mergeconflict257
James: [00:00:00] Frank, I am to believe that you are a security expert. Is that correct?
Frank: [00:00:14] No, James, I don't know who would mislead you in that direction? Probably me at one point, I probably said I'm not a real security expert, but I do like to talk about security. How about that? Uh,
James: [00:00:25] yeah, that's good. I mean, we tried to get Troy Hunt down by trying to me and I didn't, I didn't do anything except for, you know, Troy Hunt is off open sourcing Have I Been Pwned and doing awesome things in the dotnet community, but that would be a cool interview to get on one time to talk about the thing that we're going to talk about today, but we're not going to do that. We're just going to pretend like we know exactly what we're talking about. Frank,
Frank: [00:00:47] do I even know what we're talking about? See, I think Troy should be able to read our minds too. So like, he should just, you should have just shown up.
James: [00:00:56] I'm obviously talking about CVE-2021-30747.
Frank: [00:01:01] Oh, good. Old CVE-2021-30747. I like to remember it because it ends in 747. I, that's not true at all. Hello. We are talking about the M1RACLES, uh, security hole that has been found in the, uh, M1 chip. And I, I need to mind this M1RACLES is spelled with a one or the, I should be it's important because get it. It's an
James: [00:01:29] M1. I see, I see what they did there. That was very clever. It's like a code red, like the, the Mountain Dew Code Red. They were drinking some Code Red Mountain Dew. And I'm like, well, we're going to name this. So
Frank: [00:01:41] th th this is sad. Let me start by saying this is sad. I'm sad because the M1 has been perfect up till now. Right? It's just the perfect chip.
James: [00:01:48] Uh, yeah, in fact, I've been using my MacBook Air a whole lot more.
It's definitely outside, uh, in the, you know, on the couch, just all over the place, programming, watching videos, and it is a delightful machine. That's very snappy and I'm, I'm very impressed by it. And you know, all the things, even the new M1 iMacs, lot of really positive reviews going on. So yes, this is a bit sad, you know, that our little M1 chip, you know, will soon need to be modified in some way to potentially fix this M1RACLES. Uh, it's not even a, I guess that's a bug. It's a vulnerability-ish. It's it? Cause it's not a, you know, there's other things out there. Like when often we talk about security, we're thinking about malware, cyber attacks, but then there are the things like in the silicon, you know, I think about Spectre and Meltdown, those different things that impacted, uh, Intel and AMD and ARM based machines. And those were patched at a soft, I don't even, I don't even know whatevers on it. And there's like, there's like firmware or something like in Chimp or something.
Frank: [00:02:57] Frank magic, magic. Uh, I don't believe this one's actually patchable. The reason the Intel chip is patchable is because the code that the chip is, the processor is actually executing is not x86 the way we think of it. It actually recompiles x86 into a proprietary Intel format that the chip processes, and it's actually that translation unit that can be, uh, changed. And so when those security vulnerabilities came out, which I remember very clearly, because I had just spent a lot of money on my new iMac Pro and I lost, it's like 20 to 30% of my performance because of that stupid security vulnerability in Intel chips, which was very, very annoying. And it's funny how security is because it's all about levels and possibilities. And is this theoretically possible? Does this compromise the security of the machine? What does the security of the machine encompass, you know, uh, is it accessible through the web?
There are so many ways to rank, uh, uh, the severity of these vulnerabilities and from what I've been able to read so far, not to spoil it, but this one, uh, security hole doesn't seem to be too
James: [00:04:15] terrible. No. Yeah. The M1RACLES CVE-2021-30747 vulnerability designation, uh, apparently violates an OS security model. And what they're saying is that there's ways of sending packets of information, uh, on malicious applications that were installed, they can transmit data to and from each other. Okay. So, uh, this isn't like one application is reaching into, let's say the keychain and grabbing something, or let's say, and NSUserDefaults and reading information from another, another application that would be bad, uh, or a good example is like sandbox. You know, private data or whatever it can reach in and, and, and, and access something, uh, without being granted, what this is happening is, yeah, it can basically send packets of information to and from another application that is listening and trying to transmit data for it. So it has to be two or more of these applications, which means that you would have had to install two or more of these applications, or for example, um, you know, maybe a, a hacker or developer would put this in all of their applications to send packets of information to and from their other applications. And that could be malicious or not malicious at the same time. Yeah,
Frank: [00:05:51] it's kind of funny how it is because you need two apps to conspire with each other to transmit data and having come from the sandbox world. At first, I was like, well, this seems kind of silly, but it is something that we've never been able to do really in iOS, they've baked in a million, uh, iOS and Mac in this case, uh, they've baked in a million different process
control APIs by which the operating system can make sure that two apps are communicating with each other in a safe manner and that they don't have access to anything, uh, naughty or anything they shouldn't have access to. What is incepted about this one or insidious? I don't know which word to use there, uh, is that these two apps can communicate with each other without the kernel ever getting involved. So the kernel cannot enforce its security model. So that is definitely the vulnerability side. That is definitely a mistake that I think that's what they're saying. Like that should just not be possible. And I honestly don't understand what communication channel they're using aside from, it does seem to be registers. So just plain old, good old fashioned CPU registers. Somehow some of those are getting, um, leaked through between the two processes.
James: [00:07:06] Yeah, my understanding. Yeah. My understanding is, is that it's the same thing that they are using the CPU system registers from the user space that is being able to write and read, you know, from these random registers in. And like you said, there are ways of apps that communicate today that the, the OS can kind of enforce some limitations, or at least some visibility, you know, files, sockets, things like that. They'll, there'll at least be some knowledge of that happening. This is sort of like a backdoor almost into these registers, registrars, registered, registering registrars, if you will. Um, that, that goes into it. That that's what it's I think
Frank: [00:07:48] about. Yeah. And actually I just read something real quick. Breaking news, breaking news. Uh, the security hole seems to be about two bits wide, so it's not even the full register. It's just these two little control bits on one of the CPU system registers. What a funny little bug.
And I'm surprised because you would think that, um, all these chips, I guess I've always assumed that the M1 is basically an A15 or an A16, whatever it would be, but Apple's been making these chips for a while. And I know people have been hacking away at the iPhone. So I kind of assumed that it was a perfect chip, you know, or the design was kind of perfect. It's a silly assumption obviously to make, especially as an engineer, I should be a little bit ashamed, but they have had such a good track record that something like this is, um, pretty interesting. Yeah.
James: [00:08:43] And because of how this vulnerability, uh, pairs and the registers, it would have to be a physical change to the chip. Now, there is some interesting things there. We actually got asked on Twitter to discuss this. And again, we're not security experts, but they're reading through some of the, uh, C files that were online and some of the different discussion, you know, on a Mac it's a little bit, you know, what's the, what's the use case here for it? You know, you're installing applications, you know, you're doing stuff, but what's to stop someone from just writing random bits of data to sort of, you know, like what if Apple installs an update to the OS and then the, the, you know, OS just writes random bits nonstop to these registers and like, you know, scrambles your stuff, right? So there's, there's, uh, some, some issues here, even with just how it's being accessed with these random bits from the register.
Frank: [00:09:46] Yeah, you, you even gave me an example, which is what actually kind of piqued my interest in this bug. Because at first I was like, eh, you know, it seems so minor, but then you brought up a good one and I'm going to give an example here, but I want to make it clear. This is not happening. This, this company is not involved. I'm just going to use this as an example. Okay. Just an example.
Facebook, who doesn't like to pick on Facebook, sorry, Facebook, I'm going to pick on you. Uh, imagine that they have nefarious ideas and they want data from apps that Apple does not want to give them, but they want that data. Uh, but we all put the Facebook SDK into our apps because we want to talk to the Facebook. So there's millions and billions of apps out there with the Facebook SDK. This little side channel thing would allow for Facebook to communicate from the SDK to, uh, running Facebook app. It would have to be tricky because like on iOS apps really don't run at the same time or at least they try not to, but on Mac, definitely a more common thing. And the reason I keep bringing up iOS is the new iPad has an M1 chip in it. It's not clear whether, um, it has this vulnerability also, but, uh, is that true? I'm sorry. I'm side tabulating myself here. Uh, is there any word on whether this affects the iPad?
James: [00:11:05] Oh, I don't know, actually, because the iPad does, I must because yeah, same chip. Same chip. I mean, they could have made tweaks. They don't necessarily say specifically if it is impacting the iPad, but I think you're right.
Frank: [00:11:21] Yeah, for sure. Well, so either way, this creates a back channel that, um, evil, evil people could definitely exploit and they would do that. I feel like a lot of that's going to get caught pretty quickly, but it does open up the possibility because the point of this is the kernel can't enforce its security model on those two bits of data that you get to communicate through.
James: [00:11:46] Yeah. Uh, that, that would be the, the biggest issue is if they decide to roll out the M1 to every single iPhone this fall, you know, one, they probably have an M1X chip as what we're thinking anyways. And it would be something even maybe special for the, you know, M1 M or I dunno, whatever, it might be something special for it. Uh, but I think the other thing too is
If that was to occur, then you're right. Someone like a Facebook or some other ad SDK or analytics software could slip this data. And the biggest, the biggest reason why this is important, by the way, on iOS, and what'd be fascinating about this iPad iOS stuff too, I did not even think of this with the new iPad Pro, is, um, and it says here in another article I'm reading on AppleInsider that it would, it does affect every single, every single thing, including iOS. Um, and the biggest issue there is if you were, let's say, a keyboard application. Okay. Which has no internet connectivity, no way to get to anything, right. That that's one use case that could be bad because you could slip data to another app or another SDK that's reading data and writing data, or like you were saying, if it was an analytics SDK or some other SDK that tons of people have installed, uh, as a developer, you don't know what that thing is doing, unless you're trying to go through. And of course people would probably figure out it's doing that. But the thing there is because of that new privacy pop-up thing, you can imagine these companies wanting to get around it. Right. And that would be the thing is they could send bits and data that they know about a user over, make the ads better is that, but you could see where it could, it could and potentially have, um, some issues unless they were able to catch that in the app review process.
Frank: [00:13:51] Man, you're freaking me out about the keyboard example. I mean, at some point they would get caught because they would have to upload the data for it to be like an effective whatever, you know, they would have to leave the phone at some point, but, and hopefully someone who would realize that at some point, but yeah. Um, wow. That's a, that's a scary example. The trick with security, as I said, was the priorities I was thinking about.
Um, these funny bugs we used to have back when I was working at Microsoft, that was working on, I actually am technically a security professional because I worked on a security part of a piece of software. And I had to be like Mr. Security and put on my gray hat, white hat, whatever happened.
James: [00:14:35] You're supposed to security. You put on the security. Yeah, yeah, yeah.
Frank: [00:14:39] Big S on it. Yeah. Uh, and I was working on the codecs for graphics file formats. So JPEG, GIF. Um, what's the other one? PNG and TIFF. Oh, that's the worst.
James: [00:14:51] TIFF is the worst. It's always riddle to Canon and, uh, you have to send printers all this data. And we had software that was sort of like auto, auto, not AutoCAD and more like Photoshop, but for printing, doing CAD drawings and things and TIFF. W and PDFs are always the worst and you'd always see security flaws or issues with TIFFs and things like that because it's a very, very, very, very old, uh, file format in general. So
Frank: [00:15:19] anyways, continue. It's it's not just that it's old. It's just that it's powerful. Um, it has like jump statements and it, where like the reader is supposed to advance X bytes, which might be inside or outside of your buffer. So you better check all your buffers and be very careful and you can even get into infinite loops. I can tell it, go to here, go to there and do an infinite recursion. The security around TIFF is amazing, but some of the most insidious, I'm going to, I'm just going to keep using that word today, uh, bugs were what we call denial of service. Where actually that, that TIFF example was a perfect example of it. The denial of service bugs, where you tell the operating system to open this file and it gets hung in an infinite loop and you're like, oh gosh, like, is that a security flaw? And the reason no one really wanted to make it a security was because there were a lot of ways you could do that.
But at some point we had to say, yeah, that is a security flaw because you are eating a CPU and yes, browsers can be smart. They can check how much of the CPU they're eating and they can back off. And there are ways for apps to protect themselves, but we decided fundamentally the operating system needs to protect itself. And so I actually got the job. It was one of the more fun ones because you weren't like, um, necessarily, um, right, breaking into the computer and getting the passcodes and all that stuff, but it was like, hey, can I, can I drive your little library insane to the point where it just eats up all, all the system resources I can and DoS a computer all by itself.
James: [00:17:03] Yeah, that'll do it. And you know, you see this all the time. When we talk about security things, you know, you, you see all these updates to iOS or to Android, there'll be small little patches, you know, iOS 14.6 just came out like really soon after 14.5. And I'm pretty sure that there was some, you know, I don't know what the security flaw, but there's always something that's like some WebKit thing or some image thing or some encoded, I remember there's like an encoded message string that you could send people that would like cause some issue or something and yeah, software's hard and hardware's hard and CPUs, man, that's gotta be real hard.
Frank: [00:17:41] Well, the buck stops at the CPU is the problem. And this is where the unpatchability of the M1 is the problem here, because for as much as I hated my up to 30% CPU loss on my Intel machine from Spectre and friends, they were able to patch it or disable that hardware. I don't know exactly how they patched it, but things got slower, but at least they were secure. I hate that word also, but you know, it was secure. This is horrible. And as far as we can tell, it's not patchable. And so we're stuck with it. Yeah.
Uh, were you around for when the first Pentiums came out and they all like, gosh, it was only like six or nine months after the very first Pentiums came out. We were all excited. We were done with the 486es. It had new instructions, it was very advanced. And then it had a bug in division. Do you remember
James: [00:18:37] that? No, I did not remember that.
Frank: [00:18:40] Oh, it was hilarious. They screwed up floating point division. I think it was. And there were just a million examples you could give it where it would give the wrong result and then people, or it might've been square root. It was one of those two. Uh, and I think they patched it, or basically every compiler in the world for about a year or two would work around the bug because Intel was mea culpa everything. And so that one's a weird one because it's not even security. That was just a flat-out bug. But I'm old enough to remember that happening. So these smaller bugs don't really faze me too much.
James: [00:19:21] Wow. That's fascinating. Yeah. I feel like we've come a long ways and whatever the team did, they spent a long, long time. I mean, this has been out for what, eight, nine, 10 months now at this point, and it's pretty solid. I would say that this is the, this is the concern, right? Which is not really a concern based on the current limitations. That being said, there are potential ways, like we talked about, to, to exploit it a little bit more, if it was on more of every single iOS device or the next gen iOS device. But I imagine that once they tweak and tune even further, you're going to see less and less and less issues. And you see very rare CPU vulnerabilities, less so than software. Right? However, they're not non-existent. They are, they exist. Which means everyone, anything's possible. Right. And I think that it's a pretty good sign that it's been so long. And this is, this is the severity.
Now, if there's security experts listening, we would love to hear from you. Go to mergeconflict.fm. There's a contact button. There's a Discord channel. You can tell us how wrong or how right we are. But, uh, overall, I, I read the articles. I read the blogs from the people. I watched the videos of the people and I, I wasn't, I was like, hey, cool. Like that's no good find.
Frank: [00:20:54] Depressing. It's
James: [00:20:55] impressive. It's impressive when people find stuff like that. So.
Frank: [00:21:00] I mean Spectre. How did they ever find Spectre? I don't know. I, there, there are some geniuses out there. So hats off white, black, and gray hats, all hats off to you, all your hackers. Cause it's, it's pretty cool stuff. I will admit to that much. Um, but you know, the M1 has been doing so well. I think we're still in that funny phase where software is letting down the M1. So I'm I'm, you know, and by that, I mean, when I run, uh, a lot of SDKs specifically, cause we're all developers, we're running a lot of SDKs and uh, all the big packages are being slow to update to it. Um, I finally got a Python version working that could actually do some stuff. I was pretty proud of that, but, um, I haven't been able to get, um, a lot of other developer tools to work on Intel. So we're still in this funny phase of, I think the software is letting down the M1 more than the M1's letting us down. I think we're still far on that side of history. Start waiting for the SDKs
James: [00:22:04] to catch up. Yeah. You know, overall, I agree with you. That's been my biggest, I would say with it, it hasn't been terrible. In fact, there's quite a few good articles. I put out one, there was another one, uh, from some of the folks at Telerik that put it on the, on the Visual Studio blogs, talking about how they do set up and get Docker things to work and kind of work around some of the limitations today as things upgrade.
But I will say overall, I've been pretty impressed with my normal development. I do believe that the more severe issue is, at least for the best development that I've seen running into, is the new, uh, Big Sur requirement for Xcode 12.5. That seems to be a big fiasco right now. So beyond that, uh, I think everything with the M1
Frank: [00:22:58] is great. I'm sorry, I missed that. What is that fiasco? Uh,
James: [00:23:03] it has nothing to do with anything that we've been talking about. So loud sidetrack, so real quick, real quick. Yeah. So it's, uh, it's uh, as we think about software, you know, and we think about development software, especially on or new hardware, there's all different things we're talking about. Does Docker run? Does Node.js run? Does Homebrew run? All this stuff, but then there's some things that have nothing to do with that, but it's more of an OS lock-in, right. Which is Xcode 12.5 requires Big Sur. And you know, what is lacking in cloud hosted Mac solutions? Big Sur machines.
Frank: [00:23:45] Yeah. I actually noticed that one of my GitHub Actions broke and I was like, well, I don't know what to do now because they had, they did not have, um, Xcode 12.5 installed. I figured that's just one of those things where they'll get it up and running eventually. Big Sur was a big change. I don't, you know, we, we talk about it sometimes on this podcast, but, um, I keep running into software that doesn't work with it. Talking about SDKs that don't work with. The finding SDKs that work with Big Sur is hard. They did something really interesting. All the system libraries, like all the actual code that the system is running. It all sits in one giant file. Just one big glob of data. And so like all these old developer tools, right. I would say, you know, reference this library and that library used to be a file and a directory, all Unix-y, is no longer. That's not how it works.
It's in this giant globby thing that no tools know how to handle. I'm guessing the, it's called a cache. It's not called a glob. I'm guessing that was something that came from iOS. Uh, because it's an efficiency thing, you know, you only have to load this thing into virtual memory once, all the apps can hit it from virtual memory, uh, life is good, but, uh, all these developer tools that are trying to reference these libraries individually cannot find it. And it's, it's not any of like the system tools. It's always the clever tools that, you know, try to go look in your user lib directory to see what's installed. It's the clever tools are all failing and it turns out developers are clever. And we like to write clever tools and a lot of them broke on Big Sur. So you're right now. Now I get what fiasco you're talking about. Yeah,
James: [00:25:36] there's does seem to be this influx of things are getting a little bit more tricky. There's more security models coming in. And, you know, even for me, even to test all the different operating systems, obviously iOS is an ongoing concern, testing, you know, different CPUs is a big concern for me too. I feel like I don't really have to worry about that on Windows and maybe that's me. Like, I don't really care if it's an AMD or an Intel or even an ARM chip. Like if it compiles, it basically runs. However, you know, I, I sometimes I'm like, okay, well it's running on Big Sur, like, oh, it's an M1. Like, is it actually something different? I know it's not, but like I've had my stream timer for some people like, they'll install it. And they're like, for some reason, it just can't read the, if it can't read the file, it can't read the file. Like, I don't know. I was like, I don't, just give it full disk access or whatever, you know, in the dropdown. And they're like, well, that worked. That's great. Right. And I'm like, nothing changed. Like I've, yeah. But thousands of people have installed that in all different things.
And I'm like, I don't know if that's an M1 thing or something else. I can't read, bro. It isn't an iCloud thing. Like there's all these weird use cases where I'm just like, I don't, I don't know what's going on anymore. And, uh, uh, that's okay. Sometimes I guess.
Frank: [00:26:54] Yeah. Tell me about it. I'm trying to write an IDE that lives in a sandbox. You know what? People's project files have references to files all over the hard drive everywhere. It's so hard to load that stuff in a sandbox. Uh, just want to give another shout out. I do this about every six months. NSURL has security bookmarks. If you want to have reliable file access in iOS and Mac, get your NSURL, you serialize the security bookmark and you can unserialize it. And if it ever goes stale, you can ask the user to open the file again, but it guarantees that you'll have access to that file. And a really cool thing about it is if that file just so happens to be in iCloud, then it would show up in iOS also. That one bookmark would show up in both. Anyway, I just wanted to give a quick shout out because anytime dealing with the sandbox is so hard. So I feel like anytime I have a little pro tip for the sandbox, I have to give it.
James: [00:27:52] Pro tips with Frank ch.
Frank: [00:27:56] How, how can we have a security episode without talking about the sandbox? Because I guess that's the joke or two, is that the sandbox didn't help. We got those two bits through, on the register, thanks to the M1RACLES bug. Uh, it stinks, especially, you know, so much of my life is based around trying to figure out how to do things under the sandbox, but it turns out there's been a leak the whole time. Sandbox has a leak, two bits wide.
James: [00:28:23] It's, uh, yeah, that is, that is something to think about. I was, I was
listening and watching a lot of the, the Apple and Epic showdown, the court cases and, and, you know, oh boy, Craig Federighi was talking a little bit about, you know, how Mac itself is a little bit more leaky because, because there's less, there is a lot of security precautions, but because you can install things separately and there's ways to do, you know, it's a desktop operating system. It's not as locked down, whereas the App Store is this, but to your point is, hey, there's, there's things that even the operating systems, operating systems sometimes can't control. And that is a bit, a bit scary, but I guess that's every computer that we've ever used. So I can't be too, I can't be too, like, worried about it. Like I'm not going to return my M1, you
Frank: [00:29:10] know? No. So after 29 minutes about talking about security, I'm going to end with, I really don't care about security. I've been using unsecure computers forever. Um, I, I guess I care about the security of my bank account and that's roughly about it. So as long as banks, you are not off the hook, you have to do all this stuff, but for all other users really do you really care if they get your photos? I don't, I don't care. But, um, you know what, that's a privileged statement to make. And I will say I'm lucky that it applies to me, but, uh, security, I'm lucky that security is not that important to me, but I'll try to care more.
James: [00:29:54] I'm in a mixed bag. I think that security, you know, I became an iPhone user because of the security model. You know what I mean? Right. Yeah. I use, um, Apple Maps because of the security model. So to me, security is, am, and the dedication to security is there. And I think what we're maybe waiting about, and maybe by the time this podcast comes out, who knows, it's going to be the first day of WWDC. No one's going to be listening to this podcast. We'll be listening to it later.
Uh, you know, I believe that Apple will fix it or, you know, in the next iteration or address something or do something, you know, I'm, I'm sure that it's probably all hands on deck over there. I have to imagine.
Frank: [00:30:40] Yeah. Um, I'm curious if they'll address it. A lot of times they don't like, you know, they have software security bugs all the time. Um, they're constantly getting patched and they never talk about those. Maybe, I, I can't think of any WWDC where they've talked about a security patch, but maybe for Spectre. Maybe that one came up. I'm now I'm actually kind of curious. So it'll be interesting to see if they mention it at all. My guess is not.
James: [00:31:10] Yeah, well, we'll find out. Let us know what you think about security just in general, but ran into the show, mergeconflict.fm. And if you want a topic covered, you can always tweet at us, at James, at Merge Conflict FM. We literally talked about this today because you asked us to do so. So I hope everyone found it entertaining a little bit. I know I did, Frank.
Frank: [00:31:33] Uh, yeah, I'm I'm I'm still gonna say I'm a little bit sad. The, the M1 will always be perfect in my heart, but it's like nine nines now. It's not a million nines of reliability.
James: [00:31:43] Yeah. It's like that, um, uptime. It's it's 99.999999999.
Frank: [00:31:50] Yeah. It's still enough nines. I still love you, M1. Yeah, I still love
James: [00:31:55] you, M1. You're you're good. I go, well, thanks everyone for tuning in. That's going to do it for this week's podcast until next week. I'm James Montemagno and
Frank: [00:32:04] I'm Frank Krueger. Thanks for listening. Peace.