Dailydave mailing list archives

Re: This guy cracks me up. (MindsX)


From: John Gruber <gruber () daringfireball net>
Date: Mon, 4 Sep 2006 18:41:18 -0400

johnycsh wrote on 9/3/06 at 12:37 PM:

    1) Secureworks absolutely insists on being exceedingly
    responsible and doesn't want to release any details about
    anything until Apple issues a patch. Whether or not this
    position was taken after a special ops team of lawyers
    parachuted in out of a black helicopter is up for
    speculation.

This implies that Apple will be issuing "a patch" (or at least
that you think they should be). What for? For something you and
David Maynor discovered and reported to them?

Is it something that affects stock MacBooks?

If so, do you have an exploit against the built-in AirPort card
and driver that even vaguely resembles the video demonstration you
showed at the Black Hat conference?

Are you therefore saying that Lynn Fox's statement that you'd
shown them "no evidence" was an outright lie?


    2) Responding to mac bloggers isn't my idea of a good time.
    Nothing I could say would ever convince them.

You could easily convince me by showing me, or someone I trust, a
stock MacBook getting hijacked or otherwise attacked.


    This isn't even a personal attack against them; it's that they
    lack the technical skills required to understand this problem.
    In short, anyone qualified to sit and discuss the look and
    feel of changes of Mail.app probably has no idea what ring0
    code execution means.

Leaving aside for now the idea that I couldn't possibly understand
the details of "this problem", I fail to see why that would
prevent you from answering a few basic questions about your
findings. The details certainly matter, but what matters more are
the basic implications. I'm interested primarily from the
perspective of a black box -- if you know how to successfully
attack a stock MacBook simply because its AirPort driver is on,
that fact alone is interesting, regardless of *how* it works.

My frustration is that neither you nor Maynor have answered the
simple yes/no question of whether you've found an exploit against
the stock MacBook AirPort card and driver.


    1) set up a netcat UDP listener on the victim Centrino
    box. (Why you actually need a listener is beyond me, but
    it seems to help)

I don't understand what this means. Does it mean that the victim
computer *must* be running a netcat udp listener for the attack to
work? If so, how would this be exploited in the wild?


    3) start flooding the victim machine with disassociation
    requests. A BSOD should follow very shortly.

So this attack crashes the machine?


    The reason this bug takes two cards to exploit is that the
    race condition you are trying to win seems to be so small
    that a single card can't win it.

Who needs two cards -- the victim or the attacker?


    You know, of all the comments I see, the ones that 'we played
    the media' make the least sense. Have you ever seen me in the
    news before? No. Have I ever talked to a reporter before? No.
    Am I doing a very good job of winning this PR smear campaign
    Lynn Fox ignited?

How exactly did she smear you? Why is it that you feel free to say
that you've been smeared, but won't state how you've been smeared?

Even if you've been threatened, legally, by Apple, and thus feel
you can't or shouldn't reveal any technical details regarding what
you have found, why not at least state specifically the nature of
the legal threat(s) against you?

-J.G.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave