Maynor goes for a do-over
Posted March 1, 2007
By The Macalope
The Macalope was supposed to have a week off and then this has to happen:
David Maynor demoed crashing a MacBook at Black Hat DC.
“I screwed up a bit [at last year’s Black Hat in Las Vegas]. I probably shouldn’t have used an Apple machine in the video demo and I definitely should not have discussed it with a journalist ahead of time,” Maynor said in an interview after his demo.
“I made mistakes, I screwed up. You can blame me for a lot of things but don’t say we didn’t find this and give all the information to Apple.”
Glenn Fleishman has more.
Comments
Wow. So Maynor demoed crashing a MacBook to prove that he really could get root access? Because according to those two reports, he didn’t obtain a shell on the target machine.
It sounds a lot like he’s trying to rewrite history and pretend the debacle was about crashing a MacBook, rather than the root access he actually claimed…
Yeah, I’d say he saw the bugs Apple fixed, then went back and found a way to exploit (or at least crash) the MacBook, then say he found the exploit! A little convenient if you ask me.
Very much an “I told you so” seeing as how the exploit requires 10.4.6. What version of 10.4 is available to the world?
When does a guy realize he has totally lost credibility and should just walk away? He’s starting to sound like Nixon and a bit like Clinton.
So..umm…. let us see now; ah, he… last year he demonstrated how he got access to a Mac using a third party card and now, after Apple has patched up the OS, he demonstrates that he was right, by crashing a Mac using AirPort? And not getting access? Or? Getting access to crash? No? No access?
Does this man qualify as a mental acrobat? Or? Where? Who? Did I write something? Was it posted?
“You can blame me for a lot of things but don’t say we didn’t find this and give all the information to Apple.”
OK, I won’t. I’ll say this instead:
No one can tell who is lying, who is dissembling, or who did what or sent what to whom. And that, my friend, is also your screwup, because you didn’t demonstrate what you claimed at the time. In fact, you STILL haven’t demonstrated what you claimed at the time. Or what someone said you claimed at the time.
If you want to be taken seriously, you either put up or shut up. You don’t go around saying one thing and demo’ing another. If you have an exploit, you demo the exploit. If you have a crasher, you demo the crasher. But you don’t waffle around and say you have an exploit if you only have a crasher, and then blame other people when your statements are dissed for being unclear or possibly untrue.
And based on certain facts I can assert but not disclose, I have seen cold fusion in a coffee-cup sized container, using parts easily obtained at RadioShack. If that doesn’t set off alarm bells, then you still haven’t learned this simple lesson: put up or shut up.
Amazing.
SecurityFocus also has some coverage on this issue:
http://www.securityfocus.com/news/11445
and Maynor has a followup article here:
http://erratasec.blogspot.com/2007/02/more-on-apple-wifi-blunder-or-i-am-no.html
One thing I’ve always thought on this issue: if they wanted to demo it but were scared of people sniffing the wireless traffic at the Blackhat conference, why didn’t they build a large faraday cage and demo from inside it? (From what I’ve read they’re not that hard to construct and you can use a mesh so people could still see through.)
If I found a bug as large as they claimed to and wanted to go for all-out sensationalism, that’d make for an impressive demo.
(from the Fleishman post)
What’s funny about this is that it was a weakness if you used a third party wifi card. They used a flaw in the card to exploit the operating system. And I don’t know millions of people who use a third party wifi card in a laptop that already includes a wifi card built in. It’s like a fish with a bicycle or a computer company making a music player or cell phone.
Wait, scratch that last one.
Manxstef: Putting them IN a Faraday cage on stage would keep them from sniffing traffic from the audience, but would not keep the audience from sniffing their traffic. You’d have to put the whole audience inside a Faraday cage to get the correct effect.
In other words: the point of a Faraday cage is to isolate the interior from EM fields outside.
Huh. It figures. I slave away hour after hour writing sarcastic bullshit, and this smartass punk who can’t even compose a simple sentence gets all the press.
I tell lies.
I make up stupid shit.
Where’s MY moment in the limelight?
This town needs an enema.
For what it’s worth, a proper Faraday cage prevents the entry *or* escape of an electromagnetic field.
Although you can optimize for either extreme if you can’t afford “a proper Faraday cage”.
reinharden
WH: “now, after Apple has patched up the OS, he demonstrates that he was right, by crashing a Mac using AirPort”: Not quite. He also has a number of emails, including some back from Apple, that he says show that he sent information to them about the precise nature of what he found.
BLATTAPUS: Maynor confirmed what has been known during this whole time. He had an exploit against the native driver that comes with OS X. He and Ellch screwed up. They had meant to show and discuss only a third-party hack, and they got too excited, let Krebs see what was going on, and then all hell broke loose.
This does boil down to just two things: Did Apple knowingly lie about a security issue, which is a significant lapse on their part, and I still think unlikely; did Maynor and Ellch try to help the user community by NOT releasing details, which I think is likely based on their subsequent actions.
Here’s one. Let someone who isn’t Maynor or Ellch provide the details. Right now, Maynor’s showing an exploit. Is it the same one he claimed he had originally? Well, he says it is, but he’s no credibility. Where’s the proof that what he’s showing today is the EXACT SAME CODE he used then?
Even reading your article Glenn, you point out that he’s still not being straightforward about this.
So he has no credibility. At this point, he’s shot himself so badly that even *legitimate* work he’s done or will do will be questioned, because he’s demonstrated that he’s perfectly willing to dissemble to make himself look good.
Even now, he can’t stop. “Well, I can also take over a Mac, but i’m not going to show that…yet.” What’s he waiting for? More publicity so he can get more jobs as a l33t s3cur1tee d00d? Bullshit. He’s been playing this game since the beginning, and it’s just publicity hounding at this point.
the other issue is this statement:
“Maynor said this experience has led him to have no interest in providing information to Apple again about security flaws. That’s to all our detriment.”
No, it doesn’t. If he can’t handle the fact that sometimes things don’t work the way you want them to, and companies have a high asshole quotient, then he was never the kind of person you wanted doing security research. “I’m taking my ball and going home” is what seven year olds say when they don’t get their way. It’s not what grownups say. Waaah, Apple didn’t do what he wanted the way he wanted. Get over it.
Fake Steve
“The Mayntard is at it again.”
/Fake Steve
I’m not sure if “trying to find and not to fix” vulnerabilities isn’t considered hacking, which is a felony.
Well, I must say that Maynor has seemed more reasonable over the last few months than he did at first. If he keeps improving at this rate I may just trust something he says, oh, about another year from now. It takes a lot longer to build a reputation than to throw it away.
I also find it interesting that a proponent of responsible disclosure is so keen on asking people not to disclose stuff! If you can’t talk about it- don’t talk about it. Saying that you know something but you can’t tell anyone is useless to everyone and further obscures an already cloudy issue.
Maynor is now claiming that he had the ability to hack the Broadcom drivers back in August. The Broadcom drivers are used in PPC Macs. Apple did release one of the wireless updates that patched the PPC Broadcom drivers. The problem is that Maynor DENIED that he had the ability to hack into Broadcom drivers when he first talked with Krebs.
Rus: Oh puh-lease. OS X isn’t open source; it’s not the security researcher’s/hacker’s responsibility to fix it. Even if it was, it wouldn’t necessarily be.
I still agree with other people here: Put up (the whole thing) or shut up. If Apple’s fixed the bug and made the fix freely and publicly available, let the exploit hang out there. If people don’t patch their systems, it’s their own damn fault at this point.
If you don’t have a full on rooting exploit, shut up and go away.
“Maynor said this experience has led him to have no interest in providing information to Apple again about security flaws. That’s to all our detriment.”
Maybe it is and maybe it isn’t. It depends on whether he keeps trying to break Mac OS X or not, and if he does, how he makes his findings public.
If Maynor stops trying to break Mac OS X, then that’s a minor loss. It means that one researcher has stopped trying to break Mac OS X. If he were the only person doing this, it would be a loss, but he’s not, so this seems like one of those “If you don’t, someone else will” situations.
If Maynor continues trying to break Mac OS X, and he reports all his results on any public forum, then that’s no worse than the Month Of Apple Bugs. Either Apple will monitor his public disclosures, or someone else will and send them to Apple. In other words, Maynor would just be switching from “responsible disclosure” (notify vendor first), to “full disclosure” (everyone is notified at the same time). If he does that, he can’t claim to be doing “responsible disclosure”, but so what? Other breaks of Mac OS X have been released as full disclosure and the world hasn’t ended.
If Maynor continues trying to break Mac OS X, and he only reports results or exploits privately, or only provides only partial reports, then that *IS* to all our detriment. But that’s because he’s gone from being a white-hat security researcher to being a black-hat malicious cracker. He’s the one to make that choice, and no one can stop him from doing that, not even Apple.
A good observation, Don.
If you wouldn’t object, I’d like to add that if the quality of his work, and the nature and intent of his disclosures is only what we’ve seen so far then he really doesn’t count as a white-hat or a black-hat. Just an asshat.
Bottom Line: He still has not confirmed that the crash happened with a stock wifi card. I don’t care if it’s a third party card. Nobody puts in a hacked card. If it’s a third party card rigged to a MacBook, is it still a Mac? Or a hacked Mac on purpose to exploit it. Harumph.