I work for a CA. All our security breaches have appeared on the front page of the national press so Apple is getting off lightly in comparison. But even though our record is vastly better than any of the vendors it is fashionable to blather about the CA security model being a failure etc. etc.
The interface between the cryptography and the real world is the place where the security issues are hardest. But we have controlled those problems to the point they have almost vanished while it seems nobody can write correct code.
Actually the versions of Windows since XP are all pretty solid. Apple solved their security problems with the jump to OSX and implementing mandatory access controls on the critical system functions. When Microsoft tried to do that on Windows, lazy sysadmins tried to avoid the upgrade and clung to Windows XP despite the known security issues.
Most of the machines running XP today were bought after it was replaced by Vista. And most of them are in businesses.
Not just Apple. Why did we rely on Apple to do all the checks?
When I talked to Apple about it I thought it was just an issue with Apple Mail because that's the only app that I was looking at and it was an error I expected to find. I never thought to check Safari because it never crossed my mind that it might be a general error. And I wasn't at all surprised when I could dump out the SSL traffic with a proxy because it wasn't the first mail client I had looked at.
The error would have been caught by Visual Studio though. Their compiler detects unreachable code and gives a warning. But GCC stopped doing that recently, allegedly because the optimizer causes different results on different platforms but I can't see why the platform dependent optimizer would be involved.
The issue isn't just C or which language - the issue is that there is evidently no testing of the library code. I'd expect a testing suite run against the SSL code, e.g. present a valid certificate, check it works - present an invalid certificate and check it fails, etc. Maybe it's easier to make that kind of error when you write in C, but the real issue is having apparently no mechanism to detect critical errors.
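The kind of accept/reject suite the comment above asks for, as an added example that is not part of the original thread and is not Apple's code. The struct, the helper functions and the sample inputs are all constructed for illustration; only the duplicated-goto shape comes from the discussion.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a handshake: signed parameters plus a signature. */
typedef struct { const char *params; const char *sig; } handshake_t;
typedef int (*verify_fn)(const handshake_t *);

/* Hypothetical helpers: 0 means success, non-zero means error. */
static int hash_update(const char *data) { return data ? 0 : -1; }
static int sig_check(const handshake_t *h) { return strcmp(h->sig, "good-sig") ? -1 : 0; }

/* Flawed shape: the duplicated line is not governed by the if, so it always
 * jumps to fail with err == 0 and sig_check() becomes unreachable. */
int verify_flawed(const handshake_t *h) {
    int err;
    if ((err = hash_update(h->params)) != 0)
        goto fail;
        goto fail;
    if ((err = sig_check(h)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected shape: braces on every branch, no stray jump. */
int verify_fixed(const handshake_t *h) {
    int err;
    if ((err = hash_update(h->params)) != 0) { return err; }
    if ((err = sig_check(h)) != 0) { return err; }
    return 0;
}

/* Suite: returns how many expectations the verifier under test violates. */
int run_suite(verify_fn verify) {
    const handshake_t valid = { "params", "good-sig" };
    const handshake_t forged = { "params", "forged-sig" };
    const handshake_t no_params = { NULL, "good-sig" };
    int failures = 0;
    if (verify(&valid) != 0) failures++;      /* valid input must be accepted */
    if (verify(&forged) == 0) failures++;     /* bad signature must be rejected */
    if (verify(&no_params) == 0) failures++;  /* hashing error must be rejected */
    return failures;
}

int main(void) {
    printf("flawed: %d failing case(s)\n", run_suite(verify_flawed));
    printf("fixed:  %d failing case(s)\n", run_suite(verify_fixed));
    return 0;
}
```

The positive case alone passes against both versions; only the forged-signature case separates them, which is why the suite needs rejection tests as well as acceptance tests.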
Absolutely. And it's not just Apple at fault here.
Why was nobody else doing this testing for such a critical component? When I worked in process control I had to check out the PID controllers before they went on plant. We didn't trust the manufacturers' claims.
What it certainly wasn't is a deliberately induced bug. Apple made the code open source. Which is a good practice. But still, nobody was checking it seems.
Actually the versions of Windows since XP are all pretty solid
Perhaps for you if you are hardening it with good security practices, but certainly not for many average users. I think a lot of Windows users are getting a false sense of security because the mass media doesn't report on major security issues on Windows like they used to. People are numb to it at this point and the media doesn't get enough profitable traffic from the coverage.
On the other hand, when a major Apple security flaw is discovered that's barely propagating worth a shit and exploited against only a small percentage of Mac users, the mainstream news will tend to cover it fairly extensively because it's novel.
There's also a lot of false equivalency at play. For example, the media will run stories on RATs and ignore the fact that it's much more difficult to enslave Mac users than Windows users, etc. and disproportionately focus on instances where Macs are compromised.
Personally, I appreciate it overall since the disproportionate media coverage helps to make Macs safer by bringing attention to flaws.
I agree with you that Mac OS X made Apple much more secure. Before OS X, there were viruses and trojans propagating fairly well in OS 9, etc.
I am not going to ascribe this to the laziness of a single person, nor an institutional failure. This is right in line with secret TELCO rooms and dragnet collection of "metadata".
Do you think it could really, possibly be accidental?
Duplicating a line of code accidentally in an IDE is pretty easy as there are keyboard shortcuts that do this, but checking it in without realizing it, not having the build fail, and having no one else code review is a process failure.
I generally would never apply malice to an action when pure incompetence will do.
I wouldn't say that, heh. There's plenty of exploits that get discovered in Windows, Mac and Linux that go unreported for various reasons (and are only known/shared by a select few).
It's sometimes for nefarious, criminal reasons, but also as a tool for hacktivists as well. The government via quasi-governmental entities gets into the public's computers via "undocumented" exploits and hacktivists do the same in kind to the government.
If you lurk among the darker tunnels and especially if you can hack into criminal hackers' communications (along with those quasi-governmental entities, etc.), there's plenty of zero day exploits to pluck. Not to mention all the patched flaws that apathetic users haven't bothered to apply to their systems that are dire holes, but don't get nearly enough media attention.
There's even advantages to using older operating systems if one knows its weaknesses and mitigates them. For example, there's a reason I only use 10.9.x for testing and even though I use a Mac for regular Internet usage, I was unaffected by this current "unknown" bug.
I generally would never apply malice to an action when pure incompetence will do.
The NSA thanks you for your understanding
Agreed. Apple is known for a lot of things, but "pure incompetence" isn't one of them. That said, I wouldn't be surprised if this was just ineptitude on the part of a few sleep-deprived employees who are increasingly stretched thin by a mega-corp with its fingers in too many pies.
In what way? To me that would require an insider to come forward and show plans that this was an intentional flaw. That's basically what Snowden bravely exposed with the NSA, but I don't see that here (yet).
Don't get me wrong, I think you may be correct that someone, somewhere looked the other way for the NSA.
I mean, I don't know how many times people have told me that the Apple iSight camera's green light is "hardwired" and can't be defeated. People kept saying this as fact, but I kept questioning the statements because no one was providing hard evidence.
Welp, later I found out that I can disable the green light on the Apple iSight camera by attacking its chip. Therefore, I can spy on someone via their Apple Mac's video cam without the green light coming on. Something many "experts" told me and everyone else was impossible.
So, conventional wisdom can certainly be very, very wrong… That's for sure.
That is one way of looking at it, sure. I have personal suspicions that some of the larger exploits which allowed for easier spying at several other companies were not at all accidental. So, when the news is something like this, which appears to be a massive oversight and entirely atypical behavior from a company that prides itself on being the opposite, my hackles raise a bit. I am sure the PR people are surprised by it; I do wonder if the entire team which designed the protocol is surprised.
As overcomplicated as it sounds, it just seems to me to be a more obvious explanation than Apple making such a massive mistake accidentally, especially in light of Snowden. It is certainly plausible, and more plausible with every revelation. In the same way you like to go back and quote times when you were right, maybe some day I will get to do that on this issue?
The stray goto is too primitive to be an NSA job. The NSA hack is on Apple's version of llvm, and it is designed to re-insert the extra goto into the binary when Apple patch the source code…
It is too obvious to be NSA. The NSA does not go round doing stuff that is certain to be caught.
Nobody was checking at Apple.
As for there being bugs nobody tells about. My personal policy is not full disclosure. I tell the vendor and if they don't fix it then I go up their chain which in my case reaches high enough to get something fixed. But I don't do bug hunting as a habit, I just tell folk about the bugs I happen to find.
I agree, it's likely an Apple screw up… but, then again, it sure was helpful while it lasted and there's plenty of plausible deniability for the NSA as well.
I mean, surely there's no NSA, CIA or quasi-governmental moles that work at tech companies. That'd be preposterous.
The NSA does not go round doing stuff that is certain to be caught.
That's highly debatable, especially when you consider plausible deniability.
Nobody was checking at Apple
A bit strange, that is. But, it appears to be true.
But I don't do bug hunting as a habit, I just tell folk about the bugs I happen to find.
Sure, that's the life of a white hat. The grey hat hacktivists, black hat criminals and overzealous governmental/quasi-governmental entities are another story.
… This sort of subtle bug deep in the code is a nightmare," wrote Google's security expert Adam Langley on his blog. "I believe that it's just a mistake, and I feel very bad for whomever might have slipped in an editor and created it.
… But others wondered whether the code was a deliberate attempt to create a backdoor for government spy agencies. They pointed to the fact that some researchers have discovered that the bug first appeared in a version of iOS 6 at about the same time that slides released by Edward Snowden indicate that the National Security Agency claimed it had established a backdoor into some products by Apple. "It's purely circumstantial," wrote noted Apple follower John Gruber who writes the Daring Fireball blog. "But the shoe fits."
… the security concern is a rare one for Apple. For years, the Mac operating system gained a reputation for having superior security to Microsoft's Windows operating system… Indeed, several critics said the concerns over the Gotofail bug were overblown. And they noted that cybersecurity experts have routinely detected far more security holes in Google's Android operating system.