http://daringfireball.net/2006/08/curious_case
Fascinating, IMHO. It's a long read but some people really get exposed here. I recommend reading it at the link because of the extensive quoting, a lot of formatting is lost in this post.
Fascinating, IMHO. It's a long read but some people really get exposed here. I recommend reading it at the link because of the extensive quoting, a lot of formatting is lost in this post.
The Curious Case of the Supposed MacBook Wi-Fi Hack
Monday, 21 August 2006
So remember a few weeks ago when Brian Krebs posted a report titled Hijacking a MacBook in 60 Seconds or Less on his Washington Post computer security weblog? He reported on a supposed Wi-Fi security exploit demonstrated at the Black Hat security conference, wherein security researchers Jon Ellch and David Maynor hacked into a MacBook via Wi-Fi.
Krebss shoddy reporting left several essential questions unanswered, which I raised on August 3. Namely:
Maynor and Ellchs demonstration video showed the MacBook the target of their attack using a USB-dongle Wi-Fi card. Given that every MacBook comes with a built-in AirPort Wi-Fi card, the central question of this entire saga is whether that built-in AirPort card is similarly vulnerable.
Krebs reported that they used a third-party card and driver in their demonstration because Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers. Who at Apple leaned on them? And what does leaned on them actually mean?
Before proceeding, its worth clarifying a few terms here: card, driver, and third-party.
A card is the wireless networking hardware; e.g. the AirPort card built into every Apple notebook, or the external USB dongle Maynor plugged into the MacBook in his demo.
A driver is software that allows an operating system to communicate with a piece of hardware. Modern operating systems Mac OS X, Windows, and Linux distributions all ship with standard drivers for all sorts of hardware. For any hardware that your operating system does not already have a driver for, however, you need to install a driver before the hardware will work. For example, Mac OS X ships with a USB mouse driver that just works with any standard USB mouse that you plug in, but Apple updated this driver when they shipped the Mighty Mouse to add support for its specific features. AirPort just works because Mac OS X ships with drivers for all of the various AirPort cards that Apple has ever shipped. When Mac users connect to a Wi-Fi network, they normally do so using the built-in AirPort card and the built-in AirPort driver, where by normally I mean almost always.
Third-party refers to a component hardware or software that is not produced or officially supported by your computer manufacturer or operating system supplier. In the case of the MacBook, a third-party card would be any Wi-Fi card other than the one pre-installed inside the machine by Apple. A third-party driver would be any software used to control a Wi-Fi card other than the drivers installed as part of Mac OS X. You might think this is a silly thing to clarify, but Krebs himself is creating confusion with his use of the term, on the grounds that some of the code in the drivers that Apple ships with Mac OS X are written by programmers at the companies that make the Wi-Fi chipsets used in Apples AirPort-brand cards. Do not be confused: if the driver is supplied by Apple and supported by Apple, it is not third-party software.
The central point here is that for this particular exploit to be of any concern whatsoever to MacBook users, it would have to work against the MacBooks built-in card using Mac OS Xs built-in driver. Using a third-party card as Maynor clearly and admittedly did in their video demonstration makes the issue moot to any Mac user using the built-in card. But the same goes for the driver if Maynor and Ellch can demonstrate an attack that works against the MacBooks built-in card, but which requires a third-party software driver, thats equally moot.
What We Know
SecureWorks (slogan: The Information Security Experts) is the security group where Maynor is employed as a researcher. As of Thursday, their web page devoted to this vulnerability contained the following disclaimer (emphasis added):
This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers. Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available.
Whats notable about this disclosure is that it is about the driver. We already know, just from watching the demonstration video, that it was also based on a third-party card. This means that either (a) the exploit they discovered uses neither the MacBooks built-in card nor Mac OS Xs built-in driver; (b) the exploit they discovered works against both the third-party driver demonstrated in the video and against Apples standard driver, and they have inexplicably decided to post this disclaimer to explicitly describe only what is being demonstrated in the video; or (c) that the experts at SecureWorks do not understand the difference between a driver and a card. My money is on (a).
The reason this is notable is that if (a) is true (that the vulnerability they discovered does not apply to the standard AirPort driver software from Apple) it entirely contradicts Brian Krebss original and much-publicized story. Krebs wrote (emphasis added):
The video shows Ellch and Maynor targeting a specific security flaw in the Macbooks [sic] wireless device driver, the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the MacBook and presently not publicly disclosed Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the Mac user base aura of smugness on security.
In response to SecureWorkss admission that their demonstration did not exploit the built-in driver, Apple on Friday released a statement regarding the supposed vulnerability. Lynn Fox, Apples director of Mac PR, told Macworld:
Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is. To the contrary, the SecureWorks demonstration used a third party USB 802.11 device not the 802.11 hardware in the Mac a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.
Foxs statement on behalf of Apple is unequivocal: Maynor and Ellchs exploit involves neither the MacBooks standard Wi-Fi hardware card or software driver. That, of course, does not mean that Apples standard driver isnt somehow similarly vulnerable, but if it is, Maynor and Ellch have not demonstrated such a vulnerability to Apple, according to Fox.
Further, Bill McFarland, the chief technical office of Atheros Communications, the company that produces the built-in AirPort chipsets Apple includes in every MacBook, sent the following message to Brian Krebs via email:
Atheros has not been contacted by SecureWorks and Atheros has not received any code or other proof demonstrating a security vulnerability in our chips or wireless drivers used in any laptop computers. We believe SecureWorks modified statement and the flaws revealed in its presentation and methodology demonstrates only a security vulnerability in the wireless USB adapter they used in the demo, not in the laptops internal Wi-Fi card.
Again, this statement is unequivocal. The chief technical officer of the company that makes the MacBook AirPort cards and, I believe, that writes at least some of the source code for the drivers that Apple uses says that Maynor and Ellch havent even contacted them, let alone disclosed any actual flaws in their card or driver.
But back on August 3, in a follow-up to his original Hijacking a MacBook in 60 Seconds or Less, Krebs wrote:
During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.
I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default Macbook drivers are indeed exploitable.
So at the beginning of August, Maynor and Ellch told Krebs that the default MacBook drivers were exploitable, but would not, even on video, demonstrate an exploit against them publicly. As of last Thursday, however, their SecureWorks web site explicitly states that their video demonstration does not involve Apples default drivers, and both Apple and Atheros issued unequivocal statements that Maynor and Ellch have not provided Apple with any evidence showing a flow in Apples drivers.
The Central, as Yet Unanswered Question
This entire saga boils down to one simple question: Have Maynor and Ellch discovered a vulnerability against MacBooks using Apples built-in AirPort cards and drivers?
Given all the facts laid out in the previous section, you might at first think this question has been answered, and that the answer is no, but unless Im missing something, this is, inexplicably, still an open question.
Maynor and Ellchs recent statement on the SecureWorks web site declares that their video demonstration does not involve Apples driver; that is not the same thing as declaring that they have not also identified an exploit against Apples driver which is not demonstrated in the video. They have been conspicuously silent on this specific point, other than Maynors statement to Krebs earlier this month that Apples drivers are identically exploitable (which are Krebss words, not a direct quote from Maynor).
We do have enough facts, however, to know with certainty that some of our protagonists will not emerge with their reputations intact. Someone, clearly, is either lying or incompetent (or both).
For example, from Apples statement on Friday, we know that if Maynor and Ellch have identified an exploit against a stock MacBook, that they have not yet contacted Apple (or Atheros) with details about the vulnerability which is both enormously irresponsible for ostensibly professional security researchers, and which contradicts statements they previously made to Brian Krebs that they had been in contact with Apple regarding their discoveries. Or, if they have contacted Apple, the statement issued by Apples Lynn Fox is flat-out false and Apple has committed an enormous, almost incomprehensibly foolish mistake, because such a mendacious lie will prove far worse for Apple than divulging a Wi-Fi exploit that, if it actually exists, is surely going to come to light soon anyway. I.e. why would Apple lie about this if Maynor could call them on it?
On the other hand, if Maynor and Ellch have not identified an exploit that works against Apples standard MacBook card and driver, then the only possible explanation for what Brian Krebs has reported that Maynor told him that the default MacBook drivers are identically exploitable to those used in their video is that either (a) Maynor and Ellch are liars and frauds; (b) Brian Krebs is an incompetent hack who grossly and utterly misquoted and misstated what Maynor had told him; or (c) Krebs was in over his head and did not understand the issues he was reporting on.
(A) seems the most likely explanation here; if (b) or (c) were the case i.e. that Maynor had not told Krebs that the MacBooks default driver was identically or even similarly vulnerable, surely Maynor would have spoken out to set the record straight and call Krebs out on his error a simple Hey, I didnt say what Brian Krebs has reported that I said would have sufficed. That hasnt happened.
I thus see no way out of this where Maynor and Ellch escape with their reputations intact, other than if they have in fact discovered a vulnerability against the stock MacBook card and driver, that they have disclosed their findings privately to Apple, and that the statement issued Friday by Apples Lynn Fox is in fact scurrilously false. But even in this scenario which as I see it is the best case for Maynor and Ellch if they know for certain that MacBooks, as shipped by Apple, are vulnerable, why have they not plainly said so? Im not saying they should have publicly described the nature of the vulnerability in any detail, but they certainly should have stated clearly that owners of whatever specific Macintoshes they have identified flaws against should be careful when turning on AirPort in any public or non-trusted environment.
In short, either Maynor and Ellch have discovered an exploit against stock MacBook and Apple has decided, incomprehensibly, to scurrilously besmirch their reputations with flat-out lies that will soon be disproved and will bring disgrace to Apple Computer, or, Maynor and Ellch have not discovered such an exploit and they are, at best, gross exaggerators, or, at worse (and more likely in my opinion), outright frauds.
Brian Krebs Has Dugg Himself a Mighty Deep Hole
The Washington Posts Brian Krebs seems to have painted himself into a particularly uncomfortable corner. It was Krebs who broke the original story, and it was Krebs who gave it the made-for-Digg headline Hijacking a MacBook in 60 Seconds or Less. It was Krebs who then wrote, in a follow-up:
During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.
I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default Macbook drivers are indeed exploitable.
It is becoming more and more clear that the reporting Krebs stands by is false. Maynor and Ellch, I believe, have discovered no such exploit against a stock MacBook. And if Im right, not only has Krebs blown the story with regard to the security of the MacBook, he has also impugned the integrity of Apple by publishing the claim that the company leaned on Maynor and Ellch an accusation Krebs published without evidence, without details regarding what exactly constituted leaning on, and without comment from Apple.
Last week, on Tuesday August 15, Krebs published a third weblog entry on the topic, in which he began:
Ive received an overwhelming amount of hate mail from Mac enthusiasts over two previous posts on a wireless-device-driver presentation at the Black Hat hacker conference, with people accusing me of all kinds of nasty things.
Where by hate mail Krebs apparently means criticism, and where by nasty things he apparently means shitty reporting. This is one of the oldest tricks in the hack tech writer book: Because, yes, some small number of devoted Mac users are in fact kooks, when you begin receiving criticism after publishing some sort of false or inaccurate analysis regarding the Mac or Apple, you just dismiss it all on the grounds that all Mac users are irrational cultists who simply cant stand to see their beloved company or OS criticized.
Krebs continues:
Ive been asked this many times, so let me make this crystal clear: I had the opportunity to see a live version of the demo Maynor gave to a public audience the next day. In the video shown at Black Hat, he plugged a third-party USB wireless card into the Macbook but in the demo Maynor showed me personally, he exploited the Macbook without any third-party wireless card plugged in.
And then he follows this undeniably bold claim with a transcript of a taped interview he conducted with Maynor, while Maynor performed this demonstration using the built-in AirPort card.
Krebs did not ask several very obvious questions regarding this demonstration. For example: Had Maynor diddled at all with the wireless drivers on the MacBook to make this work? Had he diddled with the default network settings? Could Maynor demonstrate this exploit on a MacBook supplied by Krebs?
Not asking these questions indicates that Krebs is incompetent to write about computer security issues. Its like watching a magician perform a trick using his own deck of cards, and then not only not asking to see the trick performed with a deck of cards as-yet untouched by the magician, but not even asking whether the cards had been tampered with.
The most interesting part of the transcript is this exchange (emphasis mine):
Krebs: Explain to me exactly what youre exploiting in here. Is it a flaw in the Macbook itself?
Maynor: Yes, its a device driver. The thing is, theres a flaw in the OS, but I dont want to specifically point to it, so in the video youll see I used a third-party USB device. What Im trying to do is highlight the problems in device drivers themselves, not any one particular flaw. [Maynor misspoke here, and I later clarified this point with him. The wireless device driver that powers the internal wireless card on the Macbook contains flaws that when exploited give the attacker the ability to create or delete files, or modify system settings. The flaw is in fact in the Macbooks wireless device driver, which is made by a third party. So again, to be clear, the flaw is not, as he suggests in the transcript of this interview, in the Mac OS X operating system itself.]
The bracketed section is an editorial aside from Krebs, who seems deeply confused as to what constitutes third-party drivers. Even if portions or the entirety of the MacBooks AirPort driver are written by engineers at a company other than Apple (like, say, Atheros, the producers of the chipset), if its the software that drives the built-in card, and it is installed as a standard component in Mac OS X, and Apple is the company that offers support for the driver then it is not third-party software. The built-in AirPort drivers are part of Mac OS X.1
Curiously, at the end of this transcript, Krebs provides a link to a PowerPoint file created by Maynor and Ellch, containing slides responding to some of the questions theyd heard from Mac users, which they apparently presented at DefCon, their second appearance to give this talk.
There are only six slides in the file, the last of which reads:
[Q:] I saw some people quote you as saying the bug is in the built-in in card and other people quote you as saying as its [sic] not, who is right?
[A:] They both are. The exploit shown in the video was targeting a specific third party driver and that same vulnerability does not affect the built in [sic] card. We are, however, doing ongoing research on the built-in card as well and have shared our findings with Apple.
So both are right, but they havent found an exploit against the Apple card and driver just ongoing research? Tell me that doesnt sound like, Were trying to find an exploit that works against the MacBooks built-in driver and card, but havent found one yet.
Krebs goes further off the rails in the comment thread attached to this article. After Macworld published Lynn Foxs statement on behalf of Apple, a reader named James Bailey called it out in the comments, asking Krebs to justify the discrepancy between what he had reported that Maynor and Ellch had discovered a vulnerability in Apples products and reported it to Apple (and had in turn been leaned on to keep quiet about it and Apples unequivocal statement they hadnt seen or heard squat from Maynor and Ellch regarding an exploit against the MacBook.
Krebs responded (Krebss weblog does not offer per-comment permalinks, alas):
James and you think that Macworld articles adds anything to this because why? You should spend a little bit of time looking at what Apple is actually claiming, and what theyre not talking about here. Apples PR people are basically pointing out exactly what Ive said for the past two posts on this issue that Maynor et. al indeed used a third-party USB card in the video.
What Krebs is doing here is accusing Apple spokesperson Lynn Fox of speaking in precise it depends what the meaning of the word is is-style legalese. But Foxs statement did not end with her reiteration of the fact that their video demonstration involved a third-party card (which is a fact that is not disputed by anyone who has watched the video Maynor makes it explicitly clear in the demonstration video that hes using a USB wireless card). Fox continued by adding: Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship. Thats the part of Apples statement that contradicts Krebss reporting.
Krebs continues:
SecureWorks is claiming that despite Apples claims to the contrary, that the company is shipping Mac products with vulnerable wireless device drivers. What Apple has not addressed in any kind of detail is whether or not the embedded drivers in the Macbook are vulnerable. All of their response so far is aimed at the demo showed in the video publicly.
Not true. The second part of Foxs statement is that Maynor and Ellch have not shared or demonstrated any code with Apple related to this supposed exploit.
As for why Apple has not addressed whether or not the embedded drivers in the Macbook are vulnerable its because they dont know, because, and Ill repeat this again, one last time, Apple says Maynor and Ellch havent shared a demonstration or code with them. If there is a vulnerability, Apple cant confirm it because Maynor and Ellch havent shared it with them. If there is not a vulnerability, Apple cant know for certain that this is the case for all Apple knows, Maynor and Ellch have identified an exploit against the MacBooks built-in driver and card, but have, for whatever reason, not yet come forward with it. And since they dont know, they cant say, There is no vulnerability in our product. What they do know is what they did say: that they havent seen code or a demo from Maynor and Ellch.
That this sort of basic middle-school-level logic should need to be painstakingly spelled out for the computer security columnist for the Washington Post is astounding.
Finally, on Friday, 16 days after his original post, the cracks began to show in Krebss I stand by my own reporting facade. He published this fourth post on the topic, headlined Follow-Up to the Macbook [sic] Post.2
After publishing the statement from Lynn Fox which he had callously dismissed as little more than devilish PR corporate ass-covering double-speak the day before, Krebs wrote:
I have several times now asked SecureWorks to share with me more specific information to back up their claims, but so far I have received no further details. If I hear back from SecureWorks with any more material information, I will update the blog.
Translation: I no longer stand by my own reporting.
Alternative translation: Oh boy am I ****ed.
Krebs then added this intriguing bit, which Ill return to later:
Apples Fox said that prior to the Black Hat demo, SecureWorks did contact Apple about a wireless flaw in FreeBSD, the open-source code upon which Apples OS X operating system is based. In January, FreeBSD released a patch to fix the problem, which according to the accompanying advisory, related to a flaw in the way FreeBSD systems scanned for wireless networks that could be exploited to allow attackers to take complete control over the targeted machine.
[ ] Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products.
SecureWorks has not be able to exploit this for us, Fox said. No one has been able to show us a way to exploit our internal [wireless] device drivers with that flaw.
So Krebs, albeit belatedly, finally now seems suspicious of the claims Maynor and Ellch had made to him previously, which claims he reported without verification.
But so is it just me, or does the headline Krebs chose for this mea culpa Follow-up to the Macbook Post seem slightly less provocative than the headline he chose for his original post in the series Hijacking a Macbook in 60 Seconds or Less? A more reciprocally sensational (and therefore reciprocally diggable) but yet completely accurate headline might have been, say, Losing My Journalistic Integrity in 60 Seconds or Less, or Im a Gullible Rube and Got So Excited I Nearly Stained My Pants at the Thought of Breaking a Story on a Major Mac Security Exploit.)
George Ou: Going Down With the Ship
Joining Krebs in line to flush his credibility and reputation down the journalistic toilet is ZDNets George Ou. Ou, who attended the Black Hat conference where Maynor and Ellch first presented their talk, almost had it right when he first wrote about the story on his weblog:
The truth of the matter is that this was a hack on a MacBook but it pertains to third party hardware and third party drivers. While this isnt a flaw on the part of Apple [UPDATE: The same flaw also seems to affect Apples drivers], it is an attack on a MacBook and it shouldnt be entirely dismissed either by the Mac community
But then he added the update which pointed to Krebss now-seemingly-discredited reporting that Maynor and Ellch had discovered a flaw in Apples own driver.
Ou continues:
This particular Wireless [sic] hack shouldnt be pinned on Apples products or Apples programming, but remember that just this week there were 26 flaws patched by Apple and many of the flaws were critical. In fact, there were months when Apple patched more than 30 vulnerabilities a month so its clear that security vulnerabilities on the Mac are abundant. David Maynor stated that he loves his Mac but it is a fact that the Mac has many security flaws. The point is that no one should not [sic] be dismissing security issues on Mac and claiming that they are invincible.
This is a straw-man argument; no one sane or knowledgeable has argued that Mac OS X is invincible, or that Mac security issues should be dismissed or ignored. What many Mac users pointed out regarding Maynor and Ellchs demonstration, however, is that if it doesnt work as an exploit against the MacBooks built-in card, then Mac users could dismiss this particular issue.
I detect an undertone of Some day you Mac users are going to get yours and Im going to rub it in your faces when it happens, but all told, this was not a particularly noteworthy weblog entry.
His follow-up published Sunday, however, is a doozy, starting right from the headline: Vicious Orchestrated Assault on MacBook Wireless Researchers. Ou begins:
There has been a vicious orchestrated assault on researcher David Maynor and the company SecureWorks claiming that the Maynor and SecureWorks falsified their research presented at Black Hat 2006.
Ous conspicuous use of the passive voice (There has been ) thinly veils the implication that the perpetrator of this vicious orchestrated assault is Apple Computer. E.g. that Apples Lynn Fox is maligning the reputations of Maynor and Ellch in the press. Ou, thankfully, is here to stand up for and defend their honor.
MacWorlds [sic]3 Jim Dalrymple was the first to regurgitate this bogus story on Thursday and followed up with MacBook Wi-Fi hack exposed by calling the original research a misrepresentation. David Chartier of The Unofficial Apple Weblog went as far as saying SecureWorks admits to falsifying MacBook wireless hack. Plenty of other media outlets were fed the same story but most of them knew better and refused to run this bogus story. But once Digg and Slashdot ran with this story on Friday, all hell broke loose and the story has infected the blogsphere [sic].
The regurgitated, bogus story that most media outlets knew better than to run that Ou refers to were stories simply publishing Lynn Foxs statement on behalf of Apple. Thats it.
Ou continues:
I was absolutely shocked when I ran across these stories on Digg.
Indeed, who wouldnt be shocked to find over-hyped sensational bullshit on Digg? What paragon of journalistic integrity is next? The New York Times? The Wall Street Journal?
I had personally video interviewed Maynor and his partner Jon Johnny Cache Ellch and these two gentlemen were very honest and straightforward. But as soon as I read the stories, the stench began to rise.
I was tempted to make a joke here about what Ou might have eaten for lunch, but decided against it.
Maynor and SecureWorks had been telling the truth the entire time and they had falsified nothing. The only falsification going on was the stories themselves!
(Boldface emphasis is Ous.) Even Brian Krebs isnt sticking with this line. Ou, on the other hand, seems determined to go down with the SecureWorks ship.
So what exactly are Maynor and SecureWorks accused of falsifying? They are accused of admitting that the wireless hack was an exploit of a third party device and a third party driver. The only problem with this accusation is that it isnt exactly news since this is precisely what Maynor and company have been saying all along. This was not only evident in my video interview, but it was even in Maynors original video demonstration along with every other news report earlier this month during Black Hat.
Yet another straw-man argument. No one who has actually watched their video is disputing that the exploit demonstrated by Maynor and Ellch in the video of a MacBook equipped with a third-party USB wireless card. The dispute is whether Maynor and Ellch had ever implied, explicitly or implicitly, that they had also discovered similar or identical vulnerabilities in the MacBooks built-in card and driver, and if they had, whether they had presented evidence of such to Apple.
Ou continues:
So Maynor and SecureWorks have been telling the truth about this being a third party driver and hardware from the very beginning and they never misrepresented anything. If anything, Maynor went out of his way to avoid implicating any issues on the part of Apple because Brian Krebs of The Washington Post reported that Apple had leaned on Maynor and SecureWorks not to disclose the fact that the default Mac wireless hardware and default drivers were in fact vulnerable as well.
Be careful here, because if you think about the contradictions in this single paragraph too hard, your head will hurt. Ou claims in the sentence that it was only ever about third-party cards and drivers, but then in the next sentence trumpets Maynors claim to Krebs that the default MacBook card and drivers were vulnerable as well. Uh, George, thats the part that its in dispute, not the external USB dongle demo in their video. And then theres lovely idea of Maynor going out of his way to avoid implicating any issues on the part of Apple followed immediately by Maynors unsubstantiated claim to Krebs that Apple had leaned on him to keep his mouth shut.
When I asked Maynor about this at Black Hat, Maynor would not confirm or deny whether Apple had leaned on him or not saying that he didnt want to discuss it at the moment.
He doesnt seem to have wanted to discuss this leaning-on incident since the conference, either.
The transcript clearly reveals that Maynor had demonstrated the same exploit on a Mac without any third party wireless hardware! It also turns out Maynor chose an external third party hardware wireless adapter to avoid focusing attention on possible Apple hardware and software issues which may endanger Mac users.
If a transcript from Brian Krebs says it happened, it must be true.
When I contacted David Maynor by email and later phoned him late Saturday night, Maynor was very disturbed by the whole incident.
Ill bet.
He had already been receiving hate mail and even death threats at the Black Hat convention but the threats had escalated with this latest fabricated story about him falsifying his research. In one such threat, the person stated Im going to f*ing kill you and your dog to which Maynor replied I dont have a dog.
Death threats are funny when they come from those wacky Mac kooks.
Maynor was even more disgusted with the despicable way this story was set up and then planted in the press though [ ]
This despicable story-planting method apparently being Apple spokesperson Lynn Foxs technique of calling reporters on the phone, going on the record, and issuing an unequivocal statement on the matter.
Ive been asked not to reveal any more details on this time. What I can tell you is that Maynor and SecureWorks will not be taking this laying down and the fireworks will start in the next couple of days.
Consider the fuses lit.
Conclusion
The principle of Occams Razor holds that the simplest explanation is the most likely to be true. By that guideline and the evidence at hand, it is my guess that Maynor and Ellch are disingenuous publicity hounds who studied a previously-identified vulnerability in a FreeBSD Wi-Fi driver and concluded that they could perhaps use this published vulnerability against Mac OS X. I think they tried and failed to find an exploit that works against the standard AirPort cards and drivers used by nearly all Mac users, and that they then realized they could, in a demo, exploit buggy drivers other than Apples on a doctored MacBook and draw much more attention to themselves and their firm than if their demo had been performed on any other computer, using Windows or an open source operating system. I believe the informed Apple about a FreeBSD wireless driver issue that Apple already knew about, so that they (i.e. Maynor and Ellch) could honestly claim to have approached about a I.e. that despite the fact that the exploit they had discovered is completely and utterly irrelevant to anyone using a MacBook with Apples default AirPort driver and card, which is to say all MacBooks other than the one that Maynor and Ellch modified specifically for their contrived demo, they chose to perform their demo using the MacBook.
When their supposed exploit was publicized by The Washington Posts Brian Krebs, who reported that they had found Apples own drivers to be identically exploitable, they said nothing to dispute Krebss report. I believe Maynor and Ellch cultivated the misconception that they had identified a vulnerability in the MacBooks built-in AirPort card and driver but had performed their demonstration using an external USB card for their video at the request of Apple. This made little sense, as I wrote at the time, but the misconception took root, and Maynor and Ellch said nothing to dispute it while their consulting firm racked up the media attention.
Now that the fireworks are starting, my guess is that Maynor and Ellch, if they choose to defend themselves rather than quietly walking away from the table, will do so by claiming that they never stated nor implied that they had found any vulnerabilities in the MacBooks built-in card and driver. But their prevarications were far too clumsy for them to get away with this.
(And thats the the best case scenario for how I see this working out. Jim Thompson, after obtaining and studying a high-resolution copy of their exploit demonstration video from which he can read the characters in the terminal windows on-screen, suggests that even their exploit of the third-party USB card was a fraud, based on discrepencies in the MAC addresses and networking interfaces.)
It is a simple yes or no question: Have Maynor and Ellch found a vulnerability that affects MacBooks using Apples built-in cards and drivers? That Maynor and Ellch havent answered it speaks volumes. Bring on the fireworks.
Theyre not part of the operating system in the academic computer science sense of the term, but theyre certainly part of Mac OS X as a product, in the same way that bundled applications such as the Finder and Safari are part of the system. ?
Will someone please tell Krebs that the B in MacBook is capitalized? Thanks. ?
Its *Macworld*, not *MacWorld*. Whats with these guys and their inability to get intercapped spellings right? ?