<html><head></head><body><div class="ydp98413c40yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
<div dir="ltr" data-setdir="false">I decided to give a listen to the show. I don't pretend to be anything like a security expert and was hoping I might learn something.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">What I heard was lots of blah, blah, blah. There was an ad for bed sheets, and promotion of some website that sells some kind of training. When I thought that Gibson was about to stop just rambling and say something with technical content, he rambled about what he had said in previous shows, or made a big thing that he had just learned something important and that we all should stay tuned because it was important. <br></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">I was about to close the window, but Rick's email gave me a clue to skip the first 2 hours. The discussion about Apple and iOS started by pointing at a bad actor in China who had found security holes and was sharing them with others. If only this one bad guy had just kept quiet, then many iOS users might still _believe_ that 3rd party apps don't pose any security risk.<br></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">The bit about Apple's business plan IMO is parallel to some other businesses we have discussed. The company has a promising product and it is being well received. Then they make some changes and sales increase even more. Then it is discovered that there is now a serious flaw that hadn't been a problem with the initial offering. But now the product is such a huge profit maker that the company execs don't want to say anything negative. In fact they actively attempt to avoid the subject and don't mention it in documentation and training.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Anyway, you can list me as another person who is extremely underwhelmed by Mr. Gibson. 
I would have preferred a random video of cats.<br></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><br></div></div><div id="ydp3e92ebb5yahoo_quoted_2873408653" class="ydp3e92ebb5yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Saturday, February 15, 2020, 11:31:29 PM PST, Rick Moen <rick@linuxmafia.com> wrote:
</div>
<div><br></div>
<div><br></div>
<div>Quoting Ruben Safir (<a href="mailto:ruben@mrbrklyn.com" rel="nofollow" target="_blank">ruben@mrbrklyn.com</a>):<br><br>> it became apparent that the Objective-C platform for iOS phones could<br>> never be secured because every object in the platform could be easily<br>> accessed for core methods through simple messaging from any external<br>> source.<br>> <br>> that is the inherent problem with DCOM messaging and OLE<br>> <br>> you can't control the messages objects receive and objects are loaded<br>> with both documented and undocumented methods waiting for triggers<br>> <br>> at one time, I heard a wonderful and detailed podcast on this subject,<br>> about 2014? but I can't find it. it was really detailed and very<br>> thorough, but I can't find it. but this was part of the reason for<br>> replacing Objective-C: you just can't secure it. <br><br>Possibly this Nov. 3, 2015 screed by Steve Gibson on 'Security Now':<br><a href="https://twit.tv/shows/security-now/episodes/532" rel="nofollow" target="_blank">https://twit.tv/shows/security-now/episodes/532</a><br>Looks like he finally gets to the point around 1:49:00.<br><br>I've spent decades being extremely underwhelmed by Mr. Gibson. Even<br>a stopped clock is right twice a day, of course. He's a middlebrow<br>showman and promoter who doesn't actually understand the first thing<br>about computing technology, let alone security. (All the rubbish he's<br>_even now_ still spewing about Spinrite is just embarrassing.)<br><br>My admittedly very bigoted hunch is that Gibson's analysis on the cited<br>point (can't secure anything built on Obj-C because undocumented APIs<br>exist and because there's no conceivable alternative to fully trusting<br>applications that can call them, because dynamic binding of strings,<br>blah blah, etc.) 
_might_ be in-full-context underinformed bullshit like<br>most of everything else he's said for the past 40 years, but I don't<br>have time or domain knowledge adequate to vet what he says.<br><br>Of course, it's entirely possible if not likely that the podcast you<br>have in mind is from someone who's far less of a dolt (who served as<br>Gibson's source, e.g., a 13-page paper he mentions several times).<br><br>However...<br><br>Deirdre says a key point he says just before 2:00:00 is sadly correct,<br>that Apple dealt at one point with the threat from dangerous functions<br>by deleting references to them from header files, i.e., de-documenting<br>them, which of course is security theatre and a truly terrible decision.<br>And his further comments on that point and further Apple follies seem<br>valid, too, if he's correct that that is _all_ Apple was doing about the<br>called-functions problem.<br><br>_But_ Gibson has a consistent pattern of spewing misinformation on<br>account of being underinformed, and I greatly doubt he has all the<br>relevant facts here, either. (E.g., I hear no recognition whatsoever<br>that iOS apps run chrooted.)<br><br>And what he says at 2:07:00, etc., about the C language being securable<br>because it supports only static binding of strings whereas Obj-C poses <br>dangers because it can do dynamic binding at runtime is hilariously<br>wrong, as is obvious from the fact that everything that runs Obj-C is<br>_written in C_.<br><br>Necessary disclosure: I was interviewed on-air in 1997 by the same guy,<br>Leo Laporte, who is the show host here, about the Linux community and<br>about Windows Refund Day. 
He was gracious and competent, but everything<br>needed to be dummied-down for a general computerist audience, which was<br>just a little depressing to experience.<br><br><br><br>_______________________________________________<br>conspire mailing list<br><a href="mailto:conspire@linuxmafia.com" rel="nofollow" target="_blank">conspire@linuxmafia.com</a><br><a href="http://linuxmafia.com/mailman/listinfo/conspire" rel="nofollow" target="_blank">http://linuxmafia.com/mailman/listinfo/conspire</a><br></div>
</div>
</div></body></html>