Johnny Cache Breaks Silence On Wi-Fi Exploit
Joe Barr writes, "Johnny Cache — aka Jon Ellch — is chafing under the cone of silence placed over him and co-presenter Dave Maynor about the Wi-Fi exploit they presented at Black Hat and DEFCON last month. So he has finally broken his silence on NewsForge in hopes of ending the personal attacks coming from what he implies is a smear campaign started by Apple." (Newsforge and Slashdot are both owned by OSTG.)
Johnny Cache writes, "If you're going to post a news story that is a rehash of my post to a mailing list, I would much prefer it if people actually just read the post in its entirety."
So, is he going to take Daringfireball's challenge or not? I think his whole thing has tarnished him, and he won't recover.
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
--
NetInfo connection failed for server 127.0.0.1/local
Johnny Cache breaks silence on Apple Wi-Fi exploit
Monday September 04, 2006 (01:07 PM GMT)
By: Joe Barr
Jon Ellch -- aka Johnny Cache -- was one of the presenters of the now infamous "faux disclosure" at Black Hat and DEFCON last month. Ellch and co-presenter Dave Maynor have gone silent since then, fueling speculation that the entire presentation may have been a hoax. Ellch finally broke the silence in an email to the Daily Dave security mailing list over the weekend, and one thing is clear: he is chafing under the cone of silence which has been placed over the two of them.
Ellch explains their silence since the presentations in his email by saying:
Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch. Whether or not this position was taken after a special ops team of lawyers parachuted in out of a black helicopter is up for speculation.
He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something."
Ellch then breaks down the elements of the vulnerability and possible exploits, but in the context of Intel drivers rather than Apple's, asking and then answering the obvious question of why he did so when he wrote: "Why am I switching the subject from Apple's bug to Intel's? Because it's patched, and Secureworks has no influence over what I say regarding this one."
He buttressed his explanation of how he crashed the Intel Centrino driver by creating a race condition by flooding it with UDP packets and disassociation requests with links to dumps of crashes he caused using this technique.
Ellch notes that a crash caused this way doesn't guarantee a successful exploit, saying "If you're lucky, your UDP packet will end up on the stack. If you're less lucky, a beacon packet from a nearby network will end up on the stack. In the case where I successfully overwrote eip (Extended Instruction Pointer), the UDP packet was 1400 bytes."
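The article describes the crash being triggered by a burst of disassociation requests alongside UDP traffic. A defender cannot observe the driver race itself, but the burst of management frames that precedes it is visible from a monitor-mode capture. The following detector is an added illustration, not code from the article or from Ellch or Maynor; the log line format and the MAC addresses are constructed for this example.

```python
"""Flag 802.11 disassociation/deauthentication floods in a frame log.

Added example (not from the article or its subjects). The log format
'ts=<sec> subtype=<name> src=<mac> dst=<mac>' is constructed here; a real
feed would be exported from a monitor-mode capture.
"""
from collections import deque, defaultdict

FLOOD_SUBTYPES = {"disassoc", "deauth"}


def parse_line(line):
    """Parse one constructed log line into a dict."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {"ts": float(fields["ts"]), "subtype": fields["subtype"],
            "src": fields["src"].lower(), "dst": fields["dst"].lower()}


def detect_floods(lines, window=1.0, threshold=10):
    """Return (src, dst, first_ts, count) for every (src, dst) pair that sends
    more than `threshold` disassoc/deauth frames within `window` seconds.

    A sliding window of timestamps is kept per pair; each pair alerts once."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec["subtype"] not in FLOOD_SUBTYPES:
            continue  # beacons, data, etc. are not part of the flood signal
        key = (rec["src"], rec["dst"])
        q = windows[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop frames that fell out of the window
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((rec["src"], rec["dst"], q[0], len(q)))
    return alerts


# Constructed sample: one benign disassoc, then 12 disassocs in 0.3 seconds.
SAMPLE_LOG = [
    "ts=0.000 subtype=beacon src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff",
    "ts=1.000 subtype=disassoc src=00:11:22:33:44:55 dst=aa:bb:cc:dd:ee:01",
] + [
    f"ts={5.0 + 0.025 * i:.3f} subtype=disassoc "
    f"src=de:ad:be:ef:00:01 dst=aa:bb:cc:dd:ee:01"
    for i in range(12)
]

if __name__ == "__main__":
    for src, dst, start, n in detect_floods(SAMPLE_LOG):
        print(f"flood: {n} frames from {src} to {dst} starting at t={start:.3f}s")
```

The single disassociation at t=1.0 is normal station behaviour and stays silent; only the burst trips the threshold.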
He also responded to criticisms that he and Maynor have simply been "playing the media" instead of reporting an actual vulnerability and exploit, saying:
You know, of all the comments I see, the ones that 'we played the media' make the least sense. Have you ever seen me in the news before? No. Have I ever talked to a reporter before? No. Am I doing a very good job of winning this PR smear campaign lynn fox ignited? No. If I was so deft at manipulating the media, would I be explaining myself on dailydave praying that a few technically competent people will actually get it?
I contacted Ellch by email after reading his post and asked if he was claiming Apple is the cause of their silence. He replied:
Let's just say it's pretty obvious I'm not happy about being silent. So much so that I'm releasing non-Apple bugs to convince people that we do in fact know what we're talking about.
If that's just an 'implication', I'll eat my hat. It's pretty obvious that his going silent is the result of Apple putting the thumbscrews to him. He states that the ONLY reason he's saying something now is because he's talking about Intel's drivers, not Apple's. It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks, forcing him to be quiet until they get a patch out. This way no one can report about the 'insecurity' of the OSX platform - there are no exploits, see? As long as you're patched and up to date!
Event Management Solutions : http://www.stonekeep.com/
If that's true, I think Microsoft should hire away Apple's lawyers.
The classic defense of the madman or the liar: "What I say is true, but terrible, unspeakable things would happen were I to prove my assertion. You'll just have to take my inability to prove my assertion as evidence of its validity."
What a schmuck.
Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
Apple probably looked at these guys and laughed.
Next thing you know, these guys will be "discovering" cold fusion.
And insult the intelligence of Mac users.
That's the way to prove your point.
As someone said, show this on a "bog standard" Mac from and I'll pay attention.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
I watched that video. He says it's something in the driver... and then shows a Mac and also says it would work on a PC. Then, all Intel Mac laptops have WiFi now, but he chooses to use an external WiFi PC-Card, huh.. sorry, Express Card. I know Apple are not angels, but I just can't help being suspicious about it:
- how can a driver have the same bug on windows and macos x?
- why use this stupid external card? what are the chances it did have the same chipset as the internal one?
- and odds are the bug is a buffer overrun... does it take SO LONG for Apple to fix a stupid memory overrun?
That story won't finish well for someone. The smoke screen is too thick. Either:
- This guy did overrate some minor problem in a misleading way for Apple laptops. Oh.. a third party driver with a bug. Or it's Apple driver with only a thirdparty card. In that case, he's discredited in the domain of security for the rest of his life.
- Apple did really pressure him (as he tends to hint). They're then not only legal jackasses (we know that already) but also incompetent to fix a bug (and that surprises me). In that case the company he's discredited in the domain of security for a while, and they can quit the "virus ads.. mac is secure" for a while.
Future will tell.
It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks
If Apple's lawyers wrote a nastygram to these guys, don't you think we'd have seen it by now? The first thing anyone in a public situation like this does when they get pressure from the big players is to publicize the legal threats.
At the moment all we have is the word of someone who cast aspersions at Mac users, disingenuously claimed that he was exploiting Apple security flaws, and now claims (not so subtly) that Apple's lawyers are the reason he can't come clean.
Read the EFF's Fair Use FAQ
before they only threw dirt to make him look unreliable
Point me to the link where Apple threw dirt at him.
There are plenty of bloggers who did the research on their own and asked the right kind of questions, but I've never seen anything from Apple attacking him. Maybe you're referring to Apple pointing out that he used a third party USB device and didn't disclose any info to Apple about the exploit? I wouldn't exactly call that throwing dirt.
It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks
Perhaps to you. To others, it's "blatantly obvious" that he has some weird issue with Apple and enjoys spreading FUD. His "clarification" provides no support either way.
He states that the ONLY reason he's saying something now is because he's talking about Intel's drivers, not Apple's
Or maybe that's all he actually has an exploit for. I don't know, and neither do you.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
smears, cones and chafing? sounds just like apple
Funny. I was thinking of Madonna in the 80's.
If a job's not worth doing, it's not worth doing right.
At BlackHat Johnny Cache claimed this alleged exploit is not platform-specific, he only picked a Macbook for the demo to piss off Apple fanboys. If that's so, and the exploit really works, why not demonstrate rooting Linux or Windows or if you really want to stir up security trolls on slashdot, NetBSD?
Is the exploit real? Who knows, I've seen video of someone cracking a Mac through a wireless driver. Then again I've also seen video of a virus written on a Mac taking down a fleet of invading alien spaceships...
0 1 - just my two bits
Ellch misdirects attention very clearly. The "Mac bloggers," which include a lot of non-Mac bloggers, have generally said, look, if what Ellch and Maynor showed Brian Krebs is true, then just demonstrate the real Apple exploit without revealing details.
The article above states, "He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something." "
Thanks for the condescension! It's not necessary. I will note that no one sensible, including myself (over at wifinetnews.com) has asked for the code. Rather, we've asked for Maynor and Ellch to either state that they misled Brian Krebs, that Apple lied when they stated the company wasn't presented with credible evidence, or that they have material that Krebs saw and Apple hadn't seen yet.
John Gruber did a face-off, not asking for the code, but asking for a simple demonstration with a $1,099 plus sales tax prize.
How does Gruber not understand the technical details when he isn't asking for them? He's asking for a black-box showdown.
Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others
What kind of an idiot would you have to be to take that challenge? There is no *way* I would take that bet, whether I knew I was right or not. If they lose, DF wins 2x: 1) DF gets a free MacBook 2) DF gets notoriety for calling a bluff. They lose 2x: 1) they cough up significant cash 2) they are humiliated before their peers. Should they win, they win 2x: 1) a free MacBook (psst.. there are 2 of them) 2) they are vindicated. However DFireball /still/ wins by gaining recognition for making the challenge.
Sorry, only a moron whose balls ruled their brains would take that bet, and that's not a way to bet and win.
Jon Postel, R.I.P. You are missed.
At least, that's the message I'm getting from this thread. Everything about this episode is obvious. Each contradicting story is just, like, so totally obvious.
The analogy is actually pretty apt. You have a group of people that basically run the world - "The West" (in this case, non-Apple users) and a downtrodden ragtag group of extremely proud people convinced that their way is better - "The Islamist Fascists" (in this case, Apple users).
It's very common for them to lash out at everyone because of their true feelings of inferiority and lack of understanding as to why everyone doesn't see the world like they do.
Case in point - I'll be modded -9 Troll in about 30 seconds as every Mac user with mod points steps on their own mother to mod me down.
I'm a big tall mofo.
Yes, they probably will.
It's the thorough lack of details and crummy reporting mixed with derogatory comments that makes it hard to discern if there is an exploit to speak of at all. I know I'd have nothing to worry about if the guys would have presented their exploit neutrally (without shit-flinging Mac users for "being smug"), been detailed in exactly what the target of the attack is (they can do that without revealing details on the exact nature of the exploit) and told us that they're working with Apple to resolve it (because I don't believe for a second that Apple would tell them to put a sock in it rather than work to fix the issue). You know, the way these things are done professionally. But perhaps it's too easy to cast blame, especially since a number of reporters aside from Ellch and his collaborator have been reporting different facts.
Well, what really set the stuff ablaze was the "cigarette in the eye" comment. What puzzles me is I can't find where that came from. In Brian Krebs's first article, he says: http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco.html
"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said. "The main problem here is that device drivers are a funny mix of stuff put together by hardware and software developers, and these guys are often under the gun to produce the code that will power products that the manufacturer is often in a hurry to get to market."
Now everyone else who quoted that was just referring to Krebs's article. Did anyone actually hear (besides Krebs) Maynor make this statement? Why did only Krebs report it? Did he make that quote up? Maynor is apparently a Mac user himself.
Umm... something having a bug isn't an incredible claim. Sure, it's not a good thing but it happens to everyone. It's nothing to be ashamed about. Just get the bastard fixed and stop dicking about.
This isn't about a perpetual motion machine or an entropy reducing device, or even P vs. NP or Riemann's Hypothesis. This is code. This isn't world changing. Bugs happen, then they get fixed. If they want to stay silent to dodge liability let them. If there is a bug it'll be patched, if there isn't they'll fade into obscurity.
"Build a man a fire warm him for a day, set a man on fire and warm him for the rest of his life."
> It's blatantly obvious that Apple's lawyers have
> come down on him like a ton of bricks, forcing
> him to be quiet until they get a patch out.
The least likely answer, actually. From the various info, this is not even an exploit of Apple hardware or software. What's to patch?
Any Apple lawyers parachuting from black helicopters (a rather calm, reasoned metaphor, wouldn't you say?) are probably telling him that claims about *Apple OSX* insecurity that are false would be defamation. While Americans are welcome to spout their opinions, false claims of fact can be found to be libel and he could be subject to enforcement of damages.
If indeed that were Apple's response, I'd keep my fat trap shut before I found out that I'd stuck not just my foot, but most of my anatomy down it. Uncomfortable.
"Inquiring Minds Want to Know!"
They keep stating Apple is pressuring them, but Apple says they have not contacted Apple with any info.
They state they won't say anything until Apple patches the problem? It would speed up the process of getting it patched if they would tell Apple about it!
From what I can tell, they are pretending Apple is pressuring them because it makes them look more important.
Additional note, what is this stuff about Intel's drivers? Apple doesn't use Intel's chipset, they use an Atheros or Broadcom WiFi chipset. Additionally, what good is getting your packet on the stack? Apple uses the NX bit, so you can't get code on the stack to execute.
http://lkml.org/lkml/2005/8/20/95
The exploit is in the centrino driver. Everyone assumes that the Mac airport driver is based on Intel reference code, but it may not be. If it was, you would think that they would have talked about that more.
Note that for this exploit to work, the network needs to be active (ie: both cards need to be joined to a base station). Why? Because you can't send UDP packets to something with no IP address...unless they're blasting WiFi cards directly, which seems unlikely.
Hint to everyone: OSes do weird things
Hint to everyone: RTFA for yourself and ignore uninformed slashdot comments masquerading as authoritative ones.
as install two wireless cards
He speculates that triggering the race condition with a single NIC is possible, two NICs makes it easier. He was just telling the community what he found, and that steps should be taken by the vendors to fix it (and they did, if you read his message). Just because he couldn't trigger it with a single NIC, doesn't mean 1) We should ignore the issue 2) someone else can't
and a netcat listener.
The exploit would work on a machine that has any sort of UDP listener running on the interface being attacked. Netcat is merely useful for demonstration purposes, otherwise we'd have people concerned that e.g. a bug in Skype (if that UDP service was targeted instead) is the real vector for the exploit rather than the Intel NIC driver.
I'm sure Apple will fix it asap.
And if you had read his message, you'd see that 1) Apple has patched it already, 2) it's an Intel bug, not Apple's.
I don't know about even if it is a bad driver, it's still the OS's fault for letting the driver take the whole system down, so it's still the OS writer's problem
Consider a video-card driver. That's blasting several hundred megabytes of data across the bus at any one time (say you're playing a full-screen MPEG4 with no gfx-card support for decode). Would you want the OS to validate and check every one of those transactions ? Whoops, there goes the frame-rate. Still, slow-motion is fun...
Or a SCSI-driver, connected to a high-end RAID. Again, we're transferring hundreds of megabytes/second. Your throughput just dropped "through" the floor... Hope that wasn't crucial.
Or, a network driver in a department server, serving several fibre-channel connections. Again, throughput is the victim.
My point is that sometimes you need the driver to be performing at its optimum. You can make the argument that an exploit could bring the whole machine down, and that people lose more time/work/money that way, but that's a hard argument to make, when the video-artists in the post-production suite can't transfer their video over the gigabit network fast enough any more and the clients are walking out the door...
I can see what you're saying - that the OS ought not be vulnerable to bad drivers, but to insist on verification as part of each driver transaction with the OS is broken-by-design, IMHO. Perhaps it just needs more R&D before pushing it out the door, and pen-testing ought to be part of that R&D. I very much suspect at the moment, that any driver that adheres to a spec will be sold as "working"...
Simon
Physicists get Hadrons!
What are you going to point EIP to?
All kinds of fun places.
Not code on the stack since OS X uses the NX bit on the stack by default
So, is NX support enabled on kernel pages?
Some code in a buffer? How do you find the address of the buffer? How do you inject the code into the buffer in the first place?
Right, so you want to know some basic buffer overflow exploitation techniques. I think I've got a book somewhere that some friends and I wrote, it covers that...
It should be noted that Cache still didn't come out and say whether Macs with Apple's AirPort cards are vulnerable. Gruber Specifically asks him about this on the list, and he doesn't answer it. He does say that he expects a patch from Apple, which clearly implies that AirPort cards are vulnerable, but he doesn't say it, instead claiming that Apple is legally threatening him and running a "PR smear campaign" against him - again without giving any specifics.
This whole episode is just insane. If Macs are vulnerable out of the box, why not say so (especially if you're "waiting for a patch from Apple")? If they aren't, why imply that they are?
It's entirely possible that Macs are vulnerable. Macs aren't magically secure and safe from bugs. The issue with this whole thing isn't that Mac users believe that Macs can't possibly be hacked. The issue is that the people who ostensibly found the security problem don't seem to be capable of telling us what the heck they actually found and whether Macs are vulnerable, instead making vague accusations and implying stuff without giving any specifics or even a demonstration.