SERIES: Security Now!
DATE: November 27, 2018
HOSTS: Steve Gibson & Leo Laporte
DESCRIPTION: Hackers and attackers apparently enjoyed their Thanksgiving, since this week we have very little news to report. But what we do have to discuss should be entertaining and engaging: Yesterday the U.S. Supreme Court heard Apple's argument about why a class action lawsuit against their monopoly App Store should not be allowed to proceed; Google and Mozilla are looking to remove support for FTP from their browsers; and from our “What could possibly go wrong?” department we have browsers asking for explicit permission to leave their sandboxes. We also have some interesting post-Troy Hunt “Are Passwords Immortal?” listener feedback from last week's topic. Then we will discuss the next step in the evolution of RowHammer attacks, which do, as Bruce Schneier once opined, only get better - or in this case worse.
SHOW TEASE: Hey, it's time for Security Now!. Kind of a slow week in security. I guess the hackers took Thanksgiving off. But Steve does have a “What could possibly go wrong?” segment, a picture of something that really did go quite wrong, and a look at the next-generation Rowhammer. They're calling it “ECCploit.” Stay tuned. Security Now! is next.
LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 691, recorded Tuesday, November 27th, 2018: ECCploit.
It's time for Security Now!, the show where we cover your security and privacy online with our friend, it's kind of like your neighbor, Steve Gibson, if your neighbor were like the king of computing. Hello, Steve.
STEVE GIBSON: Hey, Leo. It's great to be with you again for this post-Thanksgiving episode of Security Now!. In gathering together all of the news of the week, I came up kind of short. Luckily we had a bunch…
LEO: Oh, good. I don't mind.
STEVE: Yeah, I think the hackers and the attackers all…
LEO: They took the week off.
STEVE: They enjoyed their long Thanksgiving week. Of course that's not, I guess, globally celebrated. But anyway, it was slow. We do have some interesting things to talk about. I wanted to give my own take, I saw that you guys led off MacBreak Weekly with it, to talk about what was initially my concern over Apple's presentation yesterday in front of the Supreme Court because we know how important it is to have a curated App Store. And I was like, oh, goodness.
LEO: That's a good point. There's a security angle on this.
STEVE: Oh, it's like all - it's all there is. And we also have Google and Mozilla looking to remove support for, believe it or not, I mean, you will believe it because who uses it anymore, FTP from web browsers.
LEO: Oh, I guess, yeah.
STEVE: It's not gone yet, but it's always been there.
LEO: It's still in there? What a surprise.
STEVE: Yeah, I know. Like whoever uses that? Which is not to say there's anything wrong with FTP. Calm down, you old-timers. It has its purposes.
LEO: I still use it all the time, yeah. I use SFTP.
STEVE: Well, and there are, yes, there are the alternatives people want. Then we have, from our “What could possibly go wrong?” department, browsers considering looking for permission to leave their sandboxes. And it's like, oh, really? We have some interesting post-Troy Hunt “Are Passwords Immortal?” listener feedback from last week's topic. And then we're going to take a close look at the next step in the evolution of Rowhammer attacks.
LEO: Oh, boy.
STEVE: Which do, as Bruce Schneier once opined, only get better. Or maybe worse. Anyway…
LEO: More successful.
STEVE: Yes. As a consequence, and this comes from our friends Herbert Bos and his team, although a different team, at VU [Vrije Universiteit] in Amsterdam. Anyway, they named it ECCploit. And when I was kind of looking at that, I realized, okay, how would you pronounce that? Well, ECC is “eck,” so it's “exploit.”
LEO: Oh, “exploit.” Oh, clever.
STEVE: Oh, and Leo, we have a Picture of the Week that, again, the old-timers here, they'll be like, “Oh, I recognize that. That looks like what I have.” Anyway, a lot of fun I think this week for our listeners, and a bunch of good stuff.
LEO: Awesome. I guess do you want to do the Picture of the Week?
STEVE: I've been staring at it. And I was imagining you accept a job, a new job as the IT guy at some company, and your boss says, oh, and we have an intermittent connection somewhere.
LEO: Can you find it? This is somebody's wire closet. But you know what? I've been in that closet.
STEVE: Oh, I think we all have. I don't know what it is about these closets that evolve this way. Almost without exception they start off neat and planned. In fact, you can see on the back wall it looks like there are some nice loops of a black something, like they're all tacked down. There was like, somebody had this dream of we're just going to have the nicest wire farm. And oh, my goodness. I think my favorite one is this tan one that's coming across the walk path. I mean, it's one thing for them just to be kind of going down on the sides. But, yeah, you have to duck under this one that's going kind of diagonally from left to right.
LEO: Oh, lord. This is not as bad - we weren't as bad. But it is a little bit what it looked like at the Brick House because we rushed over there, and we added stuff. But when we moved here - and really kudos to Alex Gumpel, Burke McQuinn, and John Slanina, our engineering team; and Russell, too. When we moved here, we already kind of knew all the connections, all the boxes. We already had everything. And they took the time. And I'm proud to say our server room does not look like this.
STEVE: Ooh, god. I just noticed. Look at the top in the middle where there's other wires that are looping over and pulling down.
LEO: Oh, no, no. That's ridiculous.
STEVE: So they had to cross over, but they didn't want to block the walk path.
LEO: Oh, geez, Louise. Oh, man.
STEVE: So they hung them over the other wires.
LEO: Oh, man.
STEVE: It's, like, pulling them down. It's like, oh, yikes. Yeah, I think, you know, remember the old saying, no battle plan survives first contact with the enemy. And there's an analogy there. It's like you initially know where everything should go, and you lay things out, and then something comes along, and you've got to change things, and you don't have time. So it's like, okay, well, I'll just do this. Just a kind of hack here, real quick. We'll just run these wires over here, and then I'll get back to this when I have the time. And then something else happens before you are able to fix that last one, and it piles up. And the result is this.
LEO: This is our old wire closet before we moved. And, well, it's not that bad. Although if you go around behind it, it is pretty…
STEVE: That was the basement below?
LEO: Yeah, this is the basement in the Brick House.
STEVE: Yeah, it was, well, and you guys really, you had an advantage of an entire floor that was essentially your wiring closet.
I mean, you were able to drill down wherever you were, and you'd be down in a completely available space to then run cables to somewhere else.
LEO: Do you have a picture anywhere of - by the way, there's the engineer, Scotty, who is the patron saint of our closet. Do we have a picture anywhere of our current setup?
STAFF: I can go take one.
LEO: Go take one and send it to me because I want - I'm very proud - John just came in. I'm very proud of what our team did because they made it look beautiful.
STEVE: And it is a challenge.
LEO: And you know it's important because if you have, exactly as you said when you began, if somebody says, hey, there's some intermittent problem, you don't want to be the one that has to go in there.
STEVE: It's like, I can't even see the lights. What are you talking about? They're just, like, totally obscured. So, okay. So while we're waiting for the photo of…
LEO: Much improved.
STEVE: …the pride of your current wiring closet, I wanted to bring up a topic that you guys mentioned on MacBreak Weekly at the top of that podcast, which I took from a Security Now! angle.
LEO: Yeah. And that actually - I'm thrilled you did because we were discussing the Supreme Court hearing yesterday over the - really it was more about the standing of the plaintiffs in a class action lawsuit against Apple, claiming that the App Store was a monopoly.
And that people should be able to buy apps from other sources on iPhones.
STEVE: Exactly. And that's of course what set me off because we know how unable to make those kinds of decisions end users are. They're just not - they shouldn't have to be, and they're not, equipped to protect themselves. So at issue is whether Apple's App Store, through which as we know it alone can offer and sell applications for its mobile devices, constitutes a monopoly and gives it monopoly power over all sales of iOS platform apps. And as you mentioned before correctly, the lawsuit, which is known as Apple Inc. v. Robert Pepper et al., it's a class action. And I feel as we all do, and as you said on the podcast, these things are generally just for ambulance-chasing attorneys to line their pockets, and the people who are members of the class typically receive pennies.
So this suit has been around for almost a decade, and it argues that Apple's 30% cut, which they take of all App Store sales revenue, is excessive and anti-competitive and amounts to price gouging since consumers have no alternative other than to purchase apps for their devices at Apple's “inflated” prices. On the other hand, come on, like, really? But this issue is, as I said, of interest to us on this podcast because we've often noted that consumers can act unwisely and may be poorly informed about the true dangers of obtaining applications which have not been rigorously scrutinized, vetted, and curated - which is, I think, a vital service that Apple performs, and not easy. I mean, we've often talked about how difficult it is. And yes, they make mistakes.
But largely, for example, it is that and some of the other lockdown, one could argue, monopolistic things that Apple does are what makes the iOS a more secure platform today than Android. And we know that Google has been making efforts to sort of catch up in that regard. So as is often done in the law, and as you mentioned, Leo, Apple is not defending itself against that allegation. But their attorneys said, oh, here's how we'll spin this. What they've been arguing is whether the consumers who are bringing this complaint have grounds for that complaint in the first place. And this is known as “standing.” Apple is arguing with the plaintiffs, essentially, of these litigants, whether or not they have standing to sue Apple over any of this. So, I mean, aside from even looking at the issue.
Apple's taken the position that only its developers who are being charged a 30% sales “commission,” as Apple frames it, on the retail sales of their apps, would be damaged if Apple's conduct was found to be unlawful, and that it would be up to them to complain, that is, “them” the developers, not the end consumer. The precedent which the Supreme Court is revisiting was - and that's the reason it's gone to the Supreme Court after Apple has already won in the appellate court. I mean, so the U.S. Department of Justice has already come down on Apple's side. So it's like, okay, we're taking this to the Supreme Court.
So the precedent was set back in 1977 in a case known as Illinois Brick Co. v. Illinois, which was a dispute in which the court ruled in favor of concrete brick manufacturers. The state of Illinois had sued the brickmakers for allegedly inflating their prices, causing an increase in the cost of public building projects, which of course the State of Illinois was upset about. The court ruled then that, even though the increased brick costs might hurt Illinois indirectly, only the contractors who actually bought the bricks had standing to sue. And so that established what has become known as the Illinois Brick Doctrine, which gets hauled out every time an issue like this comes up. And that says that only the direct purchaser of a good can collect damages from a monopoly holder.
So as I said, the U.S. Department of Justice has already ruled that the Illinois Brick case was controlling here, whereas they're arguing that the Court of Appeals misapplied the Illinois Brick Doctrine, which of course is what they want the Supreme Court to agree to. So Apple argued yesterday that it is not directly selling apps to iPhone users, rather that they're acting as an agent for app developers who ultimately are selling their wares to consumers. And so they're saying, in exchange for the commission Apple takes on app sales, the company provides access to its vast user base and performs other services such as malware detection and so forth.
So anyway, we know where we are on this. One way or the other, it would be a disaster if, I mean, we're a long way away from this happening. But it would be a disaster if the government ever forced iOS apps to be available from anywhere that a user wanted them. The presumption is, oh great, we'll save 30%. First of all, no. It's not, you know, you're not going to get something useful for less than $0.99 or free with in-app purchases. That's just not going to happen. But mostly we lose the ability for Apple to control this very attack-prone surface that our mobile platforms represent and just stop being able to protect consumers from themselves because we just know people would just be downloading stuff from everywhere, and it would be a disaster. So, yikes. And, you know, that's pretty much what you guys said on MacBreak. I thought it was interesting though, that bricks came into it.
LEO: Yeah, I mean, the disaster you're describing is what happens on PCs today. You can download an app anywhere, from anywhere, on a PC. Microsoft has tried with Windows S, Windows 10 S, to make a version of Windows that is only available to the App Store. And the first thing anybody does who gets a PC with Windows 10 S on it is disable that so they can download Chrome and other things. I mean, when you get Chrome, you're not getting it from the Microsoft App Store, you're getting it from Google.
And I think the right to do that is great. But maybe a mobile platform is a little bit different and should have a restricted App Store. I honestly think, if that's what you want, you should get an Android phone that's more appropriate.
STEVE: Right, right, right.
LEO: But it's an interesting case. I mean, a class action case is not going to change anything.
Even if they win. Oh, let me show you our wire closet.
STEVE: Oh, yeah, yeah, yeah.
LEO: This is the current - so let me just - just so you remember the wire closet…
STEVE: Oh, come on, really?
LEO: Yeah, from earlier, this is the Picture of the Week. This is our - it's called a Video Hub, which has all the cameras are going into one side and then all of the outputs are going to another side. The whole server room looks like this.
STEVE: That's a thing of beauty.
LEO: Isn't it nice?
STEVE: That really is.
LEO: They're not even showing the best stuff, and there's some beautiful cable bundles and things going through conduit, those cable trays up above, everything is done beautifully.
STEVE: Very nice.
LEO: And it's important to do it that way. We even custom cut these RCA cables to be custom lengths so you wouldn't have a lot of extra stuff.
STEVE: Yup. Very nice.
LEO: They did a beautiful job. I just want to make sure they get - Alex Gumpel and Russell and Burke McQuinn get credit because they just did a fabulous job.
STEVE: Sure, sure.
LEO: Yeah. It's clean; right?
STAFF: They're not RCA.
LEO: They're not, I'm sorry, did I say RCA? They are not RCA cables. They are, what are those things called? BNC, thank you.
STAFF: It's video, SDI.
LEO: SDI BNC cables. So those are the ones that lock. We don't use any of that cheap RCA crap. Isn't that nice? I'm proud of them. I wanted to give them kudos because they did a nice job.
STEVE: Now, if we only knew who was running that closet that's the Picture of the Week, we could send your team over there and…
LEO: Oh, no. They can't have them. They can't have them.
STEVE: You'd see them about five years later after having nervous breakdowns.
LEO: This is only because we moved; right? We were able to - because nobody was going to go in that old rat's nest until we moved.
STEVE: That's right. That's what you do. Once it gets out of control, you just find a new location.
LEO: Just move.
STEVE: Exactly. And you just do it, okay, now this time we know how to do it. So, very nice.
LEO: I mean, those labels, guys, didn't we give you a Brother label maker? Couldn't you do a better, I mean, come on. They're a little handwritten. But other than that.