How Apple dodged the Heartbleed bullet

13

Comments

  • Reply 41 of 68
    lightknightlightknight Posts: 2,312member
    desuserign wrote: »
    I don't know anyone who would say open source = security (If anyone does I've got some free open source software I can give them!) But open source does equate to transparency, which it seems (counterintuitively enough) is a prerequisite to verifiable security. Clearly Apple thinks so.

    Exactly this. The whole article bases itself on two assumptions:
    - there are no other exceedingly bad bugs allowing injection in Apple's code, hence OSS is a worse method than closed source
    - the fact Heartbleed is the worse bug of the two is not purely luck

    It appears to me, both statements are unlikely to be true.
    -
  • Reply 42 of 68
    lightknightlightknight Posts: 2,312member
    ascii wrote: »
    The other thing about open source that a lot of people don't realise is that it's mostly developed by companies anyway, not some Utopian ideal of the citizenry spontaneously developing their own solutions. Look at the Linux commits, 75% from companies.  http://apcmag.com/linux-now-75-corporate.htm
    Surprise, surprise most people want to get paid when they work.

    That raises different issues, from a few orders of magnitude more complex than the ones raised (?) by the article ( is OSS really safer than closed source, and are the benefits of OSS offset by the unpredictability of API changes).
    My take on closed source is clear, openness at least allows people to search for issues, even though whether they actually do is still their own responsibility, and as for unpredictability, Apple is not known for backward compatibility, which may or may not be a good thing.

    All in all, your statement is true, but responding to it appropriately seems to require a few PHDs in sociology, economy and ethnology, and addressing the consequences would require conscious effort of our civilizations, which I am afraid is a bit unlikely.
  • Reply 43 of 68
    lightknightlightknight Posts: 2,312member
    solipsismx wrote: »
    As opposed to when it's inconvenient for them? Do you really expect any company to say, "We use open source code when we think it will make our products worse"? :no:

    Samsung's marketing department has raised a few eyebrows in recent years. Also, breakdancing being all the rage has convinced me just anything is possible in modern advertisement, so... Why not?
  • Reply 44 of 68
    knowitallknowitall Posts: 1,648member
    nobodyy wrote: »
    I clearly state that I was talking about OpenSSL's Heartbeat, not the gotofail. Maybe if you had quoted my entire post you'd have seen that in the second sentence instead of jumping all over nothing.

    But also, it's silly to call curly brackets essential ;) and while I understand that it contributed to the masking of the gotofail issue, it's hardly a mistake, just an alternative form. I agree with you otherwise on the other things, but like I said in my post, as all make mistakes and a programmers life is hard because of human error and logical thinking is very prone to it.

    Your right I overlooked that, sorry.
    I quoted you in full now.
    I disagree about the curly brackets, form is essential, as is shown by the mistake.
    I know al about making mistakes while programming and choosing the right form and environment is what prevents it from happening.

    Edit: come to think of it the communication industry is essentially sidestepped and later eradicated by the internet and the computer (they still don't know what hit them) but this had some consequences like using C instead of for example ADA for communications. We all know how (type) unsafe C is.
  • Reply 45 of 68
    mstonemstone Posts: 11,510member

    Looks like it is now being revealed that Google was the one that discovered the Heartbleed bug but they didn't tell the US government or the OpenSSL community. They only told their close partners requiring NDA agreements and fixed their own machines. It was a couple weeks later that it was made public by way of Finland security researchers. The timeline doesn't mention Apple specifically but apparently Facebook, Yahoo, Twitter, Dropbox, and other Google competitors were of the last to know. The fact that Google did not alert Cisco and Juniper is particularly suspicious.

     

    http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html

  • Reply 46 of 68
    gatorguygatorguy Posts: 24,178member
    mstone wrote: »
    Looks like it is now being revealed that Google was the one that discovered the Heartbleed bug but they didn't tell the US government or the OpenSSL community. They only told their close partners requiring NDA agreements and fixed their own machines. It was a couple weeks later that it was made public by way of Finland security researchers. The timeline doesn't mention Apple specifically but apparently Facebook, Yahoo, Twitter, Dropbox, and other Google competitors were of the last to know. The fact that Google did not alert Cisco and Juniper is particularly suspicious.

    http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html
    According to Heartbleed.com there were three people involved in the discovery. The Sydney Herald just left out a bit in their story from last Tuesday.
    http://heartbleed.com/
  • Reply 47 of 68
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Gatorguy View Post

     
    According to Heartbleed.com there were three people involved in the discovery. The Sydney Herald just left out a bit in their story from last Tuesday.

    http://heartbleed.com/

    They didn't leave out anything of the sort. They say that Codenomicon also discovered it more than two weeks later if you can call that discovered. Codenomicon was just the first to publicize it. The fact that Codenomicon bought the Heartbleed.com domain name on April 5 when they learned of the bug, a full 2 weeks after it was discovered which could lead some to suspicion that they have some agenda to spin the timeline differently.

  • Reply 48 of 68
    gatorguygatorguy Posts: 24,178member
    mstone wrote: »
    They didn't leave out anything of the sort. They say that Codenomicon  co-discovered it more than two weeks later if you can call that co-discovered.

    Ah, thanks then. As far as not advising the US Government it makes sense. Google, Apple, MS and others have already been burned several times by intelligence agencies taking advantage of backdoors and coding errors. Patch then tell'em about it makes sense from a security standpoint. It could also give them an opportunity to test whether the NSA or other agencies were already actively exploiting it, perhaps the testing the Finns were doing.

    It appears everyone who knew about it prior to April 8th, from Google to Codenomicon to Redhat to SSL team members, was trying to keep it under wraps until all the patches were readied.
  • Reply 49 of 68
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Gatorguy View Post

     
    Ah, thanks then. As far as not advising the US Government it makes sense. Google, Apple, MS and others have already been burned several times by intelligence agencies taking advantage of backdoors and coding errors. Patch then tell'em about it makes sense from a security standpoint. It could also give them an opportunity to test whether the NSA or other agencies were already actively exploiting it, perhaps the testing the Finns were doing.


    But they never did tell them and they didn't tell Cisco and Juniper either who could have cut the vulnerability off at the edge routers. Google has proven once again they cannot be trusted. If the NSA was exploiting it then they are liars and that will definitely come back to bite them - Snowden duex. Although it is curious why the NSA wasn't the one to discover this months ago. That is the sort of thing they are supposed to be monitoring for our safety.

  • Reply 50 of 68
    gatorguygatorguy Posts: 24,178member
    mstone wrote: »
    But they never did tell them and they didn't tell Cisco and Juniper either who could have cut the vulnerability off at the edge routers. Google has proven once again they cannot be trusted. If the NSA was exploiting it then they are liars and that will definitely come back to bite them - Snowden duex.

    Yes the Finns told US security officials according to your link but did three days of tests before doing so. As for Cisco and Juniper not yet being in the loop when someone publicly released news of Heartbleed that goes back to all involved trying to keep things quiet by advising those they've found found vulnerable one at a time and only after agreeing to NDA's. Someone obviously broke their agreement with a premature leak creating even more problems. Had everyone done as they were asked all the patches, including those at Cisco/Juniper would probably been in place before the reveal. The damage would have been much worse if the existence of Heartbleed been announced before any systems had the opportunity to be patched.

    Why do you think all the players wanted NDA's? It was to keep the flaw out of sight of "bad guys" until the fixes were in place. It wasn't being evil, it was handling it just the way they should have. As long as any major system was vulnerable everyone was potentially vulnerable.
  • Reply 51 of 68
    mstonemstone Posts: 11,510member
    Quote:

    Originally Posted by Gatorguy View Post

     
    It appears everyone who knew about it prior to April 8th, from Google to Codenomicon to Redhat to SSL team members, was trying to keep it under wraps until all the patches were readied.


    Except they didn't tell any governments, any of the big social networks, banks, or the infrastructure providers. Why?

  • Reply 52 of 68
    gatorguygatorguy Posts: 24,178member
    mstone wrote: »
    Except they didn't tell any governments, any of the big social networks, banks, or the infrastructure providers. Why?

    They appeared to have a systematic plan to patch thing up for every provider beginning with the backbone. Take a look at the types of companies first notified. Unfortunately someone opened their mouth before all the networks and systems providers had been quietly advised. Once that happened everything broke loose.
  • Reply 53 of 68
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Gatorguy View Post

     
    They appeared to have a systematic plan to patch thing up for every provider beginning with the backbone. 


    Which backbone? It wouldn't be a huge leap to wonder if Google planned to never inform it's competitors even though those competitors also represent many of Google's users. Could it be that Google would like nothing better than having the media publicize that the likes of Yahoo was compromised, which is exactly what happened? So much for Google being concerned about the security of their users first. It is also suspicious why Akamai lied about how they learned of the bug and even after changing their story they refuse to say how they learned about it. Something smells fishy to me and since Google discovered it I suspect them first.

  • Reply 54 of 68
    gatorguygatorguy Posts: 24,178member
    mstone wrote: »
    Which backbone? It wouldn't be a huge leap to wonder if Google planned to never inform it's competitors even though those competitors also represent many of Google's users. Could it be that Google would like nothing better than having the media publicize that the likes of Yahoo was compromised, which is exactly what happened? So much for Google being concerned about the security of their users first. It is also suspicious why Akamai lied about how they learned of the bug and even after changing their story they refuse to say how they learned about it. Something smells fishy to me and since Google discovered it I suspect them first.

    What would be the advantage? All their users would still be vulnerable.

    Why would the OpenSSL core team want to keep it quiet? Why did Redhat try to keep it quiet? I guess they were all in cahoots against . . . ummm. who?
  • Reply 55 of 68
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Gatorguy View Post

     
    What would be the advantage? All their users would still be vulnerable.



    Why would the OpenSSL core team want to keep it quiet? Why did Redhat try to keep it quiet? I guess they were all in cahoots against . . . ummm. who?

    I've already speculated why Google might want to withhold the info from their competitors. As far as OpenSSL and Redhat, they each learned of the problem one and two days respectively before it went public and the reason for the delay was that the leader of the OpenSSL team lives in India and the alert was sent to him while he was asleep and the other members of the OpenSSL committee did not want to overstep their authority until he was able to awake. By the time that happened Codenomicon had already spilled the beans. That is a little more than 24 hours delay compared to a few weeks that Google kept the secret.

  • Reply 56 of 68
    gatorguygatorguy Posts: 24,178member
    mstone wrote: »
    I've already speculated why Google might want to withhold the info from their competitors. As far as OpenSSL and Redhat, they each learned of the problem one and two days respectively before it went public and the reason for the delay was that the leader of the OpenSSL team lives in India and the aleart was sent to him while he was asleep and the other members of the OpenSSL committee did not want to overstep their authority until he was able to awake. By the time that happened Codenomicon had already spilled the beans. That is a little more than 24 hours delay compared to a few weeks that Google kept the secret.

    A few weeks? Codemonicon learned of it on April 2nd and kept it under wraps. They told CERT 3 days later. OpenSSL was officially advised on 1st and wanted it kept quiet, shared only under NDA, until the 9th.

    Neither April 1st or 2nd is "several weeks later". Your initial reaction may have been Google should have just openly announced the find on March 21st but I can't imagine you'd still disagree that disclosing it in an orderly and quiet manner was the best way to handle it.
  • Reply 57 of 68
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Gatorguy View Post

     
    OpenSSL was officially advised on 1st and wanted it kept quiet, shared only under NDA, until the 9th.


     


    Neither April 1st or 2nd is "several weeks later". 


    I was unaware that OpenSSL required any NDAs. It was my understanding that only Google was requiring NDAs.

     

    I said a few weeks not several, but perhaps I should have said a couple weeks.

  • Reply 58 of 68
    gatorguygatorguy Posts: 24,178member
    mstone wrote: »
    I was unaware that OpenSSL required any NDAs. It was my understanding that only Google was requiring NDAs.

    I said a few weeks not several, but perhaps I should have said a couple weeks.

    OpenSSL and RedHats "Under embargo" is essentially the same as NDA. And March 21st to April 1st is 10 days, not even two weeks. As you didn't comment on whether it would have been a good idea to keep the information as private as possible until all the majors had an opportunity to patch, I'll assume you do not and still think all the players should have publicized it as soon as they became aware. I don't immediate disclosure to the US government would have been wise and would possibly have led to a whole lot more than an attack on the Canadian IRS. The Feds could well have prevented Google from disclosing it at all under a National Security order. If the NSA was actively taking advantage of it I think that's exactly what would have happened.

    As one of the Debian devs put it ""I think we would have managed to handle it properly if the embargo didn't break."
  • Reply 59 of 68
    mstonemstone Posts: 11,510member
    Quote:



    Originally Posted by Gatorguy View Post

     
    As you didn't comment on whether it would have been a good idea to keep the information as private as possible until all the majors had an opportunity to patch, I'll assume you do not and still think all the players should have publicized it as soon as they became aware. 


    If you consider Akamai and CloudFlare as bigs and the federal government, banks, router / infrastructure providers and social media as not big then I consider you confused.

  • Reply 60 of 68
    gatorguygatorguy Posts: 24,178member
    mstone wrote: »
    If you consider Akamai and CloudFlare as bigs and the federal government, banks, router / infrastructure providers and social media as not big then I consider you confused.
    I'd consider you naive if you think the US government should have been notified at first discovery. It could have been the first and last disclosure of it depending on how useful it was to intelligence agencies.
Sign In or Register to comment.