[conspire] 21st century web platforms

Rick Moen rick at linuxmafia.com
Sun Feb 16 20:50:57 PST 2020


Quoting Paul Zander (paulz at ieee.org):

> I decided to give a listen to the show.  I don't pretend to be
> anything like a security expert and was hoping I might learn
> something.

If you want to learn more about security, there are _excellent_ places
to do so, but sadly Leo Laporte's show on the subject, despite him being
an urbane radio host, is almost certainly not among them.  It's, as you
suggest, a news digest show, and the biggest problem is that neither
Laporte nor Mr. Gibson, his (apparently frequent) guest commenter,
actually understands the subject.

I can firmly recommend:  Bruce Schneier's blog ('Schneier on Security'), 
Brian Krebs's blog ('Krebs on Security'), Schneier's several books
on security for the intelligent layman (such as _Beyond Fear_ and _Liars
and Outliers_), and an old favourite:  RISKS Digest.

https://www.schneier.com/
https://krebsonsecurity.com
https://www.schneier.com/books/
https://catless.ncl.ac.uk/Risks/

Oh, and one other thing:  The original first edition of _Firewalls and
Internet Security: Repelling the Wily Hacker_ by Cheswick and Bellovin
is offered free of charge by the authors in PDF format.  It's a classic:
Although nominally all about a specialised subtopic, how to design and
construct your own Unix-based firewall, in the process of reading and
fully understanding it, I learned a whole hell of a lot about real
computing security.

I could also recommend, if only for their kick-ass attitude and
accumulated wisdom, a lot of the Internet essays of Marcus Ranum that he
keeps at ranum.com.  Ranum is cynical, funny as all hell, and deeply
knowledgeable about the subject.


> I was about to close the window, but Rick's email gave me a clue to
> skip the first 2 hours.  The discussion about Apple and iOS started by
> pointing at a bad actor in China who had found security holes and was
> sharing it with others.  If only this one bad guy had just kept quiet
> then iOS many might still _believe_ that 3rd party apps don't pose any
> security risk.

As usual, the problem is that Gibson was tragically underinformed (to be
polite, though one could equally say 'totally out of his depth').  As
one of the Reddit guys put it (part of what I quoted earlier):

  This Chinese "hacked" Xcode just inserts some extra but
  normal code into the app, code that does normal app things
  but just not intended by the app developers.

And the other Redditor added:

  Privileged platform functions can only be accessed via RPC (Apple's
  flavor is called XPC), and all XPC connections need to be allowed
  using an appropriate entitlement. Apple won't allow arbitrary entitlements
  for App Store apps, and the entitlement blob is part of a signed binary, so
  they're not forgeable at runtime.

  What they're talking about are private APIs, and those aren't privileged
  (at least not supposed to be), and you can access those just as easily
  in C calling function addresses directly instead of names.

Gibson had absolutely no knowledge of the sandboxing and of the _actual_
restrictions on access to privileged platform functions, and recited a 
bunch of drivel about how Obj-C's dynamic string bindings supposedly 
prevented Apple from restricting what third-party iOS apps can do.
He therefore spoke as if it were the case that Obj-C code had inherently
uncontrollable access to functions in a way that is inherently not a
problem with C code (untrue), and as if the ability to reach private APIs
of any kind equated to zero platform security (also untrue).

So, basically the entire basis of what he said was a misinterpretation
of the private APIs problem, crossed with an incompetent assessment of 
what dynamic string binding implies and doesn't imply -- with the result
that his analysis was utter bullshit.

Ruben, come clean on us, please:  Was this really the podcast that
impressed you so much with the supposed inherent security hopelessness
of Obj-C?  I'm not finding any other such podcast, and this one matches
the date range you mentioned.  (You remembered 2014, and this one was
from 2015.)


> Anyway, you can list me as another person who is extremely
> underwhelmed by Mr. Gibson.  I would have preferred a random video of
> cats.

Gibson popped up as a sudden software celebrity and frequent speaker in
the 1980s, back when I was one of the newsletter staff at Diablo PC User
Group in Walnut Creek.  Gibson's firm Gibson Research Corporation
(grc.com) suddenly showed up in 1985.  His big first moneymaker was a
hard disk utility called SpinRite (1988), which claimed to do all sorts
of magic things to make hard disks more reliable and improve their
durability and performance, and in reality SpinRite in its heyday was
practically a one-trick pony:  It tested MFM-type hard drives to find
the best-performing interleave setting, and then (destructively; i.e.,
you'll need to restore from backup) rewrote the low-level formatting
information with the new interleave factor.

For those unfamiliar with that now-obsolete hard drive concept:
https://en.wikipedia.org/wiki/Interleaving_(disk_storage)

If you actually knew something about MFM hard drives (decades obsolete
by now), you realised that _you didn't need SpinRite to accomplish this_,
but Gibson sold a ton of copies anyway.

In recent decades, his firm has seemed to be mostly flogging a new
moneymaker, a ridiculous online service called ShieldsUP.
https://en.wikipedia.org/wiki/ShieldsUP

It was in listening to the man flog this service for the first time that
I realised Gibson doesn't merely not know security, but rather he
worsens that problem with a subtractive process whereby he continually
also 'learns' and seeks to pass along to others knowledge that is simply
untrue.  People who listen to this idiot for too long need to be coaxed
back upwards to zero _before_ they can learn anything real on the
subject.

I could do a whole rant here about why his service and its foundational
assumptions are rubbish, but I've gone on long enough already.