Wow, time flies by when you're dozing in the sun. I'm now (temporarily) back in Lisbon, having exchanged the sunny south for the big city just in time to watch Autumn start to set in, raindrops pelting the glass as I scan my mailboxes and wonder where to go next (given last week's events, I don't want to be anywhere near my office during the next fortnight, lest someone think it would be suitable for me to pop in to a meeting in dressing-gown and bunny slippers...).
Anyway, for those of you living under a rock for the past week or so, here's a run down of interesting (or noteworthy) stuff:
- Mira now lets you use an infra-red remote with any Mac. Yes, that's right, folks, any Mac. You can go over to the features page and take a look (kudos to Bruno Fernandes for the profile sharing feature, which increases the application's usefulness along with the "network effect" of having more users).
- Om Malik has an interesting piece on the possibility of using Flash as a VoIP client - which, considering that Flash is already capable of both sound and video output and input, is a most entertaining notion. After all, have you checked the Flash plugin privacy settings lately? Right-click on this site's header, pick Settings... and take a look...
- Dean Bubley has a short, but thought-provoking piece where it regards SIP's bleeding-edge troubles and general flakiness in real networks, something I would not have mentioned if I weren't on vacation. Then again, he does like to tease...
- Jamie Zawinsky kicked XScreenSaver 5.01 out the door.
- Apple issued a few AirPort updates that conspiracy theorists will love to fret about. Like I pointed out, Apple releasing patches would only clarify the situation if they explicitly credited Maynor and Ellch. Guess what, they didn't (and explicitly said why), so all the old arguments are being re-hashed and thrown around - with the result that things are getting fuzzier and fuzzier.
Ah, I Thought You'd Ask...
My take? Well, I have mostly tuned out the whole thing, since I'm not into commenting stuff to boost my page views (unlike plenty of other folk). That may yet be the undoing of this site (balanced approaches don't attract eyeballs, neither here nor in real-life press), but like I said to those that brought the Dailydave post to my attention -
There are several ways of proving yourself right technically, and many more ways of proving yourself wrong in the way you handle this kind of thing.
So I will stick to my guns and say that Maynor and Ellch ought to have published before talking to the press (which was, looking back, the loci where the whole thing started spiraling out of proportion). I am still willing to entertain the notion that the press went for "selective quotation" to drive page views, but there are a few things to consider with the benefit of hindsight:
Even with the presentation slides out there, independent commentary on the base technique hasn't been forthcoming.
There are a lot of ummms, aaaahs and maybes in several security blogs (remember, the approach seems feasible), but in general nobody else seems to have popped their heads out and said "I did this too" (regardless of whether the target is a Mac or not).
That, of course, does not mean it isn't possible, but it is an angle of approach to the whole issue that I haven't seen mentioned anywhere yet (Security zealots are free to correct me on this point, since I freely admit to not reading the same news they do).
Maybe it's one that the Mac zealots don't pursue, because it's not juicy enough. Which is an attitude that brings me to my next point:
Neither side came across as having particularly lucid responses.
I think this one is self-explanatory to anyone who can use Google. After all, another thing I said to people in the meantime is -
The non-technical stuff, the finger-pointing (either way) or public baiting (again, either way) seem a bit too childish for me to get involved beyond what I already wrote on the matter.
There are exceptions, of course, and one is Matt Deatherage's post (via John Gruber), who has a systematic (and far more measured) take on the whole thing than most people, although I was half-expecting to see a mention towards suspension of disbelief near the end.
Because, you see, there is a diametrically opposite notion, that I refer to as "suspension of bias", which is something I haven't seen from most people regarding this topic - and which, incidentally, brings us to the third thing I've been considering:
Apple did not get any information that allowed them to identify a specific problem.
Obviously, lots of people will point out that, in a travesty of the "everything looks like a nail" parable, searching for a certain kind of issue will always help you find something similar. Others will claim it's a lie. Me, I think either answer is wrong - and yes, it's a very fine line.
Anyway, it's something that I would personally love to know more about, considering the fuzziness regarding the claims that followed the demo. Allow me to wind up the time machine and quote from Brian Krebs's followup post -
... Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.
Now, if the exploit was, in fact, identical, how hard would it be to demo it to Apple? And what sort of tortuous constraints could prevent them from doing so?
I have no idea, and like many other folk, am waiting for some details on their upcoming talk at ToorCon 7.
But, unlike most of those folk, I won't heed the matter much - there are far more interesting things to do in the two remaining weeks of my vacation.
Next stop, somewhere out of town.