Yes, Device Drivers Are Buggy, And Everyone Kept Missing The Point

Now that there's more information available, I guess it's time to re-visit the MacBook exploit break-down that I churned out nearly a week ago. Or, to the purists that will again criticize me for the way I try to make tech simple, my breakdown of the way the news broke.

Was it the best writing I've ever done? Highly unlikely - I make no claims of perfection either way.

But it was my train of thought at the time, based on the mess the WP article made of the issues. The mistakes I made (again, no claims to perfection here) are as good a reminder as any that everyone can be swayed by hype - and sometimes in non-obvious ways.

Knee-Jerk Reactions All Around

Most of the controversy stemmed from the fact that there was very little background information to go on.

For instance, at the time, the presentation slides weren't widely available. They are still pretty hard to find, but all that there was to comment upon at the time was the video, Brian Krebs's rather sketchy reporting and a lot of, well, nothing regarding both the exploit and why it was presented that way.

As to what people perceived as bias on my side, well... Years dealing with academia and many sorts of different research (not all of it technical) made me a firm believer in the "publish first, answer questions later" method. I still think that David Maynor and Jon Ellch shouldn't have talked to Brian Krebs before publishing anything or giving his presentation, but I wasn't there, and, again, nobody's perfect.

The use of a MacBook, the pre-WWDC hype, the press quotes, it all made people even remotely associated with the Mac community go ballistic - yep, me included. Which reminds me that there are a few collateral issues that need to be mentioned before we move on.

I was suddenly faced with a lot of bias both against the Mac and regarding what those people perceived to be my technical skills. A lot of it revolved around my approach to writing here - I pare down the technical aspects and try to explain them in the simplest possible terms, which has, time and again, irked those people who would rather have everything explained in their own (sometimes rather hermetic) terms and vocabulary.

And there is, of course, the minor point of my actually saying that yes, it was a valid issue and that the technique seemed feasible, but those who flamed me didn't care.

None of my critics seems to actually have bothered to go through the About page, the FAQ, or to glean from, say the HOWTOs or the Archives that I don't use Macs exclusively. In fact, the Mac is probably the platform I use the least on an hourly basis (regretful, but true). Having a site called The Tao of Mac does tend to cast me in a Mac-centric light, but I suspect people will always have trouble adjusting to the idea that it has absolutely nothing to do with what I do or what I am. So they were chastising me for what is, essentially, my hobby.

On the second count (my technical skills), I don't subscribe to the notion that everything I do, know or purport to know should be public (or at least plastered on the web). I'm not part of the MySpace generation. Anyone who looks for reassurance regarding what I am, know or do using Google is being amazingly naïve, to say the least.

And on the third count, my point with this site has always been to "make tech simple". Security is not the sole field where people become so immersed in their work that they cannot explain what they do without a complex (often self-referencing) combination of vocabulary, metaphors and previous art. But it is one where people ought to be able to communicate the issues to laymen without any ambiguity whatsoever.

It is also one of the fields that I have steadfastly tried to avoid working in ever since I stopped deploying commercial firewall software many years ago.

And yet, I keep getting embroiled in it.

No, I don't do security research. But that does not mean I don't do enough security-related work (as well as dealing with Wi-Fi and other newfangled ways to push bits through the ether) to understand the issues and (occasionally) get some things fixed.

But there will be no trace of those things anywhere on the Internet, ever, unless I write some sort of memoir when I retire. If I do so, it will probably open with my Blue Packet piece. And won't that be fun...

The Mainstream Press

Getting back on topic, many people have taken Brian Krebs to task, but he was not the only reporter writing (or re-writing, or quoting, or re-posting) about this and perpetuating the nastier aspects of the hype cycle. Pretty much any press coverage of Ellch and Maynor's presentation included (or even finished with) some neat, catchy phrases.

Here are a few, starting with the relatively sensible ones and going quickly downhill:

ITWire -

"According to the Maynor and Ellch, a MacBook was used for the demo because demonstrating a hack on Mac OSX, which boasts a higher level of security than Windows, would create a greater impact than another type of computer."

...and this one re-posted at Mercury News -

"Maynor said during his presentation that he and Cache did not provide technical details of the attack to Intel but couldn't rule out a connection between the findings and the Intel patch. "It's pretty interesting, the timing of it," Maynor said. "It seemed a bit suspicious."

Actually, the "suspicious" bit is the way the quote above doesn't quite match this one over at Techworld -

It is possible that the Intel patches were released in anticipation of their talk, the researchers said. Still, both men praised Intel for addressing driver security. "You have to admire a company that would proactively fix things before a talk instead of waiting until afterward," Ellch said.

And the most often re-posted one, which I found, for instance, at Seattle Pi -

"But in part because of the Apple TV spots, they decided to make the MacBook the subject of their demo. The ads are "a little smug," Ellch said afterward."

...Ellch later confirmed saying this to Todd Bishop near the Black Hat press room, but there is still some confusion as to other quotes attributed to the presenters. Then again, as Jon put it, some of the media can't tell him and David Maynor apart despite the fact that Jon has blue hair.

Judging from the rest of the press "coverage" I combed, that particular quote seems to have become a favorite and spawned several variants, like this one re-posted at Macworld UK, PC Advisor and CIO Tech Informer -

The idea of poking a hole in Apple's current advertising campaign, which smugly boasts that Mac OS X is more secure than Windows, also appears to have been a factor. "I've got to be honest, those Mac commercials they just jump right out at you," Maynor told attendees during his presentation.

...and a milder variant of the one I found at Gizmodo -

"They did it on the MacBook because the "smugness on security" that most Mac users have and the fact that Maynor wants to "stab one of those users in the eye with a cigarette" regarding the actors in the latest Apple commercials."

...which was, in turn, another twist on this one re-posted at Flexbeta -

"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said. "The main problem here is that device drivers are a funny mix of stuff put together by hardware and software developers, and these guys are often under the gun to produce the code that will power products that the manufacturer is often in a hurry to get to market."

Now, I'm very predisposed towards a certain way of dealing with the press, especially when the likelihood of their not being able to actually understand what you're saying and emphasize the wrong bit are concerned. Not to mention being cogent enough about the topic to ask the right questions.

And like I wrote before, neither Brian Krebs' original article nor his follow-up asked the right questions or conveyed the right bits of information.

And neither did the video, since it was completely de-coupled from the presentation, and even declared as being the presentation itself.

But the quotes above are more than enough evidence than whatever was going on in the minds of attending journalists, it wasn't reporting. It's not just about whether or not David and Jon said these things as a side joke (which the attending techies would "get" but not take seriously and the reporters grab as sound bites to quote out of context). It's about the likelihood of those not even being the same words.

Now, what does that tell you about the way the actual issue was reported? That they pretty much all missed the point, really.

Maybe David and Jon let their guard down too much. Maybe the reporters were just dumb. I wasn't there - someone who actually was may well set this straight at some point, but I see no purpose in harping on about it.

Somehow, I don't think there was any way they could have filled in all the gaps that people pointed out later, even if the reporters had actually paid attention.

Go to the Source, Luke

The good thing about the Internet is that you can go straight to the source, so I asked Thomas Ptacek (in between trying to point out that he was confusing an explanation meant for laymen with ignorance on my part) to introduce me to David Maynor via e-mail.

Zealots (and those who cast me as a Mac Zealot) should take note -

Rather than sit around and bitch about things, I actually went and talked to people.

And I'm across the Atlantic, several time-zones away, in what is likely to be the smallest territory populated by Mac users with the exception of Malta or Liechtenstein (Asterix jokes aside).

Besides spending the past few days discussing things with Maynor and Ellch by e-mail (a rather tense discussion at first, truth be told), I also pored over the slides at Jon's site and made an effort to put things into some sort of perspective.

Over the course of our correspondence, David pointed out this interview over at ZDNet (warning, Windows Media, upgrade your Flip4Mac install, since mine crashed until I did so), which paints a much more coherent picture regarding the whole affair.

Like I pointed out to him, these two videos would have made a lot of difference if they had been posted before the demo video. And I don't think there would have been as much of a ruckus if the demo video itself had been published alongside the presentation slides, after the presentation.

I will stick to my guns where it relates talking to the press before doing anything - but, again, nobody's perfect.

Things did get out of hand, though, messing up the issues, sidetracking the actual arguments, and overall, painting a much less defined picture than what one can glean from the ZDNet videos (which are only an overview, but have enough background information to quell most critics).

As to the slides themselves, they too could have contributed significantly to deflate the issue if they had surfaced earlier (or gotten more exposure). It's interesting to see that none of the press (even the technical one) seems to have linked to or re-published the slides - at least none that I noticed until this weekend, which is when I found Jon's URL and I stopped looking.

My assumption at this point is that the "press" simply didn't care enough to even ask for the slides - they had their scoop, were drowning in eyeballs, and every site that posted what passed as "news" probably had a bumper day for banner advertising (which is more of a driver for news selection these days than what you'd expect).

Yes, It's a Definite Risk, But It's Going To Be Fixed

The slides clarified pretty much all the points I raised on my first post, even though I am not usually enlightened by slide presentations - I much prefer a structured paper detailing things than try to reconstruct decent sentences from what usually are rather bleak sets of PowerPoint bullets, but these did the trick (as an example, the layer 2 fingerprinting techniques are more clear to me now, and even brought to mind subtle 802.11b hassles that I had with early cards' reticence to actually say they were still alive).

But since I don't want to annoy the hermetic purists with my take on them (in layman's terms or otherwise) other than say that blind faith in standards doesn't mean you should implement the standard without taking into account error conditions, I'll go back to one of my points during my correspondence with David, which is that having the slides available allows for independent confirmation of the soundness of the technique.

Now that I've published the URL, and even considering that the actual exploit isn't there, I'm positive that the work that lead up to it can be reviewed by people who can infer and validate the principle by which it works, further clarifying things.

Now all we have to do is wait for vendors to acknowledge the issue, patch it, and move on. That might well be the trickier thing.

All the Mac zealots (with whom I don't side, which should be plain considering the ruckus that my take on .Mac caused) are likely to keep harping "But did the exploit actually work on a MacBook's internal AirPort?"

I won't get into that, since the argument is pointless - regardless of what anyone says, the only thing that will settle this to everyone's satisfaction is seeing patches pop up in the next few weeks. The only risk here is if Apple issues a patch that doesn't credit Maynor and Ellch - sadly, Security Updates don't usually provide all the details on what they fix...

The Thorny Future

One thing's for sure: Wireless technology being what it is, this kind of thing will keep coming back. Remember (analogue) mobile phone cloning? Bluetooth pairing vulnerabilities? or how WEP proved to be pretty much useless?

There's a lot more out there to explore, and I don't really think it will be just about PCs - or Macs.

Yes, Macs are more secure, but only in some senses, and largely because they ship with more sensible defaults (and this is the real point) for the vulnerabilities that have become trivial by now.

So all that "smugness" that "vanilla" Mac users are said to have ought to be tempered with some Common Sense - the Mac isn't invulnerable. It isn't Swiss cheese like other platforms, but it too has a soft center.

For instance, all those new cross-platform gaming libraries that have surfaced of late may well spawn a rash of cross-platform attacks on network games (and yes, the Intel "monoculture" is going to make it a lot easier for the "cut & paste", garden-variety script kiddies out to 0wn their pimply peers).

Again, having UNIX underneath helps the Mac in a lot of ways, but any time you add a new form of connectivity (i.e., a new kind of network interface or a new network service) to something as pervasive as a personal computer (which can be opened, inspected and fiddled with by millions of people), you open Pandora's box all over again.

Sometimes it just takes some longer, more patient fiddling with the lock, but History is full of examples that show that there is no communication technique that can't be taken over for other purposes.

Disregarding for the moment the possibilities of extending Ellch and Maynor's techniques to brand new (and completely untested) standards like WiMax (which intends to be as pervasive as Wi-Fi in the coming years), my personal concern is that mobile phones are becoming more and more like PCs in many regards.

But then again, mobile operators and manufacturers aren't asleep at the helm - and that's where my Disclaimer kicks in.

See Also: