Arrogance Redefined
Thanks to the AppleInsider forum, I came across this piece of blogging art. To save you a click, I am going to translate the article into plain English, in John Gruber’s style.
Today I interviewed with Apple for a security researcher position, it’s a position that has been open since something like August of 2005 and now I know why. Before I detail what occurred in the interview, let me elaborate upon my motivations behind being interested in a position with Apple.
Everybody says Apple is slow with regard to security and so do I. Heck, they cannot even hire a security researcher.
First let me say, I am not a huge Apple fan, honestly the commercials drive me up a wall because they’re largely filled with disinformation.
Because, you know, commercials are the only source of truth and wisdom. Being an integral part of mass media, they convey highly objective information in a precise fashion. That is, except when they are Apple’s.
I am not part of the ‘cult of mac’, but I am generally not someone who hates Apple either. However, there is one thing that I am fairly certain of: they have the most insecure mainstream operating system currently on the market, and they’re about five years behind the curve in regards to security.
See? I’m trying to be as objective as possible. You can trust me. Mac OS X sucks.
I’m sure plenty of people will turn their nose up at that statement, but let me explain. If we look at it from a coder’s perspective, it’s NeXT dressed up as Unix for Halloween, except it lacks the evolution that has occurred throughout the Unix world, and the evolution that has made it’s [sic] way into Redmond as well.
Alright, I know you are going to say there has not been a single Mac OS X virus in the wild in its six years of existence. Anyway, it sucks because the names of Cocoa classes begin with NS, which stands for NeXTSTEP, which is an operating system written in the 80s. See? I’m well-read. By the way, did you like my Halloween joke? I’m smart.
On my PPC PowerBook, the stack, heap, .data and .bss are all executable. My understanding is that on Intel Macs this is not the case; however, they’re lacking any form of ASLR, which makes the non-executable stack/et cetera more or less useless. Even more, the GCC on my Apple CD is missing stack smashing protection (SSP, formerly ProPolice), which is something that comes in GCC by default, which means that they had to rip the extra security out of the compiler. A lot of people are mistakenly under the impression that SSP is only stack cookies, which is something it does implement, but it also does other rather unique things that make it a really great feature, namely it will reorder variables to minimize the damage of a potential overflow.
Oh, and I know many computer-related acronyms which help me look like I know what I’m talking about. I even make an attempt to explain what stack smashing protection does to you, ignorant Mac zealots. Don’t get it? Heh, I knew you wouldn’t be able to.
So we have a relatively soft target platform. We also have an incredible monoculture never dreamed of in the Windows world: not only is everyone running the same OS, but they’re largely running the same hardware, or rather one of a few different types of hardware. This means that you have only 3 or 4 targets, whether it be userland or kernel exploitation, which means that by and large any exploit found will work fairly well; think about that for a moment in the context of a worm.
Did I say Mac OS X sucks? Sure it does, because it lacks true diversity like gazillions of half-baked drivers for Windows. It’s very hard to write a working virus for Windows because there exist so many holes in it that you don’t even know where to start. Compare that diversity to Macs. You have only 3 or 4 configurations with essentially the same code base. Guess which is easier to patch, er, hack?
But, my dear mac friend, you may say, ‘oh but the firewall!’, and as previously pointed out by Jay Beale, the firewall is useless as implemented. To bypass the TCP filter, you just need to fragment your packets because it will accept any fragment; to bypass the UDP filter you just need a source port of 53 or 67, because it allows anything with these source ports through.
If you are noob enough to not know who Jay Beale is, try Google. See? He says your firewall is useless. It’s implemented in such a lame way that you cannot remove the rule 2065 (allow tcp from any to any frag). Oh, your default ipfw configuration blocks incoming UDP packets from port 53? Never mind, it’s useless anyway. I’m just too busy researching security to look at my ipfw rules or use a spell-checker.
So we have a soft platform, with a faulty firewall, and then one of the biggest dangers to OSX – its user base. How many times have you seen a random OSX user make some comment about not needing anti-virus or really having any true concerns in regards to security? After all, everyone is targetting [sic] windows, right? That is a very dangerous perspective that one of these days will eat the OSX [sic] user base alive, or so one can hope anyways.
Let me re-iterate for you, dumb pieces of a user base. Mac OS X sucks. What makes Mac OS X even worse is its user base. I’m talking to you, guys! And do I hope this dangerous perspective will eat you alive, got it? You deserve it, fools.
So we have an uneducated user base, a soft platform, a faulty firewall and what else? One of the things that came out of the Month of Apple bugs that I found interesting was the format string bugs in the AppKit framework. Why? Because these are APIs written in Cupertino, and used by the same people in Cupertino, and they misused them horribly leading me to believe that they simply don’t understand the dangers…
Ha! I like how impressive my voice sounds. Ooh, baby. Those guys in Cupertino are idiots. Am I clear?
Let me make sure my point is crystal clear here, Apple defined these APIs, then they misused their own APIs in a very elementary way…
Now get it? Because I’m trying to be very specific here.
…while I am on the subject of the Month of Apple Bugs (which to be bluntly honest left me mostly unimpressed), these were bugs that were largely found, as I understand it, by fuzzing, feeding random data in a semi-intelligent manner to the applications.
Oh, and those guys behind MoAB are morons too.
So we have a faulty firewall, a soft platform, ignorant users and developers that don’t truly understand what they’re doing, and extreme monoculture; what we really have is a recipe for disaster.
I have to repeat myself because you, my dear readers, are too stupid to understand a thing.
So when I looked at Apple, I saw a company in distress, I see a company whose future is intersects [sic] with a major security incident, and naively, I wanted to help. The Apple team is running towards the cliff in a date with destiny, and that’s not a threat, that’s a prophecy.
Repeat after me, Apple is DOOOMED and I’m here to save the world. Meet the Batman.
So my interview started around 1330 [sic] and I was greeted by a gentlemen [sic] who told me basically what they do and then proceeded to tell me that their phone was ‘half-duplex’ and that they could either talk or listen, but not both at the same time. I find this incredibly hard to believe, but I opted to not comment on treating me like an idiot and dumbing down the point that if I give a long answer I should pause every so often, thanks, I almost forgot how to talk to people, but with your guidance I’m sure I’ll do great!
I’m sure they had full-duplex phones in the 14th century. Anyway, who uses a phone in half-duplex? Normally people on both ends speak simultaneously because 1) the technology allows it and 2) why listen if you can speak yourself?
The interview started with pretty simple questions: they’re going to ask me about system calls and I’m going to tell them what they do and any security implications they might have. The first one was fork() ... Okay, well, it, um, forks a process, or creates a child process; security implications would be largely the inheritance of file descriptors and that a fault in either one of the processes wouldn’t affect the other, as opposed to threads.
Yeah, I had read the man page…
They wanted more, but I couldn’t think of anything and I still can’t…
…but that was so long ago I can’t remember the details. So what?
…then I was asked how a process would drop its privileges, and I mentioned setuid()/setgid() and we discussed that some and then I was asked how I would drop privileges if I wanted to regain them later, and I commented that it probably wasn’t the answer they were directly looking for but that what I would do would be to keep a parent management process that listened on a Unix socket to perform privilege seperation [sic] and that if a child wanted to restore it’s [sic] privileges that it would make a request to the parent to create a new privileged child and pass on the file descriptors.
Well, he got me here. I would do that in an obfuscated manner to make it too obscure for even a seasoned hacker.
Here’s what shocked me, I was told I was wrong (!!)…
Me? Wrong? He must be fucking crazy. He’s gonna rue it.
…they were obviously looking for something about saved/effective uid’s and such, but that’s pointless because you might as well never have dropped your privileges, or to say it another way, if you can regain your privileges, you never dropped them.
I did not understand anything he said.
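For readers who, unlike the translator, want the saved-UID point the interviewer was driving at: here is an added example in C, not code from the quoted post or its author. A temporary drop changes only the effective IDs and leaves the saved UID holding root, so the process can regain it; a permanent drop sets real, effective and saved IDs together and then verifies that root is gone. The 65534 (“nobody”) fallback and the verification step are my assumptions; setresuid() is a Linux/BSD call, so on Mac OS X setreuid(uid, uid) would be the portable equivalent.

```c
/* Added example: temporary vs. permanent privilege drop on Linux. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pick a non-root target. Assumption: 65534 ("nobody") exists when we
 * run as root; otherwise fall back to our own real IDs. */
static uid_t target_uid(void) { return getuid() == 0 ? 65534 : getuid(); }
static gid_t target_gid(void) { return getgid() == 0 ? 65534 : getgid(); }

/* Temporary drop: only the effective IDs change. The saved UID keeps
 * the old value, so seteuid() back to root still succeeds later.
 * This is the "you never really dropped them" case. */
int drop_temporarily(uid_t uid, gid_t gid) {
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) return -1;
    return 0;
}

/* Permanent drop: real, effective and saved IDs all change at once.
 * Groups go first, because once the UID is unprivileged setresgid()
 * would fail. */
int drop_permanently(uid_t uid, gid_t gid) {
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Defensive check: regaining root must now be impossible. */
    if (seteuid(0) == 0) return -1;
    return 0;
}

/* Returns 1 if the process can no longer become root, 0 if it can. */
int root_is_unreachable(void) {
    if (seteuid(0) == 0) return 0;
    return errno == EPERM;
}

int main(void) {
    uid_t uid = target_uid();
    gid_t gid = target_gid();
    if (drop_permanently(uid, gid) != 0) {
        perror("drop_permanently");
        return 1;
    }
    printf("now uid %u, root unreachable: %d\n",
           (unsigned)getuid(), root_is_unreachable());
    return 0;
}
```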
I was then asked how, if I had this *large* code base of like 30,000 lines of code and like two days to audit it, what would I do. Firstly, let me comment that 30,000 lines is not large, it’s fairly common, but whatever.
Famous security researchers like me audit millions of lines of code every day because it’s very easy, much easier than writing code. More on that later.
I said that I’d look for usage of functions known to have problems traditionally and look at the core internal API and see if it can be misused. They asked me how I would do that, kind of making it sound like I was oversimplifying the situation, and I commented that it typically wasn’t that hard: grep, or look at the filenames, as there are typically things like alloc.c or similar, then work backwards from there.
I said it’s trivial – use grep, dammit. Look at file names and when you find alloc.c there’s a security hole.
This again was met with resistance and I said that it isn’t like this is hypothetical, this is what I do for a living and then they said something like ‘While I can appreciate that you supposedly do this for a living, I was asking for a real answer’ at which point I had enough and told them that I didn’t like their fucking attitude and that this type of arrogance is why Apple is in the midst of such a security nightmare, that I wasn’t interested any longer in a position with them and then proceeded to hang up.
I said I use grep for a living. He said he likes grep too, but it doesn’t solve a problem of auditing 30 thousand lines of other people’s code in two days. I said, “Fuck you. Apple be damned. I ain’t gonna answer interview questions because it’s humiliating.”
Then about five minutes later I got a call back from the recruiter, asking what had happened, and she started to laugh when she repeated back my line about the security nightmare, and I realized what the problem really is: they’re mistaking beginner’s luck for skill. When I say beginner’s luck, I don’t mean beginner to the computer industry, but rather beginner to the ‘real’ industry…
Why do people laugh at me when I say something ridiculous in earnest? Aha, that’s because they are noobs. Well, Apple has been making personal computers for 30 years, but that’s not a real industry. In fact, the computer industry has never been real enough for me. It’s fairly illusory, I must say. Close your eyes now. You don’t see your Mac any longer? Yeah, that’s exactly what I’m talking about.
…up until OSX [sic] they were a tinker toy OS that was largely disregarded, then they stepped up and put themselves on the same level with Microsoft and Unix, and they seem to think that just because no one has ripped them apart means that no one can. Even worse they don’t seem to recognize that their arrogance makes enemies, and generally speaking they’re not the types of enemies that a software vendor wants.
Yes, you heard it here first. When Microsoft made a high-end operating system called DOS, Apple was toying with their kids-oriented graphical user interfaces. When Microsoft was busy patching Windows against thousands of real viruses, Apple was playing with Quartz, Core Audio, Core Video and Spotlight. No serious hackers are going to be interested in a tinker toy OS when there’s a real challenge to create a botnet of millions of computers.
Remember, I am the prophet, I am the only one. I shall summon an army of hackers that can rip Apple apart in two minutes.
So fuck it, here’s to you Apple and to your future insecurity, I wanted to help you and instead you just ended up with another person interested in auditing your software.
Boy, am I fucked. I’ve just screwed another interview and my father is going to spank the hell out of me.