Blog

Maynor Pulled from ToorCon

By Rich

Statement from SecureWorks:

SecureWorks and Apple are working together in conjunction with the CERT Coordination Center on any reported security issues. We will not make any additional public statements regarding work underway until both companies agree, along with CERT/CC , that it is appropriate.

I’ve been told Maynor is no longer speaking at ToorCon.

I’m disappointed, but it’s obvious there’s now something going on with CERT.

I stand by my statements that Maynor and Ellch are responsible security researchers that helped advance Mac security. At this point, I don’t have any other comments, this has dragged on far longer than it deserves.

My Mac is more secure today thanks to Dave and John. That’s the most important result of this entire debacle.

I expect we’ll all eventually learn more, but as of now this is officially buried.

Update: Ou is still headed to ToorCon and has some other points. I really doubt there will be any legal action, everyone wants this dog dead, but it will be interesting to see what happens at ToorCon.

No Related Posts
Comments

[...] The two researchers, David Maynor and Jon Ellch, who allege to have documented flaws in Apple’s Wi-Fi security no longer speaking at Toorcon: The description is still up, but Securiosis notes that SecureWorks has released a statement that the firm, Maynor’s employer, is working with the CERT Coordination Center and Apple. Neither firm will release more statements until CERT and the two firms agree, SecureWorks states. (Ellch (”Johnny Cache”) doesn’t work for SecureWorks, but has deferred to them because of his partner in research. I have been told that Ellch recently completed graduate school and took a job with another firm, although his Web page reveals little.) Update: Ellch told News.com that he wouldn’t deliver the talk without Maynor, and also confirmed with Apple that it is working with SecureWorks. Later update (see below): Ellch gives a rant at Toorcon. [...]

By Wireless news


Reasonable question, but a big difference.

The Firefox dudes are outright frauds, with no industry history, who admitted they have nothing.

Maynor and Ellch have solid industry reputations before this incident, showed a working demonstration on a third party adapter (which I witnessed), and have stated they are working with the vendor involved (Apple). Apple’s denied they provided useful information, yet Maynor was pulled at Toorcon, SecureWorks stated they are working with Apple and CERT (after Apple patched exactly what Maynor and Ellch demoed in the third party adapter, and stated SecureWorks wouldn’‘t provide them with information), and Ellch revealed he and Maynor were planning on demonstrating an exploit at Toorcon before Maynor was pulled and SecureWorks mentioned the CERT work.

I wish I wasn’‘t bound by confidentiality, but I can state confidently that there is NO relation between these incidents.

If Maynor and Ellch totally faked all of this I would condemn them, not defend them. I’‘ve seen enough to believe that Dave and John are excellent security researchers caught in a situation that spun out of control.

I believe they found real vulnerabilities, and know for a fact they found a real third party vulnerability. Apple’s statements corroborate that information was shared; there’s just (major) disagreement on the value of that information or exactly what was shared.

That is a heck of a lot different than bullshit claims of 30 Firefox flaws.

By rmogull


Hi Rich, The recent firefox hoax makes me think differently of your statement:

"My Mac is more secure today thanks to Dave and John. That’s the most important result of this entire debacle."

The firefox developers seem to be looking over their code based on this hoax. If they were to find a bug, should we thank the perpetrators of the hoax?

By dgtruckses


Rich;

I’‘m not one of the deniers;  I’‘ve always been on the open minded side of the possibility of an Apple vulnerability.  I just haven’‘t been impressed with SecureWorks’’ or Maynor’s and Ellch’‘s(M&E’‘s) behavior in this saga.

Yes, I know that they used two cards in the demo - but they should have mentioned that it was part of their methodology and why.  They should not have mentioned that the internal Airport was vulnerable, but now I think that’s because I don’‘t think they had the code for it ready at the Black Hat.

I am now of the opinion that they finished the code for the internal Airport exploit by a week of two after that, but held onto it for ToorCon.  It is easy to feel justified in something like that after the public scalding they received, but it was, I think, a mistake.

Why?  Because I think SecureWorks found out that they had it and hadn’‘t released it to Apple, but were going to release it at ToorCon.  That is why I think the ToorCon talk was pulled, because SecureWorks went to Apple with the code last week and convinced them to work with them to fix the issue.

Makes sense, and fits the public facts.

Of course, I don’‘t know what you and Ou or Krebs may have been told, so I could be wrong.  I don’‘t know either gentleman, so I don’‘t know if this would or would not be in character, but it wouldn’‘t be a surprise, given the slamming they got in the blogs. Other researchers have released code before, they call it full disclosure, and that often seems to come after they have been slighted in some way by the manufacturer, from what I’‘ve heard.

So I don’‘t really know, this is a guess, based upon what I’‘ve heard.  But it’s no worse than anybody else’s take on it.

By rahrens


[...] Securosis: Maynor Pulled from Toorcon [...]

By ToorCon: elmaradt Maynor és Ellch előadása - Wo


Rich:

As always, thanks for your answers.  Dead dog?  George Ou is loving the hits right now.

I give the washingtonpost.com points for caring about security issues.  However, my personal feelings about Krebs as part of the story aside, I’‘m not really sure "mainstream" publications can cover these subjects without resorting to excessive hype and shift facts.

See Jack Schaffer’s comments on the New York Times and identify theft as an example

http://www.slate.com/id/2150543/?nav=fix

I’‘d agree, by the way, that Apple does need to do a better job playing in the security sandbox.  However, they are what we call a "special" child and have problems playing with everyone.

By bkwatch


everyone wants this dog dead

Except the faux journalists like krebs and ou.

By dgtruckses


Heh. I’‘m always up for a good debate. I don’‘t think Krebs is all that bad, and when you get down to it he’s the only security reporter at a major newspaper.

No- I didn’‘t expect this development at all. It also now means what I did expect I can’‘t talk about.

There are plenty of cases where the vendor disagrees with the flaw or its implications. That’s actually pretty common, but it never makes it to the first page of Digg. Microsoft used to do it all the time but are actually pretty good these days.

So the saga continues… it’s kind of nuts at this point.

By rmogull


Rich:

I’‘m not sure how either Maynor or Ellch have helped MacOSX security, but I do think they helped the state of security research move forward generally.  You may be confident that they discovered something specific to the Mac, but now, two months after their annoucement, there is ZERO public evidence for the rest of us.  The crow is I was cooking after Apple released drivers is now on old—however I did find a really nice recpie with rosemary and thyme that should taste wonderful with the cold weather up ahead. *

You alluded this week to "interesting developments";  is this the interesting development you had in mind—and I am not asking you to share with us details if it is not.

Can you recall another instance where a security researcher and the company disagreed on whether anything was discovered?  Not a challenge, just am curious.  The Lynn case involved a patch that Lynn felt was not being pushed hard enough by Cisco?

*  Ok, I’‘ll grant you that the noise created after their demo appears to be the cause for the Apple security audit (if you take Apple’s word), however, that is not traditional security research, no?

As always, nice debating with you. I was going to say some nasty things about your comments on Krebster’s latest story, but I don’‘t want to be too much of a "hater"

By bkwatch


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.