Whimsical Doublespeak

I’ve decided to continue pointing out where Mac people have no business making comments or articles about security.

This week, say hello to John Gruber of Daring Fireball!

External security — the threat of vulnerabilities that would allow malfeasants to compromise a victim’s iPhone — is a serious matter.

Hang on a second. Daring Fireball’s John Gruber is starting to talk about security after he got his head handed to him by HD Moore? Oh this should be delicious.

The conversation that I just cited between HD Moore and our dear friend John Gruber is about the MacBook wifi demonstration. At the time, John Gruber had “challenged” David Maynor to hijack a MacBook in front of him. Much to the chagrin of Gruber, Maynor showed little interest.

From HD Moore’s email:

This isn't even a personal attack against them; it's that they lack the technical skills required to understand this problem.

and later, a more blunt evaluation from Maynor:

John Gruber’s approval means nothing in the security community.

So dear reader, why should we be concerned about John Gruber these days? If anything he’s like the village idiot. Though, the village idiot is recognized by townspeople for what he is. Daring Fireball is still taken seriously. When Gruber speaks, thousands of fanboys hang on to his every word for comfort.

External security — the threat of vulnerabilities that would allow malfeasants to compromise a victim’s iPhone — is a serious matter.

This is a given. I’m glad that he’s changed tune slightly compared to his past comments, but let’s face it, he’d be foolish to deny that there are vulnerabilities in the iPhone: They’re being used to unlock the device.

As it stands in the current iPhone OS, all processes run as the root user

This has been discussed extensively by Rixstep here and here. It’s thanks to UID 0 that we’re able to unlock the iPhone so easily. All hackers have to do is find a vector where they crash the application and insert code behind it to run. There is no privilege escalation required. This isn’t news to anyone who keeps tabs on security stuff.

So when a buffer overflow can be exploited to allow remote code execution, that code can do anything.

Okay, we’re still doing good. We’re still being reasonable. Still being logical.

To allow third-party iPhone apps to run today would be to trust those third-party developers not to write code with any security flaws.

What???? HUH????

Okay, suddenly we’re going to accuse 3rd party developers of introducing security flaws? Wow. Somehow 3rd party apps are the ones that need fixing, and that everything Apple does is stellar.

Which makes no sense, because he already said a few sentences before that he realizes that Apple made a bit of a boo-boo with the decision to run everything at the root level.

Or did he?

Yes dear reader. Brace for impact.

And the hysteria over the iPhone’s current “everything runs as root” situation is overblown.

As a footnote to the above, John Gruber states the following:

Emphasis is mine.

It certainly is a curious question why all iPhone apps run as root. I don’t know the answer. But I’ll bet there’s an interesting engineering trade-off involved somewhere. If you think the reason is laziness or ignorance on the part of the iPhone OS X engineers, you’re an idiot.

If you don't know, then don't comment. Simple as that. I don't care to know why Apple's engineering staff decided that they were going to run everything as root. It's not important to me to try to bend my mind in a way it won't bend. The end result is that the iPhone is insecure and will not be taken seriously. I'd like to see Gruber tell the people at NASA that “you’re an idiot”. I'm sure they would probably say what David Maynor said. Basically that you're a nobody, and it would be a stretch to care.

Anyway, I'll leave you with a last bit of Gruber's wisdom. While reading this, try to read it with a critical eye. Perhaps postulate that Gruber doesn't really understand what root entails.

But all of your data — your email, your address book, your documents, everything your apps can read or write without administrator authentication — is vulnerable to any sort of hypothetical buffer overflow exploit on the Mac, and would be on the iPhone, too, even if iPhone apps didn’t all run as root. Sure, root privileges allow an exploit to do anything, but the most important thing on your system is your personal data, and an exploit doesn’t need root privileges to access that.

A good friend told me a twist on an old expression. "The Sky Is The Limit" doesn't apply to root on the computer system. "With root, there is no sky," he said. At least if a piece of malicious code were to execute, in an ideal iPhone situation (Read: No running as root) the worst it could do was play with your information. The system is still protected. It wouldn't be able to drop nasty keylogging or recording software to keep tabs on you, or whatever they can imagine. That isn't the case. There is no sky. There is no limit.

Either way, Gruber decides to address the root problem (which he already stated is not a problem??) with "some sort of sandbox" to keep people safe.

Applications on your Mac don’t run as root; they run under your user account.

What the iPhone needs before Apple will allow third-party apps to run is some sort of sandbox, a way to prevent application processes from being able to access things they shouldn’t be allowed to access

Yeah. We call that the principle of least privilege. It means not running your stuff as root. It's not that fancy, it's not sophisticated. It's been done for 30 years in the UNIX world. Microsoft just started catching on, though they didn't really pay full attention, when they started the UAC paradigm. John Gruber's decision to add complexity by making some "sort of sandbox" is a terrible idea. (Hint: This isn't JavaScript. Which speaking of, has had its fair share of breaking out of the sandbox problems.)

So on one hand it's not a problem and anyone who says that it is according to Gruber is "an idiot," while on the other hand Gruber takes out his computer hat and decides that we should have a "sandbox or something" (is the sandbox running as root???) for 3rd party applications. We'll ignore the question of "What happens when they break out of the sandbox," or any other questions because we're not going to put serious thought into a solution made by a guy that maybe can't even make a W3C compliant website. (Hint: no doctype.)
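
What "not running your stuff as root" looks like in practice, as an added example (not from the original post and not Apple's code): a UNIX process that starts as root gives it up for good before touching untrusted input, then proves in a child process that root cannot be regained. The function names and the use of 65534 as the "nobody" uid/gid are assumptions.

```c
/* Added example: permanent privilege drop, then a check that it held. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes setgroups() in <grp.h> */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently switch to an unprivileged uid/gid. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) return -1;       /* "dropping" to root is not a drop */
    /* Order matters: groups, then gid, then uid. After the uid is gone the
       process no longer has the right to change its groups. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)   /* never ignore these results */
        return -1;
    /* Confirm real and effective ids all changed, not just some of them. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Child drops, then tries to get root back. 0 = drop held, 1 = root regained,
   2 = drop failed, -1 = fork/wait error. */
int drop_in_child(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(2);
        _exit(setuid(0) == 0 ? 1 : 0);          /* must fail after a real drop */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int root = (geteuid() == 0);   /* 65534 = conventional "nobody" id (assumption) */
    int r = drop_in_child(root ? 65534 : getuid(), root ? 65534 : getgid());
    printf("drop_in_child -> %d (0 means root could not be regained)\n", r);
    return r;
}
```

Code that crashes and gets hijacked after `drop_privileges()` returns 0 inherits only the unprivileged identity, which is the "sky" the post says is missing when everything runs as UID 0.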

External security — the threat of vulnerabilities that would allow malfeasants to compromise a victim’s iPhone — is a serious matter.

Sure. Keep contradicting yourself.

EDIT: It seems that Wired has picked up on this subject as well: "IPhone's Security Rivals Windows 95". Fairly accurate title.