[conspire] 21st century web platforms

paulz at ieee.org
Sun Feb 16 19:06:20 PST 2020


I decided to give a listen to the show.  I don't pretend to be anything like a security expert and was hoping I might learn something.
What I heard was lots of blah, blah, blah.  There was an ad for bed sheets, and promotion of some website that sells some kind of training.  When I thought that Gibson was about to stop just rambling and say something with technical content, he rambled about what he had said in previous shows, or made a big thing that he had just learned something important and that we all should stay tuned because it was important.

I was about to close the window, but Rick's email gave me a clue to skip the first 2 hours.  The discussion about Apple and iOS started by pointing at a bad actor in China who had found security holes and was sharing them with others.  If only this one bad guy had just kept quiet, then many iOS users might still _believe_ that 3rd party apps don't pose any security risk.

The bit about Apple's business plan IMO is parallel to some other businesses we have discussed.   The company has a promising product and it is being well received.  Then they made some changes and sales increased even more.  Then it is discovered that there is now a serious flaw that hadn't been a problem with the initial offering.  But now the product is such a huge profit maker the company execs don't want to say anything negative.  In fact they actively attempt to avoid the subject and don't mention it in documentation and training.
Anyway, you can list me as another person who is extremely underwhelmed by Mr. Gibson.  I would have preferred a random video of cats.


On Saturday, February 15, 2020, 11:31:29 PM PST, Rick Moen <rick at linuxmafia.com> wrote:

 Quoting Ruben Safir (ruben at mrbrklyn.com):

> it became apparent that the Objective-C platform for iOS phones could
> never be secured because every object in the platform could be easily
> accessed for core methods through simple messaging from any external
> source.
> 
> that is the inherent problem with DCOM messaging and OLE
> 
> you can't control the messages objects receive and objects are loaded
> with both documented and undocumented methods waiting for triggers
> 
> at one time, i heard a wonderful and detailed podcast on this subject,
> about 2014? but i can't find it.  it was really detailed and very
> thorough, but i can't find it.  but this was part of the reason for
> replacing Objective-C: you just can't secure it.

Possibly this Nov. 3, 2015 screed by Steve Gibson on 'Security Now':
https://twit.tv/shows/security-now/episodes/532
Looks like he finally gets to the point around 1:49:00.

I've spent decades being extremely underwhelmed by Mr. Gibson.  Even
a stopped clock is right twice a day, of course.  He's a middlebrow
showman and promoter who doesn't actually understand the first thing
about computing technology, let alone security.  (All the rubbish he's
_even now_ still spewing about Spinrite is just embarrassing.)

My admittedly very bigoted hunch is that Gibson's analysis on the cited
point (can't secure anything built on Obj-C because undocumented APIs
exist and because there's no conceivable alternative to fully trusting
applications that can call them, because dynamic binding of strings,
blah blah, etc.) _might_ be in-full-context underinformed bullshit like
most of everything else he's said for the past 40 years, but I don't
have time or domain knowledge adequate to vet what he says.

Of course, it's entirely possible if not likely that the podcast you
have in mind is from someone who's far less of a dolt (who served as
Gibson's source, e.g., a 13-page paper he mentions several times).

However...

Deirdre says a key point he says just before 2:00:00 is sadly correct,
that Apple dealt at one point with the threat from dangerous functions
by deleting references to them from header files, i.e., de-documenting
them, which of course is security theatre and a truly terrible decision.
And his further comments on that point and further Apple follies seem
valid, too, if he's correct that that is _all_ Apple was doing about the
called-functions problem.

_But_ Gibson has a consistent pattern of spewing misinformation on
account of being underinformed, and I greatly doubt he has all the
relevant facts here, either.  (E.g., I hear no recognition whatsoever
that iOS apps run chrooted.)

And what he says at 2:07:00, etc., about the C language being securable
because it supports only static binding of strings whereas Obj-C poses
dangers because it can do dynamic binding at runtime is hilariously
wrong, as is obvious from the fact that everything that runs Obj-C is
_written in C_.

Necessary disclosure:  I was interviewed on-air in 1997 by the same guy,
Leo Laporte, who is the show host here, about the Linux community and
about Windows Refund Day.  He was gracious and competent, but everything
needed to be dummied-down for a general computerist audience, which was
just a little depressing to experience.
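An added illustration (not from the thread or from either correspondent) of the two points Rick makes above: binding a string name to a function at runtime is ordinary C, and an Objective-C runtime's method lookup is built from exactly this kind of name-to-implementation table. The selector names and functions here are made up; note that one implementation is registered in the table while declared in no header, so "de-documenting" it changes nothing the runtime can see.

```c
/* Minimal "message send" in plain C: selectors are strings, resolved at
 * runtime against a method table, the way an Obj-C class's method list
 * maps selector names to implementations. Names below are invented. */
#include <stdio.h>
#include <string.h>

typedef long (*imp_t)(long);

struct method { const char *selector; imp_t imp; };

static long twice(long x) { return 2 * x; }

/* Deliberately declared in no header: removing a declaration only hides
 * the name from the compiler, not from a runtime lookup by string. */
static long undocumented_triple(long x) { return 3 * x; }

static const struct method method_list[] = {
    { "twice",  twice },
    { "triple", undocumented_triple },
};

/* Equivalent of searching a class's method list for a selector. */
static imp_t lookup(const char *selector) {
    size_t n = sizeof method_list / sizeof method_list[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(method_list[i].selector, selector) == 0)
            return method_list[i].imp;
    return NULL;
}

/* Like -respondsToSelector: -- 1 if the name resolves, else 0. */
static int responds_to(const char *selector) { return lookup(selector) != NULL; }

/* Send "selector" with one argument; *ok reports whether it was resolved,
 * so an unknown name is a clean failure rather than a crash. */
static long msg_send(const char *selector, long arg, int *ok) {
    imp_t imp = lookup(selector);
    *ok = (imp != NULL);
    return imp ? imp(arg) : 0;
}

int main(void) {
    const char *names[] = { "twice", "triple", "quadruple" };
    for (int i = 0; i < 3; i++) {
        int ok;
        long r = msg_send(names[i], 7, &ok);
        printf("%-10s -> %s (%ld)\n", names[i], ok ? "resolved" : "unknown", r);
    }
    return 0;
}
```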
