Slashdot Mirror
MacBook Wi-Fi Hijack Details Finally Released
Wick3d Gam3s writes "Hacker David Maynor attempted to put the strange tale of the Macbook Wifi hack to rest, and offered an apology for mistakes made. All this and a live demo of the takeover exploit was made at a Black Hat DC event yesterday. Maynor promised to release e-mail exchanges, crash/panic logs and exploit code in an effort to clear his tarnished name. Said Maynor: 'I screwed up a bit [at last year's Black Hat in Las Vegas]. I probably shouldn't have used an Apple machine in the video demo and I definitely should not have discussed it a journalist ahead of time ... I made mistakes, I screwed up. You can blame me for a lot of things but don't say we didn't find this and give all the information to Apple.'"
...that he could gain complete access over the machine? Frankly, I wouldn't even be surprised if he did some old-fashioned reverse-engineering of the patch to create the exploit for the older boxes.
Apple came out with a patch that addresses this issue:
i jack+flaws/2100-1002_3-6118245.html
http://news.com.com/New+Apple+patch+plugs+Wi-Fi+h
The article doesn't mention if the machine he used in the demo had this patch. And if so, that may imply that the patch has holes.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I await the promised publishing of the email exchanges with Apple on his blog. If he shows that he actually did provide Apple with details on the exploit, then he might restore some credibility. As it stands, however, his demo yesterday sounds like more of the same obfuscation that has characterized this whole incident.
1) In the original demo, he gained command-line access to the target machine (using a third-party wireless card). The claim was made to Brian Krebs in the Washington Post that the built-in wireless was similarly vulnerable (which would be far more relevant, since all MacBooks have built-in wireless). Yesterday's demo showed a crash of the target machine. That's bad, but he still has not demonstrated a takeover of the MacBook using the built-in wireless after all this time.
2) The fact that Apple's patch addresses the flaw that caused the crashing does not prove that Maynor engaged in responsible disclosure. Apple has said that Maynor provided them with no code or other details about the exploit, and that they did their own investigation. The investigation, according to Apple, revealed a flaw, leading to the patch. The issue is NOT whether a flaw existed. All Maynor demonstrated was that Apple's security patch works, which is really not that enlightening.
Why didn't he simply show a repeat of the same thing he demonstrated before--a takeover of the machine?
Because "a magician never repeats a trick."
"How to Do Nothing," kids activities, back in print!
So, let me get this straight
1) he finds a bug, but he can't quite manage to exploit it. He can crash the machine (and that's a bad thing) but it doesn't *necessarily* mean he can exploit it.
2) There's a big conference coming up, and he knows he'll get the headlines if he announces anything bad about Apple. That's just the way of the world. Dammit, he *still* can't find the exploit.
3) The deadline arrives, he can't exploit the machine, but he goes ahead and gives the demo (faking the evidence with a different machine), confident that he'll get there eventually.
4) He hides behind "legal issues" (even now, he won't reveal emails) to prevent himself from being exposed as the liar he appears to be.
This series of events is just about the worst thing a researcher can do. It's like an athlete taking steroids - there will be no forgiveness, no olive-branch will be offered; his reputation is irredeemably tarnished, because he lied for personal gain. We *need* to be able to trust people publishing exploits, and if this means his career is in ruins, I say "Hurrah!" The less people like this around in the business, the better.
I just want to also point out that I don't recall any lawyers being involved at any time in this dispute - neither party claimed lawyers were involved (he said Apple "leaned on" his employers, whatever that means, but lawyers were never mentioned.)
Apple claim he released insufficient technical details to them to help them in their investigation, so they had to go to the trouble of doing a full internal audit of a large source tree (and all the time, he's spreading disinformation and tarnishing their name). They find and fix some bugs, and now he's in an even worse position - his crash "exploit" won't work.
So, now, he releases the "details" - he's given up trying to exploit the original OS, and brushes that small point aside in the "details". He tries to save as much face as possible instead of admitting he was just plain wrong - he's basically covering his ass. Does anyone else think "details" ought to actually show the information he claimed to have (like being able to take control of a Mac in 60 seconds) ?
In science, there are two fundamental maxims
1) Don't falsify the data.
2) Extraordinary claims require extraordinary evidence. (*)
He failed, on both of these, as far as the world can tell.
(*) "Extraordinary" here means in the technical sense - the first exploit of any kind requires unequivocal proof. I don't care if it's OSX, Windows XP, or Linux - show the data. Prove the case. Don't wave your hands around and babble.
Simon.
Physicists get Hadrons!
Apple admitted the vulnerability WAS a root exploit.
No, Apple said it could be used to run arbitrary code with system privileges.
Just like I could step outside my door and find $10,000 rolled up in a neat little ball. Doesn't mean it is likely to happen, but it could.
Theory and practice are two completely different things.
So he just demoed (and thus released) the DoS, not the root exploit - which he DID have the code to perform but didn't want to release (by demoing). Except that the patch for this vunerability was released months ago. Yet that didn't stop him from (trying) to do the demo at Black Hat 2006, when there would have been just as many sniffers in the audience.
From someone who already threw out their credibility, that really doesn't inspire confidence.
I was at that Black Hat talk in Vegas. They didn't do the demo--they showed a video of it. They did it this way PRECISELY because there were sniffers in the audience.
No. That is a link to a story with a great lack of details and a number of still unsubstantiated claims.
There is still no public supporting evidence for his clams -- he hasn't even posted his personal correspondence with Apple yet, something he'd been free to do since day one.
Maybe he'll get around to it someday... who knows. But for now it's still just a lot of words with no support.
-30-
Theory and practice are two completely different things.
not in theory.
It really kills you that somebody who saw his presentation now believes him doesn't it.
Not at all. Though it does bother me that someone is willing to call something truth when there is still no evidence made public to substantiate it.
And regardless of how reputable The Register is, the article provides no information that support the reporter's conclusions. And until Maynor publishes those emails, there won't be any. He's already posted two updates to the blog since his presentation, including one that pertains to why he can't release his old work emails, but he hasn't yet made the personal ones available (nor has he even claimed that his old company won't allow him to release the old emails, just that they aren't his property and that releasing them without permission could be bad -- has he even asked for permission?).
Cases like this call for as much disclosure as is possible, and he hasn't come close to that yet. It's still a bunch of "oh, I plan to do this" and "oh, I could do that" with no backup. Either provide all of the info that you can, or shut up. That's all that's been asked since day one.
-30-
I refer the honourable gentleman to the reply I gave some moments ago - if he can do it, he ought to do it. Until he does it, I don't believe he can do it.
So, here's your example: the exact "exploit" he's claiming to be able to perform.
No, it's not. Which is why I used "in the technical sense" in the original comment. "Extraordinary" means "out-of-the-ordinary" - the claim is not run-of-the-mill, it's the first remote exploit of an Apple laptop. The proof should also be bulletproof (actually, right now I'd settle for just proof, not incontrovertible evidence!) At the moment, all we have is a load of hot air and bluster.
Simon.
Physicists get Hadrons!
I'm still waiting for a demo of this phantom exploit on a Windows machine:
"Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security."
"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said." -- Hijacking a Macbook in 60 Seconds or Less
Actually, what I'm really waiting for is for Maynor to stop opening his mouth.
Don't become a regular here -- you will become retarded.