Actually, Not Much Better at All This Late Than Never

Let’s say I tell you I have in my pocket a frog that can recite the entire alphabet. You doubt it, and ask me to show you. I refuse. You ask me to show it to a trusted third party. I refuse.

A year later, I show you a frog who can recite the alphabet. That’s certainly something. But it doesn’t prove I had the frog in my pocket a year ago.

Which brings me to David Maynor, and his publication last week of a Wi-Fi driver vulnerability affecting Mac OS X 10.4.7 — a vulnerability more or less matching the one he and Johnny Ellch claimed to discover in summer 2006, but which they refused to prove or demonstrate, sparking a rather remarkable controversy.[1]

If you missed or forgot it, or, oddly enough, simply wish to relive it, here are the major pieces I wrote on the matter:

Here’s the nut of my criticism: A serious claim must be backed by proof of some sort. Maynor and Ellch’s claims last year were made with no proof other than a suspicious demonstration on video. That’s the root of every dispute and problem that followed. All I wanted to see was proof; it was more skepticism than criticism.

Compare and contrast with a story from this summer: the case of Charles Miller and Independent Security Evaluators. Miller and his colleagues discovered a serious vulnerability in MobileSafari on the iPhone shortly after it shipped, a vulnerability which they claimed could be exploited to take complete control of the iPhone system.

They proved it by demonstrating the exploit, in detail, to a reporter from The New York Times. They created a web site with additional details. They provided complete technical details to Apple, which fixed the bug in the 1.0.1 iPhone update.

Here’s what Apple spokeswoman Lynn Fox — she who supposedly led an “orchestrated attack” against Maynor and Ellch — told The Times regarding Miller’s iPhone exploit:

“Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We’re looking into the report submitted by I.S.E. and always welcome feedback on how to improve our security.”

No backlash. No criticism from the Mac media. No questions regarding the veracity of their claim. Why? Because he provided proof when he made the charge. That’s all there is to it.

  1. Worth pointing out: Maynor’s paper describes an attack that leads to a kernel panic. He claims it can be exploited to instead inject code and, rather than crash, take over the machine — but this is not described in the paper. Maynor claims two more papers are forthcoming.