Regarding Brian Krebs’s Reporting on the Supposed MacBook Wi-Fi Exploit

Brian Krebs has written a follow-up regarding yesterday’s “Hijacking a Macbook in 60 Seconds or Less” on The Washington Post’s “Security Fix” weblog:

I want to address those who commented on yesterday’s post about the video’s depiction of the use of a third-party wireless card on the Macbook [sic]. I spent more than an hour with Dave Maynor watching this exploit in action and peppering him with questions about it.

During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers — mainly because Apple had not fixed the problem yet.

What does this mean, that Apple “leaned on Maynor and Ellch pretty hard”? Were they threatened? By whom at Apple, exactly? And how? With a lawsuit? With violence?

And, if Apple did in fact “lean on” them, why didn’t Apple ask them not to use a Mac in the demo at all? What was Apple’s request, exactly? “Go ahead and show it on a MacBook, but use a third-party wireless card? And it’s OK for you to confirm to reporters that the built-in AirPort drivers are also exploitable, we just don’t want you to show it in a video.” What sense does that make?

If they’re willing to say that the built-in drivers are exploitable, why aren’t they willing to show it?

Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default Macbook drivers are indeed exploitable.

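But did Krebs see the exploit work against a MacBook’s built-in AirPort card? He says he stands by his reporting, but he did not report that the exploit works against the MacBook’s built-in AirPort driver; he reported that Maynor and Ellch told him it works against the MacBook’s built-in AirPort driver. “I stand by what they told me, that the built-in drivers are exploitable” is very different from “I stand by the fact that the built-in drivers are exploitable.”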

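If it is true that this exploit works against the MacBook’s built-in AirPort driver, it is one of the most serious security vulnerabilities discovered to date for Mac OS X. Basing their demo video on a third-party card makes matters worse, not better, because it creates the impression that most MacBook users are safe because they’re not using third-party cards.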

Krebs’s shoddy reporting leaves nearly all of the important questions regarding this exploit unanswered. What about other models? Are MacBook Pros exploitable as well? PowerBooks? iBooks? Desktop Macs that use AirPort? Is a Mac vulnerable in its default out-of-the-box configuration? For example, by default, Mac OS X is configured to ask for confirmation before joining an unknown open Wi-Fi network. Does this exploit require that this setting (in the Network panel in System Preferences) be changed to allow joining unknown open networks automatically? Are any other changes to the default networking configuration required to allow this exploit to work? Is there anything Mac users can do to protect themselves other than completely disabling AirPort?

Aren’t these questions completely obvious?

Again, the whole point of this story was not to pick on Macs, but to point to a security issue that affects multiple operating systems and one that is long overdue for some serious code review by the companies that OEMs rely upon to produce this software.

With a headline like “Hijacking a Macbook in 60 Seconds or Less”, or his quote from exploit co-discoverer David Maynor saying “if you watch those ‘Get a Mac’ commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,” where would anyone get the idea that the point of Krebs’s post was to pick on Macs? Or, more accurately, to generate a sensational amount of attention by playing off the Mac’s sterling reputation for security?