Lies, Damned Lies, and MacBook Wi-Fi Hacks

As I expected, my “MacBook Wi-Fi Hack Challenge” was not accepted by David Maynor or Jon Ellch. So what have we proven? Nothing about whether or not stock MacBooks are currently vulnerable to a Wi-Fi based exploit, of course — that they didn’t accept the challenge does not mean they haven’t found an exploit that works against the built-in MacBook AirPort card and driver.

Rich Mogull makes several good points in his critique of my challenge, and goes on to present the most reasonable and persuasive defense of Maynor/Ellch/SecureWorks I have seen, but it seems to come down to the argument that a stunt like this is not a fair way to conduct a technical debate. Of course it isn’t fair: unfairness is the whole point of the challenge. I tried the fair and balanced route when I published “The Curious Case of the Supposed MacBook Wi-Fi Hack”, and got no answers in response.

Sometimes you can only fight fire with fire, and there is no getting around it: Maynor and Ellch’s Black Hat demo video of the MacBook exploit was a cheap stunt, and a cheap counter-stunt like this challenge has clearly been more effective than my exhaustive analysis at drawing attention to the questions their original statements and announcements raised and left unanswered.

Some of Mogull’s specific remarks deserve attention or rebuttal. Describing why he thinks I should withdraw the challenge, Mogull writes:

I know the Black Hat demo was real. Why? Aside from being at the presentation, I had a personal demo (over live video) of exactly what they showed in the video. I got to ask detailed questions and walk through each step. Maynor and Ellch haven’t bullshitted anyone — their demo, as shown in the video and discussed in their presentation, is absolutely real. End of story.

I’ll admit that I’m still dubious that even their exploit using the third-party wireless card works, in the wild, exactly as shown in the demo video, but my main point all along has been the question of whether they’ve found a similar exploit against a stock MacBook using only the built-in AirPort card and driver. That is my main question, it remains unanswered a month later, and it is the central premise of my challenge.

Using a third-party card for the demo was responsible. Why? Because their goal was to show a class of attack across multiple platforms without disclosing an unpatched vulnerability. By using an anonymous card no single platform is exposed. Why the Mac? Because it demonstrates that a poorly written device driver can expose even a secure system to exploit.

I never argued that their using a third-party card for the demo was irresponsible. It was their use of a MacBook (or as Maynor called it, “an Apple”) combined with their refusal to state whether they also found an exploit against the stock AirPort card and driver that was irresponsible. Before I explain why, I’ll quote Mogull’s next reason:

Responsible disclosure encourages staying silent until a patch is released, or an exploit appears.

If we assume that Maynor and Ellch also found an exploit against the built-in MacBook card and driver, then how was performing the demo on a MacBook responsible? Even though the demo used a third-party card, the hubbub in the initial media coverage surrounding their announcement and demo centered on whether ordinary real-world MacBook users were susceptible to a similar attack. Many people concluded from the initial reports (and not just from Brian “Hijacking a MacBook in 60 Seconds or Less” Krebs’s blog entry) that Maynor and Ellch had announced the discovery of an exploit against a stock MacBook, which in turn is why so many people thought, wrongly, that Maynor and Ellch were backpedaling when SecureWorks clarified their web site to emphasize that the original demo was against a third-party card and driver.

I.e., if it would be “irresponsible” to announce publicly that they’d found an exploit against the default MacBook card and driver, because such an announcement would clue malfeasants in to the possibility that they could duplicate the exploit before Apple released a software update to fix it, then it was just as irresponsible to publicize their demo using a MacBook in a way that left many (if not most) people with the impression that they had found an exploit against the built-in MacBook AirPort card. Even careful, informed observers were left to conclude that Maynor and Ellch might have found such an exploit. To me, this uncertainty is hardly better than an outright statement that they had found an exploit against the built-in MacBook AirPort card.

And if they have not found a similar exploit against a stock MacBook, then they were even more irresponsible, because they left a great many people, Brian Krebs most notably, with an entirely wrong impression.[1]

I may or may not yet be proven wrong about what Maynor and Ellch found and reported to Apple, but I do not see how their conduct can be described as “responsible”.

This challenge doesn’t help anyone at all. Is my MacBook Pro vulnerable? I don’t know, but even if it is there’s not a damn thing I can do about it until Apple issues a patch. It’s not like I’m turning off my wireless until I hear there’s some well-known exploit floating around. If Maynor and Ellch respond to the challenge all they do is satisfy people’s curiosity — it does NOTHING to improve security.

Not so. It may well be true that Mogull would not turn off his AirPort card even if he knew it was vulnerable to such an attack, but that does not mean such a statement would help no one. Many MacBook users would disable their AirPort cards until Apple closed such a hole: not only the paranoid or overly cautious, but those who have the option of connecting via Ethernet and usually connect via AirPort only because it is more convenient.


Which brings us to William Carrel and the concept of full disclosure. Three years ago, Carrel discovered a DHCP security vulnerability in Mac OS X 10.2 and 10.3. It was a bad one: an exploit that could give an attacker with access to your network complete control of your computer. (I wrote about it obliquely in “Flammable or Inflammable?”[2].)

Carrel initially followed what are generally considered the “responsible disclosure” guidelines: he privately reported all the relevant details to Apple.

Then he waited.

After a series of system updates and security updates came and went, none of which addressed this issue, and during which period he warned Apple that he planned to go public if they didn’t soon address it, Carrel released it as a public advisory — an utterly reasonable 48 days after initially reporting the problem to Apple. Twenty-four days later, Apple released a security update that fixed the problem. The entire timeline is documented on Carrel’s web site.

In this Slashdot thread regarding Jon Ellch’s public statement last week on the “Dailydave” mailing list, Carrel addresses the speculation that Ellch and Maynor can’t say anything because they are being bullied by mean old Apple Legal:

When I published my OS X remote root (link-local remote root for the pedantic), due to poor choices in DHCP, Apple had advance notice of when I was going to release it, numerous avenues to attempt contact and I didn’t hear one peep from Apple Legal. That this guy was suddenly [silenced] and can’t produce evidence of it other than making vague insinuations just sounds [hokey] to me.

If he doesn’t feel okay about releasing details until they’ve patched the driver that’s one thing. But insinuating that the big bad lawyers have silenced you is quite another. The only circumstance I can think of where they could actually be legitimately silenced is: they are/were being paid to do pen testing for Apple, they submitted this bug, they blabbed about it at a conference when they were under a contractual NDA, they’re now claiming they didn’t say enough to violate the NDA and are remaining mum until the rest of the details go public.

[...]

This predicament is further proof of why full disclosure is a good idea.

Carrel links “full disclosure” to the (as ever, incendiary) Wikipedia entry on the subject, where it is defined thus:

Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. Fixes are produced faster because vendors and authors are forced to respond in order to save face. Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.

Further down in the Slashdot thread, after discussing Ellch and Maynor’s vague and not-so-vague hints that their hands are tied by lawyers, Carrel concludes:

And lastly, there is the debatable point on full disclosure. Waiting until Apple issues a patch is not exceedingly responsible. It is exceedingly irresponsible. It leaves users hanging in the breeze, potentially vulnerable to a remote root for as long as the vendor cares to take to correct the issue, which could be several months. For instance, your Ford truck may explode, but we’re not going to tell you how or why until Ford issues a service bulletin and recall.

The exploding-truck analogy may be only slightly exaggerated, depending on how important the contents of your hard drive are to you. (Some people, asked to choose between sitting in an exploding truck and losing the entire contents of their laptop’s hard drive to a script kiddie at Starbucks, might reply, “How big an explosion are we talking about?”)

There is plenty of room for debate regarding what constitutes a reasonable and fair “full disclosure” policy. I would argue, for example, that details regarding how to exploit a newly discovered vulnerability should still be withheld from a public advisory, at least for a reasonable period of time. Taken to an extreme, truly “full” disclosure would amount to a recipe for attack.

But in general, I agree with Carrel (who, I think, bent over backwards to be fair to Apple with his DHCP discovery in 2003). And this isn’t just about Maynor/Ellch/SecureWorks — Apple, too, is still on the hook, because they could easily clear this saga up with a straightforward statement that, yes, they’re currently investigating a threat along these lines — whether it was or was not reported to them by Maynor and Ellch[3] — or that, no, they have not currently found any vulnerability affecting stock MacBooks.

I’m not going so far as to say that Apple should release a full list of any and all known as-yet-unpatched security problems in Mac OS X (not that I think it would be disastrous, but that’s simply not going to happen — Apple’s management quite obviously wants to remain as secretive as possible with regard to security). But in this case, if the problem is real, their hand has already been forced by Maynor and Ellch (and, let’s not forget, Krebs). And if the problem is not real, they still face the problem that a great many people believe it is.

In short, both sides remain silent, which means both sides remain, at least to some degree, in the wrong.


  1. Mogull also includes interesting news regarding Krebs’s initial report and Maynor’s infamous “makes you want to stab one of those [Mac] users in the eye with a lit cigarette or something” remark:

    Maynor already apologized in front of Defcon, perhaps a thousand-plus attendees, two days after Black Hat. The trash-talking Mac quote in Krebs’s article was nothing more than a joke and was never intended for publication. Calling these two liars and attacking them personally without verifying through any means other than a newspaper report and blog posts is not fair.

    I certainly have plenty of complaints about Brian Krebs’s coverage of this saga, but my criticism of his coverage is factual. I don’t doubt that he intended to get the story right; the problem is that he didn’t. What Maynor claims here, at least according to Mogull, is worse, and I don’t believe it. In my experience, newspaper reporters are very clear about when you are on the record and when you are not. I find it very hard to believe that Maynor was not aware that these statements were on the record. ↩︎

  2. One of my favorite fireball titles ever. ↩︎

  3. The statement last month from Apple’s director of Mac PR, Lynn Fox, that SecureWorks “has not provided any evidence” of such a flaw involving the built-in MacBook card and driver is not the same as saying that Apple is unaware of any such flaw. ↩︎