Focus on Apple
Re: Bill Gates on Mac OS X security Feb 03 2007 05:17PM
Dave Schroeder (das doit wisc edu)

Thanks much for the followup and clarification on this. Again, I know
you weren't the ones who wrote the articles; you were the
researchers, not the journalists.

For what it's worth, Krebs was insistent on pointing out that,
according to his version of the story, you insisted that the
vulnerability you showed with the third party card was basically
identically exploitable on MacBook's own built-in wireless. That
meant that out of the whole thing, while it was a general driver
flaw, the only takeaway people got was that the "MacBook" was
vulnerable, and much of the news coverage (again, not your fault)
focused on this as only an Apple/Mac OS X/MacBook problem. The fact
that it also affected other drivers on other hardware and OS
platforms was at best briefly mentioned in news coverage, and usually
not at all. My own personal opinion is that I simply don't think that
is "fair" to Apple. Yeah, I know, life's not fair, and again, it
wasn't your (or Jon's) fault, but the end result was that Krebs
seemed obsessed with "proving" that Mac OS X was insecure in his
original story, and glossed over the actual gravity of the problem,
instead choosing to paint it the way he did.

The other issue is that many people still to this day believe that
Apple issued a legal threat (or attempted one) to prevent you from
talking about this at Black Hat (or afterward). It might be nice if
that could be clarified once and for all as well. (I see this as
separate from any agreement Apple and SecureWorks may have come to
after the fact for "collaboration".)

To your point about Apple security response: couldn't agree more. As
I said in my previous message, security response at Apple needs to
become a coordinated technical/engineering one, not run by product
marketing and PR. And actually, if they want to get the maximum
marketing and PR benefit out of Mac OS X security, that would
actually come from doing everything they can on the technical end to
ensure the product actually is secure, and respond directly, quickly,
and comprehensively to issues that are brought to their attention by
security researchers. What kind of disclosure is used is ultimately
moot: once something is out, it's out. All issues, including ones
kept under wraps, need to be handled.

I think one thing we have to recognize is that the "MacBook hijacked
in 30 seconds" stories that exclusively presented this as an Apple-
only issue (instead of the equal opportunity problem it essentially
was) resulted in what Apple interprets as immeasurable bad PR, which
is why it was a PR issue. Some might say, "So what? Tough." If the
story was handled fairly, it would have been something like "Serious
flaws found in popular wireless drivers," and the story would have
talked about it in generic terms, perhaps noting that this affected a
number of platforms, INCLUDING some of Apple's wireless chipsets and
Mac OS X, among others. But the way it was presented forced Apple's
response. Right or wrong, they don't want every security issue -
ESPECIALLY ones that affect multiple platforms - being blown up into
some huge exposé every time something hits. A lot of the goodwill
people have toward Apple right now comes from the generally correct
perception, from an actual real-world, practical impact standpoint,
that Mac OS X is less-affected by malware/spyware/exploits/etc. than
the major desktop alternative, i.e., Windows. That image is extremely
important for Apple to maintain, so it's not surprising that
marketing and PR gets involved. On the other hand, there needs to be
aggressive technical and engineering resources, as well as technical
communication with the community and security researchers, on
security issues, so that the *perception* that Mac OS X is "more
secure" than the alternatives is also the *reality*.

In sum, I don't think this is as black and white as some people paint
it. Again, thanks for your response and clarification on this.

- Dave

On Feb 3, 2007, at 10:56 AM, David Maynor wrote:

> Jon and I didn't discover a serious general 802.11 flaw; that is
> where a lot of confusion around this issue comes from. We discovered
> that in general 802.11 drivers didn't handle malformed frames very
> well. The flaws that were discovered (there were far more than one)
> were specific to certain types of chipsets (Atheros, Broadcom,
> etc...). As far as the articles go I didn't write you. If you look at
> mine and Jon's quotes in each article you will see something along
> the lines of "this is a systemic problem that affects the entire
> industry".
>
> As far as when we used a third party card for the video demo: a lot
> of Mac fans were very upset and felt that it wasn't fair because
> nobody uses a third party card. That was the entire point of the
> demo. If we had to do it live and someone got a copy of the working
> exploit we didn't want it to be in something that actually affected
> anyone. As far as confirmation, you will see we never confirmed
> publicly which vendors were affected. And once again I never said I
> wanted to stab the Mac community in the eye, I said that about the
> actors in a commercial.
>
> As a side note I have to mention the statement that Secureworks
> issued clarifying the video. She forgot to mention to reporters that
> statement was created in cooperation between Apple PR and Secureworks
> PR. Although Apple PR really wanted the statement to be extended to
> cover any demos given in person (Krebs, anonymous Blackhat employee)
> Secureworks couldn't do that. Minutes after this was posted Lynn Fox
> started pitching reporters a story that Secureworks had changed its
> story based on the update. If you actually read the Secureworks
> statement it just covers the video and says nothing I didn't say in
> the video twice. I suppose her omission of this information was
> designed to make it appear Jon and I were frauds and thus make a big
> story. I suppose the headlines "Apple asked Secureworks to clarify
> their video, Secureworks obliges" would not have been as sensational
> or given the Mac zealots ammunition to drag Jon and me through the
> mud for months. I also find it funny the only real news outlet that
> ran the "Secureworks changes position" story was Macworld. Here is a
> funny note: the guy who wrote the story, Jim Dalrymple, never
> contacted Jon, myself, or Secureworks for any reason during the
> entire fiasco.
>
> It doesn't matter much to me anymore as I have yet to meet a client
> of Errata Security (the company I formed after leaving Secureworks)
> that thinks I faked it all. Also I am in the process of writing a
> book about horror stories of when responsible disclosure goes wrong,
> with Apple being the flagship issue. Everything that happened will be
> detailed. As far as security research into Apple, I haven't done much
> else in the last few months and I flat out refuse to report any
> issues to Apple security anymore because of two things. One is that I
> don't trust their PR department not to try and smear me again; I feel
> that their handling of the Secureworks statement pretty much proved
> this. The second reason is simple: Apple apparently has more leaks
> than a sinking ship. How do I know this? Several of the bloggers who
> were calling for my head on a platter had information I had given to
> just one person at Apple and that no-one else knew. It's almost like
> pro-Mac bloggers have a hotline to the 2 or 4 person security group
> at Apple. If a company wants me to keep details of a vulnerability
> private, they can at least do the same.
>
> So what is the takeaway from this? It was a very poorly handled
> situation by everyone involved, except Jon. Jon had no real control
> of any of this and in the end I realized I didn't either. I lost all
> control when I allowed marketing people to make decisions about
> vulnerability disclosure. However I did make some mistakes. I should
> have never talked to a reporter about something we were not ready to
> make public. I should have realized Apple would have responded the
> way they did and just dropped full details of the exploit or not said
> anything at all. With that being said I have never been a fan of full
> disclosure, and I am still not, unless it's a vendor that has acted
> in bad faith.
>
> How could it have been handled differently by Apple? I have reported
> a lot of vulnerabilities to a lot of vendors and never once have I
> had the PR department respond to something. Take the Dell and Toshiba
> Bluetooth stack issue. We reported it to security, we worked with the
> engineers to fix it (and strangely information we gave to the
> engineers didn't end up on blogs), and only after everything was
> fixed (the process took about a month and a half) did we talk to
> their PR group to coordinate a joint release.
>
> With all this being said I am shopping for a new TV to make best use
> of my new Apple TV. I write this on a new MacBook Core 2 Duo while
> listening to my iPod play an audiobook (World War Z) that I bought
> from iTunes. If you didn't know better you could also say I am a
> walking commercial for Apple.
>
> On 2/3/07, Dave Schroeder <das (at) doit.wisc (dot) edu> wrote:
>> On Feb 2, 2007, at 11:02 PM, David Maynor wrote:
>> > If you don't like the response don't be mad at me, email
>> > product-security (at) apple (dot) com and demand a timeline for
>> > when these types of features will be added.
>>
>> Right now, I'd even settle for a basic EOL schedule for OSes...
>>
>> I do have some serious questions on this topic of Mac OS X security.
>> Fanboy issues and incorrect beliefs held by many about Mac OS X
>> security aside, I think there is a problem with the way Apple
>> security issues are dealt with, including your wireless
>> vulnerability.
>>
>> You discovered a serious general 802.11 vulnerability that affected
>> many wireless chipset and driver combinations, and could affect Mac
>> OS X, Windows, and Linux. You chose to demo the issue on a MacBook
>> running Mac OS X - which is perfectly fine - in part, to show that
>> Mac OS X is indeed vulnerable to security issues, and even general
>> ones that affect multiple platforms at that. It's time people,
>> including Apple, wake up to a lot of these issues, or there *will* be
>> a rude awakening coming, reminiscent of the Microsoft of five years
>> ago. It took Microsoft *years* to pull itself out of that, and it's
>> still a work in progress.
>>
>> However, that brings me to a question. When a general, severe 802.11
>> vulnerability is discovered and revealed, one which affects multiple
>> chipsets, drivers, and platforms, how is it fair, or even helpful to
>> any reasonable Mac OS X security discourse, to have IT and mainstream
>> press all over splash headlines like "MacBook hijacked in 30 seconds
>> - wirelessly", and generally make it appear to the casual reader that
>> this is ONLY an Apple problem, ONLY a Mac OS X problem, and a problem
>> with the new flagship consumer laptop to boot? I'm not saying YOU
>> wrote any of these articles; you're the researcher, not the
>> journalist. But I would like your opinion on the handling of that
>> issue, which was much broader than Mac OS X, in the media.
>>
>> One corollary question to this would be, why was the third party USB
>> wireless card's brand and identity hidden because of what was stated
>> to be "responsible disclosure", while it was simultaneously asserted
>> that the MacBook's internal wireless was (essentially) identically
>> vulnerable? You can see why some people would find that seeming
>> discontinuity somewhat unfair. Again, this is NOT an accusation: it
>> is a legitimate question. I have since come to understand that maybe
>> the media was to blame for the handling and presentation of this
>> issue. However, I'm still wondering what your own personal thoughts
>> on this are, given that you were one of the co-discoverers and
>> presenters of the issue.
>>
>> For some reason, I get interpreted as an Apple "fanboy" because I
>> defend Apple on issues like this. Me saying "hey, this affects way
>> more platforms than Mac OS X" or "targeting only Apple is a bit
>> unfair here" somehow gets construed as trying to "FUD" the issue
>> away, or somehow claim that Mac OS X is invulnerable (which I have
>> never remotely said, and is also wildly inaccurate to boot). Apple
>> has serious issues that need to be dealt with in regard to security
>> response and issue handling, the way big reporting is handled in
>> general, and the way it interacts with enterprise markets (of which
>> security is an integral part). What I'm concerned with is making sure
>> the debate is an intelligent and useful one, not having
>> sky-is-falling headlines splashed every time Mac OS X is vulnerable
>> to something, while, ironically, another Windows remote exploit
>> requiring no user interaction is making the rounds.
>>
>> I don't think the "fanboys" are anything that really needs to be
>> worried about. What the concern should be is getting ordinary users
>> to understand that there are security issues to be aware of on Mac OS
>> X as any other OS. I believe that any changes at Apple with regard to
>> this will come from the enterprise marketplace. However, Apple really
>> isn't an enterprise company even though it occasionally dons
>> enterprise garb. Every positive change I have seen in Apple security
>> response to date has been a direct result of coordinated requests
>> made from the Mac "enterprise" community, which consists not really
>> of "enterprise", per se, but rather mostly of academic and government
>> research institutions. Some specific examples of these positive
>> changes were:
>>
>> - More security issues began being handled in a more granular
>> fashion, instead of being reserved for the next major OS update. This
>> was done in direct response to feedback from the enterprise
>> community.
>> - Apple's descriptions of security updates were always incredibly
>> vague. After much feedback in this area, Apple began describing much
>> more explicitly what was fixed and changed, citing the appropriate
>> advisories and CVE numbers, and acknowledging discovery/reporting.
>> - Apple rarely interacted with external security advisory
>> clearinghouses like US-CERT, Secunia, MITRE, and so on. There has
>> been an improved effort to update these clearinghouses with
>> information pertaining to Apple on issues.
>> - Occasionally (instead of never) providing security updates for
>> recent point versions of the OS, instead of always mandating that it
>> be the latest in the series. E.g., 10.4.3 and 10.4.4 instead of
>> 10.4.4 only.
>>
>> There's room for a LOT of improvement, but these are measurable
>> improvements nonetheless; my point here is that there has been
>> positive movement. So, how do we get more, and keep that going?
>>
>> I see, a quasi-Apple-affiliated group of Mac
>> "enterprise" users as being the primary conduit for getting this kind
>> of information into Apple. I'm not saying the general userbase won't
>> have value...but how does the general userbase "get" Apple to
>> respond? By getting people all riled up and having a constant stream
>> of negative mainstream press about Apple security (and usually
>> inaccurate at that, or at least failing miserably to grasp the nuance
>> or particulars of the situation)? By slapping down "fanboys" in some
>> ridiculous back and forth where both sides accuse each other of
>> ridiculous conspiracies to either artificially prop Apple up or tear
>> it down?
>>
>> I see this happening in Apple from the organizational side. Some see
>> it happening from a technical side. Organizational has to happen
>> first. Security response has to become primarily a technical
>> engineering group in Apple, not a product marketing one. Security
>> design and audit needs to be preemptive, proactive, and continuous.
>> Security technologies such as you speak of need to be integrated into
>> the operating system. Engineers need to be able to *directly
>> communicate*, *officially* with security researchers and others
>> reporting issues. Bug reporting and emailing product-security can't
>> be the black holes and one-way conduits they usually are.
>>
>> So, as a technical security researcher, what is your opinion on some
>> of what I'm bringing up here? You're intimately aware of these
>> issues, and have been a part of some of them yourself. Is anything
>> said here unreasonable?
>>
>> Thanks,
>> Dave

Copyright 2010, SecurityFocus