Email Delivery

Receive new posts as email.

Email address

Syndicate this site

RSS | Atom


About This Site
Contact Us
Privacy Policy


November 2010
Sun Mon Tues Wed Thurs Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30        

Stories by Category

Basics :: Basics
Casting :: Casting Listen In Podcasts Videocasts
Culture :: Culture Hacking
Deals :: Deals
Future :: Future
Hardware :: Hardware Adapters Appliances Chips Consumer Electronics Gaming Home Entertainment Music Photography Video Gadgets Mesh Monitoring and Testing PDAs Phones Smartphones
Industry :: Industry Conferences Financial Free Health Legal Research Vendor analysis
International :: International
Media :: Media Locally cached Streaming
Metro-Scale Networks :: Metro-Scale Networks Community Networking Municipal
Network Types :: Network Types Broadband Wireless Cellular 2.5G and 3G 4G Power Line Satellite
News :: News Mainstream Media
Politics :: Politics Regulation Sock Puppets
Schedules :: Schedules
Security :: Security 802.1X
Site Specific :: Site Specific Administrative Detail April Fool's Blogging Book review Cluelessness Guest Commentary History Humor Self-Promotion Unique Wee-Fi Who's Hot Today?
Software :: Software Open Source
Spectrum :: Spectrum 60 GHz
Standards :: Standards 802.11a 802.11ac 802.11ad 802.11e 802.11g 802.11n 802.20 Bluetooth MIMO UWB WiGig WiMAX ZigBee
Transportation and Lodging :: Transportation and Lodging Air Travel Aquatic Commuting Hotels Rails
Unclassified :: Unclassified
Vertical Markets :: Vertical Markets Academia Enterprise WLAN Switches Home Hot Spot Aggregators Hot Spot Advertising Road Warrior Roaming Libraries Location Medical Public Safety Residential Rural SOHO Small-Medium Sized Business Universities Utilities wISP
Voice :: Voice


November 2010 | October 2010 | September 2010 | August 2010 | July 2010 | June 2010 | May 2010 | April 2010 | March 2010 | February 2010 | January 2010 | December 2009 | November 2009 | October 2009 | September 2009 | August 2009 | July 2009 | June 2009 | May 2009 | April 2009 | March 2009 | February 2009 | January 2009 | December 2008 | November 2008 | October 2008 | September 2008 | August 2008 | July 2008 | June 2008 | May 2008 | April 2008 | March 2008 | February 2008 | January 2008 | December 2007 | November 2007 | October 2007 | September 2007 | August 2007 | July 2007 | June 2007 | May 2007 | April 2007 | March 2007 | February 2007 | January 2007 | December 2006 | November 2006 | October 2006 | September 2006 | August 2006 | July 2006 | June 2006 | May 2006 | April 2006 | March 2006 | February 2006 | January 2006 | December 2005 | November 2005 | October 2005 | September 2005 | August 2005 | July 2005 | June 2005 | May 2005 | April 2005 | March 2005 | February 2005 | January 2005 | December 2004 | November 2004 | October 2004 | September 2004 | August 2004 | July 2004 | June 2004 | May 2004 | April 2004 | March 2004 | February 2004 | January 2004 | December 2003 | November 2003 | October 2003 | September 2003 | August 2003 | July 2003 | June 2003 | May 2003 | April 2003 | March 2003 | February 2003 | January 2003 | December 2002 | November 2002 | October 2002 | September 2002 | August 2002 | July 2002 | June 2002 | May 2002 | April 2002 | March 2002 | February 2002 | January 2002 | December 2001 | November 2001 | October 2001 | September 2001 | August 2001 | July 2001 | June 2001 | May 2001 | April 2001 |

Recent Entries

In-Flight Wi-Fi and In-Flight Bombs
Can WPA Protect against Firesheep on Same Network?
Southwest Sets In-Flight Wi-Fi at $5
Eye-Fi Adds a View for Web Access
Firesheep Makes Sidejacking Easy
Wi-Fi Direct Certification Starts
Decaf on the Starbucks Digital Network
Google Did Snag Passwords
WiMax and LTE Not Technically 4G by ITU Standards
AT&T Wi-Fi Connections Keep High Growth with Free Service

Site Philosophy

This site operates as an independent editorial operation. Advertising, sponsorships, and other non-editorial materials represent the opinions and messages of their respective origins, and not of the site operator. Part of the FM Tech advertising network.


Entire site and all contents except otherwise noted © Copyright 2001-2010 by Glenn Fleishman. Some images ©2006 Jupiterimages Corporation. All rights reserved. Please contact us for reprint rights. Linking is, of course, free and encouraged.

Powered by
Movable Type

« Podcast Transcripts | Main | MetroFi, EarthLink Given the Business »

August 21, 2006

And Thus I Entered a Kurosawa Movie (Hint: Rashomon)

Is there a MacBook hack that uses its native, built-in driver and hardware, or isn't there? I have been talking to many colleagues via email about the Black Hat 2006 presentation and its precursors and aftermath. Researchers David Maynor and Jon Ellch first stated that there was an exploit on multiple platforms with multiple drivers that would allow remote attacks and potential escalation of privilege--taking over a computer--via a Wi-Fi connection. This would not require the Wi-Fi network to be connected to a network for the attack to work.

I have not, in fact, spoken to Maynor and Ellch, which may be an oversight, but when colleagues have offered to get me in touch, it has come with a proviso that I will learn non-disclosable information. I'd rather not be in that position (yet).

Part of the confusion over whether this is a real exploit against a limited set of Macintosh computers--ostensibly MacBooks and MacBook Pros with specific Apple-installed adapters and drivers--stems from the researchers' decision to record a videotape that used a third-party adapter and drivers. Since this is uncommon and they wisely didn't show or explain which adapter was in use--to avoid releasing information about the exploit before it could be patched--the demonstration was not significant.

Their statements before, during, and after the event are, however, because they stated to Brian Krebs of Security Fix and demonstrated to him that there is an exploit that works on certain Macs. I can find no other person on the record who has seen this exploit demonstrated or to whom Maynor and Ellch provide the same statements. No one has publicly admitted to having seen the mechanics of the exploit--what kind of frames? what's the sequence?--and it would be irresponsible for anyone to reveal these exploits before they were patched.

Apple has denied that any material supplied by Maynor and Ellch shows a vulnerability. (I haven't heard anything about Microsoft or other vendors, except for Atheros, which said it hasn't seen anything that can be exploited, either, but it's unclear whether Atheros received the code and exploit details from the researchers or received them and found them lacking.) They have not denied that there is a possible exploit, which is wise, because this category of exploit is certainly possible.

There appear now to be two camps of pundits and commentators following the matter.

The first camp, which George Ou is the leading member of, says that the researchers clearly stated at Black Hat 2006 that they were demonstrating a third-party hack on the video that they showed. What's confusing here is that Ou was never told directly by Maynor or Ellch that they had a native Mac exploit. Ou cites Brian Krebs and points to Krebs's transcript and other reportage on this matter. On the video of his interviews, Ou quotes a snipped in which Maynor specifically states that they are not showing an Apple exploit. Ou can't get more out of Maynor at this point, he writes, about the Apple issue.

Ou believes there is an orchestrated attempt to discredit Maynor and Ellch. Brian Krebs at Security Fix stated on Aug. 3 that Apple had leaned on the researchers to not "make this an issue" about the Macintosh drivers. I'm not sure I can buy that. Rather, I think Apple released a press release that specifically has a point in time mentioned: nothing Apple has seen to date shows a native exploit, and the exploit demonstrating was using third-party equipment.

Rich Mogull, a computer security expert, is also a member of this camp, in that--as he writes on his personal blog on security issues--that Maynor and Ellch will "emerge with their reputations intact." He also says they've been trying to do the right thing from the start. He can't speak directly to all the issues as he's under nondisclosure (as is George Ou) with the researchers. However, he's pretty strongly implying that Maynor and Ellch were generally avoiding talking about the Apple exploit they mention to Krebs.

The other camp now believes there is no such native Mac exploit, and is stating it pretty unequivocally. Jon Gruber of Daring Fireball sends out this Molotov cocktail today. Here's his stance in a nutshell, but read the whole article: "...[W]e know that if Maynor and Ellch have identified an exploit against a stock MacBook, that they have not yet contacted Apple (or Atheros) with details about the vulnerability--which is both enormously irresponsible for ostensibly professional security researchers, and which contradicts statements they previously made to Brian Krebs that they had been in contact with Apple regarding their discoveries. Or, if they have contacted Apple, the statement issued by Appleā€™s Lynn Fox is flat-out false and Apple has committed an enormous, almost incomprehensibly foolish mistake, because such a mendacious lie will prove far worse for Apple than divulging a Wi-Fi exploit that, if it actually exists, is surely going to come to light soon anyway. I.e. why would Apple lie about this if Maynor could call them on it?"

Gruber answers the question: Have Maynor and Ellch made contradictory or ambiguous statements that appear straightforward at first and then less and less so each time you read it. In fact, as I review statements and read Rich Mogull's post particularly, it's clear that the researchers are generally avoiding talking about a native Mac exploit. In the interview with George Ou, they talk about their third-party wireless hack. In the slides they prepared for DefCon, Gruber notes that they state, that "we are, however, doing ongoing research on the built-in card," which doesn't say, "We have an exploit," but nor does it disclaim that they have found such an exploit.

Jim Thompson, formerly of Wayport and Vivato, and currently a designer of wireless ISP-oriented gear, has posted a series of analyses of the exploit and how it might work. (Note that he does not disclaim, and neither do I, that such exploits are clearly possible.) Thompson writes in a fairy scathing manner, and Maynor tried to scathe him in return. Jim is fireproof, and he's since written even more analysis after seeing the high-resolution video of the Black Hat 2006 demonstration in which he thinks he's finding all kinds of continuity problems, red herrings, and other suspect pieces of information. (I have not seen this high-res version.) He wrote about this on Aug. 3 (general thoughts), Aug. 18 (specific details about how adapter MAC addresses don't add up, among other items), and Aug. 20 (what's up with the shell path).

(There's another camp that seems to maintain that the researchers said they were demonstrating a native Mac weakness, but instead showed a third-party adapter and driver. That is clearly not the case, although it's being used as a strawman. The Unofficial Apple Weblog took that stance, for instance, but they are misreading SecureWorks's note attached to the video demonstration. The note doesn't say there is no native Mac exploit; rather, it states that the demonstration didn't show it. Which the demonstration video never claimed.)

Where does this leave us? George Oh says that those of us reporting on this issue are judging Maynor and Ellch by a standard that other security researchers aren't held to. That Maynor and Ellch are trying to be responsible and provide the exploit to the relevant parties for them to deal with. But given that Apple and Atheros have released statements denying any problems with the specific situation the two of them say they have proven, this releases the researchers from the very high level of restraint they've shown, doesn't it?

There's one more possibility that I was just alerted to. It involves timing and accidental disclosure. I'll write more about this as soon as more is purposely disclosed.


Its clear that the larger message is lost because Maynor and Ellch decided to go after Apple because of their "smug" commercials and garner more media attention. Which brings to attention the completely ineptness of the Washington Post reporter.

To me, it doesn't look good for Apple. Folks under NDA, claiming to have talked to M&E are giving us hints that the flaw does exist.

Furthermore, it's my understanding that Windows (they borrow heavily from BSD's IP stack, no?) and other BSD varients are also susceptible.

One wonders what Theo has to say.

[Editor's note: The FreeBSD stack that feeds into the Wi-Fi driver was patched some time ago; see Jim Thompson's comments on this, as he goes into some detail.--gf]

We can all be sure of several things:

* Accusations about the existence of a dangerous Wireless Macbook Driver (WMD) are being flung around at high speed.

* Failure to produce source code (of exploit or patch) is being mistaken for proof by some of the existence of the above-mentioned WMD's.

* Someone was either mistaken, irresponsible, unclear, or confused.

* The blog-o-sphere burns brightly in the dusky evening light, fueled by the heady fumes of speculations, scoops, and overdoses of poetic license.

* Lines are drawn, camps are formed, emotions run high. Someone will rename a common term to contain the word "Freedom" and not notice how silly they look.

Feel free to assign roles as you see fit. A twelve-sided die is included for your use. Or, you could wait for a real development.