Slashdot Mirror


Five Hackers Who Left a Mark on 2006

espera un momento writes "eweek.com picks the five hackers who made a significant impact on security and vulnerability research in 2006. These are some interesting choices of the guys (and gal) who dominated the media headlines. The topics covered included Wi-Fi bugs, browser flaws and rootkits."


  1. Hackers? by lecithin · · Score: 4, Insightful

    Hackers - meaning people involved with information security.

    No, the real folks that really 'left their mark' in 2006 are yet unidentified.

    --
    It could be worse, it could be Monday.
    1. Re:Hackers? by multisync · · Score: 4, Insightful
      > Too bad the actual article merely (mis-?)used the word "hacker" in a "security professional" sort of sense


      That's funny. I was impressed with the fact that e-week didn't (mis-?)use the word "hacker" in a "criminal whose crime is in some way (or possibly not) related to technology" sort of sense.
      --
      I don't care why you're posting AC
  2. Re:Ellch and Maynor??? RTFA! by MysticOne · · Score: 3, Insightful

    From what I understand, Apple performed an audit of their code and found a few bugs that could potentially be used to exploit a Mac in a similar fashion. However, I don't think such an exploit was ever demonstrated. I think it was a good thing that Apple performed the audit and fixed the problems, but that doesn't say that the "vulnerability" Ellch and Maynor "demonstrated" was legitimate. Possible, yes, but still unconfirmed.

  3. no list of evil hackers by BrentRJones · · Score: 2, Insightful

    We will never know about the top evil hackers of the Internet, they will not leave a single fingerprint. All we will find is the results of their "exploits."

    --
    Help end the use of Sigs. Tomorrow
  4. An addendum by lightyear4 · · Score: 4, Insightful

    I think Dan Kaminsky deserves at least an honorable mention in this list. Russinovich broke the story -- Kaminsky drove it home. He's the guy who did some amazing research regarding Sony's rootkit and its spread. (Using DNS cache to ferret out statistical data was ingenious.) Now, the rootkit debacle did indeed occur in 2005; however, he published his studies on the brink of the new year. This enabled (very successful) class action lawsuits to go forward against Sony in 2006 and undeniably helped educate the general public about DRM nastiness.

    At the very least, Kaminsky is on my list.

  5. Wow, talk about missing some details by daveschroeder · · Score: 5, Insightful

    > At the Black Hat Briefings in Las Vegas, Jon "Johnny Cache" Ellch teamed up with former SecureWorks researcher David Maynor to warn of exploitable flaws in wireless device drivers. The presentation triggered an outburst from the Mac faithful and an ugly disclosure spat that still hasn't been fully resolved.

    Um, yeah, because nearly all of the news coverage of the vulnerability didn't describe it as the general 802.11 vulnerability that it was, affecting multiple chipsets and drivers and multiple operating systems, including Windows, Mac OS X, and Linux; it described it, and indeed trumpeted it, as a vulnerability that affected Apple MacBooks and Mac OS X, with most articles making at best a passing reference that it could affect other platforms, if they even said that. Stories ran under headlines like "MacBook hijacked in 30 seconds -- wirelessly", and made it appear to be exclusively an Apple problem.

    While this was made clear in their demo, they chose to demo on a MacBook with a third party wireless card whose identity was hidden - because of "responsible disclosure" - but then in the next breath tell Brian Krebs at the Washington Post that the MacBook's own integrated wireless is exploitable in the exact same way. How is that "responsible disclosure"? And to top it off, we have a SecureWorks "Senior Researcher" saying that he wants to fix Mac users' "smug" attitude about security (and this helps Mac OS X security in a meaningful way how?) and that many of these people apparently need lit cigarettes jammed into their eyes (to paraphrase). Even if said in jest or in fun, how is that professional? How does that do anything to better Mac OS X security?

    How would a change in "user attitude" change the actual security situation on Mac OS X? I don't see a change in user attitude changing anything. Many Windows users know, at least marginally, that they are the target of innumerable attacks and thousands of pieces of malware. How does that change in any meaningful way the security situation on Windows?

    More to the point: how does the press making a general and serious 802.11 vulnerability affecting numerous chipsets, drivers, and operating systems appear as only a MacBook problem serve a meaningful, or even truthful or accurate, security purpose?

    > For Ellch and Maynor, the controversy offered a double-edged sword. In many ways, they were hung out to dry by Apple and SecureWorks, two companies that could not manage the disclosure process in a professional manner. In some corners of the blogosphere, they were unfairly maligned for mentioning that the Mac was vulnerable.

    No. They were maligned for saying they espoused "responsible disclosure", even carefully hiding the third party wireless card, but then saying that the MacBook's integrated wireless was vulnerable in the same way. NO OTHER AFFECTED VENDOR OR OS was treated that way. Only Apple.

    They were maligned for being party to a Washington Post article that made outrageous accusations, like alleging that Apple "leaned on" them to not show this exploit, when there is no proof of that whatsoever.

    They were maligned because after working with Apple engineers for almost a week at Black Hat, they could not provide any information directly to Apple on how, precisely, Apple's integrated drivers were vulnerable. Should they "do Apple's work for them"? No. But these weren't hobbyists. These were people presenting under the guise of an enterprise security company with responsible disclosure, and when you unleash a firestorm of bad PR on one and only one company's new flagship consumer portable, you'd better be prepared to have a little higher degree of interaction with that one vendor.

    > However, among security researchers who understood the technical nature--and severity--of their findings, Ellch and Maynor were widely celebrated for their work, which was the trigger for the MoKB (Month of Kernel Bugs) project that launched with exploits for Wi-Fi driver vulnerabilities.

    Yes. It was great that the

    1. Re:Wow, talk about missing some details by daveschroeder · · Score: 4, Insightful

      > No, it's not true and that's what the exploit shows. There's a perception that they are invulnerable because there's just not that many exploits in the wild, but that's clearly false. They are vulnerable. Arguably not *as* vulnerable as a comparable Windows system, but vulnerable nonetheless.

      No, it is true. Security isn't just whether or not exploits can or do exist. Security is a much larger issue, which includes how often people in real-life, practical, day-to-day usage situations are actually affected by issues that cause compromises, data loss, recovery and remediation time, and so on. To date, Mac OS X has required virtually none of these, and asserting that it's only because of marketshare is false. This is also not "security through obscurity"; Mac OS X has been out for over five years, and has high market penetrations in "target rich" environments, such as academic, research, and other institutional settings. They do indeed receive scrutiny - no, not as much as Windows, and not as much as open source OSes such as Linux - but plenty of scrutiny nonetheless. These claims that the only or primary reason Mac OS X hasn't been significantly affected to date are only because of marketshare are bogus, not to mention unprovable.

      And this rtsp exploit doesn't "show" anything. There have been NUMEROUS other exploits that can affect Mac OS X (and Windows, and other OSes) in a similar way simply by just visiting a malicious web site. Some of these have been SPECIFICALLY targeted at Mac OS X, and have allowed arbitrary code execution simply by visiting a malicious web site. Are these vulnerabilities severe? Yes. Am I saying this is a good thing? No. I'm saying this is NOTHING NEW, and doesn't prove anything other than Mac OS X, like any other operating system or large software product, has bugs, some of which can be exploited as vulnerabilities. No sensible person claims otherwise. What matters is how Apple responds to the issue.

      > No, this is twisting my words and attacking a straw man. Small marketshare does not equate to lack of software. [...]

      No, I'm not saying you said that, and not doing the strawman thing at all. What I'm saying is exactly what I said: that the "Macs have only been relatively trouble free because of low marketshare" is virtually identical to the "Macs have no software [presumably because so few people use them]" argument: they're both at the same time false and passively insulting, as well as untrue.

      > But marketshare does contribute to how fast a virus propagates. There's a critical mass associated with epidemics and virus propagation. Too few and the incidences get caught within the first few systems. It's ridiculous to claim that userbase and marketshare is not important.

      Wow. I didn't. I said: "Sure, [low marketshare] doesn't hurt, and probably helps a great deal." Elsewhere, I have said the same thing. Marketshare is absolutely a great protector against the kind of critical mass it's relatively much easier to accomplish on Windows.

      But that is not the only thing that protects the platform! There are other factors as well, such as Mac OS X shipping in a reasonably secure state by default, and not providing facilities and vectors for spread of malware as easily and sometimes ridiculously as they have on Windows. Does this mean it's impossible on Mac OS X? Of course not.

      But I also take issue with this use of "from remote" in security nomenclature in general. There is a HUGE difference between a worm that spreads and/or owns machines completely remotely and externally, with no user interaction of any kind, and someone having to visit a malicious web site (and yes, I know there is precedent for inserting something into, say, advertising on popular sites). As we sit here and talk about this rtsp exploit, dozens (hundreds?) of affected Windows machines at my location alone are being cleaned up from the latest completely remote and automated Windows worm.

      Which is a preposterous statement giving your

  6. Re:Enlightening, but not much Impact by Timesprout · · Score: 3, Insightful

    It doesn't. All the quality tools and books Mark has produced earned him that title.

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  7. Ellch and Maynor are a joke. by DaggertipX · · Score: 2, Insightful

    Exactly, I can point at any OS and say "Hey, I bet there's a security issue there". I can also promise you that if a researcher with talent and skill looks at it, they will find one. This does not mean that I've found a vulnerability, only that I can state the obvious.
    Maynor and Ellch have lost all credibility as far as I, and many others, are concerned. They behaved in an irresponsible and unprofessional manner, and I don't think I'll be able to trust any information they release in the future because of this publicity grabbing stunt.
    If you want to work in this type of field, you can't make fantastic claims and then back out on providing proof if you want to be taken seriously.
    On a sidenote: I also think having them on this list is an insult to the others that are included.

  8. It's how he found it... by Anonymous Coward · · Score: 1, Insightful

    > How does discovering the Sony rootkit earn one the title of 'hacker'.

    He found it with a rootkit detector he made on his own.