The State of Affairs

Tuesday, November 14, 2006

The Evolution Of A Controversy

The IT world first began to take serious notice of the claim on August 2nd, 2006, at approximately 7:30 a.m. ET, when Brian Krebs made his first post on the issue in his blog on the Washington Post website. There is little doubt that this is the event that, surprisingly, lit the fire that eventually became the Macbook wireless exploit controversy. The title of his post was more than enough to catch the attention of many: “Hijacking a Macbook in 60 Seconds or Less”. In his blog Brian Krebs made the following claims:

“The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless "device driver," the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the Macbook… Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS.”

Brian Krebs's follow-up report in the same blog, about a comment made by David Maynor, the SecureWorks researcher who was about to present a videotaped demonstration of the wireless exploit at the Blackhat conference, became a critical focal point for many pro-Apple users. Maynor had apparently said:

"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,"

This comment by Maynor was, from this point on, frequently referred to as the evidence that Maynor and Ellch were ‘out to get’ Apple and Apple computer users. The fact that Maynor had repeatedly said that this was not an Apple-specific exploit but one of a class of wireless exploits affecting all the major operating systems, and the fact that Maynor himself owns a Macbook (apparently Ellch owns one as well), did nothing to assuage the fervor of Apple users who were bound and determined to find evidence that Maynor was perpetrating a fraud against those he hated.

The videotaped demonstration actually presented at Blackhat did use a Macbook, but with a third-party wireless card and drivers, a fact that Maynor clearly pointed out and made obvious to those who saw the video. After the public demonstration at Blackhat, things really started to cook. Brian Krebs immediately blogged again to clarify what he had said in his original posting about what Maynor had told him in private and what had actually happened at Blackhat. The only comment of real significance in Krebs's updated post was:

“During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.”

This meant there was no doubt that Brian Krebs was sticking to his version of what Maynor had shown and told him the day before the Blackhat presentation took place. It was shortly after this that the story ‘exploded’ as an IT issue on the internet. Plenty of sites were already reporting on the Blackhat presentation Maynor had given on the day of the event; pcadvisor, infoworld, security.itworld, usatoday.com and many more had similar reports. A problem with some of these reports was that they made little or no mention of the fact that Maynor had made the publicly demonstrated video with third-party wireless hardware and drivers, not stock Macbook wireless hardware and drivers, even though he had made it quite plain in the demonstration video that this was the case.

This of course set the stage for a real debate a little later, when other web reports explained that the public demonstration at Blackhat had not been done on stock Mac hardware and drivers, unlike the private demonstration Brian Krebs had reported in his first blog, the one he said Maynor had shown him the day before the public Blackhat demonstration. This was a source of considerable confusion. While the IT world first began to take significant notice of the issue after Brian Krebs's first blog report, the issue didn’t really explode until after David Maynor gave the video presentation at Blackhat and the reporting that immediately followed it. Because many of those reports failed to explicitly mention that the Blackhat video demonstration used third-party hardware and drivers, and many were working from information gleaned from Krebs's first blog, which talked of a stock Macbook exploit, the later reports explaining that the exploit had not been demonstrated on a stock Macbook made it appear that the original reports from Blackhat might have been the result of a fraudulent claim by Maynor; which of course they were not. Some of the first reports were simply not an accurate reflection of what had taken place at the Blackhat conference, as many of them were apparently written from second-hand information by people who had not seen the video demonstration.

When the video demonstration is actually viewed, Maynor makes it very plain that the wireless hardware is not a stock Apple component, and there is never any suggestion or inference that would indicate otherwise. Nonetheless, many people took the seemingly new revelations in the reports of the days following Blackhat, that the stock hardware and drivers had not in fact been used, as an indication that an attempted fraud had taken place at Blackhat, and this started a firestorm. This turned into a very problematic situation. Many who were calling ‘fraud’ on Maynor's demonstration actually knew very little about the sequence of events leading up to the demonstration at Blackhat, had never seen the demonstration video, and were not familiar with the claims Brian Krebs was responsible for through his Washington Post blogs.

Some pro-Apple bloggers had pretty much declared open war on Maynor's credibility at this point, and plenty of pro-Apple readers were quick to jump onboard that premature bandwagon. As the debate intensified, many of the less informed bloggers and readers of those blogs became better informed about who had, or had not, actually said or done what. Many of them gradually came to realize that Maynor had made the use of third-party hardware and drivers in the Blackhat demonstration obvious, that the demonstration had never implied it was a stock Macbook exploit, and that it was Brian Krebs who had reported that Maynor had ‘privately demonstrated’ a stock Macbook exploit to him the day before the Blackhat demonstration; this is what had caused the confusion in so much of the web reporting on the matter.

By now some who were already in the know about the part Brian Krebs had played in the build-up to this point were seeking some degree of vengeance against him; after all, he was the one who had dared to ‘publicly’ claim you could “hack a Macbook in 60 seconds or less”. But so many in the pro-Apple community had committed themselves in a very serious way to the idea that Maynor and Ellch had perpetrated a fraud that, for them, what Brian Krebs had posted on his blog was simply proof that Maynor had claimed a stock Macbook could be exploited in 60 seconds, and in their Apple-loyal minds this still represented proof that Maynor and Ellch were frauds for even making such a claim to Krebs. Additional claims of irresponsible behavior on the part of Maynor, Ellch and Maynor's employer, SecureWorks, came about as soon as Apple's public relations representative released their initial statement on the matter. Lynn Fox had stated:

“SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.”

This statement was taken by some rather prominent bloggers to mean that Apple was saying there had in fact been absolutely no contact from Maynor or SecureWorks at all regarding potential stock wireless card vulnerabilities on Apple laptops. Subsequent posts by bloggers and their readers based on this kind of erroneous interpretation of Lynn Fox's statement, such as those by blogger John Gruber, only added fuel to the fire. Gruber’s misdirected analysis of the situation asserted that if Maynor indeed had a stock Macbook exploit, then either Apple would have had to have lied about contact from SecureWorks on the vulnerability (which Apple fanatics would never believe), because they had said there had been absolutely no contact about such a flaw (Gruber’s interpretation of Lynn Fox’s statement), or Maynor and SecureWorks were incredibly negligent for not contacting Apple about the vulnerability, if there was such a vulnerability. Gruber asserted there was no way out of this predicament in which all parties could retain their reputations intact. Someone had to be crooked, and the implication was that Maynor and SecureWorks were the culprits, because it was so unthinkable that Apple would have lied about having zero contact from Maynor or SecureWorks.

A realistic reading of Lynn Fox’s statement simply indicates what kind of contact Apple said they “did not” have with Maynor or SecureWorks, not what kind of contact they may have had with SecureWorks about such an exploit. Gruber’s reckless remarks simply provided a compelling pile of fuel for the fire that the Apple fanatics were now looking to pour gasoline on. Many Apple fanatics used the same incorrect logic behind Gruber’s analysis to cement their stance that Maynor and SecureWorks were, without a doubt, liars, or at the very least horribly negligent for not contacting Apple so that Apple could patch the flaw.

The world found out on September 21st just how wrong John Gruber’s interpretation of Lynn Fox’s statement was, when reports of a new statement from Apple emerged on the release of a patch for their wireless drivers. Some of the vulnerabilities covered by the patch sounded very similar to the flaws that Maynor and SecureWorks had apparently told Brian Krebs existed in stock Macbook Airport wireless drivers, and had subsequently demonstrated in similar fashion by video at Blackhat on a third-party wireless card. An Apple representative released the following statement about the wireless patch:

“In August, SecureWorks approached Apple with a potential flaw that they felt could affect wireless drivers on Macs," …"They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit.”

The point being: once many pro-Apple bloggers and readers drew together in a consolidated and hardened opinion that Maynor, his partner Ellch and SecureWorks had to have lied somewhere along the line about all this, all analysis of the situation by the Apple fanatic crowd evolved out of that opinion, virtually to the exclusion of any other possibility. And clearly some of their earliest thinking on the matter was dead wrong, because even Apple eventually admitted that SecureWorks had contacted them about potential vulnerabilities in Apple wireless drivers. I had explained in some detail on George Ou’s blog that Lynn Fox’s statement had never said that no contact had been made about Maynor's exploit, and as such any argument that, if such an exploit existed, Apple would have to be lying about contact was incorrect. Apple had never said they had not been contacted about such an exploit, just that they had not received code or seen a demonstration of it.

The Apple fanatics hated that line of thought with a passion. Again and again, any attempt to point out that Apple had not said there had been ‘no contact’ about the exploit met with a hostile response from the pro-Apple fanatics. One can only assume this is because, in the Apple fanatics' analysis of the situation, Apple had said there was zero contact from SecureWorks about such an exploit, and this was very appealing to the pro-Apple zealots because, if there was such a flaw, it would only make sense that SecureWorks would have contacted Apple about it. In fact, in the Krebs interview, Krebs reports that Maynor said plainly that Apple, as well as Microsoft, had been contacted about the wireless driver flaws; if that contact never actually occurred it would establish an outright lie by Maynor, and that’s what the Apple fanatics were looking for. If one removes the possibility that Apple would have lied about contact with SecureWorks, given Lynn Fox’s statement, and thus allows that contact might have been made about the exploit, this provides a more compelling argument that the exploit indeed might have existed and that Apple was given at least some form of warning. One reader of George Ou’s blog, who appears to be variously pro-Apple, went so far as to say:

“Blatant lies versus being disingenuous
I do understand your point, that the words Apple chose leave ambiguity, that you're saying it's a total weasel job, rather than an outright lie.

What is Apple's motivation for being a weasel here? Why would they deliberately release such a statement when they didn't have to? Why not just say, we don't think there's a problem, we're investigating further, instead of releasing this firm statement that can be twisted?”

The implication from this poster, along with other related posts from the same person and others like him, is that it would make no sense for Apple's statement to mean anything other than that there had been zero contact from SecureWorks to Apple about such an exploit, because any other interpretation would be a weaselly parsing of words that Apple would never engage in. The Apple fanatics literally fought my line of reasoning to the death. They were inconsolable at any notion that Apple had stated anything less than that SecureWorks had absolutely not brought a stock wireless vulnerability to their attention in any way. The common argument from the Apple fanatics was that Apple had been quite clear in Lynn Fox’s statement that Apple had never been contacted about the exploit at all, and that to interpret Fox’s statement differently would constitute claiming Apple was being ‘weaselly’ in parsing their words. In the Apple fanatics' minds that just couldn’t be. This had become a stock line of reasoning that provided them with what they felt was strong ammunition that SecureWorks and Maynor must have done something terribly wrong, and in their minds the most likely wrong was that the stories of a stock Macbook exploit were a lie.

The interesting thing is that once Apple admitted that SecureWorks had contacted them about the exploit, and that the contact had prompted them into an internal audit in which they discovered vulnerabilities in their Airport drivers and developed a patch, all of the talk that Apple's original press release would be ‘weaselly’ if it didn’t mean SecureWorks never made contact about the exploit evaporated. Not one of the pro-Apple fanatics who fought tooth and nail over the interpretation of Lynn Fox’s original statement ever seemed to look back and ask themselves why Apple had released a statement with the careful wording they did; wording that in fact led them, along with the likes of John Gruber, to believe that Maynor either had no stock exploit and had lied about it, or was just wickedly negligent in not informing Apple that such an exploit was possible. What had once been declared weasel-like behavior, if it were true that Apple had been warned of the exploit, quickly devolved into ‘Apple is just fine’ once it was proven as fact that contact had been made between Apple and SecureWorks about the exploit, despite John Gruber’s assertion that it was impossible for Apple to keep their reputation intact if they had been contacted.

This kind of situation exemplified the tone of the whole debate in the controversy. Those who were clearly Apple apologists and zealots had long since hardened their opinion that any story of a Macbook being hacked in 60 seconds was fraudulent. There was literally no issue or unanswered question that gave them reason to consider this an unresolved matter; in their minds it was a given that Maynor and SecureWorks (and for some, Brian Krebs) were all a bunch of crooked liars, that all evidence had to be interpreted in that light, and that any evidence running counter to their hardened stance was to be considered irrelevant or simply unimportant.

It has to be mentioned here that SecureWorks, at this point, was beginning to bear a significant share of the responsibility for the lack of information forthcoming about whether such an exploit on a stock Macbook was real. One has to look at the players in this situation at this point in time, what information had been forthcoming, and what was being discussed in public forums. From what had transpired to this point and what we now know, it appears that SecureWorks bears a massive share of the complicity in obscuring what was and was not true in this whole debate.

First off, SecureWorks employed David Maynor, and the exploits Maynor and his freelance partner, Johnny ‘Cache’ Ellch, developed and presented at Blackhat were seemingly going to be credited to the SecureWorks firm. If there was a problem with the accuracy of statements made in blogs by Washington Post reporter Brian Krebs about what SecureWorks employee David Maynor had told him, professional responsibility on the part of SecureWorks should have led them to alert Krebs and to work immediately to correct those inaccuracies. This is a no-brainer. If there was any inaccuracy in what Krebs was reporting to the entire world about what Maynor had told him or demonstrated to him, as Maynor's employer it was up to SecureWorks to find out what had gone wrong, if anything. Yet SecureWorks held a position of silence during the whole public debate. Absent further evidence to the contrary, we have to assume logically that SecureWorks had no serious problem with reports of a stock Macbook exploit being discovered by one of their employees.

This is without a doubt the most peculiar part of this whole event. It should be considered a severe oddity by anyone with an interest in this issue. Admittedly, while the pro-Apple fanatics jumped all over the fact that neither Maynor nor SecureWorks ever came out with verifiable proof of the stock Macbook exploit that Krebs claimed Maynor told him about, those same Apple fanatics explained away the inaction on SecureWorks' part as virtual proof that there was no such exploit and the whole thing was a hoax. This explanation is entirely hollow, as it would leave far too much inexplicable. If SecureWorks indeed found out that Krebs was reporting on the internet that a SecureWorks employee was claiming a controversial exploit existed, and they knew or suspected it did not exist, leaving such misrepresentations unaddressed would only serve to put their reputation and very business at risk. This is especially true where the controversial exploit in question involved a company with the high profile, financial resources and technical expertise of Apple.

It is particularly troubling given that Apple was coming under considerable critical scrutiny from those on the other side of the issue, who recognized that despite the lack of proof that the exploit existed, there was a similar lack of evidence that it did not exist. Its potential existence was never even disputed outright by Apple; instead there was just a series of PR statements from Apple that comprised a careful parsing of words that would allow Apple to adapt their stance if such an exploit were publicly proven. Given that Apple's press releases were being picked at as a 'careful parsing of words' on Apple's part, it should have been quite clear to SecureWorks that if they knew the exploit did not exist, Apple would be very unhappy about some of the implications being made regarding their complicity in the matter. If SecureWorks knew that Krebs had it wrong in his blog, there is no rational reason or excuse for having let his misunderstanding go on for so long. If SecureWorks had found out that Maynor and Ellch had misled Krebs, it would have been far less risky for them to get rid of Maynor, or at least to put some kind of spin on the situation that would reduce the possible fallout that might cripple them in such a situation with a company the size of Apple. Instead, SecureWorks held silent, never once indicating that a stock Macbook was not subject to the class of flaws Maynor had apparently said it was. SecureWorks remained silent and fearless, just like a poker player with an ace in the hole.

The pro-Apple crowd still fell back on the point that if Maynor and Ellch had indeed found a vulnerability in the stock Apple hardware and drivers, there was no forthcoming explanation of why SecureWorks didn’t just come out eventually and ‘DROP THE BOMB’, so to speak. Why didn’t SecureWorks just release all the relevant proof showing that Apple had remained evasive about the whole issue and had never given Maynor, Ellch and SecureWorks their proper due for discovering the vulnerability? Would this not have boosted SecureWorks' credibility?

There do appear to be some very compelling explanations for SecureWorks' mute response on the whole issue. Once again, these likely explanations for SecureWorks' lack of interest in ‘dropping the bomb’ on Apple are completely ignored or dismissed by the Apple zealots, despite the clear possibility that they make very reasonable sense of an otherwise incomprehensible situation. Keep in mind: if a stock Macbook wireless card exploit never existed and SecureWorks knew or suspected this, and Apple felt this was likely the case, Apple certainly would have had very good reason for holding a grudge against SecureWorks for not clarifying the issue at some point, and it's hard to see how a silent SecureWorks would be a better-off or more profitable SecureWorks in such a case.

The first piece of information that explains why SecureWorks might not have wanted to get deep into what had become an IT security public relations nightmare is that they were already deep into a merger with another company. It is not unusual for companies in that kind of situation, who are concerned about such things going smoothly, to be reticent about getting involved in public dung-throwing matches with major companies in their industry when the appearance of professional conduct is paramount to completing the deal. It’s simply a question of whether there was any real mileage to be gained by SecureWorks in publicly embarrassing Apple in any way while SecureWorks was trying to get through a merger right in the middle of the relevant time period.

An even more compelling possibility is that as things began to unfold, and it became apparent that Apple was not prepared to address the situation in a straightforward manner and be forthcoming about exactly what they had been told by SecureWorks, SecureWorks might have seen a very real likelihood of leveraging the issue with Apple to some degree in the future, provided they did nothing to cause serious public animosity between the two of them. Let it slide, see how it plays out, and if Apple eventually gets backed into a corner public-relations-wise, then make it easy for Apple to work with SecureWorks in some fashion that might be profitable for both parties to sort it out. A rather simple plan that would involve doing nothing until the opportunity presented itself.

As it turns out, something must have happened along those lines in some respect, as Apple and SecureWorks are now working together in some fashion, along with CERT, apparently in relation to this whole issue. This startling turn of events came about after Maynor and Ellch decided to ‘DROP THE BOMB’ on Apple about the stock Macbook exploit on their own initiative. They had planned to do this at the Toorcon conference and had apparently informed Apple that this was going to happen. Needless to say, the timeline indicates it wasn’t terribly long after this that Apple released the patch for the wireless exploits, and strongly implied that this was completely unrelated to anything that had occurred at Blackhat. It was just one more peculiarly worded statement by Apple, as they plainly stated to a CNET reporter:

“But Apple's security patches are not related to the Black Hat presentation, a company representative told CNET News.com on Thursday. Instead, the company itself hunted for bugs in its wireless software and uncovered the vulnerabilities, the representative said.”

Of course the actual Blackhat demonstration had been on third-party wireless hardware and drivers, so unless Apple is in the habit of creating patches for third-party hardware, the question of what relationship the patch had to the “Blackhat” demonstration was moot from the word go. That statement added just one more perplexing question as to why Apple kept releasing statements like this that would obviously be misinterpreted by the masses to mean something different from what they were actually saying. For some reason Apple never actually said ‘the patch has no relationship to stock Macbook wireless exploits rumored to have been reported to Brian Krebs by David Maynor’. But shortly after the release of this statement it appeared that Maynor and Ellch had had enough of Apple's evasiveness, when they announced publicly that they would give a presentation at the Toorcon conference about the whole Apple wireless exploit and answer questions in detail from anyone who wanted to ask. But that dream didn’t last long.

Shortly thereafter, word came down that Maynor was being held back from talking about the exploit at Toorcon by his employer SecureWorks, and Johnny ‘Cache’ Ellch was apparently completely reluctant to give the presentation without Maynor's support. This news came literally on the Friday before the weekend of the planned presentation. Ellch did attend Toorcon and gave a rather scathing public statement (known as the rant) on the altered situation, which of course was dismissed as nonsense by the Apple apologists, who still claimed that there was no real possibility of a stock Macbook exploit at all.

Now we are left with nothing by way of resolution to the question of whether Maynor's stock Macbook exploit ever existed at all, because Apple refuses to say that they do not believe such an exploit ever existed, only that they never had the exploit demonstrated to them by an outside source. Clearly, given the patch to their wireless drivers, they managed to demonstrate at least some wireless vulnerability to themselves. Further, SecureWorks refuses to say that Krebs's reports of such an exploit were in error, nor are they willing to allow their employee David Maynor to expose what he knows about such a possible stock Macbook exploit. Maynor's outside partner on the research, Johnny Ellch, is also unwilling to expose exactly what he knows without Maynor's go-ahead, so at this point, between Apple and SecureWorks, they have decided that the public is better off not knowing the truth.

The end result is that the Apple apologists win this one by a very fair default, in my opinion. As I have always said, if there is a possibility that it may not be true, and those who should know whether it is true cannot back up their claims, then there is no good reason to believe it is true. So at this point it is a done deal. For now.

The last interesting thing one might look to was a rather curious pair of links provided on SecureWorks' home web page. The links, now removed from the home page, still reside at this date within the SecureWorks news page on their website. Those two links, along with a few more similar news links, connect to reports about the release of Apple's wireless patch. All the reports use strong accusatory language about Apple's refusal to give credit to SecureWorks for discovering the exploit, and largely imply that the patch is likely a direct response to the exploit Maynor had told Brian Krebs existed in a stock Macbook's wireless hardware and drivers. SecureWorks is saying nothing about the implications or claims in those news reports, apparently willing to let them speak for themselves. With SecureWorks and Apple publicly stating that they are working with each other, it seems more than a little out of place that SecureWorks would post links to news stories with such a negative slant towards Apple's part in the controversy. It certainly appears that SecureWorks may be showing (on the side) to the world exactly what their ‘ace in the hole’ is, for those who care to look and then actually ‘get it’. But you are not likely to ‘get it’ so long as you are wearing Apple-colored glasses.


Wednesday, October 11, 2006

The War Rages On!

I actually say “the war rages on” with more than a touch of sarcasm in my voice. I am of course talking about the claimed Apple wireless exploit. The truth is, while I see it as a fairly interesting mystery (does the exploit exist or not?), as I have mentioned in the past I find the real story lies in the reactions of many of the pro-Apple public. And while the reactions of such people hardly qualify as a war, one might think from the reactions of some that war had been declared against them.

I have recently begun to consider, in a more detailed way, why it is that so many pro-Apple people have taken such exception to reported claims of such a vulnerability on their beloved computer hardware. Many people immediately point to Maynor's statement explaining his choice of an Apple laptop for the public ‘third party’ wireless card demonstration. Maynor apparently said that the recent commercials depicting the ‘Apple Guy’ talking down to the ‘Windows Guy’ made him want to put a lit cigarette in either the character's eye or an Apple user's eye in general, depending on which version of Maynor's statement you believe. That statement, many of the pro-Apple people claim, has driven them to be outraged and to go after Maynor and SecureWorks with a vengeance.

Now, I am quite prepared to agree that the SecureWorks side of this whole equation has certainly not produced anything near the kind of evidence I would need to see before I would say I believe that claims of a stock Apple notebook exploit are valid. And it makes perfect sense to me that anyone who cares about the issue, for any reason, would point out that Maynor's reported claims have never been proven or established as valid in any public forum, and so should not be relied on as accurate unless that changes. But to say that this somehow translates into a guarantee that Maynor is a vicious liar who is simply out to besmirch Apple's reputation in a vain attempt to aggrandize his own does not logically follow from the facts or events.

Both Maynor and his sidekick Ellch use Apple computers, and one would hardly expect, whatever words were literally used, that they had an interest in putting a lit cigarette into their own eyes, so the implication of what Maynor actually meant should be clear. Maynor’s statement was not offered up as some kind of answer to a tough question, where evasiveness or misleading intentions might come into play; it was just a simple off-the-cuff comment of the kind often made in casual conversation, not to be taken too literally but with a grain of salt. Certainly sane people should never take that kind of comment as a good reason to vilify anyone, or refuse to accept that lack of proof doesn’t translate into evidence of a lie. As such it doesn’t rationally explain what has made so many pro-Apple users so angry at the suggestion that such an exploit might exist.

When one really dips into this peculiar kind of response from many of the pro-Apple crowd, a definite and disturbing pattern emerges. I recently got into a bit of back-and-forth banter online at ZDNet with a few people responding to one of George Ou’s blogs, where I had explained that I had become aware of reports of Apple viruses in the past. I even hunted down the sources of these reports and posted links, and they were quite reliable, being from major newspapers and IT security websites and such. But of course, those who are of that particular “pro-Apple” mindset that says Apple can do no wrong simply chose to refute the claim of an OS X virus, deciding instead that a designation of trojan was much better. They then of course took me to task for relying on sources that didn’t agree with them. And I mean seriously chewed me out, really bad.

I finally decided to try something, because the ‘Apple Heads’ in question were obviously so ready to take this OS X virus issue right to the mat, no-holds-barred kind of thing. I became very curious as to how long they would endure attacks directed back at them about this virus issue that were just as ludicrous as their own attacks on me. Now of course they do not take their attacks to be ludicrous at all, and of course they would take mine to be ludicrous, but I kind of had some learned friends collaborate with me on the composition of my posts to ensure I didn’t venture beyond the same kind of nonsense they were writing. So whatever they think, I am quite comfortable in the knowledge that they were every bit as ridiculous as I was in the exchange. And it appears that no matter how far I pushed it, even well beyond the point where a sane person would have just said “forget it, who cares”, they just wouldn’t let it go. I got the feeling I could have strung them along for weeks simply by spewing the same kind of contradictory nonsense at them that they were spewing at me. One of these bizarre individuals even said they had a PhD. Perhaps they do, but obviously no self-esteem.

Even after I let the ‘cat out of the bag’, so to speak, and finally brought the debacle to an end, admitting I really didn’t care about the virus/trojan question and it was all just a little experiment, they kept on going, trying to get that one last dig in. Why? Because someone pointed out that there were some reliable sources around the internet that say OS X has had at least one virus in the wild? Really? Does that make sense, that what we are supposed to believe is an otherwise rational person, with a PhD, is willing to go on endlessly to assert that Apple does not have viruses but does have trojans? This truly is ridiculous. And tell me; this is so important you feel free to get foolish about it because…?

What is going on with some of these Apple users? I even gave them hints that going on and on about it just made them look worse, and I even hinted they could shut me down by admitting that it was all a question of definition; but they wanted none of that, they wanted to be right. How is it that a computer has so captured the mind and soul of some people to the point where they are willing to make fools of themselves over the thing? Just one more question this whole controversy has spawned, I guess.

Monday, October 02, 2006

The Never Ending Story


My recent personal opinion on this whole issue hasn’t really altered much, if at all. My personal opinion was, as I posted in regard to Toorcon, which you might have read:

“It’s time for Maynor and SecureWorks to spill and let it all out. It is their big chance, and if they fail to deliver that’s their problem. It would take a massive new twist on the whole controversy to recapture my imagination on this.”

Well, there we go, eh. I do not know if SecureWorks and Apple working together in conjunction with CERT, and then SecureWorks suddenly putting the nix on Maynor’s presentation at Toorcon, qualifies as a massive new twist, but it has to be close; but then again this has dragged on so long I do not know if it can really hold my attention much longer anyway.

The thing is, in law you do not get very far if you let your personal opinions get in the way of observing troubling facts and considering the possibilities those facts may present. I have to laugh a little at many online posts, as they only look at the situation from a narrow focus that precludes any chance that a stock Macbook exploit could be a possibility. The way I approach such a situation is quite different.

Of course anyone who is a decent reader and has even minimal deductive reasoning abilities can see right off the possibility that the story told by Krebs in his blog for the Washington Post could have any number of problems with it. There are some very simple conclusions one could come up with that would explain why there never was a stock Macbook exploit. Krebs might have misunderstood exactly what Maynor told and/or demonstrated to him in regard to the stock Macbook, and he just keeps insisting he is right. Krebs might be some kind of journalistic suicide daredevil who simply made it up to draw attention to himself, though of course that’s a little hard to believe. Maynor might have misspoken in some way, not realizing that he said something that would naturally be taken the wrong way, or Maynor might have been a fraud and purposely deceived Krebs for any number of reasons.

This type of simple and off-the-cuff observation can be made by anyone with even half a brain. And this is pretty much where the state of analysis began and ended for some of the pro-Apple crowd who stop at nothing to ignore any other possibility than that a stock Macbook exploit is a hoax. The problem is, with each of these quick and simple explanations, or any similar type of possibility that implies negligence or fraud to explain away a possible Macbook exploit, one would expect certain other events to follow, or subsequent information to come out, that would begin a gradual tilt towards pointing out that at least one of the aforementioned events happened. I actually entered this debate a while after the original Black Hat event took place, and I realized on reading about this whole controversy that if any of the above simple explanations were what had actually occurred, then some subsequent event or events should have also occurred, which they had not, and that is a problem of a type that raises a red flag on a strictly simple analysis of any situation.

For example, if Krebs just plain and simply misunderstood what Maynor had shown and told him, or he was lying about it, he was in the process of making things very embarrassing for Maynor and SecureWorks, and it would almost be sheer insanity to allow Krebs to keep insisting he got it right if Maynor and SecureWorks knew he got it wrong. SecureWorks would have surely insisted Maynor set Krebs straight, particularly as Krebs was insisting that he was trying to get more out of Maynor and SecureWorks yet they were not responding to him. Common sense tells you that SecureWorks is not going to let some reporter from the Post mess them over and then get them in deep water with Apple and the IT public if Krebs is misinformed or is lying himself about what Maynor told him. When I got into this whole mess it was quite clear that Maynor and SecureWorks were not saying Krebs had it wrong for any reason. In fact the silence from SecureWorks regarding Krebs’ publicly reported claims was deafening. This raises a massive red flag on all the aforementioned simplistic explanations that would exclude the possibility of the stock Mac exploit existing.

Further, once a story like this breaks, depending on the specifics of the interested parties and the facts of the case, one can expect any number of different possible responses from the interested parties. In this case that includes Apple. Considering that I am informed that Apple is apparently claiming that there are no reported viruses for OS X, although Sophos begs to differ, Apple would reasonably have some concern that there are unsubstantiated reports of an exploit on their AirPort card. One would expect some kind of public demand by Apple that they be given the appropriate evidence so they could retain their spotless record. Failing the production of such evidence, one would expect them to make it plain which exploits they were asking for evidence about and to make it plain that no evidence for the apparent exploits had been forthcoming.

One of the most unusual aspects of this whole event was Apple’s rather restrictive public statement about having “not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit”. It was peculiar for at least two important reasons. First, because their public statement really didn’t identify in any significant way which particular exploit they were claiming ‘no code or exploit demonstrated’ was in relation to. This of course left some of the public to wonder if it was the demonstrated third party hardware exploit shown at Black Hat, or the stock vulnerability Krebs claimed Maynor told him about, or both. That lack of clarity in such an important public statement also raises red flags if one is hoping to rely on the above simplistic explanations.

Secondly, the original press release taken as a whole was read by some to mean that there had in fact been no contact about anything Maynor had talked about in regard to Apple computers, and we know for an ABSOLUTE EMPIRICAL FACT that this is precisely what a significant part of the public understood the statement to mean. We know this because John Gruber went to great lengths on his blog at Daring Fireball interpreting Lynn Fox’s statement to mean exactly that, and we know from endless postings on ZDNet and elsewhere around the net that large numbers of the public agreed that this is what it meant. Yet we now know that whatever it might have meant, it did not mean there had been no contact between SecureWorks and Apple. In fact we know from subsequent statements by Apple PR reps that there was some contact of significance involving at least some delivery of information by SecureWorks to Apple. This reality also raises more red flags on the simplistic explanations of what might have happened at Black Hat.

For anyone at this juncture who was more interested in what might actually be going on, as opposed to affirming the validity of their own personal interests, such a person would expect any number of things might happen if the simplistic explanations were valid. For one thing, George Ou was making strongly worded arguments on ZDNet, along with a few other bloggers and websites, that Apple was not being forthcoming enough and that Maynor was a reliable security expert who was likely telling the truth. Large numbers of people were arguing and posting around the net, and the whole issue was creating a significant buzz in the IT world. It is at this point that one can see the possibility of the reputations of weaker parties being completely ruined if it even turned out they were just mistaken or let an error in reporting go on for too long. It is a critical moment, not to be underestimated by anyone who has never had to live through such an experience, and as such it is very typical for people who find themselves in such a position to begin finding a way to back out of the maelstrom at this point if they are unsure of their position. Yet, with Maynor being the obviously weaker party, one would have to assume he has nerves of steel to let something he knew was a falsehood, or was the result of a significant misunderstanding, simply continue on indefinitely. Further, one has just got to suspect that SecureWorks would be asking Maynor piles of questions long before things got this far, and if they had any hint of subterfuge on Maynor’s part it would seem ludicrous for them to let any fraudulent situation continue. This also keeps the red flags flying.

The story is almost endless in many respects. I personally found a response particularly interesting from someone who calls themselves mvora, to one of my posts on George Ou’s ZDNet blog in relation to Lynn Fox’s answers about the information SecureWorks gave them:

“But that's not exactly what Fox said.
She didn't say they only had contact about the FreeBSD issue. She said that's the only (actual) vulnerability that was mentioned. Without any proof, I don't think she would refer to SecureWorks' alleged hack as a vulnerability. So considering what Ou asked, the only actual vulnerability SecureWorks disclosed to Apple was the FreeBSD one.”

So even the proponents of Apple find that tough questions are coming up with some tough realities. Even mvora notes that Apple’s rep Lynn Fox may parse answers to fair questions in such a way that allows her to avoid stating all the information SecureWorks might have given Apple. I have got to believe that even mvora didn’t realize he/she had just shown once again how Apple might have told the truth without establishing the reality of the situation. I mean, if you choose to ignore these red flags, that is fine, so long as you fully realize that is what you are doing. Despite the fact there is clear evidence that explanations beyond those of personal self-interest might exist, if you honestly believe that you have enough evidence then fine. Conversation over. But if you really want the truth, even if it ends up being something not particularly conducive to supporting your personal opinions, then you continue to ask the hard questions so long as there are red flags draped over the easy answers.

Now we find out that Apple has released a patch for the same hardware that Krebs reported Maynor claimed had a vulnerability, SecureWorks and Apple are “working together” in “conjunction” with CERT, and SecureWorks apparently has restrained Maynor from doing his Toorcon presentation, which he claimed would be detailed and would answer questions from those who wanted to ask. It’s like this story never ends. I am now at the point where I am saying fine, whatever SecureWorks and Apple want the public to know and to believe is fine by me, because in the end all this is just a little mysterious curiosity. One of those interesting debates one might dive into from time to time. In some respects I worry that that is just the attitude the major players in this were hoping the public would take, but seriously, this just isn’t important enough to spend one’s life solving.

I have even chatted with a number of friends about this, and surprisingly enough not even one had the slightest clue such a debate was going on, even though there was always some minor limited interest in how it might play out. The one person I did talk to about this who owns a Macbook asked me “so is there an exploit?” I told him that I have no clue. And I also told him that at any rate it probably wasn’t anything he was going to have to ever get very concerned about one way or the other, as these things seldom are.

He said “don’t worry, one way or the other I’m not concerned in the least.”

I think that about says it all. The world really doesn’t care.

Wednesday, September 27, 2006

After Black Hat: The Apple AirPort exploit debate

There has been a great deal written in articles and blogs around the internet regarding the videotaped exploit on a third party wireless card and driver installed in a Macbook, which was shown at a demonstration at the Black Hat convention held in August. What has made even larger waves, for those who are aware of the sequence of events, were the claims, as reported by Washington Post reporter Brian Krebs, in which SecureWorks researcher David Maynor claimed a stock Macbook is subject to a similar exploit out of the same class of vulnerabilities. Krebs has also reported that he and one unnamed Black Hat employee privately witnessed the stock Apple exploit first hand the day before the public third party demonstration took place at Black Hat.

There are a number of very important issues that have come to light as a result of these claims. Interestingly enough, whether Maynor and his partner Ellch discovered a vulnerability in the stock Apple hardware and drivers is the least of my personal interests in the matter. Although that is still a live question to be sure, it’s possible that even if Maynor did have an exploit for a stock Macbook, the most recent patch for Apple’s AirPort card and drivers fixes it.

Some of the other issues that have found a home in this whole debate over the veracity of the claims Maynor apparently made to Krebs have brought Krebs’ reporting skills into question, have brought industry standard practices of reporting IT security issues into question (particularly as related to SecureWorks in this case), have brought into question the willingness of vendors to make completely transparent statements to the public (particularly as related to Apple in this case), and have brought into question the general public reaction of many Apple computer enthusiasts, and that is in fact one of the things I personally find the most interesting.

The particular Apple enthusiasts that have caught my interest, and there appear to be a lot of them, are the ones who have taken an extraordinarily hard stance that there is little to no possibility that SecureWorks discovered an exploitable vulnerability in stock Apple AirPort cards. This hardened stance which I am referring to is typically accompanied by claims such as ‘Maynor and SecureWorks are liars and/or frauds’, and by extraordinarily insulting commentary directed towards anyone who would so much as point out that there is no evidence yet that shows Krebs’ report on Maynor’s claims is unfounded.

The interesting thing is that because neither SecureWorks nor Maynor and Ellch have come out with further information on the claims about the stock Macbook exploit, this has been taken by many of these particular kind of Apple enthusiasts to mean not that the exploit remains unproven but that the SecureWorks participants are liars. This is usually reasoned out as ‘Apple would not lie, so SecureWorks and Maynor must be the liars because they have provided no proof’. Of course Apple has not provided proof that such a hack does not exist either. And that point is usually attacked with ‘you cannot disprove a negative’ or ‘why should Apple have to prove or disprove anything? Maynor and SecureWorks are the accusers, they should provide the proof’.

Those claims have some merit, but only insofar as the balance of probabilities will only be swayed one way or the other when one side or the other supplies some measure of proof. Of course it makes no sense to believe such an exploit exists if no evidence is provided, and as such there would be no reason to believe it. On the other hand, a simple lack of evidence, without anything else, does not prove the exploit does not exist, simply that there is no reason to believe it. For example, I certainly do not yet believe that such an exploit exists without more evidence that it does, but I cannot discount that it may, because there is no evidence that it does not exist.

It is the peculiarities of the aforementioned Apple enthusiasts, who are so quick to form such strong and adamant opinions that the exploit cannot exist and that anyone who points out that it may is some kind of lunatic, which I find to be of such interest. How and why do such people justify abandoning reality so quickly to defend without question a position that has not been established? Why is it unfair or lunacy to investigate the possibility of such claims, or to assert that the current information so far supports the possibility that the claim of a stock exploit might still be true?

The primary claims that people have relied on as proof to reach their unshakable opinion that the story of a stock Apple exploit is a fraud, along with some explanation of why such claims cannot be relied on as proof of anything yet, are as follows:

1. Apple wouldn’t lie, why would Apple lie? If Apple isn’t lying then there is no exploit.

The problem here is, first, we do not know for a fact Apple would not lie. I am of the suspicion that they would avoid an outright lie at all costs, as the truth about this is likely to emerge and any lies would only make it worse if the exploit does exist. So, although it is unlikely that Apple would lie, we do not know this for a fact. And why would Apple lie? If they were foolish enough to lie in this case it could be due to them not wanting to admit an outside source discovered a vulnerability in an Apple product. There may be other reasons that the public is not privy to that might induce lies from any company; it is rather conceited for anyone to assume they know the intimate workings of any large company they are not affiliated with so well that they can say as a fact there is no reason for the company to lie.

But here is the most salient point that directly counters the above supposition that if Apple is not lying, then there is no exploit: Apple so far has made no statements that would have to be a lie even if the exploit does exist. Apple has released a number of statements and even recently answered some important questions, and be it by accident or design, what Apple has said so far has in no way backed them into any kind of corner that would inevitably result in their having lied if Maynor’s exploit exists. In fact it is reaching a point where some suspicions can reasonably be raised that the avoidance of any language so strong that it would have to be a lie if the exploit does exist might be more than coincidental, and might be coming as a result of Apple themselves not knowing if such an exploit exists. If this is true, then even Apple themselves recognize the possibility that Maynor’s exploit might exist. If that is why Apple has not taken a strong stand themselves, then the overly harsh stances many Apple enthusiasts have taken up until now are not warranted.

2. It’s been weeks and weeks since the Black Hat conference, and neither Maynor nor SecureWorks has come up with any proof that the claimed exploit exists. As there is no reasonable excuse for such a delay, the only logical explanation is that the claimed exploit is a fraud.

The problem here is that from the very beginning of this, even in videotaped interviews at Black Hat, Maynor had made it plain that there would be no further descriptions or releases of information about this class of exploits until the appropriate vendors had patched up. It’s my understanding that this is not an unusual policy for an IT security company to hold, and from some things I have read it appears that SecureWorks is particularly fussy about this policy. Further, I have also read that SecureWorks apparently had some complex business dealings going on that would have made diving into an IT media frenzy problematic. Now let’s be real here: it is one thing if you think the policy sucks, or that it was poorly implemented or whatever; the question is, is it possible that this explains the delay in providing further information? After all, now this patch is released by Apple, and Maynor claims to be explaining all at the Toorcon convention this week, so it certainly appears that following policy was very likely the reason for the delay. The fact that this is a reasonable explanation for the delay, even if one does not like the policy, negates it as any kind of proof that the delay proves the exploit does not exist, and certainly removes any excuse for a rabid attack on the possibility the exploit may exist.

3. There is absolutely no other evidence, besides the Krebs interview, that Maynor had an exploit for a stock Apple laptop, and without any further evidence of any kind it’s safe to say that no exploit exists.

The problem with this line of thinking is that it’s simply incorrect. There is at least some more evidence, and it would be given some reasonable credibility by anyone outside of a person with a vested interest in dismissing it. While the additional evidence does not constitute proof, it is further evidence.

First of all, there has been very wide discussion of this issue on the net. Maynor, Ellch and SecureWorks all know this very well, and while policy may prevent them from discussing names of specific vendors affected by exploits they discover, I find it hard to believe that in a case such as this that policy would prevent them from excluding a specific vendor not affected by an exploit. If there was error or misunderstanding in the Krebs interview, it is unthinkable that SecureWorks or Maynor would not have cleared this up by now. If there is no stock Apple exploit of the kind Krebs claimed Maynor demonstrated to him, then SecureWorks is doubly in the wrong for not getting things straightened out with Krebs so the original story could be corrected. So not only has there been weeks and weeks to provide proof, there has been exactly the same amount of time for a retraction. With no retraction in all this time, it is a strong indication that the assertion of the stock exploit made by Maynor to Krebs still stands. As I said, this is by no means proof the exploit exists, but it is additional evidence that it may.

Plus, Maynor and Krebs are not standing alone on this. Other IT professionals who were at the Black Hat convention, such as George Ou and popular blogger mogull for two examples, both claim to know the exploit is real, to have interviewed Maynor, and to regard the claims made and Maynor himself as credible. Once again, not proof, but further evidence that this is not just Brian Krebs of the Washington Post blowing in the wind by himself.

The sorry fact is, even now we do not know if the stock Macbook exploit Krebs reported that Maynor told him of exists or not, but there appears to be no question that it is possible that it may exist. Maynor himself is claiming all will be told shortly at Toorcon. And this also means that all those who are screaming and jumping around claiming that Maynor and SecureWorks are liars and frauds are relying on nonsense and best wishes for Apple, and for some reason are cutting common sense loose to the wind in favor of vigorously defending a hardware/software vendor that is poorly served by overzealous fanatics who have too much of their self-esteem tied into their choice of computer hardware and operating system.