There's something about the statements in the whole Secureworks controversy that had been bothering me (aside from everything else), and I just now put my finger on it. It's the illogic shown in this statement:
I was given assurances that Maynor would publicly demonstrate the exploit I saw in person in Las Vegas, wherein he used a Windows laptop to remotely compromise a Macbook by targeting what he said were vulnerabilities in the Mac's wireless device drivers. He demonstrated the flaw publicly in August, but he used an Apple laptop equipped with a third-party wireless card (a step he said he took to give Apple time to look into the vulnerability).
The reasons given for this make no sense in light of the fact that the "exploit" was videotaped. The reason given for that was to avoid people with packet sniffers being able to suss out the exploit.
But if that's the case, then videotaping a third party driver did nothing to enhance the security of the system. They didn't show enough to duplicate the hack, and if, as they claimed, the built-in MBP drivers had the EXACT SAME VULNERABILITY, then how did using a third party card give Apple more of a chance to fix things? If it's the same, then the risk to Apple was identical.
If you were worried about people sniffing it out, then the videotape took care of that, so why not show the stock drivers?
I know I'm not the first person to realize this, but it's the illogic behind the explanations that has been bothering me.
Again:
If the third party card drivers are the same as the MacBook drivers, then performing the attack on them did nothing for Apple, since, by that theory, if the problem could be duplicated from the videotape, the stock MBP drivers were just as vulnerable as the third party drivers.
If the demo was videotaped to keep people from sniffing it out, then there was no extra risk in using a stock MBP out of the box as the victim. At that point, the third party drivers merely introduced an extra element into things that was unverifiable, and raised doubt as to the veracity of the test.
Even then, why not demo the hack to their worst critics? Convincing someone on your side already, while easy, is merely preaching to the choir. That's like getting Bill Gates to testify that Windows is the best OS in the world. Sure, he can sound good, but he's biased. However, showing the hack to John Gruber, or Glenn Fleishman? If you convince someone who is against you that you're right, then you gain FAR more credibility, because they gain nothing by admitting they're wrong.
The whole "Oh, they aren't going to understand it" thing is stupid. If Ou is capable of getting it, so're John and Glenn. They're pretty smart fellers.
But every time I read the explanation behind the reason for the setup of the videotaped demo, I add 1 + 1, but I'm getting 3.5, and that means there's something missing from that explanation, and I've yet to see that missing element.
