Dear Apple Pundits, Please Stop Writing About Security.

Thomas Ptacek | August 5th, 2006 | Filed Under: Apple, Disclosure, New Findings, Uncategorized

Gruber burns a whole post ranting about Maynor and Cache’s WiFi exploit. At their talk, they showed a video of the attack, instead of actually demonstrating it.

If they’re willing to say that the built-in driver is exploitable, why are they not willing to prove it?

… because if they actually demonstrated the vulnerability, Gruber, they’d effectively be publishing the exploit. Wireless, get it?

Rui Carmo uses Gruber’s post as a jumping-off point for a really weird rant. For instance:

This was timed to lead up on the WWDC next week

… or, maybe, just maybe, timed to be released at Black Hat, the most important conference in vulnerability research.

Last year’s Cisco exploits (which were a whole lot more serious) were far more professionally presented.

… a demo that violated employment contracts, NDAs, and work-for-hire commitments and almost got Lynn sued. (As a commenter below puts it: “Actually, it did get me sued.”)

The technique looks (despite their claims) like a pretty bog-standard buffer overflow + shell access exploit.

… we’ll remember that next time someone finds a “bog standard” vulnerability in another piece of critical, exposed code: “That doesn’t count; the exploit isn’t complicated enough!”

The reason the demo is so “impressive” (not my words) is that, unlike Windows, UNIX-based operating systems make it somewhat easier to gain useful remote access…

… well, no, I think the reason the demo is so “impressive” is that you open up your MacBook, and then you’re owned.

That stuff about Windows vs. Unix exploits? I have no idea what that even means.

so the myth that PowerPCs are immune to this kind of thing is, well… a myth, fostered by the hacker community’s single-minded focus on Intel CPUs and more than a bit of ignorance.

… I don’t know about any “myths”, but you could just download the PPC shellcode Dino wrote here.

If you start out from a driver’s executable context, chances are you’re either root or some other entity able to do whatever you want.

… sometimes, when you exploit a vulnerability in a device driver, you even wind up in the kernel, which is a step past root: the driver runs in kernel mode, so there is no privilege boundary left to cross.

there is absolutely no way an attacker can know the driver version in use from “outside” - so their claim of being able to recognize 13 different wireless device drivers is, well, just a claim [post]:

… or, it’s the focus of about half of their talk: active and passive profiling of drivers and chipsets from behavior that emerges from the way each is implemented.

Still, there is something here of interest.

… really?

Thanks for clearing that up, guys.

Can you go back to writing about the button shapes in the next version of Mail.app now? Because you are making the Mac people who really do security look kinda dumb. Your arguments don’t come off as skepticism. They come off as blind, sweaty panic. Worse still, the only people who are taking them seriously don’t know enough to understand that you’re not qualified to give advice about security. By muddying the waters around this issue, you are making people less likely to update, and making Mac users less secure.
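For readers who, like Carmo, doubt that a driver can be identified “from outside”, here is an added example of the passive half of that profiling. It is mine, not code from this post or from Maynor and Cache’s talk. It parses raw 802.11 probe-request frames, reduces each one to the order of its information elements plus the rate set the driver advertises, and matches that against a signature table. The signature table, the driver labels and the capture it runs over are all constructed for illustration; real signatures would come from captures of known driver/chipset pairs, and the active side (poking the station and watching how it responds) is not shown.

```python
"""Passive 802.11 driver profiling from probe-request information elements.

Added example, not from the original post and not Maynor and Cache's code.
Driver implementations differ in which information elements (IEs) they put in
a probe request and in what order, so the IE sequence plus the advertised rate
set acts as a fingerprint. The signature table and the sample frames below are
constructed for illustration, not captured from real drivers.
"""
import struct
from collections import Counter

# Information element IDs from the 802.11 standard.
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMS = 3
IE_EXT_RATES = 50
IE_VENDOR = 221

PROBE_REQ_FC0 = 0x40  # frame control byte 0: type=management, subtype=probe request
MGMT_HEADER_LEN = 24  # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2)


def parse_ies(body):
    """Parse a run of tag/length/value IEs; reject anything that overruns the frame."""
    ies, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated IE header at offset %d" % i)
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("IE %d claims %d bytes past end of frame" % (tag, length))
        ies.append((tag, bytes(value)))
        i += 2 + length
    return ies


def parse_probe_request(frame):
    """Return (source MAC, IE list) for a probe request; None for any other frame."""
    if len(frame) < MGMT_HEADER_LEN or frame[0] != PROBE_REQ_FC0:
        return None
    src = ":".join("%02x" % b for b in frame[10:16])  # addr2 = transmitter
    return src, parse_ies(frame[MGMT_HEADER_LEN:])


def fingerprint(ies):
    """IE tag order (vendor IEs keyed by OUI) plus the offered rate set.

    SSID and channel values are deliberately excluded: they change per scan,
    while the ordering and the rate list come from the driver's code.
    """
    tags = []
    for tag, value in ies:
        tags.append("221/" + value[:3].hex() if tag == IE_VENDOR else str(tag))
    rates = b"".join(v for t, v in ies if t in (IE_SUPPORTED_RATES, IE_EXT_RATES))
    return ",".join(tags) + "|" + rates.hex()


# Constructed rate sets (802.11b/g encodings; the 0x80 bit marks a basic rate).
RATES_BG = bytes.fromhex("82848b960c121824")
EXT_RATES_G = bytes.fromhex("3048606c")
RATES_B = bytes.fromhex("02040b16")

# Constructed signature table. A real profiler would populate this from
# captures of known driver/chipset combinations; these labels are hypothetical.
SIGNATURES = {
    fingerprint([(IE_SSID, b""), (IE_SUPPORTED_RATES, RATES_BG),
                 (IE_EXT_RATES, EXT_RATES_G)]): "driver-A (constructed)",
    fingerprint([(IE_SSID, b""), (IE_SUPPORTED_RATES, RATES_B), (IE_DS_PARAMS, b"\x06"),
                 (IE_VENDOR, bytes.fromhex("0050f2020001"))]): "driver-B (constructed)",
}


def classify(frames):
    """Profile each transmitter in a capture: {src MAC: (best label, frame count)}."""
    votes = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:  # beacons, data frames, etc. carry no probe fingerprint
            continue
        src, ies = parsed
        label = SIGNATURES.get(fingerprint(ies), "unknown")
        votes.setdefault(src, Counter())[label] += 1
    return {src: c.most_common(1)[0] for src, c in votes.items()}


def build_probe_request(src_mac, ies, seq=0):
    """Build a raw probe request frame (constructed test input, not a capture)."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    bcast = b"\xff" * 6
    header = (struct.pack("<BBH", PROBE_REQ_FC0, 0, 0) + bcast + src + bcast
              + struct.pack("<H", seq << 4))
    return header + b"".join(bytes([tag, len(v)]) + v for tag, v in ies)


# Constructed capture: two probes from a driver-A station (one directed, one
# broadcast), one driver-B probe on a different channel than the signature,
# one probe with an unknown IE order, and one beacon that must be ignored.
SAMPLE_FRAMES = [
    build_probe_request("00:11:22:33:44:55",
                        [(IE_SSID, b"corp"), (IE_SUPPORTED_RATES, RATES_BG), (IE_EXT_RATES, EXT_RATES_G)], 1),
    build_probe_request("00:11:22:33:44:55",
                        [(IE_SSID, b""), (IE_SUPPORTED_RATES, RATES_BG), (IE_EXT_RATES, EXT_RATES_G)], 2),
    build_probe_request("66:77:88:99:aa:bb",
                        [(IE_SSID, b""), (IE_SUPPORTED_RATES, RATES_B), (IE_DS_PARAMS, b"\x0b"),
                         (IE_VENDOR, bytes.fromhex("0050f2020001"))]),
    build_probe_request("cc:dd:ee:ff:00:11",
                        [(IE_SUPPORTED_RATES, RATES_BG), (IE_SSID, b""), (IE_EXT_RATES, EXT_RATES_G)]),
    bytes([0x80, 0x00]) + b"\x00" * 22 + b"\xde\xad",  # beacon-style frame, skipped
]

if __name__ == "__main__":
    for src, (label, n) in sorted(classify(SAMPLE_FRAMES).items()):
        print("%s -> %s (%d probe(s))" % (src, label, n))
```

The point of excluding the SSID and channel values from the fingerprint is that they are what the user or the scan loop chooses; the tag order and the rate list are what the driver author wrote, which is exactly why they survive across scans and can be attributed to an implementation. Two stations with the same chipset but different drivers will typically still differ here, and a station whose order matches nothing in the table is reported as unknown rather than guessed.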

25 Comments so far

  • Pretending to Be Mike Lynn

    August 5th, 2006 12:27 pm

    Actually, it did get me sued.

  • Kevin Johnson

    August 5th, 2006 4:42 pm

    It continues to amaze me that people are so focused on their idea of invulnerableness (did I make up that word?) that they will do anything to shoot holes in things.

    Kevin

  • chan

    August 5th, 2006 6:00 pm
  • Rui Carmo

    August 5th, 2006 6:10 pm

    Actually, I never said the Mac was invulnerable, nor am I in a blind panic.

    I have just published a rebuttal to Thomas’ piece, since I find this post to be a rather selective (and, in my view, rushed and misguided) quotation of my own article and wish to set the matter straight, re-focusing on what I think is important and debunking a few of his arguments (which, in my view, are simply not valid).

    I tried to explain the issues raised by that “exploit” (and, just as importantly, the way it was covered by the media) in layman’s terms precisely to try to avoid the sort of “blind panic” that articles like this seem to _expect_ that would happen, and Thomas completely ignored the points I tried to make.

    As to Maynor and Cache’s conduct, I am appalled that they would harp on about their success without publishing the details and subjecting them to proper peer review - a point which I think is valid for many other exploits and the way they came to light.

    Security is not about the limelight, guys. It’s about doing things the right way and making sure there are no loose ends. By rushing that video out the way they did and leaving margin for so many questions, they pretty much tainted their research.

  • Thomas Ptacek

    August 5th, 2006 7:23 pm

    At the risk of alienating a lot of smart people who read this blog in order to make myself feel better with a smart-ass response, I’m going to say that until such time as Rui Carmo starts producing security results in any of the literature or practicing security in any capacity, it will be a lot more about what we say it is than about what Rui says it is.

    You can read my response to Rui’s comments at http://www.matasano.com/log/rui-argument

  • Thomas Ptacek

    August 5th, 2006 7:25 pm

    Chan, I responded to Jim, insofar as I claimed that Maynor’s presentation was something that had “eaten into [Jim’s] brain”. I argue not that Jim doesn’t understand wireless networking, but that he hasn’t offered a single fact to tilt the “argument” about Maynor’s research in any direction, and that he should be prepared to apologize to Maynor when he’s proven wrong, as I am prepared to apologize to him if I’m shown wrong instead.

  • M

    August 5th, 2006 8:07 pm

    Rui Carmo “not qualified to give advice about security”? No, obviously not. Despite his years in information and mobile information security.

    Quite correct: those that will simply deny this was an issue need taking to task. However, I thought the points of Rui’s and John’s posts were that this wasn’t just about a WiFi hack; the dudes doing this were using it to have a pop at the Mac, quite unreasonably, singling out that machine and then not even using the on-board hardware. I don’t believe using the AirPort would have exposed any more information than they did using third-party stuff.

    It all seems a bit contrived; in fact, in one interview they said that they demo’d it on a Mac to attack the “smugness” that Mac users allegedly hold. Somewhat unfairly. Let’s face it, the headline “MacBook hacked in 60 seconds” is clearly scaremongering and could even allow normal PC WiFi users to think this exploit doesn’t apply to them, and it clearly does.

    If they are going to cover the idea that vendors are “under the gun”, that applies far more explicitly to PC users, since their chips can come from anywhere; Apple’s WiFi chips, as far as the end user is concerned, come from Apple.

    Just my 2 cents worth

  • Daniel

    August 6th, 2006 4:40 am

    OK, let’s put aside the technical aspects of this: Maynor did spend a huge chunk of his career at the PR firm called ISS.

    Yes, he fucked up with some serious PR headlining, owning a Mac in 60 seconds. I mean, Christ, do you see HDM making a video over the browser bugs? NO. Do you see Halvar getting out the handycam when he finds yet another Windows patch which has quietly fixed a serious hole in Windows 2003? NO.

    The thing which ruined it for me was:

    a: not having the balls to do it live at BH (hello, you’re telling me they couldn’t have done some extra security to ensure that no one could eavesdrop on the packets between the two laptops?)
    b: going all gung-ho and publicly stating “it eventually makes you want to stab one of those users in the eye with a lit cigarette or something”
    Yeah, really mature, kids. I mean, well done on acting like a professional and not like some spotty nerd who just had his C64 taken away.

    It’s no wonder big companies cannot stand security researchers. It’s not about the fact they find holes, it’s the way they go about telling the world.

    Admitting that they want to “stab one of those users in the eye...” is hardly grown up, is it?

    David, if you want the world to believe this, then have the balls to go public on what you have found and don’t use silly PR tactics and stupid comments.

    Nothing is secure if it’s been developed by a human being.

    /rant over

  • Thomas Ptacek

    August 6th, 2006 10:26 am

    I don’t know what ISS’s PR machine has to do with Maynor’s findings. Maybe you think the PR department at ISS “rubs off” on people after they’ve left the company. What I do know is that ISS has and continues to employ some of the smartest researchers in the industry. Money buys talent. ISS has money.

    Regarding doing it live — what “extra security measure” would you suggest?

    Regarding his comments — what does that have to do with his findings?

    I’ve been doing this stuff professionally since 1994, and I’ve been paying attention to dave for about 5 years now, and everything Dave Maynor himself has actually said so far, I believe.

  • Daniel

    August 6th, 2006 11:38 am

    Since ’95 for me, so yeah, also getting on a bit.

    Right, it’s been nearly a week since the announcement, yet have we any further information about this “remote” hole?

    Doing further analysis on the video, it seems he only gets local access; does he then use a known local issue to gain root? How does this affect the entire Mac range? Are we talking only Intel here, or the PPC generation as well?

    So many questions from a person from whom I would have expected a more grown-up and responsible approach, rather than the “gobbles”-style comments.

    His comments help justify the findings, surely? If you’re a business manager who has just been told of this issue and then told that the researcher wants to “put cigarettes out in a Mac user’s eye”, do you take him/her seriously or start asking questions?

    Thomas, you for one should have experience of how hard it is to sell security and what we do to the board level, without this kind of immature attitude when it comes to legitimate research. The sec industry is still young, and it’s hard enough changing the perception that everyone has of a security professional (we aren’t all wearing leather pants with black hair and refusing to speak to anyone who isn’t l33t).

  • Daniel

    August 6th, 2006 11:43 am

    Oh, and I’m not taking anything away from the issue; it’s a bloody brilliant finding and he’s done well.

    Now get on with the fix :0)

  • ivan

    August 6th, 2006 10:44 pm

    Looks like I missed all the fun at BH while hanging around with the academics at USENIX. So I will just ask: did Maynor produce some code to support the talk?
    I do remember his presentation about “USB insecurity” at CanSecWest and I was quite disappointed that no actual code was shown (as opposed to the excellent talk, demo and code from
    The best way to shut down all this Apple dogmatism is to quit ranting and start coding.
    OK now, where’s the PoC?

  • ivan

    August 6th, 2006 10:48 pm

    Oops, I mutilated my own post and left a sentence unfinished. I meant to say “as opposed to the excellent talk and demo about FireWire DMA owneage from Maximillian Dornseif (who actually showed his code and did the whole thing in a professional and to-the-point manner)”.

  • Thomas Ptacek

    August 6th, 2006 10:56 pm

    To be fair, Ivan, we didn’t show or demo anything at our talk, and we named tens of vulnerabilities in it.

  • Chris_B

    August 7th, 2006 1:20 am

    So many words wasted in so many places.

    Rather than “Dear Apple Pundits, Please Stop Writing About Security.” I’d just say “Dear Pundits, blah blah”.

    Not entirely sure who deserves the car battery hooked up to their nipples, but someone sure does.

  • Daniel

    August 7th, 2006 2:05 am

    That’s a pretty kinky punishment, and knowing most security peeps, they enjoy it.

  • ivan

    August 7th, 2006 1:03 pm

    Tom: That is fair, but fair does not make it right :)
    The general thinking among many at CSW 2005 was that USB owneage was theoretically possible but that Maynor did not show he had actually done it, so the value of his presentation dropped to near zero among technical people while it stayed quite high for non-techies and, most importantly, the press. Anybody can claim that this or that is insecure or flawed; the real hard work is proving it.

    It’s been over a year since CSW 2005 and I still haven’t seen a technical paper or sample code that demonstrates the problem beyond any reasonable doubt. Modern research requires that you allow your peers to scrutinize your methodology and the results of your work; otherwise it’s just a marketing campaign.
    You mentioned tens of vulnerabilities in your talk, and I am confident that the details about them will eventually see the light so anybody will be able to say that you’re not full of it. I don’t need the details because I’ve known you guys and your work for many years, but most others do need proof to take anybody seriously.

  • Thomas Ptacek

    August 7th, 2006 1:35 pm

    Fair enough, Ivan. I’ve been paying attention to Dave Maynor for the past couple years and have pretty much the same take on him as you seem to for us.

    Thank you, though!

  • dagmar

    August 23rd, 2006 7:42 pm

    “I’ve been paying attention to Dave Maynor”

    Does this translate into “I’m Dave Maynor’s buddy”?

  • Thomas Ptacek

    August 24th, 2006 12:20 am

    No.

  • Daniel

    August 26th, 2006 5:55 pm

    Thomas,

    Now that they have admitted there WAS ZERO issue with OS X drivers, do you still stand by your quote “and everything Dave Maynor himself has actually said so far, I believe.”

    I’ll quote from his site: “Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook”

    And then you said “Maybe you think the PR department at ISS “rubs off” on people after they’ve left the company.”

    Yes, I do think it rubs off. David used the MacBook for one simple reason: it’s all the buzz with the media at the moment, and he knew that it would get a shitload more airtime than using Windows XP.

    “Regarding his comments — what does that have to do with his findings?”

    Loads. His findings weren’t as brilliant as he made them out to be: “owning a MacBook in 60 seconds”, as long as you use a third-party wireless card and also connect to a rogue wireless connection.

    Yup, you can tell he worked at ISS for years!

  • Daniel

    August 26th, 2006 5:57 pm

    On a side note, do you think he would have got as much coverage as he did if he used the following title?

    “Owning a Dell with XP in 60 seconds”

  • Thomas Ptacek

    August 26th, 2006 6:56 pm

    I don’t think that’s what they’ve admitted.

    I’m going to withhold comment for a variety of reasons, with the promise that I will apologize and retract, in a separate post (not a comment thread), if the rest of this story breaks in a way I don’t expect it to.

  • Jim Thompson

    August 29th, 2006 1:37 pm

    Yeah, I’ll retract and apologize if it turns out that I’m wrong.

    But I don’t expect that there will be any need here.

    Can they smackdown a Mac with a foreign device driver? Sure thing.

    Is that what they showed?

    No way.

  • Brian Krebs Watch

    September 2nd, 2006 8:27 pm

    Query: SecureWorks has said “Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook”

    Do people think that this is referring to the mythical USB driver (which, in my mind, Jim Thompson has shown through the video doesn’t exist) or that they have a custom driver with the standard AirPort hardware?
