Saturday, February 10, 2007

Apple vs. Maynor update

I had a great time chatting with people at the security bloggers meetup the other night. There were any number of "I didn't know you blogged" moments all around. Two of the guys I spent some time talking with were David Maynor and Robert Graham who have recently formed Errata Security. And yes! they are blogging too.

We chatted about all kinds of things. We chatted about Robert moving on after IBM acquired ISS. It seems that David found some reason to move on from his position at Secureworks, too. And then we went to dinner at some Mediterranean tapas food place, and chatted some more. They bought. Thanks for the dinner, guys!

So when I got back home, I tracked down their blog, and there's some good stuff there. Hey look, there's this one particular entry from David. Looks like he's tired of keeping his mouth shut about the Mac wireless hack thing. Short version of my take on the issue: I believe David and Johnny.

But at this point, I do have to agree that some opportunities have been lost. The Matasano guys propose some hoops that researchers should be going through. Frankly, I thought that was a little silly and totally unnecessary. Even in David's case. I never thought for a second that Apple would ship the patch while still claiming that David and Johnny found nothing. I was wrong on both counts.

So unfortunately, this leaves room for the next bit of stupidity. If/when David ever decides to demo owning the built-in wireless, or release an exploit, etc... then the Mac zealots will claim that he must have reverse-engineered the Apple patch, and that he never found anything ahead of time.

Because David can reverse engineer the patch and write a working exploit, but he's not capable of finding the hole in the first place, right? And the hole that Apple fixed just coincidentally is in the area that the original Black Hat talk covered. And the holes in other OSes that they found of the same class aren't related. And HD Moore using their fuzzer and finding a similar hole in OS X has nothing to do with it.

One of these days, I hope David drops more info. At this point though, it looks like Apple has been largely successful. They have managed to drag things out long enough and tell enough half-truths that their customers believe Apple. So it's likely that few zealots will be swayed when David finally presents proof. There will just be further dismissals from people who really don't understand security very well. I still look forward to it, though.

Hey look, David is speaking a couple of times at Black Hat Federal later this month.


one.miguel said...

I've actually been following David Maynor closely since the whole Black Hat debacle. I watched the video when it was released and read everything I could find about what was happening. David's a really laid back guy (it seems - haven't met him in person yet). The problem is that he never anticipated the zealot response as well as the Apple PR machine. It's simply amazing. You had (and still have) people like John Gruber arguing about security with someone like Maynor. There's even a Canadian guy who recently outright called Maynor a moron while dismissing the "technical mumbo jumbo" that comes with security. Simply Amazing.

The Matasano guys and others like them are trying very hard to legitimize the security industry. I can't blame them, but what ends up happening is that they take some very unusual stances, like coming out against LMH and the whole MOxB thing (unless it's someone like HD Moore doing it, then it's OK).

Apple and the zealots will always continue to do what they do because well, that's what they do. You can argue with them, you can't debate them. In their eyes, they are above the fray of mindless, small-minded computer users who don't worship Steve Jobs. It's really sad. Ever try to look for a solution to a Mac problem on the web? 99% of the hits you get are "experts" who end every recommendation with "take it back to Apple." Or worse, "take it to a genius bar!" So, naturally when you point out a problem with their sacred Mac OS, they will fight you tooth and nail because they fear being dragged into the dirty mess below them.

Sorry, I just needed to get that out. :-)

hdm said...

FWIW, I used my own fuzzer to find the MOKB-001 Airport bug (David never confirmed or denied it was the same vulnerability). That whole situation is a mess and I believe Secureworks shares some of the blame...

Ryan Russell said...

one.miguel: Yes, they likely won't learn, I'm not sure why I care anymore.

HD: Thanks for the correction. David probably said something like "used our research", and I read too much into it. If memory serves, they patched David and Johnny's bug before yours was out, and yours affected a different set of machines. So, not the "same" bug in that sense.

But it demonstrates that Apple didn't do a very good audit, did they? Maybe they didn't discover it independently in-house after all. You think?

As for Secureworks, do you mean the company or David? (Johnny never worked for them, I believe.) If you mean the company excluding David, then yes, they deserve lots of blame. But then, I need to not pass on things told to me in confidence.

Chris_B said...

I've said this in a lot of places since this first came up; it's not really about if David & John really had something real or not, it's not about if vendor A produces better product than vendor B, it's about how the whole thing was handled.

What Secureworks did, like many other little companies in this space who need some market attention, amounted to tossing a steaming cow pie into the fan. If they expected a large publicly traded company with a reputation for aggressively protecting its public image to respond with something other than PR, they deserved what they got.

If we as an industry cannot act like professionals, we will never be treated as such. Credit to Matasano for at least suggesting a way that certain forms of public disclosure can be handled while maintaining credit to the discoverer.

Ryan Russell said...

Hi Chris,

I don't see what they did differently than half the talks at Black Hat. They went out of their way to keep details private, and Apple screwed them for it.

SecureWorks (the company) deserves blame for hanging their researcher out to dry.

Did you not get that Matasano's suggestion is supposed to be a way to protect yourself when Apple lies to the press about you?

Chris_B said...

So your reasoning is if everyone acts like a clown then it's totally OK?

And if by "going out of their way to keep details private" you mean whooping it up to the nation through an easily deceived Washington Post reporter, then OK I concede the point.

I saw that Matasano's suggestion could be interpreted that way, but I also see that it is a way for a professional researcher to correctly claim credit for a finding. As far as what the actual intent was, let's ask and find out. (Of course if it's been stated elsewhere, feel free to correct me.)

Surely you realize that a published hash is not a PR defense and never could be? The press caters to those who don't know what a hash is and won't be convinced by what looks like a long string of gobbledygook.

The point never was about Apple. IIRC Cisco has also taken what amounts to PR actions against researchers as well. The point remains that it's not just the finding but how it is presented. To put it country simple, if you act like an idiot, that's how people will treat you.

Ryan Russell said...

I claim they acted like all security researchers. So you think that all security researchers are clowns? You're welcome to that opinion, and I know a few others who think that as well. But we won't have much to discuss if that's the case.

By keeping details private, I mean they didn't disclose even which NIC they exploited. They said "we found unspecified bugs in pretty much all wireless drivers." What sensitive information did they leak in their Black Hat talk?

Are we unclear on the word "details"?

It's looking like what you object to is the hype, and not anything to do with the technical aspect.

Yes, the hash is a way to claim credit at a later date. And why would the credit ever be in question? It's extremely rare that a researcher's claim of discovery comes into question. Who raised the question?

So, Apple PR'd their way out of admitting that David and Johnny found the bug Apple patched. How would they prove they really found it in the first place? At this point, they would have had to publish some proof ahead of time. Sounds like the hash is a PR defense to me.

Sure, lots of clueless people will still not believe it. Those aren't the people that David and Johnny care about knowing the truth.

I agree that if you act like an idiot, you will often be treated like one. Witness how the researchers have been treating Apple lately.

Chris_B said...

You're right. I don't like the hype on either side. However, it is completely normal for publicly traded corporations with active PR departments to engage in hype. In effect it is their duty to do so in order to maximize shareholder revenue.

I don't think all security researchers act like clowns. I think someone worth being called a researcher acts professionally. For a professional a hash is of use. Not all companies behave "well" when presented with notice of flaws or vulnerabilities. A hash is a public notice in advance which may also serve to back up the seriousness of the professional's claim.

The heart of the matter is how do we define a "security researcher"? What differentiates a researcher from the pack? Just as a kid with a Radio Shack 101 kit is not a circuit designer, at what point can one put down the acts of childhood and claim to be professional?

one.miguel said...

chris_b: I assume we are still talking about Maynor and Ellch, right? What exactly is it that they did that was childish and unprofessional? As Ryan pointed out, they went out of their way NOT to release a dangerous exploit and Maynor showed emails and openly discussed what happened with Apple ONLY AFTER he was legally allowed to. Nothing they have done amounts to being unprofessional. In fact, I would argue that they acted MOST professionally out of everyone involved, not even responding when openly challenged by fanboys (see Gruber). Personally, after reading the flames out of the daring flameboy, I would have taken Gruber's laptop after showing him the exploit and then broken it in half in front of him. But of course, THAT would be childish.

Dave G. said...

@one.miguel: Speaking as a representative of Matasano, let me say a couple of things (sorry I didn't see this sooner). We aren't trying to legitimize the security industry. We don't have the time, and it's not our job. Sometimes, when we disagree with someone, we talk about it. If we wrote about every time we saw someone doing something we disagreed with, we would barely have time to do anything else.

I also think there are differences between MOAB and MOBB besides who did it.

Now, onto the second part that relates to us. Our recommendation. It was really to get to the truth. It would have helped everyone out if Maynor had done this. Mostly, it protects the researcher from claims that they reverse engineered the patch or borrowed someone else's find. The idea that there would only be one bug in untested code is silly.

In general, the industry trusts the researcher and doesn't trust the vendor. We shouldn't trust either when neither is revealing information. Even if a researcher can't release the information itself, a hash should be sufficient.

This whole thing never made sense to me. Apple isn't new to security researchers. I have reported many a vulnerability to them without the threat of lawsuit. I assume David isn't new to reporting findings to companies. I don't know which one is wrongerer, but both sides clearly made mistakes that contributed to this mess.
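The "publish a hash now, reveal the finding later" idea that Ryan and Dave G. discuss above is a hash commitment. The following is an added example, not code from the post, from Matasano or from the researchers involved; the finding record, field names and candidate claims are constructed placeholders. It also shows the one caveat a practitioner would want: a bare hash over a short, low-entropy claim can be matched by enumerating likely claims, so the commitment should include a secret random nonce that is disclosed together with the finding.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed sample finding record; not a real vulnerability report.
FINDING = {
    "product": "example wireless driver (constructed)",
    "version": "1.0 (constructed)",
    "summary": "out-of-bounds write while parsing a management frame (constructed)",
    "crash_log_sha256": "placeholder for the digest of the researcher's crash log",
}

def canonical(finding: dict) -> bytes:
    # Deterministic encoding so the same record always hashes the same way,
    # regardless of key order or whitespace in the researcher's notes.
    return json.dumps(finding, sort_keys=True, separators=(",", ":")).encode()

def commit(finding: dict, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (digest to publish now, nonce to keep private alongside the finding)."""
    if nonce is None:
        nonce = secrets.token_bytes(32)  # fresh secret per commitment
    digest = hashlib.sha256(nonce + canonical(finding)).hexdigest()
    return digest, nonce

def reveal_and_verify(published: str, finding: dict, nonce: bytes) -> bool:
    """At disclosure time, anyone holding the published digest can check the claim."""
    digest, _ = commit(finding, nonce)
    return hmac.compare_digest(digest, published)

def bare_hash(claim: str) -> str:
    # The weak variant: hash of the claim text alone, with no nonce.
    return hashlib.sha256(claim.encode()).hexdigest()

def guess_bare_hash(published: str, candidates: list) -> Optional[str]:
    """Shows why the nonce matters: a no-nonce commitment to a short claim
    is recovered by hashing each plausible claim and comparing."""
    for claim in candidates:
        if hmac.compare_digest(bare_hash(claim), published):
            return claim
    return None

if __name__ == "__main__":
    digest, nonce = commit(FINDING)
    print("publish now:", digest)
    print("verifies at disclosure:", reveal_and_verify(digest, FINDING, nonce))
```

The digest is what goes in the public post or talk slide; the nonce and the finding stay with the researcher until disclosure, and the vendor's patch contents cannot be used to produce a matching digest after the fact.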