By Joe Barr
September 04, 2006
Jon Ellch -- aka Johnny Cache -- was one of the presenters of the now
infamous "faux disclosure"  at Black Hat and DEFCON last month.
Ellch and co-presenter Dave Maynor have gone silent since then,
fueling speculation that the entire presentation may have been a hoax.
Ellch finally broke the silence in an email to the Daily Dave security
mailing list  over the weekend, and one thing is clear: he is
chafing under the cone of silence which has been placed over the two
Ellch explains their silence since the presentations in his email by
Secureworks absolutely insists on being exceedingly responsible and
doesn't want to release any details about anything until Apple
issues a patch. Whether or not this position was taken after a
special ops team of lawyers parachuted in out of a black helicopter
is up for speculation.
He also went on to explain that while the debate was centered in the
Mac blogger community, it made no sense to discuss it because most of
them wouldn't understand the explanation if he gave it, adding, "Since
this conversation has moved into a venue of people who can actually
grasp the details of this, I'm ready to start saying something."
Ellch then breaks down the elements of the vulnerability and possible
exploits, but in the context of Intel drivers rather than Apple's,
asking and then answering the obvious question of why he did so when
he wrote: "Why am I switching the subject from Apple's bug to Intel's?
Because it's patched, and Secureworks has no influence over what I say
regarding this one."
He buttressed his explanation of how he crashed the Intel Centrino
driver by creating a race condition by flooding it with UDP packets
and disassociation requests with links to dumps of crashes he caused
using this technique.
Ellch notes that a crash caused this way doesn't guarantee a
successful exploit, saying "If you're lucky, your UDP packet will end
up on the stack. If you're less lucky, a beacon packet from a nearby
network will end up on the stack. In the case where I successfully
overwrote eip (Extended Instruction Pointer), the UDP packet was 1400
He also responded to criticisms that he and Maynor have simply been
"playing the media" instead of reporting an actual vulnerability and
You know, of all the comments I see, the ones that 'we played the
media' make the least sense. Have you ever seen me in the news
before? No. Have I ever talked to a reporter before? No. Am I doing
a very good job of winning this PR smear campaign lynn fox ignited?
No. If I was so deft at manipulating the media, would I be
explaining myself on dailydave praying that a few technically
competent people will actually get it?
I contacted Ellch by email after reading his post and asked if he was
claiming Apple is the cause of their silence. He replied:
Let's just say its pretty obvious I'm not happy about being silent.
So much so that i'm releasing non-apple bugs to convince people that
we do in fact know what we're talking about.
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/