Johnny Cache Breaks Silence On Wi-Fi Exploit

Joe Barr writes, "Johnny Cache — aka Jon Ellch — is chafing under the cone of silence placed over him and co-presenter Dave Maynor about the Wi-Fi exploit they presented at Black Hat and DEFCON last month. So he has finally broken his silence on NewsForge in hopes of ending the personal attacks coming from what he implies is a smear campaign started by Apple." (Newsforge and Slashdot are both owned by OSTG.)

Johhny Cache writes, "If you're going to post a news story that is a rehash of my post to a mailing list, I would much prefer it if people actaully just read the post in its entirety."

chafing

[Gary W. Longsine]

under the cone of silence... give me a break.

Re:

[RKBA]

I would guess that the video is real, but that Cache didn't want to implicate and thus anger Apple, so he falsely claimed he was accessing the Apple computer via an external card rather than Apple's built-in card. Too bad he wasn't totally honest (apparently).

Re:

[Lars T.]

Yeah, it makes so much sense that almost everything they said was a lie, just not that they actually cracked anything. All because they did not want to anger Apple - anymore than using an Apple, saying Apple's are vulnerable too, saying they want to put out a cigaret in Apple users' eyes, talking about Apple smear campaigns, et bloody cetera.

So..?

[ericdano]

So, is he going to take Daringfireball's [daringfireball.net] challenge or not? I think his whole thing has tarnished him, and he won't recover.

Re:

[RickHunter]

Of course not. There's no exploit. If there was, he'd be walking away with a free Macbook.

Re:So..?

[Who235]

Maybe he doesn't want one, seeing as how they're so easy to exploit. . .

Re:

[Anonymous Coward]

And some huge legal costs.

I mean, MacBooks are overpriced, but not that overpriced.

Re:So..?

[Thrip]

So, if I put on my blog that I challenge George Bush to provide some proof of [pick anything that's ever come out of his mouth], at a mall of his choosing, and I'll give him a free laptop if he does it, and he never shows up, that proves ... what exactly?

I'm sure John Gruber's blog is extremely important to John Gruber, but if some guys who are clearly dealing with a mountain of legal issues right now choose not to meet him at the mall, you can't take that as evidence of anything -- except that Gruber's pretty clever at diverting attention to himself.

Re:

[Rocketship Underpant]

The difference is that John Gruber is probably the most-read and most respected Mac technology pundit and blogger out there. His challenge is a high-profile one, certain to get the attention of the "journalists" and hoaxsters who started this whole thing. Heck, just look at how many Slashdotters here know about his challenge.

Re:

[schon]

You aren't even making a good argument, and bringing in a strawman (IE: Bush) isn't going to help you.

He's making a great argument - I'd say that the fact that you don't know what a strawman is stopping you from understanding it.

Re:

[droopycom]

Huge media ruckus ? They only did a presentation at a security conference... hardly a media ruckus...

Re:So..?

[mellon]

The way these things work is that when someone hacks your hardware, you get an injunction to stop them from talking about it. If they talk about it, they go to jail for contempt of court. If you were to RTFA, you might get the very strong impression that he's under an injunction of this type.

It's always fun to look for bad guys in situations like this, but both Apple and Mr. "Cache" here are wearing white hats. You want both of them to be doing what they're doing, and it's lame to make it into a flame war. You want Mr. Cache breaking drivers, because then they get fixed, and your Mac doesn't get 0wned when you're down at Starbucks watching YouTube videos.

And you want Apple to try to dissuade him from publishing his hack, because you want them to fix it before every random hacker figures it out, and the sooner he publishes, the sooner the black hats will have an exploit. So if Apple doesn't get him to stop talking, maybe your Mac will get 0wned down at *$$.

But you still want Apple to be paranoid about the information getting out, so that they release the bug fix quickly, not slowly. And so what he's done with this article is useful, because he's basically said how the hack works, and now presumably the black hats are working on trying to duplicate the hack. And Apple knows this, and so the patch release will probably come sooner. And so your laptop won't get 0wned at *$$. W00t!

What I don't see here is bluster. This isn't high school. People don't get up on stage at defcon and claim to have hacked something they didn't really hack. The reason they do these hacks is to improve security, not to count coup. You owe the guy your thanks, not your hopes that his reputation is ruined.

Re:

[ericdano]

False. I'm sure if he was selling snake oil that would protect you from spam and other nasty things you'd believe him as well.....

Re:

[dave562]

What I don't see here is bluster. This isn't high school. People don't get up on stage at defcon and claim to have hacked something they didn't really hack.

Very, VERY true. Ever since DefCon started it has been LEGIT. It isn't smoke and mirrors. It isn't your typical security conference where the guys on stage are just parrotting information to you that they learned from someone else. The guys on stage are the guys doing it. They're the modern day l0pht crew, the Mudges and Aleph Ones of the 21st cen

Re:So..?

[Reverberant]

The way these things work is that when someone hacks your hardware, you get an injunction to stop them from talking about it. If they talk about it, they go to jail for contempt of court. If you were to RTFA, you might get the very strong impression that he's under an injunction of this type.

Instead of letting us infer the facts, why not just say "because of a court order, we can't talk about it"? It happens all the time [google.com].

If there is a hack, I want to know. I'm not looking for details, I just want the answer to Jon Gruber's question [daringfireball.net]: "Have Maynor and Ellch found a vulnerability that affects MacBooks using Apple's built-in cards and drivers?"

If the answer is "yes" or "no" just say so! If they're under a gag order, just say "We're under a gag order." Asking us to read between the lines isn't cutting it.

Not to mention that the ad-homs aren't helping his credibility...

Re:

[mellon]

If you're under a gag order, there's a decent possibility that the gag order forbids you to talk about the gag order.

Re:

[WatertonMan]

If you're under a gag order, there's a decent possibility that the gag order forbids you to talk about the gag order.

The first rule of fight club is . . .

Oh, ok. I know it's cliche...

Re:

[dozer]

You're expecting him to spend at least a day, maybe two, just to win a $1200 computer?

If he really wants to call a big bluff, why doesn't "daring" fireball at least put up some decent stakes?

Re:

[ericdano]

Why? The original thing was supposedly in 60 seconds. $1200 for 60 seconds of work sounds pretty good to me.

Re:

[Sancho]

Did you read the relevant articles? The challenge didn't allow for more than one attempt, that I could see, whereas here's Johnny (heh) saying that it could take multiple attempts to exploit the race condition correctly (since it's timing based and they haven't implemented it with RTC).

It's interesting that we learn this now because it gives (another|the real) reason they didn't demo the exploit at Blackhat/Defcon: it might not have worked. I wonder how many takes they had to do to get the exploit to wor

Re:

[ericdano]

See, here is the problem. If you read the newsforge article [newsforge.com] they said "Security researchers Dave Maynor of ISS and Johnny Cache -- a.k.a. Jon Ellch -- demonstrated an exploit that allowed them to install a rootkit on an Apple laptop in less than a minute." In fact, Ellch's new company publically flaunts [secureworks.com] this. So, is it a real thing? Now, Ellch is backtracking, saying new things. Whatever. He's a Bullshit artist.

Re:

[Sancho]

How is he backtracking? The newsforge article you quoted even points out that it was a video. They could have tried a dozen times before they got it right, but once they get it right, it happens in under a minute. Now if that's the exploit, it's not really a great one or a particularly big deal--yet. But if his suspicions are true and the exploit can be made more precise, then it /could/ be a problem.

Also, the point of the Blackhat/Defcon talk was actually not about proving Macs are vulnerable--it was a

This guy really is full of himself

[Mononoke]

He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it,

Most of any community is not going to understand it, including this community. He comes across as nothing more than an attention-whoring little hacker with an axe to grind against Apple.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:This guy really is full of himself

[MrResistor]

So what if he is? If his hack works, it works. Period.

An attack on his personality doesn't invalidate that.

Re:

[Tim Browse]

An attack on his personality doesn't invalidate that.

You must be new here.

Re:

[MrResistor]

You got poor marks in reading comprehension in school, didn't you?

Nowhere did I assert that his hack works. That's what the "if" in that statement means. Here, let me highlight it for you in case you missed it:

" If his hack works, it works."

What I did assert is that his status as an Apple-hater has no bearing on the effectiveness of his hack.

Re:

[Anonymous Coward]

Ah, much like the slashdot community with Microsoft

The only difference is most of us don't need a rigged demo to break into a Windows machine...

Article text

[Anonymous Coward]

Johnny Cache breaks silence on Apple Wi-Fi exploit

Monday September 04, 2006 (01:07 PM GMT)

By: Joe Barr

Jon Ellch -- aka Johnny Cache -- was one of the presenters of the now infamous "faux disclosure" at Black Hat and DEFCON last month. Ellch and co-presenter Dave Maynor have gone silent since then, fueling speculation that the entire presentation may have been a hoax. Ellch finally broke the silence in an email to the Daily Dave security mailing list over the weekend, and one thing is clear: he is chafing under the cone of silence which has been placed over the two of them.

Ellch explains their silence since the presentations in his email by saying:

        Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch. Whether or not this position was taken after a special ops team of lawyers parachuted in out of a black helicopter is up for speculation.

He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something."

Ellch then breaks down the elements of the vulnerability and possible exploits, but in the context of Intel drivers rather than Apple's, asking and then answering the obvious question of why he did so when he wrote: "Why am I switching the subject from Apple's bug to Intel's? Because it's patched, and Secureworks has no influence over what I say regarding this one."

He buttressed his explanation of how he crashed the Intel Centrino driver by creating a race condition by flooding it with UDP packets and disassociation requests with links to dumps of crashes he caused using this technique.

Ellch notes that a crash caused this way doesn't guarantee a successful exploit, saying "If you're lucky, your UDP packet will end up on the stack. If you're less lucky, a beacon packet from a nearby network will end up on the stack. In the case where I successfully overwrote eip (Extended Instruction Pointer), the UDP packet was 1400 bytes."

He also responded to criticisms that he and Maynor have simply been "playing the media" instead of reporting an actual vulnerability and exploit, saying:

        You know, of all the comments I see, the ones that 'we played the media' make the least sense. Have you ever seen me in the news before? No. Have I ever talked to a reporter before? No. Am I doing a very good job of winning this PR smear campaign lynn fox ignited? No. If I was so deft at manipulating the media, would I be explaining myself on dailydave praying that a few technically competent people will actually get it?

I contacted Ellch by email after reading his post and asked if he was claiming Apple is the cause of their silence. He replied:

        Let's just say its pretty obvious I'm not happy about being silent. So much so that i'm releasing non-apple bugs to convince people that we do in fact know what we're talking about.

Re:

[rbannon]

I still don't see him coming clean on this one. Or maybe, like he says, people like me won't understand it anyway.

In any case, I think he's really not being forthcoming with respect to what the hack entails, and maybe that's due to Apple's aggressive lawyers. In any case I'd like to see more details.

Re:

[cHiphead]

my guess would be its another NSA exploit built into wireless cards. It'd make sense. Plus his reference to black helicopters in a seemingly innocent but suspect way.

*engage nutjob conspiracy theories*

Cheers. ;)

It's not tech details, it's proving it works

[eggboard]

Ellch misdirects attention very clearly. The "Mac bloggers," which include a lot of non-Mac bloggers, have generally said, look, if what Ellch and Maynor showed Brian Krebs is true, then just demonstrate the real Apple exploit without revealing details.

The article above states, "He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something." "

Thanks for the condescension! It's not necessary. I will note that no one sensible, including myself (over at wifinetnews.com) has asked for the code. Rather, we've asked for Maynor and Ellch to either state that they mislead Brian Krebs, that Apple lied when they stated the company wasn't presented with credible evidence, or that they have material that Krebs saw and Apple hadn't seen yet.

John Gruber did a face-off, not asking for the code, but asking for a simple demonstration with a $1,099 plus sales tax prize.

How does Gruber not understand the technical details when he isn't asking for them? He's asking for a black-box showdown.

Exploit is in the centrino driver

[mveloso]

The exploit is in the centrino driver. Everyone assumes that the Mac airport driver is based on Intel reference code, but it may not be. If it was, you would think that they would have talked about that more.

Note that for this exploit to work, the network needs to be active (ie: both cards need to be joined to a base station). Why? Because you can't send UDP packets to something with no IP address...unless they're blasting WiFi cards directly, which seems unlikely.

Re:

[eggboard]

It's tricky here because Maynor/Ellch made statements to Brian Krebs about it being a native exploit. They haven't repudiated that, and they won't comment on it. Apple's statement was about the "evidence" that Apple had received, which, at the time Apple made the statement was -- if you trust a multi-billion-dollar company familiar with shareholder lawsuits -- not evidence of an exploit.

The issue now is that Ellch won't (says he can't) talk about the Apple stuff, but says Apple will release a patch. But the

"Implies" my fanny. He says it right out.

[Shayde]

If that's just an 'implication', I'll eat my hat. It's pretty obvious that his going silent is the result of Apple putting the thumbscrews to him. He states that the ONLY reason he's saying something now is because he's talking about Intels drivers, not Apples. It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks, forcing him to be quiet until they get a patch out. This way no one can report about the 'insecurity' of the OSX platform - there are no exploits, see? As long as you're patched and up to date!

Re:"Implies" my fanny. He says it right out.

[rbannon]

If that's true, I think Microsoft should hire away Apple's lawyers.

Re:

[Mononoke]

So Apple is supposed to patch someone else's drivers for a wi-fi card that would never be used with a Mac?

Apple probably looked at these guys and laughed.

Next thing you know, these guys will be "discovering" cold fusion.

Re:"Implies" my fanny. He says it right out.

[Anonymous Coward]

<blockquote>So Apple is supposed to patch someone else's drivers for a wi-fi card that would never be used with a Mac?
Apple probably looked at these guys and laughed. </blockquote>

Silly rabbit! What the author is inplying, very transparently, is that they found an exploit in the Apple driver that is very similiar to the one in Intel's driver.

Due to his NDA with his company he can't say what he might know about Apple's driver, but he can certainly point out a similar bug and exploit with a similar Intel driver and let you infer what you will... namely that a very similar bug exists in the Apple driver.

Now, whether that's true or not... that's another story.

Re:

[Leto-II]

The reading comprehension skills you've exhibited in this post is not what I've come to expect from such a low userid.

When did 5 digit user ids become "low"? It's just recently that /. broke 1,000,000 so around 10% of the users have a 5 digit id or lower.

How is it "obvious" ?

[Infonaut]

It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks

If Apple's lawyers wrote a nastygram to these guys, don't you think we'd have seen it by now? The first thing anyone in a public situation like this does when they get pressure from the big players is to publicize the legal threats.

At the moment all we have is the word of someone who cast aspersions at Mac users, disingenuously claimed that he was exploiting Apple security flaws, and now claims (not so subtly) that Apple's lawyers are the reason he can't come clean.

Just paranoid delusions?

[masonbrown]

I still don't see any proof that Apple's lawyers have done anything.

I can imply very loudly that Microsoft has been threatening me for years, but that doesn't mean they even know I exist.

Re:How is it "obvious" ?

[Cysgod]

When I published my OS X remote root (link-local remote root for the pedantic), a poorly chosen use for DHCP [carrel.org], Apple had advance notice of when I was going to release it, numerous avenues to attempt contact and I didn't hear one peep from Apple Legal. That this guy was suddenly chilled [chillingeffects.org] and can't produce evidence of it other than making vague insinuations just sounds hoakey to me.

If he doesn't feel okay about releasing details until they've patched the driver that's one thing. But insinuating that the big bad lawyers have silenced you is quite another. The only circumstance I can think of where they could actually be legitimately silenced is: they are/were being paid to do pen testing for Apple, they submitted this bug, they blabbed about it at a conference when they were under a contractual NDA, they're now claiming they didn't say enough violate the NDA and are remaining mum until the rest of the details go public.

Given the nature of this scenario (i.e. that they'd have to have violated an NDA to wind up where they are insinuating they are now), I'm not overwhelmed with trust for the researchers who are positing this security hole's existence. On the other hand, I was led on and on by Apple waiting for them to release a patch for my earlier security issue that had a similar attack vector and security impact to this posited new security hole. If these researchers are actually waiting, we may all have to sit around for a good long while before the proof is actually shown.

This dilemma is more evidence of why full disclosure [wikipedia.org] is a good idea.

Re:

[bnenning]

It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks

Perhaps to you. To others, it's "blatantly obvious" that he has some weird issue with Apple and enjoys spreading FUD. His "clarification" provides no support either way.

He states that the ONLY reason he's saying something now is because he's talking about Intels drivers, not Apples

Or maybe that's all he actually has an exploit for. I don't know, and neither do you.

Re:

[Scrameustache]

This way no one can report about the 'insecurity' of the OSX platform

Then what, pray tell, are you doing right there in that post of yours?

there are no exploits, see? As long as you're patched and up to date!

That's right, they get him to shut up about the how-to, they fix the hole, and voilà: no exploits in the wild! Everybody wins.

Re:

[WaltFrench]

> It's blatantly obvious that Apple's lawyers have
> come down on him like a ton of bricks, forcing
> him to be quiet until they get a patch out.

The least likely answer, actually. From the various info, this is not even an exploit of Apple hardware or software. What's to patch?

Any Apple lawyers parachuting from black helicopters (a rather calm, reasoned metaphor, wouldn't you say?) are probably telling him that claims about *Apple OSX* insecurity that are false would be defamation. While Americans a

Re:

[Dun Malg]

So THAT's why Apple's oh-so-vicious lawyers let them GO AHEAD AND USE A MAC IN THE FUCKING DEMO. Riiiiiiighhht. Puleeeze.

Last I checked, lawyers generally have fuck-all authority to prohibit your use of hardware that you own, genius.

Re:

[NMerriam]

Last I checked, lawyers generally have fuck-all authority to prohibit your use of hardware that you own, genius.

exactly, which is why his claims of Apple "leaning on him" not to use Apple hardware for the disclosure are such obvious bullshit.

Apple claims they've never heard from this guy and don't know what the hell he's talking about.

Obviously, somebody's lying, and right now there isn't a lot of evidence pointing at Apple.

Black helicopters? Even in metaphor?

[Sunburnt]

The classic defense of the madman or the liar: "What I say is true, but terrible, unspeakable things would happen were I to prove my assertion. You'll just have to take my inability to prove my assertion as evidence of its validity."

What a schmuck.

It took all of 2 paragraphs to go ad hominem...

[jpellino]

And insult the intelligence of Mac users.
That's the way to prove your point.
As someone said, show this on a "bog standard" Mac from and I'll pay attention.

Re:

[nathanh]

And insult the intelligence of Mac users.

Most Mac users insult their own intelligence.

I have a Mac and it's great. Unfortunately the majority of Mac users are an embarrassment. I sometimes cringe when I read the comments on Mac blogs - the Mac users make Linux fans look humble and Windows users look intelligent.

I work in the IT security industry and I'm perfectly willing to accept that this exploit is for real. The pattern of events is not abnormal: the exploit will be demonstrated at a conferenc

Re:

[kithrup]

The only difference here is that Apple users are so goddamn fanatical that they'll rabidly attack anybody who says their platform is any less than perfect.

That may be the case... but in the circles I hang out in, the big question has been "Is this real?" Having them demonstrate using a hardware combination that is extremely unlikely to be encountered in the practicality -- that uses non-vendor drivers! -- while they imply (and nothing more) worse... is not very compelling.

Mac users are in for a rude sh

Re:

[bnenning]

I sometimes cringe when I read the comments on Mac blogs - the Mac users make Linux fans look humble and Windows users look intelligent.

There are morons in every community. Note the guy in this thread comparing Mac users to fundamentalist Islamic terrorists.

I work in the IT security industry and I'm perfectly willing to accept that this exploit is for real. The pattern of events is not abnormal: the exploit will be demonstrated at a conference but because of NDA the details remain under wraps until the manu

Re:

[diamondsw]

Most Mac users do not run AV, do not shutdown services, and run with wide-open wifi and bluetooth settings.

No viruses, check. No services running on a default install, check. Airport doesn't join unknown networks by default and Bluetooth off by default, check.

Mac OS X as an operating system is not secure - nothing is. It's default settings, however, are. Name one remote attack vector on a default system and get back to me.

Respected and intelligent people have offered huge incentives for something as simple

You just proved his point

[Namarrgon]

No viruses, check.

You're already wrong [viruslist.com].

Promoting the myth of invulnerability is not going to help anyone except Apple's PR department.

Stop now - you're embarrasing me

[sjonke]

"I have a Mac and it's great. Unfortunately the majority of Mac users are an embarrassment. I sometimes cringe when I read the comments on Mac blogs - the Mac users make Linux fans look humble and Windows users look intelligent."

Do "Mac bloggers" make up "the majority of Mac users"? Assuming that your assertion about "Mac bloggers" is true (I don't know), can such a specific and small subset of a much larger group really be representative of the group as a whole? What's more embarrassing - a blogger or blog

Re:

[99BottlesOfBeerInMyF]

I work in the IT security industry and I'm perfectly willing to accept that this exploit is for real. The pattern of events is not abnormal: the exploit will be demonstrated at a conference but because of NDA the details remain under wraps until the manufacturer releases a patch.

I am a mac user and work in security as well. Let me show the ways in which this "exploit" is unusual and dubious:

• They did not demo the exploit, but instead showed a mockup of what the exploit would do were they to run it.
• They

Honestly weird

[jackjeff]

I watched that video. He says it's smth in the driver... and then shows a Mac also says it would work on a PC. Then, all Intel mac laptops have WIFI now, but he choses to use an external WIFI PC-Card, huh.. sorry Express Card. I know Apple are not angels, but I just can't help be suspicious about it:
- how can a driver have the same bug on windows and macos x?
- why use this stupid external card? what are the chances it did have the same chipset as the internal one?
- and odds are the bug is a buffer overrun..

Re:

[Jeff DeMaagd]

I think it's probably a USB network part, not Express Card. There are not many ExpressCards available, and I don't remember seeing any of them for wireless networking.

Given that almost nobody will be using an external USB card on a Centrino or MacBook, I need to see that it's a bug that affects what's internal to to Centrino and MacBook families.

I don't understand how Intel's drivers have anything to do with it, it doesn't make sense that they will write drivers for OS X. I'm not totally certain that Inte

Re:

[PygmySurfer]

It's definitely a USB network part, the MacBook doesn't have ExpressCard slots, only the MacBook Pro does :)

Re:Honestly weird

[Inoshiro]

"- how can a driver have the same bug on windows and macos x?"

Quite simply; the Intel card is, in both cases, doing things like UDP and TCP offload from the main system. This means the card and driver together have an internal state in software to manage it, and (due to the asynchronus nature of networking) you can get the hardware and driver software's core into a situation where they don't agree on the state.

The small glue layer that deals with the OS hooks is a static translation layer that wouldn't be involved. The SB Live! and Audigy drivers in Linux are the same driver as the Windows Creative driver (well, they were about 6 years ago when they contributed the code). nVidia uses the same driver code on all platforms as well. For anyone who's written a driver, this is easy to understand.

"- why use this stupid external card? what are the chances it did have the same chipset as the internal one?"

He uses it because it's a timing race, and because it's easier to demonstrate with 2 cards in the system. With a 4000 microsecond delay, this means it's likely taking a bit longer for the OS to service the interrupts between the two cards; enough that the driver bug can show itself. There are likely other ways to tickle this bug that don't require multiple cards, but then you'd have to have something running on the OS. Still, If you setup a machine to throw packets around, you could make an intermittent crash bug appear on an OS -- that's not cool.

"- and odds are the bug is a buffer overrun... does it take a SO LONG for apple to fix a stupid memory overrun?"

A stupid memory overrun? Man, you haven't programmed ever, have you? A timing related bug in device driver code is probably the second hardest bug you'll ever encounter to debug (the first would be the core of the OS itself). Concurrent programming is difficult [computer.org].

It's responses like these that show why this person had been light on detail. Most people lack the technical background in OS design to understand this issue.

Re:Honestly weird

[Doctor_Jest]

Then he should post the details for those of us who understand what he's talking about, and leave the other people to wallow in their own ignorance.

Deliberately withholding information because of some nebulous "threat" that has never been proven smacks of misdirection and just more "shell-game" antics by some folks who have a personal beef with Apple.

I don't really care if they hate Apple's userbase with all the bile of Hell... if they're serious about this and are not just faking the results to be pissy children, then come out with it. Otherwise, they just need to STFU.

Claiming that he won't reveal details because "no one understands" sounds like HE doesn't understand most likely.

Re:

[MrResistor]

- how can a driver have the same bug on windows and macos x?

Perhaps both drivers are derivd from the same codebase? Or perhaps the developers of both drivers made the same faulty assumtion that leads to this bug?

- This guy did overrate some minor problem in a misleading way for Apple laptops. Oh.. a third party driver with a bug. Or it's Apple driver with only a thirdparty card. In that case, he's discredited in the domain of security for the rest of his life.

What if the third-party driver is behaving exact

Checking driver security

[Space cowboy]

I don't know about even if it is a bad driver, it's still the OS's fault for letting the driver take the whole system down, so it's still the OS writer's problem

Consider a video-card driver. That's blasting several hundred megabytes of data across the bus at any one time (say you're playing a full-screen MPEG4 with no gfx-card support for decode). Would you want the OS to validate and check every one of those transactions ? Whoops, there goes the frame-rate. Still, slow-motion is fun...

Or a SCSI-driver, con

Go Work Somewhere Else

[smack.addict]

If he does not like it, he should go work for another company. It's not like the government is telling him to be silent.

Re:

[Goaway]

Yes, obviously proving himself right on the Internet is far more important than having a job.

Broke silence, revealed nothing...

[Nijika]

He pretty much followed up with "uh huh, it's like, so real!" And then there was silence again. I could make it real too if I manipulated all the variables in my favor, including not actually using Apple hardware or software to perform an exploit.

So don't demo on a Mac!

[Cid Highwind]

At BlackHat Johnny Cache claimed this alleged exploit is not platform-specific, he only picked a Macbook for the demo to piss off Apple fanboys. If that's so, and the exploit really works, why not demonstrate rooting Linux or Windows or if you really want to stir up security trolls on slashdot, NetBSD?

Is the exploit real? Who knows, I've seen video of someone cracking a Mac through a wireless driver. Then again I've also seen video of a virus written on a Mac taking down a fleet of invading alien spaceships...

Right or wrong, that's a lousy bet to take

[wethion]

What kind of a idiot would you have to be to take that challenge? There is no *way* I would take that bet, whether I knew I was right or not. If they lose, DF wins 2x: 1) DF gets a free macbook 2) DF gets notoriety for calling a bluff. They lose 2x: 1) they cough up significant cash 2) they are humiliated before their peers. Should they win, they win 2X: 1) a free macbook ( psst.. there are 2 of them) 2) they are vindicated However DFireball /still/ wins by gaining recogniti

Re:

[Cid Highwind]

The problem with that assessment is that the DaringFireball guy has *already* won. He gets ad impressions from gazillions of slashdotters and diggers visiting his blog, he gets to look like a hero to his readers for standing up to the mean anti-mac bile spewing hacker, and he gets to make Johnny Cache look like a blowhard with code that only works on one flaky USB adapter (if it works at all), all while knowing that his $1000 is reasonably safe for the reasons you already listed.

Re:

[wootest]

The ads from the network Daring Fireball is using are paid by a flat fee, so Gruber has no vested interest in getting "impressions" (of which I think he already gets plenty). Claiming that it's a whoring move for ad moolah (if that's what you did) is wrong - the alternative would be a long drawn-out back-and-forth, and I have a feeling we'd all bore of that very quickly, because we're already in midst of such a circus. That said, for your reasons, I wouldn't want to be Johnny Cache right now, but I can't sa

Re:

[kongjie]

You're confusing this with some kind of bizarre accounting.

If they know they can win the challenge--and it's easy enough for them to test it out, isn't it?--then they win a MacBook (pstt...which they can sell and split the funds) and they are vindicated.

DF getting recognition is not a negative thing for them. WTF do they care? They defend themselves against those who have called their claims "anti-Apple" and bullshit, and they get $500 each.

Sometimes things are a lot simpler than people make them out to be.

It's all so obvious

[lullabud]

At least, that's the message I'm getting from this thread. Everything about this episode is obvious. Each contradicting story is just, like, so totally obvious.

Fucking Slashdot...

[rincebrain]

Just RTFA and decide on your own whether or not you believe him, or wait for dozens of users to flood /. with stories about whether they triggered an exploit on an Intel driver or not.

Either way, stop complaining in ways that are irrelevant to the article.

Pathological liar

[Trillan]

Right from the top of his post, you can tell he's lying:

Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch.

Were that the case, this would still be handled behind closed doors and wouldn't have involved a demonstration. Either they have nothing, or they've already violated their own protocols. Either way, "Johnny Cache" is a liar.

OK...

[PhoenixK7]

So he says this at the end of the Linux.com article:

"Let's just say its pretty obvious I'm not happy about being silent. So much so that i'm releasing non-apple bugs to convince people that we do in fact know what we're talking about."

The problem here is not that he can't show people anything that will make them shut up. Saying that he's unwilling to talk about it partly because he's worried about apple legal, and partly because the mac bloggers wont understand is garbage. Making the second sort of statem

Neat

[pbjones]

An intel hack for Macs. I knew that it was a mistake to move away from the 68000 line.

Wait a second...

[the pickle]

Lemme get this straight.

According to Johnny's own post, this bug a) requires a netcat UDP listener on the victim box; and b) requires TWO Wi-Fi cards to be installed on the victim box.

Oh, and c) can only be used (so far as we know right now) to trigger a crash, nothing more.

So how is this news again? Honestly, what are the odds the above configuration can be achieved, either by malicious attack or by social engineering? I'll be the first to admit I'm no security expert, but from what he's just described, th

He hasn't just broken his silence

[sjonke]

He ought to have his cerebellum checked out too.

Cache doesn't really say anything

[LKM]

It should be noted that Cache still didn't come out and say whether Macs with Apple's AirPort cards are vulnerable. Gruber Specifically asks him about this on the list [immunitysec.com], and he doesn't answer it [immunitysec.com]. He does say that he expects a patch from Apple, which clearly implies that AirPort cards are vulnerable, but he doesn't say it, instead claiming that Apple is legally threatening him and running a "PR smear campaign" against him - again without giving any specifics.

This whole episode is just insane. If Macs are vulnerable out of the box, why not say so (especially if you're "waiting for an patch from Apple")? If they aren't, why implying that they are?

It's entirely possible that Macs are vulnerable. Macs aren't magically secure and save from bugs. The issue with this whole thing isn't that Mac users believe that Macs can't possibly be hacked. The issue is that the people who ostensibly found the security problem don't seem to be capable of telling us what the heck they actually found and whether Macs are vulnerable, instead making vague accusations and implying stuff without giving any specifics or even a demonstration.

Re:

[ryanr]

So, are you not familiar with EIP, then?

Re:

[jdb8167]

What are you going to point EIP to? Not code on the stack since OS X uses the NX bit on the stack by default. Some code in a buffer? How do you find the address of the buffer? How do you inject the code into the buffer in the first place? I'm not saying it is impossible but it sure does sound difficult to find a useful hack with merely the return address overwritten on the stack.

Re:

[ryanr]

What are you going to point EIP to?

All kinds of fun places.

Not code on the stack since OS X uses the NX bit on the stack by default

So, is NX support enabled on kernel pages?

Some code in a buffer? How do you find the address of the buffer? How do you inject the code into the buffer in the first place?

Right, so you want to know some basic buffer overflow exploitation techniques. I think I've got a book somewhere that some friends and I wrote, it covers that...

Apple threw dirt at him?

[Infonaut]

before they only threw dirt to make him look unreliable

Point me to the link where Apple threw dirt at him.

There are plenty of bloggers who did the research on their own and asked the right kind of questions, but I've never seen anything from Apple attacking him. Maybe you're referring to Apple pointing out [macworld.com] that he used a third party USB device and didn't disclose any info to Apple about the exploit? I wouldn't exactly call that throwing dirt.

Re:

[Hercules Peanut]

I think you're exacty right.

The worst thing about the dirt throwing smear campaign concept is that they (he?) fired first with the "Mac user base aura of smugness on security." comment. Sorry folks, that couldn't be taken as flattery by anyone. In fact, given Apple's lawyers, you might not be surprised if they considered that the proverial throwing down of the gauntlett. It was a poor choice of words in any event and could in no way be expected to endear them to Apple.

I can hear it now: (Entering Johny

Apple has done nothing

[YesIAmAScript]

They keep stating Apple is pressuring them, but Apple says they have not contacted Apple with any info.

They state they won't say anything until Apple patches the problem? It would speed up the process of getting it patched if they would tell Apple about it!

From what I can tell, they are pretending Apple is pressuring them because it makes them look more important.

Addtional note, what is this stuff about Intel's drivers? Apple doesn't use Intel's chipset, they use an Atheros or Broadcam WiFi chipset. Additio

Re:

[Mononoke]

Really now, can anybody come up with a good reason for him to fake something like this?

He's playing the "bash Apple" game, and enjoying the publicity? Notice his comment about Mac bloggers "not understanding" his explanations. He just wants to bash Apple, and nothing more. Probably had an employment application ignored or something. Who knows what his true motive is behind this. He sure makes it obvious that it's more about hating Apple than actually helping the security community. If Apple were actuall

Re:

[Mononoke]

smears, cones and chafing? sounds just like apple

Or a hot date.

Re:

[gardyloo]

smears, cones and chafing? sounds just like apple

      Funny. I was thinking of Madonna in the 80's.

Re:

[Reverberant]

Great - so the next time we see an Airport update, everyone will be screaming "Maynor and Ellch were right!" despite the fact that Apple has released Airport client & base station updates before [apple.com].

Mac Jihad...

[bigtallmofo]

The analogy is actually pretty apt. You have a group of people that basically run the world - "The West" (in this case, non-Apple users) and a downtrodden ragtag group of extremely proud people convinced that their way is better - "The Islamist Fascists" (in this case, Apple users).

It's very common for them to lash out at everyone because of their true feelings of inferiority and lack of understanding as to why everyone doesn't see the world like they do.

Case in point - I'll be modded -9 Troll in about

Re:Mac Jihad...

[aonic]

If I had mod points, I would mod you down. Not only do you demonstrate a complete disdain for whoever you think is "inferior," you show a complete lack of understanding for the issues in the middle east.

There is no "inferiority complex" in the middle east. They aren't emo kids running around threatening to slit their wrists. It just so happens that their standards of living are ridiculously low compared to the standards of living of "the west," not directly due to us, but partially. If you grew up there, you'd be looking for someone to blame, and their government provides "the great satan" as a convenient scapegoat. Further proving their point, "the great satan's puppet in the region," (aka israel) has just rampaged through lebanon, destroying civilian targets like bridges, hospitals, and airports, further degrading their quality of life. it's lack of understanding of the kind that you have just demonstrated that has brought us into the current situation in iraq and afghanistan, as well as the US unspoken nod to israel to rampage across the middle east.

this in no way relevant to the situations of mac users, who just happen to have a different OS preference. your above statement would be like saying that whenever an african american person acts stereotypically black (whatever you might define that as) they are acting out of a feeling of self-inferiority.

think about it.

Re:Macjihad

[OmnipotentEntity]

Umm... something having a bug isn't an incredible claim. Sure, it's not a good thing but it [microsoft.com] happens [apache.com] to [ibm.com] everyone. [apple.com] It's nothing to be ashamed about. Just get the bastard fixed and stop dicking about.

This isn't about a perpetual motion machine or an entropy reducing device, or even P vs. NP or Riemann's Hypothesis. This is code. This isn't world changing. Bugs happen, then they get fixed. If they want to stay silent to dodge liability let them. If there is a bug it'll be patched, if there isn't they'll fade into obscurity.

Re:

[wootest]

Yes, they probably will.

It's the thorough lack of details and crummy reporting mixed with derogatory comments that makes it hard to discern if there is an exploit to speak of at all. I know I'd have nothing to worry about if the guys would have presented their exploit neutrally (without shit-flinging Mac users for "being smug"), been detailed in exactly what the target of the attack is (they can do that without revealing details on the exact nature of the exploit) and told us that they're working with Apple

Re:

[BKWatch]

Well, what really set the stuff ablaze was the "cigarette in the eye" comment. What puzzles me is I can't find where that came from. In Brian Krebs's first article, he says: http://blog.washingtonpost.com/securityfix/2006/08 /hijacking_a_macbook_in_60_seco.html [washingtonpost.com] ""We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said. "The main problem here is th

Re:

[wootest]

That's just the thing: if Maynor did say that, it was ridiculously unprofessional of him. He's of course entitled to his own opinion, but it's not a wise move to connect it to coverage regarding the exploit because it lowers his credibility - "is he just out to zing Apple?" - especially since the other comments by Maynor in that article are technically correct and his description of drivers ring true. But the other side of the coin, as you say, is that Krebs made it up, which would have been ridiculously un

Re:

[MrResistor]

Who cares where the problem originates? If a USB network adapter allows someone to hijack your macbook, it IS and OSX problem, regardless of where it originates.

A secure system cannot be so trusting of third party drivers as to allow that kind of access to the system. If you're going for security, you have to assume anything you don't have direct control over is wrong and bad, and you have to account for that. Anything else is worse than a bug: it's a serious design flaw.

Re:

[ryanr]

I'm curious about what OSes you're using that are protected from buggy or hostile device drivers...

Re:

[MrResistor]

Nice strawman.

The numerical superiority of flawed implementations does not magically make this one unflawed.

Re:

[MrResistor]

Uh-huh.

And everything that's going to be discovered in physics already has been.

And there's no reason an average consumer could possibly want a computer in their home.

And...

So basically you're saying we should limit ourselves to only what small-minded individuals can concieve of, and we should expect no better from the tools that are available to us?

No matter what, it IS an OSX issue. OSX is allowing a USB network adapter to be used to hijack the system, and this points to a fundamental flaw in their securi

Re:I can make my Mac crash too!

[csirac]

Hint to everyone: OSes do weird things

Hint to everyone: RTFA for yourself and ignore uninformed slashdot comments masquerading as authoritative ones.

as install two wireless cards

He speculates that triggering the race condition with a single NIC is possible, two NICs makes it easier. He was just telling the community what he found, and that steps should be taken by the vendors to fix it (and they did, if you read his message). Just because he couldn't trigger it with a single NIC, doesn't mean 1) We should ignore the issue 2) someone else can't

and a netcat listener.

The exploit would work on a machine that has any sort of UDP listener running on the interface being attacked. Netcat is merely useful for demonstration purposes, otherwise we'd have people concerned that e.g. a bug in Skype (if that UDP service was targeted instead) is the real vector for the exploit rather than the Intel NIC driver.

I'm sure Apple will fix it asap.

And if you had read his message, you'd see that 1) Apple has patched it already, 2) it's an Intel bug, not Apple's.