RUSH: I’m gonna give you the short version right now because my e-mail is overflowing. “You said you were gonna explain this Apple security thing!” Here it is, in a nutshell, folks. It’s not time to panic. There’s so much media on it. In the tech media and in the standard news media, think of Apple as the Republicans. They’re despised and they’re hated.
The only difference is, Apple is number one and very successful and knows exactly what they’re doing. The Republicans don’t. There’s no comparison between Apple and Republicans in terms of achievement, accomplishment, but in terms of being hated and despised, they’re very close. What this security flaw is — and it primarily would affect you if you’re on a public Wi-Fi network, like at an airport or a Starbucks or any other kind of Internet cafe.
If you are on your home network, make sure it’s password protected, but even then, nobody’s gonna target your home network. They can’t get to it. It’s too small. Don’t worry about hackers. Maybe your corporate network, it’s the same thing. Really vulnerable… Well, I don’t want to even put it that way. Your biggest vulnerability is on a private network, and what’s happened is, there is a line of code that doesn’t exist that enables… It’s called a man-in-the-middle attack.
The way to visualize this is you’re in Starbucks and you’re on your Mac, and you’re using the Web browser Safari, and there’s a hacker in there, and he’s able to follow everything you do. That’s the security flaw. Therefore, if you go online to pay a bill, the hacker sees your data and everything you need to get online and connect to your bank. Now, there are no reports of this exploit having been used yet. It’s not easy to do. The hacker would have to be extremely proficient.
But the vulnerability is there.
That is the simplest way to explain it. It enables hackers to eavesdrop on online interactions. When you log on to another website, that website has a certificate of authenticity that is signed that talks to your browser. That’s all encrypted, and every website you log on to sends an encrypted confirmation back to your browser that it is the website your browser thinks you’re talking to.
If you’re online at Bank of America, Bank of America has a certificate on their website, it’s signed, and it sends back a confirmation to your browser that, yep, you indeed are talking to the Bank of America website. The hacker is able to get in and emulate the website and tell your computer that it’s Bank of America, or whatever other website that you’re talking to. You have to be on a public network for this to even be applicable — and even then, there are ways around it.
You can use the Chrome or Firefox browsers. They are not vulnerable. So this vulnerability existed on iPhones and iPads, and that was patched on Friday afternoon. They’re now secure. The media is scratching its head over why Apple has not patched the Mac OS X. Now, the sideline interesting thing about this is, is this an actual bug (’cause it’s just one line of code), or is this something done on purpose to allow the NSA in? ‘Cause it is said that this bug existed with the introduction of I think OS 10.8.
The NSA’s PRISM system is what was revealed by Edward Snowden. They put out a PowerPoint chart of Snowden’s leaks, and indicated that the NSA claimed that they were able to tap into Apple in October of 2012. This bug occurred September 2012, and so some people are asking if this was actually a bug or actually a door left open for the NSA. Apple isn’t saying anything, and Apple hasn’t patched the Mac, and people are wondering why, ’cause it’s just one line of code.
Now, here’s one of the reasons why they may not have patched it. The delivery system for software updates comes from the Mac App Store. That’s where the software update is. It is also vulnerable in addition to the browser. So they might have the fix, but they might not have a secure way of getting the fix to you. There is also a new software upgrade coming for Mavericks, 10.9.2. It’s imminent.
Apple could be waiting to roll the patch into that update, and they might not want to do two updates separately. All of this is speculation, ’cause Apple isn’t talking. But the bottom line is, if you’re on a Wi-Fi network at home, and it’s password protected, the odds of this man-in-the-middle attack being able to get into your system are practically nil. If your Wi-Fi system at home cannot be accessed outside your home or outside your property, you’re good.
That’s such a small network, and, especially, if it’s password protected, a hacker’s not even gonna waste his time. They’re gonna go after as many users as they can get at one time, and that’s why they target public networks. Now, this is really, folks, the bare essence of this. You can find, if you want to go onto various blogs, all kinds of detailed technical explanations for what SSL means and TLS means. Those are the two areas where the bug is.
But it all has to do with encrypted links between your browser and the website you’re visiting and the signed certificates of authenticity that those websites send back to tell your browser that, yep, it is indeed Bank of America you’re talking to. A hacker can get in there and pretend — well, make your browser think and make you think — that you’re talking to Bank of America when you’re not. The fix is gonna be here soon.
I mean, it has to be imminent. It’s just one line of code.
The curiosity about whether this was done to enable the NSA, or, there’s a body of thought out there that thinks the NSA is responsible for this. Let me try to explain one more element of this. Hackers are everywhere and they’re constantly testing operating systems for vulnerabilities and ways in. The Mac traditionally has been the safest and most secure operating system going, for viruses and bugs like this. The NSA has automated attack programs. They’re constantly attacking any computer network they can find to find out if there is a bug.
This bug would show up in an automated attack. The NSA tries to find a vulnerability in OS 10.9 they would find it right away, they would see it, they’d say, “A-ha.” If they didn’t see it they might see the vulnerability, be able to write the hack themselves. The NSA has some of the sharpest software engineer, code breakers the world has produced. So it’s multilayered in terms of unanswered questions. It’s really pretty simple to explain what’s happened. What’s not known, it’s just one line of code, it’s called “goto fail.” One word is in the line of code twice, and the second appearance embedded on its own line is the bug, and it’d be easy to take it out.
There’s a school of thought that says, no, it’s not just that simple. In iOS, iPhone, iPad, it was easy, but the Mac OS is much more complicated, it may be more than just one line of code. Nobody knows because Apple isn’t talking. So does that help explain it? Let me ask Dawn, ’cause Dawn doesn’t care about this. Did I explain it? I don’t mean to be insulting, but most people don’t care about this stuff. As long as it works, that’s cool. And if there’s a potential for harassment, they want to know. I’m not trying to be critical of any of these public networks, but I’m just telling you, if you use a Mac and Safari, you’re gonna be using 10.9 for this, by the way, maybe parts of 10.8.
But the point is, just stay away from public networks for awhile. Stay away from untrusted networks. “Well, what’s untrusted?” It means if you can’t, in your own mind, trust the network that you’re on to be secure, don’t use it. If you have to, use cellular data. Get a hot spot and use AT&T or Verizon cellular data on your Mac for a while, or use Ethernet, connected by wire, if you have a chance to do that. There are any number of ways around this.
RUSH: Now, let me add one thing to this Apple security bug. Any time technical matters are discussed, the people hearing it routinely don’t understand what they’re hearing and get it wrong and start spreading rumors based on what they are sure they heard. In this case, me. I just want to be very clear about something. In order for the hacker, the attacker, the man in the middle to fool you into thinking that you are talking to Bank of America, and you’re not, you’re talking to him, the hacker, he has to be on the same Wi-Fi network you’re on.
So if you are on your home Wi-Fi network, the Wi-Fi network that your router uses in your house or in your apartment, the hacker has to be on that network, which means the hacker would practically have to be within your eyesight. But a public network like Starbucks, where anybody can get into it, and it knows no limits or size, that’s a whole different matter. That is a ripe target for a hacker. Your home network or anything else similarly small is not going to be worth the effort.
If you’re on a secure network, a hacker cannot pull any of this off. He has to be on the same network you are on. So I don’t want anybody misunderstanding, thinking you go online, you talk to your bank, and that any hacker anywhere in the world can get in and hack you. This security flaw does not permit that. All of this must happen on the same network that you are on. If you have a password protected network — and most people do — that’s generally gonna be enough to send some hacker somewhere else easier. And again, there are no reported hacks.
Now, that doesn’t mean there haven’t been. The hacker might not brag about it. But there haven’t been any reports of identity theft or anything of the sort since this all was first learned on Friday. This hack, this bug has been in existence for over a year. I don’t know who all has known about it. I don’t know if anybody has successfully exploited it.
Another question, how was it discovered? Was it discovered with a routine quality control check by Apple software engineers? Was it discovered by somebody attempting to exploit it? There’s a lot of unanswered questions here about it. But, yeah, for example, it’s not just your browser. It’s your mail program, Facebook, a hacker could exploit this bug and get in the middle of any of those website links if, again, the hacker is on the same network you are on.
If you’ve got a little router at home or in your home office or whatever, the hacker has to be within range of your network, your Wi-Fi network, and the odds of that are very small. So you’re not wide open and there are things you can do to button up your security until this is patched, which it will be. Some people thought it would happen over the weekend. Some thought certainly yesterday. That’s why people are wondering, “What’s Apple waiting for?” Well, there is this new software upgrade, 10.9.2, that’s coming. They may roll it into that. Who knows. But we’ll all find out soon enough.
RUSH: Just one more thing on this and then we’ll be done with it. Apple’s getting a lot of grief for not making a big deal out of this. They sent the software patch for the iPhones and the iPads out on Friday at four o’clock in the afternoon when nobody notices anything. I actually think that it was wise for Apple not to make a big to-do about this because all that would have done would have been waving a big, white flag or red flag to the bull, to the hackers, to have been trumpeting some vulnerability. I think they played it just right. Besides, the media’s gonna do that anyway, which they are in the process of doing. Which is why I wanted to bring a little bit of proportion and reason to it.
RUSH: (interruption)What do you mean, what is my theory? (interruption) Oh, you want to know what I think, how it happened? (interruption) Oh. Oh. Okay. I don’t think this is complicated at all. Snerdley wants to know how I think this whole thing with the security flaw occurred. I think the NSA found it. That’s what they’re paid to do. Ladies and gentlemen, the National Security Agency or whatever it is…
The NSA is constantly looking and trying to find vulnerability in every computer operating system there is in their charted effort to track down bad guys who intend to do harm to the United States. So Apple announces a new operating system. It was iOS 6 for the iPhone, and about the same time, I think, it was Mountain Lion for the Mac, 10.8. So what the NSA does is, they’ve got an automated program.
Every time a new OS hits, they bombard it, looking for ways into it — and they found one with iOS 6. They found this security flaw. They found this one line of code that was there. What nobody knows is, was it an accident or a quality control fail, or was it purposely done to let the NSA into your computer? Nobody knows. Nobody will ever know that. But I think it was the NSA that found it. This is what they do.
So a month after they found it, they then went public — well, they didn’t go public. Snowden took it public. When Snowden announced the existence of the PRISM system, which is the NSA’s… Remember when the news came out and the NSA said that these companies were participating with them? I think the news was that these companies had allowed the NSA into their servers through the back door, and Microsoft was one of the companies.
Google was one of the companies, too, and they said that Apple was added in October of 2012. Well, the exploit has been traced back to September of 2012, and that kind of looks interesting to people following this. But I think the Apple OS is the most secure operating system for consumers that there ever has been. It’s not even comparable to Windows. The hackers that do viruses don’t even try with Apple. The most success they have is with what are called “phishing attacks.” That’s when you get an e-mail that looks official from, name it, could be anybody. ExxonMobil, Apple itself.
These people come up with fake e-mails with a link that you are to click.
Usually it’s some kind of crisis bit of news, a question about your bank account, a question about this or that. You click the link to either solve the problems or to find out what it is. You click the link, and they’ve got you. That’s about the extent of it, and even those are covered well. I think the NSA found this, pure and simple. Now, it took a while for it to be discovered, and they’re gonna patch it. It’s that simple. That’s my theory. But that’s all it is: A theory.
RUSH: Well, well, well, no sooner, ladies and gentlemen, than do I explain to you the security flaw, Apple just dropped the patch. Apple just dropped an update to Mavericks 10.9.2 now available via software update, and it’s got the SSL patch in it. So all you gotta do is go to software update, Mavericks on your Mac and upgrade to — (interruption) No, no, no. I’m not working the inside. No, of course not. I’m not working on the inside with Apple. This is just one of the strangest coincidences out there. Well, it is imminent because it’s like the seventh beta. I do beta testing. We’ve been on seven betas of this thing since December. Anyway, it dropped. The patch is there.
I’ve got Kristen here from Lexington, Kentucky, who wants to take me to task over some of this. Hi, Kristen.
CALLER: Hi. How are you?
RUSH: Good. Very good. Thank you.
CALLER: Actually, I just want to make one correction to what you are saying. I work in IT security, and I think it’s a little bit dangerous to tell people that it’s okay, that their home networks won’t be targeted in an attack like this and that they would have to see people physically who might be the attacker. Because if you go to a conference like DEFCON you’ll see antennas that are specially made to go after home networks and to broadcast them from large distances, and people do get targeted on their home networks. So I just wanted to make that clear.
RUSH: Okay, fair enough. But the odds of that —
CALLER: The odds do go down, but if you think about somebody strolling a neighborhood in a large city, they can grab quite a few wireless networks and make quite a few attacks to a small —
RUSH: That’s a good point, I have to confess that you could troll Manhattan and pick up quite a few, especially if they’re not password protected, the vulnerability would be huge. You’re absolutely right.
CALLER: Absolutely. So that was my only comment. Other than that, I enjoy your show.
RUSH: Well, I appreciate that. You know, normally — let me tell, Kristen, what happens, if I start talking, let’s say — you know, I’m a radio talk show. So I start talking about any scientific subject, the experts will call me and tell me, “You idiot! You buffoon! You don’t know what you’re talking about, shut up. You don’t know anything. You’re just giving people all kinds of…” but you didn’t do that. You said the only thing you got wrong was it’s not so much safe for small networks. Other than that you didn’t rip into me.
CALLER: No, I don’t tend to rip into people, but at the same time I don’t like people to get a false sense of security, either.
RUSH: Well, I wasn’t trying to promote a false sent of security. I was trying to avoid people panicking over this.
CALLER: Right. And I don’t disagree. Fear and doubt are not good things to spread around, but, no, I wasn’t gonna rip into you by any stretch of the imagination.
RUSH: Well, that just means I didn’t say much wrong. If I had of, you would have.
RUSH: All right. Are you gonna upgrade, go do the patch, or do you use Mac?
CALLER: I have already patched all my devices and I don’t have a Mac itself, but I have an iPad and an iPhone.
RUSH: Oh, so you did that on Friday, then? Okay.
RUSH: All right. Well, I appreciate the call, Kristen. That’s a good point. The trolls could easily drive around an average city block in Manhattan where you could run into a whole host of private networks that would extend outside the building, if they’re not password protected. That is a good point. (interruption) Satellite. The Wi-Fi that you have on an airplane when you’re flying is satellite. It’s beaming down to you, and that’s why it’s slow. Yeah, the aircraft has all the equipment. Usually some aircraft are incapable of it because the tail fin has to be wide enough at the top for a miniature satellite dish in there to get the signal, and if it’s not modified, then they can’t do it.
So all the hardware is on board the airplane. There is a network called Aircell which does beam up, and they use the cell tower network and somehow beam up, but it’s not in use by that many. Normally ocean liners and aircraft are serviced by satellite. (interruption) Well, yeah, you’d have to just double up. I don’t really know how they would go about increasing the speed on a Wi-Fi network in the air. (interruption) No. You don’t have enough bandwidth to stream video. Well, I shouldn’t say. Actually, it can be done, but I don’t think on an airliner.
Sometimes certain places I can do it. It depends on the connection. It really is weird. You ought to see the map, you ought to see the coverage map, it’s called BBML, Broad Band Multi-Link. That’s what Wi-Fi in airplanes is called, BBML, and they got their own coverage map. When you leave one satellite coverage area, go to another, you’ll lose service for a minute, maybe two, while it catches up. And if you don’t know that, you think, “Oh, my God, my Internet’s down, oh, no.” You start panicking and you get mad and you call people.
Nope. Gotta look at the satellite coverage map. It takes awhile for the system to handshake with the new satellite. And that may not be as fast a connection. So whereas you might be able to stream Netflix while you’re flying over St. Louis, by the time you get to Kansas City, you can’t, ’cause you’re on a different satellite, speaking theoretically here. It all has to do with speed and packet loss, packet drop. Now, look, enough of this. People don’t care about this. I’m off track here. Besides, they’ve issued the patch.
RUSH: Keith in Westfield, Indiana, welcome to the EIB Network. Hello.
CALLER: Hello. Nice to talk to you. Honor.
RUSH: Thank you, sir.
CALLER: I’ve been listening about what you’ve been saying about the Apple thing, and sounds to me like you know a lot. I would not call you uneducated about that. One of the things that people might like to know. Maybe you should remind your users — I appreciate you not wanting to scare people — is that they really should know how their websites flow, how they progress from screen to screen. There’s a lot of websites now, especially you mentioned Bank of America, that specifically use a multifactor authentication.
That’s where it’s actually something that’s brought back from the bank or whatever the business is that they should recognize as, like, their security image or sometimes they call it something else, like a passphrase, and that they should recognize that before they type in their password. So it will be on the password screen, and they want to make sure that, like, it’s a picture of a dog or a picture of a cat, that that’s your picture before you type in your password, ’cause the hackers can’t get that information. They can’t go to the bank and say, “Hey, what’s the security image for this particular user.
RUSH: Yeah. Right. If you see a screen that they ask you to type what you see, and it looks like elongated, stretched-out letters of the alphabet, you’re right. That’s a form of security protection. Look, the websites engage in all kinds of encryption and the way they communicate with each other, with signed certificates to prove authenticity. I mean, it is serious business, and the people that are trying to exploit that are also very serious, and it’s tough work staying ahead of ’em. People who do this are amazing. The code guys, these people that do this are just great. They have my profound, utmost respect.