Just so you're aware, the engineering team, design team and marketing team do not work on iOS's code.
There's no engineering team working on software? I wonder who wrote this code, then trained monkeys?
Things like security, coding style, and review are taxes. You have to pay your taxes because it's necessary, but you don't see a immediate benefit from them. If they had discipline and required braces on if statements, then the programmer would have gotten an error and instantly fixed it. The bug would have lasted a whole minute, and nobody would have ever known about it. (In the strictest organizations, those who do safety critical stuff, the coder would have had to log that error so they would have had metrics). They didn't pay their taxes, and now look what happened.
The product managers, design teams and engineers, and most importantly senior leadership, need to understand the value of these taxes, ensure they are paid. Otherwise they will gain a reputation of being slow and unreliable (Blackberry) or insecure (Android) and people will stop buying their products. What's the use of designing such a thin phone if nobody buys it?
Really? I didn't know that! So, I guess they don't all work for Apple. Probably the iOS code is some kind of external OS and Apple has nothing to do with it. I that case I have no complains at all. It's not Apple fault. Not their OS, sorry! Please Apple, please, concentrate all of your resources to make the next iPhone 0.00000001 mm thinner! That's what I really want!
Um, the people involved with the thickness of iPhone are not the same employees involved with source code. Last time I checked mechanical engineers are not software engineers. :rolleyes:
The worst part about it is it's a simple, fairly obvious typo (presumably). It shows poor software engineering practices at Apple all around: a coding style that's inconsistently applied throughout the file, poor code review, and poor software testing. And the worst part of it is that it's on a security critical piece of software which should have been third-party audited. If they can't get this right, what else is wrong?
Maybe Apple should fire their entire software engineering team since, according to you, they obviously have poor engineering practices all around. What I find ironic is this apparently first appeared in iOS 6 which was released under Forstall and yet there are people who claim Apple is doomed if they don't bring Forstall back.
Maybe Apple should fire their entire software engineering team since, according to you, they obviously have poor engineering practices all around. What I find ironic is this apparently first appeared in iOS 6 which was released under Forstall and yet there are people who claim Apple is doomed if they don't bring Forstall back.
Thanks for putting words in my mouth. I said the entire incident shows poor engineering practices, not that all software engineers there were bad. I didn't say anybody should be fired, but when things like this happen it starts at middle level management and above.
This is where Google shines, they're fundamentally run by nerds. It's also where Google fails, it seems they are more interested in the taxes, like new programming languages and codecs and HTML extensions rather than actual product development.
If this is as serious as some suggest, why hasn't Apple released a patch for Mavericks yet? One would assume if someone gets compromised it wouldn't take two seconds to file a lawsuit. I can't imagine Apple would want to expose itself to that. I guess I'm trying to understand if this really is as bad as some are suggesting, or, if it's just the weekend with nothing else to talk about and this will find its way to the back page come tomorrow when MWC starts and Samsung introduces their new phone.
If this is as serious as some suggest, why hasn't Apple released a patch for Mavericks yet? One would assume if someone gets compromised it wouldn't take two seconds to file a lawsuit.
This was obviously not published on Apple's timeline, somebody found or exploited it. Why was the Apple TV, which doesn't have anything important on it, patched before Mavericks? If Apple was half competent and they were in control, they would have released everything at once.
Have you ever seen anybody sued for software defects? Microsoft? Doesn't work that way. Your license agreement in big letters says they are not liable, and there's never been a precedent for holding a company liable for negligence in consumer grade PC software.
This was obviously not published on Apple's timeline, somebody found or exploited it. Why was the Apple TV, which doesn't have anything important on it, patched before Mavericks? If Apple was half competent and they were in control, they would have released everything at once.
Have you ever seen anybody sued for software defects? Microsoft? Doesn't work that way. Your license agreement in big letters says they are not liable, and there's never been a precedent for holding a company liable for negligence in consumer grade PC software.
So let's see, Apple has poor engineering practices and is not competent or in control. Guess that means someone should be fired then?
So let's see, Apple has poor engineering practices and is not competent or in control. Guess that means someone should be fired then?
More words in my mouth. I said Apple is not in control of the disclosure timeline of this bug. The cat got out of the bag before Apple had a chance to fully react.
I didn't say anybody should be fired. I am saying there are serious software engineering issues that are evident by the open source code on security critical software and a comprehensive organizational review and changes are necessary.
I predict your next claim is saying that I am now blaming Tim Cook on this bug, and it's not really a bug and just made up by Android fans.
More words in my mouth. I said Apple is not in control of the disclosure timeline of this bug. The cat got out of the bag before Apple had a chance to fully react.
I didn't say anybody should be fired. I am saying there are serious software engineering issues that are evident by the open source code on security critical software and a comprehensive organizational review and changes are necessary.
I predict your next claim is saying that I am now blaming Tim Cook on this bug, and it's not really a bug and just made up by Android fans.
You said: "If Apple was half competent and they were in control, they would have released everything at once." "If Apple was half competent" seems to me like you don't think they that are competent (at least in this area). I never suggested that you think someone should be fired. I said that. IF this is as serious as some suggest and millions of people are/have been at risk since iOS 6 over a line of code that should have been caught in code review, then yes I think someone should be fired over it.
The worst case is for public wifi if you check email or do any digital banking but someone would have to be pretty much dumping all traffic from a public hotspot at all times in the hope that someone doing something worthwhile comes along with a device that had the vulnerability and then exploit it. Now that the exploit is known, it's more likely someone will try targeted attacks but they'd still be in for a long wait dumping public wifi traffic.
That would explain Square sending out an iOS update alert. Finding a retailer using them as their CC processo and over wi-fi would be pretty easy. As quickly as Square responded perhaps they've already seen this vulnerability in action?
It'd be interesting to learn which applications actually really use the Security.framework where the bug resides it, besides Safari that is.
It's probably not even that critical on OSX compared to iOS (where there's little choice) since most applications rather use OpenSSL directly instead of some Apple framework...
I was most impressed that Apple had an iOS patch for this that covered iOS 6 and my aging iPhone 3gs. That's the kind of long-term support, I tell people, that puts iPhones ahead of their competition. Most smartphone makers seem to give no support once a product is discontinued.
I hope Apple does the same with the OS X patch. My MacBook, which I still find useful, won't run any OS X past Lion. It needs a patch too.
Hopefully 10.9.2 will be released, patched, to all any day. I've lost count of the updates I've had!
Is XP SOOL I wonder? This affects all OSs doesn't it? ... so many PCs out there still using it!
This is an Apple specific issue entirely down to their own code. It's not a mistake in a standard or anything, it was an extra line of code unchecked and uncaught by anyone.
Droid, if you're intercepting ssl then it will fix that. Normal http will be as vulnerable as ever.
The tin foil hat brigade which suggests that Apple ( or an employee) added the encryption to the source file, should go onto explain why it was then published in open source.
Well, you can bet that the NSA has been using this MITM attack vector to collect data from as many 'sources of interest' as possible before iOS and OS/X are patched.
Does that mean all my 1Password data being synced via iCloud was sent unencrypted under Mavericks and 7.0.x?
It means that if an application used Apple's secure framework for HTTPS connections, that someone with access to your network or any network inbetween could have replaced the certificate with one they control, seeing the plain text of your communications.
However, 1Password could also encrypt their data on top of this, which would frustrate any analysis, and being in a position to do this would normally be something like the NSA or a poisoned open wifi AP.
It means that if an application used Apple's secure framework for HTTPS connections, that someone with access to your network or any network inbetween could have replaced the certificate with one they control, seeing the plain text of your communications.
However, 1Password could also encrypt their data on top of this, which would frustrate any analysis, and being in a position to do this would normally be something like the NSA or a poisoned open wifi AP.
Comments
Just so you're aware, the engineering team, design team and marketing team do not work on iOS's code.
There's no engineering team working on software? I wonder who wrote this code, then trained monkeys?
Things like security, coding style, and review are taxes. You have to pay your taxes because it's necessary, but you don't see a immediate benefit from them. If they had discipline and required braces on if statements, then the programmer would have gotten an error and instantly fixed it. The bug would have lasted a whole minute, and nobody would have ever known about it. (In the strictest organizations, those who do safety critical stuff, the coder would have had to log that error so they would have had metrics). They didn't pay their taxes, and now look what happened.
The product managers, design teams and engineers, and most importantly senior leadership, need to understand the value of these taxes, ensure they are paid. Otherwise they will gain a reputation of being slow and unreliable (Blackberry) or insecure (Android) and people will stop buying their products. What's the use of designing such a thin phone if nobody buys it?
Maybe Apple should fire their entire software engineering team since, according to you, they obviously have poor engineering practices all around. What I find ironic is this apparently first appeared in iOS 6 which was released under Forstall and yet there are people who claim Apple is doomed if they don't bring Forstall back.
Thanks for putting words in my mouth. I said the entire incident shows poor engineering practices, not that all software engineers there were bad. I didn't say anybody should be fired, but when things like this happen it starts at middle level management and above.
This is where Google shines, they're fundamentally run by nerds. It's also where Google fails, it seems they are more interested in the taxes, like new programming languages and codecs and HTML extensions rather than actual product development.
If this is as serious as some suggest, why hasn't Apple released a patch for Mavericks yet? One would assume if someone gets compromised it wouldn't take two seconds to file a lawsuit.
This was obviously not published on Apple's timeline, somebody found or exploited it. Why was the Apple TV, which doesn't have anything important on it, patched before Mavericks? If Apple was half competent and they were in control, they would have released everything at once.
Have you ever seen anybody sued for software defects? Microsoft? Doesn't work that way. Your license agreement in big letters says they are not liable, and there's never been a precedent for holding a company liable for negligence in consumer grade PC software.
So let's see, Apple has poor engineering practices and is not competent or in control. Guess that means someone should be fired then?
More words in my mouth. I said Apple is not in control of the disclosure timeline of this bug. The cat got out of the bag before Apple had a chance to fully react.
I didn't say anybody should be fired. I am saying there are serious software engineering issues that are evident by the open source code on security critical software and a comprehensive organizational review and changes are necessary.
I predict your next claim is saying that I am now blaming Tim Cook on this bug, and it's not really a bug and just made up by Android fans.
That would explain Square sending out an iOS update alert. Finding a retailer using them as their CC processo and over wi-fi would be pretty easy. As quickly as Square responded perhaps they've already seen this vulnerability in action?
EDIT: Gruber gives a tip-of-the-hat to the tinfoilers.
http://daringfireball.net/2014/02/apple_prism
It's probably not even that critical on OSX compared to iOS (where there's little choice) since most applications rather use OpenSSL directly instead of some Apple framework...
I hope Apple does the same with the OS X patch. My MacBook, which I still find useful, won't run any OS X past Lion. It needs a patch too.
Hopefully 10.9.2 will be released, patched, to all any day. I've lost count of the updates I've had!
Is XP SOOL I wonder? This affects all OSs doesn't it? ... so many PCs out there still using it!
I think it's an Apple-specific issue that time-wise began with iOS6 release.
Hopefully 10.9.2 will be released, patched, to all any day. I've lost count of the updates I've had!
Is XP SOOL I wonder? This affects all OSs doesn't it? ... so many PCs out there still using it!
This is an Apple specific issue entirely down to their own code. It's not a mistake in a standard or anything, it was an extra line of code unchecked and uncaught by anyone.
Droid, if you're intercepting ssl then it will fix that. Normal http will be as vulnerable as ever.
The tin foil hat brigade which suggests that Apple ( or an employee) added the encryption to the source file, should go onto explain why it was then published in open source.
We don't know if that was the actual bug, either.
Well, you can bet that the NSA has been using this MITM attack vector to collect data from as many 'sources of interest' as possible before iOS and OS/X are patched.
Does that mean all my 1Password data being synced via iCloud was sent unencrypted under Mavericks and 7.0.x?
It means that if an application used Apple's secure framework for HTTPS connections, that someone with access to your network or any network inbetween could have replaced the certificate with one they control, seeing the plain text of your communications.
However, 1Password could also encrypt their data on top of this, which would frustrate any analysis, and being in a position to do this would normally be something like the NSA or a poisoned open wifi AP.
That's my thinking but I've reached out to 1Password to get something more definitive. It turns out they were already working on an answer: http://blog.agilebits.com/2014/02/23/1password-security-doesnt-depend-on-ssl/