Major Apple security flaw could allow hackers to pwn iOS devices, computers

I almost agree, but:

if (myCondition) doSomething(); // good
if (myCondition) {
   doSomething();
} // good enough
if (myCondition)
   doSomething(); // bad
   doSomething(); // whoops

And this slips into the security code for a major OS for a year? My bet is on the NSA, I just wouldn’t bet too much. Still, this is in line with their $250 million a year program to covertly influence companies to sabotage software…

This image summarizes that bug and the $250 million dollar a year program:

  1. Extremely critical crypto flaw in iOS may also affect fully patched Macs | Ars Technica
  2. Revealed: how US and UK spy agencies defeat internet privacy and security | The NSA files | The Guardian

Ah, but your example has comments in it! Whereas the buggy apple code has no comments whatsoever.

Every security bug looks stupid when it is found. In fact all bugs do.

And that $250 million program might well be a straight COMSEC program that some idiot colonel is describing as a SIGINT program because they really really wanna make general.

The real damage done by the NSA here is that everyone is chasing ghosts. They have diminished public trust and sabotaged an industry that is recognized as critical to national security.

It doesn’t much help sitting round complaining either. When I suggested that the NSA be shut down, everyone fired and its machines set to mining BitCoin to repay the damage they have done to society, it was to end a round of one-upmanship in NSA bashing. Sure it’s fun, but it doesn’t get anything done.

I love how the patch conveniently requires me to upgrade my phone OS from 6 to 7. Some of us don’t like 7! We think it’s ugly and a little too My Little Brony. I guess I’ll have to take the risk that some criminal isn’t that interested in my BoingBoing account.

I’m amused that everyone thinks Apple is so infallible. Sure, the NSA could be doing this, but Apple doesn’t have the best track record at security or bothering to patch those holes. I mean who releases a security fix for iOS and then there’s no emergency patch for OSX? It’s a fucking one liner.

Also, remember this gem? A debug flag left passwords in plain text in log files, and they couldn’t be bothered to fix it until 3 months later when it was discussed on a crypto mailing list.

Gross incompetence or malice? I would need to see a bit more circumstantial evidence for the latter. What does git blame say? For example, someone hacking into a CVS server to slip in two lines of code is definitely a backdoor attempt. This? This could just be an idiot.

Anyway, the hacker news discussion on this is also amusing, if only for the fact that people think OpenSSL is written by monkeys and that there have been similar OpenSSL fiascos in Debian.

1 Like

Or, a very smart person who accidentally cut and pasted a line of code twice and didn’t notice it. Even the most brilliant minds occasionally have a brainfart.

True, but the NSA actually has a 250 million dollar program to produce exactly this kind of result. Until they get rid of said program, they deserve to be excoriated every time there’s a serious security bug.

Um, no you didn’t. There’s no OSX update yet.

Man, I think the difference is that people - even non-tech people - have come to understand that there is malware and viruses out there, and Apple has made a specific point of marketing themselves as a secure option which doesn’t need any (or at most, minimal) management. Also the penetration of Apple devices means that some very powerful people with very secret secrets use iPhones, and if they had known that everything wasn’t as secure as they’d been told then they might have taken better precautions with how they used the phone.

The second point about M$ is IMO not relevant to versions 7 onwards. If you have auto updates activated for vital security updates (which it nags you to on install) then you’ve got very little chance of having any real problems. If you’re running something like avast! for active virus and web exploit protection then even the darkest, malwariest recesses of the internet have little chance of successfully mounting an attack on your machine.

iOS 6.1.6

The code at fault compiles without warning when using the -Wall switch, but throws warnings when using a more specific warning-enable switch that also throws many warnings that are unhelpful.

The problem wasn’t caused by using C; the problem was caused by:

  • not using braces;

  • not using proper indent;

  • not conducting proper code review.

The last is the most important. Someone, somewhere, signed off on this, and if it was a single person, then that person needs to be augmented by a code review team.

You should install iOS 6.1.6.

The fix doesn’t just protect your BoingBoing account; pretty much anything done on the device that uses SSL/TLS (HTTPS etc) is vulnerable.

The existence of this bug was masked by the existence of yet-another bug in curl, the utility that handles URLs, that fails to validate the hostname in SSL certificates in certain situations.

If that bug had been patched earlier, the behaviour that was observed earlier would have been investigated further, rather than attributed to the curl bug.

Apple had a reputation in the early 2000s of having a turnaround on squashing reported bugs measured in days.

This incident will hopefully be an impetus to change the culture in Apple for the better.

I’m still waiting for Mac OSX 10.9.1 to be updated. I suppose that owners of iOS devices are somewhat more willing to connect to strange networks, but macbooks run MacOSX too…

I use tools that look for code smells. In particular:

  • Braces are always required.
  • No use of goto except in the exception handling macros.

So while I would use a goto, I would have it in an ASSERT macro.

So I don’t really use C, I use a language of my own that happens to be implemented using a pile of macros.

1 Like
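As an added illustration (not code from the thread, and not Apple’s code), here is the pasted-twice “goto fail” pattern the thread describes, beside the two defences proposed above: braces always required, and goto confined to a macro. The step functions are constructed stand-ins for a chain of verification steps.

```c
/* Constructed stand-in for a chain of verification steps: each returns 0 on
 * success; the caller jumps to a cleanup label on the first failure. */
typedef int (*step_fn)(void);

int step_ok(void)  { return 0; }   /* constructed: step succeeds */
int step_bad(void) { return -1; }  /* constructed: step fails   */

/* Brace-less style with one line pasted twice. The indent suggests the second
 * "goto fail" belongs to the if, but it is unconditional: final_check() is never
 * reached and err is still 0 from hash_update(). clang's -Wunreachable-code
 * reports the dead code that follows; -Wall alone does not. */
int verify_duplicated_goto(step_fn hash_update, step_fn final_check)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;   /* the duplicated line: always taken */
    if ((err = final_check()) != 0)
        goto fail;
fail:
    return err;
}

/* Same logic with braces always required: a pasted duplicate now lands inside
 * the braces, where it is harmless, and control flow matches the indentation. */
int verify_braced(step_fn hash_update, step_fn final_check)
{
    int err;
    if ((err = hash_update()) != 0) {
        goto fail;
    }
    if ((err = final_check()) != 0) {
        goto fail;
    }
fail:
    return err;
}

/* goto only inside a macro: there is no bare "goto fail;" line to paste twice. */
#define CHECK(expr) do { if ((err = (expr)) != 0) goto fail; } while (0)

int verify_with_macro(step_fn hash_update, step_fn final_check)
{
    int err = 0;
    CHECK(hash_update());
    CHECK(final_check());
fail:
    return err;
}
```

The buggy variant returns 0 even when the final check fails; the two hardened variants return the check’s error code.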

Apple has made a specific point of marketing themselves as a secure option which doesn’t need any (or at most, minimal) management.

That’s been true for the most part. Many security experts have tested Mac OS X out of the box and saw the advantages compared to Windows which is vastly less secure out of the box.

Microsoft has also marketed itself as a secure choice, which is an absolute joke. My point is that Mac users don’t go around saying that their Apple devices are impervious to all security threats. Meanwhile, I see plenty of Windows users talk out of their ass and claim most Apple users do this.

Case in point, straight from within this very thread right here:
“…I’m amused that everyone thinks Apple is so infallible.”

If someone is dull enough in the head to mistake the marketing of a company with the thoughts and feelings of real people, then I pity them.

Also the penetration of Apple devices means that some very powerful people with very secret secrets use iphones and if they had known that everything wasn’t as secure as they’d been told

You can say that about Android, Microsoft, etc. as well.

If you’re running something like avast! for active virus and web exploit protection then even the darkest, malwariest recesses of the internet have little chance of successfully mounting an attack on your machine.

That’s incredibly untrue. I assume (and hope) you’re not an IT security professional? Zero-day attacks flow through anti-malware apps such as Avast like butter. Many people are compromised and don’t even know it.

I suggest you go check your bank account for small micro-payments ASAP. Hahaha… Gawd…

I’m amused that everyone thinks Apple is so infallible.

Who are these mythical beasts? I sure haven’t met them.

I mean who releases a security fix for iOS and then there’s no emergency patch for OSX?

Microsoft has been guilty of this as well. Actually, every company that makes software has been guilty of delayed security patches even for dire exploits. I’m not sure why you’re pinning that all on Apple alone.

Also, remember this gem?

Yes, I do. Remember this one? or this one… or this one… or this one… or this one… or this one… or all these gems? (This was all just a very tiny sampling)

This doesn’t excuse Apple from being sloppy, but please don’t pretend they are the only company guilty of this. Microsoft has a horrible track record unless one only focuses on mainstream media outlets that kowtow to them.

This is the correct URL to test: https://www.imperialviolet.org:1266

Safari 5.1.10 with Mac OS X 10.6.8:

:dancer:

With Safari 6.0.5 with Mac OS X 10.8.4

:dancers: yay

Sorry: I updated my iPhone. I don’t have an OSX machine.

1 Like

Um, at what point was I defending Microsoft @Cowicide? I never once mentioned Microsoft or any other company in this thread.

Yes, Microsoft is shit at security, but this particular bug is on Apple and I’m pissed because my laptop remains unpatched.

My point, if you missed it, was that programmers can and do make stupid mistakes. (Which is why we have tests, continuous builds, code review, static analysis and whole bunch of other tools and process to catch the worst of it.) You shouldn’t always jump to the conclusion that it was the NSA, until there’s a bit more evidence, because Occam’s razor says we’re perfectly capable of breaking it ourselves.