has been "Is this real?"

The way to convince them is to use the flaw to root their box. Since you can't do that, they don't really feel motivated to respond.

Re:It took all of 2 paragraphs to go ad hominem...

[ryanr]

Name one remote attack vector on a default system and get back to me.

Didn't you get the DHCP patch?

Re:It took all of 2 paragraphs to go ad hominem...

[MrMickS]

Most Mac users insult their own intelligence.

[snip]

Most Mac users do not run AV, do not shutdown services, and run with wide-open wifi and bluetooth settings.

Once upon a time IT professionals would know better than to make wide range generalisations of this sort.

Re:It took all of 2 paragraphs to go ad hominem...

[99BottlesOfBeerInMyF]

I work in the IT security industry and I'm perfectly willing to accept that this exploit is for real. The pattern of events is not abnormal: the exploit will be demonstrated at a conference but because of NDA the details remain under wraps until the manufacturer releases a patch.

I am a mac user and work in security as well. Let me show the ways in which this "exploit" is unusual and dubious:

• They did not demo the exploit, but instead showed a mockup of what the exploit would do were they to run it.
• They claimed to be working with Apple to fix it, but Apple publicly stated they'd never heard of these guys or seen the supposed exploit.
• They have not submitted their exploit to review by any credible third party that anyone knows of.
• They have hinted that they are under legal pressure, but have not actually said so, or shown any evidence that is the case.

I used to work with this guy who was brilliant at finding and exploiting security holes. He took a G3 Mac running stock standard OSX and proceeded to demonstrate exploit after exploit; not based on his OSX skill but purely on his knowledge of the underlying free software.

There are a number of people who can easily find local escalations on OS X, using knowledge of the BSDs. There are some people who can remotely hack OS X boxes using unpublished exploits. OS X is not some super-secure solution. It is in the same boat as your average Linux distro. It is fairly secure against automated attacks which is what the average user is worried about.

I was at a blackhat conference where they demonstrated a local privilege escalation exploit that existed all the way up to Tiger - they had told Apple about it years previously but it wasn't until they broke their NDA and went public that Apple fixed the fault. The same presentation at that conference demonstrated an OSX kernel exploit that still exists today.

Citations please.

Mac users are in for a rude shock. They've told each other their platform is secure.

Secure means different things to different people. By comparison to Windows, which is all the average user knows, OS X is a fortress. The message that "OS X is secure" is a drastic oversimplification, but it is a clear message and a beneficial one. The more users that switch away from the security nightmare that is Windows, the better for the security of the general population. Now you could try to tell the average person that OS X is sorta secure, but not perfect and it is better than Windows but worse than this OpenBSD thing that can't run any mainstream software they need. In doing so you'd be more accurate. You'd also probably convince a lot of people that it doesn't matter if they are running OS X or Windows and thus contribute to making the general population less secure.

As for this particular exploit, the verdict is still out. Maybe it is the real deal that has a reasonable chance of being a usable remote exploit. To characterize this as a normal vulnerability, is very misleading. There is a reasonable concern in the security industry that these people either were wrong, overstated their case, or were outright trying to be deceptive. There is also the possibility that Apple is completely lying, but that is rather unlikely. They have a pretty good track record of fixing exploitable vulnerabilities the community brings to them and of working well with the security community. They are one of the few companies that provides credit for discovery in their security patches. As time goes on and we learn more and more about this, I have more and more doubts that this particular exploit is on the level.

Re:It took all of 2 paragraphs to go ad hominem...

[monkbent]

do not shutdown services

You're right - I haven't shutdown services. After all, they were all already disabled by default.

And to think you had such a good rant going...

link to Cache's Dailydave post

[yermej]

http://lists.immunitysec.com/pipermail/dailydave/2 006-September/003459.html

Honestly weird

[jackjeff]

I watched that video. He says it's smth in the driver... and then shows a Mac also says it would work on a PC. Then, all Intel mac laptops have WIFI now, but he choses to use an external WIFI PC-Card, huh.. sorry Express Card. I know Apple are not angels, but I just can't help be suspicious about it:
- how can a driver have the same bug on windows and macos x?
- why use this stupid external card? what are the chances it did have the same chipset as the internal one?
- and odds are the bug is a buffer overrun... does it take a SO LONG for apple to fix a stupid memory overrun?

That story won't finish well foro someone. The smoke screen is too thick. Either:
- This guy did overrate some minor problem in a misleading way for Apple laptops. Oh.. a third party driver with a bug. Or it's Apple driver with only a thirdparty card. In that case, he's discredited in the domain of security for the rest of his life.
- Apple did really pressure him (as he tends to hint). They're then not only legal jackasses (we know that already) but also incompetent to fix a bug (and that suprises me). In that case the company he's discredited in the domain of security for a while, and they can quit the "virus ads.. mac is secure" for a while.

Future will tell.

Re:Honestly weird

[Jeff+DeMaagd]

I think it's probably a USB network part, not Express Card. There are not many ExpressCards available, and I don't remember seeing any of them for wireless networking.

Given that almost nobody will be using an external USB card on a Centrino or MacBook, I need to see that it's a bug that affects what's internal to to Centrino and MacBook families.

I don't understand how Intel's drivers have anything to do with it, it doesn't make sense that they will write drivers for OS X. I'm not totally certain that Intel's wireless chip is in the Apple notebooks. If Intel's firmware is a culprit, then saying "drivers" is disingenuous.

Then we aren't really sure that the Intel wireless chip is in the Apple product family. I think it's known that the iMac Core Duo uses a Broadcom chip. My system seems to indicate that it's using an Atheros chip, at least I don't see any other wireless driver on my MacBook Pro.

Re:Honestly weird

[BKWatch]

If the MacBook in the video was really hacked as SecureWorks says, then it has to be a USB part -- MacBooks don't have ExpressCard slots. Apple doesn't support any USB 802.11 adaptors.....why would Apple presure them if the flaw was only in the USB... My growing sense is they found a minor flaw in a USB driver but then faked the demo (for simplicity's sake) or faked the private demo to Brian Krebs. Or Krebs just made the whole thing up....

Re:Honestly weird

[Inoshiro]

"- how can a driver have the same bug on windows and macos x?"

Quite simply; the Intel card is, in both cases, doing things like UDP and TCP offload from the main system. This means the card and driver together have an internal state in software to manage it, and (due to the asynchronus nature of networking) you can get the hardware and driver software's core into a situation where they don't agree on the state.

The small glue layer that deals with the OS hooks is a static translation layer that wouldn't be involved. The SB Live! and Audigy drivers in Linux are the same driver as the Windows Creative driver (well, they were about 6 years ago when they contributed the code). nVidia uses the same driver code on all platforms as well. For anyone who's written a driver, this is easy to understand.

"- why use this stupid external card? what are the chances it did have the same chipset as the internal one?"

He uses it because it's a timing race, and because it's easier to demonstrate with 2 cards in the system. With a 4000 microsecond delay, this means it's likely taking a bit longer for the OS to service the interrupts between the two cards; enough that the driver bug can show itself. There are likely other ways to tickle this bug that don't require multiple cards, but then you'd have to have something running on the OS. Still, If you setup a machine to throw packets around, you could make an intermittent crash bug appear on an OS -- that's not cool.

"- and odds are the bug is a buffer overrun... does it take a SO LONG for apple to fix a stupid memory overrun?"

A stupid memory overrun? Man, you haven't programmed ever, have you? A timing related bug in device driver code is probably the second hardest bug you'll ever encounter to debug (the first would be the core of the OS itself). Concurrent programming is difficult.

It's responses like these that show why this person had been light on detail. Most people lack the technical background in OS design to understand this issue.

Re:Honestly weird

[MrResistor]

- how can a driver have the same bug on windows and macos x?

Perhaps both drivers are derivd from the same codebase? Or perhaps the developers of both drivers made the same faulty assumtion that leads to this bug?

- This guy did overrate some minor problem in a misleading way for Apple laptops. Oh.. a third party driver with a bug. Or it's Apple driver with only a thirdparty card. In that case, he's discredited in the domain of security for the rest of his life.

What if the third-party driver is behaving exactly as it's supposed to, per the API, and the problem is actually in the OS itself? I mean, seriously: how else does a network card exploit crash the system?

- and odds are the bug is a buffer overrun... does it take a SO LONG for apple to fix a stupid memory overrun?

You really have no idea what you're talking about, do you?

Re:Honestly weird

[PygmySurfer]

It's definitely a USB network part, the MacBook doesn't have ExpressCard slots, only the MacBook Pro does :)

Re:Honestly weird

[Doctor_Jest]

Then he should post the details for those of us who understand what he's talking about, and leave the other people to wallow in their own ignorance.

Deliberately withholding information because of some nebulous "threat" that has never been proven smacks of misdirection and just more "shell-game" antics by some folks who have a personal beef with Apple.

I don't really care if they hate Apple's userbase with all the bile of Hell... if they're serious about this and are not just faking the results to be pissy children, then come out with it. Otherwise, they just need to STFU.

Claiming that he won't reveal details because "no one understands" sounds like HE doesn't understand most likely.

Re:Honestly weird

[kannibal_klown]

What if the third-party driver is behaving exactly as it's supposed to, per the API, and the problem is actually in the OS itself? I mean, seriously: how else does a network card exploit crash the system?

True, it is a possibility. However, on the other side my old Dell laptop had bad drivers that came standard. They kept performing illegal operations (and blue-screening) Windows 2000. When I found updated drivers, the illegal operations went away.

So it's possible that poor drivers can do something screwy to the system by doing something non-standard.

Re:Honestly weird

[MrResistor]

True, it is a possibility. However, on the other side my old Dell laptop had bad drivers that came standard. They kept performing illegal operations (and blue-screening) Windows 2000. When I found updated drivers, the illegal operations went away.

That doesn't mean it was the fault of the driver manufacturer. Maybe they had to do some non-standard stuff in order to make win2k behave properly? You don't know that isn't the case.

This highlights the problem I've spent most of my other posts to this article discussing: even if it is a bad driver, it's still the OS's fault for letting the driver take the whole system down, so it's still the OS writer's problem.

Yes, there are some situations where this isn't true: if your northbridge stops functioning, for whatever reason, you're hosed. But there should be no way that a non-critical piece of hardware, like a soundcard or network card, can crash the system, and that goes double for a USB peripheral. If it can, then you've found a flaw in the OS, regardless of how bad the driver might be.

Re:Honestly weird

[guet]

He never tried to get the technical illiterals of the mac community or the slashdot trolls involved,

Oh really?

What was the video, presented in layman's terms and using a macbook (albeit in an unusual config), for then?
The newspaper interview which hinted at more and claimed Apple was 'leaning on him' without giving details?
The snide asides like makes you want to stab one of those (mac) users in the eye with a lit cigarette or something?

If he didn't want to troll or be trolled, those are a few things he could have avoided doing. If he had quietly posted this to a security list and not made unsubstantiated claims of legal interference, I'd understand your position. As it is he's provoking a lot of people and fanning the flames by refusing to substantiate claims of legal pressure (where are the letters, why would Apple lie if they know it will all come out?) and hinting at more serious and widespread vulnerabilities without revealing them.

I feel sorry for him now, because it's very difficult for him to do anything without provoking more uninformed debate, which must be frustrating.

PS This has nothing to do with any US policy on science.

Re:Honestly weird

[Holmwood]

As the coverage has said, the primary reason not to release details of an exploit that Apple hasn't yet patched is that it would be irresponsible to do so.

I'm sure Apple's attorneys are not invisible in the process either. They'd have to be, whether or not the problem is real.

In a few months time, it will either be evident that these guys are telling the truth, and that Apple was at best spinning, or it will be evident that the security researchers were initially spinning, and then lied about the vulnerability being also present in a Macbook with no USB wireless card.

My own impressions, having looked at their work, (and other things they've published) is that the problem is real, but that both Apple and its supplier are having some serious trouble not just finding it, but even replicating it. Race timing problems in driver/OS code are notoriously hard to replicate, and often even harder to solve.

These researchers appear to have behaved in a reasonable, responsible manner. I'm a little stunned at the level of anger and hate that's come spewing out. Either we have two guys willing to self-immolate just to momentarily make Apple look bad, or we've got people who've done solid research in the past who've done some more.

Holmwood.

Re:Honestly weird

[jackjeff]

I did not realize the slashdot article was edited after I posted and provided a link to Johnny cache e-mail. It explains far better the issue than this stupid news publication (please fire the reporter)... I was wondering how you could know/guess so much about the method involve, because the article is "scarce" at best.

And since no informtion was available, I was supposing the issue was linked to a buffer overflow. :)

How is it "obvious" ?

[Infonaut]

It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks

If Apple's lawyers wrote a nastygram to these guys, don't you think we'd have seen it by now? The first thing anyone in a public situation like this does when they get pressure from the big players is to publicize the legal threats.

At the moment all we have is the word of someone who cast aspersions at Mac users, disingenuously claimed that he was exploiting Apple security flaws, and now claims (not so subtly) that Apple's lawyers are the reason he can't come clean.

Re:How is it "obvious" ?

[Cysgod]

When I published my OS X remote root (link-local remote root for the pedantic), a poorly chosen use for DHCP, Apple had advance notice of when I was going to release it, numerous avenues to attempt contact and I didn't hear one peep from Apple Legal. That this guy was suddenly chilled and can't produce evidence of it other than making vague insinuations just sounds hoakey to me.

If he doesn't feel okay about releasing details until they've patched the driver that's one thing. But insinuating that the big bad lawyers have silenced you is quite another. The only circumstance I can think of where they could actually be legitimately silenced is: they are/were being paid to do pen testing for Apple, they submitted this bug, they blabbed about it at a conference when they were under a contractual NDA, they're now claiming they didn't say enough violate the NDA and are remaining mum until the rest of the details go public.

Given the nature of this scenario (i.e. that they'd have to have violated an NDA to wind up where they are insinuating they are now), I'm not overwhelmed with trust for the researchers who are positing this security hole's existence. On the other hand, I was led on and on by Apple waiting for them to release a patch for my earlier security issue that had a similar attack vector and security impact to this posited new security hole. If these researchers are actually waiting, we may all have to sit around for a good long while before the proof is actually shown.

This dilemma is more evidence of why full disclosure is a good idea.

Re:How is it "obvious" ?

[Infonaut]

I can think of a number of reasons why he wouldn't post any possible correspondence that he got from Apple's lawyers. Most of them having to do with preserving his financial well-being.

That's a good point. However, I find the heavy-handed hints of Apple legal involvement to be rather self-serving. If Apple is leaning on them, they ought to simply come out and say they've been told by Apple not to say anything more. If they're not being harrassed by Apple legal, they should make that clear.

As it stands now, I feel like the whole manner in which SecureWorks has dealt with this story leaves a lot to be desired. Instead of illuminating a problem, they've created a swarm of controversy. They may be very technically capable, but they don't exactly strike me as being transparent in their business dealings, which isn't a good thing for a security company.

Nothing about this story seems obvious to me.

Re:How is it "obvious" ?

[schon]

If he doesn't feel okay about releasing details until they've patched the driver that's one thing. But insinuating that the big bad lawyers have silenced you is quite another.

If you read the article, he says that it's the former, and not the latter.

Specifically, his employer (who would have paid him to do the work, and thus owns the exploit code in question) has said that they won't release the exploit until Apple has had a chance to release a fix.

The "apple lawyer" crap is pure ungrounded speculation.

Re:How is it "obvious" ?

[Cysgod]

If you read the article, he says that it's the former, and not the latter.

Specifically, his employer (who would have paid him to do the work, and thus owns the exploit code in question) has said that they won't release the exploit until Apple has had a chance to release a fix.

The "apple lawyer" crap is pure ungrounded speculation.

I did, in fact, read the article. We agree on the first point, whether it his him or his employer making a call on releasing the details is not particularly relevant (except to his employment status). And they may not be able to release details because they may have been under contract to Apple to find the problems.

Upon reviewing the quote in question again, I'm going to have to disagree with you about "ungrounded speculation". From both the article and the mailing list post (see the article above for the links):

Secureworks absolutely insists on being exceedingly responsible and doesn't
want to release any details about anything until Apple issues a patch.
Whether or not this position was taken after a special ops team of lawyers
parachuted in out of a black helicopter is up for speculation.

There is no reason to include the comment about special ops lawyers parachuting out of black helicopters except to drive speculation about Apple Legal (or Secureworks Legal). In either case, it is a device to fuel speculation that lawyers have intervened to force the "exceedingly responsible" "position was taken" absolving him of the burden of disclosing further details.

Again, the "exceeding responsibility" of this position on full disclosure can be fairly debated, but inserting a sentence to try and deflect blame through insinuating you were forced into the position is disingenuous. Either you provide evidence that your hand was forced or take responsibility for your actions. You don't say you're being responsible, and then when people disagree point at someone else and say "it's her fault."

Further, "doesn't want to release any details about anything until Apple issues a patch" could turn out to be inconsistent with the actions taken later on in that same email. He gives specific detail on how to try and trigger a timing attack on the Centrino driver. If it's a related attack that is the posited Apple security hole, then it would appear to be some details about something. On top of what we already know about the posited problem, which is a lot more than nothing.

And lastly, there is the debatable point on full disclosure. Waiting until Apple issues a patch is not exceedingly responsible. It is exceedingly irresponsible. It leaves users hanging in the breeze, potentially vulnerable to a remote root for as long as the vendor cares to take to correct the issue, which could be several months. For instance, your Ford truck may explode, but we're not going to tell you how or why until Ford issues a service bulletin and recall.

Re:"Implies" my fanny. He says it right out.

So Apple is supposed to patch someone else's drivers for a wi-fi card that would never be used with a Mac?
Apple probably looked at these guys and laughed. </blockquote>

Silly rabbit! What the author is inplying, very transparently, is that they found an exploit in the Apple driver that is very similiar to the one in Intel's driver.

Due to his NDA with his company he can't say what he might know about Apple's driver, but he can certainly point out a similar bug and exploit with a similar Intel driver and let you infer what you will... namely that a very similar bug exists in the Apple driver.

Now, whether that's true or not... that's another story.

Apple threw dirt at him?

[Infonaut]

before they only threw dirt to make him look unreliable

Point me to the link where Apple threw dirt at him.

There are plenty of bloggers who did the research on their own and asked the right kind of questions, but I've never seen anything from Apple attacking him. Maybe you're referring to Apple pointing out that he used a third party USB device and didn't disclose any info to Apple about the exploit? I wouldn't exactly call that throwing dirt.

Re:Apple threw dirt at him?

[Hercules+Peanut]

I think you're exacty right.

The worst thing about the dirt throwing smear campaign concept is that they (he?) fired first with the "Mac user base aura of smugness on security." comment. Sorry folks, that couldn't be taken as flattery by anyone. In fact, given Apple's lawyers, you might not be surprised if they considered that the proverial throwing down of the gauntlett. It was a poor choice of words in any event and could in no way be expected to endear them to Apple.

I can hear it now: (Entering Johny Cache dream sequence)

Lynn Fox: Hey Steve, these hackers just announced an exploit and demoed it on one of our new Macbooks. They thought we would appreciate it because of our current Mac user base aura of smugness on security.

Steve jobs: Wow! That's great. Hey Lynn, how about calling the legal department and having them issue a letter of congratulations on my behalf to these very helpful young men.

Lynn Fox: I'll take care of it immediately. Would you like for me to acknowledge our failure as a company on Macworld too?

Steve Jobs: Sure Lynn, that would be swell. Oh, we might want to contact one of our programmers to see if there is any possibility of fixing this.

Lynn Fox: Good idea Steve.

Steve Jobs: Maybe we should give these guys a grant.

Lyn Fox: I'm sure our guys in legal will take care of that too.

Steve Jobs: I have a really good feeling about this.

Re:Apple threw dirt at him?

[Bing+Tsher+E]

Point me to the link where Apple threw dirt at him.

There are plenty of bloggers who did the research on their own and...

Here's my translation of what you typed:

"Point me to the link where Apple threw dirt at him.

There are plenty of bloggers who did that for Apple."

time will tell..

[Superfarstucker]

I think he will be vindicated in the future if Apple "quietly" releases an update to the wireless driver. Else, who knows.

Re:time will tell..

[Reverberant]

Great - so the next time we see an Airport update, everyone will be screaming "Maynor and Ellch were right!" despite the fact that Apple has released Airport client & base station updates before.

Re:"Implies" my fanny. He says it right out.

[bnenning]

It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks

Perhaps to you. To others, it's "blatantly obvious" that he has some weird issue with Apple and enjoys spreading FUD. His "clarification" provides no support either way.

He states that the ONLY reason he's saying something now is because he's talking about Intels drivers, not Apples

Or maybe that's all he actually has an exploit for. I don't know, and neither do you.

Re:"Implies" my fanny. He says it right out.

[Scrameustache]

This way no one can report about the 'insecurity' of the OSX platform

Then what, pray tell, are you doing right there in that post of yours?

there are no exploits, see? As long as you're patched and up to date!

That's right, they get him to shut up about the how-to, they fix the hole, and voilà: no exploits in the wild! Everybody wins.

something funny is going on here

[cheftw]

smears, cones and chafing? sounds just like apple

Re:something funny is going on here

[Mononoke]

smears, cones and chafing? sounds just like apple

Or a hot date.

Re:something funny is going on here

[gardyloo]

smears, cones and chafing? sounds just like apple

      Funny. I was thinking of Madonna in the 80's.

Re:Really Now!

Really now, can anybody come up with a good reason for him to fake something like this?

Fame? Or as they said when they did the initial "hack" they didn't like the "Get a Mac" commercials from apple? He was hoping to get away with no one asking any hard questions and he lost the bet. Plain and simple.

Re:Really Now!

[Mononoke]

Really now, can anybody come up with a good reason for him to fake something like this?

He's playing the "bash Apple" game, and enjoying the publicity? Notice his comment about Mac bloggers "not understanding" his explanations. He just wants to bash Apple, and nothing more. Probably had an employment application ignored or something. Who knows what his true motive is behind this. He sure makes it obvious that it's more about hating Apple than actually helping the security community. If Apple were actually threatening him, he'd have a registered letter or two from real lawyers he'd be happy to share with us.

Go Work Somewhere Else

[smack.addict]

If he does not like it, he should go work for another company. It's not like the government is telling him to be silent.

Re:Go Work Somewhere Else

[Goaway]

Yes, obviously proving himself right on the Internet is far more important than having a job.

Re:"Implies" my fanny. He says it right out.

[Dun+Malg]

So THAT's why Apple's oh-so-vicious lawyers let them GO AHEAD AND USE A MAC IN THE FUCKING DEMO. Riiiiiiighhht. Puleeeze.

Last I checked, lawyers generally have fuck-all authority to prohibit your use of hardware that you own, genius.

Broke silence, revealed nothing...

[Nijika]

He pretty much followed up with "uh huh, it's like, so real!" And then there was silence again. I could make it real too if I manipulated all the variables in my favor, including not actually using Apple hardware or software to perform an exploit.

So it an Apple Bug or a 3rd party bug?

[BKWatch]

OK, they are under heavy "legal" pressure by Apple. So the bug belongs to Apple -- and not to the third party wifi driver that the video shown at Blackhat refers to? Let's be clear -- the problem is not Maynor and Ellch. It's the reporting on this -- starting from Brian Krebs at the Washington Post. http://blog.washingtonpost.com/securityfix/2006/08 /hijacking_a_macbook_in_60_seco.html

Re:So it an Apple Bug or a 3rd party bug?

[MrResistor]

Who cares where the problem originates? If a USB network adapter allows someone to hijack your macbook, it IS and OSX problem, regardless of where it originates.

A secure system cannot be so trusting of third party drivers as to allow that kind of access to the system. If you're going for security, you have to assume anything you don't have direct control over is wrong and bad, and you have to account for that. Anything else is worse than a bug: it's a serious design flaw.

Re:So it an Apple Bug or a 3rd party bug?

[BKWatch]

The reason it is critical is, to quote Dave Maynor, "No, normally most Macs come with a built in Airport card, so you really don't have much use for a third party wireless card."

http://briankrebswatch.blogspot.com/2006/09/day-17 -of-brians-watch.html

Re:So it an Apple Bug or a 3rd party bug?

[ryanr]

I'm curious about what OSes you're using that are protected from buggy or hostile device drivers...

Re:So it an Apple Bug or a 3rd party bug?

[MrResistor]

Uh-huh.

And everything that's going to be discovered in physics already has been.

And there's no reason an average consumer could possibly want a computer in their home.

And...

So basically you're saying we should limit ourselves to only what small-minded individuals can concieve of, and we should expect no better from the tools that are available to us?

No matter what, it IS an OSX issue. OSX is allowing a USB network adapter to be used to hijack the system, and this points to a fundamental flaw in their security. There may also be some blame for the writer of the drivers, but from Apple's standpoint that should be a side issue.

Re:So it an Apple Bug or a 3rd party bug?

[MrResistor]

Nice strawman.

The numerical superiority of flawed implementations does not magically make this one unflawed.

Re:So it an Apple Bug or a 3rd party bug?

[GaryPatterson]

I don't think it was a straw man. I understand that device drivers have to have root-level access to function, and that applies to all operating systems. I may well be wrong, but that's the way I read the poster above. Given that, a buggy device driver can be lethal for the system (which is probably why Microsoft started the WHQL certification for drivers).

Re:So it an Apple Bug or a 3rd party bug?

[MrResistor]

Can you give me a good reason why a network driver absolutely has to have enough low level access that it can hijack the system? If not, then I still call that arguement a strawman. Just because everyone does it that way doesn't mean it's the right way to do it.

Re:So it an Apple Bug or a 3rd party bug?

[BKWatch]

I'm starting to think that problem may not be Apple at all....

From Krebster's interview of Maynor

BK: But you're saying in addition to this you've found multiple problems? You're saying that in addition to this flaw [present in the Macbook drivers] there were three others that you've been able to find?

Maynor: Right.

BK: And, so I'm clear: Two of [these] were Windows-based, one Linux-based, and one of those Windows exploits is actually in a third-party external wireless card designed for Windows?

What Mac users want to know if the exploit is for the built in airport. Maynor/Ellch have said it's only for a 3rd party card, which affects maybe in one in a 100,000 mac users (intel mac with atheros chipsets that have a particular third party USB card attached). But they can't say anything until they fix these three other flaws, which could really take a while....

As they said, there's no such thing as bad publicity....

So don't demo on a Mac!

[Cid+Highwind]

At BlackHat Johnny Cache claimed this alleged exploit is not platform-specific, he only picked a Macbook for the demo to piss off Apple fanboys. If that's so, and the exploit really works, why not demonstrate rooting Linux or Windows or if you really want to stir up security trolls on slashdot, NetBSD?

Is the exploit real? Who knows, I've seen video of someone cracking a Mac through a wireless driver. Then again I've also seen video of a virus written on a Mac taking down a fleet of invading alien spaceships...

Re:So don't demo on a Mac!

[BKWatch]

David Maynor was the one in the video, and the one sticking cigarettes into Mac user's eyes...ouch. That hurt.

Just paranoid delusions?

[masonbrown]

I still don't see any proof that Apple's lawyers have done anything.

I can imply very loudly that Microsoft has been threatening me for years, but that doesn't mean they even know I exist.

It's not tech details, it's proving it works

[eggboard]

Ellch misdirects attention very clearly. The "Mac bloggers," which include a lot of non-Mac bloggers, have generally said, look, if what Ellch and Maynor showed Brian Krebs is true, then just demonstrate the real Apple exploit without revealing details.

The article above states, "He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something." "

Thanks for the condescension! It's not necessary. I will note that no one sensible, including myself (over at wifinetnews.com) has asked for the code. Rather, we've asked for Maynor and Ellch to either state that they mislead Brian Krebs, that Apple lied when they stated the company wasn't presented with credible evidence, or that they have material that Krebs saw and Apple hadn't seen yet.

John Gruber did a face-off, not asking for the code, but asking for a simple demonstration with a $1,099 plus sales tax prize.

How does Gruber not understand the technical details when he isn't asking for them? He's asking for a black-box showdown.

Right or wrong, that's a lousy bet to take

[wethion]

What kind of a idiot would you have to be to take that challenge? There is no *way* I would take that bet, whether I knew I was right or not. If they lose, DF wins 2x: 1) DF gets a free macbook 2) DF gets notoriety for calling a bluff. They lose 2x: 1) they cough up significant cash 2) they are humiliated before their peers. Should they win, they win 2X: 1) a free macbook ( psst.. there are 2 of them) 2) they are vindicated However DFireball /still/ wins by gaining recognition for making the challenge. Sorry, only a moron whose balls ruled their brains would take that bet, and that's not a way to bet and win.

Re:Right or wrong, that's a lousy bet to take

[Cid+Highwind]

The problem with that assessment is that the DaringFireball guy has *already* won. He gets ad impressions from gazillions of slashdotters and diggers visiting his blog, he gets to look like a hero to his readers for standing up to the mean anti-mac bile spewing hacker, and he gets to make Johnny Cache look like a blowhard with code that only works on one flaky USB adapter (if it works at all), all while knowing that his $1000 is reasonably safe for the reasons you already listed.

Re:Right or wrong, that's a lousy bet to take

[wootest]

The ads from the network Daring Fireball is using are paid by a flat fee, so Gruber has no vested interest in getting "impressions" (of which I think he already gets plenty). Claiming that it's a whoring move for ad moolah (if that's what you did) is wrong - the alternative would be a long drawn-out back-and-forth, and I have a feeling we'd all bore of that very quickly, because we're already in midst of such a circus. That said, for your reasons, I wouldn't want to be Johnny Cache right now, but I can't say he didn't set this one up himself either.

Re:Right or wrong, that's a lousy bet to take

[kongjie]

You're confusing this with some kind of bizarre accounting.

If they know they can win the challenge--and it's easy enough for them to test it out, isn't it?--then they win a MacBook (pstt...which they can sell and split the funds) and they are vindicated.

DF getting recognition is not a negative thing for them. WTF do they care? They defend themselves against those who have called their claims "anti-Apple" and bullshit, and they get $500 each.

Sometimes things are a lot simpler than people make them out to be.

Re:Right or wrong, that's a lousy bet to take

[Cid+Highwind]

"Whoring" is such a judgemental word. I would call it "generating buzz"... :D

Re:Right or wrong, that's a lousy bet to take

[wootest]

If you generate buzz especially to attract ad impressions, it's more "whoring" than "buzz generation". :)

It's all so obvious

[lullabud]

At least, that's the message I'm getting from this thread. Everything about this episode is obvious. Each contradicting story is just, like, so totally obvious.

Mac Jihad...

[bigtallmofo]

The analogy is actually pretty apt. You have a group of people that basically run the world - "The West" (in this case, non-Apple users) and a downtrodden ragtag group of extremely proud people convinced that their way is better - "The Islamist Fascists" (in this case, Apple users).

It's very common for them to lash out at everyone because of their true feelings of inferiority and lack of understanding as to why everyone doesn't see the world like they do.

Case in point - I'll be modded -9 Troll in about 30 seconds as every Mac user with mod points steps on their own mother to mod be down.

Re:Mac Jihad...

[aonic]

If I had mod points, I would mod you down. Not only do you demonstrate a complete disdain for whoever you think is "inferior," you show a complete lack of understanding for the issues in the middle east.

There is no "inferiority complex" in the middle east. They aren't emo kids running around threatening to slit their wrists. It just so happens that their standards of living are ridiculously low compared to the standards of living of "the west," not directly due to us, but partially. If you grew up there, you'd be looking for someone to blame, and their government provides "the great satan" as a convenient scapegoat. Further proving their point, "the great satan's puppet in the region," (aka israel) has just rampaged through lebanon, destroying civilian targets like bridges, hospitals, and airports, further degrading their quality of life. it's lack of understanding of the kind that you have just demonstrated that has brought us into the current situation in iraq and afghanistan, as well as the US unspoken nod to israel to rampage across the middle east.

this in no way relevant to the situations of mac users, who just happen to have a different OS preference. your above statement would be like saying that whenever an african american person acts stereotypically black (whatever you might define that as) they are acting out of a feeling of self-inferiority.

think about it.

Re:Mac Jihad...

[YomikoReadman]

There is no "inferiority complex" in the middle east. They aren't emo kids running around threatening to slit their wrists. It just so happens that their standards of living are ridiculously low compared to the standards of living of "the west," not directly due to us, but partially. If you grew up there, you'd be looking for someone to blame, and their government provides "the great satan" as a convenient scapegoat. Further proving their point, "the great satan's puppet in the region," (aka israel) has just rampaged through lebanon, destroying civilian targets like bridges, hospitals, and airports, further degrading their quality of life. it's lack of understanding of the kind that you have just demonstrated that has brought us into the current situation in iraq and afghanistan, as well as the US unspoken nod to israel to rampage across the middle east.

While partly accurate, so much of this is offbase it boggles my mind.

First off, the GP said absolutely nothing about an inferiority complex. He stated that they're downtrodden and ragtag, which is true. I'm currently in Afghanistan, and the people here live in broken down mudhuts, and the vast majority of them are without electricity, indoor plumbing and running water. There's a few cars and the occasional motorcycle, but the vast majority of them walk or ride bikes to get where they're going.

Second, the vast majority of the local populations don't hate americans. There are disagreements, and there are plenty of things they don't like about us. I'm not going to deny that. However, bear in mind that this is a culture that defines itself by a religion that they take very seriously. If you look at the reality of that matter, practically every major war fought in the middle east, up until the US retaliatory invasion of Iraq for the invasion of Kuwait has centered around religion in one way or another. These people take it very seriously, and rightfully so. That does not mean the majority of them view us as 'The Great Satan' as you put it. They certainly disagree with our views on religion, however they are still very respectful of our personal views, even as they view them as strange. Case in point on this; I'm LDS, and as such don't drink tea, coffee or any of that. When offered tea/coffee, which is very much a national beverage, we're instructed by our legal teams to decline, and simply state that it's against our religion. In all cases that this has occured to my knowledge, the host has apologized for not knowing that, and things have gone on as you'd expect between two respectful individuals.

The militants and insurgents and their point of view on the west is very much in the minority, both in Iraq and Afghanistan. The problem in all of this is really the western media and their obsession with putting such a negative slant on everything, regardless of all the positive that is really being done over here.

So, since you have shown me, someone who's been over here and talked with real Afghans, I'd implore you to 'think about it' and educate yourself on what things are really like.

Cheers.

Re:My question is...

[wootest]

Yes, they probably will.

It's the thorough lack of details and crummy reporting mixed with derogatory comments that makes it hard to discern if there is an exploit to speak of at all. I know I'd have nothing to worry about if the guys would have presented their exploit neutrally (without shit-flinging Mac users for "being smug"), been detailed in exactly what the target of the attack is (they can do that without revealing details on the exact nature of the exploit) and told us that they're working with Apple to resolve it (because I don't believe for a second that Apple would tell them to put a sock in it rather than work to fix the issue). You know, the way these things are done professionally. But perhaps it's too easy to cast blame, especially since a number of reporters aside from Ellch and his collaborator have been reporting different facts.

my bad

[AlgorithMan]

sorry, didn't read the linked article and misunderstood this one
my bad

still i don't like apple ;)

Re:my bad

[Infonaut]

still i don't like apple ;)

Fair enough. There are plenty of companies I instinctually mistrust. I appreciate your follow-up post, given that so many Slashdotters focus only on winning the argument.

Re:My question is...

[BKWatch]

Well, what really set the stuff ablaze was the "cigarette in the eye" comment. What puzzles me is I can't find where that came from. In Brian Krebs's first article, he says: http://blog.washingtonpost.com/securityfix/2006/08 /hijacking_a_macbook_in_60_seco.html ""We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said. "The main problem here is that device drivers are a funny mix of stuff put together by hardware and software developers, and these guys are often under the gun to produce the code that will power products that the manufacturer is often in a hurry to get to market." Now everyone else who quoted that was just referring to Kreb's article. Did anyone actually hear (besides Krebs) Maynor make this statement? Why did only Krebs report it? Did he make that quote up? Maynor is appartenly a Mac user himself.

Re:Macjihad

[OmnipotentEntity]

Umm... something having a bug isn't an incredible claim. Sure, it's not a good thing but it happens to everyone. It's nothing to be ashamed about. Just get the bastard fixed and stop dicking about.

This isn't about a perpetual motion machine or an entropy reducing device, or even P vs. NP or Riemann's Hypothesis. This is code. This isn't world changing. Bugs happen, then they get fixed. If they want to stay silent to dodge liability let them. If there is a bug it'll be patched, if there isn't they'll fade into obscurity.

character

[grrrgrrr]

I admit that I do not understand a lot about kernel code and security but i believe i am a pretty good judge of character and somebody who is saying nothing but implying a lot so he can always weasel him self out of it like this guy is doing is not to be trusted but it may also be that all security guy's are like that and that is why they are into security ?

Fucking Slashdot...

[rincebrain]

Just RTFA and decide on your own whether or not you believe him, or wait for dozens of users to flood /. with stories about whether they triggered an exploit on an Intel driver or not.

Either way, stop complaining in ways that are irrelevant to the article.

Pathological liar

[Trillan]

Right from the top of his post, you can tell he's lying:

Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch.

Were that the case, this would still be handled behind closed doors and wouldn't have involved a demonstration. Either they have nothing, or they've already violated their own protocols. Either way, "Johnny Cache" is a liar.

Re:Pathological liar

[Bing+Tsher+E]

All I can tell from that sentence up at the top of his post is that Apple probably has his balls in a vice, and the twitchy Apple lawyer has his hand on the handle of the vice.

Re:Pathological liar

[Trillan]

Really? So you don't find it funny that he went to the public (and keeps doing so) when Secureworks policy says not to talk about a vulnerability until it has been patched?

Re:"Implies" my fanny. He says it right out.

[WaltFrench]

> It's blatantly obvious that Apple's lawyers have
> come down on him like a ton of bricks, forcing
> him to be quiet until they get a patch out.

The least likely answer, actually. From the various info, this is not even an exploit of Apple hardware or software. What's to patch?

Any Apple lawyers parachuting from black helicopters (a rather calm, reasoned metaphor, wouldn't you say?) are probably telling him that claims about *Apple OSX* insecurity that are false would be defamation. While Americans are welcome to spout their opinions, false claims of fact can be found to be libel and he could be subject enforecement of damages.

If indeed that were Apple's response, I'd keep my fat trap shut before I found out that I'd stuck not just my foot, but most of my anatomy down it. Uncomfortable.

Re:My question is...

[wootest]

That's just the thing: if Maynor did say that, it was ridiculously unprofessional of him. He's of course entitled to his own opinion, but it's not a wise move to connect it to coverage regarding the exploit because it lowers his credibility - "is he just out to zing Apple?" - especially since the other comments by Maynor in that article are technically correct and his description of drivers ring true. But the other side of the coin, as you say, is that Krebs made it up, which would have been ridiculously unprofessional of *him*.

Apple has done nothing

[YesIAmAScript]

They keep stating Apple is pressuring them, but Apple says they have not contacted Apple with any info.

They state they won't say anything until Apple patches the problem? It would speed up the process of getting it patched if they would tell Apple about it!

From what I can tell, they are pretending Apple is pressuring them because it makes them look more important.

Addtional note, what is this stuff about Intel's drivers? Apple doesn't use Intel's chipset, they use an Atheros or Broadcam WiFi chipset. Additionally, what good is getting your packet on the stack? Apple uses the NX bit, so you can't get code on the stack to execute.

Re:My question is...

[BKWatch]

I suspect Maynor said it to Krebs in a "joking" manner, and that Krebs, knowing it would make good copy, put it into his final posting. Which could also explain why Maynor/Ellch stopped talking to Krebs after the story broke -- they are a bit mad at him for throwing that in there.

Maynor is right -- Apple should get a new actor to play that dude in the ads -- he was annoying in Dodgeball and is annoying now.

But got to go back to the point -- is Krebs going to retract his claim that this exploit can be done on the native airport hardware and driver?

Re:"Implies" my fanny. He says it right out.

[Leto-II]

The reading comprehension skills you've exhibited in this post is not what I've come to expect from such a low userid.

When did 5 digit user ids become "low"? It's just recently that /. broke 1,000,000 so around 10% of the users have a 5 digit id or lower.

OK...

[PhoenixK7]

So he says this at the end of the Linux.com article:

"Let's just say its pretty obvious I'm not happy about being silent. So much so that i'm releasing non-apple bugs to convince people that we do in fact know what we're talking about."

The problem here is not that he can't show people anything that will make them shut up. Saying that he's unwilling to talk about it partly because he's worried about apple legal, and partly because the mac bloggers wont understand is garbage. Making the second sort of statement basically up the alley of anyone who is trying to sell snake oil. The "I won't explain it because you're not smart enough", just makes you seem like that much more like a liar. Hand waving, especially in a public forum will get you nowhere unless people are interested in the illusion. The underlying issue here is not really he's wounded the pride of Mac users, or that Apple is supposedly threatening him (the former is the reason for some of the stir in the community, the latter nobody will believe until there's some evidence), it is that there is precisely zero evidence demonstrating that they've done what they've said they did. Until there is documented evidence of that, nobody is going to believe this guy, and it is going to hurt his reputation and the reputations of all those around him. You cannot win a PR battle without something demonstrable. I honestly can't see why Apple would go after him if he had made the original video with a stock macbook and using Apple's drivers, that's really all people want at this point. Maybe even have a 3rd party involved, with a newly opened fresh out-of-the-box macbook, so that there's documentation that there's nothing shady going on behind the scenes. Also, he really can't complain that much here about people being whiny and wanting more information since he announced this exploit in a public manner. Show us the goods, or shut up. Apple can't sue for defamation if the claim is legitimate. So, there are two possible conclusions to draw here: either this guy is a liar or completely spineless. I'm entirely sure he cares about what everyone is saying, the fact that this is all he can offer up leads me to think that he's a liar.

Neat

[pbjones]

An intel hack for Macs. I knew that it was a mistake to move away from the 68000 line.

Wait a second...

[the+pickle]

Lemme get this straight.

According to Johnny's own post, this bug a) requires a netcat UDP listener on the victim box; and b) requires TWO Wi-Fi cards to be installed on the victim box.

Oh, and c) can only be used (so far as we know right now) to trigger a crash, nothing more.

So how is this news again? Honestly, what are the odds the above configuration can be achieved, either by malicious attack or by social engineering? I'll be the first to admit I'm no security expert, but from what he's just described, the absolute worst-case we're looking at here is a crash, and even triggering that requires me to run untrusted software AND hardware on my machine!

This is a complete crock. There's no news story here. Hell, the uproar that drunkenbatman caused a while back with his Safari Image of Doom was more warranted.

p

Re:Wait a second...

[spinja]

No, you misread. The timing attack is easiest to do if the *attacker* has two WiFi cards and the victim is running some service or another (to help with the timing). All Mac's expose port 5353 to the world, regardless of firewall setting (mDNS/Bonjour), so the listener requirement is met by default. All Windows systems listen on port 137 by default (even through XP SP2 firewall default policy). Read a little closer next time.

Re:"Implies" my fanny. He says it right out.

[NMerriam]

Last I checked, lawyers generally have fuck-all authority to prohibit your use of hardware that you own, genius.

exactly, which is why his claims of Apple "leaning on him" not to use Apple hardware for the disclosure are such obvious bullshit.

Apple claims they've never heard from this guy and don't know what the hell he's talking about.

Obviously, somebody's lying, and right now there isn't a lot of evidence pointing at Apple.

Re:Hacking...

[jdb8167]

What are you going to point EIP to? Not code on the stack since OS X uses the NX bit on the stack by default. Some code in a buffer? How do you find the address of the buffer? How do you inject the code into the buffer in the first place? I'm not saying it is impossible but it sure does sound difficult to find a useful hack with merely the return address overwritten on the stack.

I can make my Mac crash too!

[Dryanta]

If I hibernate my G4 Alumabook with a pcmcia card inserted, close it, remove the card, and then un-suspend it, it crashes every time. That is about as interesting of a thing for a user to do as install two wireless cards and a netcat listener. Should I show that at Defcon or would I be laughed at? Hint to everyone: OSes do weird things when the user does things outside of the realm of any programmer's expectations. No platform is 100% secure (OpenBSD) just like some products never had security even in mind (Win32). This entire thing has been blown way out of proportion by everybody involved; if an exploit really was discovered, one that does not require 3rd party software, I'm sure Apple will fix it asap.

Re:I can make my Mac crash too!

[csirac]

Hint to everyone: OSes do weird things

Hint to everyone: RTFA for yourself and ignore uninformed slashdot comments masquerading as authoritative ones.

as install two wireless cards

He speculates that triggering the race condition with a single NIC is possible, two NICs makes it easier. He was just telling the community what he found, and that steps should be taken by the vendors to fix it (and they did, if you read his message). Just because he couldn't trigger it with a single NIC, doesn't mean 1) We should ignore the issue 2) someone else can't

and a netcat listener.

The exploit would work on a machine that has any sort of UDP listener running on the interface being attacked. Netcat is merely useful for demonstration purposes, otherwise we'd have people concerned that e.g. a bug in Skype (if that UDP service was targeted instead) is the real vector for the exploit rather than the Intel NIC driver.

I'm sure Apple will fix it asap.

And if you had read his message, you'd see that 1) Apple has patched it already, 2) it's an Intel bug, not Apple's.

Re:I can make my Mac crash too!

[pthomsen]

And if you had read his message, you'd see that 1) Apple has patched it already, 2) it's an Intel bug, not Apple's.

Read it again. Intel has patched the bug, that's why he's talking about the Intel bug. Apple has not patched anything, let alone acknowledged the bug.

Re:"Implies" my fanny. He says it right out.

[Bing+Tsher+E]

It's almost time for somebody to 're-roll the game' here. It gets all musty like an old-farts convention when the people clinging to their 'low UID accounts' start getting haughty.

'Mae Ling Mak, Naked and Petrified,' by the way, dood.

Exploit is in the centrino driver

[mveloso]

The exploit is in the centrino driver. Everyone assumes that the Mac airport driver is based on Intel reference code, but it may not be. If it was, you would think that they would have talked about that more.

Note that for this exploit to work, the network needs to be active (ie: both cards need to be joined to a base station). Why? Because you can't send UDP packets to something with no IP address...unless they're blasting WiFi cards directly, which seems unlikely.

Re:Exploit is in the centrino driver

[eggboard]

It's tricky here because Maynor/Ellch made statements to Brian Krebs about it being a native exploit. They haven't repudiated that, and they won't comment on it. Apple's statement was about the "evidence" that Apple had received, which, at the time Apple made the statement was -- if you trust a multi-billion-dollar company familiar with shareholder lawsuits -- not evidence of an exploit.

The issue now is that Ellch won't (says he can't) talk about the Apple stuff, but says Apple will release a patch. But then he tries to bitch slap John Gruber who has put up $1,099 plus tax of his money in the proposition that without revealing any source code Ellch or Maynor would 0wn a stock MacBook.

Ellch is trying to push around the real issue here. He claims to not have been savvy enough to manipulate coverage or play with the story. Doesn't seem like it to me. He's really good at redirection and misdirection.

Re:Exploit is in the centrino driver

[BKWatch]

Glenn: I have a lot of respect for your views on this -- your reporting on the issue has been very sane.

Going back and looking at exactly what Maynor told Krebs is helpful:

Yes, it's a device driver. The thing is, there's a flaw in the OS, but I don't want to specifically point to it, so in the video you'll see I used a third-party USB device. What I'm trying to do is highlight the problems in device drivers themselves, not any one particular flaw. [Maynor misspoke here, and I later clarified this point with him. The wireless device driver that powers the internal wireless card on the Macbook contains flaws that -- when exploited -- give the attacker the ability to create or delete files, or modify system settings. The flaw is in fact in the Macbook's wireless device driver, which is made by a third party. So again, to be clear, the flaw is not, as he suggests in the transcript of this interview, in the Mac OS X operating system itself.]

http://blog.washingtonpost.com/securityfix/2006/08 /the_macbook_wireless_exploit_i.html

So, really, we don't know what Maynor told Krebs because Krebs is covering himself up with the "misspoke" clause. I blame Krebs. It's very possible that Maynor felt burned by Krebs's story and that's why he is refusing to talk with Krebs, which gives Krebs space NOT to retract his story and say he got it wrong.

I'm really starting to think the demo had a lot of "shortcuts", but if it wasn't for Kreb's introduction on the exploit being done on the native Airport hardware, and his "cigarette" quote the story would be going to sleep....

Re:"Implies" my fanny. He says it right out.

[Gideon+Fubar]

indeed.. if by 'found' you mean 'reported to Apple'.

Security work of this kind has always been dangerous, politically.. There's always a chance that you'll be arrested (or villified) for the crime of trying to stop other people using the exploit you've discovered, and there are countless examples of this occuring.

Just stop shooting the messenger. There is absolutely no benefit to reporting an exploit erroneously, and i'm sure neither Ellch or Maynor expected (or wanted) this kind of attention. If they did, they would have had something prepared.

So report anonymously

[fishbowl]

Report your exploits anonymously. Then they won't know whose balls to put in the vise, but they will be under fire to fix it.

Stop now - you're embarrasing me

[sjonke]

"I have a Mac and it's great. Unfortunately the majority of Mac users are an embarrassment. I sometimes cringe when I read the comments on Mac blogs - the Mac users make Linux fans look humble and Windows users look intelligent."

Do "Mac bloggers" make up "the majority of Mac users"? Assuming that your assertion about "Mac bloggers" is true (I don't know), can such a specific and small subset of a much larger group really be representative of the group as a whole? What's more embarrassing - a blogger or bloggers who writes something stupid, or a person who equates Mac bloggers with Mac users? Both?

He hasn't just broken his silence

[sjonke]

He ought to have his cerebellum checked out too.

Re:Macjihad

[rwhiffen]

This isn't about a perpetual motion machine or an entropy reducing device, or even P vs. NP or Riemann's Hypothesis. This is code. This isn't world changing. Bugs happen, then they get fixed

Have you been to your Doctors office lately? Code bugs can be a serious issue with a cost in human lives. The Therac-25 debacle was just one infamous example. Google 10 worst software bugs for some others. Software bugs can have more serious implications than the annoyance of getting pw0ned. In short, yes it can be world changing. Cheers, Rich

You just proved his point

[Namarrgon]

No viruses, check.

You're already wrong.

Promoting the myth of invulnerability is not going to help anyone except Apple's PR department.

Re:You just proved his point

[WatertonMan]

You're already wrong.

There's not a description for any of those. Just because something has the words OSX doesn't imply it is an OSX virus. I'm not saying there aren't OSX viruses (although I strongly doubt it). However outside of a rather contrived trojan horse I've not seen any evidence for anything.

Re:How about

[Sunburnt]

A non-disclosure agreement has to be signed by the person bound to keep quiet. He couldn't be pressured into signing an NDA if the initial claim was valid - no matter how good and numerous Apple's lawyers might be, he would simply need to reproduce his initial results to escape a finding of liability. For that matter, he'd have the grounds for a massive countersuit brought by lawyers willing to work on contingency - who wouldn't love to get a piece of Apple for a First Amendment violation?

Of course, if his results were invalid, then why would Apple feel compelled to pressure him into signing anything? They might get an injunction filed against him for libel (as opposed to an NDA, which is entirely different in application), but that would be a matter of public record, and nobody would be paying attention to this schmuck and his "cone of silence" if a court had determined that he was a libeller.

Re:"Implies" my fanny. He says it right out.

[Doctor+Memory]

If you'd RTFA, you'd have seen where he clearly spells it out:

Why am I switching the subject from Apple's bug to intel's? Because it's patched,
and Secureworks has no influence over what I say regarding this one.

It's pretty obvious that his company is not allowing him to speak. Now whether they are under duress from Apple Legal is another matter...

Pointless Attention-Getter

[iMouse]

That has to be the lamest hack I have ever seen. First of all, he was using a 3rd party wireless device, not the wireless radio actually built into the Mac. If he was so sure that his hack exploits a hole in the Apple, why didn't he just hack it through the AirPort built-in radio? How many people are actually going to go out and buy an external wireless device for a notebook that already has it built-in?

Your only reason for actually purchasing a second wireless radio would be for sniffing or packet reinjections. This is nothing but a stunt to put his name out there for people to notice. Of course, you're going to get some technologically challenged bonehead to believe him and run with it. He knows that and so do we.

Most Mac users have an arrogance about them, however, as "stupid" as you think they are, they know the difference between a serious security hole and one to yawn about. If you ask me, turning on FTP would be a bigger threat than having your Mac hacked through a wireless radio that probably .0001 % of the Mac population actually owns (and will use religiously).

Re:Pointless Attention-Getter

[keteague]

Johny Cache wrote:

Why am I switching the subject from Apple's bug to intel's? Because it's patched...

iMouse wrote:

you're going to get some technologically challenged bonehead to believe him and run with it...

And where do you stand in that arena? You not only appear to be challenged with technology, but with reading and understanding material.

Drivers as a class vs instance

[SuperKendall]

Also, the point of the Blackhat/Defcon talk was actually not about proving Macs are vulnerable--it was about proving that /drivers/ are vulnerable.

That is not very exciting, as we all know drivers CAN be vulnerable.

At question is which drivers ARE specifically vulnerable at this time? Again, it would not be an utter surprise if the Apple drivers were vulnerable - but as they get much heavier use (and therefor more testing) it is less likley than a third-party driver that is hardly used having a weakness.

Why can this simple question of the exact driver that holds a weakness cannot be answered?

Re:Drivers as a class vs instance

[Sancho]

Well, in all fairness, they've answered it. They just haven't proven it.

Submission

[SuperKendall]

It's pretty obvious that his going silent is the result of Apple putting the thumbscrews to him.

So here you have ether said he is a coward or a lier. Lets say you had proof it was an Apple driver, what thumbscrews could Apple provide that would keep you quiet? There is nothing Apple could do to you legally, especially if you released the proof anonymously.

Thus either Apple has applied pressure which he has bowed to for unknown reasons, or he's simply lying. Which is the simpler answer? Some complex coverup involving Black Helicopters and Apple or that the default drivers have good test coverage?

Use Sturgeon's law, use common sense until other evidence comes forth.

Belief

[SuperKendall]

I work in the IT security industry and I'm perfectly willing to accept that this exploit is for real.

Like you, I am a Mac user with primary emplyment in the IT security field. In fact in the (distant) past I have even worked briefly on repairing ethernet drivers in Linux.

I am also willing to believe there is a vulnerability. But there is not a tremendous amount of code in these drivers. With the coverage of testing and use the default Airport drivers receive I would find it much less likley that they would have a flaw than a third party device driver that was not used my many people at all and probably written by one person who had done little device driver programming before.

That's why proof, or at least a clear statement that "yes these drivers are defective" is in order. Because while it's easy to believe there may be a problem, the context of the current argument does not make it easy at all for me, and my informed opinion. I am not sure why you have reached a different conlusion based on evidence at hand.

Mac owners are of course going to have some kind of spyware or vulnerabilty affect them someday but it does not seem today is that day.

Also something else for you to much on... does this exploit work on both the PPC and Intel platforms? If it's any kind of instruction insertion then it has to work against one platform. So an actual virus writer, which would you choose? The Mac PPC platform which offers more numbers or the Intel platform which is where all new machines are headed? If PPC is your choice why has no-one made that choice so far, and if Intel why would you proceed with such a low yield.

Apple switching binary platforms has bought most Mac owners a few years of smugness yet as it's made writing exploits that much more difficult.

Re:Belief

[louarnkoz]

Actually, there is a lot of code in a Wi-Fi driver. I just verified that the driver for my Centrino card (NETw2v32.sys) weights at 3,704,320 bytes. (That's on Vista RC1, but I suspect Intel will use similar code on many platforms.) Maybe Intel is on the high side. It is certainly possible to write a Wi-Fi driver in less code than that, maybe 300K. But did you read Johny's black hat paper? He points out that the 802.11 family of standard is very complex. The parsing of 802.11 frames is tricky. Given the history of other parsers, from SNMP to JPEG, it is not hard to imagine that a slip here or there could result in a failure.

Checking driver security

[Space+cowboy]

I don't know about even if it is a bad driver, it's still the OS's fault for letting the driver take the whole system down, so it's still the OS writer's problem

Consider a video-card driver. That's blasting several hundred megabytes of data across the bus at any one time (say you're playing a full-screen MPEG4 with no gfx-card support for decode). Would you want the OS to validate and check every one of those transactions ? Whoops, there goes the frame-rate. Still, slow-motion is fun...

Or a SCSI-driver, connected to a high-end RAID. Again, we're transferring hundreds of megabytes/second. Your throughput just dropped "through" the floor... Hope that wasn't crucial.

Or, a network driver in a department server, serving several fibre-channel connections. Again, throughput is the victim.

My point is that sometimes you need the driver to be performing at its optimum. You can make the argument that an exploit could bring the whole machine down, and that people lose more time/work/money that way, but that's a hard argument to make, when the video-artists in the post-production suite can't transfer their video over the gigabit network fast enough any more and the clients are walking out the door...

I can see what you're saying - that the OS ought not be vulnerable to bad drivers, but to insist on verification as part of each driver transaction with the OS is broken-by-design, IMHO. Perhaps it just needs more R&D before pushing it out the door, and pen-testing ought to be part of that R&D. I very much suspect at the moment, that any driver that adheres to a spec will be sold as "working"...

Simon

Re:Checking driver security

[MrResistor]

I'm not saying every transaction has to be verified, I'm saying things should maybe be a bit more compartmentalized so when, for example, there's a buffer overflow on your network card it doesn't take down the whole system.

Your video example is pretty contrived, but you had no way of knowing that I spent 2 years repairing video servers at Grass Valley Group. And actually, the way the Profile works is a perfect illustration of my point. The user interface is some flavor NT (3.1, 4, or 2k, depending on age) running on a COTS PC card, but it's seperated from the video system. I saw several situations where Windows was hosed, even BSODed, but the video kept rolling (albeit with a potential loss of human control). Of course, it doesn't use ethernet for transfering video generally, it uses dedicated fibrechannel or one of the standard video distribution methods, like SDI.

The only time I ever saw gigabit used for video transfer was with the M-Series, and honestly there was no discernable difference from standard 100b ethernet, even over short distances with no cross traffic. But then you're really limited by the PCI bus, which is barely up to the task of saturating a 100b connection anyway. IMO, a post house that's using gig-e for video transfer is using low-end equipment anyway, and not likely to be serving the kind of customers who can afford to pay for "right here, right now" speeds. And that's fine, not everyone needs or even wants to deal with a technicolor level post house.

Re:Checking driver security

[demallien2]

To elaborate, drivers run inside the kernel (for the performance reasons cited by the parent post). They don't have all the nice protection that an OS can give in the application space. Incidently, this is one of the reasons Macs are more secure. Apple is much more of a control-freak about stuff being installed in a Mac. You can expect that the drivers for buses, harddrives, networking gear and graphics cards has been gone over by Apple engineers (testing as well as code valuations). In the PC "open system" world this simply isn't possible, leaving PCs far more vulnerable to exploits...

Enough already

[ripragged]

I'm a non-geek Mac user. I've been running Macs for 20 years. I don't own a MacBook yet. I will soon. If I did, I would have questions that would require answers that I could hang my white earbuds on. 1. Is this a viable hack that I need to be concerned about? 2. How will I protect myself from it? 3. What is being done about it in places where the geeks live? That's all. I don't really care much about who is right or wrong. I do care about the security of hardware I intend to purchase. Later on I'll decide who I should or should not listen to based on the accuracy of predictions and prognostications when compared against actual events.

Cause and effect

[Infonaut]

There are plenty of bloggers who did that for Apple

Here's my translation of what you typed:

"Bloggers who called Maynor and Ellch to task for inconsistencies in their story did so because they were mysteriously being controlled by Apple and didn't have the ability to think for themselves."

Re:Cause and effect

[Bing+Tsher+E]

The OS/2 movement had an even more zealous independent 'brigade' than Apple does.

Re:Hacking...

[ryanr]

What are you going to point EIP to?

All kinds of fun places.

Not code on the stack since OS X uses the NX bit on the stack by default

So, is NX support enabled on kernel pages?

Some code in a buffer? How do you find the address of the buffer? How do you inject the code into the buffer in the first place?

Right, so you want to know some basic buffer overflow exploitation techniques. I think I've got a book somewhere that some friends and I wrote, it covers that...

Cache doesn't really say anything

[LKM]

It should be noted that Cache still didn't come out and say whether Macs with Apple's AirPort cards are vulnerable. Gruber Specifically asks him about this on the list, and he doesn't answer it. He does say that he expects a patch from Apple, which clearly implies that AirPort cards are vulnerable, but he doesn't say it, instead claiming that Apple is legally threatening him and running a "PR smear campaign" against him - again without giving any specifics.

This whole episode is just insane. If Macs are vulnerable out of the box, why not say so (especially if you're "waiting for an patch from Apple")? If they aren't, why implying that they are?

It's entirely possible that Macs are vulnerable. Macs aren't magically secure and save from bugs. The issue with this whole thing isn't that Mac users believe that Macs can't possibly be hacked. The issue is that the people who ostensibly found the security problem don't seem to be capable of telling us what the heck they actually found and whether Macs are vulnerable, instead making vague accusations and implying stuff without giving any specifics or even a demonstration.

so...

[Pliep]

He broke the silence but still isn't saying anything. Clever.... cleverrrrr!

Ring 0 and supervisor mode

[Builder]

Please read the following:
http://en.wikipedia.org/wiki/Ring_0

On any monolithic kernel, all drivers have supervisor access. I don't know of anything that you can do in the OS to protect yourself against these.

Hell, most of Windows Bluescreens were because of shonky drivers for this same reason.

Ummm, no

[TheConfusedOne]

If they're disclosing information to a third-party then they'd be in direct violation of any gag order. An NDA or a promise not to talk doesn't cut it. If they can't talk, they can't talk.

Instead we get "hints" about "black-suited lawyers" and just how fed up the poor victim is in all this.

Re:"Implies" my fanny. He says it right out.

[99BottlesOfBeerInMyF]

It's pretty obvious that his going silent is the result of Apple putting the thumbscrews to him.

He said he was working with Apple to solve the problem before releasing the exploit. Apple said, they had never heard from him. Maybe Apple was lying or mistaken, but if they had taken legal action to get a gag order, then that statement to the press was libel and Apple will lose when he takes them to court. The alternative is that he was lying or overstating his case and that he had not contacted Apple and he was just trying to get attention. In which case he is a liar and his credibility is shot.

Re:My question is...

[Fahrenheit+450]

If you get mad a at a reporter for publishing something you said to them that was not agreed to be off the record, then you are a dumbass. The quote was in context, and one would hove to assume that it was actually said by Maynor.

If you were man enough to say it, then be man enough to live with it being printed. Temper tantrums should be reserved for little children.

Re:Hacking...

[jdb8167]

So, is NX support enabled on kernel pages?

As far as I know, just on the stack by default. I'm pretty sure you can call vm_protect() on kernel pages. I haven't done enough OS X kernel hacking to know all the details.

Right, so you want to know some basic buffer overflow exploitation techniques. I think I've got a book somewhere that some friends and I wrote, it covers that...

Yes, those weren't rhetorical questions. I am genuinely interested. If you can supply the name of a book that covers Mach and BSD hacking as it relates to OS X (even partially) I would be grateful. It seems to me that it would be very difficult to find the addresses of allocated pages.

Re:Really Now!

[Apotsy]

Maynor fired the first shot with his cigarette-stab quote. Without that, this would have been a non-story. Now it's a giant clusterfuck.

Kudos

[kaddeh]

First off, I think that it is awesome that he released a fairly nondescript step-by-step of what you have to do to exploit the wireless drivers. It is something that now you can go out and try and go 'hey this DOES work' or 'hey this DOESN'T work'. Once you manage to establish that, then you can be bitter and cynical and every other word that you can think of in a negative sense.
As for the Mac zealots out there, they make me laugh sometimes. They are always like 'oh, Mac is better than PC' blah blah blah, same shit different day. The fact if the matter is is that sooner or later, you are going to have to deal with the fact that nothing is perfect. Especially in the tech industry. That being the case, I don't think that you should be saying 'oh, the Mac is better than the PC, look at the statistics'. Fact of the matter being is that you make up 15% of the entire Computer User Base. Just think about that for a second then the the math. That is 85% of people that are using PCs. If I were to write something for a system, I'd be more likely to write it for a PC only because it's user-base is almost 5x larger. And that is my two cents.

Re:"Implies" my fanny. He says it right out.

[demallien2]

If he had a hack that works against the standard OS X drivers/hardware, he would have used a standard Mac. The fact that he used a third-party wi-fi setup speaks volumes. This vulnerability does not exist in standard Apple gear - ergo there is nothing to patch.

If there has been any pressure from Apple, I'm willing to bet that it's libel-type threats (IANAL, and certainly not an Americain lawyer).