How Apple dodged the Heartbleed bullet

  • Reply 21 of 68
    Quote:
    Originally Posted by Nobodyy View Post
    http://www.quora.com/Whose-fault-is-the-Heartbleed-bug
    I think the answers here, and specifically the first, generally reflect my feelings about this.

    "You could blame the author, but he did this work for free, for the community, and with the best of intentions."

    Well, the road to hell is paved with good intentions.

    I believe open source to be the correct way of developing and distributing software. But I do not believe in working for free. And I do not accept apologetic nonsense such as something being done "for free". That's exactly where the GPL bullshit becomes intense.

    The Free Software Foundation pays salaries to a lot of people, including Linus Torvalds. Why are they incapable of funding projects of such significance and importance? Torvalds drives a Mercedes, while those guys work for free. It seems to me that the FSF brings social inequality to a whole new level: a select few take the money, the rest work for free. In the past even slaves were fed by their masters, you know ...

  • Reply 22 of 68
    gatorguy (Posts: 20,038, member)
    solipsismx wrote: »
    My bad. I thought you were quoting those two lines from their two-paragraph statement about open source because it said "Open Source […] makes Mac OS X a more […] secure operating system" and that it's easier to fix.

    Gotcha, and no prob. I posted that to SuddenlyNewton to note that Apple too considers open-source solutions to generally be secure for the stated reasons. Then something like Heartbleed pops up to call those supposed security advantages into question.
  • Reply 23 of 68
    mstone (Posts: 11,510, member)

    Does anyone know if Apple is using OS X as their primary ecommerce solution? They were using WebObjects at one point, but I don't see many references to that platform anymore. I wonder if they are using some other flavor of UNIX which does use OpenSSL, but they were either using the older version which was not vulnerable or they were quick to patch the new one. In their data centers I really doubt they are running OS X, but that's just speculation on my part. OS X may be safe, but are Apple's servers actually running OS X?

  • Reply 24 of 68
    jexus (Posts: 373, member)
    Quote:
    Originally Posted by capasicum View Post
    The Free Software Foundation pays salaries to a lot of people, including Linus Torvalds. Why are they incapable of funding projects of such significance and importance?

    Because OpenSSL is NOT "Free" (as in Freedom) Software. It is merely Open Source, which is not the same as Free Software. Stallman and the FSF have made it clear that the two are different (in their opinion). Here and Here.

    OpenSSL is dual licensed under an Apache and 4-clause BSD license. You want "Free" transport layer security? Here is GnuTLS.

    Personally I think it's silly of them, but that is their official stance.

  • Reply 25 of 68
    d4njvrzf (Posts: 797, member)
    Quote:
    Originally Posted by Gatorguy View Post
    One of the primary reasons Apple gives for using open-source solutions is "Open Source methodology makes Mac OS X a more robust, secure operating system, as its core components have been subjected to the crucible of peer review for decades. Any problems found with this software can be immediately identified and fixed by Apple and the Open Source community."

    Pretty shocking when a big ol' rock like this pops out of the ground after two years.

    Why does this bug make that quote "shocking"? Even if it's not always true in practice, open source code certainly has the potential to be more secure than closed-source code. Actually what's probably more accurate is: *well-funded* open source projects (e.g. not OpenSSL) have the potential to be more secure than closed-source projects.

    Security isn't just about how many bugs there are in a codebase; it's also about how quickly a project responds to the discovery of bugs. The main effect of the source code being publicly available is to enable researchers to pin down the precise lines of code responsible for bugs and therefore speed up the patching process. In the case of Heartbleed, the security researchers not only reported the problem to OpenSSL but also contributed the patches (http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902), which were rolled out the same day the flaw was disclosed to the public.
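
The handler logic that the commit linked above fixes, as an added example written for this page rather than taken from OpenSSL: heartbeat_vulnerable condenses the 1.0.1 to 1.0.1f shape of tls1_process_heartbeat, heartbeat_fixed adds the two length checks from the 1.0.1g patch, and both run against a constructed buffer that stands in for process memory, with a made-up secret placed just past the incoming record. The function and constant names, the 64-byte claimed length and the SECRET string are all assumptions of this demo, not anything from OpenSSL's source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
enum { HB_DROPPED = 0, HB_ANSWERED = 1 };

/* Record layout: type(1) | payload_length(2, big-endian) | payload | padding(16).
 * claimed_len goes in the header but only actual_len payload bytes are written:
 * an honest peer passes the same value twice, an attacker inflates claimed_len. */
static size_t build_heartbeat(uint8_t *buf, uint16_t claimed_len,
                              const uint8_t *payload, size_t actual_len)
{
    buf[0] = TLS1_HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0xAA, HB_PADDING);
    return 3 + actual_len + HB_PADDING;           /* bytes actually received */
}

/* Shared by both handlers: echo `payload` bytes starting at pl. */
static size_t write_response(uint8_t *out, const uint8_t *pl, unsigned payload)
{
    uint8_t *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, pl, payload);       /* copies as many bytes as the peer claimed */
    bp += payload;
    memset(bp, 0, HB_PADDING);     /* OpenSSL fills the padding with random bytes */
    return (size_t)(bp - out) + HB_PADDING;
}

/* Vulnerable shape (OpenSSL 1.0.1 through 1.0.1f): `payload` is taken from the
 * header and never compared with rec_len, the number of bytes actually received. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t *out_len)
{
    (void)rec_len;                                /* never consulted: the bug */
    unsigned payload = (unsigned)(rec[1] << 8) | rec[2];
    if (rec[0] != TLS1_HB_REQUEST)
        return HB_DROPPED;
    *out_len = write_response(out, rec + 3, payload);
    return HB_ANSWERED;
}

/* Fixed shape, following the 1.0.1g patch: drop a record too short to hold a
 * header plus padding, and drop one whose claimed payload would run past the
 * bytes received. RFC 6520 says such records are discarded silently. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return HB_DROPPED;
    unsigned payload = (unsigned)(rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return HB_DROPPED;
    if (rec[0] != TLS1_HB_REQUEST)
        return HB_DROPPED;
    *out_len = write_response(out, rec + 3, payload);
    return HB_ANSWERED;
}

/* Constructed stand-in for adjacent heap data sitting right after the record. */
static const char SECRET[] = "session-cookie=deadbeef";

static int contains_secret(const uint8_t *buf, size_t len)
{
    size_t n = strlen(SECRET);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, SECRET, n) == 0)
            return 1;
    return 0;
}

/* Malicious request (4 real payload bytes, 64 claimed): 1 if the secret leaked. */
static int leaks_with(int (*handler)(const uint8_t *, size_t, uint8_t *, size_t *))
{
    uint8_t mem[256] = {0}, out[256] = {0};
    size_t out_len = 0;
    size_t rec_len = build_heartbeat(mem, 64, (const uint8_t *)"ping", 4);
    memcpy(mem + rec_len, SECRET, sizeof SECRET); /* lands right after the record */
    if (handler(mem, rec_len, out, &out_len) == HB_DROPPED)
        return 0;
    return contains_secret(out, out_len);
}

/* The fix must still answer a well-formed request, or it is not a fix. */
static int fixed_echoes_honest_request(void)
{
    uint8_t mem[256] = {0}, out[256] = {0};
    size_t out_len = 0;
    size_t rec_len = build_heartbeat(mem, 4, (const uint8_t *)"ping", 4);
    if (heartbeat_fixed(mem, rec_len, out, &out_len) != HB_ANSWERED)
        return 0;
    return out_len == 3 + 4 + HB_PADDING && memcmp(out + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable leaks=%d fixed leaks=%d fixed echoes=%d\n",
           leaks_with(heartbeat_vulnerable), leaks_with(heartbeat_fixed),
           fixed_echoes_honest_request());
    return 0;
}
```

The vulnerable handler answers the 4-byte request with 83 bytes, and the copy runs past the record into whatever followed it; the fixed handler discards the same request and still echoes an honest one. Nothing in the wire format prevents the over-read: the whole defence is the comparison between the claimed length and the number of bytes the record layer actually delivered.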

  • Reply 26 of 68
    gatorguy (Posts: 20,038, member)
    d4njvrzf wrote: »
    Why does this bug make that quote "shocking"? Even if it's not always true in practice, open source code certainly has the potential to be more secure than closed-source code. Actually what's probably more accurate is: *well-funded* open source projects (e.g. not OpenSSL) have the potential to be more secure than closed-source projects.

    Security isn't just about how many bugs there are in a codebase; it's also about how quickly a project responds to the discovery of bugs. The main effect of the source code being publicly available is to enable researchers to pin down the precise lines of code responsible for bugs and therefore speed up the patching process. In the case of Heartbleed, the security researchers not only reported the problem to OpenSSL but also contributed the patches (http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902), which were rolled out the same day the flaw was disclosed to the public.

    Thanks for the input. I'll rephrase then... I was shocked to find out SSL wasn't actually secure.
  • Reply 27 of 68
    solipsismx (Posts: 19,566, member)
    gatorguy wrote: »
    Thanks for the input. I'll rephrase then... I was shocked to find out SSL wasn't actually secure.

    According to a recent thread on AI the solution is do absolutely nothing to protect your valuables because no security is guaranteed.
  • Reply 28 of 68
    mstone (Posts: 11,510, member)
    Quote:
    Originally Posted by SolipsismX View Post
    According to a recent thread on AI the solution is do absolutely nothing to protect your valuables because no security is guaranteed.

    I can only comment on our experience with upgrading our SSL servers, but the Windows 2012 upgrades have been very problematic. We were scoring "F" on all of our Server 2003 servers in terms of SSL security, even though none were vulnerable to Heartbleed. Windows 2012 R2 is just a mess, but I guess it is secure. More reports to follow.

  • Reply 29 of 68
    I am curious as to why FileMaker, which is within the very blood of Apple, was on open sale and still is, and was hit too, rather nastily, by this. Patched up quickly, of course, but nevertheless in the same boat with everyone outside Apple. Strange...
  • Reply 30 of 68
    ascii (Posts: 5,941, member)

    The other thing about open source that a lot of people don't realise is that it's mostly developed by companies anyway, not some Utopian ideal of the citizenry spontaneously developing their own solutions. Look at the Linux commits, 75% from companies.  http://apcmag.com/linux-now-75-corporate.htm

    Surprise, surprise most people want to get paid when they work.

  • Reply 31 of 68
    haggar (Posts: 1,568, member)
    Quote:
    Originally Posted by Gatorguy View Post
    One of the primary reasons Apple gives for using open-source solutions is "Open Source methodology makes Mac OS X a more robust, secure operating system, as its core components have been subjected to the crucible of peer review for decades. Any problems found with this software can be immediately identified and fixed by Apple and the Open Source community."

    Pretty shocking when a big ol' rock like this pops out of the ground after two years.

    Apple touts open source when it is convenient for them.

  • Reply 32 of 68
    solipsismx (Posts: 19,566, member)
    haggar wrote: »
    Apple touts open source when it is convenient for them.

    As opposed to when it's inconvenient for them? Do you really expect any company to say, "We use open source code when we think it will make our products worse"? :no:
  • Reply 33 of 68
    Quote:
    Originally Posted by Jexus View Post
    Because OpenSSL is NOT "Free" (as in Freedom) Software. It is merely Open Source, which is not the same as Free Software. Stallman and the FSF have made it clear that the two are different (in their opinion). Here and Here.

    OpenSSL is dual licensed under an Apache and 4-clause BSD license. You want "Free" transport layer security? Here is GnuTLS.

    Personally I think it's silly of them, but that is their official stance.

    My bad for not checking the OpenSSL license. Thanks for fixing that up for me. Now my post looks a bit idiotic. Nevertheless, there are enough examples of idiocy on the part of the FSF, such as the GCC monolithic structure.

  • Reply 34 of 68
    Actually, IMO, Apple's deprecation of OpenSSL means that Apple users face far *more* risk from Heartbleed than users of other operating systems. Although the version of OpenSSL that Apple shipped wasn't affected (because it is ancient), the official recommendation was that if developers required OpenSSL, they should link in their own copy as part of their app. This means:

    1. All those apps are now affected because they didn't use Apple's old version.
    2. Every app with its own OpenSSL library must be updated individually, unlike a system-installed library.

    I don't know how many apps we're talking about here, but I doubt it's zero.
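
A check for point 2 above, added here as example code (neither Apple's nor OpenSSL's): given the version banner that `strings libssl.dylib | grep 'OpenSSL 1'` pulls out of an app-bundled library, classify it against the Heartbleed range (1.0.1 through 1.0.1f, and 1.0.2-beta1). find_banner scans a byte buffer the way strings would; the fake_dylib bytes and the helper names are constructed for this demo and are not a real Mach-O image.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hb_status { HB_UNKNOWN = -1, HB_NOT_AFFECTED = 0, HB_AFFECTED = 1 };

/* Pull "major.minor.fix[letter][-suffix]" out of a banner such as
 * "OpenSSL 1.0.1e 11 Feb 2013". letter is '\0' and suffix "" when absent. */
static int parse_banner(const char *banner, int *major, int *minor, int *fix,
                        char *letter, char *suffix, size_t suffix_len)
{
    const char *p = strstr(banner, "OpenSSL ");
    int n = 0;
    if (!p) return -1;
    p += 8;
    if (sscanf(p, "%d.%d.%d%n", major, minor, fix, &n) != 3) return -1;
    p += n;
    *letter = '\0';
    if (isalpha((unsigned char)*p)) *letter = *p++;
    suffix[0] = '\0';
    if (*p == '-') {
        size_t i = 0;
        for (p++; *p && !isspace((unsigned char)*p) && i + 1 < suffix_len; p++)
            suffix[i++] = *p;
        suffix[i] = '\0';
    }
    return 0;
}

/* Affected range for CVE-2014-0160: 1.0.1 up to and including 1.0.1f, plus the
 * 1.0.2-beta1 pre-release. 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and
 * 1.0.0 never implemented the heartbeat extension at all. */
static enum hb_status heartbleed_status(const char *banner)
{
    int major, minor, fix;
    char letter, suffix[16];
    if (parse_banner(banner, &major, &minor, &fix, &letter, suffix, sizeof suffix))
        return HB_UNKNOWN;
    if (major != 1 || minor != 0)
        return HB_NOT_AFFECTED;
    if (fix == 1)
        return (letter == '\0' || letter <= 'f') ? HB_AFFECTED : HB_NOT_AFFECTED;
    if (fix == 2)
        return strcmp(suffix, "beta1") == 0 ? HB_AFFECTED : HB_NOT_AFFECTED;
    return HB_NOT_AFFECTED;
}

/* Find the version banner inside a binary image, as `strings | grep` would.
 * Copies up to out_len-1 bytes of it into out; returns 0 if none is present. */
static int find_banner(const uint8_t *blob, size_t len, char *out, size_t out_len)
{
    static const char key[] = "OpenSSL ";
    size_t klen = sizeof key - 1;
    for (size_t i = 0; i + klen < len; i++) {
        if (memcmp(blob + i, key, klen) != 0 || !isdigit(blob[i + klen]))
            continue;
        size_t j = 0;
        while (i + j < len && blob[i + j] && blob[i + j] != '\n' && j + 1 < out_len) {
            out[j] = (char)blob[i + j];
            j++;
        }
        out[j] = '\0';
        return 1;
    }
    return 0;
}

/* Constructed stand-in for an app-bundled libssl: junk bytes around an
 * embedded OPENSSL_VERSION_TEXT string. Returns the classification. */
static enum hb_status classify_bundled_copy(void)
{
    static const uint8_t fake_dylib[] =
        "\xcf\xfa\xed\xfe\x07\x00\x00\x01__TEXT\0__cstring\0"
        "OpenSSL 1.0.1e 11 Feb 2013\0SSLv3 part of OpenSSL\0";
    char banner[64];
    if (!find_banner(fake_dylib, sizeof fake_dylib, banner, sizeof banner))
        return HB_UNKNOWN;
    return heartbleed_status(banner);
}

int main(void)
{
    const char *samples[] = { "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                              "OpenSSL 1.0.2-beta1", "OpenSSL 0.9.8y 5 Feb 2013" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %d\n", samples[i], heartbleed_status(samples[i]));
    printf("bundled copy -> %d\n", classify_bundled_copy());
    return 0;
}
```

The banner is a hint, not proof. A copy built with -DOPENSSL_NO_HEARTBEATS reports an affected version string while containing no heartbeat code, and a vendor who backported the fix without changing the letter does too. The only definitive check is a real heartbeat request against the running process, which is also the only one that sees a library loaded from somewhere other than the app bundle.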
  • Reply 35 of 68
    d4njvrzf (Posts: 797, member)
    Quote:
    Originally Posted by capasicum View Post
    My bad for not checking the OpenSSL license. Thanks for fixing that up for me. Now my post looks a bit idiotic. Nevertheless, there are enough examples of idiocy on the part of FSF such as the GCC monolithic structure.

    While LLVM/Clang is a better-designed compiler, it's also quite a bit newer than GCC. It's easier to rewrite something from scratch when you have hindsight, and when you don't have the responsibility of supporting other projects. For instance, the Linux kernel relies on GCC-specific extensions to C and can only be compiled using GCC (see http://www.ibm.com/developerworks/linux/library/l-gcc-hacks/). At any rate, GCC's "monolithic structure" hasn't seemed to hinder its portability (http://en.wikipedia.org/wiki/GNU_Compiler_Collection#Architectures).

  • Reply 36 of 68
    knowitall (Posts: 1,182, member)
    nobodyy wrote: »
    This is entirely false.
    No, "The latter being as simple as just trying a bad cert in Safari. See if that worked." is just a fact.
    Three other major mistakes were made: if you use a label named 'gotofail' it is assumed that this means certain failure, which wasn't the case and is very misleading; using curly brackets is essential in C and they weren't used; and the compiler didn't report "unreachable code", so the build environment wasn't configured properly.
  • Reply 37 of 68
    It's very good that Apple has its own thinking.
    Besides Apple, I'm using a password manager, Sticky Password, and I have my passwords on my computer. Not in the cloud.
  • Reply 40 of 68
    nobodyy (Posts: 377, member)
    knowitall wrote: »
    No, "The latter being as simple as just trying a bad cert in Safari. See if that worked." is just a fact.
    Three other major mistakes were made: if you use a label named 'gotofail' it is assumed that this means certain failure, which wasn't the case and is very misleading; using curly brackets is essential in C and they weren't used; and the compiler didn't report "unreachable code", so the build environment wasn't configured properly.

    I clearly state that I was talking about OpenSSL's Heartbeat, not the gotofail. Maybe if you had quoted my entire post you'd have seen that in the second sentence instead of jumping all over nothing.

    But also, it's silly to call curly brackets essential ;) and while I understand that it contributed to the masking of the gotofail issue, it's hardly a mistake, just an alternative form. I agree with you otherwise on the other things, but like I said in my post, we all make mistakes, and a programmer's life is hard because of human error; logical thinking is very prone to it.
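
The three points argued over in the last two replies (the label, the braces, the unreachable-code warning), as an added example. This is a constructed reproduction of the control flow in Apple's SSLVerifySignedServerKeyExchange, not Apple's code: hash_update, hash_final and verify_signature are stand-ins, and the hash_steps counter and hash_steps_run() are added so the skipped steps can be observed.

```c
#include <stdio.h>

/* Placeholder steps standing in for Secure Transport's hash and verify calls
 * (constructed for this example). The updates succeed, as they did on the real
 * code path; the signature check is the step that is supposed to reject. */
static int hash_steps;                           /* hash steps that actually ran */
static int hash_update(void) { hash_steps++; return 0; }
static int hash_final(void)  { hash_steps++; return 0; }
static int verify_signature(int signature_is_valid) { return signature_is_valid ? 0 : -1; }
int hash_steps_run(void) { return hash_steps; }

/* Control flow of the original function. The second `goto fail;` is not under
 * the if, so it runs unconditionally while err still holds the 0 returned by
 * the previous, successful update. Everything after it, including the
 * signature check, is dead code, and the caller is told the signature verified. */
int verify_vulnerable(int signature_is_valid)
{
    int err;
    hash_steps = 0;
    if ((err = hash_update()) != 0)              /* hash serverRandom */
        goto fail;
    if ((err = hash_update()) != 0)              /* hash signedParams */
        goto fail;
        goto fail;                               /* the duplicated line */
    if ((err = hash_final()) != 0)
        goto fail;
    err = verify_signature(signature_is_valid);
fail:
    return err;      /* 0 means "verified" to the caller; the check never ran */
}

/* Same duplicated line, but with braces around every if body: the stray goto
 * can only execute on the error path, so the final hash and the signature
 * check always run. The duplicate is still dead code, which is exactly what an
 * unreachable-code warning exists to report. */
int verify_braced(int signature_is_valid)
{
    int err;
    hash_steps = 0;
    if ((err = hash_update()) != 0) {
        goto fail;
    }
    if ((err = hash_update()) != 0) {
        goto fail;
        goto fail;                               /* harmless here */
    }
    if ((err = hash_final()) != 0) {
        goto fail;
    }
    err = verify_signature(signature_is_valid);
fail:
    return err;
}

int main(void)
{
    int err = verify_vulnerable(0);
    printf("vulnerable, forged signature: err=%d, hash steps run=%d\n", err, hash_steps_run());
    err = verify_braced(0);
    printf("braced, forged signature:     err=%d, hash steps run=%d\n", err, hash_steps_run());
    printf("braced, valid signature:      err=%d\n", verify_braced(1));
    return 0;
}
```

With a forged signature, verify_vulnerable returns 0 after only two hash steps, because the unconditional goto fail carried the success code from the previous update straight to the return. Building this with clang -Wunreachable-code reports the duplicated line as code that will never execute; GCC has accepted that flag for years without acting on it, which is one way a build can be "configured" for the warning and still say nothing. GCC 6 later added -Wmisleading-indentation (part of -Wall), which fires on exactly this layout.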