"Jon Ellch was one of the presenters of the now infamous 'faux disclosure' at Black Hat and DEFCON last month. Ellch and co-presenter Dave Maynor have gone silent since then, fueling speculation that the entire presentation may have been a hoax. Ellch finally broke the silence in an email to the Daily Dave security mailing list over the weekend, and one thing is clear: he is chafing under the cone of silence which has been placed over the two of them."
Post a Comment
Member since:
2005-07-06
This guy is full of it. Just because someone uses a Mac does not mean they don't have the knowledge to understand the explanation. I think if he really had one he would have given it. It has been my experience that the ratio of people able to understand this sort of thing is pretty constant regardless of OS. The only reason you would have less people of the OS X or Linux persuasion is because you have fewer people using them. But it does make a nice smokescreen to say the intended target is not capable of understanding the details.
Member since:2005-11-13
This guy is full of it. Just because someone uses a Mac does not mean they don't have the knowledge to understand the explanation.
I think people are taking what he is saying out of context, I don't think he meant the mac community specifically but something more along the lines of everyday users who are not technically involved enough with the subject to really grasp what he is talking about.
The group of people he is talking about are on any platform, the non tech users.
Member since:2006-03-06
I think people are taking what he is saying out of context, I don't think he meant the mac community specifically but something more along the lines of everyday users who are not technically involved enough with the subject to really grasp what he is talking about.
.
.
Would that include the audience watching this "big news" on public television channels ?
If so - why then go on public-TV with it ? - and in addition to that - why NOT answering ANY questions from the tech-skilled people ?
Is this more than a mere and simple PR stunt ?
Member since:2005-07-06
Member since:2005-07-06
i wonder, was it he who went public tv, or was it the press that jumped at a potential apple "flaw" in their image of security and "just works"?
This all started with a public demonstration at Black Hat 2006. So they definitely wanted attention and to show off this vulnerability in the public eye. They did the public demonstration with a third party wifi dongle however claimed the same exploit exists in the internal wifi as well and that they'd warned Apple. Apple later denies such exploit and more importantly denies having heard from them either. Now push come to shove they aren't providing any evidence of this exploit that has everyone in an uproar.
Member since:
2006-01-14
This is a good reason to have anonymous posts to security sites. This isnt the first time that big business has squashed a bug announcement to save face. All the while exposing their customers, who they are supposed to be looking out for, to a serious security threat. Another reason for a free and open source code base. bugs get fixed in a timely manner, especially when they are serious.
Member since:
2005-11-06
Full post:
http://www.802.11mercenary.net/slashdot/
Quote: "Responding to mac bloggers isn't my idea of a good time. Nothing
I could say would ever convince them. This isn't even a personal
attack against them; it's that they lack the technical skills required
to understand this problem. In short, anyone qualified to sit and
discuss the look and feel of changes of Mail.app probably has no idea
what ring0 code execution means."
Ohh, "ring0 code execution", that is such a complicated technical term (???) no Mac user would even know what it is. Patronizing a bit?
Member since:2005-07-06
Member since:2006-09-04
Quote: "In short, anyone qualified to sit and discuss the look and feel of changes of Mail.app probably has no idea what ring0 code execution means."
I'm not saying everyone knows what "ring 0" refers to exactly, but you could just as easily say "kernel-level code execution" and save the jargon for your security consulting job.
Member since:2006-01-16
I think the sentence "Nothing I could say would ever convince them." is the important one. He could explain to them why they are wrong, but by his experience of their behaviour, talking (and topics, like look & feel), he believes they just wouldn't understand his explanation.
This is reasonable. Although I myself (not a Mac user) care about user interfaces and also know how a decent OS kernel works. But I guess even if I would be a Mac user, I wouldn't flame in a blog about some hackers who showed what I just don't want to believe...
Member since:2005-07-06
I think that's not really that reasonable honestly. I mean the position is that if you decided to actually prove your claims the opposition would just deny reality in the face of your evidence. Which while that in itself is indeed quite a possibility and comes up in many arguments these days concerning topics such as religion.. it doesn't seem to fly that well when we're talking about something this simple. If you have something pretty fantastic but refuse to prove it because you don't think anyone will believe you, typically you just look like a nut. As a Mac user and a rather big fan honestly, if he can prove this I want to freaking know. I don't care about Apple's rep on this. If the problem's real I want a fix. However this story just keeps getting more convoluted and harder to believe.
Member since:2006-01-24
Member since:2005-07-06
I'd happily buy that if they were kind enough to specifically lay out the legal threats and not just imply them. If they even showed proof that Apple was threatening them with more than raw slander I'd take that as some evidence in favor of their claims. But just general "I'd prove it too you, but the results would just be too bad" just doesn't do it for me.
Member since:2005-07-13
So you wouldn't mind giving these guys access to your crack legal team? We cannot over look the possibility of legal encumberments placed to full disclosure. Read what he says about the involvement of legal elements.
That's the part that seems overlooked, we're talking about Apple here. The company that litigates bloggers. Whether justified or not is moot, Apple has worked hard at generating a mentality of fear when it comes to discussing that which should not be discussed.
Certainly I would agree that any reported security exploit should be taken with a grain of salt unless the researchers can document it and it can be reproduced. I can also understand the risks with releasing critical vulnerability information without providing time for manufacturers to patch and release, so for something like this I'd be satisfied for now if it could at least be reproduced by a trusted and objective third-party without necessarily providing full disclosure. As "researchers", they also slightly shot themselves in the foot with the offhand remarks they initially made about smug Mac users since that impacts the perception of their objectiveness and hence their credibility.
But Apple deserves a bit of a cloud hanging over them until this is resolved one way or the other, since the researchers have a very legitimate concern for legal repercussions given Apple's own history. The researchers imply they can't discuss for fear of legal retaliation from Apple, and Apple won't actually state emphatically that the flaw does not exist. For that reason alone I'll give the researchers the benefit of the doubt. For now, at least.
If Apple's concerned that public information on the flaw puts their customers at risk, I can live with that though it at least deserves an acknowledgement that they're taking it seriously and assessing it. But if they're simply worried about their image being tarnished and hoping to simply slide in a future update to address it without anybody noticing, well then their customers deserve better.
Anyways, just my 2c.
EDIT: Ok, so after a little more googling I see now that Apple has firmly stated that they have not received any exploit code or proof of concept from Secureworks, and Atheros has stated the same. So maybe I'm leaning more towards Apple in this one, though with Apple's crack legal team I'm still willing to give the researchers some benefit of the doubt, just incrementally less than I originally was.
But I will admit that short of an NDA they may have had in place previously with Secureworks or some loophole they're exploiting by claiming EULA or DMCA or some such violation, I'm not even sure I could imagine exactly what legal hold Apple could have. But then again, IANAL. So I guess I just don't trust Apple more than I don't trust the researchers.
Edited 2006-09-05 03:20
Member since:
2005-07-06
What better way to clear your name than provide proof in the form of "I can't prove it to you without bad things happening, isn't that proof enough?" and taking a pot shot at the community which you feel has demonized you. (Way to keep the zealots burning by the way.)
Honestly when I first heard this my immediate reaction was pretty much, "Oh crap, that's big." But as time goes on and story gets muddier and muddier it sounds more and more like a crock.
Member since:
2005-06-29
Member since:
2005-11-21
Member since:
2006-03-06
When is this farce going to end ?
1) First they go on public Television with it, expecting everyone to believe "what they showed" on the "show".
2) And now this "email" saying no one understands them it you don't believe them, or if you are not a PhD in computer science
I remember the days when Tass served fresh USSR TV-news to the West, expecting us to believe what we saw.
Are these men fully grown up ?
Please give us the clear non-hay-ball explanation. The very same explanation they so very much wanted to give to the "public" in the first instance. Prove your points!
People are even still questioning the Apollo 11 Moon landing in 1968, -> because it only "happened on the TV"
Please !
Member since:
2005-11-23
http://www.varbusiness.com/sections/news/breakingnews.jhtml?article...
"This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers," the disclaimer says. "Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver--not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available."
A responsible demonstration policy would have forbidden the installation of flawed drivers to make a point.
And what we see here ? They hacked a third party driver software. How Apple can be responsible for code they didn't write ?
It is just another article from an anti apple zealot ....
Member since:
2006-06-12
So they hide the guilty party, but advertise apple laptops as hackable. Are they getting any money from Microsoft through back-channels? I mean seriously, this is almost as bad as a political campaign.
If they actually HAD exploit code for the built in apple driver, i would say that they are reasonably protected to claim such. What they did, by not having code and implying they did, warrants legal action. If someone did that type of phony negative advertising to my business, i would sue.
Not being able to explain a concept to an educated party, no matter how technical, is just conceding to laziness, lack of intelligence, or lack of mastery of the subject.
Member since:
2005-10-15
"*Rui deserves some credit here because he is the only mac blogger who was actually
genuinely interested in learning how this worked enough to email us
and read a copy of the slides."
he dosent seem to have it in for all macusers
it could be a point to read his intire post instead of just a draft.
Edited 2006-09-05 10:51
Member since:
2005-11-16
Ellch then breaks down the elements of the vulnerability and possible exploits, but in the context of Intel drivers rather than Apple's, asking and then answering the obvious question of why he did so when he wrote: "Why am I switching the subject from Apple's bug to Intel's? Because it's patched, and Secureworks has no influence over what I say regarding this one."
Simple questions:
- Is there a bug in the Apple Driver?
- Is this an exploit ONLY in the Intel driver?
- Does he understand that if the bug is ONLY in the intel driver, that does not ship with the MacBook that he demo'ed on, it looks like a CHEAP SHOT?
Secondly, I don't know ANYONE in the Apple community, blogger or otherwise, that says OS X is Invincible. Bloggers are allowed to say OS X is Better then Windows, because that's the fact.
Member since:2005-07-06
Honestly I have met a handful of Mac users that before I opened my mouth thought that OS X meant they were completely from the possibility of a virus or serious security problem. (And they may not have believed me when I said no!) I actually do thing there is a level of Mac user that needs to be taken down a peg on this very subject and the original goal of this hack with either to do just that or get a great deal of attention. Of course if this was indeed a stretched out farce as it's looking like it may be, than not only has this completely backfired but I'm sure it's inflated some egos all the more!
Member since:2006-09-01
"OS X is better than Windows, because that's the fact."
I don't like Windows any more than you do, but it's not "the fact," as you put it, it's your opinion. Lots of people love Windows and think OS X looks gay. It's not my opinion, and it's obviously not yours. But 'the fact' is that OS X and Windows are pretty much equally bloated; with their next iterations coming out early next year, both will soon only run on the latest and greatest hardware. The only great thing OSX has over Windows is that OSX comes with a bunch of extra software you'll never use. Oooh, Final Cut and Garage Band. BFD.
Member since:
2005-11-16
Member since:
2006-09-01
First, a lot of IT guys have the 'I'm smarter than you non-technical people' attitude. This surprises you people? I'd try and separate what he says from how he says it. Second, Mac zealots are ZEALOTS, in the same way that I'm a Linux zealot, only much, much more rude. Their reputation is notorious, and the posts on this article pretty much prove his point.
Third, you're actually defending Apple? With exploding batteries just like Dell, Nanos with screens that scratch when you look at them wrong, MacBooks with processors that overheat constantly? Please. You all think you buy Macs for hardware quality, and you're all living in la-la land. You buy them because you like the way it looks, from the casing to the GUI, not how it works. You buy them so you feel better and more enlightened than PC users, when all you really did was blow an extra $1000 to boost your self-esteem.
Yes, this is a troll. Sorry. But if I were that guy, you all are the last people I'd martyr myself for.
Member since:
2005-11-16
- Apple users don't run as root or admin.
- Apple users don't have services on by default.
- Apple email apps don't allow applications to run all by themselves.
Vista will have some of these things, but, until then it's still valid to say OS X, by default, is More Secure then windows. That is just a fact.
As for buying a Mac: Good software installed by default. An Unix core, that you can ignore or use as a learning tool. With some things a Linux user could learn from.
The OPEN command for one, the Ditto command also comes to mind. But, the point is Apple is a unique machine that allows you to use a Unix machine and learn it as time permits, and that's worth every penny.
Member since:
2006-09-01
Yes, but you can set replicate those security conditions under Windows very easily, and then an OSX and Windows machine, running under the same circumstances, are probably about secure as each other. As a Linux user, I hate to admit that. But, as you say, 'that is just a fact.'
Hmmmmm....good software installed by default. Bought a new PC recently? Plenty of good, working, free stuff, and the argument is moot with me, since I use freely available programs anyway. iTunes/Quicktime vs. Windows Media is like choosing between the lesser of two evils; it's a matter of preference.
A Unix core...um...who cares? I mean, I care and you care, but does Joe Average care? A Unix core, as far as Apple is concerned, is just a marketing catch phrase that the average user, if they get it at all, associates with security, which isn't unequivocally true, and the association wouldn't exist in the minds of the general public were it not for the Windows/Linux battles. Besides, does the Mach-based kernel really qualify as Unix-based?
Member since:2005-11-23
Besides, does the Mach-based kernel really qualify as Unix-based?
It will.
"Mach and BSD
Leopard Server is designed to be UNIX compliant and fully compatible with existing UNIX software. Apple intends to submit Leopard Server to The Open Group for certification against the UNIX 03 product standard."
http://www.apple.com/server/macosx/leopard/more.html
Member since:
2005-11-16
Member since:
2006-09-01
I guess the reality is that, while I think OSX is nice, I just don't see the reason to be such a quack over it. Not you, necessarily, just this hubbub over an exploit that may or may not exist. It's not like I freak out to the nth degree when a vulnerability is discovered in a Linux driver. I think if the same thing happened in the Linux community, most of us would get annoyed for about a week and then think 'big f***ing deal.'
And while I have actually set up a lot of unix-like security conditions on many friends' Win2k and XP boxes, and I think it's pretty easy, you'll never catch me using Windows, so I think we actually have a lot of common ground.
Edited 2006-09-05 20:25
Member since:2006-06-19
