July 31st, 2008
Black Hat talk on Apple encryption flaw pulled
Brian Krebs from the Washington Post “Security Fix” blog reported that one of the talks slated for next week’s Black Hat convention, on a previously undisclosed flaw in Apple’s FileVault encryption system, has been canceled, with the researcher citing confidentiality agreements as the reason he will not be speaking.
The article states:
Charles Edge, a researcher from Georgia, had been slated to discuss his research on a weakness that could be used to defeat FileVault encryption on the Mac. But sometime last week, Black Hat organizers pulled his name and presentation listing from its schedule of talks.
Contacted via cell phone, Edge said he signed confidentiality agreements with Apple, which prevents him from speaking on the topic and from discussing the matter further.
Ah, the week before Black Hat, almost as much fun as Black Hat itself. It’s like the week before Christmas. It’s unfortunate we will have to miss out on this research.
I find it interesting that Apple is more than happy to let its own employee, Alex Ionescu, discuss flaws in the Microsoft Windows Kernel, but not willing to allow another researcher to talk about Apple. Perhaps Microsoft does not have an NDA with Alex, so they can’t force the issue, but I think it is pretty strange that it is fine for one of Apple’s researchers to discuss issues facing Microsoft, but it is unreasonable for another researcher to discuss issues facing Apple.
CORRECTION: Alex Ionescu is not — and never was — an Apple employee. He was once an intern at Apple.
In any case, I’m glad Alex is speaking; please don’t take this as a call-out against his talk. In fact, his talk is one of those I’m most looking forward to… I just wish that Charles Edge would be allowed to present his research as well, NDA or no NDA.
-Nate

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.