I’m catching up from being out (or sick) most of the holidays, so this is a bit of old news.
Dave Maynor is no longer with SecureWorks (his decision) and has joined us in the blogosphere over at Errata Security (his new employer).
I suspect he’s still bound to keep details of the Mac WiFi fiasco under wraps, so don’t expect any new insight on that issue. He also got a bit of fame in this article.
Dave’s a good guy who got caught in an extremely bad position. It’s nice to see him in public again, and nice to see another professional researcher hit the blogs. In the past he’s been against full disclosure, so it will be interesting to see how he reacts to the Month of Apple Bugs after his recent experiences.
10 Replies to “Maynor is Free… And Blogging”
DM: I don’t personally care about Cisco. If they were replaced by Juniper next month (yes, I know it couldn’t happen next month), my life would be unaffected. I’m sure there’s a boatload of sludge in Vista, and that it will be more secure than XP. Not nearly as important or interesting to me as MOSX, Macs, & Apple, and neither of those outfits was the centerpiece in CBS.
And TiVo Series 1 requires no DRM hacking, because the “encryption” (I think it’s an XOR with the serial number) was added in S2, so I watch most of my TV on the Treo via TCPMP—trivial commercial skipping, and no cost per episode.
PS-I didn’t read all your posts, sorry—I read a few and checked to see what the blog said about the MoAB, which is what I was looking for.
I can transfer from my TiVo to my PSP- which is widescreen 🙂 and if you hack it, no DRM. And it’s free (depending on your TiVo subscription).
I’ve been avoiding iTunes for TV because of the DRM- it just irks me. My lack of a video iPod might be the other reason…
iTunes is better than tivo because I can sync my videos to my ipod. Plus if I am watching something then pause it and sync my ipod I can pick up on the ipod from the paused location.
itunes + ipod > tivo
Dude. TiVo 🙂
I tested it on Tuesday. I haven’t mentioned it on my blog because I tested it on Tuesday and I haven’t blogged about it since I have not written anything about the MoAB since Monday. I don’t really think this is a big deal since I work with 0day all the time.
As for my company’s alignment you might be right. I find it curious how you overlooked my obvious alignment against Cisco, or Microsoft (with the zune bashing and the Vista crack analysis), or Bittorrent…the point is just because I am critical of something doesn’t mean I have a hidden agenda. I am critical of almost everything in the security community, that’s my job. I am happy to say nice things about Apple when it’s not security related (I am writing this while watching the latest episode of The Office I downloaded from iTunes a few minutes ago…I can’t see how anybody watched commercials before iTunes).
Maynor: No, I don’t know you. And I don’t have any reason to dislike or disbelieve you, although Rich’s confidence that you’re legit is a strong argument for me.
But again: I don’t know you. You have no special credibility with me. I believe you’re certainly capable of finding a major 802.11 exploit, and I’m sure you found something, but the evidence that’s reached me (second, third, and fourth hand) is FUBAR, so I don’t have an informed opinion, and I know it.
On the other hand, you were in the middle of a shitstorm. I’m quite certain you got screwed by at least one of the players, but I don’t know you—so I have no conviction that you’re an honest crypto-knight jousting against the windmills in Cupertino, either.
FWIW, there’s nothing personal in my opinions of you—I have no basis for personal opinions. This means “you just don’t like me” is not it, and I don’t want to hold you to a double standard. Nobody came out of “Security Bitch Watch” smelling of attar of roses, although I thought John Moltz was pretty funny.
I wasn’t at Defcon. I do perceive an alignment of your outfit against Apple in the posts I cited, though.
And I still don’t know your connection with the MoAB VLC exploit.
Dave- you should put some of this up on your blog, rather than getting it lost in our comments…
@PEPPER
Let me explain how I feel about the MoAB. I have never been and will never be a fan of full disclosure. I don’t see how full disclosure helps many people. It is in odd situations like the way Apple deals with security that necessity makes strange bedfellows.
I often get asked that being a researcher if I feel that what I do makes the job of sysadmins and network admins harder. The argument is that if I hadn’t found the problems there would be nothing to patch. This really stuns me because often these people who are insulting me in a way have just told me they think I am the smartest researcher to ever load a binary into a disassembler. This may seem odd to some people but if I found the bug there is a very, very good likelihood that someone else has as well. With organized crime families and foreign governments paying for exploits it also seems likely that people who look for exploits for malicious gain have more incentives than people that do it as a hobby or someone who has 15% of their job dedicated to it. I suspect the need to eat motivates people harder than the bragging rights around the office to find new vulnerabilities.
With all that being said I find it hard to swallow that some companies go out of their way to convince people that they don’t have security problems. If you want a comparison to how Apple is doing, look at how researchers treat Oracle. Both Oracle and Apple take about the same amount of time to patch bugs (sometimes years). So no, I don’t have a grudge against Apple, I have a grudge against Apple PR. I will say this once and for all: I never said I wanted to stick a lit cigarette in any Mac user’s eye. I said I wanted to stick a cigarette in the eyes of the actors in the commercials (and if you have ever seen Jeepers Creepers I would assume you would as well…I am just kidding, I loved that movie). In addition to that I also apologized publicly at Defcon in a packed room for any confusion by the quote.
As far as my blog trashing Apple: the three posts you mentioned, I only wrote one of them, my partner wrote the other two. As far as self promotion what blogger do you know that doesn’t mention talks they have given in the past or about their company? Of the security related blogs I read it is a fairly regular occurrence. Isn’t a blog supposed to be a way to keep people informed about what you are doing, have done, and plan to do?
Maybe you just don’t like me and want to hold me to a different standard than everyone else, if so…good for you!
Yeah- it’s a corporate blog so I’ll give him a little slack on the self promotion. Also, I suspect he might have a bit of a grudge with Apple for some strange reason.
They’ll realize soon enough that the best corporate blogs provide insightful information, and I expect to see more of that as they settle in. Matasano is a good example.
I hope he blogs some of his techniques and research- I was privy to some during the Mac WiFi thing, and it’s some good work.
Rich,
Based on the content of that blog, it looks to me like Maynor has already decided how he feels about the MoAB. Of 6 relevant posts, 3 take pokes at Apple, and 3 plug Errata Security and/or Maynor & Ellch.
The confusing thing for me is that Maynor is credited with the (original?) Windows flavor of their VLC exploit, but doesn’t mention it in their posts linking to the MoAB.
http://projects.info-pull.com/moab/MOAB-02-01-2007.html