SERIES: Security Now!
DATE: April 12, 2016
HOSTS: Steve Gibson & Leo Laporte
DESCRIPTION: Leo and I try to cover all of an insanely busy week's security events and news. A draft of the much-anticipated Burr-Feinstein encryption bill has appeared; news from the FBI on hacking iPhones; browser and Let's Encrypt news; several CCTV malware bits; a bunch of new ransomware; an amazing “You're Doing It Wrong”; and the result of my deep dive into the Open Whisper Systems “Signal” communications protocol that's finally been fully integrated into the world's #1 multiplatform messaging system, WhatsApp, along with two things that MUST be done to get true security.
SHOW TEASE: It's time for Security Now!. Steve Gibson is here. Last week, WhatsApp flipped the switch for encryption for a billion users. But how good is WhatsApp encryption? Steve gives us his analysis, plus all the security news, next on Security Now!.
LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 555, recorded April 12th, 2016: WhatsApp Encryption.
It's time for Security Now!, the show where we cover your security and privacy in technology. And nobody does a better job than Steve Gibson from GRC.com, the creator of SpinRite, sure. But many don't know he was the person who literally discovered spyware, named it, and wrote the first antispyware tool. He's been a security expert and covering security kind of on his own for some time, and of course for the last 10 years right here on Security Now!.
STEVE GIBSON: Thanks to you.
LEO: Yeah. I'm so glad, you know, one of our most popular shows. And the downloads are going up and up and up. And I guess really with today's climate I'm not surprised.
STEVE: Yeah. I mean, it's a mixed blessing. We have a huge show. We're going to talk about the WhatsApp app and its underlying protocol, which has been renamed Signal, in order to simplify it because no one knows how to pronounce the name of the endangered Axolotl healing newt.
LEO: But it's a good name, A, because you can easily get the domain; but, B, because that's the newt that, as you said, self-healing when its tail gets bit off. It's a salamander or something.
STEVE: It says, ah, not a problem.
LEO: No problem.
STEVE: Just grow another one.
STEVE: But the news did drop this morning, as expected about [gasp] Badlock, which turns out not to be.
LEO: Wasn't that bad. Oh, good.
STEVE: We have a draft of the Burr-Feinstein bill that we've been talking about for several weeks and anticipating; news about the country of Hungary going even further than Burr and Feinstein; news on the iPhone FBI hack; some worrisome news about some innards of Firefox's extension-handling architecture. Let's Encrypt gets a huge new supporter with a gazillion domains. Two weird coincidences - coincidences?
LEO: Yeah, or coinkydinks, depends on…
STEVE: Of CCTV malware.
STEVE: A bunch of ransomware news. An amazing “you're doing it wrong” in the U.K. involving their power meters, which is shocking. And then we'll talk about WhatsApp. And there are two things that must be done, which are not default, if you actually want more than an illusion of security. But if you do those, oh my god, I mean, this is like the LastPass of communications. These guys absolutely nailed it. And it's also interesting that it has taken years.
Back in 2013 they were looking at the OTR protocol, the Off The Record protocol that we talked about once. And it's funny because, in digging deep into this, I remembered some things we had covered in the past, like there was this notion of repudiation where you would want to be able to claim that you never sent that message, if it was in your interest to do so. And you'll remember, Leo, that the crazy OTR protocol, like after the message authentication code had been expired, it deliberately published it, like publicly, in the protocol, in plaintext, just to sort of thumb its nose at anyone trying to prove that somebody sent something. They said, no, we're going to make it impossible to prove that by deliberately expiring authentication keys. But after they're no longer of any value for authenticating the current message, we'll publish the old ones so that no one can come along and say, you know, you actually sent this. Anyway, what is now called the Signal protocol, I'm just all, like, revved up because…
LEO: That's awesome, yeah.
STEVE: …I've spent the last few days digging into it. And they nailed it. I mean, it is just - it is amazing what they've accomplished. So that's the main topic, after we deal with an incredible amount of news of the week.
LEO: All right. Well, we'll get to all of that. And by the way, thank you for joining us on Sunday on TWiT to talk about Burr-Feinstein.
STEVE: Oh, oh, and I keep meaning to say I was so impressed with your explanation at the end of The Tech Guy show on Sunday. I was watching it because of course that was leading into TWiT.
LEO: As your lead-in, yeah.
STEVE: You gave the best, most perfect and correct answer about third-party cookies I've ever heard.
LEO: Oh, good.
STEVE: I mean…
LEO: Well, I learned it all from you, Steve, so…
STEVE: Well, I was holding my breath to think, come on, Leo, yeah, yeah, yeah. I mean, it was better than I could do because it cut out all of the extra stuff, and it was just - it was right for the audience. It was exactly correct in every detail. I was very proud.
LEO: Oh, thank you. Well, I'm very honored because that's, coming from you, extremely, extraordinarily high praise. And I try, I do actually think about you listening when I talk about this stuff and say, what would Steve say? What would Steve say? Yeah, somebody asked what about cookie deletion. And, you know, we talked about what cookies are, why they're not all bad, and what the real information leak risk is.
STEVE: Oh, it was just perfect.
LEO: Yeah, yeah. It's a real privilege to get to do that radio show. Sometimes I think, oh, I want to stop doing it because it's - my weekend's shot. But it's such a privilege to get to talk to normal people and kind of be a conduit from people like you, all of our brilliant experts on the TWiT network, to kind of say to a million - it's a million people every weekend, a million people who are normal, relatively, people, not geeks.
STEVE: More normal, yes.
LEO: More normal.
STEVE: More normal. They are listening to that show, but still…
LEO: Well, they're a little geeky, anyway. But they're also, I figure, like the people who are going to then be asked by their friends and family, well, what does this mean? And so it's kind of a chance for us to kind of set the agenda, to talk about what things are and aren't, and to do so in a non-sensational way, in a way that - and I am lucky because I have the time to, I mean, I probably spent 10 minutes talking about cookies.
STEVE: Oh, and, well, it was the tracking. You got the tracking exactly right.
LEO: Oh, good.
STEVE: Which, you know, that's important.
LEO: Thank you, Steve. All right. I appreciate it. Okay, Steverino.
STEVE: So I did want to pay homage to the 555 timer because this is Episode 555.
STEVE: I mentioned it briefly last week, and a number of people sent me some links to a blog. A guy named Ken Shirriff reverse-engineers classic ICs, classic Integrated Circuits. By that I mean he pops the top off of the lid and then looks at the photomicrograph and works out what the schematic was of the chip. And he's done that both for the later CMOS version of the 555, and for their previous, known as the bipolar transistor version. For anyone who's interested, I put the link at the bottom of the first page of the show notes. I really would recommend anyone who sort of has an interest in engineering, yeah, there's the page you're showing for the bipolar, the earlier version of the 555 timer.
And what was unique about it was that its operation, that is, the functionality it provided at the time, was very simple and very easy to understand. And it turned out you could use it as a building block for all kinds of, like, things that you wouldn't have thought of, not just for, like, creating a waveform at a certain frequency. But, I mean, you could hook it up to popsicles that you put in your mouth to measure the alkalinity of your saliva. I mean, just like bizarre things that were possible. And people just kept coming up with new ideas such that there were books, entire books written about things you could do with this one little chip. It was a little modest eight-pin DIP. It had power and ground and output, and then some little I/O lines that, again, were very simple in what it did.
But it was just this perfect little building block. And I used it like crazy. Lots of people even today are still using them. It still exists because it's just such a perfect little thing to drop in the right place. So for anyone who's interested in a little bit of electricity and electronics, this Ken guy, he's also reverse-engineered, I think it was the 741 that was THE op-amp of the day, and a few other circuits. And he does a beautiful walkthrough of the design decisions and how the part works and so forth. So anyway, I did want to note it on this 555th episode of Security Now!.
LEO: And you've mentioned this before; right? This was the question about timing; right? About how important timing was?
LEO: Or have you not mentioned this before? It feels like you have.
STEVE: I don't know if I've mentioned this. We have talked about timing in other contexts.
LEO: Right, and why that was a significant computer technology.
STEVE: Ah. Right. Good memory, Leo. We were talking about, in fact, that was a Q&A after we were talking about architectures, was why do all computers have a clock? That is, what is it about a clock? And the answer is it's about synchronization, the idea of things being done stepwise, like step by step, instruction by instruction, fetch and store. Everything is about what happens when. And so you need a clock in order to have a when.
LEO: I feel like we were also talking about this yesterday. We had James Gosling on.
STEVE: Someone, actually a friend of the podcast, Simon Zerafa, said that James was talking about PDP-8s.
LEO: Oh, that was it. That was his, like you, his first computer.
LEO: He cut his teeth on PDP-8s, and he was talking about the instruction set. I brought your name up. I mentioned that your goal was to retire and write an operating system for the PDP-8. We were talking about flipping the switches. You've got to watch it. I think you'd really appreciate it.
STEVE: I definitely will.
LEO: And I mentioned the kit.
STEVE: So I imagine it's on Monday's Triangulation.
LEO: Yeah, it was yesterday. And I mentioned the kit, you know, the - now, yours, are yours powered by Raspberry Pis?
STEVE: Those are not. Those were actually - those three are from the 6100 chip, which was manufactured by Intersil. And it was a PDP-8 on a chip. So this minicomputer refused to die and was so popular that it ended up getting itself integrated on a single chip, the 6100. And Bob, whose last name is escaping me right now, who found a cache of these Intersil PDP-8s…
LEO: Right, that's right, yeah, yeah.
STEVE: He said, “I'm going to give them some lights and switches.” And so that's that. But the one you got…
LEO: The kit.
STEVE: And the kit that I have, just a few months ago, that I haven't even opened, I got another three of them because I thought, you know, if one is good…
LEO: Why not, yeah.
STEVE: But anyway, I haven't even opened the box, I'm ashamed to say, because I just, you know, I've got way too much going on. But I will get to it someday. And that one is powered, that one is basically just an I/O panel for a Raspberry Pi. So it's switches and lights that the Raspberry Pi reads and writes dynamically. And then running in software on the Raspberry Pi is a PDP-8 emulator, which exists in open source. There's something called the SIMH, S-I-M-H, project which has captured all of the classic machines in software emulation, for anyone who wants to play, and often still has the OS software and everything else to go along with them.
LEO: He was talking about loading the bootloader by flipping the switches in the front and how the really good guys could go, from memory, [vocalization], and they'd be ready to go.
STEVE: Yup, because you're doing it all the time.
LEO: Yeah, yeah, you're doing it all the time.
STEVE: In fact, the first thing you would check when the machine crashed or died was, did the bootloader survive? Because it was up at the very top of memory. And oftentimes it would just stay there, so that you'd be doing other things, and it'd be time to, like, load another paper tape. And it's like, okay. Is the bootloader still there? Or do I have to put it in again?
LEO: You would enjoy this. Of course Gosling the inventor of Java.
LEO: It was a great conversation.
STEVE: And I want to make sure people understand that Java itself is not, like, the Java…
LEO: Right, it's not the problem.
STEVE: …is not the problem.
STEVE: It was that it got stuck onto the web, like it got stuck into browsers as, oh, wouldn't this be neat. And it's like, no. This is not, I mean, it's the same problem with Flash. Flash, if it was just not used on the web, it would be fine. It would be a way of animating stuff and doing simple little scripted apps and stuff. But when you put something that powerful in a browser so that people you don't know can put their code in it, and it runs on your machine, what could possibly go wrong? So, yeah. Java, I mean, I've got Java pretty much installed everywhere, but no browser plugins because it is a very nice cross-platform solution. And it's huge in corporations. Even, I mean, today it's not going away. It's a great, it's a powerful state-of-the-art language.
So the big reveal. We've been waiting for two weeks because this was announced two weeks ago as going to happen on April 12th. And of course it occurred to me, wait a minute, that's Tuesday. And Microsoft's involved, so that's probably tied into Patch Tuesday. And at 10:00 o'clock Pacific time, a little after 10:00, and I set up my web page change bot to watch for changes at 8:30 this morning because it was expected at 9:00 o'clock Pacific time, I think it was 17:00 UTC, and it was an hour later. And so I jumped on it the moment they updated the Badlock dot - I don't remember whether it was com or org. Anyway, that page. And it's like, yawn. As we hoped for the industry's sake, it was not a big deal.
They say there is a possible remote DoS on a publicly exposed SMB server. And as I have commented for the last two weeks, who has a publicly exposed SMB server? Now, we do know that a search through the Internet did find some wacky media server that there were several hundred of in the U.S., but a bazillion of over in Russia. So maybe that's a problem for them. But even users of corporate resources who are operating remotely are all doing so through their corporate VPN these days. And so that protects that completely.
There's also a potential man-in-the-middle vulnerability, meaning that somebody who could intercept an SMB connection - and they talk about ARP spoofing kind of interception, meaning you'd have to be in the network anyway, that not all of SMB protocol is equally well encrypted. And so there are some things to patch.
Now, Microsoft was yawning, too. Simon again found the Knowledge Base article from Microsoft corresponding to this problem. It almost looks like Pi - 314, it starts out, but then it kind of goes off of Pi to 8527, 3148527. And so Microsoft says: “This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle attack. An attacker could then force a downgrade of the authentication level of the SAM and LSAD channels and impersonate an authenticated user. This security update” - wait for it - “is rated important for all supported editions.”
LEO: Kind of important.
STEVE: Important. So, you know, maybe tomorrow.
LEO: Not really. Just a little bit, yeah.
LEO: Sort of important.
STEVE: So unfortunately these guys, they even acknowledged the Heartbleed folks and credited them with the style of prerelease hype that they adopted and tried to create a great logo because everyone thought, oh, Heartbleed had a great logo. So anyway, unfortunately, a great logo doesn't always mean a bad vulnerability. And in this case it's like, eh. Microsoft says, yeah, it's kind of important, you know. It's like, maybe. So anyway, Badlock, yeah, fix it. Patch when you want to. But it's difficult to imagine a scenario where any admin would be running around with their hair on fire after learning about it this morning. They couldn't have SMB exposed publicly. No one really can. And internally, well, you're trusting the people on your Intranet to - they're typically your employees, presumably. But certainly there are some scenarios where you could have an adversary in the connection.
So this is good to fix. I'm not saying it's nothing. But it's nothing like the last few major, you know, like Bash is bad in every version of Linux ever made because it turns out we're using that behind the scenes, and we didn't know it, or anything like Heartbleed. So, yeah, this is not on the same scale.
However, what is upsetting is, although it isn't law, and we need to remember that, is Burr-Feinstein.
LEO: It's not even - it's really just a discussion draft. And apparently another one has surfaced. According to Mother Jones, there's another discussion draft.
STEVE: And do we know how it compares? I haven't heard that.
LEO: I have it here. I'll have to look. But go ahead. Why don't you talk about - and I will see if I can…
STEVE: Yeah. So what the Burr-Feinstein legislation says is, unfortunately, exactly what I was predicting. And that is that, on demand, anyone who is encrypting something must provide it in plaintext, must have a means to provide it in plaintext. They're not legislating the means. They're not requiring a backdoor. They're not weakening encryption. And that's the most important point I want to get through this discussion is this isn't, per se, weakening encryption. But by being able to compel decryption, it certainly does weaken privacy.
So we need to, I think, just from a technical standpoint for this podcast's sake, and its listeners, I want to draw a distinction between this notion of encryption technology and encryption policy. So what this is addressing is encryption policy. And it's saying that anyone who is encrypting - and that's the breathtaking part of this, too. We discussed this on Sunday's TWiT. I meant to have the PDF up so I could quote from it again as I did on Sunday. Yeah, here it is, I found it. Because in the discussion draft, as it's called, they talk about the “covered entity.” The covered entity is someone, for example, in the position of Apple, who is providing a smartphone technology and device and communications infrastructure which provides encryption.
So this is just breathtaking in its sweep. They define it formally as the term “covered entity” means a device manufacturer, a software manufacturer, an electronic communications service, a remote computing service, a provider of wire or electronic communications service, a provider of a remote computing service, or any person who provides a product or method to facilitate a communication or the processing or storage of data. So that last phrase, “any person who provides a product or method.” I mean, that's the world. I mean, that's everybody.
And then the other part that we highlighted on Sunday, which is sort of stomach-churning, is they describe this as, like the main line, the first line, “to require the provision of data in an intelligible format to a government pursuant to a court order and for other purposes.” So this is under court order, a government. And I was like, what do they mean, “a government”? Like this is a U.S. law, so it's only going to pertain to U.S. entities.
LEO: But it could be a county or city government.
STEVE: That's exactly right. They define - and this is just horrifying. They define, for the purpose of this document, the term “government” means - and I'm reading from the draft - “the government of the United States and the government of the District of Columbia or any commonwealth, territory, or position” - oh, I'm sorry - “or possession of the United States or an Indian tribe or of any state or political subdivision thereof.” Meaning Andy in Mayberry can say, hey, we want you to decrypt this phone. I mean, the mayor, who's a subdivision of the county, that's a subdivision of the state, can say, oh, yeah, we want you to decrypt this for us. So anyway, that's where we are today. Again, not law, just discussion.
The last thing I heard, Leo, was that something had been sent back to the executive branch for further examination. What we heard a couple weeks ago was that the President was not going to weigh in on this either way, although of course we did hear that disturbing rhetoric from SXSW, where he talked about us fetishizing - I can't say it.
STEVE: Thank you.
LEO: When you say it that way, it really sounds terrible.
STEVE: Wow, yeah.
LEO: Do not fetishize your phone.
STEVE: Yes. And in fact what he's saying is we're fetishizing - okay, I can't say it. We fetishize…
LEO: We're doing that thing to the phone again.
STEVE: Our encryption is what we're fetishizing.
LEO: Yeah, fetishizing. We're fetishizing privacy, frankly. I mean, that's the logical conclusion.
STEVE: Well, and that - yes, yes. And so that's the thing I - if our audience gets anything, it's just I just want to draw the distinction. This is compelling a breach of privacy. Now, the ivory tower academics go crazy, saying there's no way to do that without weakening security. Well, tautologically that's true. But in fact, as the WhatsApp system is going to demonstrate later in this podcast, which is just - it is a master work of crypto technology. It is absolutely possible, if people want to design a system that securely provides that facility, for it to be done. People are saying no, no, no, it can't be done. Sorry, it can be done.
But the problem is we get - that's a distraction. I think we want to stay focused on the policy question, at what level and to what degree are we as a society, in the U.S. at least, going to decide where this lands? To what degree do we want a government order to allow our privacy to be breached, to be opened, to be decrypted, however you want to put it. That's where we should focus our attention because the technology can be done, if people want it to be done. And so it will be interesting to see how this goes. We don't know what Obama is going to say.
LEO: And they haven't even proposed it as a bill.
STEVE: Right, right, right, right. And now of course we've got a wacky election for the President. I don't know where this even falls along partisan lines. To me it doesn't feel like a partisan issue, Republicans versus Democrats. It feels way bigger than party and any kind of ideology. This is, I mean, it should be bigger. Were you able to find anything new?
LEO: No, this Mother Jones article is just - it's not even showing the text, just saying - it's just kind of pointing out that the staff - it says: “Senators Dianne Feinstein and Richard Burr apparently have very unreliable staff, as yet another discussion draft of the national security bill they're jointly sponsoring has been leaked to the press. They really need to tighten up their operation.” But they don't - it doesn't - it looks, I mean, it's just another draft of the same thing, I guess.
STEVE: Yeah. And so what we see is the intent. What this shows is the intent, which is - and that's - we've seen it in the rhetoric over on the law enforcement side, where they march out terrorism and child pornography and all of that, and say how can it be that Apple is encouraging terrorists to use their encryption technology? It's like, oh, lord. Okay. Unfortunately for their argument, so are all of the law-abiding citizens who would like the benefit of this technology for our privacy. So anyway, I do have an acronym, or an abbreviation, to go with this. Of course TNO has now been - is legend for Trust No One. It occurred to me that the proper abbreviation for this, the whole discussion that sums it up is DOD, Decryption On Demand.
LEO: Ah, I like it.
STEVE: Because that's what we're talking about, the idea that, yes, the Internet is going dark. And you guys had a great discussion after I left the conversation on Sunday's TWiT about the metadata because it is the case that law enforcement is drowning in surveillance technology. I mean, there's more surveillance capability today than there has ever been. I don't know about where you guys live, but any street corner here in Southern California has four cameras mounted on every streetlight pointing in all directions. And, I mean, and lots of networking going on, and all kinds of surveillance.
So anyway, DOD, Decryption On Demand, that's really what this comes down to is at what level does a need need to rise to in order to force a company to decrypt, if there is any. Maybe we decide collectively there is no level, that privacy should be absolute. Again, I'm going from the Constitution, which does not guarantee absolute privacy. It just guarantees reasonable privacy against search and seizure and does use the court system to provide search warrants that allow law enforcement to breach someone's privacy. It seems to be that, again, that's - I'm not an attorney or a constitutional scholar. But I'll be surprised if we don't end up with something like that. And the good news is people are going to go kicking and screaming. But I think we don't have to have a larger loss of security and encryption and privacy than what the law decides we're going to end up with.
But this is the U.S. Hungary's government has gone crazy. MappingMediaFreedom.org had an article - which is a good thing because I can't read Hungarian - and they linked to it. And I thought, well, maybe it's English because sometimes you get lucky. It's like, no. I don't even know what Google Translate would do with this. Anyway, the article in Mapping Media Freedom, the headline was “Hungary: Government plans to criminalize the use of encrypted services.”
So in their translation of the Hungarian news, they wrote: “The Hungarian government plans to criminalize the use of applications for encrypted communication. The measure is part of a new anti-terrorism legislation package put forward by the Interior Ministry and was first presented on the 31st of March by Janos Lazar, the Minister heading the Prime Minister's Office. If the package is implemented in its present form” - again, pending legislation, so this isn't law yet, but, again, shows intent - “anyone caught using encrypted software can be punished by two years in prison. The providers would be obliged to ensure access to the content of the encrypted messages, and they would have to provide the identification data of the users as well as the IP address used for registration. Failure to comply qualifies as a misdemeanor and is also punishable with a two-year prison sentence. The anti-terrorism package also contains provisions regarding an increase of surveillance in public spaces and enables the Interior Ministry to prohibit mass events.” Wow.
LEO: Yeah, you always get these reactions when there's, you know, because of the refugee crisis in Hungary. You always get these kinds of overreactions.
STEVE: Yeah. Yeah.
LEO: It's not a law at this point.
STEVE: Yeah, right. But it does, it says, okay, we're just going to outlaw encryption.
LEO: Yeah, crazy.
STEVE: Can't use it in this country.
LEO: Crazy. I could see that happening here.
STEVE: Yeah. So there's been additional news coming directly from the mouth of my favorite person.
STEVE: FBI Director James Comey.
LEO: Oh, James Comey.
STEVE: And longtime listeners will remember that I had us play his blatant lie to Congress into the podcast a few months before Snowden revealed it to be exactly that. When he was directly asked by a senator on the Intelligence Committee, who had sent the list of questions that he would be asked days before, and his staff had vetted them, and he was fully prepared. And he was scratching his head and says, “No, Senator, we are not performing any mass data collection on U.S. citizens, not wittingly.” Ugh. Anyway, yes. He said last Wednesday…
LEO: It was Clapper, not Comey, I think.
STEVE: Oh, wait. You're right.
LEO: We've got enough nitwits in the intelligence community…
STEVE: Sorry, sorry, sorry. Clapper, James Clapper.
LEO: …that it's easy to confuse General Clapper.
STEVE: Oh, yes. Thank you, Leo.
LEO: Clapper, Comey…
STEVE: Everything I just said is not this guy.
LEO: No, Comey's said equally stupid things. But he…
STEVE: Yeah, he's on the same team.
LEO: Yeah, he's on the same team, yeah.
STEVE: So he said that the government had purchased, quote, “a tool” from a private party in order to unlock the iPhone used by, of course, as we know, one of the San Bernardino shooters. Quoting Comey, he said: “The people we bought this from, I know a fair amount about them, and I have a high degree of confidence that they are very good at protecting it, and their motivations align with ours.”
LEO: I hope they're better than the FBI is.
STEVE: Well, yeah. And it seems to me their motivations are commercial.
LEO: Yeah. They're not aligned at all.
STEVE: Exactly. And the FBI's are law enforcement.
STEVE: And they sold this tool, for commercial benefit, to the FBI. And if anybody else wants a copy, here's the price. It probably has six digits. But there's nothing aligned about it.
LEO: Good point.
STEVE: So Comey also said that the purchased tool could only be used on, quote, “a narrow slice of phones” that does not include the newest Apple models or the 5s. So not the 5s or the 6. Comey said the government was currently considering whether to tell Apple how it pulled off the hack. He said, quote: “We tell Apple, then they're going to fix it. Then we're back where we started from. We may end up there. We just haven't decided yet.” Well, isn't it nice to have all the cards in your hand. Anyway, so while that doesn't exactly confirm how the hack worked, some of the reporting wrote that the distinction being drawn here may suggest that it's specifically the lack of the Secure Enclave on the iPhone 5c's…
LEO: That makes sense.
STEVE: …A6, yes, the A6 system on a chip that renders the phone vulnerable. And then of course we got the Secure Enclave with the A7 SoC appearing in the 5s and subsequent phones, which does make sense. I did see just this morning and didn't have a chance, it was on the right-hand column of the Hacker News, that a company was claiming they were closing in on a hack for the 6. But closing in is way different than having it. So you either, you know, you don't have it until you do. So it's not clear what “closing in” means, except for their marketing.
LEO: What? That's not good.
STEVE: Now, of the top 10 most popular extensions, number one is Adblock Plus. And they could find no problem there. But Video Download Helper they found 13 different problems; Firebug, one; NoScript, seven; DownThemAll!, 19; Greasemonkey, 20; Web of Trust with the maximum at 34. Flash Video Downloader had five; FlashGot Mass Downloader had eight; and Download YouTube Videos had two. So those are the top 10; nine of those had one or more, in some cases 34, different problems. The Mozilla people responded, and they said [clearing throat], “Yeah, we're…”
LEO: Yeah. Yeah.
STEVE: “This is a problem.”
LEO: Yeah, we know about it, yeah.
STEVE: And as we talked about a couple weeks ago, Firefox wasn't attacked during the most recent competition of…
LEO: Pwn2Own, yeah.
STEVE: Yeah, exactly, Pwn2Own, because it's like no - it's regarded as a soft target. Now, for this to be exploited, you would - and what they did, they have some proof of concept. You need to get a malicious extension into the browser. Mozilla has both automated and human extension verification, extension auditing. So they have an automated process that looks for API usage. And then somebody reads through it. Well, we know that both are prone to failure. We've discussed the failure modes of both of those problems at various times in the last couple years.
LEO: And you probably remember this about seven years ago, that the NoScript guy used this to modify Adblock Plus to whitelist NoScript in Adblock Plus.
LEO: Do you remember that? I don't know if you remember that. There's a whole apology on his blog. “I'm sorry. I shouldn't have done this. I will regret it forever.” This was seven years ago.
STEVE: Yeah, Giorgio.
LEO: Yeah. And which may explain why Adblock Plus is on the list as having no exploitability. I have a feeling they hardened themselves against this; right?
STEVE: Exactly. They put themselves - they wrapped themselves up so nobody could have access to their stuff from the outside. I bet you're right, Leo. I bet that's why they are the one exception is they, like, okay, no.
LEO: Yeah, closures are from LISP. That's a LISP technique, a widely used LISP technique, yeah.
STEVE: So anyway, I don't think this is, I mean, I'm not leaving Firefox. I'm looking for - I hope there are the resources available to rearchitect it. As we said a couple weeks ago when we were talking about Pwn2Own, they really do need - it's time to say, okay, time to restart. It's because Microsoft, yeah, Microsoft bit the bullet and abandoned their IE codebase and started over, like from scratch. I mean, imagine if you could do that now, knowing today what we know, versus still having IE6 code lingering in IE11, and it causing problems. It would be current standards. It would do everything right. You would have a team trained up on security. I mean, anyone writing a browser today, security is number one. I mean, I would put that behind standards compliance. Make it secure first; and then, yes, we have standards now. So implement as much of that as you can. But, boy, it's got to be secure.
And as we've learned in that Pwn2Own competition, Edge, the new browser from Microsoft, it won. It had the fewest problems. And specifically because Microsoft did bite the bullet and just say, okay, we may have been second, because the Mozilla browser was first, and then IE was second, I think. No, there were some text browsers, too, before that, too. But still, in terms of browsers that are still around, it was just time to say goodbye.
Coincidentally, yesterday, we did get an update to Firefox, 45.0.2, up from 0.1, although it didn't do anything about this, and it wasn't a huge change. It was just an incremental update.
LEO: Some might say this is the brain damage that came from C and has been propagated through these kinds of procedural languages ever since.
STEVE: Yeah. And I also think it's just there wasn't the focus that there originally…
LEO: But namespaces, no, you know, computer science has understood the necessity of separating namespaces for a long time. It's pretty fundamental. You don't want to clobber somebody else's variable because you use the same name.
STEVE: Need to go to steve.grc.com.
LEO: Wow, you're getting fancy with the subdomains here.
LEO: Have you ever used a subdomain before? That's a new one on me. Oh, you've got a blog.
STEVE: Well, okay. So, and it's a WordPress blog.
LEO: HTTPS, baby.
STEVE: Yes, baby.
LEO: That's nice. With Let's Encrypt; right?
STEVE: Yes, and you can look at the security certificate, and you will see that it is a Let's Encrypt certificate.
LEO: All right. Let me look at the details here. Valid certificate, server certificate. Let me view it. I like it because they give it a nice little gold stamp, very beautiful, from tls.automattic.com. Of course that's the parent company. Let's Encrypt Authority X3. Nice, Steverino.
STEVE: Yeah. So with this move they began a couple months ago, actually in January. And as of yesterday, or I'm sorry, no, as of the 8th, 4/8, April 8th, they announced that it was everywhere on the mass number of domains. All the people with custom domains, anything hosted by WordPress.com now has HTTPS. So all of the logon tokens, the session cookies, all of the - well, the works. And so it's just a major nice big step in terms of total domain coverage for Let's Encrypt is all of the WordPress blogs.
LEO: Huge, huge. Fantastic.