Slashdot Mirror
Johnny Cache Breaks Silence On Wi-Fi Exploit
Joe Barr writes, "Johnny Cache — aka Jon Ellch — is chafing under the cone of silence placed over him and co-presenter Dave Maynor about the Wi-Fi exploit they presented at Black Hat and DEFCON last month. So he has finally broken his silence on NewsForge in hopes of ending the personal attacks coming from what he implies is a smear campaign started by Apple." (Newsforge and Slashdot are both owned by OSTG.)
Johhny Cache writes, "If you're going to post a news story that is a rehash of my post to a mailing list, I would much prefer it if people actaully just read the post in its entirety."
Johhny Cache writes, "If you're going to post a news story that is a rehash of my post to a mailing list, I would much prefer it if people actaully just read the post in its entirety."
So, is he going to take Daringfireball's challenge or not? I think his whole thing has tarnished him, and he won't recover.
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
--
Johnny Cache breaks silence on Apple Wi-Fi exploit
Monday September 04, 2006 (01:07 PM GMT)
By: Joe Barr
Jon Ellch -- aka Johnny Cache -- was one of the presenters of the now infamous "faux disclosure" at Black Hat and DEFCON last month. Ellch and co-presenter Dave Maynor have gone silent since then, fueling speculation that the entire presentation may have been a hoax. Ellch finally broke the silence in an email to the Daily Dave security mailing list over the weekend, and one thing is clear: he is chafing under the cone of silence which has been placed over the two of them.
Ellch explains their silence since the presentations in his email by saying:
Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch. Whether or not this position was taken after a special ops team of lawyers parachuted in out of a black helicopter is up for speculation.
He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something."
Ellch then breaks down the elements of the vulnerability and possible exploits, but in the context of Intel drivers rather than Apple's, asking and then answering the obvious question of why he did so when he wrote: "Why am I switching the subject from Apple's bug to Intel's? Because it's patched, and Secureworks has no influence over what I say regarding this one."
He buttressed his explanation of how he crashed the Intel Centrino driver by creating a race condition by flooding it with UDP packets and disassociation requests with links to dumps of crashes he caused using this technique.
Ellch notes that a crash caused this way doesn't guarantee a successful exploit, saying "If you're lucky, your UDP packet will end up on the stack. If you're less lucky, a beacon packet from a nearby network will end up on the stack. In the case where I successfully overwrote eip (Extended Instruction Pointer), the UDP packet was 1400 bytes."
He also responded to criticisms that he and Maynor have simply been "playing the media" instead of reporting an actual vulnerability and exploit, saying:
You know, of all the comments I see, the ones that 'we played the media' make the least sense. Have you ever seen me in the news before? No. Have I ever talked to a reporter before? No. Am I doing a very good job of winning this PR smear campaign lynn fox ignited? No. If I was so deft at manipulating the media, would I be explaining myself on dailydave praying that a few technically competent people will actually get it?
I contacted Ellch by email after reading his post and asked if he was claiming Apple is the cause of their silence. He replied:
Let's just say its pretty obvious I'm not happy about being silent. So much so that i'm releasing non-apple bugs to convince people that we do in fact know what we're talking about.
If that's just an 'implication', I'll eat my hat. It's pretty obvious that his going silent is the result of Apple putting the thumbscrews to him. He states that the ONLY reason he's saying something now is because he's talking about Intels drivers, not Apples. It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks, forcing him to be quiet until they get a patch out. This way no one can report about the 'insecurity' of the OSX platform - there are no exploits, see? As long as you're patched and up to date!
Event Management Solutions : http://www.stonekeep.com/
If that's true, I think Microsoft should hire away Apple's lawyers.
The classic defense of the madman or the liar: "What I say is true, but terrible, unspeakable things would happen were I to prove my assertion. You'll just have to take my inability to prove my assertion as evidence of its validity."
What a schmuck.
Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
Apple probably looked at these guys and laughed.
Next thing you know, these guys will be "discovering" cold fusion.
NetInfo connection failed for server 127.0.0.1/local
It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks
If Apple's lawyers wrote a nastygram to these guys, don't you think we'd have seen it by now? The first thing anyone in a public situation like this does when they get pressure from the big players is to publicize the legal threats.
At the moment all we have is the word of someone who cast aspersions at Mac users, disingenuously claimed that he was exploiting Apple security flaws, and now claims (not so subtly) that Apple's lawyers are the reason he can't come clean.
Read the EFF's Fair Use FAQ
before they only threw dirt to make him look unreliable
Point me to the link where Apple threw dirt at him.
There are plenty of bloggers who did the research on their own and asked the right kind of questions, but I've never seen anything from Apple attacking him. Maybe you're referring to Apple pointing out that he used a third party USB device and didn't disclose any info to Apple about the exploit? I wouldn't exactly call that throwing dirt.
Read the EFF's Fair Use FAQ
At BlackHat Johnny Cache claimed this alleged exploit is not platform-specific, he only picked a Macbook for the demo to piss off Apple fanboys. If that's so, and the exploit really works, why not demonstrate rooting Linux or Windows or if you really want to stir up security trolls on slashdot, NetBSD?
Is the exploit real? Who knows, I've seen video of someone cracking a Mac through a wireless driver. Then again I've also seen video of a virus written on a Mac taking down a fleet of invading alien spaceships...
0 1 - just my two bits
Ellch misdirects attention very clearly. The "Mac bloggers," which include a lot of non-Mac bloggers, have generally said, look, if what Ellch and Maynor showed Brian Krebs is true, then just demonstrate the real Apple exploit without revealing details.
The article above states, "He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something." "
Thanks for the condescension! It's not necessary. I will note that no one sensible, including myself (over at wifinetnews.com) has asked for the code. Rather, we've asked for Maynor and Ellch to either state that they mislead Brian Krebs, that Apple lied when they stated the company wasn't presented with credible evidence, or that they have material that Krebs saw and Apple hadn't seen yet.
John Gruber did a face-off, not asking for the code, but asking for a simple demonstration with a $1,099 plus sales tax prize.
How does Gruber not understand the technical details when he isn't asking for them? He's asking for a black-box showdown.
Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others
Ah, much like the slashdot community with Microsoft
The only difference is most of us don't need a rigged demo to break into a Windows machine...
The analogy is actually pretty apt. You have a group of people that basically run the world - "The West" (in this case, non-Apple users) and a downtrodden ragtag group of extremely proud people convinced that their way is better - "The Islamist Fascists" (in this case, Apple users).
It's very common for them to lash out at everyone because of their true feelings of inferiority and lack of understanding as to why everyone doesn't see the world like they do.
Case in point - I'll be modded -9 Troll in about 30 seconds as every Mac user with mod points steps on their own mother to mod be down.
I'm a big tall mofo.
So what if he is? If his hack works, it works. Period.
An attack on his personality doesn't invalidate that.
Under capitalism man exploits man. Under communism it's the other way around.
"- how can a driver have the same bug on windows and macos x?"
Quite simply; the Intel card is, in both cases, doing things like UDP and TCP offload from the main system. This means the card and driver together have an internal state in software to manage it, and (due to the asynchronus nature of networking) you can get the hardware and driver software's core into a situation where they don't agree on the state.
The small glue layer that deals with the OS hooks is a static translation layer that wouldn't be involved. The SB Live! and Audigy drivers in Linux are the same driver as the Windows Creative driver (well, they were about 6 years ago when they contributed the code). nVidia uses the same driver code on all platforms as well. For anyone who's written a driver, this is easy to understand.
"- why use this stupid external card? what are the chances it did have the same chipset as the internal one?"
He uses it because it's a timing race, and because it's easier to demonstrate with 2 cards in the system. With a 4000 microsecond delay, this means it's likely taking a bit longer for the OS to service the interrupts between the two cards; enough that the driver bug can show itself. There are likely other ways to tickle this bug that don't require multiple cards, but then you'd have to have something running on the OS. Still, If you setup a machine to throw packets around, you could make an intermittent crash bug appear on an OS -- that's not cool.
"- and odds are the bug is a buffer overrun... does it take a SO LONG for apple to fix a stupid memory overrun?"
A stupid memory overrun? Man, you haven't programmed ever, have you? A timing related bug in device driver code is probably the second hardest bug you'll ever encounter to debug (the first would be the core of the OS itself). Concurrent programming is difficult.
It's responses like these that show why this person had been light on detail. Most people lack the technical background in OS design to understand this issue.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Umm... something having a bug isn't an incredible claim. Sure, it's not a good thing but it happens to everyone. It's nothing to be ashamed about. Just get the bastard fixed and stop dicking about.
This isn't about a perpetual motion machine or an entropy reducing device, or even P vs. NP or Riemann's Hypothesis. This is code. This isn't world changing. Bugs happen, then they get fixed. If they want to stay silent to dodge liability let them. If there is a bug it'll be patched, if there isn't they'll fade into obscurity.
"Build a man a fire warm him for a day, set a man on fire and warm him for the rest of his life."
Then he should post the details for those of us who understand what he's talking about, and leave the other people to wallow in their own ignorance.
Deliberately withholding information because of some nebulous "threat" that has never been proven smacks of misdirection and just more "shell-game" antics by some folks who have a personal beef with Apple.
I don't really care if they hate Apple's userbase with all the bile of Hell... if they're serious about this and are not just faking the results to be pissy children, then come out with it. Otherwise, they just need to STFU.
Claiming that he won't reveal details because "no one understands" sounds like HE doesn't understand most likely.
It's the Stay-Puft Marshmallow Man.
Most Mac users insult their own intelligence.
I have a Mac and it's great. Unfortunately the majority of Mac users are an embarrassment. I sometimes cringe when I read the comments on Mac blogs - the Mac users make Linux fans look humble and Windows users look intelligent.
I work in the IT security industry and I'm perfectly willing to accept that this exploit is for real. The pattern of events is not abnormal: the exploit will be demonstrated at a conference but because of NDA the details remain under wraps until the manufacturer releases a patch. I've seen delays of 12-18 months before details are released for Windows exploits, despite seeing the exploit demonstrated in person at blackhat conferences. A delay of a few weeks for an Apple exploit doesn't even raise my eyebrows.
The only difference here is that Apple users are so goddamn fanatical that they'll rabidly attack anybody who says their platform is any less than perfect. They don't know the security field, they don't understand the technical discussion - those quotes Johnny provided of clueless Mac users were riotous - yet they feel qualified to give opinion. I used to work with this guy who was brilliant at finding and exploiting security holes. He took a G3 Mac running stock standard OSX and proceeded to demonstrate exploit after exploit; not based on his OSX skill but purely on his knowledge of the underlying free software. I was at a blackhat conference where they demonstrated a local privilege escalation exploit that existed all the way up to Tiger - they had told Apple about it years previously but it wasn't until they broke their NDA and went public that Apple fixed the fault. The same presentation at that conference demonstrated an OSX kernel exploit that still exists today.
Mac users are in for a rude shock. They've told each other their platform is secure. The rumor mills repeated the "OSX is secure" mantra. But the mantra has no foundation in reality. Most Mac users do not run AV, do not shutdown services, and run with wide-open wifi and bluetooth settings. They have an undeserved complacency regarding security and it will lead to a fall.
Hint to everyone: OSes do weird things
Hint to everyone: RTFA for yourself and ignore uninformed slashdot comments masquerading as authoritative ones.
as install two wireless cards
He speculates that triggering the race condition with a single NIC is possible, two NICs makes it easier. He was just telling the community what he found, and that steps should be taken by the vendors to fix it (and they did, if you read his message). Just because he couldn't trigger it with a single NIC, doesn't mean 1) We should ignore the issue 2) someone else can't
and a netcat listener.
The exploit would work on a machine that has any sort of UDP listener running on the interface being attacked. Netcat is merely useful for demonstration purposes, otherwise we'd have people concerned that e.g. a bug in Skype (if that UDP service was targeted instead) is the real vector for the exploit rather than the Intel NIC driver.
I'm sure Apple will fix it asap.
And if you had read his message, you'd see that 1) Apple has patched it already, 2) it's an Intel bug, not Apple's.