[conspire] 21st century web platforms

Rick Moen rick at linuxmafia.com
Sat Feb 15 23:30:51 PST 2020


Quoting Ruben Safir (ruben at mrbrklyn.com):

> it became apparent that the objective-C platform for ios phones could
> never be secured  because every object in the platform could be easily
> accessed for core methods through simple messaging from any external
> source.
> 
> that is the inherent problem with dcom messaging and ole
> 
> you can't control the messages objects receive and objects are loaded
> with both documented and undocumented methods waiting for triggers
> 
> at one time, I heard a wonderful and detailed podcast on this subject,
> about 2014? but I can't find it.  it was really detailed and very
> thorough, but I can't find it.  but this was part of the reason for
> replacing Objective-C   you just can't secure it.

Possibly this Nov. 3, 2015 screed by Steve Gibson on 'Security Now':
https://twit.tv/shows/security-now/episodes/532
Looks like he finally gets to the point around 1:49:00.

I've spent decades being extremely underwhelmed by Mr. Gibson.  Even
a stopped clock is right twice a day, of course.  He's a middlebrow
showman and promoter who doesn't actually understand the first thing
about computing technology, let alone security.  (All the rubbish he's
_even now_ still spewing about Spinrite is just embarrassing.)

My admittedly very bigoted hunch is that Gibson's analysis on the cited
point (can't secure anything built on Obj-C because undocumented APIs
exist and because there's no conceivable alternative to fully trusting
applications that can call them, because dynamic binding of strings,
blah blah, etc.) _might_ be in-full-context underinformed bullshit like
most of everything else he's said for the past 40 years, but I don't
have time or domain knowledge adequate to vet what he says.

Of course, it's entirely possible if not likely that the podcast you
have in mind is from someone who's far less of a dolt (who served as
Gibson's source, e.g., a 13-page paper he mentions several times).

However...

Deirdre says a key point he says just before 2:00:00 is sadly correct,
that Apple dealt at one point with the threat from dangerous functions
by deleting references to them from header files, i.e., de-documenting
them, which of course is security theatre and a truly terrible decision.
And his further comments on that point and further Apple follies seem
valid, too, if he's correct that that is _all_ Apple was doing about the
called-functions problem.

_But_ Gibson has a consistent pattern of spewing misinformation on
account of being underinformed, and I greatly doubt he has all the
relevant facts here, either.  (E.g., I hear no recognition whatsoever
that iOS apps run chrooted.)

And what he says at 2:07:00, etc., about the C language being securable
because it supports only static binding of strings whereas Obj-C poses
dangers because it can do dynamic binding at runtime is hilariously
wrong, as is obvious from the fact that everything that runs Obj-C is
_written in C_.

Necessary disclosure:  I was interviewed on-air in 1997 by the same guy,
Leo Laporte, who is the show host here, about the Linux community and
about Windows Refund Day.  He was gracious and competent, but everything
needed to be dummied-down for a general computerist audience, which was
just a little depressing to experience.
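
[Added example, not from the post above and not Apple's or any Obj-C
runtime's code.]  The static-vs-dynamic binding point can be shown in
plain C: Objective-C's objc_msgSend is itself a C routine that takes a
selector *string* and finds the implementation at run time, and the
same lookup-by-name exists in plain C via dlsym(3).  The toy below models
that dispatch with a selector table.  The "Widget" class, its selectors
and the idea of a "de-documented" method whose prototype appears in no
header are made up for illustration.  The point it makes: removing a
method from the headers does nothing, because the caller never needed
the header, only the name.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the post): a minimal model of Objective-C style
 * message dispatch in plain C.  A "class" is a table of selector-string ->
 * implementation pairs; sending a message is a run-time string lookup,
 * which is what objc_msgSend does for real.  Class, selectors and method
 * bodies are invented. */

typedef int (*imp_t)(void *self, int arg);

struct method {
    const char *selector;
    imp_t imp;
};

struct object {
    const char *class_name;
    const struct method *methods;
    size_t nmethods;
};

static int widget_double(void *self, int x) { (void)self; return x * 2; }

/* Pretend this method was "de-documented": its prototype is in no header.
 * It is still in the dispatch table, so it is still reachable by name. */
static int widget_private_scale(void *self, int x) { (void)self; return x * 1000; }

static const struct method widget_methods[] = {
    { "doubleValue:",   widget_double },
    { "_privateScale:", widget_private_scale },
};

static struct object widget = { "Widget", widget_methods, 2 };

/* respondsToSelector: analogue.  The key is a string compared at run time;
 * nothing the compiler saw (or did not see) in a header matters here. */
static imp_t resolve(const struct object *obj, const char *selector)
{
    for (size_t i = 0; i < obj->nmethods; i++)
        if (strcmp(obj->methods[i].selector, selector) == 0)
            return obj->methods[i].imp;
    return NULL;
}

/* objc_msgSend analogue: returns 1 and stores the result if the object
 * responds to the selector, 0 otherwise (a real runtime would throw
 * "unrecognized selector sent to instance"). */
int msg_send(struct object *obj, const char *selector, int arg, int *result)
{
    imp_t imp = resolve(obj, selector);
    if (!imp)
        return 0;
    *result = imp(obj, arg);
    return 1;
}

/* Value-returning wrapper: the method's result, or `missing` if the
 * selector is unrecognized. */
int send_or(struct object *obj, const char *selector, int arg, int missing)
{
    int r;
    return msg_send(obj, selector, arg, &r) ? r : missing;
}

/* Assemble the selector from pieces at run time, as NSSelectorFromString on
 * externally supplied input would.  The full name "_privateScale:" never
 * appears as a literal anywhere in the caller. */
int send_assembled(struct object *obj, const char *prefix, const char *suffix,
                   int arg, int missing)
{
    char selector[64];
    if (snprintf(selector, sizeof selector, "%s%s", prefix, suffix)
            >= (int)sizeof selector)
        return missing;                 /* would not fit; treat as unrecognized */
    return send_or(obj, selector, arg, missing);
}

int main(void)
{
    printf("doubleValue: 21   -> %d\n", send_or(&widget, "doubleValue:", 21, -1));
    printf("_privateScale: 3  -> %d  (no header, still callable)\n",
           send_assembled(&widget, "_private", "Scale:", 3, -1));
    printf("noSuchMethod: 1   -> %d  (unrecognized selector)\n",
           send_or(&widget, "noSuchMethod:", 1, -1));
    return 0;
}
```

The only thing that actually constrains which selectors an app can send is
what the runtime and the platform enforce at run time (sandboxing, entitlement
checks, App Store review scanning binaries for private selector strings, and
so on); editing header files changes what compiles cleanly, not what can be
called.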
