Debunktraq: More Mac Wireless Chaff Posts
Thomas Ptacek | August 5th, 2006 | Filed Under: Apple, Disclosure, Uncategorized
More Cache/Maynor “debunking”, from wireless expert Jim Thompson:
In summary I don’t think this is news, or newsworthy. It’s “spin”, and nothing more. As a none-too-subtle point, you’re very very likely “safe” from this attack if your Mac only uses its Airport card, and you’ve located no other 802.11 cards in your Mac.
Here’s Jim’s resume. I don’t think he’s stupid. So I have to ask, what is it about Maynor’s talk that is eating into people’s brains? Read this:
I find it too likely that Ellch and Maynor wrote their own driver for the victim machine, and once they have their own AP (the other notebook in the video), they’re running their own code on both ends of the link.
Maynor’s talking to me on AIM as I write this. His quote sums the situation up nicely: “If this were fake, I would be finished in this business.”
So let me turn that around on Jim Thompson, John Gruber, and Rui Carmo (thus far). Do you really believe that it is so unlikely that there could be a remotely exploitable software error in 802.11 driver code that you’d stake your reputations on your claims?
If (or, I think more accurately, when) you’re proven wrong in this, are you even going to apologize?


dre
August 6th, 2006 12:44 am
tom, you’re not only right - but it seems that you can also predict the future.
jim/ron/rui are obviously in tenet #1 of the kubler ross model of vulnerability management.
Matthew Brown
August 6th, 2006 4:26 pm
I think “what is it about Maynor’s talk that is eating into people’s brains?” is the way the story was told. Too much of an appearance of sleight-of-hand, of mirrors and illusions. Too much of an appearance of showmanship and headline-grabbing. And some pretty ill-chosen things to say outside of the video.
Perhaps those in the “black-hat” community like showmanship; however, outside, it leaves a taste of falsehood, regardless of the underlying exploit.
I think for this reason every time something is not shown, or shown misleadingly, it’s easy to assume bad faith and the worst possible explanation of Maynor’s motives.
E.g. the external USB wireless device used. I don’t buy the explanation “Apple wouldn’t let us show the exploit with the internal wireless”. It could simply be that it was easier to craft an exploit for the external - not necessarily that the internal is safe - but if so, say so.
Thomas Ptacek
August 6th, 2006 5:09 pm
Matthew, I think you’re going to find that if you read the coverage carefully, the “Apple pressure” accusations aren’t directly quoted. If you, like most Mac people, are deeply suspicious of Brian Krebs to begin with, I suggest you step back and consider whether there are alternate explanations.
It is very obviously “easy” to assume bad faith and poor motives; just read Mac blogging coverage of Maynor’s presentation.
The problem is this: lost in the shuffle here is the teeny, tiny little detail that Cache and Maynor’s presentation ISN’T ABOUT APPLE. It’s about vulnerabilities in wireless drivers, and how a remote attacker can figure out what chipset and drivers you’re running to target an attack.
Want to put this in perspective? Here’s some coverage Maynor got BEFORE THE WASHINGTON POST STORY:
http://www.darkreading.com/document.asp?doc_id=98989
Funny, I don’t see the Mac-baiting.
Jim Thompson
August 19th, 2006 4:31 am
Sure, if I’m wrong, I’ll apologize.
But pretty sure I’m not. After reviewing a high-resolution version of the video, it’s quite clear that the USB device was not in-use during the attack (at least, it wasn’t passing frames).
It’s the internal Airport card (!!) that has the 192.168.1.50 IP address.
Details here: http://www.smallworks.com/archives/00000461.htm
Do I think that a highly similar attack is possible? Of course, but Maynor and Ellch haven’t demonstrated anything that’s even close to what they claim.