Coding error locks author with last name 'True' out of iCloud


Comments

  • Reply 21 of 42
    elijahg Posts: 2,901 member
    Marvin said:
    elijahg said:
    lkrupp said:
    Amazing how these outlying, one off cases gain immediate traction. And she now thinks she’s entitled to a bug bounty?
    Why not? It's a bug.
    Disclosing it publicly looks like it disqualifies it:

    https://developer.apple.com/security-bounty/

    "Not disclose the issue publicly before Apple releases the security advisory for the report."

    It also has to be a bug that gives access to secure info, it can't just be any random bug. This probably doesn't do that, it's just assuming it's a boolean type instead of string and failing to assign it. Databases run checks for input types. She claims it's not allowing login so that suggests it was able to store it in the database originally and it's the login from the device that's not allowing it to access it.

    I'd have expected a bug like that to be fixed sooner than months but they probably get millions of bug reports every day and they will have to filter the ones that reach the people capable of fixing it.
    She "claims she has been on the phone to Apple's customer care for multiple hours about the problem, but to no avail." which is as good as reporting it, even if the customer service person did it on her behalf.

    The code to insert is not the same as the code to fetch, so an insert might work whereas a select may not. Also the code may have recently(ish) changed and broken it when it was fine before.
     0Likes 0Dislikes 0Informatives
  • Reply 22 of 42
    sflocal Posts: 6,167 member
    dysamoria said:
    This crap just never ends. It's amazing how things can go wrong, and it's irritating how there's zero accountability. In fact, there are armies of geeks out there to defend their pet tech from reasonable criticism, or just defend programming/tech in general.

    Semi-related issue of my own:
    I haven't been able to log into the iCloud.com website on my Macs for months. It started with my iMac, then also my MacBook Pro. I don't think iOS will let you even try, but by now I am sick of trying. It's not just me, as I've seen people post about it elsewhere (and they apparently had to call Apple Support, which I'm not keen to do just out of how much anxiety these kinds of obstructionist phone systems generate for me, though it supposedly should be a free call because it's about services).

    So far, no news sites want to make an issue about it to embarrass Apple into addressing it. Luckily, I don't currently NEED to log in to iCloud.com, but some day I might. I assume I will have to use someone else's computer. I don't even get the login box from my Macs.
    Give me a break.  Name one piece of software that has been validated - ever - to be 100% free from bugs.  We'll wait.

    I'm a software engineer and mistakes happen.  You ever make a mistake in your job?  How's about applying that accountability to you as well?  Should we fire you from your job?  

    This is what testing is for, and even then it's impossible to test for every possible scenario. Hindsight aside, it's been found and dealt with. Move on.

    Considering the complexity of coding such a crucial subsystem like iCloud, I'm surprised it hasn't happened more often.  

    I'm not excusing sloppy code by sketchy software coders and trying to pass it off as production-quality products.  iCloud has been pretty solid and depended-on by many.
     3Likes 0Dislikes 0Informatives
  • Reply 23 of 42
    elijahg Posts: 2,901 member
    sflocal said:
    dysamoria said:
    This crap just never ends. It's amazing how things can go wrong, and it's irritating how there's zero accountability. In fact, there are armies of geeks out there to defend their pet tech from reasonable criticism, or just defend programming/tech in general.

    Semi-related issue of my own:
    I haven't been able to log into the iCloud.com website on my Macs for months. It started with my iMac, then also my MacBook Pro. I don't think iOS will let you even try, but by now I am sick of trying. It's not just me, as I've seen people post about it elsewhere (and they apparently had to call Apple Support, which I'm not keen to do just out of how much anxiety these kinds of obstructionist phone systems generate for me, though it supposedly should be a free call because it's about services).

    So far, no news sites want to make an issue about it to embarrass Apple into addressing it. Luckily, I don't currently NEED to log in to iCloud.com, but some day I might. I assume I will have to use someone else's computer. I don't even get the login box from my Macs.
    Give me a break.  Name one piece of software that has been validated - ever - to be 100% free from bugs.  We'll wait.

    I'm a software engineer and mistakes happen.  You ever make a mistake in your job?  How's about applying that accountability to you as well?  Should we fire you from your job?  

    This is what testing is for, and even then it's impossible to test for every possible scenario. Hindsight aside, it's been found and dealt with. Move on.

    Considering the complexity of coding such a crucial subsystem like iCloud, I'm surprised it hasn't happened more often.  
    Testing all reasonable inputs for a variable that is to be recorded in a database is essential from a usage standpoint, not to mention a security one. That's especially important in something as widely used and critical as iCloud. The complexity of the underlying system is irrelevant, the inputs should be validated as the first step. Numbers only, symbols only, uppercase only, lowercase only, CamelCase, language keywords, SQL keywords and escape sequences and mixtures of all of the above should be tested. This is exactly the kind of bug that results in a database dump. 

    I'm not excusing sloppy code by sketchy software coders
    No, you're excusing sloppy code by professionals hired by Apple. 
    edited March 2021
     0Likes 0Dislikes 0Informatives
  • Reply 24 of 42
    mpantone Posts: 2,443 member
    This is not the first time this sort of thing has come to light.

    Wired columnist Christopher Null wrote an article back in 2015 about similar shenanigans with his surname:

    https://www.wired.com/2015/11/null/

    'Null' is another one of the special "reserved" words in computing like 'true'; poor programming can wreak havoc on those with those types of names (given or family).
    edited March 2021
     1Like 0Dislikes 0Informatives
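Added example, not part of any poster's comment and not Apple's code: the failure mode Replies 21, 23 and 24 describe, where a surname such as 'True' or 'Null' is read as a literal instead of a string, shown with a constructed type-guessing binder beside a schema-driven one. Every function name, the schema and the sample surnames are assumptions made for illustration.

```python
"""Constructed demo of the failure mode discussed in this thread: a surname
that spells a literal ("True", "Null") is mangled by a binder that guesses
types from content, and survives one that follows a declared schema.
Every name below is hypothetical; this is not Apple's code."""

# Spellings that type-guessing binders commonly turn into non-string values.
_LITERALS = {"true": True, "false": False, "null": None, "none": None}

# Constructed sample surnames, including literal and keyword look-alikes.
SAMPLE_SURNAMES = ["True", "Null", "false", "None", "Nan", "123",
                   "O'Brien", "McDonald", "de la Cruz", "SELECT"]

# Declared field types for the hypothetical profile form.
PROFILE_SCHEMA = {"last_name": str, "opt_in": bool}


def coerce_guessing(raw):
    """Weak pattern: decide the type from what the text looks like."""
    key = raw.strip().lower()
    if key in _LITERALS:
        return _LITERALS[key]
    try:
        return int(raw)
    except ValueError:
        pass
    try:
        return float(raw)          # also accepts "Nan" and "Inf"
    except ValueError:
        return raw


def bind_guessing(form):
    """Weak binder: every field goes through content-based coercion."""
    return {field: coerce_guessing(value) for field, value in form.items()}


def bind_with_schema(form, schema=PROFILE_SCHEMA):
    """Hardened binder: the declared field type decides, never the content."""
    bound = {}
    for field, field_type in schema.items():
        raw = form[field]
        if field_type is str:
            if not raw.strip():
                raise ValueError(f"{field} must not be empty")
            bound[field] = raw     # kept verbatim, whatever it spells
        elif field_type is bool:
            if raw not in ("true", "false"):
                raise ValueError(f"{field} must be 'true' or 'false'")
            bound[field] = raw == "true"
        else:
            raise TypeError(f"unsupported type for {field}")
    return bound


def failed_logins(binder, surnames=SAMPLE_SURNAMES):
    """Keep each surname verbatim on the sign-up path, bind the same text on
    the login path, and return the surnames whose lookup no longer matches."""
    failed = []
    for surname in surnames:
        stored = surname           # insert path: raw string kept as typed
        bound = binder({"last_name": surname, "opt_in": "false"})
        value = bound["last_name"]
        if not (isinstance(value, str) and value == stored):
            failed.append(surname)
    return failed


if __name__ == "__main__":
    print("guessing binder locks out:", failed_logins(bind_guessing))
    print("schema binder locks out:  ", failed_logins(bind_with_schema))
```

Running the same surname list through both binders in a regression test is the kind of input matrix Reply 23 asks for; quote-bearing names such as O'Brien pass here only because nothing is concatenated into a query.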
  • Reply 25 of 42
    ralphie Posts: 132 member
    It would be faster to just legally change her name, than to get help from Apple.
     1Like 0Dislikes 0Informatives
  • Reply 26 of 42
    lkrupp said:
    Amazing how these outlying, one off cases gain immediate traction. And she now thinks she’s entitled to a bug bounty?
    Well, it's a bug, and she found it, so why should she not be eligible for a bug bounty?
     0Likes 0Dislikes 0Informatives
  • Reply 27 of 42
    Rayz2016 Posts: 6,957 member
    dysamoria said:
    PS: The comment posting function on the article page seems not to work. It filled the box with some other page, which said "the conversation has been closed".

    Looks like you triggered a DullpointerException. 
    edited March 2021
     1Like 0Dislikes 0Informatives
  • Reply 28 of 42
    Rayz2016 Posts: 6,957 member
    sflocal said:
    dysamoria said:
    This crap just never ends. It's amazing how things can go wrong, and it's irritating how there's zero accountability. In fact, there are armies of geeks out there to defend their pet tech from reasonable criticism, or just defend programming/tech in general.

    Semi-related issue of my own:
    I haven't been able to log into the iCloud.com website on my Macs for months. It started with my iMac, then also my MacBook Pro. I don't think iOS will let you even try, but by now I am sick of trying. It's not just me, as I've seen people post about it elsewhere (and they apparently had to call Apple Support, which I'm not keen to do just out of how much anxiety these kinds of obstructionist phone systems generate for me, though it supposedly should be a free call because it's about services).

    So far, no news sites want to make an issue about it to embarrass Apple into addressing it. Luckily, I don't currently NEED to log in to iCloud.com, but some day I might. I assume I will have to use someone else's computer. I don't even get the login box from my Macs.
    Give me a break.  Name one piece of software that has been validated - ever - to be 100% free from bugs.  We'll wait.

    I'm a software engineer and mistakes happen.  You ever make a mistake in your job?  How's about applying that accountability to you as well?  Should we fire you from your job?  

    This is what testing is for, and even then it's impossible to test for every possible scenario. Hindsight aside, it's been found and dealt with. Move on.

    Considering the complexity of coding such a crucial subsystem like iCloud, I'm surprised it hasn't happened more often.  

    I'm not excusing sloppy code by sketchy software coders and trying to pass it off as production-quality products.  iCloud has been pretty solid and depended-on by many.
    Still, I’d love to take a look at the piece of code that causes the problem. 

    This reminds me of the problems they have with text messages that shut down the phone. It’s definitely sloppy coding. 
     0Likes 0Dislikes 0Informatives
  • Reply 29 of 42
    zimmie Posts: 651 member
    sflocal said:
    dysamoria said:
    This crap just never ends. It's amazing how things can go wrong, and it's irritating how there's zero accountability. In fact, there are armies of geeks out there to defend their pet tech from reasonable criticism, or just defend programming/tech in general.

    Semi-related issue of my own:
    I haven't been able to log into the iCloud.com website on my Macs for months. It started with my iMac, then also my MacBook Pro. I don't think iOS will let you even try, but by now I am sick of trying. It's not just me, as I've seen people post about it elsewhere (and they apparently had to call Apple Support, which I'm not keen to do just out of how much anxiety these kinds of obstructionist phone systems generate for me, though it supposedly should be a free call because it's about services).

    So far, no news sites want to make an issue about it to embarrass Apple into addressing it. Luckily, I don't currently NEED to log in to iCloud.com, but some day I might. I assume I will have to use someone else's computer. I don't even get the login box from my Macs.
    Give me a break.  Name one piece of software that has been validated - ever - to be 100% free from bugs.  We'll wait.

    I'm a software engineer and mistakes happen.  You ever make a mistake in your job?  How's about applying that accountability to you as well?  Should we fire you from your job?  

    This is what testing is for, and even then it's impossible to test for every possible scenario. Hindsight aside, it's been found and dealt with. Move on.

    Considering the complexity of coding such a crucial subsystem like iCloud, I'm surprised it hasn't happened more often.  

    I'm not excusing sloppy code by sketchy software coders and trying to pass it off as production-quality products.  iCloud has been pretty solid and depended-on by many.
    Off the top of my head, INTEGRITY (a POSIX-compliant RTOS), seL4 (a reimplementation of a lot of L4 for embedded operating systems; Qualcomm's cell modems run it), and PikeOS (a commercial fork of L4 as an RTOS with hypervisor functionality) are all formally verified and are therefore mathematically proven to be free of bugs. Parts of VxWorks (another RTOS) have been formally verified, but not the system as a whole.
     0Likes 0Dislikes 0Informatives
  • Reply 30 of 42
    Well, I suppose that this guy has many of the same issues: https://www.linkedin.com/in/jan-null-22b9796/


     0Likes 0Dislikes 0Informatives
  • Reply 31 of 42
    AppleZulu Posts: 2,459 member
    Like many companies, Apple has built a firewall between their tech support and their developers for reasons no one can fathom. If you have tried to give a bug report to a tech support person, you will know what I mean. They insist on trying to solve the problem which they can't because it's a bug and they don't have the source code in front of them. You would think that tech support could easily file bug reports and would be encouraged to do so but no. That would be unthinkable!
    I've had a couple of oddities come up and found Apple's customer support to be really very good about not wasting my time before they escalate to someone skilled enough to collect the right data and ship it over to the developer side for a resolution. I'm nice about it, but can convey to the front-line person the testing I've already done, and unlike most customer support places, even the front-line people are well enough trained that they can skip the script if I've already covered the initial territory, think logically to check on anything else I might've missed and quickly bump me up if my deal is beyond their level of expertise.

    As for a firewall between tech support and developers, I can't think of many developers who would feel they're doing their best work if they're spending time checking with customers to see if they tried rebooting or plugging a device in before calling. On the other side, from a customer support perspective, there are a lot of brilliant developers a good company wouldn't want anywhere near their customers. Seriously. These are very different skill sets.
     0Likes 0Dislikes 0Informatives
  • Reply 32 of 42
    AppleZulu Posts: 2,459 member
    dysamoria said:
    This crap just never ends. It's amazing how things can go wrong, and it's irritating how there's zero accountability. In fact, there are armies of geeks out there to defend their pet tech from reasonable criticism, or just defend programming/tech in general.

    Semi-related issue of my own:
    I haven't been able to log into the iCloud.com website on my Macs for months. It started with my iMac, then also my MacBook Pro. I don't think iOS will let you even try, but by now I am sick of trying. It's not just me, as I've seen people post about it elsewhere (and they apparently had to call Apple Support, which I'm not keen to do just out of how much anxiety these kinds of obstructionist phone systems generate for me, though it supposedly should be a free call because it's about services).

    So far, no news sites want to make an issue about it to embarrass Apple into addressing it. Luckily, I don't currently NEED to log in to iCloud.com, but some day I might. I assume I will have to use someone else's computer. I don't even get the login box from my Macs.
    So, you have a problem you want fixed, but you're not going to call tech support because you've seen other people post things on the internet about what could be the same problem. Sure, I hate bad tech support as much as the next person, but as I just posted up-thread, at least in my experience, Apple's tech support avoids much of the usual frustrations. Go to their website or their support app, fill in a brief form, and they'll call you. There's no keypad menu maze or waiting on hold just to get the conversation started.

    Also, I just logged into my account on iCloud.com in Safari on my iPhone, which just prompted an email notifying me that someone logged into my iCloud account on a browser. So, iOS will even let you try.  You probably can't get help if you won't ask for it, and it seems a bit incongruous to claim there's zero accountability if you haven't actually directly asked anyone for it.
     1Like 0Dislikes 0Informatives
  • Reply 33 of 42
    macplusplus Posts: 2,118 member
    Well, apparently she forgot to enclose her last name in double quotation marks...
    /s
     0Likes 0Dislikes 0Informatives
  • Reply 34 of 42
    macplusplus Posts: 2,118 member
    zimmie said:
    sflocal said:
    dysamoria said:
    This crap just never ends. It's amazing how things can go wrong, and it's irritating how there's zero accountability. In fact, there are armies of geeks out there to defend their pet tech from reasonable criticism, or just defend programming/tech in general.

    Semi-related issue of my own:
    I haven't been able to log into the iCloud.com website on my Macs for months. It started with my iMac, then also my MacBook Pro. I don't think iOS will let you even try, but by now I am sick of trying. It's not just me, as I've seen people post about it elsewhere (and they apparently had to call Apple Support, which I'm not keen to do just out of how much anxiety these kinds of obstructionist phone systems generate for me, though it supposedly should be a free call because it's about services).

    So far, no news sites want to make an issue about it to embarrass Apple into addressing it. Luckily, I don't currently NEED to log in to iCloud.com, but some day I might. I assume I will have to use someone else's computer. I don't even get the login box from my Macs.
    Give me a break.  Name one piece of software that has been validated - ever - to be 100% free from bugs.  We'll wait.

    I'm a software engineer and mistakes happen.  You ever make a mistake in your job?  How's about applying that accountability to you as well?  Should we fire you from your job?  

    This is what testing is for, and even then it's impossible to test for every possible scenario. Hindsight aside, it's been found and dealt with. Move on.

    Considering the complexity of coding such a crucial subsystem like iCloud, I'm surprised it hasn't happened more often.  

    I'm not excusing sloppy code by sketchy software coders and trying to pass it off as production-quality products.  iCloud has been pretty solid and depended-on by many.
    Off the top of my head, INTEGRITY (a POSIX-compliant RTOS), seL4 (a reimplementation of a lot of L4 for embedded operating systems; Qualcomm's cell modems run it), and PikeOS (a commercial fork of L4 as an RTOS with hypervisor functionality) are all formally verified and are therefore mathematically proven to be free of bugs. Parts of VxWorks (another RTOS) have been formally verified, but not the system as a whole.
    There is no way to “mathematically prove” that a computer program will be free of bugs. This is called the “halting problem” in computability theory.

    Besides, every computer literate knows that "mission-critical computing" is a totally different paradigm than "personal computing". I can order a certain set of error-free functionality and you can deliver that. What we do is not general purpose personal computing. Opening the mission-critical aspects of Apple's infrastructure to discussion is well beyond the scope of this publication and beyond your intentions as well, I think.
    edited March 2021
     0Likes 0Dislikes 0Informatives
  • Reply 35 of 42
    fastasleep Posts: 6,487 member
    dysamoria said:
    This crap just never ends. It's amazing how things can go wrong, and it's irritating how there's zero accountability. In fact, there are armies of geeks out there to defend their pet tech from reasonable criticism, or just defend programming/tech in general.

    Semi-related issue of my own:
    I haven't been able to log into the iCloud.com website on my Macs for months. It started with my iMac, then also my MacBook Pro. I don't think iOS will let you even try, but by now I am sick of trying. It's not just me, as I've seen people post about it elsewhere (and they apparently had to call Apple Support, which I'm not keen to do just out of how much anxiety these kinds of obstructionist phone systems generate for me, though it supposedly should be a free call because it's about services).

    So far, no news sites want to make an issue about it to embarrass Apple into addressing it. Luckily, I don't currently NEED to log in to iCloud.com, but some day I might. I assume I will have to use someone else's computer. I don't even get the login box from my Macs.
    Months? Bullshit, that's on you. "Obstructionist" my ass, Apple Support is literally the easiest support system to navigate. If you can't get someone via chat, they'll call you instead of making you wait, and they'll help you with your issue in a friendly manner. It's a website though, so ten bucks say you need to clear your cache and cookies and try again. Or, just whine about it for several more months.
     0Likes 0Dislikes 0Informatives
  • Reply 36 of 42
    zimmie Posts: 651 member
    zimmie said:
    sflocal said:
    dysamoria said:
    This crap just never ends. It's amazing how things can go wrong, and it's irritating how there's zero accountability. In fact, there are armies of geeks out there to defend their pet tech from reasonable criticism, or just defend programming/tech in general.

    Semi-related issue of my own:
    I haven't been able to log into the iCloud.com website on my Macs for months. It started with my iMac, then also my MacBook Pro. I don't think iOS will let you even try, but by now I am sick of trying. It's not just me, as I've seen people post about it elsewhere (and they apparently had to call Apple Support, which I'm not keen to do just out of how much anxiety these kinds of obstructionist phone systems generate for me, though it supposedly should be a free call because it's about services).

    So far, no news sites want to make an issue about it to embarrass Apple into addressing it. Luckily, I don't currently NEED to log in to iCloud.com, but some day I might. I assume I will have to use someone else's computer. I don't even get the login box from my Macs.
    Give me a break.  Name one piece of software that has been validated - ever - to be 100% free from bugs.  We'll wait.

    I'm a software engineer and mistakes happen.  You ever make a mistake in your job?  How's about applying that accountability to you as well?  Should we fire you from your job?  

    This is what testing is for, and even then it's impossible to test for every possible scenario. Hindsight aside, it's been found and dealt with. Move on.

    Considering the complexity of coding such a crucial subsystem like iCloud, I'm surprised it hasn't happened more often.  

    I'm not excusing sloppy code by sketchy software coders and trying to pass it off as production-quality products.  iCloud has been pretty solid and depended-on by many.
    Off the top of my head, INTEGRITY (a POSIX-compliant RTOS), seL4 (a reimplementation of a lot of L4 for embedded operating systems; Qualcomm's cell modems run it), and PikeOS (a commercial fork of L4 as an RTOS with hypervisor functionality) are all formally verified and are therefore mathematically proven to be free of bugs. Parts of VxWorks (another RTOS) have been formally verified, but not the system as a whole.
    There is no way to “mathematically prove” that a computer program will be free of bugs. This is called the “halting problem” in computability theory.

    Besides, every computer literate knows that "mission-critical computing" is a totally different paradigm than "personal computing". I can order a certain set of error-free functionality and you can deliver that. What we do is not general purpose personal computing. Opening the mission-critical aspects of Apple's infrastructure to discussion is well beyond the scope of this publication and beyond your intentions as well, I think.
    There actually is a way to prove a program is free of bugs. It's called formal verification for a reason. It involves writing a mathematical proof, which can be mechanically verified to be true. Here's the academic paper [PDF] where the developers of seL4 describe how it was done. The short explanation is you use the software specification to build a list of invariants, then prove mathematically that the software satisfies exactly those invariants. To the best of my knowledge, seL4 is the first time this was applied to a whole OS kernel (at least in public), but it has been done several times since.

    Saying the halting problem precludes this is like saying the set of real numbers is uncountably infinite, therefore no real number can ever be counted: patently nonsense. The halting problem only applies to the full set of arbitrary programs. Within the set of arbitrary programs, there is a subset which can be proven mathematically to halt. As a trivial disproof of your use of it, consider a program containing only the instruction 'return'. You can mathematically prove the execution time of that specific program, as well as the fact that it will stop executing.

    As for "mission-critical computing" versus "personal computing", that's a distinction without a meaningful difference.
     1Like 0Dislikes 0Informatives
  • Reply 37 of 42
    nicholfd Posts: 828 member
    elijahg said:
    lkrupp said:
    Amazing how these outlying, one off cases gain immediate traction. And she now thinks she’s entitled to a bug bounty?
    Why not? It's a bug.
    Because the bug bounty is for security vulnerabilities.
     0Likes 0Dislikes 0Informatives
  • Reply 38 of 42
    nicholfd Posts: 828 member

    dysamoria said:
    This crap just never ends. It's amazing how things can go wrong, and it's irritating how there's zero accountability. In fact, there are armies of geeks out there to defend their pet tech from reasonable criticism, or just defend programming/tech in general.

    Semi-related issue of my own:
    I haven't been able to log into the iCloud.com website on my Macs for months. It started with my iMac, then also my MacBook Pro. I don't think iOS will let you even try, but by now I am sick of trying. It's not just me, as I've seen people post about it elsewhere (and they apparently had to call Apple Support, which I'm not keen to do just out of how much anxiety these kinds of obstructionist phone systems generate for me, though it supposedly should be a free call because it's about services).

    So far, no news sites want to make an issue about it to embarrass Apple into addressing it. Luckily, I don't currently NEED to log in to iCloud.com, but some day I might. I assume I will have to use someone else's computer. I don't even get the login box from my Macs.
    So what happens when you try to log into iCloud.com? Your anecdotal description is meaningless. So you don't need it, and you don't want to call Apple about it, but you want to complain here, on the forums...
     0Likes 0Dislikes 0Informatives
  • Reply 39 of 42
    nicholfd Posts: 828 member
    lkrupp said:
    Amazing how these outlying, one off cases gain immediate traction. And she now thinks she’s entitled to a bug bounty?
    Well, it's a bug, and she found it, so why should she not be eligible for a bug bounty?
    Because the rules state you can't disclose it publicly until Apple has time to resolve it, and it has to be security related.  Read the rules yourself, instead of wasting time posting on the forums, asking why.
     0Likes 0Dislikes 0Informatives
  • Reply 40 of 42
    nicholfd Posts: 828 member

    zimmie said:
    sflocal said:
    dysamoria said:
    This crap just never ends. It's amazing how things can go wrong, and it's irritating how there's zero accountability. In fact, there are armies of geeks out there to defend their pet tech from reasonable criticism, or just defend programming/tech in general.

    Semi-related issue of my own:
    I haven't been able to log into the iCloud.com website on my Macs for months. It started with my iMac, then also my MacBook Pro. I don't think iOS will let you even try, but by now I am sick of trying. It's not just me, as I've seen people post about it elsewhere (and they apparently had to call Apple Support, which I'm not keen to do just out of how much anxiety these kinds of obstructionist phone systems generate for me, though it supposedly should be a free call because it's about services).

    So far, no news sites want to make an issue about it to embarrass Apple into addressing it. Luckily, I don't currently NEED to log in to iCloud.com, but some day I might. I assume I will have to use someone else's computer. I don't even get the login box from my Macs.
    Give me a break.  Name one piece of software that has been validated - ever - to be 100% free from bugs.  We'll wait.

    I'm a software engineer and mistakes happen.  You ever make a mistake in your job?  How's about applying that accountability to you as well?  Should we fire you from your job?  

    This is what testing is for, and even then it's impossible to test for every possible scenario. Hindsight aside, it's been found and dealt with. Move on.

    Considering the complexity of coding such a crucial subsystem like iCloud, I'm surprised it hasn't happened more often.  

    I'm not excusing sloppy code by sketchy software coders and trying to pass it off as production-quality products.  iCloud has been pretty solid and depended-on by many.
    Off the top of my head, INTEGRITY (a POSIX-compliant RTOS), seL4 (a reimplementation of a lot of L4 for embedded operating systems; Qualcomm's cell modems run it), and PikeOS (a commercial fork of L4 as an RTOS with hypervisor functionality) are all formally verified and are therefore mathematically proven to be free of bugs. Parts of VxWorks (another RTOS) have been formally verified, but not the system as a whole.
    I call bullshit.  The mathematically proven methods only consider what the mathematicians conceived of during testing.  If you are talking statistics, then yeah - you can prove REALLY close down to zero bugs & maybe call it zero, but it still isn't proven to be zero.
     0Likes 0Dislikes 0Informatives