A site dedicated to finding the truth behind the "Hijack a Mac in 60 Seconds" article which appeared in the Washington Post -- and the truth behind the author of the article -- Brian Krebs

Wednesday, September 19, 2007

Krebster, Krebster, Krebster.

Will you never learn?

I am a fat lonely slob who sits at work all day and fantasizes about you. Really. It's true.

And my angst is directed at you because I personally dislike you, not because you are a crappy wanna-be journalist.

So you should really learn that nobody besides you ever reads this blog. I don't even read it.

So here's a hint: When your little pal Maynor finally says something in public, the first thing you should do is NOT come here and leave a self-serving comment.

To wit:

United States, 72.205.11.34 [ 1/1 ]
ip72-205-11-34.dc.dc.cox.net

Client:
WinVista [1280x800x32]
Firefox 2.0[JavaScript: 1.3, Cookie: Yes, Java: Yes]

Path:
12:32:28 — http://briankrebswatch.blogspot.com/

Oh, who is this?

Two things jump out.

First, it is someone who typed the name of this website in directly. Now, although I am a proud daddy, when I try to find my little baby even I have to go to Google to remember how it works. But this is someone who has the address burned into memory -- or at least into bookmarks, since I haven't made a post here in over six months.

Second, it is listed as dc.cox.net. That is funny. DC doesn't have Cox cable. Only Fairfax County does.

And now this:

United States, 72.205.11.34 [ 1/1 ]
ip72-205-11-34.dc.dc.cox.net

Client:
WinXP [800x600x32]
Firefox 2.0[JavaScript: 1.3, Cookie: Yes, Java: Yes]

Path:
18:40:54 — http://briankrebswatch.blogspot.com/

Wow. How interesting. Looks like the same visitor. Except this time they are on a WinXP box, with a much smaller screen.

Who could this be?


And then this: my gmail account sounds an alarm. An email after months!


Anonymous, 6:42 pm (3 hours ago)
Anonymous has left a new comment on your post "Maynor speaks! (but from Feb)":

Well, given today's developments, I'm guessing you're willing to apologize to Brian Krebs about his reporting of the very real flaw discovered by Maynor.


Posted by Anonymous to Brian Krebs Watch at 6:42 PM


Wow! How exciting! Who could this be?

Well, it had to be the visitor from Cox -- as that is the only person logging in around 6.

And who lives in Cox Country??

None other than Brian Krebs!

So good to have you around, Krebster.

But no -- I am not going to apologize. More to come on that... First we have to see what we think of Maynor's story.

(oh, and Krebster: you have your own blog. If you want to say "I was right!" please go ahead and say so. Ridicule will follow.)

Friday, March 23, 2007

Maynor speaks! (but from Feb)

Macalope reader WH has discovered a new post by Maynor:

Errata Security: More on the Apple wifi blunder OR i am no longer gagged

dated February 3, a month before the Blackhat DC presentation.

This is by far the most rational and lucid explanation of Maynor and Ellch's behavior that I've seen.

Some new points that come out:

1) "Although Apple PR really wanted the statement to be extended to cover any demos given in person (Krebs, anonymous Blackhat employee) Secureworks couldn't do that. Minutes after this was posted Lynn Fox started pitching reporters a story that Secureworks had changed its tune based on the update."

2) "Also I am in the process of writing a book about horror stories of when responsible disclosure goes wrong with Apple being the flagship issues. Everything that happened will be detailed"

3) "One is that i don't trust their PR department not to try and smear me again, i feel that their handling of the Secureworks statement (which again was done at their request) pretty much proved this"

(ED NOTE: it should tell you something about how bad George Ou is as a writer that Maynor makes a more coherent claim of a vast conspiracy)

4) "With all this being said I am shopping for a new TV to make best use of my new Apple TV when it arrives. I write this on a new Macbook Core Duo 2 while listening to my ipod play an audiobook (World War Z) that I bought from iTunes. If you didn't know better you could also say I am a walking commercial for Apple."

Old lines: Apple's PR push has been "Maynor/Ellch haven't told us anything." Maynor's new line: "They backstabbed us by having SecureWorks post an explanation." Apple's new PR line....??? As I'm not part of the vast Apple conspiracy, I have no idea what Apple would say about this.

Thursday, March 22, 2007

Screen shot

As I've said many times, the problem with Maynor is when he opens his mouth a new story flies out.


Go look at Matasano. There is a small healthy discussion going on, and Maynor has tried to help out by posting a screenshot of a crash under 10.4.7.

Tuesday, March 20, 2007

Where's the Beef?

Ah, what a dream.

When George "Gerbils" Ou responds you can always find hours of entertainment by taking apart his posts.

And his latest is a doozy.

First, read the Macalope's coverage, then come back for highlights.

George starts off today by saying:
Last summer, when I wrote "Vicious orchestrated assault on MacBook wireless researchers," it set off a long chain of heated debates and blogs. I had hoped to release the information on who orchestrated the vicious assault, but threats of lawsuits and a spineless company that refused to defend itself meant I couldn't disclose the details

Let's compare that to what he actually wrote then:
Maynor was even more disgusted with the despicable way this story was set up and then planted in the press though I’ve been asked not to reveal any more details on this time.  What I can tell you is that Maynor and SecureWorks will not be taking this laying down and the fireworks will start in the next couple of days.

Two things pop out. First, George Poo promises to reveal everything in the now famous "couple of days."

Now to the hard evidence. George cites two new things that he didn't reveal before. First, he claims to have seen an email on August 19 that says Fox was asking SecureWorks and Maynor to post a statement on their website that the MacBook itself was not vulnerable to the attack. This email was dated August 15.

Curious? Look for yourself. If you download Maynor's most recent BlackHat DC presentation, you can find it on slide 51.

Now the second piece of evidence that Ou cites is that he talked to Lynn Fox of Apple PR sometime after seeing this email. (We don't know the date.) He asked her how MacWorld and the "unofficial Apple blog" got the information on the so-called confession. George says:

I got all my questions answered, but I can't disclose what she said since Fox refused to speak on the record.

How noble of you, George.

There are two problems here. First, George isn't revealing anything new. That PowerPoint presentation was released to the public on March 3, and was shown at Blackhat DC on February 28. This isn't secret information, George: it's been out in the public for a month.

Second, the only SECRET information that George apparently has is whatever Lynn Fox told him -- which he claims is off the record -- sometime after the 15th.

Ou cites two websites for publishing reports as part of the vast conspiracy. One published on the 18th, and the other on the 17th. SecureWorks itself posted a modified version of Fox's notice on its own website on the 18th.

So the vicious conspiracy comes down to two websites publishing information on a public statement Fox made on the 18th, and commenting on a posting that SecureWorks made on the 18th as well.

Wow.

Where's the beef, George?

A new SBW...

George Ou, going at it again.


Longtime readers will remember that on August 20th, George Ou promised the secret information from Maynor/Ellch would be released in a "couple of days".

And now George is back. A month after Maynor released his sources from speaking about his "exploit", George Ou is now saying that "the evidence" will be going up "this week."

Should be fun. Can't wait to see how long this watch lasts....

Tuesday, March 13, 2007

A Thousand Pardons

So far, no updates on the "Hijack Story". Despite Maynor's claim on March 2, ("the presentation and code samples should be up on both our site (erratasec.com) and the Blackhat site soon.") we still haven't seen the code.

**the presentation is available; and there is a script in the presentation that Maynor may be presenting as the "code" in question**

So I wanted to take a step back. This isn't really about Maynor or Ellch, in any case. They are security researchers, after all, and while you can criticize their disclosure techniques, that is really for the security research community to judge. This blog is about Krebster and his crappy reporting.

More than a few people have emailed me and said "Hey, Krebster isn't so bad, why pick on him?" Fair enough.

Let me detail three instances where Krebster screwed up, and then look at his responses.

The first is this, the "Hijack" story. I won't go into any more details.

The second is a bit more interesting.

In February 2006 Krebs wrote a story for the Washington Post Magazine on a 21-year-old botnet operator named "0x80". He included a picture in the online version of the story which contained photo metadata. From that, slashdotters were able to find WHERE Krebster's anonymous source lived.

Embarrassing mistake. And this is from the Post, which used to go to court to protect sources.

(ED: Poynter has a good roundup of the event.)

But look at Krebster's response, and this is the interesting part.

The Post does a LIVE series of chats with reporters and bloggers.

You can find the one Krebs did here.

Apparently Krebster was asked about this, but he refused to comment. The online picture was later removed.

Quote: Washington, D.C.: Are you aware that the Post failed to scrub the metadata from the images used in this article, leaving information about your town? This was picked up by users of the Web site Slashdot over the weekend. Using other clues in the article, they were even able to guess the intersection where you live. Have you been contacted by law enforcement personnel? Do you intend to take action against the Post?
Brian Krebs: As you know we take our obligations with sources very seriously and I don't want to comment about any speculation about sources.
Editor's Note: This question was edited to remove a specific reference to the town name.


But what we don't see is an apology -- perhaps that was a private matter. But the key thing is that Krebs's mistake in reporting distracted from the original story.
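The metadata leak above is a stripping problem, not an exotic one: a JPEG carries its Exif block (camera model, timestamps, GPS position, embedded thumbnail) in an APP1 marker segment that can simply be dropped before the file is published. The C below is an added example written for this page, not code from the Post, Slashdot or Krebs; it walks the JPEG marker structure, counts Exif segments, and rewrites the file without them. The sample JPEG is constructed inline (its Exif segment holds only a TIFF header, not real GPS tags), and the segment and function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define M_SOI  0xD8   /* start of image */
#define M_EOI  0xD9   /* end of image */
#define M_SOS  0xDA   /* start of scan: entropy-coded data follows */
#define M_APP1 0xE1   /* application segment 1: where Exif lives */

/* Is the segment at jpg[off] an APP1 segment with an Exif payload?
 * seglen is the segment's length field, which counts its own two bytes. */
static int is_exif_app1(const uint8_t *jpg, size_t off, size_t seglen)
{
    return jpg[off + 1] == M_APP1 && seglen >= 8 &&
           memcmp(jpg + off + 4, "Exif\0\0", 6) == 0;
}

/* Count APP1/Exif segments in the header (everything before SOS).
 * Returns -1 if the bytes are not a well-formed JPEG header. */
int count_exif_segments(const uint8_t *jpg, size_t len)
{
    if (len < 4 || jpg[0] != 0xFF || jpg[1] != M_SOI)
        return -1;
    int count = 0;
    size_t off = 2;
    while (off + 4 <= len && jpg[off] == 0xFF) {
        uint8_t marker = jpg[off + 1];
        if (marker == M_SOS || marker == M_EOI)
            break;
        size_t seglen = ((size_t)jpg[off + 2] << 8) | jpg[off + 3];
        if (seglen < 2 || off + 2 + seglen > len)
            return -1;                              /* length runs past the buffer */
        if (is_exif_app1(jpg, off, seglen))
            count++;
        off += 2 + seglen;
    }
    return count;
}

/* Copy jpg into out without its APP1/Exif segments; the scan data is left
 * untouched. Returns bytes written, or 0 on malformed input / too small cap. */
size_t strip_exif(const uint8_t *jpg, size_t len, uint8_t *out, size_t cap)
{
    if (count_exif_segments(jpg, len) < 0 || cap < len)
        return 0;                                   /* bounds validated by the count */
    size_t off = 2, w = 2;
    memcpy(out, jpg, 2);                            /* SOI */
    while (off + 4 <= len && jpg[off] == 0xFF) {
        uint8_t marker = jpg[off + 1];
        if (marker == M_SOS || marker == M_EOI)
            break;
        size_t seglen = ((size_t)jpg[off + 2] << 8) | jpg[off + 3];
        if (!is_exif_app1(jpg, off, seglen)) {
            memcpy(out + w, jpg + off, 2 + seglen);
            w += 2 + seglen;
        }
        off += 2 + seglen;
    }
    memcpy(out + w, jpg + off, len - off);          /* SOS, scan data, EOI verbatim */
    return w + (len - off);
}

/* Constructed sample pieces (not a real photo): a JFIF APP0 segment, a
 * minimal APP1/Exif segment (only the TIFF header; a camera would follow it
 * with IFDs holding GPS and camera tags), and a stub SOS + data + EOI tail. */
static const uint8_t SEG_JFIF[] = { 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 0x01,
                                    0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00 };
static const uint8_t SEG_EXIF[] = { 0xFF, 0xE1, 0x00, 0x10, 'E', 'x', 'i', 'f', 0x00, 0x00,
                                    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00 };
static const uint8_t TAIL[]     = { 0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00,
                                    0x12, 0x34, 0x56, 0xFF, 0xD9 };

/* Assemble a sample JPEG with or without the Exif segment; returns its length. */
size_t build_sample_jpeg(uint8_t *buf, size_t cap, int with_exif)
{
    size_t n = 2 + sizeof SEG_JFIF + (with_exif ? sizeof SEG_EXIF : 0) + sizeof TAIL;
    if (cap < n)
        return 0;
    size_t w = 0;
    buf[w++] = 0xFF;
    buf[w++] = M_SOI;
    memcpy(buf + w, SEG_JFIF, sizeof SEG_JFIF); w += sizeof SEG_JFIF;
    if (with_exif) { memcpy(buf + w, SEG_EXIF, sizeof SEG_EXIF); w += sizeof SEG_EXIF; }
    memcpy(buf + w, TAIL, sizeof TAIL);         w += sizeof TAIL;
    return w;
}

/* Exif segment count of the sample built with or without metadata. */
int sample_exif_count(int with_exif)
{
    uint8_t buf[64];
    return count_exif_segments(buf, build_sample_jpeg(buf, sizeof buf, with_exif));
}

/* 1 if stripping the Exif-bearing sample yields exactly the clean sample. */
int stripped_matches_clean(void)
{
    uint8_t with[64], clean[64], out[64];
    size_t nw = build_sample_jpeg(with, sizeof with, 1);
    size_t nc = build_sample_jpeg(clean, sizeof clean, 0);
    size_t no = strip_exif(with, nw, out, sizeof out);
    return no == nc && memcmp(out, clean, nc) == 0;
}

int main(void)
{
    uint8_t buf[64], out[64];
    size_t n = build_sample_jpeg(buf, sizeof buf, 1);
    size_t m = strip_exif(buf, n, out, sizeof out);
    printf("before: %d Exif segment(s) in %zu bytes\n", count_exif_segments(buf, n), n);
    printf("after:  %d Exif segment(s) in %zu bytes\n", count_exif_segments(out, m), m);
    return 0;
}
```

The stripper removes only APP1 segments whose payload begins with `Exif\0\0`. XMP (also carried in APP1, with a different header) and IPTC (APP13) can hold location, author and caption data as well, so a publishing pipeline should handle those too, or take the blunter route of decoding and re-encoding the image so no original segments survive. Either way, the check that matters is running the count on the file that actually gets uploaded, not the one on the reporter's desk.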

One other incident, which occurred in October, is a bit more confusing.

Sean Bonner accused Krebs of plagiarizing an article from BoingBoing on the boarding pass hacker getting arrested.

I won't recount the details, but it looks as if Krebs was NOT plagiarizing, but working on the story independently. In some ways this is a modern-day flame war, much like the "Hijack" story, so it is hard to track down. But I think this detail is key (from Krebs's response to the original blogger):

Sean,
I'll admit I parachuted in on this story when a mutual friend of Mr. Soghoian's pinged me at 6:50 p.m. last night to tell me what was going down, but "plagiarize?" I don't think so.
I spent several hours tracking down FBI field agents, Mr. Soghoian himself, and gathering data from his blog and from other news outlets, no fewer than three of which I cite in the blog. That said, anything taken from those articles was put in double quotes and called out. The main reason I posted my story when I did was that no one who'd covered it had managed to speak with him around the time of the FBI visit and confirm that.
I saw the BoingBoing piece like everyone else, but I never read past the first paragraph. Frankly, I was more interested in the graphic they ran on the top of that post, as even though I'd mirrored Soghoian's site before he took the form down, the PHP back-end code was not mirrored and I was unable to reproduce the boarding pass I'd generated from Chris's site just prior to my calling him for the first time.
I had no idea that BB broke the story: had I been aware of it at the time, I'd have sourced them as the origin.
I am very careful to cite other blogs and writers when I am using or referring to their work. You, too, should be more careful before accusing reporters of such serious charges. Is there a particular paragraph or phrase or quote you'd like to call attention to?
Thanks for reading.


Three points I'd like to make on this:

1) It wasn't about plagiarism, it was about attribution; Krebs clearly saw someone else had broken the story before him but did not credit BoingBoing.
2) Once again, Krebs managed to make himself the story, rather than the facts.
3) Did Krebs ever make an apology to BoingBoing?

The common factor in all three stories is Krebs's denial that he made a mistake, his refusal to apologize, and his lack of reporting (rather than technical) skills.

Saturday, March 10, 2007

Welcome Daring Fireball / Crazy Apple Rumors readers

I didn't notice until today that both Daring Fireball and Crazy Apple Rumors gave me inbound links. Please feel free to explore. If you want to see what set off this entire round of blogging, check this out.

Posted below is a more complete TIMELINE to better understand the "Hijack" story and all the charges going back and forth. Where possible, I've tried to quote Maynor or Ellch directly. In some cases that is hard -- some "journalists" like George Ou refuse to put anything on the record. What is missing from this timeline are citations to the original sources. They should be clear to experienced readers, and also can be found in some of my original posts. If you see something that bugs you, drop a note and I'll add a citation.


June 3, 2006: The Blackhat agenda is released. Maynor and Ellch are going to talk about device drivers.

June 21, 2006: In a leak, Maynor and Ellch confirm that the Blackhat presentation will be about how to hijack a laptop. No word on the type of laptop or chipset vulnerable.

June 27, 2006: Mac OSX 10.4.7 released.

July 15, 2006: Maynor buys a MacBook and it crashes during setup due to fuzzing of "other devices". MacBooks at this time come with a stock Atheros chipset.

August 1, 2006: Maynor arrives in Las Vegas. Maynor tells Apple that evening "Don’t freak out, although it is using a Mac we are not showing a native exploit. There are native exploits but we are still determining how many other platforms they affect and we will make a full disclosure when this is done." Maynor also gives a private demo to Krebs. We are not told what version of the OS the MacBook is running. Quote: Maynor: Yes, it's a device driver. The thing is, there's a flaw in the OS, but I don't want to specifically point to it, so in the video you'll see I used a third-party USB device. What I'm trying to do is highlight the problems in device drivers themselves, not any one particular flaw. [Maynor misspoke here, and I later clarified this point with him. The wireless device driver that powers the internal wireless card on the Macbook contains flaws that -- when exploited -- give the attacker the ability to create or delete files, or modify system settings. The flaw is in fact in the Macbook's wireless device driver, which is made by a third party. So again, to be clear, the flaw is not, as he suggests in the transcript of this interview, in the Mac OS X operating system itself.]

August 2, 2006: Blackhat presentation. In an article based in part on the interview the night before, Krebs asserts "Maynor said he and Ellch have been in contact with Apple, Microsoft and other companies responsible for vetting the device drivers that power the embedded or third-party wireless card devices meant for those systems, and that both companies are working with wireless card vendors and original equipment manufacturers (OEMs) to remedy the problems." However, Krebs's first report from that morning (before the presentation) says it will be done on a MacBook, while the video clearly mentions a "third party card". Confusion erupts.

August 4, 2006: Apple says “give it [the exploit] to us now.” In return, Maynor says:

“I’ll work with an engineer to duplicate the vulnerability when I leave Vegas, but if this is a cross platform problem and you don’t coordinate it you could be leaving millions of other users at risk.”
They didn’t care.
Since we were finished with the broadcom work, I felt OK telling them about that problem.
“Fine, if you look at the IE handling code in both the handling of SSIDs in your broadcom code you will find an overly long SSID with cause a trivial stack overflow.”
“Is it like the FreeBSD problem?”
“Yes, it’s a malformed IE.”


On August 8, Maynor sends Apple an encrypted email with a script that shows how to crash a driver with an "overly long SSID". From his emails, it is unclear what version of Mac OS X is vulnerable. It is also unclear right now whether this is an exploit on the Broadcom drivers or the Atheros drivers.

On August 9, Maynor sends Apple information on how to build a Linux WiFi box to do their own wireless fuzzing.

On August 15, Maynor sends Apple packet captures, but of a problem with the Macbook Bluetooth stack -- not the wifi problem.

On August 15, Lynn Fox sends Maynor an email with a request to post a note saying the Blackhat demo was done on a third-party wifi card.


On August 16, Maynor sends Apple two new emails on the bluetooth problem -- not the MacBook wifi issue.

On August 18, Lynn Fox makes the following statement: "Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is. To date, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship. Whatever they are claiming to have found, they haven't shared it with us." In addition, SecureWorks posts the following note on its website: "Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver -- not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available."

August 19, 2006: Dave Maynor emails and then talks to George Ou that night. Ou reports (on the 20th) Maynor is:

very disturbed by the whole incident. He had already been receiving hate mail and even death threats at the Black Hat convention but the threats had escalated with this latest fabricated story about him falsifying his research. In one such threat, the person stated "I’m going to f***ing kill you and your dog" to which Maynor replied "I don’t have a dog". Maynor was even more disgusted with the despicable way this story was set up and then planted in the press though I’ve been asked not to reveal any more details on this time


August 20: George Ou posts story about August 19 talk with Maynor and then says “What I can tell you is that Maynor and SecureWorks will not be taking this laying down and the fireworks will start in the next couple of days.”

August 26, 2006: George Ou posts story asking “Why is Atheros brought into this?”

September 3, 2006: Ellch makes a posting on a mailing list:

“Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch. Whether or not this position was taken after a special ops team of lawyers parachuted in out of a black helicopter is up for speculation.”

September 21, 2006: Apple releases 3 wireless updates.


September 24, 2006: Maynor talks with Jim Thompson of Smallworks. Thompson asks

"Does the bug you say you found exist in the FreeBSD ath driver or the madwifi driver?"

Simple, I thought.

Maynor answered that their "bug" does exist (in both), though they would need to write a different exploit for either.

September 25, 2006: Strong denial by Lynn Fox published verbatim by George Ou.


September 29: Reports have it Maynor can’t speak at Toorcon. Apple and SecureWorks issue statement: “SecureWorks and Apple are working together in conjunction with the CERT Coordination Center on any reported security issues. We will not make any additional public statements regarding work underway until both companies agree, along with CERT/CC, that it is appropriate.”


September 30: Ellch gives the rant at Toorcon. Some key quotes:

“We give a talk saying that device drivers have lots of bugs. We demo one bug in Apple. A few days later, when Apple starts flaking on a patch, we tell them we are going to do a live demo of it at ToorCon, so it would be a good idea to get it patched before that.”


October 3, 2006: Thompson posts details of his conversation with Maynor and Ellch and adds the following:

I asked Sam what he thought of the Maynor/Ellch/Apple/... situation. Sam is obviously close to the situation and while he might be limited in what he is able to say about anything that involves Apple, he's quite free to discuss any issues that surround the linux madwifi driver and the FreeBSD ath / net80211 drivers.

I'll just quote the man:

My only remark about Ellch/Maynor is that I do not understand why they've not contacted me as the author of the code. Feel free to pass on that remark should you talk to them again.



November 12, 2006. As part of the Month of Kernel Bugs, Ellch releases a notice about a flaw in the Broadcom drivers caused “by improper handling of 802.11 probe responses containing a long SSID field.”

March 1, 2007. Dave Maynor claims he has discovered three flaws in the Mac – in the Broadcom, Atheros and Bluetooth drivers. He does a live demo with a MacBook running 10.4.6 that crashes. He then runs the identical exploit against a MacBook running 10.4.8 that does not crash, and claims that the only changes to the airport code were the updates that Apple released after the “Hijack” story.
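The "overly long SSID" and "improper handling of 802.11 probe responses containing a long SSID field" thread running through this timeline is a plain length-check failure: the SSID information element carries a one-byte length, the standard caps an SSID at 32 octets, and a driver that copies the advertised length into a fixed 32-byte buffer without checking it overruns that buffer. The C below is an added example written for this page, not Maynor's, Ellch's, Apple's or Broadcom's code; it shows the two checks a driver's IE parser needs (the element fits inside the frame, and an SSID fits the standard's maximum) and exercises them on constructed probe-response bodies. The 12-byte fixed-field layout follows 802.11, but the function names, status codes and sample frames are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_SSID       0
#define IE_RATES      1
#define SSID_MAX_LEN 32   /* IEEE 802.11: an SSID is 0..32 octets */
#define FIXED_FIELDS 12   /* probe response: timestamp(8) + beacon interval(2) + capability(2) */

enum ssid_status { SSID_OK, SSID_NOT_FOUND, SSID_TRUNCATED_IE, SSID_TOO_LONG };

/* Walk the information elements that follow the fixed fields of a probe
 * response body (each is <id:1><len:1><data:len>) and copy the SSID into
 * out. Two checks guard the copy: the IE must lie inside the frame, and an
 * SSID IE must not exceed 32 octets. Dropping the second check and copying
 * ie_len bytes into a 32-byte stack buffer is the "overly long SSID"
 * pattern the timeline describes. */
enum ssid_status extract_ssid(const uint8_t *body, size_t len,
                              char out[SSID_MAX_LEN + 1])
{
    size_t off = FIXED_FIELDS;
    out[0] = '\0';
    while (off + 2 <= len) {
        uint8_t id = body[off];
        uint8_t ie_len = body[off + 1];
        if (off + 2 + ie_len > len)
            return SSID_TRUNCATED_IE;          /* IE claims bytes the frame lacks */
        if (id == IE_SSID) {
            if (ie_len > SSID_MAX_LEN)
                return SSID_TOO_LONG;          /* would overrun a 32-byte buffer */
            memcpy(out, body + off + 2, ie_len);
            out[ie_len] = '\0';
            return SSID_OK;
        }
        off += 2 + ie_len;
    }
    return SSID_NOT_FOUND;
}

/* Build a constructed probe response body: zeroed fixed fields, an SSID IE
 * of ssid_len 'A's (anything up to 255, so over-long cases can be produced),
 * and a supported-rates IE. Returns bytes written, 0 if cap is too small. */
size_t build_probe_body(uint8_t *buf, size_t cap, size_t ssid_len)
{
    static const uint8_t rates[] = { 0x82, 0x84, 0x8b, 0x96 };
    size_t need = FIXED_FIELDS + 2 + ssid_len + 2 + sizeof rates;
    if (ssid_len > 255 || need > cap)
        return 0;
    memset(buf, 0, FIXED_FIELDS);
    buf[10] = 0x01;                            /* capability: ESS */
    buf[FIXED_FIELDS] = IE_SSID;
    buf[FIXED_FIELDS + 1] = (uint8_t)ssid_len;
    memset(buf + FIXED_FIELDS + 2, 'A', ssid_len);
    size_t off = FIXED_FIELDS + 2 + ssid_len;
    buf[off] = IE_RATES;
    buf[off + 1] = (uint8_t)sizeof rates;
    memcpy(buf + off + 2, rates, sizeof rates);
    return need;
}

/* Parse a constructed body whose SSID IE advertises ssid_len octets. */
enum ssid_status check_ssid_len(size_t ssid_len)
{
    uint8_t frame[512];
    char ssid[SSID_MAX_LEN + 1];
    size_t n = build_probe_body(frame, sizeof frame, ssid_len);
    return n ? extract_ssid(frame, n, ssid) : SSID_NOT_FOUND;
}

/* Same, but with the last `drop` bytes cut off (a truncated capture). */
enum ssid_status check_truncated(size_t ssid_len, size_t drop)
{
    uint8_t frame[512];
    char ssid[SSID_MAX_LEN + 1];
    size_t n = build_probe_body(frame, sizeof frame, ssid_len);
    if (n <= drop)
        return SSID_NOT_FOUND;
    return extract_ssid(frame, n - drop, ssid);
}

/* 1 if a 10-octet SSID survives the round trip intact, else 0. */
int check_roundtrip(void)
{
    uint8_t frame[512];
    char ssid[SSID_MAX_LEN + 1];
    size_t n = build_probe_body(frame, sizeof frame, 10);
    return extract_ssid(frame, n, ssid) == SSID_OK && strcmp(ssid, "AAAAAAAAAA") == 0;
}

int main(void)
{
    static const char *names[] = { "ok", "not found", "truncated IE", "too long" };
    size_t lens[] = { 0, 10, 32, 33, 255 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("SSID length %3zu -> %s\n", lens[i], names[check_ssid_len(lens[i])]);
    printf("truncated capture -> %s\n", names[check_truncated(10, 10)]);
    return 0;
}
```

The over-long case is rejected before any copy happens, which is the whole fix; a frame that is cut short is rejected for the opposite reason (the element claims more bytes than arrived), and a zero-length SSID (a hidden network) parses cleanly. The same two comparisons apply to every other element type a driver walks, which is why fuzzing the IE list, as the timeline says Maynor and Ellch did, turns up crashes across drivers rather than in one vendor's code.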

Thursday, March 08, 2007

Do Maynor and Ellch have root?

If you look at Glenn Fleishman's last post on the "Hijack" story, he posits there are two remaining questions:

First, did Maynor and Ellch have a root exploit, not just a way to crash 10.4.6? Maynor has now said unequivocally yes.

Second, did Apple lie about what Maynor and Ellch provided?


I tried to answer the second of Glenn's questions a few days ago, and now I want to try and address the first of these.

(John Gruber also has a list of questions, but I think in many ways the questions are too specific. Gruber wants to know if 1) WAS MAYNOR AND ELLCH’S DEMO VIDEO LEGITIMATE? and 2) DO THEY HAVE A WORKING HIJACK EXPLOIT AGAINST ANY APPLE AIRPORT CARD?)

Now, in order to look at Glenn's question you first need to have a model of what Maynor and Ellch did. What follows is guesswork. It is educated guesswork, but it is a model to test theories against. As before, we're basing this mostly on what Maynor has publicly said. I'll try to provide links where appropriate.

First, again, let's add some facts to the timeline:

June 3, 2006: The Blackhat agenda is released. Maynor and Ellch are going to talk about device drivers.

June 21, 2006: In a leak, Maynor and Ellch confirm that the Blackhat presentation will be about how to hijack a laptop. No word on the type of laptop or chipset vulnerable.

June 27, 2006: Mac OSX 10.4.7 released.

July 15, 2006: Maynor buys a MacBook and it crashes during setup due to fuzzing of "other devices". MacBooks at this time come with a stock Atheros chipset.

August 1, 2006: Private demo to Krebs. We are not told what version of the OS the MacBook is running. Quote: Maynor: Yes, it's a device driver. The thing is, there's a flaw in the OS, but I don't want to specifically point to it, so in the video you'll see I used a third-party USB device. What I'm trying to do is highlight the problems in device drivers themselves, not any one particular flaw. [Maynor misspoke here, and I later clarified this point with him. The wireless device driver that powers the internal wireless card on the Macbook contains flaws that -- when exploited -- give the attacker the ability to create or delete files, or modify system settings. The flaw is in fact in the Macbook's wireless device driver, which is made by a third party. So again, to be clear, the flaw is not, as he suggests in the transcript of this interview, in the Mac OS X operating system itself.]

August 4, 2006: Apple is told details of the problem with Broadcom drivers (“overly long SSID”) because, in Maynor’s words, “…we were finished with the broadcom work” and “this is a cross platform problem and you don’t coordinate it you could be leaving millions of other users at risk.” No other details on what the problem with the Atheros chipset are.

November 12, 2006. As part of the Month of Kernel Bugs, Ellch releases a notice about a flaw in the Broadcom drivers caused “by improper handling of 802.11 probe responses containing a long SSID field.”

March 1, 2007. Dave Maynor claims he has discovered three flaws in the Mac – in the Broadcom, Atheros and Bluetooth drivers. He does a live demo with a MacBook running 10.4.6 that crashes. He then runs the identical exploit against a MacBook running 10.4.8 that does not crash, and claims that the only changes to the airport code were the updates that Apple released after the “Hijack” story.

What do we know?

It seems clear that Maynor and Ellch discovered something. What they did discover is that wireless fuzzing will discover flaws in device drivers that might cause crashes. Whether that is the same as what they presented is another story.

Broadcom vs. Atheros

Broadcom drivers were used in PPC Macs; the newer MacBooks used an Atheros chipset. Maynor now claims to have discovered problems with both chipsets. Because he can’t (or won’t) release all his emails, he only shows evidence he told Apple about the problems with the Broadcom drivers.

10.4.6 vs. 10.4.8

In his March demo, Maynor runs an exploit against a Mac with 10.4.6 that crashes the Mac – while it does nothing against a MacBook with 10.4.8. One key question: is this the same MacBook? Is it possible it has two partitions with different systems? We also don’t know what internal wireless card was being used, although in at least one report Maynor claims it is an Atheros card.

Maynor is correct that the only changes to the AIRPORT code between 10.4.6 and 10.4.8 are the updates that were released as a result of the internal audit Apple ran after the August Blackhat.

Exploit vs. kernel shellcode

In his presentation released during Blackhat DC, Maynor makes the point “Finding the vulnerabilities was not hard…Writing the kernel shellcode was”. From other sources, which will remain unnamed at this point but were told this information by Maynor, one key difference is that a change in 10.4.7 – unrelated to the Airport code – defeated Maynor’s shellcode. Therefore, under 10.4.7 the Mac would crash, but the shellcode as seen in the video demonstration did not work.

We’re now moving from fact to speculation. Almost every guess I’ve made about this mystery has been wrong so far, but with the new facts we have a much better picture:

1. What Krebs saw:

We now can believe that Maynor has an exploit that will CRASH a MacBook running 10.4.6 with the standard Atheros chipset. However, if you believe Krebs’s account, that is not what he saw. So two possibilities:

1. Krebs saw the real deal. It was a MacBook, running 10.4.6, with the Atheros card and drivers. The wireless exploit was run and the computer hijacked through the shellcode.

What is missing in this picture? A lot. First, the wireless exploit that Maynor demoed in March has STILL not been released. Second, we don’t have any email evidence from Maynor on problems with the Atheros driver. Third, the shellcode has not been released (Maynor claims it will also be released in the future). Fourth, if it is a problem with the Atheros driver, no other company that uses the Atheros drivers has been notified. Fifth, the man who maintains the Atheros drivers for Linux has ALSO not been notified of any problems.

2. Krebs saw a modified Mac. It’s clear from Krebs’s account that there was NOT a third party USB card attached to the MacBook. What is NOT clear is whether the MacBook had the stock Airport Extreme card installed. My understanding is the Atheros and Broadcom cards can be swapped out – and that a default MacOSX installation will include drivers for both. If Krebs saw a MacBook being hacked with the Broadcom card installed, then a lot more makes sense.

First, we now have some evidence of problems with the Broadcom drivers -- both from Maynor and from the later MoKB exploit.

Second, as Maynor says, writing shellcode is hard. Presumably the Atheros and Broadcom exploits are a bit different. Ellch is an old-time Mac user. He presumably was testing some of the wireless fuzzing on an older PowerBook, but after July 15, when they bought a new Intel MacBook, they realized they had not finished working out the shellcode on the Atheros problem. The easy solution was to swap out the wireless cards.

Third, I’ve criticized both of them for giving Apple little to no notice for fixing the drivers. However, this scenario makes them do the right thing. By NOT talking about the problems with the Broadcom drivers in public, they had enough time to tell other companies of the problem. Clearly that wasn’t enough, which is why the Broadcom exploit was released to the public in November.

So my bet is on the second door – what Krebs saw was a MacBook with a different internal wireless card.

What did we see in the video?

It’s probably true, as Maynor says, “That was 5 minutes edited together from 4 hours of shooting” and frame-by-frame analysis is futile. But there are two telling pieces of information. First, from the video analysis it appeared as if the INTERNAL Apple card was being used – both from the MAC address and other evidence (that they were using the upper right menu bar to connect to a wireless network – a USB card might need third-party software to do the same). Second, either the MacBook was hijacked using the internal Atheros chipset (so the USB thing was a MacGuffin) OR it was hacked with a Broadcom-based 802.11 USB card. As far as I know – none of those cards work on a Mac.

The more likely option is that what we saw was the same MacBook with a switched internal card. As a proof of concept – fine. But thanks to Krebs’s botched reporting, this turned into a blog and media firestorm. And to answer Glenn's question: Yes -- there is a way to hijack a Broadcom based Intel Mac. However, since that machine only exists after minor surgery, it is just that -- a proof of concept.


All this can be solved by 1) showing evidence that an Atheros exploit existed in August; 2) releasing the Atheros exploit, and 3) showing that the shellcode works with the Atheros exploit. NONE of that evidence has been released.

What has been released is evidence that they had an exploit on the Broadcom drivers. Assuming all that information is true, you can explain BOTH Krebs’s account and the video demo. There may well be an Atheros exploit – but one without the necessary shellcode for a demo. That would explain why we’re still waiting to see it....