John Gruber flames out during cross examination

John Gruber at the Daring Fireball has done this super long analysis of the current Mac driver-gate fiasco. Gruber goes on record to state that "Brian Krebs has 'dugg' himself a mighty deep hole" and that I George Ou is "going down with the ship". At first glance when you read it without carefully examining the facts, Gruber sounds somewhat plausible. But one of my readers David Burke who is a very smart legal professional took it upon himself to cross examine Mr. Gruber's analysis and it appears that Gruber wouldn't even pass a collegiate course in "logic and critical thinking". Mr. Burke was kind enough to let me reprint it here and I thank him for it.

John Gruber at the Daring Fireball has done this super long analysis of the current Mac driver-gate fiasco.  Gruber goes on record to state that "Brian Krebs has 'dugg' himself a mighty deep hole" and that I George Ou is "going down with the ship".  At first glance when you read it without carefully examining the facts, Gruber sounds somewhat plausible.  But one of my readers David Burke who is a very smart legal professional took it upon himself to cross examine Mr. Gruber's analysis and it appears that Gruber wouldn't even pass a collegiate course in "logic and critical thinking".  Mr. Burke was kind enough to let me reprint it here and I thank him for it.

Here is David Burke's cross examination of John Gruber:

In response to John Gruber's analysis

It’s an interesting article, but there is an error students of logic and critical reasoning will discover when they read through it, and it is a very critical error in the bloggers main concern.  His main concern appears to be from the following quote;

We do have enough facts, however, to know with certainty that some of our protagonists will not emerge with their reputations intact. Someone, clearly, is either lying or incompetent (or both).

For example, from Apple’s statement on Friday, we know that if Maynor and Ellch have identified an exploit against a stock MacBook, that they have not yet contacted Apple (or Atheros) with details about the vulnerability — which is both enormously irresponsible for ostensibly professional security researchers, and which contradicts statements they previously made to Brian Krebs that they had been in contact with Apple regarding their discoveries. Or, if they have contacted Apple, the statement issued by Apple’s Lynn Fox is flat-out false and Apple has committed an enormous, almost incomprehensibly foolish mistake, because such a mendacious lie will prove far worse for Apple than divulging a Wi-Fi exploit that, if it actually exists, is surely going to come to light soon anyway. I.e. why would Apple lie about this if Maynor could call them on it?

On the other hand, if Maynor and Ellch have not identified an exploit that works against Apple’s standard MacBook card and driver, then the only possible explanation for what Brian Krebs has reported — that Maynor told him that the default MacBook drivers are “identically exploitable” to those used in their video — is that either (a) Maynor and Ellch are liars and frauds; (b) Brian Krebs is an incompetent hack who grossly and utterly misquoted and misstated what Maynor had told him; or (c) Krebs was in over his head and did not understand the issues he was reporting on.”

By the bloggers own evidence this is incorrect unless he has left out some critical evidence he knows of to support his concern which appears unlikely.  Sorry for the following extended quotes, but this is the evidence he uses to support his concern, search the link if you would like to double check;

"Fox’s statement on behalf of Apple is unequivocal: Maynor and Ellch’s exploit involves neither the MacBook’s standard Wi-Fi hardware card or software driver. That, of course, does not mean that Apple’s standard driver isn’t somehow similarly vulnerable, but if it is, Maynor and Ellch have not demonstrated such a vulnerability to Apple, according to Fox.

Further, Bill McFarland, the chief technical office of Atheros Communications, the company that produces the built-in AirPort chipsets Apple includes in every MacBook, sent the following message to Brian Krebs via email:

'Atheros has not been contacted by SecureWorks and Atheros has not received any code or other proof demonstrating a security vulnerability in our chips or wireless drivers used in any laptop computers. We believe SecureWorks’ modified statement and the flaws revealed in its presentation and methodology demonstrates only a security vulnerability in the wireless USB adapter they used in the demo, not in the laptop’s internal Wi-Fi card.'

But back on August 3, in a follow-up to his original 'Hijacking a MacBook in 60 Seconds or Less', Krebs wrote:

'During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers — mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in MacBook drivers. But he also admitted that the same flaws were resident in the default MacBook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default MacBook drivers are indeed exploitable.'"

The statement made by Gruber relating to Fox on behalf of Apple simply indicates that the actual test performed to show the exploit only demonstrates it can be done with the third party drivers and hardware, it does not say that there has never been a claim made to Apple that such an exploit could be shown to them, or was offered to be shown to them, or was told to them that such an exploit does exist on a stock Apple system, or that Apple had never been made aware of such an exploit on a stock Apple system or Apple never requested such a stock system exploit not be demonstrated at Black hat.  Fox’s statement simply says; Maynor and Ellch have not demonstrated such a vulnerability to Apple. 

While Atheros appears not to have been contacted by Secureworks nobody has claimed that Secureworks has contacted Atheros, but in fact it is wholly possible that Apple has in fact been contacted by Secureworks as there is no denial by Fox or any other evidence supplied that Apple has not been told such an exploit exists and in fact Gruber does go so far to admit in his analysis of Foxe’s statement; “That, of course, does not mean that Apple’s standard driver isn’t somehow similarly vulnerable”  Apple may in fact fully well have been contacted by Secureworks and may be quite aware the exploit exists and are working on it.

At no point in Lynn Fox’s statement does she ever claim that Secureworks has never ‘told’ Apple such an exploit could be performed on a stock Apple so Lynn Fox has certainly not lied about what this blogger claimed she might have.  Further there is absolutely no evidence shown by this blogger that Secureworks did not tell Apple such an exploit could be demonstrated on a stock Apple system or any denial that Apple asked them not to use a stock Apple system in their demonstration.

So his main concern is garbage.  See why you need trained people to examine the evidence? Sometimes what looks obvious is not.
End of cross examination

 

I responded to David Burke with the following in email:
John Gruber -
"For example, from Apple’s statement on Friday, we know that if Maynor and Ellch have identified an exploit against a stock MacBook, that they have not yet contacted Apple (or Atheros) with details about the vulnerability — which is both enormously irresponsible for ostensibly professional security researchers"

George Ou - I'm no lawyer, but this is a grossly incompetent assumption.  Fox never stated SecureWorks never contacted them, they only said that no code was shared.  You're not entitled to a researcher's code which they spent time developing.  Giving them the actual malformed packet that triggers the exploit and a pointer to the location of the flawed code is standard practice.

David Burke responded:
"Exactly George, all those kind of claims stick out like a sore thumb when you start reading through his extensive post to see what he is presenting for evidence of such claims.  At no point does he supply any evidence or quotes that indicate that Apple says they were not notified that such an exploit exists and the whole demonstration was a surprise to Apple.  In fact, the stories of Apple putting some pressures on them not to go with a stock Apple system may lend a possible indication to the way this unfolded.  Apple was told about the exploit and what was going to go down in the demonstration, Apple was surprised and at some point at least asked that it not be turned into a big "Apple Haters" demonstration and there was some level of compliance with Apples wish's and a third party card and driver was used, but the testers let it out to the reporter that there was more to the story and that the stock Apple could be hacked just the same.  I have no idea what actually happened, but I also know that what Gruber used as an explanation for his theory is groundless."

Again, thanks for your superb logic David.  While I know for a fact that Gruber is wrong and doesn't know what he is talking about since I'm sitting on sensitive information at this point, I'm amazed that you can take Gruber's own analysis and take it apart and get eerily close to what the truth is.

  • How did Atheros get pulled in to Mac wireless-gate?
  • John Gruber flames out during cross examination
  • Vicious orchestrated assault on MacBook wireless researchers
  • Newsletters

    You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
    See All
    See All