[Dailydave] This guy cracks me up. (MindsX)

[H D Moore]

John,

Your arrogance and complete naivete in all things security has finally 
gotten to me. Replies are inline:

On Monday 04 September 2006 17:41, John Gruber wrote:
> If so, do you have an exploit against the built-in AirPort card
> and driver that even vaguely resembles the video demonstration you
> showed at the Black Hat conference?

If he had one, he can't share it, since it is owned by Secureworks, not by 
Johnny. I saw their Black Hat presentation, I know both of them 
personally, and I would stake my reputation that neither one of them is 
blowing smoke when they say they have a working exploit. More than 
likely, you will never see this exploit, but the bug details will be 
posted by Secureworks once the patch is released by Apple. Secureworks 
sells IDS services, sharing exploit code goes against their own 
disclosure policy (just like sharing bug details before a patch does).

> Are you therefore saying that Lynn Fox's statement that you'd
> shown them "no evidence" was an outright lie?

Who cares? The only entities with real information about the Apple driver 
bug are Johnny, David, Secureworks, and Apple. This is how it will stay 
until the patch is released. Johnny published the technical details to 
reproduce the bugs he personally found. If this doesn't display some 
level of "evidence", no amount of bloggery and "challenges" will.

> >     2) Responding to mac bloggers isn't my idea of a good time.
> >     Nothing I could say would ever convince them.
>
> You could easily convince me by showing me, or someone I trust, a
> stock MacBook getting hijacked or otherwise attacked.

Lets try a different scenario.

You could easily convince me that you aren't a moron by flying to Austin 
(TX) and taking a standard IQ test in front of me. If you don't show up 
by next week, I will have proved that you indeed are a moron, and will 
post to my blog to make it seem credible. If you do show up and score 100 
or higher, I will pay for your airfare, otherwise you walk home. 

Sound fair?

> > This isn't even a personal attack against them; it's that they
> > lack the technical skills required to understand this problem.
>
> Letting aside for now the idea that I couldn't possibly understand
> the details of "this problem", I fail to see why that would
> prevent you from answering a few basic questions about your
> findings. 

> The details certainly matter, but what matters more are 
> the basic implications.

The implications are obvious if you understand the details. If you don't 
understand what remote code execution at ring-0 means, its not Johnny's 
job to educate you (nor mine). It also not Johnny's job to feed you with 
quotes to post on your blog.

> My frustration is that neither you nor Maynor have answered the
> simple yes/no question of whether you've found an exploit against
> the stock MacBook AirPort card and driver.

Welcome to the world of vulnerability disclosure, disclosure policies, and 
corporate politics. Johnny posted enough details to back his claim about 
the Centrino driver issues (a flaw that probably affects more systems 
than Apple has actually shipped). The Apple driver bugs will have to wait 
for public patch release. If you don't like it, tell Apple to fix their 
code faster.

> So this attack crashes the machine?

Code execution at ring-0, do you understand it?

> Even if you've been threatened, legally, by Apple, and thus feel
> you can't or shouldn't reveal any technical details regarding what
> you have found, why not at least state specifically the nature of
> the legal threat(s) against you?

Gee, if a large company made legal threats against you, and one of the 
terms of out-of-court settlement was to not comment on it publicly, what 
would you do? Rise to the challenge of some self-righteous blogger and be 
sued into oblivion? I don't know whether this is the case, but use some 
common sense please.

-HD