Without any detailed disclosure, sure, the craftiest people will determine how to perform said exploits. However, there are very, very few of these compared to the script kiddies that will show up if you hand out the source and/or a road map to every Tom, Dick, and Harry. At least they're giving Apple (and others) a chance to address the problem by pointing out that there IS a problem.
I'm not buying the people who are upset at a lack of full disclosure because they are "unable to protect themselves". If there was a way to protect yourself, sure, perhaps you could tell people how to do it. However, judging from the presentation itself (at Defcon), there really IS no way other than mutilation of the driver itself (see the slide with the Nintendo DS) to quickly defend one's system. Not only would this significantly break a lot of things, most users wouldn't know the first thing about doing it.
The root causes as outlined in the presentation were a combination of a poorly planned and thought out protocol (802.11) and a quick-to-market rash of sloppy driver implementations, and it's going to take nothing less than at least a driver patch (or in a fantasy world, an overhaul of existing wireless protocols... 802.11 lite if you will).
So quit accusing the presenters of being motivated by greed, stupidity, or other such notions - the best way to secure users at this point is to speak with the manufacturers directly and attempt to achieve a patch, not to detail how to break in to every last miscreant on the planet. The authors are starting to do this by their dealings with Apple.
Oh, and for those of you that missed the FAQ at the end of the presentation:
- Yes, it affects the kernel, which means it's >= root/Administrator on any system
- It's a driver/spec implementation issue, which means it's not an OS-specific problem. The use of an Apple machine in order to show that "any" platform is at risk was meant to illustrate this.
- The money slide was a joke meant to show how lightly many people were taking this issue. I have no way of proving the intentions of the presenters, of course, but I believe this was the case - they stated their intention was to get this problem addressed through discussion, not money.
All in all, easily my favorite Defcon session (unless you count the shots of 151 distilled through peppers). Thanks, guys!
The point here is sure it's copyright violation (I'm not sure if illegal is the pure right word here). BUT it's an example of people going overboard in law enforcement efforts.
I guess so long as no public funds are used to help them, more power to them. But I'd personally rather not have the cops/FBI wasting their time arresting people with video cameras and 12-year-olds with Kazaa when they could be preventing real crimes.
Well, I dutifully headed out to the site of the protest, only to find absolutely nobody around. Granted I was fashionably late, about 10:30ish, but if you're going to say 9-12, then by all means do it. Showing up only to find swarms of tourists getting their pictures taken in front of the Grant memorial and that pool west of the capitol is rather depressing. Oh well...next time!
-Rav
Just to add my .02, I'll be there, even if it's just to check out the turnout. I'll be snapping digital camera pictures like a monkey on crack, so if the Slashdot folks will be kind enough to post a link to them, I'll send one when they're done. I know there's been a dress code dispute, but I can't resist wanting to wear my copyleft "total world domination" shirt either. *grin*
I've had limited success dropping in on my favorite congressperson/senator, but I suppose it's worth a try. Anyone else from Indiana? (hahaha)
If anyone has any questions about directions/places to eat/whatnot, feel free to give me an email. I'm only here for the semester (student), but I'll do my best!
-Rav
ravenium at bigfoot.com