My Response To Rui Carmo’s Response To Me, or, “We Need Threaded Blog Readers”
Thanks for following me. You huge dork. Anyways.
Rui Carmo’s followup arguments, and my responses:
Rui was “bridge writing” about Mac security (so that non-security-experts could understand it). I was not.
My response:
Apparently, Rui’s writing objectives excuse him from being correct or fair. I’ll keep that in mind. Meanwhile, we write unrepentantly for an audience of security experts. There are plenty of other places for laypeople to read about security, and I encourage Rui to peruse them to come up to speed.
Maynor and Cache talked to a reporter about something they had only shown him a video of, which renders my post null and void.
My response:
No, it doesn’t. Rui’s isn’t a real argument. Researchers can explain things one way to Rui Carmo and another way to the Washington Post. And they can brag about it, whether Rui likes it or not. No amount of criticism about the style of Maynor’s presentation changes the substance of what he has to say, and, at this point, the substance is a lot more important than the style, given the severity of the vulnerability.
The substance of what David Maynor has to say is that driver code, even 802.11 driver code, which is exposed to attackers on machines that don’t even have IP configured, has security vulnerabilities, and that one of those vulnerabilities is devastating to the integrity of some shipped Mac platforms.
Rui has recently acknowledged some of that substance (“device drivers are, in more than a few cases, very poorly written and tested”). His previous point did the opposite: by saying that the bug Maynor and Cache found should result in someone’s termination, he forcefully implied that the finding was anomalous.
Rui continues to be wrong about many other facets of the substance of Maynor and Cache’s work. He has not apologized for facets that he has acknowledged.
The argument that running the exploit would compromise the vulnerability, while showing a video wouldn’t, is childish.
My response:
Running an exploit over a wireless network in a room full of people who probably have Wireshark set up to start automatically when their machines boot up would, in fact, disclose the exploit, in that it would give several hundred security practitioners a packet trace which, when replayed, would probably cause MacBooks to generate connectback shells to them.
Giving a video of the same exploit would not disclose the exploit, in that there is no currently known technique for inferring the contents of packets travelling over a wireless network from the past, on film.
I feel like this is a pretty coherent argument and await Rui’s response to it.
Because my argument is childish, it’s legitimate to call into question whether I’m a Mac user who really does security.
My response:
Rui is correct. It is legitimate to call into question whether I am a Mac person who “really does security”. I can only offer in response these two things:
That I have been a Mac user, exclusively, since 10.0, and have never once even run Parallels (and, as a bonus fact, that I work for a company that has standardized on the Mac), and,
You will all have to make up your own minds on this one. Rui is welcome to demonstrate his reading comprehension and integrity to us with his response.
I glossed over his points on the Intel monoculture, which is evidence of the fact that I’m quoting Rui selectively and out of context.
My response:
Let’s do this backwards; here’s my post, here’s Rui’s. You make the call about whether I’m quoting him out of context.
Regarding the Intel monoculture: Rui’s argument is a stupid argument. If you do security professionally, you should not take Rui’s stupid argument seriously. Without harping on the specifics, I’ll address the broad strokes of it: that there’s an Intel monoculture, and that it impacts security.
First, given the amount of MIPS, SPARC, ARM, PowerPC, and ARC assembly I’ve had to wade through over the last 12 months, I feel confident in saying that whatever Intel monoculture Rui is talking about exists only in the narrow stratum of computing that he thinks about on a daily basis. Since he thinks about mobile phone infrastructure on a daily basis, I think he’s just being disingenuous; is he going to tell me he’s never had to look at ARM code?
Average exploit writers, even the talented ones, do not write PowerPC or Intel assembly for each exploit they build. A large subset of them couldn’t write assembly for any processor. Instead, they download shellcode. As evidence of this, I offer the first fucking links on Google for “Intel Shellcode” and “PowerPC Shellcode”, with the caveat that the PowerPC shellcode my partner Dino Dai Zovi wrote is both more popular and better than the first link for PowerPC.
Whether a vulnerability exists on a platform running on one extremely popular, well-documented CPU, or another, has absolutely no relevance to security whatsoever.
Short of encrypted compilation and execution of code on a general-purpose processor (some special-purpose processors do this; for general-purpose ones it exists only in Rui’s and my imagination), no amount of CPU diversity will make a dent in security. With the possible exception of split I- and D-caches (and those only because self-modifying shellcode has to flush the instruction cache before it runs), no architectural difference I’ve seen to date has slowed down buffer overflow exploitation. Unless Rui proposes a world in which there are hundreds, not tens, of target CPU architectures, he’s not even creating a speed bump in the hypothetical.
So, in this post, I have fully dignified and confronted Rui’s stupid argument. I feel like I owe him that much. Rui should be aware that both his and my pages will sit around the Internet for many years to come, poking each other in the eyes, persuading or not persuading many thousands of readers. Also, that I am right, that his argument is silly, and that it was a mistake for him to bring it up again.
By accusing Rui of being in a “blind, sweaty panic”, I am trying to create FUD. To be charitable, I’ll assume the FUD I am alleged to be creating is not “don’t use a Mac” FUD (since I’m a Mac user), but rather, “keep listening to me, I know more about security than Rui” FUD.
My response:
Guilty as charged.
Now, here are the points I made that Rui has not responded to:
That the Black Hat conference was not itself scheduled to coincide with WWDC, but rather was scheduled at approximately the same time as it is every year, and that Black Hat is the premier venue for work like Maynor and Cache’s, which makes the argument that Maynor timed it against WWDC sound both hollow and petty.
That last year’s “model” disclosure of Cisco vulnerabilities was dramatically less professional than Maynor’s, in that Maynor’s was coordinated with Apple and did not violate contracts, while Mike Lynn’s, much as I admire him, did, meaning that someone well-informed, evaluating Mike Lynn against Dave Maynor for “professionalism”, would not come up with the answer Rui did.
That remote code execution vulnerabilities inside drivers are not, under any circumstances, considered “bog standard”, and that the “bog standardization” of vulnerabilities is in any case not a useful risk assessment metric.
That the “impressiveness” of Maynor’s video was not abetted by the POSIX API, but rather by the fact that it results in a MacBook being owned as a result of its simply being turned on.
That talking about the level of userland privilege obtained by a driver exploit calls into question Rui’s comprehension of the implementation of that POSIX API, which is a long-winded way of again pointing out that it’s a kernel bug.
That, far from evading the topic of remotely identifying the “myriad” of different wireless chipsets and driver implementations, Maynor and Cache made that task the principal focus of their presentation, which Rui clearly has not taken the time to learn about, despite feeling comfortable using that presentation as a basis for calling Maynor’s professionalism and integrity into question.
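As an added illustration (this is not code from the original post, nor Maynor and Cache’s tooling), the two technical points above share one piece of plumbing: what a sniffer in the audience saves is the raw over-the-air frame, which is exactly why a packet trace of a live exploit is replayable, and the same bytes, once parsed, expose one of the passive features practitioners use to tell 802.11 driver implementations apart: the order in which a station’s probe requests list their information elements. The choice of that feature, and every sample frame, MAC address and IE ordering below, are assumptions constructed for the example, not real vendor signatures.

```python
"""Parse a pcap of raw 802.11 frames and pull a per-station driver fingerprint feature.

Added illustration; not code from the original post, Maynor, or Cache.
Assumed feature: the ORDER of information-element tags a station puts in its
probe requests, which varies between driver/chipset implementations.
All sample frames below are constructed, not captures of real hardware.
"""
import struct
from collections import defaultdict

DLT_IEEE802_11 = 105          # pcap link type: raw 802.11 frames, no radiotap header, no FCS assumed
PCAP_MAGIC_LE = b'\xd4\xc3\xb2\xa1'
PCAP_MAGIC_BE = b'\xa1\xb2\xc3\xd4'
SUBTYPE_PROBE_REQ = 4
# Bytes of fixed fields between the 24-byte MAC header and the tagged parameters.
MGMT_FIXED_LEN = {4: 0, 5: 12, 8: 12}   # probe request, probe response, beacon


def parse_pcap(data):
    """Yield (ts_sec, ts_usec, frame) per record; frame is the raw over-the-air bytes."""
    if data[:4] == PCAP_MAGIC_LE:
        endian = '<'
    elif data[:4] == PCAP_MAGIC_BE:
        endian = '>'
    else:
        raise ValueError('not a classic pcap file')
    _major, _minor, _tz, _sig, _snap, linktype = struct.unpack(endian + 'HHiIII', data[4:24])
    if linktype != DLT_IEEE802_11:
        raise ValueError('expected raw 802.11 frames (DLT 105), got DLT %d' % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break                                   # truncated capture: stop cleanly
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def parse_ies(body):
    """Return [(tag, value)] from a tagged-parameter block, stopping at a truncated IE."""
    ies = []
    off = 0
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            break                                   # never read past the frame
        ies.append((tag, body[off:off + length]))
        off += length
    return ies


def parse_mgmt_frame(frame):
    """Decode a probe request/response or beacon; return None for anything else."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3                        # 0 = management
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT_FIXED_LEN:
        return None
    src = ':'.join('%02x' % b for b in frame[10:16])   # addr2 = transmitter
    body = frame[24 + MGMT_FIXED_LEN[subtype]:]
    return {'subtype': subtype, 'src': src, 'ies': parse_ies(body)}


def ie_order_fingerprint(pcap_bytes):
    """Map transmitter MAC -> set of IE tag orderings seen in its probe requests."""
    seen = defaultdict(set)
    for _sec, _usec, frame in parse_pcap(pcap_bytes):
        parsed = parse_mgmt_frame(frame)
        if parsed and parsed['subtype'] == SUBTYPE_PROBE_REQ:
            seen[parsed['src']].add(tuple(tag for tag, _ in parsed['ies']))
    return dict(seen)


# --- constructed sample capture (no real vendor signatures implied) ------------
def build_probe_req(src, ies):
    header = struct.pack('<HH', 0x0040, 0) + b'\xff' * 6 + src + b'\xff' * 6 + b'\x00\x00'
    return header + b''.join(bytes([tag, len(val)]) + val for tag, val in ies)


def build_pcap(frames):
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1000 + i, 0, len(f), len(f)) + f
    return out


STA_A = bytes.fromhex('020000000001')   # locally administered MACs, made up for the example
STA_B = bytes.fromhex('020000000002')
RATES = b'\x82\x84\x8b\x96'
EXT_RATES = b'\x0c\x12\x18\x24'
HT_CAPS = b'\x00' * 26
IES_A = [(0, b''), (1, RATES), (50, EXT_RATES), (45, HT_CAPS)]                   # ext rates before HT
IES_B = [(0, b''), (1, RATES), (45, HT_CAPS), (50, EXT_RATES), (221, b'\x00\x50\xf2\x02\x01\x01')]
DATA_FRAME = struct.pack('<HH', 0x0008, 0) + b'\x00' * 20 + b'payload'           # type 2 = data, ignored
SAMPLE_PCAP = build_pcap([build_probe_req(STA_A, IES_A), DATA_FRAME,
                          build_probe_req(STA_B, IES_B), build_probe_req(STA_A, IES_A)])

if __name__ == '__main__':
    for mac, orders in sorted(ie_order_fingerprint(SAMPLE_PCAP).items()):
        print(mac, sorted(orders))
```

The parser deliberately stops at the first truncated IE rather than reading past the frame, since malformed tagged parameters are exactly the input a driver-fuzzing effort would throw at a stack like this, and a fingerprinting tool that crashes on them is no use. Everything `parse_pcap` yields is the unmodified frame, which is what an injection tool would write back out.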
I eagerly await Rui’s response to this post, especially because between Rui Carmo, John Gruber, and Jim Thompson, Rui’s arguments are those least likely to involve casting me as an anthropomorphized list selection behavior playing the part of a washed-up hair metal rhythm guitarist (that’s Gruber, if you don’t get the joke [1]) or scrambling to read and cite standards documents.
[1] which joke, while paying obvious respect to Gruber’s tremendous talent for writing, is not intended to condone his argument about Maynor’s finding, which is as (x) irresponsible as it is (y) counterproductive to Mac security, where (x) is “grossly” and the solution for (y) is left as an exercise for the reader. But, thank you for Markdown.

