Wednesday, September 27, 2006

After Black Hat: The Apple Airport exploit debate

A great deal has been written in articles and blogs around the internet regarding the videotaped exploit of a third-party wireless card and driver installed in a MacBook, which was shown at a demonstration at the Black Hat convention held in August. What has made even larger waves, for those who are aware of the sequence of events, were the claims, as reported by Washington Post reporter Brian Krebs, in which SecureWorks researcher David Maynor claimed a stock MacBook is subject to a similar exploit from the same class of vulnerabilities. Krebs has also reported that he and one unnamed Black Hat employee privately witnessed the stock Apple exploit first hand the day before the public third-party demonstration took place at Black Hat.

There are a number of very important issues that have come to light as a result of these claims. Interestingly enough, whether Maynor and his partner Ellch discovered a vulnerability in the stock Apple hardware and drivers is the least of my personal interests in the matter. Although that is still a live question to be sure, it is possible that even if Maynor did have an exploit for a stock MacBook, the most recent patch for Apple's Airport card and drivers fixes it.

Some of the other issues that have found a home in this whole debate over the veracity of the claims Maynor apparently made to Krebs: Krebs's reporting skills have been brought into question; industry standard practices for reporting IT security issues have been brought into question (particularly as they relate to SecureWorks in this case); the willingness of vendors to make completely transparent statements to the public has been brought into question (particularly as it relates to Apple in this case); and the general public reaction of many Apple computer enthusiasts has also been brought into question, and that is in fact one of the things I personally find the most interesting.

The particular Apple enthusiasts that have caught my interest, and there appear to be a lot of them, are the ones who have taken an extraordinarily hard stance that there is little to no possibility that SecureWorks discovered an exploitable vulnerability in stock Apple Airport cards. This hardened stance is typically accompanied by claims such as: Maynor and SecureWorks are liars and/or frauds, along with extraordinarily insulting commentary directed towards anyone who would so much as point out that there is no evidence yet showing that Krebs's report on Maynor's claims is unfounded.

The interesting thing is that because neither SecureWorks nor Maynor and Ellch have come out with further information on the claims about the stock MacBook exploit, many of these particular Apple enthusiasts have taken this to mean not that the exploit remains unproven, but that the SecureWorks participants are liars. This is usually reasoned out as ‘Apple would not lie, so SecureWorks and Maynor must be the liars because they have provided no proof’. Of course, Apple has not provided proof that such a hack does not exist either. And that point is usually attacked with ‘you cannot disprove a negative’ or ‘why should Apple have to prove or disprove anything? Maynor and SecureWorks are the accusers; they should provide the proof’.

Those claims have some merit, but only insofar as the balance of probabilities will only be swayed one way or the other when one side or the other supplies some measure of proof. Of course it makes no sense to believe such an exploit exists if no evidence is provided, and as such there would be no reason to believe it. On the other hand, a simple lack of evidence, without anything else, does not prove the exploit does not exist; it simply means there is no reason to believe it. For example, I certainly do not yet believe that such an exploit exists without more evidence that it does, but I cannot discount that it may, because there is no evidence that it does not exist.

It is the peculiarities of the aforementioned Apple enthusiasts, who are so quick to form such strong and adamant opinions that the exploit cannot exist and that anyone who points out that it may is some kind of lunatic, which I find to be of such interest. How and why do such people justify abandoning reality so quickly to defend, without question, a position that has not been established? Why is it unfair or lunacy to investigate the possibility of such claims, or to assert that the information so far supports the possibility that the claim of a stock exploit might still be true?

The primary claims that people have relied on as proof to reach their unshakable opinion that the story of a stock Apple exploit is a fraud, along with some explanation of why such claims cannot yet be relied on as proof of anything, are as follows:

1. Apple wouldn’t lie; why would Apple lie? If Apple isn’t lying then there is no exploit.

The problem here is, first, that we do not know for a fact Apple would not lie. I am of the suspicion that they would avoid an outright lie at all costs, as the truth about this is likely to emerge and any lies would only make it worse if the exploit does exist. So, although it is unlikely that Apple would lie, we do not know this for a fact. And why would Apple lie? If they were foolish enough to lie in this case, it could be due to not wanting to admit that an outside source discovered a vulnerability in an Apple product. There may be other reasons that the public is not privy to that might induce lies from any company; it is rather conceited for anyone to assume they know the intimate workings of a large company they are not affiliated with so well that they can say as a fact there is no reason for that company to lie.

But here is the most salient point that directly counters the above supposition that if Apple is not lying, then there is no exploit: Apple so far has made no statements that would have to be a lie even if the exploit does exist. Apple has released a number of statements and even recently answered some important questions, and be it by accident or design, what Apple has said so far has in no way backed them into any kind of corner that would inevitably result in them having lied if Maynor's exploit exists. In fact it is reaching a point where one can reasonably suspect that the avoidance of any language so strong that it would have to be a lie if the exploit does exist is more than coincidental, and might be the result of Apple themselves not knowing whether such an exploit exists. If this is true, then even Apple themselves recognize the possibility that Maynor's exploit might exist. If that is why Apple has not taken a strong stand themselves, then the overly harsh stances many Apple enthusiasts have taken up until now are not warranted.

2. It has been weeks and weeks since the Black Hat conference, and neither Maynor nor SecureWorks has come up with any proof that the claimed exploit exists. As there is no reasonable excuse for such a delay, the only logical explanation is that the claimed exploit is a fraud.

The problem here is that from the very beginning of this, even in videotaped interviews at Black Hat, Maynor made it plain that there would be no further descriptions or releases of information about this class of exploits until the appropriate vendors had patched. It is my understanding that this is not an unusual policy for an IT security company to hold, and from some things I have read it appears that SecureWorks is particularly fussy about this policy. Further, I have also read that SecureWorks apparently had some complex business dealings going on that would have made diving into an IT media frenzy problematic. Now let's be real here: it is one thing if you think the policy sucks, or that it was poorly implemented, or whatever; the question is, is it possible that this explains the delay in providing further information? After all, now that this patch has been released by Apple, Maynor claims he will be explaining all at the Toorcon convention this week, so it certainly appears that following policy was very likely the reason for the delay. The fact that this is a reasonable explanation for the delay, even if one does not like the policy, negates it as any kind of proof that the exploit does not exist, and certainly removes any excuse for a rabid attack on the possibility that the exploit may exist.

3. There is absolutely no other evidence, besides the Krebs interview, that Maynor had an exploit for a stock Apple laptop, and without any further evidence of any kind it is safe to say that no exploit exists.

The problem with this line of thinking is that it is simply incorrect. There is at least some more evidence, and it would be given some reasonable credibility by anyone other than a person with a vested interest in dismissing it. While the additional evidence does not constitute proof, it is further evidence.

First of all, there has been very wide discussion of this issue on the net. Maynor, Ellch and SecureWorks all know this very well, and while policy may prevent them from naming specific vendors affected by exploits they discover, I find it hard to believe that in a case such as this the policy would prevent them from stating that a specific vendor is not affected. If there was error or misunderstanding in the Krebs interview, it is unthinkable that SecureWorks or Maynor would not have cleared this up by now. If there is no stock Apple exploit of the kind Krebs claimed Maynor demonstrated to him, then SecureWorks is doubly in the wrong for not getting things straightened out with Krebs so the original story could be corrected. So not only has there been weeks and weeks to provide proof, there has been exactly the same amount of time for a retraction. With no retraction in all this time, it is a strong indication that the assertion of the stock exploit made by Maynor to Krebs still stands. As I said, this is by no means proof the exploit exists, but it is additional evidence that it may.

Plus, Maynor and Krebs are not standing alone on this. Other IT professionals who were at the Black Hat convention, such as George Ou and the popular blogger Mogull for two examples, both claim to know the exploit is real, to have interviewed Maynor, and to regard the claims made and Maynor himself as credible. Once again, not proof, but further evidence that this is not just Brian Krebs of the Washington Post blowing in the wind by himself.

The sorry fact is, even now we do not know whether the stock MacBook exploit Krebs reported that Maynor told him of exists or not, but there appears to be no question that it is possible that it may exist. Maynor himself is claiming all will be told shortly at Toorcon. And this also means that all those who are screaming and jumping around claiming that Maynor and SecureWorks are liars and frauds are relying on nonsense and best wishes for Apple, and for some reason are cutting common sense loose to the wind in favor of vigorously defending a hardware/software vendor that is poorly served by overzealous fanatics who have too much of their self-esteem tied into their choice of computer hardware and operating system.
