
Ellch Defends Macbook Wireless Vulnerability Research

SAN DIEGO -- I reported yesterday that one of the most anticipated talks to be presented here at the Toorcon hacker conference -- a public demo of an attack used to compromise a Macbook remotely over a wireless connection -- was canceled for unexplained reasons. The key presenter in that talk, SecureWorks researcher David Maynor, also failed to make an appearance here.

But Maynor's co-presenter -- Johnny "Cache" Ellch -- showed up and gave a five-minute speech, the text of which follows below.

Ellch's remarks:

"So, most of you know that we were supposed to be talking about exactly what happened with us regarding Apple and the [Black Hat] talk we gave. Most of you probably also saw that SecureWorks told a few reporters that they were not letting Dave give this talk.

"I cannot give this talk without Dave. A lot of people think that Dave just flaked out and missed his flight or something. That is not the case. Dave very much wanted to be here. The fact that SecureWorks/Apple managed to compel him not to means that they must have had something very compelling to stop him. I'm not supposed to talk about what that is.

"Mac bloggers everywhere will view this as some sort of victory. There are already people writing that the SecureWorks stopped Dave because we were going to get up here and say that it was all fake.

"Right. We reserved an entire speaking slot just to tell people we pulled a fast one.

"Let's recap this thing.

"We give a talk saying that device drivers have lots of bugs. We demo one bug in Apple. A few days later, when Apple starts flaking on a patch, we tell them we are going to do a live demo of it at Toorcon, so it would be a good idea to get it patched before that.

"Apple says that it doesn't exist, and [that] we didn't talk to them about it. A few weeks later (1 week before ToorCon) they patch it, and say we had nothing to do with it. One day before the talk, SecureWorks and Apple get together and manage to stop Dave from coming. They also issue a cutesy press release:

'SecureWorks and Apple are working together in conjunction with the CERT Coordination Center on any reported security issues. We will not make any additional public statements regarding work underway until both companies agree, along with CERT/CC, that it is appropriate.'

"That's funny, I thought there was no bug. And I thought SecureWorks provided no useful information to Apple. Here's Lynn Fox on record with George Ou:

"'Did SecureWorks ever disclose the packet captures of the malicious payload used to trigger said vulnerabilities?

"'No. Packet captures were promised repeatedly but never delivered.

"'Did SecureWorks ever provide driver dis-assemblies pertaining to said Wi-Fi vulnerabilities?

"'No. While SecureWorks did provide a driver disassembly, it did not indicate a Wi-Fi vulnerability in any Apple product.

"'Did SecureWorks ever provide crash dumps pertaining to said Wi-Fi vulnerabilities?

"'No. While we received crash dumps from SecureWorks, they didn't have anything to do with Mac OS X or any other Apple product.

"'Did SecureWorks ever point to the location of the vulnerable code of said Wi-Fi vulnerabilities?

"'No.

"'Do any of the current patches released by Apple match any of the characteristics of the information provided by SecureWorks?

"'No.'

"So, if SecureWorks provided them with virtually nothing useful, then what the hell could they have to coordinate with CERT. And why did they wait till 1 day before Toorcon to decide this.

"People have called me and Dave a lot of things. First, we were total frauds that faked everything. After a patch was out, we were mostly upgraded from frauds to unprofessional. Let's talk about unprofessional.

"Apple and SecureWorks had two months to stop Dave and I from giving this talk. Why wait till the day before? Neither Dave or I found out about this till yesterday morning. How is that professional?"

No response from SecureWorks or Apple to Ellch's remarks, so far.

Security Fix would still like to hear from Maynor, and I'll update the blog if the companies say anything additional.

By Brian Krebs |  September 30, 2006; 7:10 PM ET From the Bunker

Comments


"We give a talk saying that device drivers have lots of bugs. We demo one bug in Apple. A few days later, when Apple starts flaking on a patch, we tell them we are going to do a live demo of it at Toorcon, so it would be a good idea to get it patched before that."

Nonsense. They demo'd no such thing. They demo'd a third party card on video for reasons that fall apart if you really look at them closely. Had they done a proper demo for recognized Mac OS X experts, this wouldn't be a controversy at all.

It's been their continued shady behavior in all of this that has turned even people giving them the benefit of the doubt initially, like me, into deciding that they didn't have what they wanted everyone to think they have.

He most certainly is physically able to do the talk without Maynor. He's choosing not to. There is, in fact, a difference.

Posted by: John C. Welch | September 30, 2006 8:40 PM

There are so many holes in Ellch's statements that he makes it hard for me to believe a thing he says.

"People have called me and Dave a lot of things. First, we were total frauds that faked everything. After a patch was out, we were mostly upgraded from frauds to unprofessional. Let's talk about unprofessional."

I used to believe that they actually had something, but now Maynor and Ellch are in the "fraud" and "unprofessional" category.

Ellch, why can't you tell-all? You're not a secureworks employee. You're just blowing hot air.

Posted by: dgtruckses | September 30, 2006 10:43 PM

This whole thing stinks to high heaven. I wish the truth would come out! Something tells me Apple is not completely inculpable here either!

Posted by: TJ | October 1, 2006 2:49 AM

It would also be nice to know why on earth did Maynor and Ellch play hide and seek with Apple? Why didn't they deliver the packet captures or point the location of vulnerable code? If they were able to show the vulnerability in 60 seconds, why they didn't do the same demo for Apple?

One reason why the story stinks is that both Brian and George have failed to ask the big questions from both Maynor and Ellch. Whatever these two have said, they have taken as fact. That is not the way how a journalist works - and there is a reason for that.

Posted by: rmac897 | October 1, 2006 4:55 AM

What I don't understand is why anyone would bother to doubt this. Why is it so hard for some people to believe that Apple has driver vulnerabilities, especially given that they, uh, just issued patches...? for the wireless driver...? to fix an arbitrary code exploit in frame handling...? Hello?

Generally, if someone with Johnny Cache's credibility says there's a vulnerability, there's a vulnerability. It's usually sufficient for a reporter to simply document a vulnerability and leave it to the vendor to find the problem code and fix it. It's never up to the reporter to prove the vulnerability exists--with the complexity of modern operating systems, it's up to the vendor to prove that it doesn't. The notion that these cats would have to demo the exploit to be taken seriously is completely absurd. That they bothered to demonstrate a related vulnerability at all is gravy.

Only a marketron will deny a vulnerability exists; anyone with a clue will investigate, and keep his mouth shut until he's sure either way. It's sad to see how a once-innovative company like Apple has been taken over so completely by marketing types. I guess they don't want the simple fact that yes, MacOS has vulnerabilities too, to undermine their expensive advertising campaign. Even Microsoft seems more clueful these days--a little, anyway.

Posted by: antibozo | October 1, 2006 7:58 AM

Also, to respond to something Brian posted in a previous blog entry, US-CERT does release vulnerability information eventually; they don't sit on it forever. It's not as exciting as showing off a new 0-day at Black Hat, but if you report vulnerabilities to US-CERT, they will communicate securely with the vendor and develop a patch and reporting schedule. Sometimes it takes a long time--I've waited for up to a year for vulnerabilities I've reported to go public, but it happens in due time.

A benefit to this approach is that you don't get into legal battles with the vendors, since US-CERT insulates you. You can even ask US-CERT not to provide your contact information to the vendor. Of course, you don't get famous that way, but you also don't have to hire lawyers when you're dealing with a vendor as arrogant as Apple is proving to be.

Posted by: antibozo | October 1, 2006 8:12 AM

the reason people have a hard time believing that apple has driver flaws is that dave maynor is a liar.

Posted by: dave wen | October 1, 2006 10:09 AM

This is turning into quite a saga.

AFAICT, only one thing is certain. Johnny Cache is guilty of bad grammar:

"Apple and SecureWorks had two months to stop Dave and I from giving this talk."

Sorry, Johnny, the first person pronoun there is governed by the preposition "to". IOW, you want the sense "to stop us" not "to stop we". It should be "Dave and me".

:-)

Posted by: Mike | October 1, 2006 10:10 AM

So, let's see if I get this right. In a last minute twist, SecureWorks did stab its own researcher in the back because they were threatened by Apple?

Johnny "Cache" Ellch is not a SecureWorks employee and can still talk about this, but not enough to flat out tell us what's really going on, because his mentor David Maynor is tied to SW.

Posted by: snoopy | October 1, 2006 10:48 AM

antibozo: cache has close to zero credibility right now. and reporters need to correct their mistakes......

Posted by: shelly | October 1, 2006 11:11 AM

Quite extraordinary. If nothing else they -Maynor and Ellch- are truly incompetent when it comes to public relations.

I get the feeling that Apple have stepped in to help save what they can of the reputation of SecureNetworks which is falling apart completely because of these two clowns.

They've pulled a few fast ones too many in my opinion.

Posted by: Jon T | October 1, 2006 1:31 PM

"If nothing else they -Maynor and Ellch- are truly incompetent when it comes to public relations."

that may be true. both of them are used to interacting with the security community (which isn't shocked when someone finds a vuln on a platform). their intended audience for research has been the sec community, not the fanatical mac community (not that the entire mac user base is fanatical, but the discovery of a vuln certainly brought these folks out the woodwork).

something that doesn't seem to be brought up in these conversations regarding credibility - past actions. credibility is built up (credibility and reputation are closely related). both of these researchers have a body of impressive research - this work has *earned* them the respect and reputation they currently hold within the security community. I'm not certain they should care about what the 'mac community' thinks of them.

Someone said "Had they done a proper demo for recognized Mac OS X experts..." As I said, their audience has been (and should continue to be) for security experts.

contrast this disclosure with M Lynn's disclosure. the debate was not about the existence of a bug, even though there was not even a video available, but about disclosure issues and politics.

I can imagine that Maynor/Ellch used some poor judgment in relationship to this issue, but if they did it would have to do with appropriate disclosure. As with the Lynn case, I'm certain there are many things going on which are outside of public view and which are impacting the decisions of Maynor/Ellch. Lynn straightforwardly declared as he released the Cisco bug that he would not be releasing the information if he had a family to support or a job he needed to retain.

"I get the feeling that Apple have stepped in to help save what they can of the reputation of SecureNetworks which is falling apart completely because of these two clowns." - Yeah, this makes sense, large multinational 'steps in' out of the kindness of their hearts to help save the reputation of a small security research company [fails absurdity test].

"Ellch, why can't you tell-all? You're not a secureworks employee. You're just blowing hot air." Well, it seems pretty reasonable that Ellch would not do anything to overtly jeopardize his friend and collaborator who is a secureworks employee.

If you think Maynor is being overcautious, and wonder why I bring up these comparisons with Lynn, it is worth noting that Maynor used to work at ISS with Lynn and has seen firsthand how a company is happy to screw over its employees.

I do agree that Ellch may use bad grammar. But I live in a glass house myself.

Posted by: e o | October 1, 2006 1:54 PM

All I can figure here is that Apple has a lot of sock puppets posting to this blog.

Again, Apple just patched the wireless driver for exactly the kind of vulnerability that Maynor and Cache described. How anyone can claim that Maynor is a liar, or that Cache has zero credibility is beyond me. It's patently obvious that they were correct.

Posted by: antibozo | October 1, 2006 3:23 PM

It amazes me how the Windows fanboys come out of the woodwork to grasp at any straw to help them feel less incompetent for using their OS of choice. They even hang on to the twisted logic of this whole crazy incident and ignore basic college logic class material. Apple has already publicly stated that with all the talk about WiFi security and in the absence of any proof from our crazy friends here, Apple did a careful study of its own code and found some potential issues which they have fixed. Simple as that! No one has EVER claimed the Mac OS is without bugs or cannot be hacked. One day it will happen...I guess...but when it does and Apple users demand proof I hope we get more than the run around we have here. Sorry Windows fanboys!

Posted by: JeffWasHere | October 1, 2006 3:37 PM

Let's go right to Ellch's words, he said, "We demo one bug in Apple."

Uhm.... let's stop right there. Did hd and David not show a video with a reputed bug in a 3rd-party wireless card with a 3rd-party wireless driver? As far as I know, the only person to whom he showed a reputed bug in an Apple card and driver is to WP's own Brian Krebs. Seeing as he is clearly referencing the public display of the video at BH, then one can only conclude that Ellch is confused and/or a liar. One need not read any further in this charade, if he cannot get his own facts straight.

Posted by: KenC | October 1, 2006 4:50 PM

KenC: he said, "We demo one bug in Apple." He did not say "We publicly demo one bug in Apple." Obviously the demo he is referring to is the one they did for BK.

Yes, their public demonstration was of a related vulnerability in a third party driver. Perhaps demonstrating the vulnerability in the AirPort driver was unreliable. Perhaps they didn't want to run afoul of any reverse-engineering EULA in the AirPort, which may also be why they never provided a disassembly to Apple. For whatever reason, they didn't feel comfortable demoing the AirPort vulnerability in public.

And so what? Since when is a public demonstration a requirement of vulnerability reporting?

Apple's response in this case--to deny the vulnerability even existed, and then patch it--was pathetic. Where is the harm to anyone's credibility, other than Apple's? Who's the liar here?

Posted by: antibozo | October 1, 2006 5:38 PM

To antibozo:

You state as fact that Apple patched the vulnerability that M & E demo'ed. That remains to be seen. All we know so far is that Apple denies it is.

Could Apple be lying? Sure. But what would be the point? The truth will out, sooner or later. The damage to their credibility would be much more than if they just said the patch was to the same vulnerability.

Posted by: V-Train | October 1, 2006 7:18 PM

V-Train: so you're saying that, yes, Apple patched against a vulnerability in the AirPort driver, but it's conceivable that this was a vulnerability different from the one which M&E demoed, which Apple denied even existed, and which they just happened to discover while this fiasco was going on. Fine, but why would that mean we should suspect that Maynor and Cache were lying about the vulnerability they found? When have they lied about a vulnerability before?

Contrary to your argument, it's plain to see why Apple--or at least their marketing department, which appears to have taken over the company--would lie. They've invested millions in an extensive advertising campaign predicated largely on the perceived security of their platform. You're asking the question backwards--you should be asking what would be the point of Maynor and Cache lying. The truth will out, as you say, so their lie would be exposed and they would lose credibility. At worst one might suspect they were mistaken, but you see we have this new AirPort patch from Apple which sorta undermines that theory, dontcha know?

Posted by: antibozo | October 1, 2006 9:25 PM

Antibozo posits the idea that any credible source demonstrating a vulnerability should be inherently trusted, and that journalists have no obligation to verify the truth of the "facts" they report.

This is absurd and dangerous.

How does anyone ever gain credibility if one never has to prove they are correct?


Posted by: SK | October 1, 2006 9:31 PM

Ellch (once again) didn't answer the two crucial questions: Did he (and Maynor) manage to manipulate the Apple drivers, and did they provide proof of that to Apple? Apple says no for the second question (they never said that there is no vulnerability) and insists on that. Ellch neither says yes or no.
So, I'm no expert, but the outcome here seems obvious: While Ellch and Maynor did manage to manipulate something, they didn't manage to manipulate the Apple drivers. They misled Brian Krebs (and others) into believing the opposite, and Krebs, very keen on getting the "Hacking a Mac in 60 Seconds"-headline, reported false information. It's time for Krebs to set the record straight, if he wants to keep some journalistic credibility.

Posted by: Martin | October 1, 2006 9:32 PM

In no particular order, comments received contain:

Speculation out the wazoo.
Personal Attacks.
Personal opinion presented as fact.
Grammar analysis.
PR skills analysis.
and
I want to know now, boo hoo.

Posted by: bleh | October 1, 2006 10:12 PM

SK> Antibozo posits the idea that any credible source demonstrating a vulnerability should be inherently trusted, and that journalists have no obligation to verify the truth of the "facts" they report.

Hm, I wonder where I posited that. I don't see where I've said anything about the responsibilities of journalists.

The first part I more or less agree with: that vulnerability reports from credible sources should be trusted, but that's something of a tautology.

As for Brian Krebs, I think that, given that he is in fact a journalist and not (as far as I know) a kernel hacker, he went far, far beyond the level of investigation I've seen from your average technology reporter in attempting to verify the veracity of Maynor and Cache's claim. You would put poor BK in an absurd position--having witnessed the exploit once and reported what he saw, now, what? you would have somehow force people who may be under the threat of firing or legal action to demonstrate it again because it's too difficult for you to imagine that the AirPort driver had a vulnerability in it, even though Apple just issued a patch for exactly the same sort of vulnerability BK reported in the first place?

SK> How does anyone ever gain credibility if one never has to prove they are correct?

By proving to be correct over and over again, and generally doing the sort of work that Maynor and Cache have been doing for some time.

I suggest, if you want to better understand how this vulnerability reporting business works, you go slog through full-disclosure for a few hours. All I can conclude from all this foofaraw is that a lot of Mac users were traipsing merrily through dreamlike meadows of contentment and have suddenly been plunged into a deep state of angst and denial by this:

http://docs.info.apple.com/article.html?artnum=304420

"Two separate stack buffer overflows exist in the AirPort wireless driver's handling of malformed frames. An attacker in local proximity may be able to trigger an overflow by injecting a maliciously-crafted frame into a wireless network. When the AirPort is on, this could lead to arbitrary code execution with system privileges...

"A heap buffer overflow exists in the AirPort wireless driver's handling of scan cache updates. An attacker in local proximity may be able to trigger the overflow by injecting a maliciously-crafted frame into the wireless network. This could lead to a system crash, privilege elevation, or arbitrary code execution with system privileges...

"An integer overflow exists in the Airport wireless driver's API for third-party wireless software. This could lead to a buffer overflow in such applications dependent upon API usage. No applications are known to be affected at this time. If an application is affected, then an attacker in local proximity may be able to trigger an overflow by injecting a maliciously-crafted frame into the wireless network. This may cause crashes or lead to arbitrary code execution with the privileges of the user running the application."

Posted by: antibozo | October 1, 2006 10:58 PM

Posted by: antibozo:

"All I can conclude from all this foofaraw is that a lot of Mac users were traipsing merrily through dreamlike meadows of contentment and have suddenly been plunged into a deep state of angst and denial by this:

http://docs.info.apple.com/article.html?artnum=304420"

... those Mac users were especially frightened by that: "There is no known exploit for this issue." (From the linked Apple document, you somehow forgot to include that in your post)

Posted by: Martin | October 1, 2006 11:46 PM

This is sounding like there's something going on that nobody is hearing and because it's all about keeping the alleged flaws from anyone, it seems we will never hear anything concrete from SecureWorks. It almost sounds like they are trying to blackmail Apple into paying them for the claimed flaw info? (Just a SWAG)

The rats we are smelling are getting more and more pungent every day. I went to apple.com/pr and looked for ANYTHING like what was mentioned here and found nothing. HOWEVER, I did find that there was said announcement from SecureWorks (which wasn't cited clearly as the "they" that announced the confab was SecureWorks). Speaking of SW, they must have muzzled Maynor. So, more FUD from Ellch, anyone?

The picture I have in my mind is Maynor was called by Ellch who, on his own, decided to come up with a crack for MacOS X as he was wanting to stick it to the smug Mac users. He found some potential holes, but couldn't work out a full exploit. He decided to go with a USB WiFi device because he knew he could exploit that. Maynor came along for the ride. All just guesses on my part, of course.

The discussion with Ou above really speaks volumes.

Posted by: Anonymous | October 2, 2006 12:39 AM

Apple is LOADED with money (these days). Why don't they fly Maynor & Ellch out to Cupertino and have them bring ALL their fun toys EXCEPT the USB WiFi device and do a demo on campus? Then, Apple wipes the MacBook drive, reinstalls the OS, and they can do the demo again.

Heck, Krebs, why don't you take the role of Apple and do just that if you can't talk Apple into it? (And no booting off an external after wiping.)

Simple, huh?

Posted by: Pecos Bill (again) | October 2, 2006 12:52 AM

"As for Brian Krebs, I think that, given that he is in fact a journalist and not (as far as I know) a kernel hacker, he went far, far beyond the level of investigation I've seen from your average technology reporter in attempting to verify the veracity of Maynor and Cache's claim."

What "investigation" has Brian Krebs done? He is posting press releases and prepared speeches as evidence.

And Brian's insistence that he saw a hack on the native airport drivers -- which NOBODY AT SECURE WORKS WILL ADMIT EVER EXISTED -- makes him part of this story.

Posted by: Norm Whitestone | October 2, 2006 4:17 AM

Martin> ... those Mac users were especially frightened by that: "There is no known exploit for this issue."

Reasonable people with no emotional investment in Apple's being all shiny and perfect would conclude that there is, in fact, a known exploit--the one Brian Krebs witnessed. But even if the exploit Maynor and Cache demonstrated doesn't target the vulnerabilities Apple patched against, there are two more reasonable conclusions:

1. There will be a known exploit before very long.

2. There's a good chance that the vulnerability Maynor and Cache targeted still exists.

What's funny to me about this is the perseverance you guys have to try to stay focused on whether two guys with no reason to lie simply *must* be lying. The practical fact is that Apple had vulnerabilities in their wireless driver. This is true regardless of whether M&C were making it all up for some obscure reason. So what are you defending?

Welcome to the wonderful world of computing. Most code is crap. Apple's no different, except their crap is shinier and comes in bright, friendly colors. What you *should* be frightened of is the arrogance with which Apple has reacted to this. "They never proved to us that this exploit worked against our driver. And they never gave us enough details to identify exactly where in the driver the problem was. But, uh, we looked at our driver code and we just *happened* to find these UNRELATED vulnerabilities that most DEFINITELY are NOT the ones they didn't give us enough details to identify. These aren't the droids you're looking for. Move along." Sorry, but those Jedi mind tricks don't work on everyone.

Posted by: antibozo | October 2, 2006 4:32 AM

Norm Whitestone> What "investigation" has Brian Krebs done?

I defy you to name *one* journalist who takes technology reporting more seriously than Brian Krebs. He actually goes to Black Hat, Toorcon, Defcon, etc. when nearly everyone else outside a few trade rags just reprints whatever blurb comes out of AP. He interviews real computer criminals, hackers, hats of all colors. He does methodical, detailed technical investigation (see for example his document on the timeline of unpatched vulnerabilities in various browsers). He brings important patch notifications to the front page of washingtonpost.com. He's doing a great job of reporting highly technical and sometimes very esoteric information in a way the general population comprehends, and that's a rare skill.

So go ahead--tell me who's doing a better job.

Posted by: antibozo | October 2, 2006 5:01 AM

Gasp!

Apple isn't infallible? They're not perfect? They're not the best thing since sliced bread?


I'll stick with my Bannana 2000, thank you.

Posted by: Astounded | October 2, 2006 9:51 AM

Brian is not a journalist, he is a blogger. He works for washingtonpost.com, not the paper.

In terms of better coverage, I usually rely on Joe Barr. Other bloggers usually provide more info. Even George Ou has better info.

Judith Miller wrote a lot too. But that doesn't mean she was good.


Someone said Apple was threatening SecureWorks with revealing source code. There is no "Apple" source code. The MacOSX has been a semi-open code base since its introduction. No need to reverse engineer, and no threat of law suits.
The driver for the native Airport card was written by Atheros, not Apple. I don't know if that is also open source, but I believe it is.

Posted by: Norm Whitestone | October 2, 2006 10:21 AM

toolsRtools:

Bang for buck? So that's why M&E tried to get the big publicity for their hack of the MacBook! Yeah, you're right, they're writing a book together! Great publicity!

I think that they really did have a hack for the MacBook, but the code wasn't ready for the Black Hat; they almost admit this when Krebs quotes them as still researching this issue.

BUT, I also think that they finished it, and were holding back to hit Apple with it at Toorcon, Secureworks found out last week, and pulled the plug. SecureWorks then called Apple, offered the code, and Apple agreed to work with them.

Apple has never tried to deny any vulnerability, all they did was deny that SecureWorks or M&E had supplied them with any code to prove it.

Hence, when SecureWorks provides it, Apple says, "Sure, let's fix this thing!"

Simple, fits all the publicly known evidence and follows Occam's Razor.

And for your information, plenty of people, in business and out, have information worth stealing. There are upwards of 19 million people using Macs out there, and probably most of them have credit cards, at least.

So lose the hostile crap attitude, dude, you just make yourself look as bad as those "Mac Zealots" you seem to hate so much!

Posted by: rahrens | October 2, 2006 10:43 AM

Apple performed a security audit of their code during which they found and patched three (3) bugs.

Ellch and his believers keep referring to "the" bug, claiming he discovered "it" first. Which one (1) of the three (3) would that be?

Could we agree to refrain from talking about "the" bug until someone is willing to answer that question?

E.g. "Maynor and Ellch claim to have discovered a bug. Apple has patched three bugs ..."

Posted by: BlindedByDisinterest | October 2, 2006 11:56 AM

AntiBozo: Ellch was not referring to the exploit he only showed to WP's own Brian Krebs. The statement was released at Toorcon, a public venue, with lots of folks who know diddly about what Ellch and Maynor showed Krebs, unless they read Krebs' blog. What most of those Toorcon attendees would know is the video Ellch and Maynor showed at BH. By Ellch saying:

"Let's recap this thing.

"We give a talk saying that device drivers have lots of bugs. We demo one bug in Apple."

He's clearly referring to a "talk", ie the video at BH, not his private demo to Krebs. And, by stating "one bug in Apple" he's clearly lost the plot, and doesn't even remember what the video showed, nor the disclaimer that the supposed exploit was in a 3rd party card and 3rd party driver, not "in Apple". Duh!

After that, everything else Ellch says is just gibberish, if he can't get his basic facts right. Too much dope, apparently.

Posted by: KenC | October 2, 2006 1:54 PM

Wouldn't be surprised if Apple prevented the talk because the hack required reverse engineering of Apple source code. That would not be unprecedented. Microsoft is going after the developer of FairUse4WM because they believe the vulnerability couldn't be exploited without illegal access to the source code. Spare me the Apple is better than MS morally stuff, too. Apple is suing people for using the word Pod. Apple is protecting its IP all over the planet, and that is probably the case here.

The lesson here is that vendors will go after 'researchers' for exploits that are published as a result of access to source code. The EULA for Apple's OS clearly states as much. Surely this is what is going here. Apple is protecting its IP.

Whatever the case, the idea that Apple's OS is inherently more secure erodes daily. Their heavy-handedness in this matter will further motivate black hats to go after the OS with renewed passion, despite the impish target base. That is the opposite effect I am sure Apple intended here.

Posted by: Everything is Vulnerable | October 2, 2006 2:57 PM

I find this whole thing to be a testament to how secure a Mac really is.

Just look at how much attention is given to the possibility that two guys may have found ONE security flaw in a Mac (by means of using 3rd party software and hardware).

The very reason everyone is jumping all over this issue is because this is the ONLY purposed security issue a hacker has claimed to have found.

Are there more security issues in a Mac? Of course. It's a computer, silly. With code written by human beings.

But if Macs had the huge number of security flaws that Windows has, no one would waste their time focusing on just this one issue. They'd be too busy running virus protection, spyware, adware, and all the umpteen other things Windows user have to do. But the fact is: We don't! So we DO have the time to scrutinize this ONE report.

Whether the report from these two guys is true or not, it still shows the security of a Mac over Windows by the mere fact that a single report of a possible exploit can cause such a fuss.

BTW, I heard that Vista may be delayed due to security flaws found in the beta. If true, Windows users have their own headaches to worry about. Let us Mac users fret over this ONE report.

Posted by: Complexity | October 3, 2006 12:56 AM
