All Eyes On ToorCon

Dave G. | September 28th, 2006 | Filed Under: Apple

We are days away from Dave Maynor and Johnny Cache’s ToorCon talk. There is no doubt that their talk is going to be interesting. There are a couple of ways this could go down:

  1. They don’t talk about the Apple situation at all. Certainly the easiest option. Let people think what they are going to think. Would be hard on the ego if they had something. Would be easy on the reputation if they had nothing.

  2. They insinuate but do not prove. Also easy. Tell a story about how bad Apple is/was to deal with. Easy for people to believe that vendors are bad.

  3. They prove they have/had a vulnerability. A little harder. Brings up a lot more questions. Did they provide enough information to Apple? Is it fixed? Did they reverse the patch and write proof of concept code?

  4. They prove they have an exploit. Pretty much the same as #3. The only question is whether they could have reversed the patch and written a remote kernel (heap) overflow in ~9 days.

Hopefully, whatever happens at ToorCon will end things, and we can move past the Perfect Storm of Disclosure.

12 Comments so far

  • Adam Shostack

    September 28th, 2006 10:28 pm

    Great post, but are you making book?

  • Nate

    September 29th, 2006 12:36 am

    Insinuate, not prove. They had vulnerabilities in Apple’s drivers, but maybe not the ones fixed. This is going to be yet another general talk about widespread flaws in all 802.11, not a specific exploit.

  • Dan Moniz

    September 29th, 2006 5:41 am

    There’s another “why it’s good” angle to option #1: saying nothing about Apple saves them from any gag orders or legal entanglements.

  • Kenneth F. Belva

    September 29th, 2006 7:56 am

    Hopefully if they demonstrate anything technical they will use full disclosure to avoid potential confusion this time around:

    http://www.bloginfosec.com/?p=26

  • Ryan Russell

    September 29th, 2006 3:14 pm

    Option 4.5 or 5:

    Their exploit still works because it’s not the one that Apple fixed, since Apple swears that they haven’t been given any details. Maybe David and Johnny will pick volunteers from the audience and pop their Macbooks. I can hope, can’t I?

  • Nate

    September 30th, 2006 5:04 pm

    I WIN. PAY UP, ADAM. ;-)

  • Adam Shostack

    September 30th, 2006 8:56 pm

    Nate,

    No problem! Payment at the agreed-upon odds in the agreed-upon and committed amounts is en route to you in the form of Chaumian gold-denominated Burmese opium futures. If you can certify your non-receipt, I’ll happily re-issue.

  • Nate

    September 30th, 2006 9:09 pm

    Well, since you didn’t state which side you were betting on in your post, you can just send me your bank details in a smart card.

    Back on topic — this is the most boring, uneventful disclosure ever. To spice things up in the future, I have a business model for you:

    1. Get together productive security researchers and form a non-profit corporation, “Researchers Committed to Advancing Full Disclosure”.

    2. Members’ dues go to 2 purposes: funding a large insurance policy to pay for legal defense and patenting the solutions to any flaws the researchers find.

    3. Others who support FD but aren’t security researchers can join too as a “non-publishing member” or “vendor member”.

    4. Researchers agree to release all findings as soon as they can be written up, no selling exploits or otherwise. Vendors agree to not sue in return for 7 day advance notice of flaws in their products. (Don’t like it? Tough, you can find out publicly along with everyone else then.)

    5. Everyone in the world is granted a royalty-free license to all solutions in the patent pool.

    6. Said license is immediately terminated and a patent lawsuit (and breach of contract) is filed, funded by the insurance policy, if any vendor sues a researcher who disclosed a finding according to the rules.

    It’s not about full versus responsible disclosure. It’s merely about power, namely vendors using theirs to threaten. Security researchers are at fault for letting themselves get pushed back this far. It’s time for things to get more balanced.

  • ErikC

    October 1st, 2006 12:22 pm

    >Security researchers are at fault for letting
    >themselves get pushed back this far.

    Yes yes, everything is the fault of security researchers, we’ve all heard that blame game before.

    Good luck trying to get hackers to uniformly adhere to any disclosure model. It has been tried many times before and each time it failed miserably. There are no rules in disclosure since the researchers make the rules up and only laws can tell them to do it any other way:

    http://www.zdnet.com.au/news/security/soa/Publishing_exploit_code_ruled_illegal_in_France_/0,130061744,139183862,00.htm

  • Ryan Russell

    October 1st, 2006 12:39 pm

    And we continue to have to read between the lines in order to get small pieces of the story. Johnny appears to have sent the text of his prepared speech to BoingBoing.

    http://craphound.com/cache_toorcon_2006.txt

    It contains this bit:
    “A few weeks later (one week before ToorCon) they patch it, and say we had nothing to do with it.”

    So Johnny says that Apple patched their hole.

    I now agree with Dave on the need for them to have published a hash of something ahead of time. I can’t believe how weird this thing gets.
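The "publish a hash of something ahead of time" idea above is a commit-and-reveal scheme: the hash goes public before the talk, the document is revealed afterwards, and anyone can check that the revealed text matches. The following is an added example of that scheme, not code from the post or any of its commenters; the placeholder write-up text and the 32-byte nonce are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def commit(document: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (commitment_hex, nonce).

    The commitment is SHA-256(len(nonce) || nonce || document). Only the hex
    string is published ahead of time; it reveals nothing about the document
    but later proves the author held exactly this text on that date.
    The random nonce stops anyone from confirming a guess of the document's
    contents by hashing candidate texts against the public value.
    """
    if nonce is None:
        nonce = os.urandom(32)  # assumed nonce size; keep it secret until the reveal
    h = hashlib.sha256()
    h.update(len(nonce).to_bytes(4, "big"))  # length prefix: unambiguous nonce/document split
    h.update(nonce)
    h.update(document)
    return h.hexdigest(), nonce


def verify(commitment_hex: str, document: bytes, nonce: bytes) -> bool:
    """Recompute the commitment from the revealed nonce and document and compare in constant time."""
    recomputed, _ = commit(document, nonce)
    return hmac.compare_digest(recomputed, commitment_hex)


def demo() -> dict:
    """Constructed walkthrough: commit to a write-up, then open it honestly and with altered text."""
    # Constructed placeholder standing in for the pre-talk write-up.
    writeup = b"Placeholder: description of a driver flaw, written before the talk.\n"
    published, nonce = commit(writeup)  # only `published` is made public
    altered = writeup.replace(b"before", b"after")
    return {
        "commitment": published,
        "valid": verify(published, writeup, nonce),     # honest reveal -> True
        "tampered": verify(published, altered, nonce),  # changed document -> False
    }


if __name__ == "__main__":
    print(demo())
```

A commitment made without the nonce is still binding, but a short, guessable document could then be confirmed by hashing candidates against the public value, so the nonce matters whenever the text has little entropy.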

  • Daniel

    October 2nd, 2006 4:00 am

    Ryan, I swear we should make this into a movie.

  • Brian Krebs Watch

    October 2nd, 2006 1:24 pm

    I’d read Jim Thompson’s latest post:

    http://www.smallworks.com/archives/00000466.htm

    Maynor claims that there is a problem with FreeBSD as well, but the maintainer of the FreeBSD drivers says Maynor has not contacted him.
