This woman worked on security. When a bug was found with security, she bitches about it in such a negative way that it will attract attention. I wonder what part of security she worked on. She is a known hacker and she missed this. Or she introduced it.
Paget left Apple in February for Tesla (interesting since Apple has been talking to Tesla). iOS 7 received its NIST FIPS 140-2 validation in November while Paget was still at Apple. The interesting thing is the iOS CoreCrypto Module more than likely contains the SSL coding and the NIST test lab didn't find it. They also didn't find the error in iOS 6, which was approved a while ago. If you feel like this is an NSA conspiracy, it would make sense, since the NIST test lab (a private lab not operated by our government) could have been persuaded by the NSA to skip over this error and not report it. If you believe it was a simple error, then why didn't the test lab find it, why didn't all the government entities responsible for testing their iOS and OSX implementations find it, and why didn't Apple's security Q&A team find it? We're not just talking about Apple missing it, we're also talking about every vendor that makes use of the SSL encryption process missing it, since it's also their responsibility to test how it works within their environment. In other words, everybody missed it and everybody is at fault for not identifying it earlier.
I don't understand why I have seen Safari challenge me about self-signed certs etc. It looks from the bug that any cert could spoof any client. It is strange it was missed.
The worst part about it is it's a simple, fairly obvious typo (presumably). It shows poor software engineering practices at Apple all around: a coding style that's inconsistently applied throughout the file, poor code review, and poor software testing. And the worst part of it is that it's on a security critical piece of software which should have been third-party audited. If they can't get this right, what else is wrong?
Yes, it was a bug, but as I read it, it was only one duplicated line of code.
Yes, it was a serious bug, but to take advantage of it required someone very knowledgeable set up in a public WiFi area trying to intercept others' data.
Apple fixed the problem within a few days of it going public; amazing response by Apple.
Not waiting for patch Tuesday on patch month and not ignoring the problem as other SW developers have done.
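The "simple typo" and "one duplicated line" that the two comments above refer to are worth seeing in code, because the shape of the bug is what makes it so easy to miss in review and so easy to catch with a negative test. The following is an added illustration written for this page, not Apple's code: a simplified, constructed model of a verification routine in which a duplicated unconditional `goto fail;` skips the signature check, beside a fail-closed version. The "signature" is a toy byte sum, so only the control flow is meaningful.

```c
/* Added illustration, not Apple's code: a simplified model of the
 * "duplicated goto" bug class. Names and the toy signature are constructed. */
#include <stddef.h>
#include <stdint.h>

/* Toy "signature": sum of the message bytes, truncated to one byte.
 * Stands in for a real signature only so the control flow can be tested. */
uint8_t toy_sign(const uint8_t *msg, size_t len) {
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += msg[i];
    return sum;
}

/* Stand-in for the hash-context update steps that precede verification. */
int toy_update(int *ctx, const uint8_t *data, size_t len) {
    (void)data; (void)len;
    return *ctx == 0 ? 0 : -1;              /* 0 means success */
}

/* Vulnerable shape: the second "goto fail;" is outside the if (no braces),
 * so every call jumps to fail with err still 0 and the signature
 * comparison below is never reached. */
int verify_vulnerable(const uint8_t *msg, size_t len, uint8_t sig) {
    int err = 0;
    int ctx = 0;
    if ((err = toy_update(&ctx, msg, len)) != 0)
        goto fail;
        goto fail;                          /* the duplicated line */
    if (toy_sign(msg, len) != sig)
        err = -1;                           /* unreachable */
fail:
    return err;                             /* 0 == accepted */
}

/* Hardened shape: braces on every conditional, and err starts as failure
 * so that only an explicit successful comparison can yield acceptance. */
int verify_fixed(const uint8_t *msg, size_t len, uint8_t sig) {
    int err = -1;                           /* fail closed */
    int ctx = 0;
    if (toy_update(&ctx, msg, len) != 0) {
        goto fail;
    }
    if (toy_sign(msg, len) == sig) {
        err = 0;
    }
fail:
    return err;
}
```

A single negative test (a message with a deliberately wrong signature must be rejected) distinguishes the two functions, which is the kind of check a review or test suite for verification code should always include.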
Several of my friends using an iPhone had their email compromised in the last 6 months. I'm paranoid and had to set up some fake emails to use on my iPhone to avoid my real emails getting hacked. What a pain. Maybe a smartphone is not for me, or I'm just too paranoid...
What makes you think your email was compromised on or because of the iPhone?
I suggest you look into your email provider.
BTW all Gmail is compromised by Google; they don't respect anyone's privacy.
Interesting points. An inside job to create and pass over this bug is certainly a possibility.
BTW anyone going from very profitable Apple to welfare company Tesla must have had a grudge against Apple.
Comments
Also via Forbes, Kristin Paget (ex-Apple security) is not happy.
Except on the Mac