Hacker Publishes Notorious Apple Wi-Fi Attack

inkslinger77 writes "It's been about a year since David Maynor claimed to have found a way to take over a Mac using a flaw in a Wireless driver. He's now published his work for public scrutiny. Maynor had been under a nondisclosure agreement, which had previously prevented him from publishing details of the hack, but the NDA is over now and by going public with the information, Maynor hopes to help other Apple researchers with new documentation on things like Wi-Fi debugging and the Mac OS X kernel core dumping facility."

Link to the actual paper

[langelgjm]

Here's a link to the actual paper.

And here's the important part:

Getting Code Execution

The result of this flaw is that many things beyond the Extended Rate buffer in the ieee80211_scan_entry structure are corrupted. In a traditional stack overflow, control of execution flow is obtained directly by overwriting an important value, such as the return address. The corruption caused by the ``Extended Rate'' bug is more complicated due to the apparent lack of adjacent control structures.

The most promising avenue for getting execution can be found in a function named ath_copy_scan_results. This function uses the fields that are overwritten to copy memory. An attacker can control the size of the copy and the source of the copy. In addition to crashing reliably on the same data, the size of the memcpy is two bytes wide meaning that up to 65535 bytes can be copied. Since the destination of the memcpy is a structure that ends with a function pointer, the hope is that enough data can written outside of the destination buffer to the point where the function pointer is overwritten. In this way, the next time the function pointer is called, the caller would instead jump to whatever address is now stored in the function pointer. In other words, this represents a two-stage overwrite. The first overwrite does not provide direct code execution, but it allows an attacker to create a second overwrite that will. The Beacon packet contains a number of buffers one can use for this second-stage overwrite. Thus, an overflow in one buffer in the packet (the Extended Rate IE) allows an attacker to control how a second buffer is copied (in this case, the Robust Security Network (RSN) IE). It is the copying of the second buffer that will permit code execution.

Responsible disclosure

[packetmon]

Love him or hate him Maynor did the right thing waiting to come out with his paper. Even with an NDA, anyone can publish something anonymously which he didn't do. Its sinful that corporations don't take this into consideration when dishing out credits to security researchers. As for the NDA, I'm going to guess it was probably with Atheros. For those looking for the page with Maynor's attack, its here OS X Kernel-mode Exploitation in a Weekend... Don't know why contributor didn't link it.

Re:Responsible disclosure

[shird]

Microsoft will only credit you in a bulletin if you disclose a security flaw responsibly. Don't know about other corporations, but I would've thought MS were fairly significant.

Re:Responsible disclosure

Don't know why contributor didn't link it.

Probably had his own NDA with Cowboy Neal.

Re:Responsible disclosure

[A+non-mouse+Coward]

Love him or hate him Maynor did the right thing waiting to come out with his paper.

That may be, but I'm really dreading his second paper:

"Maynor will soon publish a second paper on [some unimportant website] explaining how to write software that will run on a compromised system"

What exactly is the ethical and economical model that David Maynor operates within?

Really good sleuthing

[BadAnalogyGuy]

What gets me most of all is how the wifi stack was able to be crashed with just data.

First he bombards the network with random packets. Then the actual packet in question may not cause a crash for up to 5 minutes. Then he tracks down which packet it was and how using the contents of that packet he can use another packet to set up a code execution exploit.

Really good work. And no cookie for Apple whose driver choked on data.

Re:Really good sleuthing

[daveschroeder]

This affected more than the just the chipsets and drivers in use in Apple laptops. It could be used in the same fashion on any affected chipset, potentially under various drivers on multiple OSes. The MacBook was just chosen as a point of principle to show that Macs, too, can be vulnerable to such attacks. This was noted in the initial coverage in the IT press at the time, but was quickly ignored in favor of a neverending flow of sensationalist articles claiming that any attacker could now easily take over MacBooks - and only MacBooks - at will in less than 30 seconds, and wirelessly to boot.

Unfortunately, the opposing storm of FUD was just as bad, making it appear that the whole wireless vulnerability was a hoax, when in reality it was probably one of the more important general WiFi/driver vulnerabilities in recent memory. The choice of how to disclose was extremely poorly managed, and to make statements to the effect that you essentially wanted to stick it to Mac users when working under the guise of a supposedly professional and reputable security firm was what caused the problems. He embarrassed the hell out of SecureWorks by ending up with a firestorm of press that was massively bad PR for Apple.

So what, you say? It was bad press for Apple, and ONLY Apple. No other vendor of manufacturer got nailed by this in any substantive way. With Apple having such low marketshare, how is it fair for only Apple to be targeted in press articles about this? Not Maynor's fault? No, not exactly, but some of his initial choices for handling are absolutely what led to the situation. I'm sure he had little idea this would occur and just got caught up in the world between security research and disclosure on one side, and corporations and mainstream media on the other.

Re:Really good sleuthing

The MacBook was just chosen as a point of principle to show that Macs, too, can be vulnerable to such attacks.

But that's unpossible! Macs have cool ads, and they make fun of that PC guy who is always crashing with security problems.

So what, you say? It was bad press for Apple, and ONLY Apple. No other vendor of manufacturer got nailed by this in any substantive way. With Apple having such low marketshare, how is it fair for only Apple to be targeted in press articles about this?

Apple denied the problem existed, and threatened them - that's why this made the news. Compare this with the well-known similar flaw in some broadcom wireless chipsets (used by many vendors, including Dell & Linksys) that came out last fall. A fix came out, and the problem was solved.

How Apple handled the problem is the issue. Similar to Oracle claiming that their database is "unbreakable". Oracle is a solid product, but certainly not unreakable.

Re:Really good sleuthing

Note that the crash was not repeatable in the open-source drivers which Apple based theirs on, because they had added bounds checking in the relevant places.

Re:Really good sleuthing

[daveschroeder]

Apple denied the problem existed, and threatened them - that's why this made the news. Compare this with the well-known similar flaw in some broadcom wireless chipsets (used by many vendors, including Dell & Linksys) that came out last fall. A fix came out, and the problem was solved.

Apple denied the problem existed because - and I'm not saying this can be proven, but it's what was said at the time - Maynor couldn't show Apple engineers who were at the conference how the exploit worked with the MacBook's integrated wireless; certainly not in any practical way. The fix Apple ended up deploying was essentially, from what I can tell, by applying Maynor's theoretical claims about the vulnerability and then independently discovering the vulnerability in their own code. Some might say that is enough. I'd argue that when you are a security researcher working under the guise of responsible disclosure for a reputable enterprise security research firm and telling the Washington Post directly and explicitly that the MacBook was vulnerable as-is with the stock integrated wireless, today, you have an OBLIGATION to give the vendor the information to solve the problem.

I take very serious exception to the "threat" issue. It was insinuated and implied that Apple "threatened" them. There is NO PROOF that ever occurred, and, on top of that, threatened them how? Legally? Physically? I mean, come on. An Apple engineer saying, "Uh, I don't think you should frame your demo this way...it could be bad news," if something like that occurred, isn't a "threat". And if Apple substantively threatened them in any other way, there will be proof...a letter, an email, a voicemail, anything. If someone is going to claim that Apple threatened them in any meaningful way "off the record", I'm sorry, but that's bullshit.

How Apple handled the problem is the issue. Similar to Oracle claiming that their database is "unbreakable". Oracle is a solid product, but certainly not unreakable.

No, nothing is unbreakable and Macs are vulnerable just like anything else.

Re:Really good sleuthing

[himself]

Dave wrote, in part:
>
> This affected more than the just the chipsets and drivers in use in Apple laptops. It could be used in the same fashion on any affected chipset,
> potentially under various drivers on multiple OSes. The MacBook was just chosen as a point of principle to show that Macs, too, can be
> vulnerable to such attacks. This was noted in the initial coverage in the IT press at the time, but was quickly ignored in favor of a neverending
> flow of sensationalist articles claiming that any attacker could now easily take over MacBooks - and only MacBooks - at will in less than 30
> seconds, and wirelessly to boot.
>

      I am reminded of the story about "iPhones kill WLANs" some time ago, featuring Cisco & Apple gear, which ultimately turned out to be more along the lines of "Interference From Devices On Unregulated Bands Interferes!" But you know, tht's not qute as sexy, is it?

- Will

Re:Really good sleuthing

[daveschroeder]

I am reminded of the story about "iPhones kill WLANs" some time ago, featuring Cisco & Apple gear, which ultimately turned out to be more along the lines of "Interference From Devices On Unregulated Bands Interferes!" But you know, tht's not qute as sexy, is it?

That was an interesting story. Actually, the headline would have been "Bug In Cisco's Own Wireless Hardware Brings Down Same". It turned out that it wasn't an iPhone issue at all, and was a bug in Cisco's code. Unfortunately, the story had already made it out to everyone, including AP again which equates to hundreds of hundreds of local news outlets, that iPhones "brought down" a major university's network. When it was discovered that it was really exclusively Cisco's fault and had nothing to do with the iPhone (except perhaps for the iPhone exposing the problem in a way), were there any retractions or corrections? Outside of the very narrow IT and networking press, nope, not at all.

Re:Really good sleuthing

[Tim+Browse]

What gets me most of all is how the wifi stack was able to be crashed with just data.

As opposed to..?

I don't know if you've been keeping up, but an awful lot of vulnerabilities are triggered by providing 'just data' to the target.

NDA?

[10Ghz]

Isn't it against the NDA to say that you are/were under an NDA?

Re:NDA?

[Alphager]

Isn't it against the NDA to say that you are/were under an NDA? Depends on the NDA.

Re:NDA?

[StarfishOne]

The first rule about and NDA: "You don't talk about an NDA". The second rule about an NDA is: " You don't talk about an NDA".

Re:NDA?

[nine-times]

I'd tell you the answer to that, but I'm under and NDA.

Re:NDA?

[bkr1_2k]

No. I've signed several NDAs and none of them had a stipulation that I not speak of the fact that I was bound by the NDA. It all depends upon the wording of the specific agreement.

Re:NDA?

[Nazlfrag]

I'd tell you, but I'd have to NDA you first.

Re:NDA?

[Bearhouse]

Ah yes, but which NDA? He could always claim, (if sued under NDA 1) that he actually was talking about (non-existant) 'NDA 2' under the terms of which he could talk about the NDA restrictions but nothing else...

*brain explodes*

Re:NDA?

[mollymoo]

Isn't it against the NDA to say that you are/were under an NDA?

I can neither confirm nor deny that.

An object lesson

Everything about this -- from the initial announcement, to the ensuing controversy, to the eventual publication of the attack -- goes to show the futility of security-through-obscurity. Only open source systems like Unix can be made reasonably secure. Closed source systems are inherently much more likely to be compromised.

Re:An object lesson

Not to mention the futility of security-through-fanboyism. How's the fuckhead Gruber gonna weasel his way out of this one?

Re:An object lesson

"Only open source systems like Unix.."

The naïveté of this post made me laugh! +2 Humor of Stupidity!

Author: If you didn't get that, let me explain. Traditional Unix(TM) based operating systems are notorious for being highly proprietary, and their sources closely guarded secrets. Recently, of course, some unix-like vendors such as Sun have decided to open-source those OSes, but this is the exception, not the rule.
    Let me further inform you that Apple's OS X most definitely *IS* a unix-like OS as well, being based on the Mach kernel hosting Darwin, which is a variant of BSD and thus open-source. Thus, Apple's kernel, at least, is open-sourced to a degree, though the overlying GUI, and probably the network driver involved here, are not. What you probably meant to refer to in your elitist rant was GNU/Linux, and/or BSD. To that end, vulnerabilities in both do arise occasionally, so don't think that FLOSS is a magic safe-guard against imperfect code.

Re:An object lesson

[TheCoelacanth]

Traditional Unix(TM) based operating systems are notorious for being highly proprietary, and their sources closely guarded secrets. Recently, of course, some unix-like vendors such as Sun have decided to open-source those OSes, but this is the exception, not the rule.

The original Unix sources were widely available. Only later did Unix and most derivatives have secret source code. I agree that it's silly to call all Unix operating systems open source though.

Re:An object lesson

[SplatMan_DK]

Only open source systems like Unix can be made reasonably secure. Ahemm... the flaw is not platform or OS related. It is related to a specific series of Wifi chips and drivers, regardless of which OS is installed on the host computer.

This flaw can be exploited on Unix, Linux, BSD, Windows, OS X. If the Olsen-twins made an OS using the same hardware and code base for network drivers, their Olsen-twin-OS would have the same flaw as well. In fact, the wide application of this flaw is the main reason it is truly newsworthy.

I politely recommend reading the article, and studying the problem in more depth before your next post.

Re:So does this mean

neither, since iirc it was a hardware driver problem

Re:So does this mean

[Teifion]

That Micro$oft still sucks, or it's just attacked more because it has more installations? If you believe CAD, it'd be the latter

This WASN'T an "Apple WiFi hack"!

[daveschroeder]

Yes, it affected Apple, too, but It was a general "hack" that affected WiFi chipsets on other platforms, including non-Apple hardware, Windows, and Linux!

That's the whole point of why people took issue with this, and it's still being perpetuated here!

The way it was presented, even if Maynor didn't intend it as such, especially in all of the press coverage - first IT press, then mainstream, CNN, hundreds of local papers via AP, you name it - was that it was an "Apple" WiFi hack only, and that anyone could easily and quickly completely take over your MacBook remotely.

The stories just got repeated and regurgitated over and over, even though it was a flaw that affected a lot more than Apple; indeed, the most interesting thing about the vulnerability was its universal nature and applications!

Also, in the initial reports, Maynor and Ellch hid the brand and vendor of external wireless adapter they used for the demo because of, according to them, "responsible disclosure", but then had no problems saying the exploit worked identically on a stock MacBook. So if it was important to hide the brand of the wireless adapter they used for the demo, why was it not equally important to hide the fact that the chipset in a MacBook was vulnerable? How is it fair for this to appear as an exploit affecting only Apple, appearing under headlines like "MacBook hacked in 30 seconds - remotely via wireless!"

Given that Mac users apparently needed to have "lit cigarettes stuck in their eyes" - and whether that was a joke or not, I don't see how that's professional coming from someone who is a "security researcher" presenting findings under the guise of what purports to be a professional security outfit - it appeared that the choice to use a MacBook for the demo and the ensuing firestorm of publicity was done exactly for that reason.

Would this have been news if they had used a Dell or Lenovo laptop running Windows or Linux, even if they also still said that this affected multiple platforms, including Mac OS X?

Re:This WASN'T an "Apple WiFi hack"!

[CaymanIslandCarpedie]

Would this have been news if they had used a Dell or Lenovo laptop running Windows or Linux, even if they also still said that this affected multiple platforms, including Mac OS X?

It wasn't even all that interesting of news being OS X. Sure it was an interesting attack and would have had been carried by some security and trade publications and probably would have shown up on /. etc, like all interesting attacks do.

What made this story interesting and thus gave it legs (and why we are still discussing it today all this time later) is the reaction it got from Apple devotees. Consider it a parrallel to the Mohammad cartoon. It never would have been widely reported because it isn't all that interesting. What made it a huge worldwide story was the insane reaction it got from raging devotees of Mohammad. Same thing here. It was the insane reaction from so many of those who worship at the alter of Jobs which made this story interesting and thus have legs.

Re:This WASN'T an "Apple WiFi hack"!

[GaryPatterson]

Come on, it looked pretty suspicious. He demonstrated a security hole, refused to detail it, it turns out he used a third-party WiFi card instead of the built-in card... Who would just accept that and say "well, it's a fair cop?"

Some Apple fans got a bit rabid. Not because a security flaw was found - there have been a good number of those since OS X started, and resposible disclosure has never caused users to go apeshit before - but because of the way the flaw was publicised without any real information. On top of that, he made that crack about stabbing Mac users in the eye with a pencil. What was that about? Who says these things and expects no reaction whatsoever?

Then he started saying he'd had death threats. Still haven't seen the threats and apparently they were serious enough to publicise but not enough to call the police in. I lost touch with the story when it seemed to be just poor reporting with low information content and pissy blog wars.

And now a secret NDA is up and he can talk about it. Well, good for him. It's about a year too late, but there's still publicity to be made I see.

Re:This WASN'T an "Apple WiFi hack"!

Don't let the facts get in the way of a good bash of Apple users. :) Most people, still... even on /., cling to the mistaken notion that the mere _use_ of a macbook was the reason for the flap. I know there are zealots... there are nutjobs... hell, there are even cultish morons who wear turtlenecks in veneration... but this was not about them... this was about a jerk who had his little moment in the sun backfire on him because he neither thought things through nor was truthful in his disclosure.... feeling more inclined to make fun of Apple users than showing a true security problem.... if there was one, focus on the _problem_ and not "sticking a pencil in the eye of Mac users"....

His asshat behavior and comments, his use of, as you said, a 3rd party card, and his subsequent bull regarding "death threats" and some sort of Apple conspiracy to "silence" him that made him the butt of ridicule... only those still clinging to the Apple user stereotype can miss that.

He tried some publicity stunt... and it backfired. Pure and simple... but this is /., so you still get the "cult of Jobs" and "apple worshiper" flap with each and every response. :)

Stories like this make /. look like Digg.com with better grammar.

Re:This WASN'T an "Apple WiFi hack"!

[CaymanIslandCarpedie]

he made that crack about stabbing Mac users in the eye with a pencil

Granted, I certainly think he was trying to maximize the publicity and that statement certainly set the stage for the reaction that was to come. However, at least to me (and I'd assume many others) it was the reaction which was a bit surreal and made it interesting.

And now a secret NDA is up and he can talk about it. Well, good for him. It's about a year too late

I have seen many saying the same basic thing in response to this release of information, which I find a bit strange. A bit simplified view of what happened (at least in my eyes):

David Maynor: We found a successful attack which effects Mac OS X and this deomonstration will show it to you!!!! BTW you Apple guys are losers.
Apple supporters: Give us details on the attack or you are a liar!!!!!
David Maynor: I'm legally unable to at this time.
Apple supporters: Your a dirty liar!!! I knew it!!!! My Mac isn't vulnerable!
David Maynor: It is but I really cannot talk about it right now. I've shown it in action but cannot yet release details
Apple supporters: Shut up and die you lieing maggot!!!!!
....... David Maynor: OK, I'm now legally free to discuss the details of the attack and here are all the details. Enjoy!
Apple supporters: We don't care about your stupid details! Shut up and go away!!!!

Re:This WASN'T an "Apple WiFi hack"!

On top of that, he made that crack about stabbing Mac users in the eye with a pencil.

Who doesn't? I use a Mac and most members of the "Mac community" makes me want to do exactly that.

Re:This WASN'T an "Apple WiFi hack"!

[pla]

Yes, it affected Apple, too, but It was a general "hack" that affected WiFi chipsets on other platforms, including non-Apple hardware, Windows, and Linux! That's the whole point of why people took issue with this, and it's still being perpetuated here!

Linux folks readily admit when kernel modules have bugs in serious need of repair. Windows users pretty much accept poor security as a fact of daily life.

But Mac users... They would call a dead pixel a "feature intended to relieve eye-strain from prolonged use - Not that the gorgeous appearance of OS-X could ever cause eye strain, but Steve just loves us all that much, always looking out for us".

So when an actual, undeniable vulnerability appears, well, you'll have to forgive us for rubbing a bit of salt in the wound.

Re:This WASN'T an "Apple WiFi hack"!

[squiggleslash]

You know Dave, I'm really disappointed in this reaction and the reaction of most others in the Mac community on this news.

To address your point first: The hack was an Apple WiFi hack. It was presented that way because that was the news. The fact one could use the same exploit as a basis of a means to hack other operating systems was really not news - Windows is hackable, everyone knows that, and even GNU/Linux doesn't have a reputation for being invulnerable. Meanwhile Mac OS X, the operating system with the second highest mindshare, was promoted by most of its supporters, including at times Apple, has being free of the viruses and malware that plague Windows, and suddenly Maynor found there was a massive hole in that. So what was news was that this hack affected that operating system. To claim otherwise would be like to claim news that a thirty floor building suddenly being underwater in the middle of New Orleans is not a story, because the same flood affected all the single floor buildings surrounding it.

More importantly though, the Mac community spent an enormous amount of time trying to destroy Maynor's credibility, including misrepresenting his video and claiming there was no such bug, and that he was lying when he claimed to be unable to reveal the hack due to an NDA. It would be nice to see people who fed into that smear campaign at least acknowledge that the chief allegations against Maynor et al were wrong: he really did have an exploit, it was serious, he was unable to give details out due to an NDA, you may not understand the reasons why he presented it the way he did but there really is no evidence whatsoever of dishonesty on his part. He really does deserve an apology.

Re:This WASN'T an "Apple WiFi hack"!

[daveschroeder]

squigglesquash,

I'm not apologizing for the behavior of the Mac fanboys afterward, and I already said that in one of my other posts.

But the very initial coverage stated that other WiFi drivers for similar chipsets on other platforms were already proven vulnerable. This wasn't some pie-in-the-sky theoretical claim; it was specifically stated that drivers Linux and Windows WERE vulnerable to the SAME exploit mechanism, and that the MacBook was chosen to just show that "Macs can be vulnerable too".

FUDing the story they way they did was wrong, but the damage was already done. If this were on Windows or Linux, this NEVER would have gotten picked up in the mainstream press. I say "mainstream" because that is an important distinction. The story was covered with none of the technical nuance or accuracy required, and left MILLIONS more people with the impression, even if only in passing, that "MacBooks" could be owned wirelessly in 30 seconds. Not any laptop. Not Windows. Not Linux. Just MacBooks.

If you can tell me how that's fair to Apple or how that helps Apple users, I'd appreciate it.

Also, I will say that the FUD reaction from the fanboy crowd did NOT help Apple users, and in fact did lasting damage to the Mac security situation. But if you can explain to me how the coverage, or saying that smug Mac users need lit cigarettes jammed in their eyes, or making it appear that the vulnerability ONLY affected MacBooks, or hiding the third party wireless card they used in the initial demo because of "responsible disclosure", but then immediately turning around and saying the integrated wireless in a MacBook was identically vulnerable - if you can explain to me how any of those "helped" the Mac community, I'd appreciate it.

Re:This WASN'T an "Apple WiFi hack"!

[GaryPatterson]

I'd write it a little differently:

DM: We found an attack which affects OS X and demonstrated it at a security conference. Also, you Mac users deserve a lit cigarette in your eyes.
AS: Give us details or admit you're lying!
DM: No details, because someone (aside, stage whisper hey George Ou - tell everyone it's Apple) won't let me speak. Legal eagles make me go hush now.
AS: You're a dirty liar! What's all this about using a non-Apple WiFi card? This proves you engineered a fake hack!
DM: I'd love to tell you why you're all wrong, but can't because I'm being leaned on by a company I can't name. I wonder who could be doing that..? Besides, someone sent me an anonymous email with a vague threat, which proves Mac users are all rabid dogs.
AS: Put up or shut up. Admit you're lying!
DM:...

A year passes, seasons come and go, the planet traces a circle of about 450M km around the Sun, people fall in and out of love, some are born, some die, interests change and people forget the whole thing.

DM: Hey everyone! It turns out I can talk now because an NDA (won't say who with, but you can probably guess) is over! My reputation is intact because here are all the documents I've held onto for a year! But I don't care what any of you think.
AS: O... kay... Would've been nice to know this all back then, and if you played it better you may have looked less like a publicity-seeking asshat and more like a responsible researcher with real information. The flaw was real, but you never reported it to Apple, Microsoft or any other OS vendor. People suspect the NDA was with Atheros but you haven't even said this much. It's still very suspicious, and you've never accounted properly for the use of that WiFi card.

And why did he sign an NDA and then play it up for the crowds so much? He knew he couldn't talk, but he dropped hints and made veiled references. Wouldn't the right thing, the responsible thing, have been to not make lots of public statements about something he signed an NDA not to detail?

Maynor played the publicity game with a hand he couldn't reveal for a year. By the time he could show his hand, the game had ended and everyone else had left the table. We all moved on. He could've done things a lot better, but he seems to have wanted shock and awe. It still stinks, and he's in no way off the hook for the farrago that whole incident became.

Re:This WASN'T an "Apple WiFi hack"!

[Vokkyt]

David Maynor: OK, I'm now legally free to discuss the details of the attack and here are all the details. Enjoy! Apple supporters: We don't care about your stupid details! Shut up and go away!!

Okay, but that's not entirely in context. Yeah, a lot of Apple Folk aren't going to care about this anymore for one reason and one reason alone; at this point, it is irrelevant to most end users. Why? Well, the vulnerability has since been patched; the only thing that drudging something like this up does is spread more garbage about the "insecurity" of the Macbook, OS X, etc. The story, as it is and as it was, is more about OS X than the actual bug that was found in that chipset/driver. It's true; OS X may only be mentioned once, but it's THE brand name mentioned, and when it comes down to it, a lot of journalists are looking for the quickest way to attach a name to an item.

Truth be told, I doubt that many actual publications could run a full story on Maynor's findings because simply put, he's getting way too technical. A responsible publication would opt to not publish, as they really can't do much more than associate the flaw (wiFi hack) with the name (Apple). Unfortunately, we don't always have the most responsible journalists.

I think that Apple folk have some what of a right to be pissed at his presentation method. If he thinks that he needs to stick it to the Apple folk for believing that they don't need to live in constant threat of their computers being overtaken by *insert virus/malware of the week*, fine, but truthfully, at that point, releasing data and associating it with Apple is just douchebaggery and somewhat sullies the reputation of the researcher, who should theoretically be above such nonsense. (Before anyone comments, yes, calling his actions douchebaggery or using the word in general sullies my reputation, but I'm not presenting as an expert is the difference)

What Maynor has is a wonderful research project; I just wish he'd understand that he messed up a little in his choice of actions when citing Apple in specific. Demonstrating the effect on just one more laptop model (Dell D620, for example), would have made all his problems go away.

Re:This WASN'T an "Apple WiFi hack"!

[shinma]

You don't hang out on mac boards much, do you?

The whining over how "awful" the black level on the new iPod Touch is, the "I'm unimpressed," attitude every time Apple releases something, simply because the mac rumors community builds every announcement up to be the second coming... Much of the Apple Faithful are disappointed when it's only revolutionary.

Apple fanatics are vicious to Apple. They devour their god, and their bloated bellies are never full.

Re:This WASN'T an "Apple WiFi hack"!

[DurendalMac]

What I'm still wondering about was Maynor's video where he plugged in the disguised USB stick, then claimed to hack it...even though the MAC address he hacked was registered to Apple. Why not just say he was hacking the Airport? And why not demonstrate this hack when he had the chance instead of just KPing the machine remotely? It almost sounds like he never had the hack and had to dig for it for a while to make it work. Maybe I'm wrong. Can anyone clarify?

Re:This WASN'T an "Apple WiFi hack"!

[russotto]

Does this hack indeed work in a stock Macbook, and if so why wouldn't he just use the stock Macbook WiFi card?

My cynical suspicion is that he hadn't gotten the exploit to work on the MacBook stock WiFi card at the time, and rather than wait until he could and risk being "scooped", he tried to bluff.

Even more cynically, it's possible he had nothing on Apple at the time, later reverse-engineered his exploit from Apple's patch, and the exploit on the third-party card was something else entirely.

Re:This WASN'T an "Apple WiFi hack"!

http://www.wifinetnews.com/archives/007121.html

Doesn't the D620 use a Broadcom card? Didn't Jon Ellch release that code?
Seems like it was demostrated on other notebook models.

Re:This WASN'T an "Apple WiFi hack"!

[stewbacca]

Yes, it affected Apple, too, but It was a general "hack" that affected WiFi chipsets on other platforms, including non-Apple hardware, Windows, and Linux!

Considering it was a third party wireless device, it would only be logical that Macs would be the least affected by this hack, because very few Mac users (less than 1%?) would ever bypass the built in wireless for a third party solution. So this hack is more of a danger to Windows machines, which are far more likely to be sold without built-in wireless, thus requiring the user to puchase and install the device that allowed the hack in the first place. Correct me if I'm wrong, but that is my recollection of the hack.

If this guy ever hacks a MacBook's built in wireless with typical user settings, then this would be an Apple story. As it is now, it is a story about how insanely obsessed the anti-Mac crowd is with trying to break OS X and only lends further credence to Apple's claim of OS X's excellent security (good enough for the Department of Defense and the NSA, in some cases).

Re:This WASN'T an "Apple WiFi hack"!

[stewbacca]

Your post sounds convincing enough, but please correct my memory, in case I've forgotten something. He hacked a third party wireless adapter. EVERY Mac sold comes preinstalled with their own flavor of wireless adapter. This guy couldn't (or at least didn't) hack the Mac's built in wireless, he hacked a third party. Since nobody that uses a Mac buys third party wireless adapters, then this hack is no threat and is not Apple specific. What am I missing here?

Re:This WASN'T an "Apple WiFi hack"!

[curty]

I'm not familiar with the background to this story, but his paper suggests to me that it was Apple specific, viz:

Apple based their driver on [the Madwifi and net80211] open-source projects.

All research to this point showed that the Extended Rate buffer [overflowing] was the culprit but the madwifi source code had a check for a maximum length before the copy happened.

The code found within the driver shows that although there is a length check in the open source driver, it's not actually present in the OS X binary driver. Have I missed something?

Re:This WASN'T an "Apple WiFi hack"!

[stewbacca]

You are rubbing salt into the wrong wound. You need to find out what third pary wireless adapter he used, and rub salt into their wounds. Find me 5 Mac users who use that specific wireless adapter...no wait, find me 5 Mac users who use ANY wireless adapter other than the one that ships preinstalled, or find me somebody who can hack the Apple wireless adapter and I slit a big wound for you anywhere on my body, and you can pour as much salt in as you like.

Re:This WASN'T an "Apple WiFi hack"!

[LWATCDR]

Well while I don't think his pencil in the eye comment was in any way useful the reaction to it was just as useless. Apple fans like way to many Linux fans make comments about the security of there OS that are just silly to the point of dangerous. I am a Linux user and while it is my experience that Linux systems tend to be much more secure than Windows systems they are not perfect. The same is true for OS/X.
The NDA does bother me. I think he should have at least been able to say. This card has a security issue and the manufacture has been notified and given an example of the exploit.
It would then be up to the manufacture to produce a fix in a reasonable amount of time and then identify the exploit.
As to publicity? Well Apple users should understand the value of publicity, Apple sure does.

Re:This WASN'T an "Apple WiFi hack"!

[stewbacca]

There is no cynicism in your post, just truth. This whole conversation is wrapped up with your post. Thank you! I still don't see what's so hard to understand that this guy hacked a third party device that was plugged into a Mac that NOBODY uses anyway, so it's a non-issue. Had he hacked the stock WiFi, he'd have a point. Hell, even suggesting that the same technique WOULD work on the built-in WiFi (but without actually doing it) would have more credibility than this. It is scary that all the anti-Mac crowd has to do is get catch a wiff of the words "vulnerable" and "Mac OS X" in the same sentence to be sent into a frenzy like they always do. Get back to me when you actually have something...thanks.

Re:This WASN'T an "Apple WiFi hack"!

[daveschroeder]

Yes...this Apple WiFi hack IS Apple specific, because, well, it has to be.

But the vulnerability they discovered was a general one, and they explicitly stated that it could be applied to affected WiFi drivers and chipsets under other OSes, including Windows and Linux. Their discovery resulted in patches for this flaw in various WiFi drivers on various OSes. They picked Apple to make the point that "Macs can also be vulnerable" to such things.

So while the Apple exploit is specific to Apple, it is an application of the more general important vulnerability they discovered, at least as far as they claimed both in the presentation and in the subsequent interviews with Brian Krebs of the Washington Post.

Re:This WASN'T an "Apple WiFi hack"!

"To claim otherwise would be like to claim news that a thirty floor building suddenly being underwater in the middle of New Orleans is not a story, because the same flood affected all the single floor buildings surrounding it. "

In this case, I'd say the flood is the story, and not just the one building (no matter how tall it may be).

I think the analogy is applicable to this wifi hack as well.

Re:This WASN'T an "Apple WiFi hack"!

[Joe+U]

On top of that, he made that crack about stabbing Mac users in the eye with a pencil

That's really uncalled for. I always recommend a kick in the groin instead.

http://www.thebestpageintheuniverse.net/c.cgi?u=macs_cant

Re:This WASN'T an "Apple WiFi hack"!

[0123456789]

You are such a troll.
Pot, meet kettle...

Re:This WASN'T an "Apple WiFi hack"!

[nine-times]

My cynical suspicion is that he hadn't gotten the exploit to work on the MacBook stock WiFi card at the time, and rather than wait until he could and risk being "scooped", he tried to bluff.

Well I don't know whether that's true, but I just think the choice is curious. I don't know why I got modded "flamebait". It's just strange to make part of the point of your demonstration be that Apple's stock hardware is vulnerable but refuse to demonstrate using Apple's stock hardware. I was hoping that, in hindsight, someone might have something more than suspicions.

Re:This WASN'T an "Apple WiFi hack"!

[E+IS+mC(Square)]

The MacPlanet. You see, the force is strong there and hence the 450M km.

Re:This WASN'T an "Apple WiFi hack"!

[nine-times]

From my reading various stories at the time, I'd put the conversation more like this:

Maynor: I have this way that I can hack any Mac in 30 seconds, using stock Apple hardware and a normal install of OSX. I'm doing this because all Mac users are horrible people and morons who deserve to be tortured. By the way, I'm only going to demonstrate this using 3rd party hardware and 3d party drivers. And I won't disclose any details. And this hack also works on other platforms who have the same hardware and drivers, but let's not talk about that...

People with any sense: Um.... WTF are you talking about. Your methods are suspicious, your comments are inflammatory, and if you're a decent security expert, you should disclose enough information so that people can fix the bug. We don't trust you.

A couple random people: This guy's an asshole and a liar.

Anti-Mac crowd: Look at all the Apple fanboys, foaming at the mouth. They're insane!!!

Maynor: I won't respond to anything people are saying, because... um... I'm not allowed to.

People with any sense: Ok, screw it. You're being useless so we'll ignore you.

Some random Mac user: You suck. Shut up and die.

Maynor: But pay attention to me!!! I'm getting death threats!!!

People with any sense: What the hell is wrong with you?.

Anti-Mac crowd: Look at all the Apple fanboys, foaming at the mouth. They're insane!!!

...Months pass...

Maynor: Ok, now I'm allowed to talk about all this, so I'll inform you all that I was disclosing a bug that was fixed a long time ago, and that has already been documented.

People with any sense: Whatever... This isn't really a story anymore.

Anti-Mac crowd: Look at all the Apple fanboys, foaming at the mouth. They're insane!!!

Re:This WASN'T an "Apple WiFi hack"!

[bjsadler]

Funny, I was thinking the same exact thought as I was reading the posts here...

Re:This WASN'T an "Apple WiFi hack"!

[JoshNorton]

If he's not ready to disclose responsibly (or at least without talk of lit cigarettes in eyes), maybe he should wait.

That much of the Macintosh user community responded poorly to him shouldn't be surprising - sensationalist ass-hattery usually does not go over well.

Also, if his NDA is such an issue then maybe he shouldn't have jeopordized his professional reputation by not being able to ... well, disclose ... what he's claiming.

He just came out as exceptionally immature and unprofessional. (And having Krebs and Ou trumpeting didn't help, that's for sure.)

Re:This WASN'T an "Apple WiFi hack"!

[JoshNorton]

Hey, now. If YOU knew how delicious gods were, you'd not blame us for gorging ourselves.

Nummy gods.

Re:This WASN'T an "Apple WiFi hack"!

[blast3r]

During the actual exploit didn't you notice the MAC address was not a third party but was one for Apple? IP Address was 192.168.1.50 MAC address was 00:17:F2:41:31:6D MAC Address Prefix Vendor 0017F2 Apple Computer This was covered but a lot of people either didn't see it or just chose to ignore it. I am going to bet he did that ifconfig on purpose knowing that people that really pay attention will see that. Or he did that to just throw confusion in the whole deal. http://www.smallworks.com/archives/00000461.htm http://www.smallworks.com/~jim/maynor_exploit_video.mov And for a little humour me$ whois microsoftie.com Registrant: Microsoft Corporation One Microsoft Way Redmond, WA 98052 US Domain name: MICROSOFTIE.COM Administrative Contact: Administrator, Domain domains@microsoft.com One Microsoft Way Redmond, WA 98052 US +1.4258828080

Re:This WASN'T an "Apple WiFi hack"!

[Vokkyt]

The D620 had several different chipsets that it could end up using, IIRC. I may be thinking of the earlier D6xx models, but I thought that the D620s were on the same chipset. And though the demonstration had different models, his focus was on the Macbook, even though he was supposedly being fair and not naming names, which is a little back-asswards in my opinion. If he was really that concerned, he wouldn't have even put a mac on screen, as simply put, as much as a lot of people hate Macs, they are still iconic, to the degree that a complete tech-newb could probably spout out a few statistics on the Macbook without ever having handled one.

My point wasn't so much that he's picking on Mac; it's that his presentation originally was in bad taste, and when the public commented on it, he sort of went into a fit on it. A tiny fit, but it was enough to really sully his reputation and make what should have been a great research video into a bunch of FUD. The approach he probably should have done was to show the proof of concept on other machines as well as the Macbook, which would have incited less of a response, and a little more understanding in the matter.

Re:This WASN'T an "Apple WiFi hack"!

Looks like 'people with security knowledge' and 'people who understand the terms of a legally binding contract' don't fit in the subset of 'people with any sense'.

pity that.

Re:This WASN'T an "Apple WiFi hack"!

[GaryPatterson]

Apple fanatics are vicious to Apple. They devour their god, and their bloated bellies are never full.

Best single line on Slashdot today. It almost sounds like some kind of ancient Greek myth, or a line from a particularly good Penny Arcade comic.

Re:This WASN'T an "Apple WiFi hack"!

[martinX]

Apple fanatics are vicious to Apple. They devour their god, and their bloated bellies are never full.

Fantastic imagery. Love it. And I say that as an Apple fan, though not quite a fanatic.

Re:This WASN'T an "Apple WiFi hack"!

[GaryPatterson]

Okay, I forgot my basic trigonometry. And I got my AU wrong (not by much)

C = 2 x pi x R
      = 2 x pi x 149,597,870,691 m
      ~ 939,951,143,111 m

I was out by a factor of two-and-a-little-bit, and the Earth's orbit isn't perfectly circular anyway, but the thing I was trying to get at was the sense of scale, the sense of proportion.

Simpsons Quote

[GaryPatterson]

"Great! Send it to last year, when I might have cared."

Okay, I changed "week" to "year."

The reaction was AFTER the news coverage

[daveschroeder]

Yes, it did get a huge reaction.

That was AFTER it had already been picked up by the press, including mainstream non-IT press, under sensationalist headlines, and with no mention in the article that anything BUT Apple's new flagship portable was affected.

This was in the first two days before there was any rabid or insane reaction that anyone in any of these news outlets knew about (except for maybe Krebs at the Washington Post, who seemed determined to give this story legs at any cost).

The story ran under headlines like "New Mac laptops vulnerable" and "MacBook hacked in 30 seconds - wirelessly". The story ran not only in the traditional IT rags, which sometimes had the journalistic accuracy to also say the vulnerability could affect other hardware platforms and OSes just the same, but in national mainstream press outlets, including AP, which gets picked up by hundreds and hundreds of local news papers and other local media, and gets seen by millions more people than will ever see anything in Network World or The Register.

All at a time when more people than ever were considering a move to Mac OS X after the switch to Intel. Their only takeaway as they scanned the morning paper or caught a segment on the local morning news? That the "MacBook" can be "taken over" in "30 seconds", wirelessly, and all without you knowing. Hmm, might as well stay with Windows after all.

So yeah...as I already noted in another post, the reaction from the Mac crowd was even worse, FUDing the story into oblivion. However, the initial coverage wasn't because of that. At all. In any way, shape or form. It was because a security vulnerability affecting Macs is interpreted by many to be BIG NEWS, whether they're the kind of journalist (as a few in the IT press are) who want to trumpet negative Apple stories, or just simply some guy at AP who sees it as a unique story. NONE of the original coverage, which was the only substantive coverage and what had already caused the damage, was because of the Mac fanboy reaction. Rather, it was the opposite.

Don't whitewash Maynor

[argent]

the Mac community spent an enormous amount of time trying to destroy Maynor's credibility

Maynor did everything he could to destroy his own credibility.

He misrepresented the nature of the vulnerability. Not because he was under an NDA, mind you, but because

[OSX was promoted as] being free of the viruses and malware that plague Windows,

It still is. Because it still is free of them. Not because it's "invulnerable" (people who talk about it being invulnerable - pro or con - shouldn't be trusted... and that includes you), but because it's a competently designed UNIX based OS that takes advantage of layered security. There's some aggravating design flaws that are bigger problems than a fixable bug in Wifi (yes, really), but the bottom line is that it's got a fundamentally more secure design than Windows in many areas that really matter, and THAT has a huge effect.

and even GNU/Linux doesn't have a reputation for being invulnerable

Wrong. Linux has been promoted as being a virus free haven for Windows users for at least as long as OS X has, and it's been pushed harder. And, yes, it ALSO has the advantage of a good traditional UNIX design.

But if Maynor REALLY wanted to show off, he'd have attacked OpenBSD.

and suddenly Maynor found there was a massive hole in that

So? People find holes in OSX regularly. And I mean ACTUAL holes unique to OS X, not holes shared by a lot of common devices. ACTUAL cases of the SAME KIND of hole (buffer overrun), even. This is not a "massive hole in OS X" at all, and if he hadn't turned around and (a) attacked Apple specifically, and (b) refused to disclose the bug itself (and I don't believe in an NDA that would have kept him from telling Apple about a buffer overflow in a Wifi driver), nobody would have said boo to him.

But he didn't act responsibly. He wanted to grandstand and he wanted to hurt Apple, specifically. I mean, he said he had a grudge against Apple right there on his web page. That's not responsible, and has nothing to do with any NDA. Even it's not actually lying and even arguably not honest, it sure ain't honorable.

So here we have someone who's acting irresponsibly, and implying he's being paid to find security holes he's not allowed to talk about (and he still hasn't explained that bit), and who's specifically targeting one company... what kind of reaction should he expect?

Correct me if I'm wrong..

[stewbacca]

If you click the link to the original story, it clearly indicates that this guy hacked a third party wireless card. If you click on the link to this story, however, the story claims that he found a way to hack the built-in AirPort wireless adapter. Shoddy journalism?

So what happened? The original story was a lie? The new story doesn't have their facts straight? IF this guy hacked an AirPort driver, like the NEWEST link claims, then this is a story. However, since the past year has been filled with nothing but discrediting proof that he hacked a third-party adapter, and his video shows him inserting a third party wireless USB adapter, then I would have to guess that the Apple AirPort wireless adapter was never, and still isn't, threatened by hacking.

Re:Correct me if I'm wrong..

[Clirion]

Actually, it looks like it was the Atheros chipset he hit. So any card that uses this chipset is at risk. MacBooks use Atheros wireless chipset. So the same exploit that works on the third party card (presumably using the Atheros chipset) works on the Macbook (using the Atheros Chipset).

Re:Correct me if I'm wrong..

[stewbacca]

Then why didn't he conduct the hack without the third party USB adapter? I can take your word that it is technically feasible, but as a non-technical person, I'd rather see it in action rather than taking a technical person's theoretical explaination of how it "would" work had we used the stock wireless. It's kind of the staple of good research to make the assumption that it would work because it is the same chipset, but you still have to test those assumptions. Anything short makes the work biased. After reading the findings in the links of the article, I'm shocked at what passes as "research" in the technical field (if this is at all representative of technical research).

In short, the only way this guy could clear up his lack of credible research findings would be to have hacked the actual built-in wireless card, or some other extremely popular (or stock) configuration AND removed all the cutesy, gimmicky biased remarks about Mac users in general. Instead, he used a third-party work-around to get in, then put all his eggs in the basket that assures us all it could be done without the work-around, as well...I promise...no seriously!

Too bad Apple patched it and he hid behind the NDA, because now we'll never know for sure if a stock MacBook could have been hacked.

Re:Correct me if I'm wrong..

That's kinda surprising, seeing as I've been running KisMAC using its Broadcom card driver, and the Atheros driver can't find a wifi card.

Re:So does this mean

[Cid+Highwind]

Look at the huge volume of frothing anti-Apple hate Maynor stirred up with this exploit (and the overreaction to his non-demonstration and insinuations that Apple's lawyers pressured him to shut up).

Anyone who creates a real self-propegating worm for OSX that infects end-users' machines would be revered as a god among men, or at least among Windows fanboys. The fact that a year later after Maynor's exploit and two years after the first smarmy "I'm a Mac" ad nobody has done it tell me there's more to OSX security than Windows having 90% market share.

When does Jon "Daringfireball" Gruber apologize?

[Argyle]

Apple cultist Jon Gruber offered a MacBook to David Maynor and Jon Ellch if the wifi hack was true.

It was true. He owes them a laptop...

Did you hurt yourself?

[Argyle]

Did you hurt yourself with the elaborate contortions and twists you'd made to somehow justify the flaying Maynor took at the hands of the Mac Fanbois?

It's very simple. Maynor said there was a direct wifi hack on Macs, he was right, the Apple cultists were wrong.

All the FUD then or now doesn't change that fact.

Re:Did you hurt yourself?

BZZT! Sorry.. thanks for playing.

3rd party wifi adapter != Mac exploit. It == WIFI EXPLOIT.

Do I need to write it in crayon for you to get it?

Re:Did you hurt yourself?

Maynor demo'd the exploit using a 3rd party wifi adapter, but the exploit worked with the built in wireless that ships with the MacBook. Pretty much everyone, including Apple, acknowledges this now.

Mods on crack

Parent is +4 informative. GP is 0? I guess I should just thank the mods for not shooting GP down even after he slightly criticized Apple.

Apple fanboism is the main reason Apple is losing at least one customer for sure.

Re:Mods on crack

The parent (GP to this post) is informative, asshat, because it actually contains factual, informative information, and started out at +2 because it wasn't an AC.

The GP (GGP to this post) is at 0 as it deserves to be because it has no meaningful content, and accuses Apple of things that didn't occur, like ignoring a legitimate bug when the discoverer himself couldn't show Apple it worked with the MacBook integrated wireless at the conference, or of "threatening" them, when if there had been any meaningful "threat" (e.g., legal), there would be some proof or substantiation.

So if you're saying Apple will "lose you" as a customer, dickwad, because a post with actual correct information got modded up on slashdot, and isn't a "fanboi" (anyone who uses that term is the biggest fucking faggot ever) post in any sense of the term, then good riddance, cocksucker.

Re:When does Jon "Daringfireball" Gruber apologize

[JoshNorton]

I see no evidence that they have fufilled any of the terms of the challenge as yet.
In any case, he set a time frame for taking the challenge that ended just over a year ago at this point.

No, this really doesn't earn them any apology from him.

Re:When does Jon "Daringfireball" Gruber apologize

[stewbacca]

So when, exactly did they meet to accomplish this challenge? Nice try, but still wrong.

Apple's track record is contradictory to the lie..

[gsfprez]

i'm sorry, but this WHOLE THING became a kerfuffle when Maynor stated that Apple threatened him... and not a second before that.

And i have a very very hard time believing that Maynor is telling the truth about that because Apple has an incredible track record on not only accepting information, but giving credit where credit is due to people that find problems and exploits

Here are 28 examples between 10.4.1-10.4.3 where Apple gave credit to security researchers, organizations, and individuals.

So, Maynor found something, acted very suspiciously, made lame comments, hid information, and blamed Apple for all of it.

He's a choad.

Re:When does Jon "Daringfireball" Gruber apologize

[zukinux]

A. he will get 2 macs :
http://daringfireball.net/2006/09/challenge_update


And B, he would lose since it's not out of the box hack, since it has to contains a specific 3rd party drivers.

Re:Apple's track record is contradictory to the li

By my account it went tits up .001 seconds after an apple fan saw the first story and started yelling that it was fake while there were no details available at the time.

If you want a timeline go back and look at the orginal Krebs story that was posted 5 hours before Ellch and Maynor talked and look at the times for the comments.

Your "hid information" theory doesn't hold water since Maynor showed at lackhat DC how he had actually sent them information on at least 3 difrrent bugs.

BUt hey, you don't like Maynor so hate away.

Re:Apple's track record is contradictory to the li

[makomk]

Of course, I bet all of those 28 kept the existence of the vulnerability hush-hush until Apple got around to releasing a fix. This means that they are basically irrelevant when it comes to the question of whether or not Apple threatened him because he was publicising the vulnerability.

Re:So does this mean

[Mister+Whirly]

That is like saying "New Zealand has never been invaded. That tells me they must have one hell of a strong army defense."
Or it could just be that nobody cares enough to invade New Zealand...

Re:When does Jon "Daringfireball" Gruber apologize

[iluvcapra]

The offer expired in September 2006. Besides, if they did it today, Apple has patched the vulnerability.

Maynor & Ellch - no MacBook for you!

[beer_maker]

If you had read the page you linked to, you would have seen that Gruber offered them a week's time just to agree to the challenge ... and they failed to take him up on it. Inasmuch as

1. they failed (for a year) to demonstrate the hack they originally claimed to be able to do at the conference, and
2. they were unable to explain the hack to Apple engineers in anything but the theoretical sense (as proved by Apple having to resolve the issue themselves - which Apple's developers rapidly did), and
3. claimed repeatedly to have been coerced by Apple lawyers (while offering no evidence of the same) ...

I have lost all confidence in their claims of last year. I will admit they seem to come up with the theory of the hack sometime prior to the conference, and that they NOW seem to have a working hack ... of something Apple fixed last year, that was broken for ALL Operating Systems which use 3rd party drivers.

I'm also saddened by their stated reasons for claiming Apple was particularly vulnerable (OMG, those Mac users are snobs!11!1!), and the comments about eyes and cigarettes ... that's not just hyperbole, that's fanboi-style hate - hardly the stuff an "objective" security researcher ought to be espousing.

They hardly seem deserving of a free computer, or even the news coverage they will undoubtedly receive. Too bad, they seemed like such bright guys ...

Re:Maynor & Ellch - no MacBook for you!

they seemed like such bright guys

Not really. I recall one of them saying a person who argued about the look and feel of Mail.app would not be capable of understanding the concept of privileged execution. What an idiotic false dichotomy. I personally know people capable of understanding and working on kernel-level code while still having strong opinions on UI design. They seem like a couple of dopes who cling to the juvenile and outdated philosophy that clunky/ugly UIs are somehow more "advanced".

Re:When does Jon "Daringfireball" Gruber apologize

[not_anne]

He has no reason to apologize to them. This was a challenge, not an "if it's true you get a free laptop" contest.

The challenge was for Maynor and Ellch to hack a fresh out of the box MacBook using their wifi exploit a year ago. They didn't accept the challenge and so they don't deserve a laptop.

Maynor is still a liar

His original "hack" video showed him getting a shell to connect back to a second system by exploting a "third party wireless card" in a MacBook. This is the "hack" that got him all the media attention, and all evidence still points to that video being a hoax, and this paper does nothing to change that fact. It's entirely possible he got a kernel panic by fuzzing beacons or probe responses, and its entirely possible that he got such a packet to overwrite a function pointer, but that is still a long long long long way from manipulating the system in such a way to make a shell connect back to a second system. Of course, once you overwrite a function pointer anything is possible, but I don't for a second believe Maynor has the reversing skills to pull off such hack. So while you're reading this paper, don't forget that until Maynor releases the details of the original attack demostrated in his dramatic video, he is still a liar and fraud.

No comment, but a question

Here is a question for you:

Is there a way to set static ARP settings on an Airport Extreme? Because of the
simplicity of ARP, a replay attack using WEP would be possible with it right? Is there
a way to let the access point proxy ARP?

However...

If Maynor had had a clue he would not have provided the platform he did for counter-arguments. If he wanted to be treated seriously in this case he couldn't have gone about it in a worse or more stupid manner. I think in future I'll just think of him as "Stubby."

Consider yourself corrected...

If you click the link to the original story, it clearly indicates that this guy hacked a third party wireless card. Yes, because the original story (the one a *year* ago), for which he was villified, was about him claiming he could do the same thing with the internal card too.

If you click on the link to this story, however, the story claims that he found a way to hack the built-in AirPort wireless adapter. yes. There is no disconnect here - they can both be true.

Shoddy journalism? No, just a /. user who lacks logic skills.

You seem to be claiming that because he found a vulnerability in a third-party card, that automatically means it's impossible for him to have also found a vulnerability in the built-in one. How you arrive at that conclusion baffles me.

Here's what happened (as plainly as I can, because your IQ seems to be lower than room temperature in december):

1. A year ago, he found a vulnerability in the air-port *AND* the third-party card.
2. when he presented the findings, he got attacked by rabid mac zealots because he only demonstrated it with the third-party card, because he was not allowed to do it with the built-in one.
3. Now that his NDA is up, is releasing the details on the built-in card vulnerability.

Now, assuming you understand these points, go back and read both articles. You will find they make a lot more sense.

OT:NDA?

[SonnyJimATC]

It's more fun if you substitute the word "wank" for "fight". "The first rule of Wank Club is - you do not talk about Wank Club. The second rule of Wank Club is you DO NOT talk about Wank Club. Third rule of Wank Club, someone yells 'stop', goes limp, taps out, the wank is over. Fourth rule, only two guys to a wank. Fifth rule, one wank at a time, fellas. Sixth rule, no shirts, no shoes. Seventh rule, wanks will go on as long as they have to. And the eighth and final rule, if this is your first night at Wank Club, you have to wank."

how to hack a mac (or a linux box)

[overcaffein8d]

1. somehow find out someone's password. 2. SSH in.

Re:Apple's track record is contradictory to the li

Which is still several steps above the average Apple fan. Perhaps if you could pry your lips off of Job's cock long enough to look around you'd realize that Apple is a tech company, not a religion.

Re:So does this mean

[Kalriath]

I assure you. The one thing we DON'T have is an actual defence force. Our Minister of Disarmament ... er, Prime Minister ... disbanded most of that years ago.

Our defence is the crap tons of water surrounding the country. It works, really.

Re:When does Jon "Daringfireball" Gruber apologize

WOW YOU ARE AN IDIOT.
The paper details a bug in the BUITIN Atheros driver that affected EVERY Intel based Mac that was shipping at the time.

GOOD GOD read something before blindly hitting the reply button to remove any doubt of your stupidity.

Not just that, but...

[podperson]

The hack only affected MacBooks with specific third-party wireless hardware attached -- something almost no-one would be affected by, since MacBooks come with wireless that wasn't vulnerable.

So it was especially bad that Apple got all the bad press.

Re:So does this mean

[westyx]

The british invaded new zealand, although not with total success.