Double Standards

Monday, 2007-04-23; 17:33:00


analysis regarding the differences between the Maynor & Ellch Wi-Fi hack saga and the new CanSecWest Java-QuickTime hack saga

It's not your typical day when I go out of my way to defend a guy who's pissed all over the Mac community, but I guess today's not your typical day. So here I go...

If you've been keeping up on the news in the Mac community, you probably know most of the whole saga about David Maynor and Jon Ellch, who supposedly found a vulnerability in the stock drivers of AirPort cards on MacBooks, but who still have yet to prove their claims despite making them a year earlier. I posted a summary about the situation as it was unfolding, an update regarding the video demonstrating the hack, and, to be complete, I've made a snarky remark about Maynor and Ellch with regard to another troller for hits, Kaspersky Labs.

Well, last weekend, the CanSecWest 2007 conference in Vancouver offered two MacBook Pros to any user who could successfully compromise either of the two laptops, both of which had completely up-to-date operating systems. (There's some contention as to whether Security Update 2007-004 was installed given that it was only released on Thursday.) Well, after upping the ante and offering a $10,000 prize as well as the laptops themselves, one of them was successfully compromised on Friday.

So one of the MacBook Pros was compromised, and one of the first to pick up on it was Daring Fireball. John Gruber posted to his Linked List about the upping of the ante, a link to a crappy summary article about the challenge, a note about the win which included speculation as to the vector of the attack, and then an update indicating that Java had something to do with the attack and that it was browser-agnostic.

Well, Maynor had to go and stick his little head into this whole mess, despite the fact that he was rightly kicked to the curb and laughed off the web for his lame-ass claims about the hack (which, by the way, he still hasn't proven), about Apple threatening legal action, etc., etc., etc. He had this to say (ignore the update for now):

The badass guys at Matasano, namely Dino, just pocketed a cool 10k and a Macbook in the CanSecWest challenge to own a Mac. Tom is right, brace your self for the flood of Mac faithfully posts about why this doesn’t count. I can hear John Gruber tapping away and silent sobbing in the distance…

Now, first off, let's ignore the fact that not one single Mac user has claimed that Mac OS X is invulnerable. So Maynor's claim about the "Mac faithfully [sic] posts about why this doesn't count" is completely lame and unsubstantiated.

Gruber responded on Daring Fireball by saying this:

In my world, I look for proof and evidence. Maynor and Ellch’s supposed MacBook Wi-Fi exploit? Still unproven. Dino Dai Zovi’s winning exploit in the CanSecWest contest? Proven. It’s that simple.

I'm sorry, but I have to call bullshit. At the time when Gruber posted this article (more on that in a minute), this bug was just as much vaporware as Maynor and Ellch's claim was. The only available information about the bug at that time was that it was Java-related, it used a web browser as the vector for an attack, and it was browser-agnostic. This is just as vague as Maynor and Ellch's original claim that it was a bug in the stock AirPort driver that allowed them to gain control of the MacBook they supposedly were able to hack.

Up to this point, there were no details about the hack, no proof to anybody that the hack actually worked (besides the people running the CanSecWest challenge), and no proof-of-concept demonstration of the exploit on the web. So how can Gruber honestly say that he's looking for proof and evidence when he has none?

Moreover, if Gruber was provided inside details about the hack, then he's just as good as Brian Krebs was when Krebs first "unveiled" the information about Maynor and Ellch's hack. He's telling his readers to take his word for it that there's an exploit that allows someone to take over a MacBook Pro. Are we supposed to just believe him? In my world, I look for actual proof and evidence, not claims of proof and evidence. How is Gruber any different from Krebs in this situation?

(In the interest of full disclosure, I have e-mailed Gruber regarding these questions. I haven't received a response, but I only e-mailed him a few hours ago, so I'll give him the benefit of the doubt. In e-mailing him before, he usually doesn't get back to me immediately, anyway.)

It's kind of ironic, then, that Gruber previously railed on about how vaporware is vaporware no matter what. To quote:

But just because a pre-announced product isn’t pure hype that never actually sees the light of day – like, say, Duke Nukem Forever, or the “native Mac port” of the OpenOffice.org suite that I took flak for calling vaporware four years ago – doesn’t mean it isn’t vaporware.

I'm stretching the term "vaporware" to include this supposed Java-related browser attack, but the argument remains the same. Just because this hack isn't pure hype doesn't mean it's not vaporware. And as such, shouldn't Gruber be applying the same standard to the CanSecWest vulnerability as he initially did to Maynor and Ellch?

Later, David Maynor himself posted an update to the same weblog entry, where he said this:

From Gruber: “Makes me wonder whether it’s another exploit against Safari’s on-by-default “Open ‘Safe’ Files” preference. Update: A good source says it’s not “Open ‘Safe’ Files”. My next guess is that it’s a pseudo-URL protocol handler.” Wow, that’s one super educated guess. I’ll go one further in the security version of can you be more vague…Its [sic] probably in something that handles DATA.

Putting aside that Maynor doesn't know how to change double-quotes to single-quotes when making citations, he has a completely valid point. Why the heck is Gruber going on speculating about this bug, accepting that it exists as fact, whereas at the same point in the Maynor and Ellch scenario, he was deriding them for not posting more details about the hack?

The story about Maynor and Ellch's hack broke on August 2, before they demonstrated their video at the Black Hat conference in 2006. Krebs updated the article the following day, and Gruber commented on the update with numerous questions about the hack:

But did Krebs see the exploit work against a MacBook’s built-in AirPort card? He says he stands by his reporting, but he did not report that the exploit works against the MacBook’s built-in AirPort driver; he reported that Maynor and Ellch told him that it works against the MacBook’s built-in AirPort driver. “I stand by that they told me the built-in driver is exploitable” is very different than “I stand by that the built-in driver is exploitable”.

But did Gruber see the exploit work against a MacBook Pro's stock operating system? He says he looks for proof and evidence, but he did not report that the exploit works against the stock operating system; he reported that Thomas Ptacek reported that it works against the stock OS.

It would have been nice to have a little bit more lead time in posting this, because actual details are already coming out about the hack. The problem affects QuickTime, has supposedly been confirmed in Firefox and Safari on Intel-based Macs, and is a possible vector on Windows if QuickTime is installed. So, as it is now, the vaporware slider is moving towards a proven and documented hack. [UPDATE: Apple has released a fix for the bug, and exploit code has also been released.]

But it still leaves a question unresolved: why was Gruber willing to give these guys the benefit of the doubt, when he immediately jumped on Maynor and Ellch and denounced them for their supposed hack?

Isn't that a double standard?

