Toorcon: No Show

Jon Ellch and David Maynor were to tell all today at Toorcon 2006 in San Diego.

Get It Try It

SAN DIEGO (Rixstep) — SecureWorks have announced that their David Maynor will not be presenting at Toorcon 8. Maynor caused hysteria at Black Hat recently when he showed how to hijack an Apple computer through a wireless connection. Today he and Jon Ellch were to tell all.

SecureWorks vice president of corporate communications Elizabeth Clarke announced the change only hours before the scheduled show.

The SecureWorks statement is as follows.

SecureWorks and Apple are working together in conjunction with the CERT Coordination Center on any reported security issues. We will not make any additional public statements regarding work underway until both companies agree, along with CERT/CC, that it is appropriate.

When questioned about the clampdown, Apple's Lynn Fox had the following to say.

We are working with SecureWorks, and we're always open to hearing from other security researchers on how to improve security on the Mac. We don't have any further comments.

Due Credit?

When previously questioned about the role of Ellich, Maynor, and SecureWorks in their recent batch of security fixes, Apple strongly denied they were in any way a part of the research that led to the fixes. Now suddenly they're all best buddies again and collaborating as always.

Others have seen duplicity even further back. David Burke wrote:

Something is up here with this whole packet capture issue. Lynn Fox says on the one hand Maynor only talked of one vulnerability, which didn't apply to Apple products, and on the other hand they got Maynor to repeatedly promise to send packet captures? Something is rotten in Denmark without further explanation on that.

The Real Thing

Brian Krebs is just as puzzled - and suspicious. He witnessed not only the recorded demo at Black Hat - he got a live presentation, the full transcript of which can be found here. Krebs explicitly reported:

The flaw is in fact in the Macbook's wireless device driver, which is made by a third party.

The Fanboy Attack

Shortly after David Maynor's presentation at Black Hat an orchestrated assault began on him and his company. Macworld's Jim Dalrymple started the attack off on 17 August, followed this up the day after with a new article with the amazing subheader 'a claimed security hole in Apple's MacBook has been exposed as a misrepresentation' - and this led into David Chartier's piece at TUAW which went so far as to claim SecureWorks admitted falsifying the whole story.

Meanwhile the 'gray shirts' located Maynor and started sending threats. One fanboy wrote to Maynor:

I'm going to fucking kill you and your dog!

To which Maynor replied:

I don't have a dog.

Maynor also revealed that the bogus stories were deliberately set up in the Apple fanboy press to result in this effect.

The Patches

Then on 19 September Apple nevertheless released the patches. The patches affected all Apple computers, both Intel and PowerPC: the Power Mac, the PowerBook, both iMacs, the Mac Pro, the Xserve, both Mac minis, the MacBook, and the MacBook Pro.

Said Apple spokesman Anuj Nayar:

Basically, what happened is SecureWorks approached Apple with a potential flaw that they felt would affect the wireless drivers on Macs, but they didn't supply us with any information to allow us to identify a specific problem. So we initiated our own internal product audit, and in the course of doing so found these flaws.

But this testimony goes against what Apple's Lynn Fox reported. And now SecureWorks, possibly without but more likely with assistance from Apple Computer, have closed down the show.

The Rant

David Maynor could not take stage - but his partner Jon Ellch could. And did. And although he did not answer questions about the incident, he did release the text of a file he called a 'rant' - aimed squarely at Apple and SecureWorks.

So, most of you know that we were supposed to be talking about exactly what happened with us regarding Apple and the Black Hat talk we gave. Most of you probably also saw that SecureWorks told a few reporters that they were not letting Dave give this talk.

I can not give this talk without Dave.

A lot of people think that Dave just flaked out and missed his flight or something. That is not the case.

Dave very much wanted to be here. The fact that SecureWorks/Apple managed to compel him not to means that they must have had something very compelling to stop him. I'm not supposed to talk about what that is.

Mac bloggers everywhere will view this as some sort of victory. There are already people writing that the SecureWorks stopped Dave because we were going to get up here and say that it was all fake.

Right.

We reserved an entire speaking slot just to tell people we pulled a fast one.

Let's recap this thing:

We give a talk saying that device drivers have lots of bugs. We demo one bug in Apple. A few days later, when Apple starts flaking on a patch, we tell them we are going to do a live demo of it at Toorcon, so it would be a good idea to get it patched before that.

Apple says that it doesn't exist, and we didn't talk to them about it.

A few weeks later (one week before Toorcon) they patch it and say we had nothing to do with it.

One day before [our Toorcon] talk, SecureWorks and Apple get together and manage to stop Dave from coming. They also issue this cutesy press release:

'SecureWorks and Apple are working together in conjunction with the CERT Coordination Center on any reported security issues. We will not make any additional public statements regarding work underway until both companies agree, along with CERT/CC, that it is appropriate.'

That's funny, I thought there was no bug. And I thought SecureWorks provided no useful information to Apple.

Here's [Apple's] Lynn Fox on record with George Ou:

Q: Did SecureWorks ever disclose the packet captures of the malicious payload used to trigger said vulnerabilities?

No. Packet captures were promised repeatedly but never delivered.

Q: Did SecureWorks ever provide driver disassemblies pertaining to said Wi-Fi vulnerabilities?

No. While SecureWorks did provide a driver disassembly, it did not indicate a Wi-Fi vulnerability in any Apple product.

Q: Did SecureWorks ever provide crash dumps pertaining to said Wi-Fi vulnerabilities?

No. While we received crash dumps from SecureWorks, they didn't have anything to do with Mac OS X or any other Apple product.

Q: Did SecureWorks ever point to the location of the vulnerable code of said Wi-Fi vulnerabilities?

No.

Q: Do any of the current patches released by Apple match any of the characteristics of the information provided by SecureWorks?

No.

So, if SecureWorks provided them with virtually nothing useful, then what the hell could they have to coordinate with CERT? And why did they wait till one day before Toorcon to decide this?

People have called me and Dave a lot of things. First, we were total frauds that faked everything. After a patch was out, we were mostly upgraded from frauds to unprofessional.

Let's talk about unprofessional.

Apple and SecureWorks had 2 months to stop Dave and I from giving this talk. Why wait till the day before? Neither Dave or I found out about this till yesterday morning. How is that professional?