George Ou Goes All-In On Dave Maynor’s WiFi Findings

Thomas Ptacek | March 20th, 2007 | Filed Under: Apple, Disclosure, Uncategorized

In a ZDNet post today on Dave Maynor’s wireless finding from last year’s Black Hat, George writes about the “length Apple would go to and try to destroy the reputation of two security researchers.” Apple PR Director Lynn Fox, “the puppetmaster from start to finish”, demanded a “public confession” from Dave Maynor — and George has her in email to Dave’s employer at the time, SecureWorks:

Please confirm that you’ve received this and will post it without text changes on your blog and front and center on SecureWorks’ news & events page tonight. The placement of this post should be as prominent as the initial announcement of the exploit demo at Black Hat.

The money quote from what Maynor, Fox, SecureWorks and Apple apparently “agreed” on is this:

The MacBook is not inherently vulnerable to the attack, and I [Maynor] never said that it was.

George tracked Lynn Fox down. “Fox refused to speak on the record. But the bottom line is that Lynn Fox played […] the Mac press/blogosphere like a violin…”. Apple infamously went on to publish an out-of-band patch for their wireless drivers, “presumably for vulnerabilities that didn’t actually exist”.

The “smoking gun” here is the email message from Lynn Fox. Running in the manner of a news story on ZDNet.com, private email between SecureWorks and Apple does seem like a bombshell. But this mail doesn’t actually say anything.

George has now repeatedly gone on record arguing Apple orchestrated an unethical attack on innocent researchers. I happen to be on record agreeing with those points. But the confusion that still surrounds last year’s Black Hat debacle stems from Apple’s and SecureWorks’ refusal to document precisely what happened. That hasn’t changed:

  • Apple hasn’t confirmed that Maynor and Ellch provided them with documentation of the vulnerability they found.

  • Apple hasn’t published anything that can be directly traced back to a finding by Maynor and Ellch.

  • Maynor and Ellch have yet to verifiably repeat the demonstration they taped for Black Hat in 2006.

What we have confirmation of today is that Apple pressured SecureWorks to suppress Maynor’s claims. But that doesn’t actually mean anything. The pressure Apple brought to bear is exactly what you’d expect — demand, in fact — of the PR group at a public company that believed it was being damaged by slander.

There remain several crucial unanswered questions about this episode:

  • Precisely what information did SecureWorks provide to Apple in order to document their finding, and when was it provided? Apple could simply be lying. Apple’s internal communication could be awful, disconnecting Security from PR. Maynor and Ellch could have found something, but communicated it so poorly that nobody at Apple could verify it.

  • Why did Maynor agree to deny that he had a finding in the native Apple drivers, when he’s clearly documenting having those findings today? The crux of Ou’s article today is that Apple slandered Maynor and Ellch by orchestrating a backlash based on a phony “admission” — that the Black Hat talk relied on third-party drivers — that SecureWorks had been saying all along. But that obviously isn’t what Maynor actually believed.

  • If Dave Maynor and John Ellch didn’t find the driver vulnerabilities Apple patched, who did? Ou states outright that these are Maynor and Ellch’s findings, uncredited by Apple. But that’s not the only possible explanation. Take Maynor’s own talk at its word — like I do — and there are a myriad of vulnerabilities in driver code; findings in Apple’s (relatively complex) 802.11 drivers were thus inevitable.

  • Why hasn’t the 2006 presentation been repeated and verified by experts? At every step of the way since Black Hat 2006, new disclosures about Maynor and Ellch’s presentation have left more questions than answers. For example, the most recent authoritative disclosure, Maynor’s “once and for all” presentation at Black Hat, crashed his target instead of taking control over it. Sometimes that’s a relevant distinction, and sometimes it isn’t.

The most damning evidence against Apple uncovered so far is the patch, which appears to corroborate Dave and John, resisting Dave’s scripts only many weeks after his Black Hat talk. I believe Dave, but as a professional, I have to acknowledge that other people could have found those problems as well, in the window of time between Dave’s talk and the patch. After Black Hat, HD Moore wrote a trivial Ruby 802.11 fuzzer and crashed his PPC Mac drivers (with a different vulnerability) in a matter of minutes.

What bugs me most here is this: if Apple acted on Maynor’s advisory by patching flaws but slandering the researchers, they’ve acted disgracefully. But if Apple acted on their own internal research, and, in the middle of a PR maelstrom over wireless security flaws, managed to expedite important patches anyway, they acted nobly — far exceeding the standards set by the most responsive vendors today.

So, which is it, George? I’m asking point-blank: do you have further evidence to suggest that Lynn Fox should have known she was acting dishonestly when she coerced SecureWorks into posting a release so that she could have Apple pundits attack it? Or could a reasonable person instead conclude that Fox was acting to minimize the damage from a false security announcement?

You’ve directly accused Apple of unethical behavior. You might be right (it’s easy to see the case we’ve made about this). But making this accusation ups the stakes. I call. Show your cards.

67 Comments so far

  • Hal B

    March 21st, 2007 1:47 am

    Another question might be:

    If Apple’s modus operandi is to try to deny the existence of vulnerabilities and smear security researchers, why is it that only Maynor and Ellch seem to be victims of this policy?
    Has anyone else complained of similar treatment by Apple?

    If anyone (besides Maynor/Ellch) who is reading this has reported a vulnerability to Apple, how did your experience compare?

  • Nectar

    March 21st, 2007 10:06 am

    You wrote:
    > The most damning evidence against Apple uncovered
    > so far is the patch, which appears to corroborate Dave and
    > John, resisting Dave’s scripts only many weeks after his Black
    > Hat talk.

    What are these “Dave’s scripts” ? As I understand it, the crash he demonstrated at Black Hat DC 2007 only works on Mac OS X versions previous to 10.4.7, which was released in July: well *before* Black Hat USA 2006.

  • Thomas Ptacek

    March 21st, 2007 10:51 am

    Please be precise. He demonstrated the crash against 10.4.6. That doesn’t mean the crash doesn’t work against 10.4.7: you have no way of knowing that, because he didn’t give you the script.

  • Nectar

    March 21st, 2007 11:20 am

    You wrote: “Please be precise.”

    I’m requesting a clarification from you. You cite “Dave’s scripts” as “damning evidence”. We have available the scapy script from Dave’s presentation, but that is clearly not the script to which you refer (it doesn’t crash MacBooks). For all we know, Dave used one of the Metasploit scripts created long after Black Hat USA 2006 in his demo.

    To reiterate, you have written that Apple’s patch “many weeks” after Black Hat USA 2006 “appears to corroborate Dave” since it “resists” “Dave’s scripts”. Please be precise: What are these “Dave’s scripts” ? Inquiring minds want to know (^_^)

  • Thomas Ptacek

    March 21st, 2007 11:28 am

    I’m referring to “Dave’s scripts” in the abstract, but I can see why that’s confusing.

    Clearly, to take Dave at his word, he can do more than crash 10.4.7: he can bind a root shell and take over a machine.

    My point is, Dave has demonstrated that he can crash 10.4.6, and has demonstrated that he can’t crash 10.4.8. He has not demonstrated that he cannot crash 10.4.7, and, indeed, is asserting that he can. Do you have evidence to the contrary?

  • Johnny

    March 21st, 2007 1:31 pm

    There is no burden on Nectar or anyone else to show “evidence to the contrary.” The burden is on you to offer evidence that Maynor can crash 10.4.7.

    Nectar’s original point was to call this line into question:

    “The most damning evidence against Apple uncovered so far is the patch, which appears to corroborate Dave and John, resisting Dave’s scripts only many weeks after his Black Hat talk.”

    In order for this to be “damning evidence,” Maynor’s scripts must have been able to crash 10.4.7. Otherwise, as Nectar rightly pointed out, your timeline does not work, as 10.4.7 was released well before Black Hat USA 2006. (About a month before, to be more specific.)

    To support the apparent underlying assumption that Maynor can crash 10.4.7, you submit these two rationales:

    1. “He has not demonstrated that he cannot crash 10.4.7”
    2. “[He] is asserting that he can.”

    The double-negative line of reasoning is meaningless to any rational observer. I have not demonstrated that I cannot crash 10.4.7, either. Shall we assume that I can?

    As for the second rationale, we are beyond the point in this debate where “assertions” matter one whit. Isn’t that the entire spirit of the post above (a spirit with which I wholeheartedly agree)? Enough of innuendo and inference. Show the damn cards.

    In order for your argument about the Apple patches as “damning evidence” to make any sense, we must have reason to believe that Maynor’s scripts could crash 10.4.7. We have no objective reason to believe that he can or cannot.

    You say that you take Maynor at his word. That’s fine, but it doesn’t qualify as objective evidence. Don’t ask commenters to “be precise” and provide “evidence to the contrary” when you are forming an argument based on what boils down to a personal hunch.

  • Brian Krebs Watch

    March 21st, 2007 1:33 pm

    My understanding of the sample script Maynor points to in his presentation is directed at the Broadcom drivers, not the Atheros chipset inside of a MacBook. However, I would like to clear that up if anyone has any proof either way.

  • Thomas Ptacek

    March 21st, 2007 1:39 pm

    Johnny, you say this is a double negative:

    1. “He has not demonstrated that he cannot crash 10.4.7”
    2. “[He] is asserting that he can.”

    I’m not sure the words “double negative” mean what you think they do.

    Perhaps you can explain your logic more precisely, and then I’ll answer your points in more detail. Thanks, though.

  • David Maynor

    March 21st, 2007 1:45 pm

    @Nectar
    I think you are getting ahead of yourself. Why not just start simple. Does the scapy script that has already been distributed have anything to do with one of the broadcom flaws that apple patched…

  • David Maynor

    March 21st, 2007 2:04 pm

    @Johnny
    http://www.erratasec.com/10_4_7.png

    Wasn’t much of a burden.

  • Chris_B

    March 21st, 2007 9:15 pm

    As TP said, at best this new “revelation” just muddies the waters more. George Ou looks like even less of a journalist than before and Lynn Fox has new catch copy to add to her resume.

  • Nectar

    March 22nd, 2007 9:53 am

    David wrote:
    > I think you are getting ahead of yourself. Why not just start
    > simple. Does the scapy script that has already been distributed
    > have anything to do with one of the broadcom flaws that apple
    > patched…

    Are you saying it does? It doesn’t appear to. In any case, you
    continue to play the shell game. MacBooks do not use Broadcom.

    David wrote:
    > http://www.erratasec.com/10_4_7.png
    >
    > Wasn’t much of a burden.

    Haha, why be so obvious as you continue to invent “evidence”?
    After all this time, can you not even reverse engineer Apple’s
    patches and publish a proof-of-concept that others can verify? I
    like how you carefully covered up the stack trace in an effort to
    hide your misrepresentations. If this is the kind
    of “information” you provided Apple, it is no wonder that you
    find yourself in the position you are in.

    But that’s hardly even the point. You seem to avoid talking
    about your faked Black Hat USA 2006 video, preferring to focus on
    unrelated issues like Broadcom or Bluetooth or he said she said.
    Despite the fact that you “are no longer gagged”, it is clear
    that you cannot reproduce the scenario in the video, nor even
    give a technical explanation of the so-called vulnerability and
    how you exploited it.

    If you can, now is your chance. You may be able to snow some
    unfortunate journalists, but I think the readers of *this* blog
    are well-equipped to understand your detailed elucidation.

  • ivan

    March 22nd, 2007 10:51 am

    I will add my humble request to Maynor & co.
    1) SHOW THE EXPLOIT CODE, or;
    2) SHOW THE TECHNICAL DETAILS, or;
    3) SHOW THE ENTIRE EMAIL TRAIL,
    xor
    4) STFU

  • Thomas Ptacek

    March 22nd, 2007 12:13 pm

    I’m still taking Dave’s word for it, but I’ve gotta ask: you got 10.4.7 running and a script to repro this with, can you please get us a screen shot with a visible stack trace in it? Should take you like 2 minutes.

  • Steve

    March 22nd, 2007 12:58 pm

    Another screen shot? I agree with ivan. Show us something definitive, or just go away. No more videos, screen shots, friends in the press firing away. Just nice simple data. Code, details, full email thread.

  • Thomas Ptacek

    March 22nd, 2007 1:16 pm

    That’s not really fair; if he just posted the stack trace, you’d just say he typed it up himself.

  • Steve

    March 22nd, 2007 1:24 pm

    Perhaps I was a bit too brusque. At this point, I think the only thing Maynor can do is release enough detail so that other people can reproduce his findings. Whether it’s fair or not, his credibility has been in question for a while now, and the only way to repair it is full disclosure of the original flaw. Since he claims that Apple fixed it without crediting him, there should be no danger in release at this time.

    Of course, he doesn’t owe anything to anybody, but I’m shocked that he still seems to think that people will take him at his word, when there is so much skepticism surrounding his demonstration.

  • Brian Krebs Watch

    March 22nd, 2007 2:29 pm

    I think Tom made an excellent point a long time ago that what Gruber and other pundits were upset about was not Maynor per se; but how Brian Krebs of the Post blew this story up. There is a linkage, of course; Dave Maynor may be enjoying the PR he is reaping, or he may be hating it. You’d have to ask him.

    This is the same thing; it’s not about what we in the public may think of Maynor — that is irrelevant — but the problems of George Ou attacking Apple with very flimsy evidence. That certainly doesn’t help security researchers, either. Two stories is not “vast”, and so far the only evidence Ou has of a conspiracy is a reporter talking to Apple PR. That is what PR does, after all.

  • David Maynor

    March 22nd, 2007 5:00 pm

    @Nectar
    What do you mean “It doesn’t appear to.” Since you represent yourself as an expert, please enlighten us why it has nothing to do with the two Broadcom vulnerabilities?

  • Josh

    March 22nd, 2007 6:51 pm

    This is like watching a dog chase its own tail. I’ve never seen so much “song and dance” and redirection/misdirection.

    Obviously if there were something solid it would have been produced and reproduced by now to save reputations. It isn’t like people are not looking into this.

    I can take over a Mac using only a piece of tinfoil and my mind…screen captures and misleading information to follow.

  • Thomas Ptacek

    March 22nd, 2007 7:00 pm

    Definitely waiting to hear a vuln researcher speak up and say they DON’T want Maynor to clear this up by proving the exploit. Dave, can you just come up with something here?

  • David Maynor

    March 22nd, 2007 7:11 pm

    @Thomas
    The point of my last speech wasn’t to prove the vulnerabilities real, Apple already did that. My goal was to prove we did indeed know about them and that we told Apple about them. I can’t help but notice the fact that I already provided code to trigger one of the vulnerabilities patched by Apple and claimed had nothing to do with me keeps getting ignored by a lot of pundits.

  • JohnGruberIsARobot

    March 22nd, 2007 7:21 pm

    Convenient how after a Broadcom patch came out, you also found that vuln. Too bad you didn’t demo on a Powerbook, it might have actually been believable.

  • AConcernedResearcherInDenver

    March 22nd, 2007 8:01 pm

    This question still remains: what did Maynor demo for Brian Krebs here (http://blog.washingtonpost.com/securityfix/2006/08/the_macbook_wireless_exploit_i.html) and why hasn’t he demoed it ever again? Brian Krebs states that he saw DM get a shell from a macbook *without* a third party card plugged in. Demoing that live, *even after Apple’s patches were released*, instead of a remote panic, would really clear the air a bit. The legitimacy of the first video and Krebs demo is still called into question.

    I’m going to play devil’s advocate and argue something that I haven’t seen elsewhere. David did not fake the video nor the demo for Brian Krebs. But he also didn’t exploit a vulnerability in the wireless drivers shipped w/ OSX.

    In OSX 10.4.8, Apple fixed an integer overflow bug in an API for third party driver developers to use. It’s probably a safe bet to assume that the API is in userland. The third-party card that DM used at some point left some process that still used that API. The exploit for the video and Brian Krebs exploited *that* vulnerability. This may explain why there was no evidence in the video of a third-party USB card being plugged in (i.e. nothing in the ifconfig output). This may explain why the shell in the video started from the logged-in user’s home directory and why DM hasn’t shown us his ninja-like kernel connect-back-and-exec shellcode. It also could explain why Dave has been backtracking and misdirecting since then, because he can’t/won’t admit that the original exploit demoed was not actually in a device driver.

    We can even assume that Maynor was not aware that he was exploiting a bug in a third-party application at the time of the demos or conference. Perhaps it was only afterwards when it couldn’t be reproduced elsewhere that the panic and cover-up started. At that point, the media frenzy was on, and even a seasoned Public Relations company would have had trouble saving face and setting the story straight.

    Potential lessons to be learned: Double-check and verify your results. Keep good notes. Write fuzzers that record replayable test cases. Let’s all try to make security research something trustworthy rather than a media circus or another cold fusion story.

  • Steve

    March 22nd, 2007 8:12 pm

    @David

    You know what people would believe? The original code that triggered the vulnerability in August. Everything else is just inference and obfuscation at this point.

    Feel free to move on to new projects with your new company. I’ve mentioned before that you owe nothing to anyone. However, unless you provide actual information related to the Apple flaw from August, there are many, many people that will dismiss your claims to date. I’m not sure why you blame pundits, though….I see huge numbers of actual security professionals that remain unconvinced by your claims. Not that Mac OS X was vulnerable, but that you actually developed a working exploit.

  • David Maynor

    March 22nd, 2007 8:53 pm

    @Steve
    The importance of the code that has already been released is that it proves that I knew about at least one of the vulnerabilities before the patches were released. This is important because any code dropped now will be written off by people as coming from me reversing the patches after they were released.

    As far as huge numbers of security professionals doubting my claims? I must know different people than you, because I don’t. I see that claim a lot, “those guys are laughing stocks now”. I still write books, articles, and speak at conferences as well as provide services to my customers (which is the most important thing after all).

    What part is hard to believe, that there were vulnerabilities in Apple (that’s not up for debate thanks to Apple) or that I can muster up a few brain cells to write an overflow? If people feel that after 3 years of being an X-Force researcher I couldn’t cobble enough code together to get a working exploit then nothing will convince them. But then again this doesn’t explain away how I managed to tell Apple about at least one of the vulnerabilities months ahead of the patches.

  • Steve

    March 22nd, 2007 9:02 pm

    Best of luck to you, Dave.

  • David Maynor

    March 22nd, 2007 9:34 pm

    Thank you, sir.

  • Thomas Ptacek

    March 22nd, 2007 9:55 pm

    Ok, I’m glad you’ve satisfied Steve, but I’m in your corner here and without saying that “everyone says you’re a laughingstock” (demonstrably not the case), can I again ask you just to put this thing to rest and demo the exploit again?

  • Ryan Russell

    March 22nd, 2007 11:35 pm

    Maynor could post the full exploit to full-disclosure right now, and it wouldn’t make a bit of difference to the people I care about convincing: the Mac zealots.

    I’ve waded into the discussion generated by Ou a little, and they all think Maynor got the vuln from the patch.

    The stupid, it burns.

  • Anonytagonist

    March 23rd, 2007 12:05 am

    ummmm…

    Apple says that Maynor didn’t find a flaw, and so anything he claims to the contrary is wrong. So, he should publish all his code and ask us where he went wrong.

    Surely Apple would allow such a thing to save their good name.

    Ryan - the Mac zealots will face reality in due time, one way or another. The taste of truth will be bittersweet at best.

  • WiFi Tester

    March 23rd, 2007 12:13 am

    @David Maynor

    “…it proves that I knew about at least one of the vulnerabilities before the patches were released.”

    Apple patched the aforementioned vulnerability on September 21st. Your presentation at DC was on March 1st. That is not before.

    “…please enlighten us why it has nothing to do with the two Broadcom vulnerabilities?”

    I tried targeting my PowerBook (with Broadcom chipset and a fresh 10.4.6 install) with the scapy script from the slide titled “The pre-encrypted version” of your DC presentation. Nothing happened. The script sends the packets, but the PowerBook doesn’t seem to mind. This script has nothing to do with any vulnerabilities.

    “What part is hard to believe…”

    That you can muster up a few brain cells to write an overflow.

  • Question?

    March 23rd, 2007 1:11 am

    I’ve read that there is not one, single, solitary, exploitable piece of Mac OS X malware in the wild.

    Is this still true?

  • Thomas Ptacek

    March 23rd, 2007 1:41 am

    No.

  • Another Question?

    March 23rd, 2007 1:54 am

    Where can I find an updated list of malware that affects Mac OS X and read about them?

    Thanks!

  • Thomas Ptacek

    March 23rd, 2007 2:18 am

    You caught me. You’re right. No Mac malware.

  • JohnGruberIsARobot

    March 23rd, 2007 3:00 am

    @Thomas
    I’m afraid you misunderstood “one, single, solitary, exploitable piece of Mac OS X malware”…. Poster is looking for _exploitable_ Mac malware. That’s right, malware itself containing vulnerabilities.

  • Ryan Russell

    March 23rd, 2007 4:07 am

    I’m attempting to maintain a list of OS X-specific malware here:
    http://ryanlrussell.blogspot.com/2006/10/os-x-malware.html

    Those are my standards for “malware”, and they are documented in the post.

    Yes, this list is pathetically small. All you malware authors out there disappoint me. So far, KF is winning, big time.

    Sorry, I haven’t looked into which ones are exploitable.

  • David Maynor

    March 23rd, 2007 6:47 am

    @Wifi Tester
    So how does that explain I sent them email on August 9th, 2006 with details, before the patches were released?

  • David Maynor

    March 23rd, 2007 6:50 am

    @Wifi Tester
    If you are having problems triggering it, try running

    airport -s -r 10000

  • matt

    March 23rd, 2007 9:03 am

    OK, I’m just a lousy Mac fanboi (more or less), - certainly no security expert whatsoever) and I take the freedom to copy paste a comment I wrote at George Ou’s latest article on that “affair”.

    As Mr Maynor is reading/posting here, maybe he can comment on the following posting.

    Thanks
    Matt

    PS.: I am not sure if I misrepresent anything in that posting, in that case, I’d be thankful for any clarification…

    ___

    maynor says he found an exploit in the original apple driver.
    did he back up that claim? - no!

    he said he sent all the info to apple.
    did he backup that claim? - no!

    apple fixes a wireless vulnerability.
    was it the one maynor reported? - who knows?
    can maynor prove it was the one he reported? i guess so.
    did he prove it? - no!
    will he prove it? - no idea.
    why doesn’t he prove it? - Good question.

    apple says it didn’t receive any “usable” (significant or whatever the expression was) documentation of a vulnerability.
    can they prove that not having received the documentation? - I don’t think so.
    Can Maynor prove having sent the documentation? - If he indeed sent it, he can prove it, but why the hell doesn’t he do it?

    So, talking really slow here so that even George gets it:
    - Maynor says: Apple is bad, they fixed a bug but didn’t give credit, and they started a smear campaign against me and all the respectable bloggers who support me aka George Ou.
    –> You George, take that at face value, and support this position (May you even have proof, but neither you show us)

    - Apple says: We’re not evil (sorry for the pun ;), at least not in this particular case, Maynor didn’t show us significant evidence, because of all the hubbub we started looking and voila we found something and fixed something.
    –> You George, take that at as an outright lie. May you even have proof, but neither you nor Maynor show that proof.

    That’s where most Mac Users get angry.
    Most very well know that
    - the Mac is not unhackable.
    - vulnerabilities exist.
    - Apple could improve A LOT in communication.
    etc etc

    As long as there
    a) aren´t hundreds of viruses, trojans and exploits made for Mac OS X in the wild and
    b) hundreds of thousands of Macs taken over in order to serve botnets sending spam or launching DDOS’s,
    I continue to consider a Mac much more secure.

    There’s no problem of researchers
    a.) finding holes,
    b.) reporting them to the public
    c.) and to Apple,
    d.) and after a security fix is issued,
    e.) documenting the entirety of the possible exploit.

    In this case:
    e.) has never happened. (AFAIK)

    Therefore, we don’t know if
    d.) is actually correct, i.e. did Apple fix a bug Maynor reported

    And last but not least, regarding
    c.) No matter if Apple is right or wrong on this one saying they didn’t receive significant data regarding the Apple wireless drivers: ONLY Maynor CAN PROVE they in fact did receive the info, but he doesn’t come clean.

  • Thomas Ptacek

    March 23rd, 2007 9:18 am

    Nobody really cares whether you use a Mac or not. I use a Mac. I think this idea of the security of Macs that the Mac zealots have is a fiction. I don’t know why people with no exposure or experience to information security and vulnerability research insist that they can win arguments in those fields by sheer force of will and passion.

  • Thomas Ptacek

    March 23rd, 2007 9:20 am

    JGIAR: I know what the original requestor meant, which is why I didn’t simply name the OSX hypervisor rootkit we wrote as an obvious counterexample.

    At the same time, wow, what a double standard. The overwhelming majority of “malware” found on Windows doesn’t contain embedded vulnerabilities.

    Not sure who the Mac people think they’re convincing here. Do their Mac zealot friends read vuln research blogs to get their info? Because nobody who does security — I say this with some confidence — is swayed by these silly arguments.

  • Steve

    March 23rd, 2007 10:34 am

    I thought I was going to bow out of this discussion, but now I have to ask, Are there really Mac zealots out there that believe the Mac is impregnable? That Maynor made up the whole thing, and that there are no flaws?

    It seems like a huge straw man to me, since the Month of Apple Bugs racked up plenty of documented flaws in Mac OS X. Are there people out there that are really that oblivious, or is it just a convenient target to knock down whenever Maynor’s presentation is questioned?

    It’s not an exclusively Apple/Mac Zealots vs. Maynor/Krebs/Ou situation. There are the Full Disclosure zealots(*) as well, who don’t have a stake in the flaws themselves, only in their complete disclosure and documentation. From that side, we still don’t have the documented flaw in Mac OS X.

    *Yeah, that one’s me. Full disclosure (pun intended) and all that.

  • David Maynor

    March 23rd, 2007 10:46 am

    @Matt
    It sounds like the same type of comment I hear from people all the time. Statements are made as if they are fact by people who don’t have nor want all the information on what happened.

    Take the Wifitester guy who posted above. His intention wasn’t to test the script; he wanted to call me a liar. You can tell this because in his haste to prove me wrong he didn’t ask any of the important details like “what state is the machine in” or “is there anything I have to do to trigger the bug”. Nope, instead he declared he set up a machine and ran the script and nothing happened, thus proving his point I am a liar, and it doesn’t matter what I say or provide, people like that will never believe it.

    Take a similar incident that happened the year that I was also involved in as a member of the X-Force, the Cisco incident. Mike Lynn demoed a Cisco exploit that no one saw. Where is your outrage there? Who has duplicated that work since and released it, and that’s been almost 2 years now. Oh right, it’s Cisco, not Apple, therefore fan boys need not apply. Cisco later released an advisory for the problem and didn’t credit Mike and in fact went out of their way to promote their new security architecture. It’s the same situation but Cisco does not have overzealous fan boys that take offense anytime anybody dares to say that their machine of choice.

    And for the record, I don’t care if Apple credits me. I see so many quotes saying I am upset that I didn’t get credit. Who cares? I clearly say in the last slide of my presentation that it’s Apple’s decision who to credit.

    I have grown weary of this subject and should have adhered to my own “this is the last time I am talking about it” because every Mac fan boy will come out of the woodwork to try and stump me with their own self proclaimed “facts” and conspiracy theories about how this was all paid for by MS or some other such nonsense.

    I am done talking about this.

  • ivan

    March 23rd, 2007 11:36 am

    @David
    ok, so now that you’re done talking. How about producing some proof-of-concept code that demonstrates remote code execution in kernel on an unpatched OS X? There’s no need for a full shell, just an int 3 will suffice. Or barring that, how about a detailed description of the bug and an analysis of where the vulnerable code is and why it is exploitable.
    Or, if you’re not willing to do so, how about disclosing the email exchanges between you and Apple so the rest of the security community can see what really went on and derive conclusions on their own? You see, the vulnerability research and disclosure process needs transparency and to produce testable, peer review-able results if we ever hope to be considered part of a scientific community and your particular instance of the process is not helping. On the contrary, it hurts the whole community because it questions the legitimacy of our work.

    Sorry, but your appeal to authority (3 years @ X-Force) will not suffice to convince many of your peers, including me.
    What we needed here is something that will let someone else reproduce your experiment. That’s how modern science works; didn’t you hear about scientific research during those wonderful years at X-Force?
    Ohhh, btw, Michael Lynn did not need to show anything because FX demonstrated the exploitability of Cisco several years before him and because Cisco advisories have been acknowledging remote code execution possibilities since then.

  • Thomas Ptacek

    March 23rd, 2007 12:26 pm

    Again, Dave, while you’re going to respond to Ivan on this and not me (fairly enough): the issue with me at this point is, we’re STILL TALKING about this Airport bug (you gave a talk about it in DC), but we’re not simply PUTTING IT TO BED with a repeat of the demo.

    You can kill this whole discussion in a matter of minutes. You’ve taken the time to get 10.4.7 and 10.4.6 up and running on the vulnerable hardware. You have the tools together. You scripted this demo, professionally, for Black Hat. Just come up with a way to repeat it for us.

    That way, when the Mac people get on my blog and yell at me, I can say, “Hey loser! 10 security researchers with nothing to gain from lying vetted this demo. You were wrong!”

    That would rule a lot. Will you do this for us? I know it’s a pain, and that everyone you care about impressing already believes you, as they should. But not everyone we care about does. We’ll keep sticking up for you regardless. But helping clear this up would be a valuable favor.

  • Question?

    March 23rd, 2007 3:58 pm

    Sorry for the confusion… I wasn’t trying to trip anybody up with the wording, I’m trying to get clarification.

    I’ve heard that so far all the malware for OS X that is typically counted and that Ryan Russel lists is just proof-of-concept laboratory viruses created by anti-virus researchers. They don’t exist in the wild and never have, and most were patched and voided very quickly so they don’t work anymore.

    Is this true?
    Is there any known malware for Mac OS X in the wild? If so, how many of these are real and not just “concepts”? Any that actually still work?

    The second part is that even though some flaws have been found, not a single flaw has yet to lead to a workable exploit of the Mac OS X system.

    Is this true?
    If so, isn’t that a huge indication of the inherent security of BSDs?

    Again sorry for any confusion, trying to get clarity about some facts I’ve heard.

    Thanks again.

  • Remember Cold Fusion?

    March 23rd, 2007 4:14 pm

    They did it! Cold Fusion had been accomplished and was even validated by a second laboratory! The scientific journals in their haste all published articles. Oh wait, they might have got close and made progress, but in their haste they “stretched the truth”. Our energy problems were not solved.

    I dunno why I was reminded of that…

    There is a certain type of logic and reasoning that is intelligent, solid, and sensical, but it is covering rather than revealing the truth of something. The key indicator is that it uses a lot of redirection and reasoning as to why they don’t have to prove something. People who really already have the information to back up what they are saying never resort to these semantic dances or these lines of reasoning. It is only used by those avoiding or covering the truth.

  • Thomas Ptacek

    March 23rd, 2007 4:34 pm

    It’s as if Mac people think security people haven’t ever used BSD, or even seen it, before OS X came on the scene. When, in fact, many of us have had the commit bit on BSD projects. Myself included.

    Here’s a hint: many hundreds of blind remote exploitable security vulnerabilities have been found in BSD operating systems.

    What “inherent security of BSD” are you trying to teach us BSD developers about? I really want to understand this argument better.

  • Questions?

    March 23rd, 2007 4:49 pm

    Sorry, my wording keeps getting in the way of me getting the info I’m after. My question is simply:

    Is there any known malware for Mac OS X in the wild that isn’t just “proof of concept”, and if so, how many?

    Have any of these flaws led to a workable exploit of the Mac OS X system?

  • Thomas Ptacek

    March 23rd, 2007 4:51 pm

    The problem you have is the words “proof of concept”. Exactly what does that mean? Is an executable that I run with an IP address that gives me a bound root shell on that IP address, as long as it’s running OS X 10.4.7, a “proof of concept”?

    If you’re asking me, “are there any documented instances of criminals USING the vulnerabilities you find in OS X”, I have no way to answer that question. Not being a criminal and all.

  • one.miguel

    March 23rd, 2007 5:10 pm

    “Inherent security”? Thomas, I think the anonymous poster is trying to get you (or someone else) to say that Macs are more secure.

    Look, as far as I know, the Cook Islands have never had a terrorist attack. Does that mean they are more secure than the US? No, it means they were never targeted. Is the US more secure (i.e. have more defenses and is prepared to handle an attack) than the Cook Islands? Yes.

    Non-security people going on about how secure an OS is are just plain crazy.

  • Thomas Ptacek

    March 23rd, 2007 5:13 pm

    Back to “Safety” versus “Security”:

    http://www.matasano.com/log/644/safety-vs-security-2/

  • Questions?

    March 23rd, 2007 5:58 pm

    To Thomas, by “proof of concept” I mean that it only ever existed in an anti-virus or security expert’s testing lab, and that there is no actively circulating version of the code or program or malware in the wild. Is my term incorrect?

    What you answered wasn’t one of my questions.

    To one.miguel, no, sorry about your guess. I am trying to ascertain if certain statements I’ve been told are correct and to find specific numbers and get to the bottom of some facts. So much info on the net is just this same runaround back and forth as I’m seeing here. Having trouble finding where to look. Losing hope of getting direct answers here, as apparently I am asking in a way that is confusing.

  • Questions?

    March 23rd, 2007 6:01 pm

    Just to clarify, I need help finding that information. Are my questions clear enough to understand even if my terms are not all correct?

  • Different Logic

    March 23rd, 2007 6:06 pm

    Every operating system is different and hence has different strengths and weaknesses and hence different levels of security. Each was written by many different developers with widely varying security experience and checked for security; how could they all be the same? On the “Cook Islands” point, it is not just a matter of how attractive the target is; part of what makes a target attractive is how easy it is to exploit.

  • Thomas Ptacek

    March 23rd, 2007 6:23 pm

    That’s an impressively circular argument, “Different Logic”: OSX is hard to break into because it’s an unattractive target, and it’s an unattractive target because it’s hard to break into.

    You win! Us compiler-theoretic security types should just give up; OSX, with virtually no runtime security protections, is vastly more secure than any of the operating systems that do provide those protections.

    Also, most secure OS ever? SunOS 4.1.3U1. No worms, ever.

  • one.miguel

    March 23rd, 2007 6:47 pm

    My Commodore 64 and TRS-80 are “inherently” more secure than XP, Vista and OSX.

    “Questions?”: So far, you’ve stated that you’ve read that “there is not one, single, solitary, exploitable piece of Mac OS X malware in the wild” and that you are looking for factual answers. Wording aside, the question is irrelevant unless it’s to be used for marketing or zealoting. Better questions: Which operating system has more built-in security features? Which OS vendor is more security conscious? Vulnerability counts and malware tallies are not relevant to these questions.

  • Questions?

    March 23rd, 2007 7:19 pm

    Can someone just tell me where to find this info myself if you aren’t willing to tell me? Sometimes people just know too much to help…

  • Questions?

    March 23rd, 2007 7:35 pm

    one.miguel, I understand there is a difference between how theoretically secure an OS is by design, and how safe the end user is because there aren’t many actively developed exploits. I also understand that one is a possible indicator of the other. Need more information, not runaround. I’ve heard big claims, like the ones I’m trying to verify and get real facts on. I think you think I’m making them.

    Thomas Ptacek, are you saying that all OSes are the same as far as security? Or are you just arguing the reasoning? Hard to tell. Are certain OSes more secure than others?

  • ivan

    March 23rd, 2007 7:57 pm

    @Questions:
    Is this http://www.milw0rm.com/exploits/3064 good enough for you? Now shut up and go do your homework. The above link is the FIRST HIT of a Google search with the terms “milw0rm OS X”.
    Besides all technical facts about the built-in security capabilities (or the lack thereof) of OS X vs. other operating systems, I’m starting to think that OS X is becoming a more juicy target because most OS X users seem to be BLIND AND DEAF but, regrettably, not mute.

  • Thomas Ptacek

    March 23rd, 2007 8:38 pm

    As an OSX user since 10.0 — coming to it from Linux and BSD, not Windows — I think what pisses me off most is that the Mac “advocates” are hypnotizing developers into not taking security seriously.

  • Questions?

    March 23rd, 2007 8:57 pm

    Thanks for the link, not the attitude. I will do my homework. Good thing you already knew the name to search for. Why is everyone so bitter as to rip on anyone asking questions? That’s helpful…

  • Thomas Ptacek

    March 23rd, 2007 9:17 pm

    Blame your fellow Mac advocates.

  • Johnny

    April 8th, 2007 12:36 am

    Forgot about this thread. Obviously, it’s quite late, but I thought for Thomas’s edification I would note that the term “double-negative line of reasoning” was referring to this gem:

    “He has NOT demonstrated that he CANNOT crash 10.4.7” [emphasis added]

    Thomas, you used two negatives to insinuate a positive. I wonder, what do _you_ think the term “double negative” means?

    I hope this is “precise” enough for you. You’re such a stickler for precision! Except when formulating your own arguments, of course.

  • Thomas Ptacek

    April 8th, 2007 11:58 am

    I still have no idea what that “double-negative” statement means. The fact that Maynor didn’t demonstrate a 10.4.7 crash did not establish his inability to crash 10.4.7.
