I know the real vulnerability!

After reading about the MacBook Hijack and the resulting commentary from the highly-regarded (by more than me, honestly) John Gruber, the logic-mashing inanity of George Ou and the realistic-yet-still-easily-disproved sub-evaluation by Rich Mogull, it’s quite easy to figure out and explain to you, dear reader, what is really going on.

Read On for the Answer

First, let’s review what Mogull has to say. Mogull asserts that to “…show the attack on the built-in wireless device you instantly identify the vendor involved” and that’s apparently a bad thing. Mogull conveniently disregards that they made a point of telling everyone they were using a Mac. Um, hello? Apple would be the vendor, and thus, the first major cracks in the lynchpin of Mogull’s argument. The lynchpin breaks when you realize that when anyone shows you a video that can be summed up with “PAY NO ATTENTION TO WHAT’S BEHIND THE CURTAIN!”, you’re not in Kansas anymore. So Mogull’s argument doesn’t wash.

To be clear, though, I admire Mogull for his obviously thoughtful and careful nature, and for the fact that he does account for the possibility that he might be wrong and doesn’t add flame, just a reasonable possibility, to the discussion. I respect him for it, and while I don’t agree, and use a bit of humor to explain why, I in no way mean any disrespect to him.

As for Mr. Ou and his Legal Eagle David Burke, after reading the post four times, all I can hope is that they’ve both developed an immunity to Iocaine Powder, and that neither is ever involved in a land-war in Russia. Dave holds the illogical belief that “‘no’ means ‘yes’.” For example he says:

The statement made by Gruber relating to Fox on behalf of Apple simply indicates that the actual test performed to show the exploit only demonstrates it can be done with the third party drivers and hardware, it does not say that there has never been a claim made to Apple that such an exploit could be shown to them…

Quick review: Gruber said Fox said that Apple hasn’t been shown anything. Right, got it. Apple has no details, no hints, no phone calls, no contact, no nothing. Dave, dude, when are you going to learn that ‘no’ means ‘no’? But he continues:

… it does not say that there has never been a claim made to Apple that such an exploit could be shown to them, or was offered to be shown to them, or was told to them that such an exploit does exist on a stock Apple system, or that Apple had never been made aware of such an exploit on a stock Apple system or Apple never requested such a stock system exploit not be demonstrated at Black Hat. Fox’s statement simply says: Maynor and Ellch have not demonstrated such a vulnerability to Apple.

Obviously, Dave needs to learn to check his sources, which would be the, *ahem*, logical thing to do. To wit:

SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship. — Lynn Fox, Director of Mac PR

Again, Dave, ‘no’ means ‘no’. You don’t date much, do you?

He goes on, apparently in full-on mouth-foaming mode:

At no point in Lynn Fox’s statement does she ever claim that Secureworks has never ‘told’ Apple such an exploit could be performed on a stock Apple so Lynn Fox has certainly not lied about what this blogger claimed she might have. Further there is absolutely no evidence shown by this blogger that Secureworks did not tell Apple such an exploit could be demonstrated on a stock Apple system or any denial that Apple asked them not to use a stock Apple system in their demonstration.

Dave, yes she did. If you can reasonably claim that “shared or demonstrated” does not cover “has told”, you simultaneously claim the mantle of twit-hood. And George, wow, you suck. Whoever hired you at Z-D needs a good long vacation. As do you.

(Why is there no ‘digression’ element in XHTML?)
To be totally fair, yes, a claim could have been made to Apple about a Wi-Fi exploit, but since neither these two SEs nor the company they work for has done so, it’s immaterial if someone else brought it up to Apple. I can call and leave a voice mail for the technology team at Apple telling them I can send a malformed packet to the Houston Galleria store and make an iPod nano suddenly obey my every command. Apple can safely ignore that issue as well, as it’s part of the business, because the malformed packet is probably an Amex. (end digression)

And now, the real issue and solution:

DRUMROLL PLEASE!

The vulnerability does exist, but it has nothing to do with the computers. Nothing even to do with Wi-Fi. The vulnerability lies in the media. Here’s what happened:

  1. Persons S&E found a vulnerability in ObjectX.
  2. Persons S&E attacked ObjectX using TechnologyQ.
  3. ObjectX is vulnerable to TechnologyQ and was therefore controlled by Persons S&E.
  4. TechnologyQ gave Persons S&E SuperUser access to ObjectX.
  5. ManufacturerA has no knowledge of TechnologyQ.

With most security holes the next step would be “ManufacturerA reviews TechnologyQ and releases PatchX.1”, but that won’t happen here. Why? Look at the variables in the list above and review them. I bet you’re not using the right values for the variables.

Persons S&E are the two Security Experts, Maynor and Ellch, obviously. TechnologyQ is the demonstration given and videotaped. (Did you notice I didn’t say the code used in the demo?) ObjectX is not a computer; it’s Krebs, the reporter. ManufacturerA is the Washington Post, and the actual breach is that Krebs was easily swayed because he, too, wanted “to stab one of those users in the eye with a lit cigarette or something”.

And thanks to Maynor and Ellch, he did.