http://enterprise.linux.com/article.pl?sid=06/09/04/138253 By Joe Barr September 04, 2006 Jon Ellch -- aka Johnny Cache -- was one of the presenters of the now infamous "faux disclosure" [1] at Black Hat and DEFCON last month. Ellch and co-presenter Dave Maynor have gone silent since then, fueling speculation that the entire presentation may have been a hoax. Ellch finally broke the silence in an email to the Daily Dave security mailing list [2] over the weekend, and one thing is clear: he is chafing under the cone of silence which has been placed over the two of them. Ellch explains their silence since the presentations in his email by saying: Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch. Whether or not this position was taken after a special ops team of lawyers parachuted in out of a black helicopter is up for speculation. He also went on to explain that while the debate was centered in the Mac blogger community, it made no sense to discuss it because most of them wouldn't understand the explanation if he gave it, adding, "Since this conversation has moved into a venue of people who can actually grasp the details of this, I'm ready to start saying something." Ellch then breaks down the elements of the vulnerability and possible exploits, but in the context of Intel drivers rather than Apple's, asking and then answering the obvious question of why he did so when he wrote: "Why am I switching the subject from Apple's bug to Intel's? Because it's patched, and Secureworks has no influence over what I say regarding this one." He buttressed his explanation of how he crashed the Intel Centrino driver by creating a race condition by flooding it with UDP packets and disassociation requests with links to dumps of crashes he caused using this technique. Ellch notes that a crash caused this way doesn't guarantee a successful exploit, saying "If you're lucky, your UDP packet will end up on the stack. If you're less lucky, a beacon packet from a nearby network will end up on the stack. In the case where I successfully overwrote eip (Extended Instruction Pointer), the UDP packet was 1400 bytes." He also responded to criticisms that he and Maynor have simply been "playing the media" instead of reporting an actual vulnerability and exploit, saying: You know, of all the comments I see, the ones that 'we played the media' make the least sense. Have you ever seen me in the news before? No. Have I ever talked to a reporter before? No. Am I doing a very good job of winning this PR smear campaign lynn fox ignited? No. If I was so deft at manipulating the media, would I be explaining myself on dailydave praying that a few technically competent people will actually get it? I contacted Ellch by email after reading his post and asked if he was claiming Apple is the cause of their silence. He replied: Let's just say its pretty obvious I'm not happy about being silent. So much so that i'm releasing non-apple bugs to convince people that we do in fact know what we're talking about. [1] http://software.newsforge.com/article.pl?sid=06/08/08/1351256 [2] http://lists.immunitysec.com/mailman/listinfo/dailydave _________________________________ HITBSecConf2006 - Malaysia The largest network security event in Asia 32 internationally renowned speakers 7 tracks of hands-on technical training sessions. Register now: http://conference.hitb.org/hitbsecconf2006kl/
This archive was generated by hypermail 2.1.3 : Mon Sep 04 2006 - 22:34:45 PDT