Author Topic: The Devil's in the Details!  (Read 4090 times)

Offline gunug

« on: September 19, 2007, 01:05:12 PM »
David Maynor, the guy who "revealed" a security weakness in the Apple Wireless setup,  tells all in an article at this website:

http://uninformed.org/?v=8&a=4

QUOTE
The vulnerability featured in this paper is a flaw in Apple's wireless device driver. This flaw was discovered through "beacon" and "probe response" fuzzing. Beacons are the packets that wireless access points broadcast several times a second to announce their presence to the world. They are also the packets that your notebook computer uses in order to build a list of nearby access-points. Probe-responses are similar packets that are used when a notebook computer probes for access points that are not otherwise broadcasting.

The bug described in this paper was found by the author while performing fuzzing experiments against other machines. During this time, one of the Macbooks in the vicinity running OS X 10.4.6 crashed unexpectedly. This crash produced a file called panic.log in /Library/Logs. A panic.log file contains information to help debug a kernel panic or crash on OS X. This includes the output of all the registers, a stack trace and the load address of the offending module and the address of its dependent modules. This information provides a great starting place to help track down a driver problem. However, in its default form, there are several shortcomings. The most apparent shortcoming is that the stack trace does not include symbol information. As such, one sees addresses rather than function names. In order to begin to track down a problem, one needs to do some basic math to manually discover the names of the functions. Luckily, the loading offsets did not change much on the test machine when reproducing this issue.


I don't know that I'll ever understand all of that and the other stuff in the article but I suspect someone here will know whether it's b.s. or not!

I just saw the whole article was available as a PDF download at this page:

http://uninformed.org/index.cgi?v=8&a=4&t=pdf
« Last Edit: September 19, 2007, 01:16:29 PM by gunug »
"If there really is no beer in heaven then maybe at least the
computers will work all of the time!"
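
Added example, not part of the original post or of the quoted paper: the "basic math" the quote mentions is subtracting a module's load address from each return address in the backtrace and looking the result up in that module's symbol list. The panic text, module names and symbol names below are constructed and hypothetical, and the layout is simplified rather than the exact panic.log format.

```python
import bisect
import re

# Constructed, simplified sample: not a real panic.log and not its exact layout.
SAMPLE_PANIC = """\
Backtrace:
0x0035a2f1
0x0091b4c8
0x00919a10
0x00140e22
Loaded modules:
com.example.driver.Wireless@0x00918000
com.example.family.Net80211@0x00350000
"""

# Constructed symbol tables: (offset from module start, name), the kind of
# listing `nm` gives for a driver binary. All names are hypothetical.
SYMBOLS = {
    "com.example.driver.Wireless": [(0x1000, "_example_rx_frame"),
                                    (0x1a00, "_example_parse_beacon"),
                                    (0x3400, "_example_update_scan_list")],
    "com.example.family.Net80211": [(0xa000, "_example_input_packet"),
                                    (0xa400, "_example_dispatch")],
}

def parse_panic(text):
    """Return (return addresses, {module name: load address})."""
    addrs = [int(a, 16) for a in re.findall(r"^(0x[0-9a-fA-F]+)$", text, re.M)]
    mods = {name: int(base, 16)
            for name, base in re.findall(r"^(\S+)@(0x[0-9a-fA-F]+)$", text, re.M)}
    return addrs, mods

def symbolize(addr, mods, symbols):
    """Map a return address to 'module!symbol+0xNN', or None if unresolved."""
    # Owner = module with the highest load address at or below addr. The sample
    # carries no module sizes, so an address past the last module is a guess.
    below = [m for m in mods if mods[m] <= addr]
    if not below:
        return None                      # e.g. a frame inside the kernel itself
    owner = max(below, key=mods.get)
    rel = addr - mods[owner]             # the "basic math": address - load address
    table = sorted(symbols.get(owner, []))
    i = bisect.bisect_right([off for off, _ in table], rel) - 1
    if i < 0:
        return None                      # before the first known symbol
    off, name = table[i]
    return f"{owner}!{name}+0x{rel - off:x}"

def symbolize_panic(text, symbols=SYMBOLS):
    addrs, mods = parse_panic(text)
    return [(hex(a), symbolize(a, mods, symbols)) for a in addrs]
```

The offsets only resolve correctly when the symbol list comes from the same driver build that was loaded at the time of the panic.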

Offline sandbox

« Reply #1 on: September 19, 2007, 01:20:24 PM »
It would seem that the hackers are good at what they do.
http://www.securityfocus.com/archive/1/479861

QUOTE
http://www.uninformed.org/?v=8

About Uninformed:

Uninformed is a non-commercial technical outlet for research in areas
pertaining to security technologies, reverse engineering, and low level
programming. The goal, as the name implies, is to act as a medium for
providing informative information to the uninformed. The research
presented in each edition is simply an example of the evolutionary
thought that affects all academic and professional disciplines.

- The Uninformed Staff
staff [at] uninformed.org


Offline gunug

« Reply #2 on: September 19, 2007, 02:02:28 PM »
There's more info about this at Computerworld:

http://www.computerworld.com.au/index.php/...90;fp;4;fpid;16

Apparently he just came off of a Non-Disclosure Agreement about this subject!

Offline sandbox

« Reply #3 on: September 19, 2007, 05:30:55 PM »
QUOTE
Apple patched the bug in September 21 without crediting Maynor for discovering the problem. Instead, Apple's engineers found the bug during an internal audit, the company said.


So why publish the Mac hack now?

Maynor said that he had been under a nondisclosure agreement, which had previously prevented him from publishing details of the hack. The security researcher wouldn't say who his NDA was with, but that agreement is no longer in force, allowing him to talk about the exploit. "I published it now because I can publish it now," he said.


This is not something that gives one a lot of confidence. If you're not the sort that subscribes to automatic updates or spends a lot of time studying the Mac Media you could in effect be vulnerable without knowing it for a very long time.

A year is far too long to keep this sort of information from the public.

Offline swhitset

« Reply #4 on: September 19, 2007, 06:09:16 PM »
I am sorry, but anyone using a computer on the internet that does not keep it updated is irresponsible.  This is just as important for macs as it is for PC's.  To suggest that having a specific knowledge of this particular exploit would somehow make a difference is a bit naive.  All computers, macs included, are subject to software vulnerabilities such as buffer overflows etc...  While it is true that as of now, there are no OS X viruses or Trojans in the wild, this does not mean we do not need to keep our software updated.  The more recent trend for malware has been to exploit specific vulnerabilities in software... especially web browsers.  Consider how many "Security Updates" Apple has released for the various versions of OS X, Safari, Quicktime etc...  This is evidence that Apple software is not immune to these attacks.

My point is that anybody using a mac or a PC needs to keep it updated and that that is where the responsibility lies.  In fact, many times these software vulnerabilities are not even exploited until after the patch has been issued.... that is often how the malware authors find out about them.  The bottom line is that on a mac, you should enable software update to, at the very least, notify you of any updates, and on Windows, in the case of most people... have automatic updates turned on.

Steve

Offline sandbox

« Reply #5 on: September 19, 2007, 11:10:29 PM »
So Steve, let me see if I understand your logic. You feel that Apple should take credit for finding something they didn't find. Silencing someone with a nondisclosure agreement for a year or more and place the responsibility for any adverse consequence of this flaw on the computer operator. Is that assessment correct?

Offline gunug

« Reply #6 on: September 20, 2007, 09:53:47 AM »
I think that there is a problem with using NDA's to do other than protect Intellectual Property.  I think people have a certain "right to know" in this sort of case that shouldn't be superseded by the company not wanting to look bad.  We've been slapping Microsoft around pretty well over the past years over this situation and if Apple has done the same thing then they should be open to criticism about it.  It wasn't clear to me that the NDA was with Apple in this case but it's hard to see that it could be anyone else.


Offline sandbox

« Reply #7 on: September 20, 2007, 10:17:42 AM »
Gunug, as I see it there was not only a 1 year NDA on the Flaw, there is an unlimited NDA on exposing the party that squelched the data. Now what would justify such covert action? What if it's not Apple, what if the flaw is not a flaw?

Offline swhitset

« Reply #8 on: September 20, 2007, 12:36:35 PM »
Well...

Let's see...  I don't believe I ever said anything about giving Apple any credit for finding anything.  Furthermore it seems from the article that the NDA terms have not been disclosed.  Most importantly, your ASSUMPTION that it was an NDA with Apple is just that... an Assumption.

As far as the rest of what I wrote... I stand by it.  Your focus, in my opinion is too narrow.  The world has changed and malware is everywhere.  It is no longer possible to simply go about your business ignorant to the many ways one can now get into trouble on the internet.  I guess what I am saying is that you may be right.... but who cares.  It is not (again in my opinion) the relevant issue.

Steve

Offline gunug

« Reply #9 on: September 20, 2007, 02:27:56 PM »
Steve - I don't bury my head in the sand over this stuff and I spend a great deal of time dealing with updating and protecting systems from the blackhats as a lot of what I have to deal with are Windows XP systems.  I also "never" leave any of my systems running if I'm not using them directly; none of this leaving it on 24/7 that others seem to dwell on!  I still think that if a company wants to be in this business they have some responsibility in making flaw information available ASAP especially if it is a flaw that opens up holes in system security!

Offline swhitset

« Reply #10 on: September 20, 2007, 02:38:40 PM »
Well... that is a debate that will never end.  Remember that the release of that information is often what leads to its exploitation.  At that point, the people who are least capable of defending themselves against it are ironically the only people then vulnerable.... i.e. those that are not installing updates.

Steve

Offline sandbox

« Reply #11 on: September 20, 2007, 02:54:08 PM »
My first statement:
QUOTE
This is not something that gives one a lot of confidence.


Steve's opening statement:
QUOTE
I am sorry, but anyone using a computer on the Internet that does not keep it updated is irresponsible. This is just as important for macs as it is for PC's. To suggest that having a specific knowledge of this particular exploit would somehow make a difference is a bit naive.


From this statement I assumed that you were expressing that people who think that this information could've been useful were a bit naïve.

From the article:
QUOTE
Apple patched the bug in September 21 without crediting Maynor for discovering the problem. Instead, Apple's engineers found the bug during an internal audit, the company said.


According to the article Apple engineers did not find the bug. Why would they say they did? Who would pay Maynor for his silence and then give Maynor's work-product to Apple so that they could make it their own?

QUOTE
On Tuesday, Maynor said that at the time of the Black Hat demonstration, he had found similar wireless bugs in a number of wireless cards, including Apple's AirPort and that he had been told to use the third-party card in the video because it was deemed "the least offensive to people."


Whose interest is protected here, certainly not the third parties. My money is on Apple with the NDA. As I suggested to Gunug, there is a slight possibility that this was a backdoor for global security purposes, but a long shot indeed.

QUOTE
I guess what I am saying is that you may be right.... but who cares. It is not (again in my opinion) the relevant issue.

If I were not concerned that this tactic could undermine consumer confidence I wouldn't have bothered to reply. It's relevant to me, my network, my NetBarrier firewalls, our public Wifi system on Treasure Island, and those who think that having information relayed to them in a timely manner is a responsible avenue to take.

I want to know, when my system is threatened by a flaw in the products I purchase. And I want to know that, because, as a responsible consumer I can take the necessary steps to avoid loss.

We all play in different sandboxes.

Offline Xairbusdriver

« Reply #12 on: September 20, 2007, 03:00:49 PM »
While I agree with your opinions that we should keep our software up-to-date, it is sometimes hard to generate any enthusiasm for doing so when Apple quite often breaks the compatibility of its own software with its OS updates. Many times the only fix to get iTunes/QuickTime/iWeb/etc. working again is to downgrade either the upgraded app or the OS.

If and when Apple gets its testing procedures up to speed, it will be much easier to convince everyone to simply let Software Update not only check for but install what it finds. As things stand now, their inability to verify compatibility has created a fairly large need for places like TS, MacFixIt, etc.

As far as the NDA goes, it is quite conceivable that many other companies are involved besides Apple (the hardware maker, a software security developer). Nor do I think Apple's WIFI devices are the only ones that issue these 'broadcasts'. That's assuming I even know what the article is talking about! OTOH, the way the quote talks about a "panic.log" file appears to me, to indicate a less than complete and thorough understanding of what OS X is capable of and does 24/7. I would assume that any Unix-based OS does the same thing. "Kernel Panics" are supposed to be recorded in the panic log, if possible. The fact that they are hard to read (no symbolic translations) is beside the point, those who can read them at least have something to start with. Frankly, they are much more useful than the pre-X messages that "Error -56187" has occurred!
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline swhitset

« Reply #13 on: September 20, 2007, 03:02:44 PM »
Sandbox,
I really don't disagree with you, but I am simply a bit more of a pessimist than you I suppose.  I am coming from the mindset that simply assumes these flaws exist, and that more will be found in the future.  Since we really have no control over that aspect, the best we can do is keep updated.  I do however, think it is best to keep the details of most exploits obscure in order to limit the extent of their exploitation.

Steve
« Last Edit: September 20, 2007, 03:10:34 PM by swhitset »

Offline swhitset

« Reply #14 on: September 20, 2007, 03:08:08 PM »
QUOTE(Xairbusdriver @ Sep 20 2007, 03:00 PM)
While I agree with your opinions that we should keep our software up-to-date, it is sometimes hard to generate any enthusiasm for doing so when Apple quite often breaks the compatibility of its own software with its OS updates. Many times the only fix to get iTunes/QuickTime/iWeb/etc. working again is to downgrade either the upgraded app or the OS.



I agree with this.  I am not suggesting that every update needs to be installed, however, Apple and Microsoft both release "security updates" and these should always be installed regardless of the risk of breaking something.

Steve
« Last Edit: September 20, 2007, 03:09:09 PM by swhitset »