Update on the MacBook Wi-Fi Exploit Challenge

My “Hijack this brand-new MacBook over Wi-Fi and it’s yours” challenge to David Maynor and Jon Ellch has not yet been accepted, but I have some additional points to address.

Doubling the Offer

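Jim Thompson, whose own coverage of this saga I have pointed to several times, has offered a second matching MacBook if Maynor and Ellch succeed at my challenge. Not only does this double the prize, it should also make it easier for Maynor and Ellch to split their winnings; splitting a single MacBook would not be much fun anyway.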

Putting My Money Where My Mouth Is

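Dozens of DF readers have emailed offering donations to cover the cost of the MacBook if I lose this challenge. This is both generous and heartening, and I sincerely thank everyone who offered. But, for now, please keep your money. If I lose (a big “if”, in my view), I will set up a DropCash campaign for people to contribute. But I am fully willing to bear the cost of this challenge if I lose.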

But I’m pretty sure it won’t come to that. In fact, I’m so sure that I could raise the stakes to a gold-plated MacBook at this point.1

Why I Think This Challenge Is Fair

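Some critics have emailed claiming that this challenge is unfair to Maynor and Ellch, on the grounds that they never claimed that stock MacBooks are vulnerable to this attack.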

That is not the case. Brian Krebs of The Washington Post, who broke the story, wrote the following in a follow-up the next day:

During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers — mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default Macbook drivers are indeed exploitable.

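This could certainly be a mistake on Krebs’s part, but if so, and if it were my findings that Krebs had so badly misreported, I would issue a correction. SecureWorks, Maynor, and Ellch have apparently not contacted Krebs with any other statement. In his most recent update on the subject, Krebs wrote: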

I have several times now asked SecureWorks to share with me more specific information to back up their claims, but so far I have received no further details. If I hear back from SecureWorks with any more material information, I will update the blog.

And in their own slides from a second presentation last month (linked to by Krebs), Maynor and Ellch published the following Q&A:

[Q:] I saw some people quote you as saying the bug is in the built-in in card and other people quote you as saying as its [SIC] not, who is right?

[A:] They both are. The exploit shown in the video was targeting a specific third party driver and that same vulnerability does not affect the built in [SIC] card. We are, however, doing ongoing research on the built-in card as well and have shared our findings with Apple.

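Clearly, this is not a straightforward answer, but “They both are” certainly implies that the “bug” (i.e., the one exploited in their video to take control of a MacBook over Wi-Fi) exists in the “built-in card”. The next sentence says that it does not exist in the built-in card, and then they ramble on about their ongoing research.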

When repeatedly asked different formations of the obvious question as to why they chose to demonstrate their exploit against a third-party wireless card and driver, they have never responded by saying “Because we have not found a way to perform this exploit against the built-in MacBook card and driver.” Instead, they’ve said, more or less, that they don’t want to demonstrate this exploit against the built-in card.

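Refusing to give a yes/no answer to “Have you discovered such an exploit against the built-in MacBook card and driver?” is just silly. If the answer is no, that they have not, then this is contrary to what has been reported, and contrary to what many people believe. If the answer is yes, then confirming that they have discovered such a flaw would not reveal any technical details about how it works.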

It makes no sense to me that they won’t even confirm the existence of a similar exploit against the stock MacBook driver and card. Why not? So that some malfeasant wouldn’t get the idea to investigate and discover the details for himself? Surely that is no less likely to happen given what has actually transpired.

Why refuse to say “yes” or “no”, but instead imply that there might be one? Their ambiguity makes it every bit as likely that a malfeasant would investigate on his own as if they had come right out and said, “We have identified a vulnerability in the default MacBook Wi-Fi driver and card, but we are not releasing any details of this vulnerability until Apple has time to issue a patch.” “We have found an exploit” is not much different from “we may or may not have found an exploit” in this regard.

Simply saying “yes”, if that is indeed the case, would also put MacBook users on alert.

Legal Threats

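There is also rampant speculation that Maynor and Ellch are now saying nothing on this issue because they have been threatened by Apple Legal. For example, the allegation in Krebs’s original report that “Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers”.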

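But, as MDJ pointed out last week (as part of their excellent feature article on the saga), when Krebs subsequently posted his “verbatim” transcript of his interview with Maynor, it contained no mention of such threats. From MDJ 2006.08.30: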

For example, at one point in the transcript, Maynor says that to do the raw packet injection that the exploit requires, “we had to build our own custom kernel.” Krebs, distressingly, does not ask if that means the MacBook is running a modified kernel, one that might be more vulnerable than the one everyone else is running. Also missing from the transcript: the part of the interview where Maynor says that Apple, or in fact any vendor, pressured him not to demonstrate the exploit. In the “verbatim” transcript that Krebs posted, Maynor mentions Apple only twice: once to say that it’s “cool” they can demonstrate the problem on an Apple computer, and once to say that he and Ellch “talked to Apple today.” Even that’s not clear, as we’ll see shortly.

Last weekend, on the “Dailydave” mailing list, Jon Ellch broke his silence on the saga and wrote:

As everyone has noticed by now, we haven’t said anything in public about this attack yet. There are two reasons.

1) Secureworks absolutely insists on being exceedingly responsible and doesn’t want to release any details about anything until Apple issues a patch. Whether or not this position was taken after a special ops team of lawyers parachuted in out of a black helicopter is up for speculation.

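No doubt the suspicion is that, at some point in this saga, Maynor/Ellch/SecureWorks were contacted by Apple Legal. However, if they were, why the elliptical allusions to the threat? If they know about an exploit and can’t say anything about it because they’ve been threatened by Apple Legal, they should at least be able to say “We can’t say anything because Apple has filed an injunction against us.” An injunction prohibiting them from commenting on the exploit wouldn’t disallow them from acknowledging that they’d received such an injunction. Apple Legal cannot simply impose a “you will not talk about this exploit, and you will not even say that you are not allowed to talk about this exploit” gag order on them. Gag orders can only be issued by a court, and they are hard to obtain. When they are issued, they apply to both parties, not just one, and given Apple spokesperson Lynn Fox’s statement two weeks ago, it seems extremely unlikely that one was issued here.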

Should security research firms such as SecureWorks be prepared for bullying tactics from vendors?

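If Maynor/Ellch/SecureWorks have been unjustly bullied by Apple, that would be a real shame, and when it comes to light, I will be as outraged as anyone. It certainly would not be the first time I have criticized Apple’s response to a security issue. However, so far, we have seen no evidence that this is the case.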

In the meantime, the questions keep coming faster than the answers. I think we will catch up soon, though.


  1. More expensive than the black one.