Real World IT

Written by George Ou, TechRepublic's Technical Director
October 4, 2006

A Vista kill switch would be good for Linux

Posted by George Ou @ 3:16 pm

There seems to be a lot of talk about a potential kill switch in Windows Vista, but that would be very good news for Linux and open source adoption in most of the world and perhaps even on college campuses.  The tighter the anti-piracy controls on Microsoft software are, the wider the adoption of Linux.

A person in China for example making $300 a month will save up and spend $400 on a computer.  They will spend 100 Yuan (about $12) on home grown software but they will never spend $100 on software when they can buy a black market copy for $1.  If that wasn't available or if Microsoft made it impossible to use the software because of WGA, they'll simply stop using Windows and stop using Microsoft Office and use Linux and Open Office.  In Government agencies in the third world, this is often the case unless they're able to negotiate an extremely low price from Microsoft.  Even Bill Gates admitted that people can't buy software until the economic standards are raised in the third world.

There is a similar dynamic with college students, though not as extreme with American college students since they have a little more money.  College students also have the academic versions of the software available to them, but even that's a problem for some.  Many college students will resort to copied software, but when those same students graduate and join the work force and have money, they become loyal paying customers.  If they can't use copied software, then they'll simply use free Linux and Open Source solutions and they'll continue to do so even when their economic status changes.

Microsoft has more or less always turned a blind eye towards individuals who use pirated Microsoft software though they'll implement a few hurdles to using it such as the lack of updates and patches or they'll turn off Aero functionality in Windows Vista.  Is it possible Microsoft could suddenly harden their stance on unauthorized copies of Microsoft software?  It certainly is, but it would be a great boon to Linux and Open Source.

Categories: Security

October 3, 2006

Embarrassing Firefox pranksters

Posted by George Ou @ 3:30 pm

Two of the presenters at the ToorCon 8 event embarrassed themselves by pulling a prank on the media and Mozilla.  The two claimed to have remotely compromised Mozilla Firefox when in fact they had only crashed it.  They have now backpedaled and retracted their statement with this letter to Mozilla stating that it was meant to be "humorous" but no one in the security community found it to be amusing.  As for the claim that they had 30 zero-day vulnerabilities, Mischa Spiegelmock blamed his co-presenter Andrew Wbeelsoi and said he had nothing to do with it.  Unfortunately for Spiegelmock, the time to speak up would have been Saturday during the presentation.

Taking the cautious and responsible approach, Window Snyder (Chief of Mozilla security) was still concerned about the crash in Mozilla Firefox and is treating it as a potentially serious flaw.  Snyder stated that Spiegelmock was cooperating with Mozilla.

Categories: Security

VMware releases beta for new converter tool

Posted by George Ou @ 1:01 am

VMware is releasing a beta of their P2V (Physical to Virtual) converter tool (link via betanews).  P2V lets you pull a physical server into a virtual server and is a critical component of server virtualization.

Categories: Security

October 2, 2006

Controversies spawn new blogs

Posted by George Ou @ 10:04 pm

It's interesting how controversies like the Apple Wi-Fi fiasco can give birth to new blogs.  Securosis started right after Black Hat 2006 covering the Apple Wi-Fi controversy and now David Burke who contributed two critical thinking pieces (here and here) to my blog has now started his own blog.

Categories: Security

Johnny Cache speaks out at ToorCon 8

Posted by George Ou @ 4:31 pm


David Maynor was blocked at the last minute from appearing at Toorcon 8 in San Diego, and Jon "Johnny Cache" Ellch was stuck with no speaking partner or presentation.  A lot of stories have been quoting this talk and some bloggers have been characterizing it negatively in various ways even though they weren’t there, but this is the actual video.

Categories: Security

Bad security week for Microsoft, Apple, and Blizzard

Posted by George Ou @ 3:41 am

Another zero-day threat hits Microsoft Internet Explorer 5 and 6 just after Microsoft issued an emergency out-of-cycle patch for the VML threat.  This new critical threat had been known for 2 months but missed September's patch Tuesday.  Microsoft is expected to patch it next Tuesday but attacks are already being seen in the wild.

Apple on Friday issued patches for 15 vulnerabilities, most of which are remotely exploitable.  Issues in Safari, Flash Player, code-executing JPEG2000 images, privilege escalations in the kernel, code-executing PICT images, and other components in Mac OS X were patched.

[UPDATE October 3: This was mostly a prank] At Toorcon 8 in San Diego, Joris Evers is reporting that two hackers are claiming to have 30 exploits for Mozilla Firefox.  They disclosed one of the issues with enough detail that it could probably be reproduced by other hackers.  Mozilla's security chief Window Snyder is taking the threat seriously and was upset by the fact that the exploit was released to the public without any notification to Mozilla.  A security staffer from Mozilla attempted to "persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets".  Unfortunately, the hackers do not plan to disclose them.  Evidence for the other 29 exploits was not shown.  The hackers stated it was a problem in Firefox's implementation of JavaScript and that it was a "complete mess".  Snyder admitted that "if it is in the JavaScript virtual machine, it is not going to be a quick fix".

Oh, and Blizzard and their WOW customers aren't having a good week either.  It would seem that a lot of World of Warcraft players are being targeted for their passwords through Malware and keyloggers.  Once the password thieves have the passwords, they can turn around and sell off virtual goods for real money.

Categories: Security

September 29, 2006

Clampdown at Toorcon imminent for Apple Wi-Fi flaw

Posted by George Ou @ 2:41 pm

In a possible repeat of what happened at last year's Black Hat convention with Mike Lynn and Cisco, I've just received word from Elizabeth Clarke, who is the VP of Corporate Communications at SecureWorks, that David Maynor will not be presenting at Toorcon.  Even as late as yesterday when I talked with Maynor on IM, Maynor was going to reveal all on Saturday.  Maynor had indicated in the past that SecureWorks wasn't keen on his presentation and he had told them that he was going anyway.  I tried to contact Clarke and Maynor for immediate comments without success, but one would have to assume that SecureWorks has issued explicit instructions to David Maynor not to give the public presentation.

Maynor, along with his friend Jon "Johnny Cache" Ellch, is giving a technical lecture at Toorcon Seminars today, and the two were planning to unload everything about the Apple Wi-Fi controversy tomorrow.  When I heard this announcement from SecureWorks PR, I was just getting ready to leave for the airport for Toorcon.  I still intend to go because we may see injunctions fly tomorrow.

In place of the presentation tomorrow, SecureWorks released this statement.

SecureWorks statement:
SecureWorks and Apple are working together in conjunction with the CERT Coordination Center on any reported security issues. We will not make any additional public statements regarding work underway until both companies agree, along with CERT/CC, that it is appropriate.

The statement seems to be an attempt to cool things down, but it's about a month too late as far as I'm concerned.  I had known since last month that CERT had been notified of the full details of this vulnerability by SecureWorks, and CERT could play the role of a neutral arbitrator in this whole mess.  However, this thing has become far too heated and it's difficult for Apple to agree to give SecureWorks any credit when they've backed themselves into a corner with the statements they have made.  Apple's Lynn Fox has raised this to a boiling level by strongly refusing to give any credit to SecureWorks, Maynor or Ellch.  But in her strong denial, Fox essentially implied that David Maynor didn't even know the difference between FreeBSD and OS X and supplied Apple with things like crash dumps and driver disassemblies that had nothing to do with Apple products.  As David Burke points out, Apple continued to request more information from someone they're implying is an idiot and even started an internal audit on account of what they're calling irrelevant information.

Categories: Security, Mobile/Wireless, Networking, News

Unbelievably cheap mini-PCs from E-Way

Posted by George Ou @ 4:14 am

I saw this article from linuxdevices.com and I couldn't believe my eyes.  E-Way Technology Systems is a company from Taiwan that is selling a tiny 200 MHz x86-compatible fanless mini PC with 128 MB RAM, Fast Ethernet, and front loading compact flash slot for $99 at single quantities!  Of course this wouldn't be very useful as a full desktop computer, but it is the perfect low-power fanless zero-moving-part silent appliance at an unbelievably low price.  Here are some of the things you can do with this hundred dollar box.

  • Citrix or Terminal Server thin client (you'll need to add keyboard, mouse, and a display).  By the time you add those things, you might be up to $300 but it's multiples cheaper than other thin clients.
  • Small office or home office Asterisk PBX to support a couple of phones and voice mail boxes (So long as you don't try to transcode anything).
  • Change to a board with no video and audio but with multiple Ethernet ports and this can become a killer IPCop appliance.
  • The front loading CF (Compact Flash) slot is super convenient for firmware upgrades since you can easily extract the CF card and flash the image from a regular computer.
  • It could probably serve as a Linux Wi-Fi appliance as well with an

But this hundred dollar unit is a little underpowered and I couldn't help but wonder if there is a more powerful solution.  I went to E-Way's website and found this 800 MHz fanless mini-ITX system with 256 MB RAM for a mere $199 at single quantities ($150 at 300 units).  But even at $199, you can't build a mini-ITX system this cheap in component costs alone!  Mini-ITX components are usually very expensive.

It doesn't have the front loading CF slot but it has a PXE boot ROM and very good performance characteristics.  This unit can use CF or hard drives in the thicker model.  This would probably make the perfect PBX system if it was coupled with something like the Astrabank-8 which is a USB device that provides 8 analog phone ports for analog phones or fax machines.  The performance and hard drive would allow it to handle many more users and voice mail boxes.

It could probably handle DVD playback with ease since it has MPEG 2 acceleration though I doubt if it will handle HD video play back.  As a media PC, it has limitations because it lacks HD component out and only has a DB-15 VGA port and no DVI.  But it would probably make a killer car PC since it doesn't use a lot of power (no more than 20 watts) and you could hook up an LCD panel to it.  It's small enough to easily mount under the car seat.  As a firewall appliance, it would need to have more Ethernet ports though I'm not sure if that's an option with this mini chassis or not.  E-Way does sell 3 and 4 port fanless systems that are perfect for the firewall appliance which may even be fast enough to do in-line virus scanning for a small number of users.

So what's the catch with this outfit?  They seem to be a bit slow and inundated with requests for information.  Ordering from them can be a bit tricky if you read their order instructions.  Obviously the more you buy the better off you are, since you only have to go through the ordering hassle once.

Request US$ quote by email for current cost and spec. Please request quote for items not shown. Price shown is typical US$ for large quantity lot. Cost or image or specs are subject to change. To preserve our low costs, payment is funds wire at time of order, or L/C with deposit for large quantity. One year warranty for pre-authorized defect repair or replace, shipping cost covered by customer.

Would this stop me from trying to order something from them?  No because the prices are just too good and you can't find anything even remotely close in raw component prices.  Just the mini-ITX chassis alone is often more than $100 and you have to spend another $50 on the power supply.  These conditions are primarily intended for resellers.  So far I haven't found any resellers offering these things.  A computer store could probably buy them at quantities of 300 and sell them at twice the cost to individual consumers.  System integrators that sell pre-packaged appliances and support would also benefit greatly from this source.  Still, I would love to see an online discounter carry these in the USA that is geared to sell and support these things even if I had to pay an extra 15% over the single quantity pricing.

Norhtec also sells a slightly less powerful 166 MHz mini-PC for $120 (single "eval" unit) plus $35 shipping which can bolt on to the standard VESA holes of an LCD panel, as seen in the picture on the right, for super convenience.  The difference is that you can actually order the thing from their website with a credit card, which beats having to send a money order.  Norhtec won't sell in bulk unless you're talking about units of 1000 or above.

Categories: Security, Infrastructure, Mobile/Wireless, Networking, Servers, Fun Stuff, Hardware

September 27, 2006

Intel unleashes Quad Core at IDF Fall 2006

Posted by George Ou @ 2:48 am

At the fall 2006 IDF (Intel Developer’s Conference), Intel widened its lead in the Server and Desktop market by trotting out four quad core server processors and a 2.66 GHz quad core "Extreme Edition" desktop processor.  These quad core chips will be available in November, only 4 months after Intel shipped its first Core 2 based product.

The server parts will be 1.6, 1.86, 2.33, and 2.66 GHz.  The two lower-end parts will operate with two 1066 MHz memory channels and the two higher end parts will operate with two 1333 MHz memory channels.  All quad core server chips have a TDP (Thermal Design Power) of 80 watts except for the 2.66 GHz part which will operate at 120 watts.  AMD’s latest "Socket F" dual core Opteron processors are rated at 95 watt TDP for most of the product line and 119 watt TDP for the highest end 2.8 GHz part.  Considering the fact that we’re comparing a quad core Intel CPU to a dual core AMD CPU, it’s a massive lead in power consumption for Intel because you would need twice as many AMD CPUs to match the same number of cores which would nearly double the power requirement (and price) on AMD.

Note that AMD servers use registered DIMMs while Intel servers use more power hungry FB-DIMMs which require an extra 4 to 5 watts per DIMM.  This would mean that an Intel server with four 2 GB FB-DIMMs will use an extra 18 watts for the memory and a server with eight 2 GB FB-DIMMs will use an extra 36 watts of power for the memory.  This difference in memory architecture would cut into Intel’s lead depending on how many DIMMs are used, but there is no doubt that Intel’s lead is solid.

The 2.66 GHz quad core extreme desktop processor has a TDP of 130 watts.  While 130 watts is on the high side, it’s the first quad core processor and is still lower power than the old Intel Pentium 4 "Netburst" CPUs and only slightly more than a 125 watt 2.8 GHz AMD FX-62 dual core processor.  Even more alarming for AMD is the fact that on a clock for clock basis, a single 2.4 GHz Core 2 core is faster than a single 2.8 GHz Athlon core.  AMD is touting its yet-to-be-released "4×4" dual-socket dual-core desktop product as a possible Core 2 Duo killer, but that could potentially ramp the TDP envelope to around 200 watts for both sockets, not to mention a large premium on the cost of a dual-socket motherboard.  The more expensive and power hungry AMD 4×4 solution probably won’t come close to the new quad core Intel CPUs unless there is a radical boost in the architecture of AMD CPUs.

There are some in the industry along with AMD that are labeling these new Intel quad core CPUs as "fake" quad cores because they use two dies on a single CPU package.  Unfortunately for AMD, no one told these real-world applications that the Intel quad core chips are "fake" because they show almost a doubling of performance in Video encoding tasks.  The gap is even more than double when the quad core is unleashed and overclocked to 3.33 GHz.  Furthermore, these 25% boost numbers are on the conservative side because one of the vendors was showing a liquid cooled 3.75 GHz quad core game machine at IDF.  That’s a massive 41% overclock on a quad core Intel CPU that already has a massive lead to begin with!  The best liquid cooled AMD FX-62 processors max out at around 25% in overclocking but still can’t compete with Intel’s dual-core processors let alone the quad cores.  Since quad core CPUs go for roughly the same price as the high-end dual core parts when they came out, there’s no doubt that the demand for these "fake" quad core processors will be high in the power user market.

For now, even the AMD four socket advantage in the Server market has melted away since it’s about half the price to build a two socket quad core server compared to a four socket dual core AMD server.  AMD will come out with their quad core CPUs that come on a single die in the middle of 2007 promising to consume no more power than the existing dual core processors which should be slightly lower than Intel’s current quad core CPUs.  The problem is that Intel is not standing still and Intel will be releasing 50 watt quad core processors in the first quarter of 2007 before AMD even begins to ship their first quad core CPU.  But will Intel actually deliver on their promise for lower power quad cores in Q1 2007?  So far all of the Intel Core 2 products in Server, Desktop, and Mobile have come on time so there is little reason to believe otherwise and AMD will have quite a bit of catching up to do.

Categories: Servers, News, Fun Stuff, Hardware

September 25, 2006

David Burke dissects Apple’s response on SecureWorks

Posted by George Ou @ 9:26 pm

David Burke who is a very sharp reader decided to chime in on Apple’s seemingly firm denial that SecureWorks supplied nothing of significance to Apple for the Apple Wi-Fi security patch.  This isn’t the first time Mr. Burke has weighed in here on Real World IT, he took John Gruber’s logic apart last time based on what little evidence Gruber supplied.  This time, he takes Apple’s Lynn Fox to task for her reply.


David Burke writes:
George, I just thought I would send you this email as I have just read your article on Tech Republic where Lynn Fox answered a lot of the questions I have noted coming up on the issue of what SecureWorks delivered to Apple in regard to the Macbook wireless exploit.

I was actually quite happy at first to see that Apple was giving such direct “yes and no” answers for a change, but quite frankly before I was halfway through it I felt like pulling my hair out.

Let’s first look at how Lynn answers the first question;

George Ou:
Did SecureWorks ever disclose any Wi-Fi vulnerabilities to Apple?

Lynn Fox:
The only vulnerability mentioned by David Maynor was FreeBSD vulnerability CVE-2006-0226. This does not affect Apple products.

Ok George, while that implies that Maynor is such a horrible security expert he doesn’t even know what vulnerabilities might work on a Mac, who knows? I do not know Maynor and certainly can’t swear he would know better, but the important thing is, Lynn is telling us here that all information Apple got from Maynor was in relation to a FreeBSD vulnerability CVE-2006-0226, which has no application to any Apple products.

Now let’s look at the very next question Lynn Fox answers;

George Ou:
Did SecureWorks ever disclose the packet captures of the malicious payload used to trigger said vulnerabilities?

Lynn Fox:
No. Packet captures were promised repeatedly but never delivered.

Now we know George that she is talking about packet captures for the FreeBSD vulnerability CVE-2006-0226, which has no application to any Apple products. We know that because she says that’s all that Maynor discussed, so that’s what the packet captures would be for.

What I do not follow here George is what in the heaven did she get Maynor to repeatedly promise to send packet captures for an exploit that had no application to an Apple product? I mean…repeatedly? And promise? This makes absolutely no sense of any kind. If Maynor was contacting her on his own and repeatedly promising for some reason to send packet captures for a vulnerability that had no application to an Apple product, peculiar as that would have been, why didn’t Apple just tell Maynor to get lost and stop bugging them as the packet captures were of no use?

This isn’t some kind of legalese issue here either George, this is just common sense. It’s obvious that something is up here with this whole packet capture issue. Lynn Fox says on the one hand Maynor only talked of one vulnerability, which didn’t apply to Apple products, and on the other hand they got Maynor to repeatedly promise to send packet captures? Something is rotten in Denmark without further explanation on that.

And what’s with all these subsequent responses to questions;

George Ou:
Did SecureWorks ever provide driver disassemblies pertaining to said Wi-Fi vulnerabilities?

Lynn Fox:
No. While SecureWorks did provide a driver disassembly, it did not indicate a Wi-Fi vulnerability in any Apple product.

George Ou:
Did SecureWorks ever provide crash dumps pertaining to said Wi-Fi vulnerabilities?

Lynn Fox:
No. While we received crash dumps from SecureWorks, they didn’t have anything to do with Mac OS X or any other Apple product.

She starts with a no, and then says yes, both times, and of course, these same things they were given must have been to do with the FreeBSD issue, after all, she said it’s all Maynor discussed, yet there were repeated promises made for packet captures and this makes no sense.

What makes matters worse George, is did I not read that after they were notified by Maynor of the exploit they decided to do an internal audit on their own? I really do not understand the logic behind such a chain of events. Consider; Lynn Fox has essentially said that Maynor supplied them with information that didn’t even apply to Apple products, yet they wanted packet captures and eventually decided they had to do an internal audit on their own. Why? Maynor apparently gave them less than absolute zero according to Lynn Fox. Did Apple decide to do this internal audit based on the fact that Maynor showed them a vulnerability that applied only to non Apple computers? No way.

You do not have to be a rocket scientist to see what may be at issue here George. I’m not 100% sure what’s going on here George but if it is true that Maynor has time stamped communications showing certain particulars were communicated to Apple from Maynor, and Apple did indeed work to repeatedly secure promises from Maynor to send packet captures, the evidence so far indicates that something beyond the FreeBSD issue was either discussed, or Apple had a way of making use of the FreeBSD issue in such a way that although the specific issue may not exist on Apple products it was a link to something that was.

What’s going on? Once again this ends up answering little.

- End of email -


Yes, this all sounds very strange David and you’ve given me a new level of respect for the legal profession.  I thought something was strange about those responses but just couldn’t put my finger on it.  You’ve cleared that up nicely, thank you.

(Note on internal audit)
As reported by Brian Krebs, Anuj Nayar said: "Basically, what happened is SecureWorks approached Apple with a potential flaw that they felt would affect the wireless drivers on Macs, but they didn’t supply us with any information to allow us to identify a specific problem. So we initiated our own internal product audit, and in the course of doing so found these flaws."

Categories: Security, Mobile/Wireless, Networking, News, Hardware, ~Events~, Defcon2006

Apple strongly denies getting information from SecureWorks

Posted by George Ou @ 4:16 pm

I posed some questions to Apple when I wrote "Apple patches Wi-Fi but refuses to give researchers due credit" to try and pin down exactly what Apple acknowledges to have received from SecureWorks or not.  I was a bit surprised when I got all of them answered based on my past experience so I will have to give Apple some credit for not dodging any of the questions this time and answering in a straight forward manner.  The answers also surprised me since this puts Apple and the two security researchers David Maynor and Jon Ellch on a collision course at Toorcon 2006 and there is no backing out at either end.  [Update 11:59 PM: David Burke gives a great analysis to the following response.]

Here is the word-for-word email response from Director of Mac PR Lynn Fox:

George,

Answers to your questions are below.

We noticed that there was a question on your blog for us that was not included in your below email (on packet captures), so we’ve also answered that question for you too.

• Did SecureWorks ever disclose any Wi-Fi vulnerabilities to Apple?

The only vulnerability mentioned by David Maynor was FreeBSD vulnerability CVE-2006-0226. This does not affect Apple products.

• Did SecureWorks ever disclose the packet captures of the malicious payload used to trigger said vulnerabilities?

No. Packet captures were promised repeatedly but never delivered.

• Did SecureWorks ever provide driver disassemblies pertaining to said Wi-Fi vulnerabilities?

No. While SecureWorks did provide a driver disassembly, it did not indicate a Wi-Fi vulnerability in any Apple product.

• Did SecureWorks ever provide crash dumps pertaining to said Wi-Fi vulnerabilities?

No. While we received crash dumps from SecureWorks, they didn’t have anything to do with Mac OS X or any other Apple product.

• Did SecureWorks ever point to the location of the vulnerable code of said Wi-Fi vulnerabilities?

No.

• Do any of the current patches released by Apple match any of the characteristics of the information provided by SecureWorks?

No.

I’d also like to comment on this excerpt from your post:

"’Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products’

Now this statement has come back to haunt Apple. Ironically, I had accidentally stumbled upon this when I asked Maynor and Ellch in my video interview if the Wi-Fi vulnerability was anything "like" the FreeBSD hack back in January. I could have sworn I got a funny reaction from Maynor and Ellch but I figured they only reacted that way because not many people knew about the FreeBSD flaw. Little did I know at the time that I had actually stumbled upon the truth and that the Apple Wi-Fi flaw was EXACTLY like the FreeBSD flaw because it’s all the same code."

The code flaws we addressed with the Wi-Fi security updates we released on September 21 are not based on the same code as the FreeBSD flaw.

We think this helps clarify what we’ve been saying all along and helps put this topic to rest.

Feel free to post my email to your blog word-for-word to avoid any confusion.

Lynn Fox

Director, Mac PR

Apple

Things keep getting more interesting every day.  More to come on this.

Categories: Security, Mobile/Wireless, Networking, News, Hardware, ~Events~, Defcon2006

Proof that Antivirus software makes your PC crawl

Posted by George Ou @ 4:06 am

A few months ago I declared: "It’s time to toss out your (desktop) antivirus software!"  As far as I was concerned, running desktop antivirus software was a liability in and of itself because "Running antivirus on a personal computer is like having the bomb squad inspect a suspicious package inside the house right next to you."  The effectiveness of antivirus software is also questionable since it won’t work at all for zero-day exploits that haven’t been updated yet.  Well now there seems to be another good reason to toss out that antivirus software.

Everyone has always suspected antivirus software of slowing computers down (at least through anecdotal evidence), but no one has ever been able to really quantify it precisely.  A young English gentleman in the UK who goes by "Oli" has posted this wonderful analysis on "What really slows Windows down" and posted some detailed measurements on the effects of typical desktop software and security suites.

The desktop Antivirus suites all appear to make your PC run slower than a 5 year old computer when it comes to slowing hard drive I/O down which is the biggest factor in PC wait times.  Norton Internet Security 2006 was the worst resource hog, McAfee VirusScan Enterprise 8 was the second worst, but Norton Internet Security 2007 seemed to have improved to the third worst resource hog.  Trend Micro PC-cillin AV 2006 was the fourth worst resource hog and Microsoft’s Live OneCare had significantly lower overhead.  Surprisingly, AVG 7.1 free antivirus software came in with extremely low overhead compared to any of the other Antivirus suites so if you must run something, AVG might be the way to go and you certainly can’t argue with the price.

As anyone who knows me would know, I personally never use Antivirus or Anti-spyware software and neither have most of my expert friends or colleagues, and we never get viruses even while running as full administrator.  When my family members use the computer, I set them up as standard users and the worst I’ll ever need to do is nuke their account and recreate it if something bad happens.  I’m also careful to only give them read only access to family photos and files so that they can’t ever accidentally delete them or click on some Malware that would delete them.  Now how do I know I don’t have any viruses?  I do manually conduct occasional scans of the hard drive for viruses and spyware and I never find any.
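The standard-user-plus-read-only-folder setup described above, written out as an added PowerShell example (this is not code from the post or from any vendor it mentions, and it targets a modern Windows 10/11 box rather than the 2006-era machines in the post). The account name `family` and the folder `C:\FamilyPhotos` are assumptions; run it from an elevated PowerShell 5.1 or later session. It creates a local account that is a member of `Users` only, strips inherited permissions from the photo folder, grants Administrators full control and the family account read-and-execute only, then reads the resulting ACL back so you can confirm no write, modify or delete right was left behind.

```powershell
# Added example, not from the original post: least-privilege family account
# and a read-only photo folder. Names and paths below are assumptions.

$userName  = 'family'            # assumed local account name
$photoPath = 'C:\FamilyPhotos'   # assumed folder holding the originals

# 1. Create a local account and keep it out of Administrators.
#    Membership in 'Users' alone is what makes it a standard (limited) account.
$password = Read-Host -AsSecureString -Prompt "Password for $userName"
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $userName -Password $password -PasswordNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Users' -Member $userName -ErrorAction SilentlyContinue

# 2. Create the folder and replace its inherited ACL with an explicit one.
New-Item -ItemType Directory -Path $photoPath -Force | Out-Null
$acl = Get-Acl -Path $photoPath
$acl.SetAccessRuleProtection($true, $false)     # stop inheriting, drop inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Administrators keep full control (so the owner can still add photos);
# the standard user gets ReadAndExecute only, inherited by every file below.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $userName, 'ReadAndExecute', $inherit, $propagate, 'Allow')))
Set-Acl -Path $photoPath -AclObject $acl

# 3. Verify: the family account must hold no Write, Modify or Delete right.
#    Anything beyond ReadAndExecute/Synchronize here means step 2 did not take.
(Get-Acl -Path $photoPath).Access |
    Where-Object { $_.IdentityReference -like "*\$userName" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Because inheritance is turned off on the folder before the two explicit rules are added, a file dropped into it later does not pick up the machine's default "Users: Modify" entries; the family account can open and copy photos but cannot overwrite or delete them, which is exactly the property the post relies on when something on the account goes bad.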

Categories: Security

September 23, 2006

Apple patches Wi-Fi but refuses to give researchers credit

Posted by George Ou @ 5:42 am

[UPDATE 9/25/2006: The word "due" was dropped from the title because it is now disputed by Apple.  Apple has issued a strong denial that anything useful was given to them and responded to this blog in detail.]

After all the controversy, it turns out that there really are critical vulnerabilities in Apple's Wi-Fi drivers that affect Intel and PowerPC based Macs described in three separate CVEs.  After more than six weeks of Apple's spin that strongly implied there was no Wi-Fi vulnerability and six weeks of conspiracy theories that this whole thing was a fabricated stunt to garner attention for some fake security researchers, Apple released three critical patches before next week's Toorcon event where security researchers David Maynor and Jon Ellch are planning to release details on the Apple Wi-Fi exploit and more.

The controversy started around the original report from Brian Krebs "Hijacking a Macbook in 60 seconds" who reported from Black Hat 2006 on August 2nd about security researchers David Maynor and Jon Ellch.  The Mac press balked at Krebs' claim that this was a Macbook being hacked because the official demo given at Black Hat 2006 only pertained to third party drivers and hardware.  But Krebs stood his ground and clarified that he wasn't talking about the "official" on-the-record demo, but rather the private demo he got from David Maynor and even released a word-for-word audio transcript.  Krebs insisted that he witnessed a hack on a stock Macbook with no third party devices plugged in.

The story had gone dormant for 2 weeks until August 17 when an orchestrated* assault was launched against David Maynor and Jon Ellch that accused SecureWorks (the company David Maynor works for) of changing their story.  Jim Dalrymple of MacWorld called the research a misrepresentation and other IDG publications followed.  Blogger David Chartier even declared that "SecureWorks admits to falsifying MacBook wireless hack" and Digg amplified the bogus stories on a grand scale.  Frank Hayes of ComputerWorld even referred to Maynor and Ellch as "quack hackers" (Frank Hayes is an honorable man and apologized).  The problem is that none of these publications did any basic research because SecureWorks NEVER changed their story, never misrepresented, and never admitted falsifying the MacBook wireless hack.  The original video had clearly stated within the first 20 seconds that the demo pertained to third party drivers and hardware, yet we have not seen a single correction from any of these publications.

As a result of the faulty reporting, tens of thousands of websites have declared Maynor and Ellch as frauds.  Some conspiracy websites even popped up and claimed the original SecureWorks video demo was a "magic show".  Anyone who defended Maynor and Ellch in the media was equally attacked by these fanatics.  The list of defenders was thin and included myself, Brian Krebs, and Rich Mogull.  I provided one of the most vigorous defenses of Maynor and Ellch and received a ton of heat over it.  A blog site dedicated to attacking Brian Krebs was created and one of the more vulgar Mac blogs refers to me as the security b****.   Even with the confirmation of the Apple Wi-Fi exploit, these sites continue their attack.

Apple was very careful to spin the news Thursday when they spoke to reporters about the patch.  According to CNET reporter Joris Evers, "Apple's security patches are not related to the Black Hat presentation, a company representative told CNET News.com on Thursday".  Many of the critics have taken this to mean that these patches aren't the ones Maynor revealed to Brian Krebs at Black Hat and that it doesn't vindicate them.  But if we examine the comments from Apple closely, it's technically a true statement because the official demo given at Black Hat pertained specifically to third party hardware and drivers, but it has nothing to do with whether SecureWorks and David Maynor informed Apple of a vulnerability or not.

When pushed to clarify the issue, Apple would only say to Joris Evers "In August, SecureWorks approached Apple with a potential flaw that they felt could affect wireless drivers on Macs …  They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit".  I approached Apple to clarify the issue and asked the following questions regardless of what Apple defined as "evidence".

  • Did SecureWorks ever disclose any Wi-Fi vulnerabilities to Apple?
  • Did SecureWorks ever disclose the packet captures of the malicious payload used to trigger said vulnerabilities?
  • Did SecureWorks ever provide driver disassemblies pertaining to said Wi-Fi vulnerabilities?
  • Did SecureWorks ever provide crash dumps pertaining to said Wi-Fi vulnerabilities?
  • Did SecureWorks ever point to the location of the vulnerable code of said Wi-Fi vulnerabilities?
  • Do any of the current patches released by Apple match any of the characteristics of the information provided by SecureWorks?

So far, I have yet to receive any reply from Apple.  These questions are critical because any competent researcher or engineer would be able to replicate an attack if given all of the above information and even the packet captures alone should have been enough.  When I had previously contacted Apple's Lynn Fox, she would only vaguely answer my questions but refused to say anything on the record.  Furthermore, Apple is playing this off as a "preemptive" effort to strengthen Apple's wireless drivers "found internally" with no credit given to SecureWorks, Maynor, or Ellch.  But the timing of this patch release is awfully coincidental with next week's Toorcon event.

Speaking of Apple driver vulnerabilities, I had accurately pinpointed the driver issue last month when I reported on Atheros' non-role in this whole affair.  As I stated, Atheros was not responsible for this issue since the flaw exists above the I/O kit in the upper-layer driver code of Mac OS X which is identical to the code in FreeBSD.  A critical remotely exploitable FreeBSD flaw was found back in November 2005 and an official CVE was issued in January.  One critic (the one who called the SecureWorks video demo a "magic show") claimed this was preposterous because the MacBook Pro was shipped in February 2006 and surely Apple would have patched something that was known for three months.  Apple spokesperson Lynn Fox went as far as denying any risk with the FreeBSD vulnerability to Brian Krebs.

"Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products"

Now this statement has come back to haunt Apple.  Ironically, I had accidentally stumbled upon this when I asked Maynor and Ellch in my video interview if the Wi-Fi vulnerability was anything "like" the FreeBSD hack back in January.  I could have sworn I got a funny reaction from Maynor and Ellch but I figured they only reacted that way because not many people knew about the FreeBSD flaw.  Little did I know at the time that I had actually stumbled upon the truth and that the Apple Wi-Fi flaw was EXACTLY like the FreeBSD flaw because it's all the same code.

So where do we go from here?  Next week at the Toorcon security conference, Maynor and Ellch will present their findings on Apple to settle this once and for all.  I'll be there to cover the event and ask questions.  If anyone in the audience wants to ask Maynor and Ellch any questions but can't attend Toorcon, please post them in the talkback below and I'll try to get them answered for you.  I will be posting video of the interview.

* People are still demanding that I provide proof of an "orchestrated" assault.  I had originally stated that I would release the details within days but I could not get authorization from the source.  SecureWorks PR had promised to release an FAQ over a month ago but they haven't delivered anything and they seemed content to not rock the boat and allow the vicious attacks on Maynor and Ellch to go unanswered.  This information will be released next week at Toorcon as well.

Categories: Security, Mobile/Wireless, Networking, News, Hardware, ~Events~, Defcon2006

September 21, 2006

The real story on Vista application compatibility

Posted by George Ou @ 10:29 pm

First of all, I want to welcome Mary Jo Foley to ZDNet blogs.  I’ve had a blast debating some of her columns within the last few years correcting her when needed.  Fellow blogger Ed Bott has also debated Mary Jo Foley in a recent post where he pointed out how absurd it was to claim that "Vista will NEVER run on a $1000 PC".  This time, Mary Jo has pulled out the big bad Vista application compatibility boogie man Windows Vista preemptively breaks every Malware application to date and even referenced the time she blamed Windows XP SP2 firewall for breaking tons of applications when nothing could be further from the truth.

The problem is that Vista isn’t complete and, to be honest, those applications that break (mostly from UAC) really need to be broken for the sake of security.  Microsoft has gotten criticism for giving root-level permissions to all users by default in Windows XP, but many of those same critics criticize Windows Vista for attempting to fix it.  Part of the blame goes to Microsoft for not making it easy to seamlessly shift between a standard user and root user in pre-Vista operating systems, but much of the blame goes to lazy software vendors who write sloppy applications that rely on root-level permissions.  Now that UAC does go out of its way to make a locked down user permission model workable, it gets bashed for being too inconvenient and blamed for breaking applications.  UAC isn’t what’s breaking the application; it’s the sloppy, risky coding of the application bumping up against a locked down Vista permission model that is to blame.  Of course Microsoft isn’t just sitting by telling the ISVs (Independent Software Vendors) it’s their problem; they’ve provided simple-to-use tools like the Standard User Analyzer to help ISVs fix their code.

But there is an even easier way to make a sloppy legacy application work in Windows Vista and that’s called shimming.  (more…)

Categories: Security, Vista

September 20, 2006

Hardware DEP saves day again on VML IE exploit

Posted by George Ou @ 3:43 pm

After some testing on the VML zero-day exploit for Internet Explorer, I have managed to verify that hardware-enforced DEP will prevent the exploit from launching.  IE will simply generate a DEP error asking you if you want to make a DEP exception for Internet Explorer (to which you should say NO) and crash Internet Explorer.  Without hardware-enforced DEP, my test machine would have been owned by a ton of Malware from the websites I was testing on.

This is the third time in a row that hardware-enforced DEP has preemptively protected me from a zero-day Internet Explorer exploit.  The first time I verified this was with the WMF exploit, the second time was a zero-day IE exploit this March.  Therefore I highly recommend people enable DEP protection in Windows XP SP2 and Windows Server 2003 SP1 and never buy a CPU without NX or XD capability.  This DEP guide I did earlier this year is still relevant.  It doesn’t have the newer CPUs listed but they all have DEP capability except the cheapest Socket A CPUs from AMD.  But even with hardware-enforced DEP enabled, it is still a good idea to implement the workarounds for this VML exploit.

According to this blog (via Alex from Sunbelt BLOG), even software-enforced DEP will mitigate this VML issue.  This was not the case in the WMF zero-day exploit when only hardware-enforced DEP would work which means it isn’t worthless in all situations.  So even if you don’t have a modern CPU, you should follow this guide and implement DEP.  I’m a bit nervous about software-enforced DEP because Microsoft originally stated that it would work against the WMF exploit and then had to retract that claim.  But it’s better than nothing I guess.
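As an added example (not from the original post or from the DEP guide it links to), here is a PowerShell check that reports whether the CPU and firmware expose hardware NX/XD support and which DEP policy Windows is running under. It reads the DataExecutionPrevention_* properties of Win32_OperatingSystem, which exist on Windows XP SP2 and Windows Server 2003 SP1 and later; the policy names in the table are the documented meanings of the SupportPolicy codes.

```powershell
# Added example, not from the original post: report DEP support and policy via WMI.
# Requires Windows XP SP2 / Server 2003 SP1 or newer, where Win32_OperatingSystem
# exposes the DataExecutionPrevention_* properties.
function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Documented meanings of DataExecutionPrevention_SupportPolicy
    $policyNames = @{
        0 = 'AlwaysOff'
        1 = 'AlwaysOn'
        2 = 'OptIn  (Windows programs and services only)'
        3 = 'OptOut (all programs except listed exceptions)'
    }

    [pscustomobject]@{
        # True only when the CPU has NX/XD and the firmware has not disabled it;
        # without this, Windows can only provide software-enforced DEP.
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        AppliesTo32BitApps   = [bool]$os.DataExecutionPrevention_32BitApplications
        AppliesToDrivers     = [bool]$os.DataExecutionPrevention_Drivers
    }
}

$status = Get-DepStatus
$status | Format-List

if (-not $status.HardwareDepAvailable) {
    Write-Warning 'No hardware NX/XD support detected: only software-enforced DEP is possible on this machine.'
}
if ($status.Policy -like 'OptIn*' -or $status.Policy -eq 'AlwaysOff') {
    Write-Warning 'DEP is not protecting third-party programs; consider OptOut or AlwaysOn.'
}
```

On Windows XP SP2 and Server 2003 SP1 the policy is set with the /noexecute switch in boot.ini (OptIn, OptOut, AlwaysOn or AlwaysOff); on Windows Vista and later the equivalent is bcdedit /set nx with the same values. A warning that hardware DEP is unavailable on a machine with a modern CPU usually means NX/XD has been switched off in the BIOS.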

Categories: Security, Servers

How to defend against VML zero-day IE exploit

Posted by George Ou @ 3:50 am

On Monday, Sunbelt researcher Adam Thomas discovered a new undocumented zero-day exploit for Internet Explorer that attacks IE’s VML (Vector Markup Language) rendering code and it’s being actively exploited in the wild especially on porn sites.  This is the second zero-day exploit this month for Microsoft Internet Explorer that was released soon after Microsoft’s patch Tuesday yet Microsoft will not commit to a fix until October’s patch Tuesday on the 10th which is nearly three weeks away.  The same thing happened in March of this year when Microsoft refused to provide an out-of-band patch for Internet Explorer until the following patch Tuesday.  This means that users of Microsoft Internet Explorer will be wide open to an attack unless they implement the emergency work-around to disable VML rendering in Internet Explorer.

Like the WMF exploit work-around, users will need to issue a command to disable VML rendering until the official patch comes out.  The commands are:

Disable VML
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Enable VML
regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

To execute these commands, simply hit the "Start" button and click "Run".  Paste the disable VML command into the box and click OK.  You will get a "RegSvr32" popup notice that says DllUnregisterServer in … succeeded.  Once the patch is available and you’ve applied it, repeat the process with the enable VML command.

IT departments can disable or enable this on an enterprise scale using Active Directory Group Policies and Jesper Johansson has produced these instructions to help you with the Group Policy method (via Sunbelt BLOG via Sandi).  It is highly recommended that IT departments take advantage of these instructions since it isn’t practical to implement the work-around manually on a large number of computers.  This can also be done via login-script technology, but that only gets applied when users log in to their computer while connected to the network and may not take effect for a large number of users.  The Group Policy method is refreshed proactively every 15 minutes or so and all the clients will benefit from it.
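For the login-script route mentioned above, here is an added example (not from the original post, Microsoft or Sunbelt) that wraps the same regsvr32 work-around in a PowerShell script suitable for unattended use. It unregisters vgx.dll silently (or re-registers it once the patch is applied), checks the regsvr32 exit code, and then verifies the result by scanning HKEY_CLASSES_ROOT\CLSID for any InprocServer32 entry that still resolves to vgx.dll. It assumes the default vgx.dll path from the post and must run with local administrator rights.

```powershell
# Added example, not from the original post: login-script wrapper for the VML work-around.
# Usage:  .\vml-workaround.ps1 -Action Disable   (or -Action Enable after patching)
param(
    [ValidateSet('Disable', 'Enable')]
    [string]$Action = 'Disable'
)

# Default location of the VML renderer, as in the regsvr32 commands above
$vgxPath = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

function Test-VgxRegistered {
    # Returns $true if any COM class still points its in-process server at vgx.dll.
    foreach ($clsid in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        $server = "$($clsid.PSPath)\InprocServer32"
        if (-not (Test-Path $server)) { continue }
        $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        if ($dll -and $dll -like '*vgx.dll*') { return $true }
    }
    return $false
}

if (-not (Test-Path $vgxPath)) {
    Write-Host "vgx.dll not found at $vgxPath; nothing to do."
    exit 0
}

# /s keeps regsvr32 silent so no dialog blocks the logon script; /u unregisters.
$argList = @('/s')
if ($Action -eq 'Disable') { $argList += '/u' }
$argList += $vgxPath
& regsvr32.exe @argList
if ($LASTEXITCODE -ne 0) {
    Write-Error "regsvr32 returned exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Verify the registry actually reflects the requested state.
$registered = Test-VgxRegistered
if ($Action -eq 'Disable' -and $registered) {
    Write-Error 'vgx.dll is still registered; VML rendering was not disabled.'
    exit 1
}
if ($Action -eq 'Enable' -and -not $registered) {
    Write-Error 'vgx.dll is not registered; VML rendering was not re-enabled.'
    exit 1
}
Write-Host "VML rendering $($Action.ToLower())d (vgx.dll registered: $registered)."
```

The CLSID scan is the slow part (a few seconds on a typical machine) but it is what turns the script from "ran regsvr32" into "confirmed VML is off", which is what you want logged when rolling a work-around out to many clients. Running Internet Explorer as a standard user does not remove the need for this; the renderer is registered machine-wide.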

Other options include installing Opera or Mozilla Firefox, though it’s still a good idea to implement the above work-arounds since Internet Explorer is still present on the system.  Note that Mozilla comes with its own set of vulnerabilities, which in the last year was higher than Internet Explorer, so you’ll have to patch that code as well.  Opera had critical vulnerabilities too but nowhere near as many as Mozilla Firefox or Internet Explorer.  Even so, Mozilla and Opera vulnerabilities are targeted less often because it’s much easier and more fruitful to attack the dominant browser.

Categories: Security, Mobile/Wireless, Servers, News

September 19, 2006

How higher RPM hard drives rip you off

Posted by George Ou @ 4:55 am

PC enthusiasts are paying twice the money for a slower hard drive with a quarter of the storage capacity

In the storage industry, or any other technology industry, the golden rule of marketing is that larger numbers sell.  Regardless of what the numbers mean, large numbers are the only thing easily understood by the vast majority of consumers, and storage is no exception.  Conventional wisdom in the server and home enthusiast market says that more expensive high-RPM hard drives translate to better performance, but is this really true?  I’m going to debunk this myth once and for all and prove to you that not only are you paying more money but you’re getting less storage and less performance.

Storage performance for the vast majority of applications, other than rare cases such as a video distribution database or uncompressed HD video storage, relies almost solely on low access times, which translate directly to higher IOPS (Input/Output operations Per Second).  Database applications such as ERP and CRM rely heavily on IOPS performance while the role of transfer rate performance is nearly insignificant.  This is precisely why high-end database systems will use solid state flash-based storage even though flash memory tends to be four times slower than hard drives in terms of raw transfer rate.  The hard drive is like a dragster trying to compete against a "slower" Formula One car (flash memory) in a street race with lots of tight turns.  The name of the game for most applications when looking for the ideal hard drive is the device with the highest IOPS and the lowest access times.

Let’s look at a typical 147 GB high-end 15000 RPM hard drive with a super low average seek time of 3.7 milliseconds.  Average seek time is defined as the average time it takes the read/write head to move from one random track to another track on the hard drive.  We also need to account for rotational latency and the 15000 rotations per minute translates to 250 rotations per second which is 4 milliseconds per rotation.  This means that the average rotational latency is 2 milliseconds because it can be anywhere from 0 to 4 milliseconds.  Since the overall access time is determined by the sum of the average rotational latency and the average seek time, this high-end 15000 RPM hard drive has an average access time of 5.7 milliseconds.

This means it takes an average of just over 1/175th of a second for the hard drive to jump from one random location to another, so it can do a theoretical average of 175 IOPS for zero-size files.  If the operations were for files averaging 32 KB, then 150 of those files add up to 4.8 megabytes of data, which takes less than 1/10th of a second to transfer since the hard drive is capable of copying more than 10 times that much data in one second.  So the hard drive would spend a little less than 10% of its time doing actual data transfer instead of seeking for data, which lowers our IOPS result by approximately 10% for 32 KB data blocks, meaning we should expect to see 158 IOPS.  How accurate is this calculation?  If we look up Storage Review’s database for hard drive performance and jump to "IOMeter File Server - 1 I/O", we see that the Seagate Cheetah 15K.4 hard drive gets 159 IOPS in real world testing, so the prediction was accurate.

Now let’s take a look at a 300 GB 10000 RPM hard drive that costs slightly more than the 147 GB 15000 RPM hard drive.  This 10K RPM drive has an average rotational latency of 3 milliseconds which is 50% higher than the 15K RPM drive.  It has an average seek time of 4.3 ms which is half a millisecond slower than the 15K RPM drive.  Therefore the 10K RPM drive has an average access time of 7.3 milliseconds which means it can do a maximum of 137 IOPS for zero-size files.  For 36 KB files, it would take up roughly 10% of the IOPS performance which means we should expect to see around 124 IOPS.  Looking at the Storage Review performance database again, we see the actual benchmarked value is 124 IOPS.

So 159 IOPS beats 124 IOPS and we have an obvious performance winner, right?  Not so fast!  Remember that the 15K RPM drive is less than 1/2 the size of the 10K RPM drive.  This means we could partial stroke the hard drive (this is official storage terminology) and get much better performance levels at the same storage capacity.  The top 150 GB portion of the 10K drive could be used for performance while the second 150 GB portion of the 10K drive could be used for off-peak archival and data mirroring.  Because we’re partial stroking the drive using data partitions, we can effectively cut the average seek time in half to 2.15 ms.  This means the average access time of the hard drive is cut to 5.15 ms, which is actually better than the 15K RPM hard drive!  The partial stroked 10K RPM drive would produce a maximum of 194 IOPS, which is much better than the 175 IOPS of the 15K RPM drive.  So not only do we get an extra 150 GB archival drive for slightly more money, the active 150 GB portion of the drive is actually a better performer than the entire 147 GB 15K RPM drive.

But this is a comparison of server drive components, and we can actually see a more dramatic effect when we’re talking about the desktop storage market.  In that market, you will actually pay DOUBLE for 1/4th the capacity on 73 GB 10K RPM SATA drives compared to typical 300 GB 7200 RPM SATA hard drives.  Now the speed difference is more significant since the 7200 RPM drives have typical average seek times in the 8.9 millisecond range and you have to add 4.17 milliseconds average rotational latency for a relatively pathetic access time of 13.07 milliseconds.  The 10K RPM SATA drive designed for the enthusiast performance desktop market has an average access time of 7.7 milliseconds.  But since the 300 GB 7200 RPM drive is 4 times bigger than the 73 GB 10K drive, we can actually use quarter stroking and end up with a high-performance 75 GB partition along with a 225 GB partition we can use for large file archival such as a DVD collection.

By quarter stroking the 300 GB drive, we can actually shave 6.68 ms off the seek time which means we’ll actually end up with an average access time of 6.4 milliseconds which is significantly faster than the 10K RPM "performance" drive.  This means that PC enthusiasts are paying twice the money for a slower hard drive with a quarter of the storage capacity!
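The arithmetic in the post follows one model: average access time is the average seek time plus half a rotation, each I/O additionally costs block size divided by sustained transfer rate, IOPS is the reciprocal of that per-I/O time, and partial stroking scales the seek time by the fraction of the platter in use. As an added example (not from the original post or from Storage Review), here is that model as a reusable PowerShell function with the post's drives as the worked cases. The 50 MB/s transfer rate is an assumption; the post only says the drive moves "more than 10 times" 4.8 MB per second. The 4.7 ms seek for the 10K RPM SATA drive is derived from the post's 7.7 ms access time minus its 3 ms rotational latency.

```powershell
# Added example, not from the original post: the access-time / IOPS model used in the post,
# generalised to any spindle speed, seek time, block size and stroke fraction.
function Get-DriveIops {
    param(
        [int]$Rpm,                      # spindle speed in rotations per minute
        [double]$SeekMs,                # average full-stroke seek time in ms
        [double]$BlockKB = 0,           # average I/O size in KB (0 = zero-size files, as in the post)
        [double]$TransferMBps = 50,     # assumed sustained transfer rate in MB/s
        [double]$StrokeFraction = 1.0   # 1.0 = whole platter, 0.5 = partial stroke, 0.25 = quarter stroke
    )

    # Average rotational latency is half a rotation: (60000 ms / RPM) / 2
    $latencyMs = 60000.0 / $Rpm / 2

    # The post scales seek time linearly with the fraction of the platter in use
    $seekMs   = $SeekMs * $StrokeFraction
    $accessMs = $seekMs + $latencyMs

    # Time spent actually moving the block, which the post folds in as "roughly 10%"
    $transferMs = ($BlockKB / 1024.0) / $TransferMBps * 1000
    $perIoMs    = $accessMs + $transferMs

    [pscustomobject]@{
        Rpm       = $Rpm
        Stroke    = $StrokeFraction
        BlockKB   = $BlockKB
        LatencyMs = [math]::Round($latencyMs, 2)
        SeekMs    = [math]::Round($seekMs, 2)
        AccessMs  = [math]::Round($accessMs, 2)
        Iops      = [math]::Round(1000 / $perIoMs)
    }
}

# Worked cases from the post
@(
    Get-DriveIops -Rpm 15000 -SeekMs 3.7                          # 147 GB 15K, zero-size files
    Get-DriveIops -Rpm 15000 -SeekMs 3.7 -BlockKB 32              # 147 GB 15K, 32 KB blocks
    Get-DriveIops -Rpm 10000 -SeekMs 4.3                          # 300 GB 10K, zero-size files
    Get-DriveIops -Rpm 10000 -SeekMs 4.3 -BlockKB 36              # 300 GB 10K, 36 KB blocks
    Get-DriveIops -Rpm 10000 -SeekMs 4.3 -StrokeFraction 0.5      # 300 GB 10K, partial stroked to 150 GB
    Get-DriveIops -Rpm 7200  -SeekMs 8.9                          # 300 GB 7200 RPM SATA, whole platter
    Get-DriveIops -Rpm 7200  -SeekMs 8.9 -StrokeFraction 0.25     # same drive quarter stroked to 75 GB
    Get-DriveIops -Rpm 10000 -SeekMs 4.7                          # 73 GB 10K SATA (seek derived from 7.7 ms access)
) | Format-Table -AutoSize
```

Run as-is, the cases reproduce the post's access times and come within one IOPS of its 158, 124 and 194 figures. One caveat for anyone applying the model to their own drives: real seek time has a fixed head-settling component and does not fall in direct proportion to stroke length, so the linear scaling here gives an upper bound on what partial or quarter stroking buys; measure with a tool like IOMeter on the actual partition before committing to the layout.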

Categories: Servers, Fun Stuff, Hardware

September 15, 2006

Build a $300 HDTV media extender

Posted by George Ou @ 4:02 am

HDTVs are getting cheaper, especially older close-out models, and they’re becoming very common in the home.  Personal video storage on a home network is also getting very popular, but getting that video to the HDTV isn’t easy without paying for an expensive and extremely limited function HD media extender appliance.  But with a little spare time and some cheap commodity PC hardware you can build a superior HDTV media extender that can easily be upgraded to a full fledged media center machine for $300.

List of parts (including shipping)*

$45   Tower case with 300 watt power supply
$62   ECS NFORCE4M-A AM2 socket motherboard
$45   AMD Sempron 2800+ AM2
$68   ATI X1300 with 256 MB RAM (no fan)
$60   160 GB Hitachi Hard Drive
$23   256 MB DDR 400 MHz RAM
$0    MythTV and Ubuntu Linux (free download)
$303  Subtotal before taxes

* Note that I simply picked some low-price online retailers at random and I’m not necessarily endorsing them.  I’m only including the links for your reference.  It may be worth it to get everything from one or two vendors; you may be able to reduce some of the shipping costs and it’s easier to track the parts.  There are plenty of places on the web to search for these kinds of deals.

I did not go with a smaller format machine because it would actually cost a lot more money and lack the flexibility for upgrades such as TV/HDTV tuner cards and additional hard drives.  The smaller machines are also worse on noise levels because they’re crammed into a smaller space with louder, faster rotating small fans.  The power supply happens to be 300 watts, which is smaller than usual, but it’s still about 200 watts of overkill for this particular application.  Keeping the power supply smaller also increases power efficiency, so there is no point in going out for a 500 watt power supply.  A good 330 watt power supply is actually overkill for the highest end fully loaded Intel Core 2 Duo computer.

I went with the AMD Sempron 2800+ because it has plenty of computing power for a multimedia extender or even an HD PVR.  The motherboard has PCI-Express slots, which you’ll need for the video card, plus 4 SATA ports and 2 PATA IDE ports.  The ATI X1300 video card I listed is actually a superb performer for video playback and can even be used for some light gaming.  The X1300 is particularly attractive because it has no fan and therefore is completely silent, and it has the HDTV component analog output common on all HDTVs.  If you have a DVI input on your HDTV then that would be ideal, but HDMI would be your second choice although most versions don’t support non-interlaced input.  If you have an HDMI interface on your HDTV, you’ll need to get a DVI to HDMI cable.  Your worst choice for HDTV is the analog component option, for which you’ll need a component cable.

The hard drive is just something to store the OS on if you’re only going to use this as a media extender.  If you want to use this for DVR functionality, consider a $90 320 GB hard drive which offers a great bang for the buck.  You might even buy 2 or 3 of them if you’re going to use this as a DVR and a centralized file server.  You will want a gigabit Ethernet card if you’re going to use this as a file server which will cost anywhere from $15 to $40 for a desktop adapter.

The RAM is sufficient if you keep the number of services running to a minimum, though it wouldn’t hurt to add another 256 MB of RAM.  MythTV has become a phenomenon on Linux and it installs fairly easily on any modern desktop Linux distribution like Ubuntu Linux, and you can’t really argue about the price of either.  MythTV may be the killer app for Linux that allows Linux to penetrate the home market.  An OEM license for Windows will cost at least $70 and that doesn’t include media center functionality!  In a follow up blog, I’ll go over some TV and HDTV tuner cards.

Categories: Fun Stuff, Hardware

September 14, 2006

Mozilla and Microsoft and how we measure security flaws

Posted by George Ou @ 4:58 pm

I had the opportunity this week to speak with Window Snyder who just joined Mozilla as the lead security strategist.  Snyder was most recently a principal founder and CTO at Matasano Security and was a senior security strategist for Microsoft heavily involved in their security development lifecycle.  It’s no wonder why Mozilla would want to downplay the number and frequency of exploits. To kick off her new role at Mozilla, Snyder gave me a presentation that sought out to change the way people measure security.

The key issue raised by Snyder was that the current metrics for evaluating the security of a product are flawed.

  • The current metrics that the industry uses to measure the security of a product are based on the number and frequency of vulnerabilities in a product
  • Commercial vendors don’t always patch everything
  • Commercial vendors patch flaws through service packs and version upgrades which may hide the actual number of flaws

Citing people like Dan Geer and Allen Jones, Snyder and Mozilla believe that security metrics should be based on the following factors.

  • Days of risk (time between disclosure and patch)
  • Transparency of the patch process
  • Security of the architecture
  • Scope of fixes

I raised some issues and objections during the presentation because I don’t believe that the "current method", as Mozilla defines it, is completely flawed.  For example, how can we not look at the frequency and number of critical remotely exploitable flaws in a particular product?  A product that has a constant and plentiful stream of remotely exploitable flaws, regardless of how good the "transparency" or the "architecture" is, still stinks no matter how much perfume you spray on it.  While Microsoft has had a steady stream of problems with Internet Explorer, there is no getting around the fact that Mozilla Firefox within the last year has had a higher number and frequency of exploits.  It’s no wonder (more…)

Categories: Security

September 13, 2006

Microsoft ISA 2006 firewall adds new features

Posted by George Ou @ 3:16 pm

Tom Shinder gives a great summary and overview of the new features of Microsoft’s ISA firewall software.  One of the features that caught my eye was the addition of web server farm load balancing.  With the recent acquisition of Whale Communications which is an SSL VPN specialist, ISA 2006 is becoming much more competitive in the world of application layer firewall appliances.

Categories: Security, Networking, Servers, Hardware
