Tuesday, November 14, 2006

The Evolution Of A Controversy

The IT world first began to take serious notice of the claim on August 2nd, 2006, at approximately 7:30 a.m. ET, when Brian Krebs made his first post regarding the issue in his blog on the Washington Post website. There is little doubt that this is the event that, surprisingly, lit the fire that eventually became the Macbook wireless exploit controversy. The title of his post was more than enough to catch the attention of many: “Hijacking a Macbook in 60 Seconds or Less”. In his blog Brian Krebs made the following claims:

“The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless "device driver," the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the Macbook… Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS.”

The report by Brian Krebs that followed in the same blog, about a comment made by David Maynor, the SecureWorks researcher who was about to present a videotaped demonstration of the wireless exploit at the Blackhat conference, became a critical focal point for many pro-Apple users. Maynor had apparently said:

"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,"

This comment by Maynor was, from this point on, frequently referred to as the evidence that Maynor and Ellch were ‘out to get’ Apple and Apple computer users. The fact that Maynor had repeatedly said that this was not an Apple-specific exploit, but instead was one of a class of wireless exploits across all the major operating systems, and the fact that Maynor himself owns a Macbook (apparently Ellch owns a Macbook as well), did nothing to assuage the fervor of Apple users who were bound and determined to have evidence that Maynor was perpetrating a fraud against those he hated.

The videotaped demonstration that took place at Blackhat did end up using a Macbook, but with a third-party wireless card and drivers, which Maynor clearly pointed out and which were obvious to those who saw the actual video. After the public demonstration at Blackhat, things really started to cook. Brian Krebs immediately blogged again to clarify what he had said in his original posting about what Maynor had said to him in private and what had actually happened at Blackhat. The only comment of real importance in Krebs’s updated post was:

“During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.”

This meant there was no doubt that Brian Krebs was sticking to his version of what he said Maynor showed and told him the day before the Blackhat presentation took place. It was shortly after this that the story ‘exploded’ in terms of IT issues on the internet. Plenty of sites, such as pcadvisor, infoworld, security.itworld, usatoday.com and many more, were already reporting on the Blackhat presentation Maynor had given on the day of the actual event. A problem with some of these reports was that there was little or no mention of the fact that Maynor had made the publicly demonstrated video with third-party wireless hardware and drivers, not stock Macbook wireless hardware and drivers, and that he had made it quite plain in the demonstration video that this was the case.

This of course set the stage for a real debate a little later, when other web reports explained that the public demonstration at Blackhat was not done on stock Mac hardware and drivers, unlike the private demonstration that Brian Krebs, in his first blog post, said Maynor had shown him the day before the public Blackhat demonstration. This was an issue of considerable confusion. While the IT world first began to take significant notice of the issue after Brian Krebs’s first report in his blog, the issue didn’t really explode until after David Maynor gave the video presentation at Blackhat and the immediate subsequent reporting took place. Because many of the reports failed to explicitly mention that the Blackhat video demonstration used third-party hardware and drivers, and many reports were working with information gleaned from Krebs’s first blog post that talked of a stock Macbook exploit, the later reports explaining that the exploit had not been demonstrated on a stock Macbook made it appear that the original reports from Blackhat may have been the result of a fraudulent claim made by Maynor, which of course they were not. Some of the first reports were just not an accurate reflection of what had taken place at the Blackhat conference, as many of these reports were apparently written on second-hand information by people who had not seen the video demonstration.

When the video demonstration is actually viewed, it’s made very plain by Maynor that the wireless hardware is not a stock Apple component, and there is never any suggestion or inference that would indicate otherwise. Nonetheless, many people took the seemingly new revelations in reports in the days after Blackhat, that the stock hardware and drivers were not in fact used, as an indication that an attempted fraud had taken place at Blackhat, and this started a firestorm. This turned into a very problematic situation. Many who were calling ‘fraud’ on Maynor’s demonstration actually knew very little about the sequence of events leading up to the demonstration at Blackhat, had never seen the actual demonstration video, and were not familiar with the claims Brian Krebs was responsible for through his Washington Post blogs.

There were some pro-Apple bloggers who had pretty much declared open war on Maynor’s credibility at this point, and plenty of pro-Apple readers were quick to jump onboard that premature bandwagon. As the debate began to intensify, many of the more uninformed bloggers and readers of those blogs became better informed of who had, or had not, actually said or done what. This meant that many of the uninformed gradually came to realize that Maynor had made obvious the use of third-party hardware and drivers in the Blackhat demonstration, that the demonstration had never implied it was a stock Macbook exploit, and that Brian Krebs had been the one who reported that Maynor had ‘privately demonstrated’ a stock Macbook exploit to him the day before the Blackhat demonstration; this is what had caused confusion in so much of the web reporting on the matter.

By now some who were already in the know about the part Brian Krebs had played in the build-up to this point were seeking some degree of vengeance against him; after all, he was the one who dared to ‘publicly’ claim you could “hack a Macbook in 60 seconds or less”. But so many of the pro-Apple community had committed themselves in a very serious way to the idea that Maynor and Ellch had perpetrated a fraud that, for them, what Brian Krebs had posted on his blog was simply proof that Maynor had made the claim a stock Macbook could be exploited in 60 seconds, and in their Apple-loyal minds this still represented proof that Maynor and Ellch were frauds for even making such a claim to Krebs. Additional claims of irresponsible behavior on the part of Maynor, Ellch and Maynor’s employer, SecureWorks, came about as soon as Apple’s public relations representative released their initial statements on the matter. Lynn Fox had stated:

“SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.”

This statement was taken by some rather prominent bloggers to mean that Apple was saying that there had in fact been absolutely no contact from Maynor or SecureWorks at all in regard to potential stock wireless card vulnerabilities on Apple laptops. Subsequent posts by bloggers and their readers based on this kind of erroneous interpretation of Lynn Fox’s statement, such as those by blogger John Gruber, only added fuel to the fire. Gruber’s misdirected analysis of the situation at this point asserted that if indeed Maynor had a stock Macbook exploit, then either Apple would have had to have lied about contact from SecureWorks on the vulnerability (which Apple fanatics would never believe), because they had said there had been absolutely no contact about such a flaw (Gruber’s interpretation of Lynn Fox’s statement), or Maynor and SecureWorks were incredibly negligent for not contacting Apple about the vulnerability if there was such a vulnerability. Gruber asserted there was no way out of this predicament where all parties could retain their reputations intact. Someone had to be crooked, and the implication was that Maynor and SecureWorks were the culprits, because it was so unthinkable that Apple would have lied about having zero contact from Maynor or SecureWorks.

A realistic reading of Lynn Fox’s statement simply indicates what kind of contact Apple said they “did not” have with Maynor or SecureWorks, not what kind of contact they may have had with SecureWorks about such an exploit. Gruber’s reckless remarks simply provided a compelling pile of fuel for the fire that the Apple fanatics were now looking to pour some gasoline on. Many Apple fanatics used the same kind of incorrect logic behind Gruber’s analysis of the situation to cement their stance that Maynor and SecureWorks were, without a doubt, liars or at the very least horribly negligent for not contacting Apple so that Apple could patch the flaw.

The world found out on September 21st just how wrong John Gruber’s interpretation of Lynn Fox’s statement was, when reports of a new statement from Apple emerged on the release of a patch for their wireless drivers. Some of the vulnerabilities covered by the patch sounded very similar to the flaws that Maynor and SecureWorks had apparently told Brian Krebs existed in stock Macbook Airport wireless drivers and had subsequently demonstrated in a similar fashion by way of video at Blackhat on a third-party wireless card. An Apple representative released the following statement about the wireless patch:

“In August, SecureWorks approached Apple with a potential flaw that they felt could affect wireless drivers on Macs,” … “They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit.”

The point being: once many pro-Apple bloggers and readers drew together in a consolidated and hardened opinion that Maynor, his partner Ellch and SecureWorks had to have lied somewhere along the line about all this, all analysis of the situation by the Apple fanatic crowd evolved out of that opinion, virtually to the exclusion of any other possibility. And clearly some of their earliest thinking on the matter was dead wrong, because even Apple eventually admitted that contact had been made by SecureWorks about potential vulnerabilities in Apple wireless drivers. I had explained in some detail on George Ou’s blog that Lynn Fox’s statement had never stated that no contact had been made about Maynor’s exploit, and as such, any argument that, if such an exploit did exist, Apple would have to be lying about contact was incorrect. Apple had never said they had not been contacted about such an exploit, just that they had not received code or seen a demonstration of such an exploit.

The Apple fanatics hated that line of thought with a passion. Again and again, any attempt to point out that Apple did not say there had been ‘no contact’ about the exploit typically met with a hostile response from the pro-Apple fanatics. One can only assume this is because, in the Apple fanatics’ analysis of the situation, Apple had said there was zero contact from SecureWorks about such an exploit, and this was very appealing for the pro-Apple zealots because if there was such a flaw it would only make sense that SecureWorks would have contacted Apple about it. In fact, in the Krebs interview, Krebs reports that Maynor said plainly that Apple was contacted, as well as Microsoft, about the wireless driver flaws, and if that contact never actually occurred it would establish an outright lie by Maynor, and that’s what the Apple fanatics were looking for. If one removes the possibility that Apple would have lied if there was contact with SecureWorks, given Lynn Fox’s statement, and thus allows that contact might have been made about the exploit, this provides a more compelling argument that the exploit indeed might have existed and Apple was given at least some form of warning. One reader of George Ou’s blog, who appears to be variously pro-Apple, went so far as to say:

“Blatant lies versus being disingenuous
I do understand your point, that the words Apple chose leave ambiguity, that you're saying it's a total weasel job, rather than an outright lie.

What is Apple's motivation for being a weasel here? Why would they deliberately release such a statement when they didn't have to? Why not just say, we don't think there's a problem, we're investigating further, instead of releasing this firm statement that can be twisted?”

The implication from this poster, along with other related posts from the same person and others like him, is that it would make no sense if Apple’s statement meant anything other than that there was zero contact from SecureWorks to Apple about such an exploit, because any other interpretation would be a weaselly parsing of words that Apple would never engage in. The Apple fanatics literally fought my line of reasoning to death. They were inconsolable about any notion that Apple had stated anything less than that SecureWorks had absolutely not brought a stock wireless vulnerability to their attention in any way. The common argument from the Apple fanatics was that Apple had been quite clear in Lynn Fox’s statement that Apple had never been contacted about the exploit at all, and that to interpret Fox’s statement differently would constitute claiming Apple was being ‘weaselly’ in parsing their words. In the Apple fanatics’ minds that just couldn’t be. This had become a stock line of reasoning that had provided them with what they felt was strong ammunition that SecureWorks and Maynor must have done something terribly wrong, and in their minds it was most likely going to be that stories of a stock Macbook exploit were a lie.

The interesting thing is that once Apple admitted that contact about the exploit had been made to them by SecureWorks, and that the contact had prompted them to do an internal audit in which they discovered vulnerabilities in their Airport drivers and developed a patch, all of the talk that Apple’s original press release would be ‘weaselly’ if it didn’t mean SecureWorks never made contact about the exploit evaporated. Not one of the pro-Apple fanatics who fought tooth and nail about the interpretation of Lynn Fox’s original statement ever seemed to look back and ask themselves why Apple had released a statement using the careful wording they did, wording that in fact influenced them, along with the likes of John Gruber, into believing that Maynor either had no stock exploit and had lied about it, or was just wickedly negligent in not informing Apple that such an exploit was possible. What once was declared to be acting like a weasel if it was true that Apple had been warned of the exploit quickly devolved into ‘Apple is just fine’ once it was proven as a fact that contact had been made about the exploit between Apple and SecureWorks, despite John Gruber’s assertion that it was impossible for Apple to keep their reputation intact if they had been contacted.

This kind of situation exemplified the tone of the whole debate in the controversy. Those who were clearly Apple apologists and zealots had long since hardened their opinion at this point that any story of a Macbook being hacked in 60 seconds was fraudulent. There was literally no issue or unanswered question that caused them reason for concern that this was actually an unresolved issue; in their mind it was a given that Maynor and SecureWorks (and for some Brian Krebs) were all a bunch of crooked liars and all evidence had to be interpreted in that light and any evidence that ran counter to their hardened stance was always to be considered as irrelevant or simply unimportant.

It has to be mentioned here that SecureWorks at this point was beginning to bear a significant load in regard to responsibility for the lack of information forthcoming about the possible reality of such an exploit on a stock Macbook. One has to look at the players in this situation at this point in time and what information had been forthcoming and what was being discussed in public forums. From what had transpired to this point and what we now know, it appears that SecureWorks has some level of massive complicity in obscuring what was and what was not true in this whole debate.

First off, SecureWorks employed David Maynor, and the exploits Maynor and his freelance partner, Johnny ‘Cache’ Ellch, developed and presented at Blackhat were seemingly going to be credited to the SecureWorks firm. If there was a problem with the accuracy of statements made in blogs by Washington Post reporter Brian Krebs about what SecureWorks employee David Maynor had told him, professional responsibility on the part of SecureWorks should have led them to alert Krebs to the fact that he should immediately work to correct those inaccuracies. This is a no-brainer. If there was any inaccuracy in what Krebs was reporting to the entire world about what he was saying Maynor had told him or demonstrated to him, then as Maynor’s employer it was up to SecureWorks to find out what had gone wrong, if anything. Yet SecureWorks held a position of silence during the whole public debate. We have got to assume logically, without further evidence to the contrary, that SecureWorks had no serious problem with reports of a stock Macbook exploit being discovered by one of their employees.

This is without a doubt the most peculiar part of this whole event. It should be considered a severe oddity by anyone with an interest in this issue. Admittedly, while the pro-Apple fanatics jumped all over the fact that both Maynor and SecureWorks never came out with verifiable proof of the stock Macbook exploit that Krebs claimed Maynor told him about, those same Apple fanatics explained the inaction on SecureWorks’ part away as virtual proof there was no such exploit and the whole thing was a hoax. This explanation is entirely hollow, as it would leave far too much unexplained. If SecureWorks indeed found out that Krebs was reporting on the internet that a SecureWorks employee was claiming a controversial exploit existed, and they knew or suspected it did not exist, this would only serve to put their reputation and very business at risk if such misrepresentations were left unaddressed. This is especially true where the controversial exploit in question involved a company with the high profile, financial resources and technical expertise of Apple.

It is particularly troubling given the fact that Apple was coming under considerable critical scrutiny from those on the other side of the issue, who recognized that despite the lack of proof that the exploit existed there was a similar lack of evidence that the exploit did not exist. Its potential existence was never even disputed outright by Apple; instead there were just a series of PR statements from Apple that comprised a careful parsing of words that would allow Apple to adapt their stance if such an exploit was publicly proven. Given that Apple’s press releases were being picked at as a ‘careful parsing of words’ on Apple’s part, it should have been quite clear to SecureWorks that, if they knew the exploit did not exist, Apple would be very unhappy about some of the implications being made regarding their complicity in the matter. If SecureWorks knew that Krebs had it wrong in his blog, there is no rational reason or excuse for having let his misunderstanding go on for so long. If SecureWorks found out that Maynor and Ellch had misled Krebs, it would have been far less risky for them to get rid of Maynor, or at least do something to put some kind of spin on the situation that would reduce the possible fallout that might cripple them in such a situation with a company the size of Apple. Instead, SecureWorks held silent, never once indicating that a stock Macbook was not subject to the class of flaws Maynor had apparently said it was. Instead SecureWorks remained silent and fearless, just like a poker player with an ace in the hole.

The pro-Apple crowd still fell back to the point that if indeed Maynor and Ellch had found a vulnerability in the stock Apple hardware and drivers, there was no forthcoming explanation of why SecureWorks didn’t just come out eventually and ‘DROP THE BOMB’, so to speak. Why didn’t SecureWorks just release all the relevant proof showing that Apple had remained evasive about the whole issue and had never given Maynor, Ellch and SecureWorks their proper due for discovering the vulnerability? Would this not have boosted SecureWorks’ credibility?

There do appear to be some very compelling explanations for the mute SecureWorks response on the whole issue. Once again, these likely explanations for SecureWorks’ lack of interest in ‘dropping the bomb’ on Apple are completely ignored or dismissed by the Apple zealots, despite the clear possibility that they make very reasonable sense out of an otherwise incomprehensible situation. Keep in mind: if a stock Macbook wireless card exploit never existed and SecureWorks knew or suspected this, and Apple felt this was likely the case, Apple certainly would have very good reason for holding a grudge against SecureWorks for not clarifying the issue at some point, and it’s hard to see how a silent SecureWorks would be a better-off or more profitable SecureWorks in such a case.

The first piece of information that explains why SecureWorks might not have wanted to get deep into what had become an IT security public relations nightmare is that they were already deep into a merger with another company. It is not unusual for companies in that kind of situation, who are concerned about such things going smoothly, to be reluctant to get involved in public dung-throwing matches with major companies in their industry when the appearance of professional conduct is paramount to completing the deal. It’s just a simple question of whether there was any real mileage to be gained by SecureWorks by publicly embarrassing Apple in any way when SecureWorks was trying to get through a merger right in the middle of the relevant time period.

An even more compelling possibility is that as things began to unfold, and it became apparent that Apple was not prepared to address the situation in a straightforward manner and be forthcoming about what exactly they had been told by SecureWorks, SecureWorks might have seen a very real likelihood of leveraging Apple to some degree in the future because of the issue, if they did nothing to cause serious public animosity between the two of them. Let it slide, see how it plays out, and if Apple eventually gets themselves backed into a corner public-relations-wise, then make it easy for Apple to work with SecureWorks in some fashion that might be profitable for both parties to sort it out. A rather simple plan that would involve doing nothing until the opportunity presented itself.

As it turns out, something must have happened along those lines in some respect, as Apple and SecureWorks are now working together in some fashion along with CERT, apparently in relation to this whole issue. This startling turn of events came about after Maynor and Ellch decided to ‘DROP THE BOMB’ about the stock Macbook exploit on Apple on their own initiative. They had planned to do this at the Toorcon conference and had apparently informed Apple that this was going to happen. Needless to say, the timeline indicates it wasn’t terribly long after this that Apple released the patch for the wireless exploits and made strong implications that this was completely unrelated to anything that had occurred at Blackhat. It was just one more peculiarly worded statement by Apple, as they plainly stated to a CNET reporter:

“But Apple's security patches are not related to the Black Hat presentation, a company representative told CNET News.com on Thursday. Instead, the company itself hunted for bugs in its wireless software and uncovered the vulnerabilities, the representative said.”

Of course the actual Blackhat demonstration had been on third-party wireless hardware and drivers, so unless Apple is in the habit of creating patches for third-party hardware, the question of what relationship the patch had to the “Blackhat” demonstration was a moot point from the word go. That statement added just one more perplexing question as to why Apple was continuing to release statements like this that would obviously be misinterpreted by the masses to mean something different than what they were actually saying. For some reason Apple never actually said ‘the patch had no relationship to stock Macbook wireless exploits rumored to have been reported to Brian Krebs by David Maynor’. But of course, shortly after the release of this statement, it appeared that Maynor and Ellch had had enough of Apple’s evasiveness when they announced publicly that they would give a presentation at the Toorcon conference about the whole Apple wireless exploit and answer questions in detail from anyone who wanted to ask. But that dream didn’t last long.

Shortly thereafter word came down that Maynor was being held back from talking at Toorcon about the exploit by his employer SecureWorks, and Johnny ‘Cache’ Ellch apparently was completely reluctant to give the presentation without Maynor’s support. This news came about literally on the Friday before the weekend of the planned presentation. Ellch did attend Toorcon and gave a rather scathing public statement (known as the rant) on the altered situation, which of course was dismissed as nonsense by the Apple apologists, who still claimed that there was no real possibility of a stock Macbook exploit at all.

Now we are stuck with nothing as far as a resolution to the question of whether Maynor’s stock Macbook exploit ever existed at all, because Apple refuses to say that they do not believe such an exploit ever existed, only that they never had the exploit demonstrated to them by an outside source. Clearly, given their patch for their wireless drivers, they managed to at least demonstrate some wireless vulnerability to themselves. Further, SecureWorks refuses to say that reports by Krebs of such an exploit were in error, nor are they willing to allow their employee David Maynor to expose what he knows about such a possible stock Macbook exploit. Maynor’s outside partner on the research, Johnny Ellch, is also unwilling to expose exactly what he knows without Maynor’s go-ahead, so at this point, between them, Apple and SecureWorks have decided that the public is better off not knowing the truth.

The end result is that the Apple apologists win this one by a very fair default in my opinion. As I have always said, if there is a possibility that it may not be true, and those who should know if it is true cannot back up their claims then there is no good reason to believe it is true. So at this point it is a done deal. For now.

The last interesting thing that one might look to is a rather curious pair of links provided on SecureWorks’ home web page. The links, now removed from the home page, still reside at this date within the SecureWorks news page on their website. Those two links, along with a few more similar news links, connect to reports about the release of Apple’s wireless patch. All the reports have strong accusatory language against Apple’s refusal to give credit to SecureWorks for discovering the exploit and largely imply that the patch is likely a direct response to the exploit Maynor had told Brian Krebs existed in a stock Macbook’s wireless hardware and drivers. SecureWorks is saying nothing about the implications or claims in those news reports, apparently willing to let them speak for themselves. With SecureWorks and Apple publicly stating that they are working with each other, it seems more than a little out of place that SecureWorks would post links to news stories with such a negative slant towards Apple’s part in the controversy. It certainly appears that SecureWorks may be showing (on the side) to the world exactly what their ‘ace in the hole’ is for those who care to look and then actually ‘get it’. But you are not likely to ‘get it’ so long as you are wearing Apple-colored glasses.
