'iBoot' leak may stem from low-level Apple engineer with ties to jailbreaking community


Comments

  • Reply 21 of 39
    So there is a MOLE inside of Apple. This spy probably caused the recent security vulnerabilities with passwords on IOS. These mistakes are so basic, no experienced programmer should have caused them. They were deliberately introduced into IOS.
    LOL

    Your tin-foil hat is extra shiny.
  • Reply 22 of 39
    metrix (256 posts, member)
    Can we hang him for treason?
  • Reply 23 of 39
    metrix said:
    Can we hang him for treason?
    Nah.

    I like him.  He’s funny!

    His story:  A spy goes to all the trouble to steal Apple’s ‘secret sauce’ then posts evidence of his misdeed on GitHub.  

    Should we call this spy “Inspector Clouseau”?

    https://m.youtube.com/watch?v=SXn2QVipK2o
  • Reply 24 of 39
    metrix said:
    Can we hang him for treason?
    No.
  • Reply 25 of 39
    Rayz2016 (6,957 posts, member)
    So there is a MOLE inside of Apple. This spy probably caused the recent security vulnerabilities with passwords on IOS. These mistakes are so basic, no experienced programmer should have caused them. They were deliberately introduced into IOS.
    The problem wasn’t that the bugs were introduced; the problem was that they weren’t discovered. Whether or not they were introduced deliberately is not the issue.
  • Reply 26 of 39
    Rayz2016 (6,957 posts, member)
    The other thing is that the source code being released should not compromise the security of the operating system. If it does, then Apple has some tidying up to do. 



  • Reply 27 of 39
    So there is a MOLE inside of Apple. This spy probably caused the recent security vulnerabilities with passwords on IOS. These mistakes are so basic, no experienced programmer should have caused them. They were deliberately introduced into IOS.
    Yeah no. As an actual enterprise software engineer of two decades, I can tell you nothing is simple and issues usually arise from multiple unexpected conditions. 

    What’s your experience? And which iOS issues are you referring to?
  • Reply 28 of 39
    thrang said:
    It still doesn't make any sense that the coding environment at this level is not fully isolated. There should be no way to move code from the site. Period. I work in the financial industry, and things are locked down to the point that you cannot access a working USB port to connect anything, and email/attachment access is insanely controlled or outright restricted. Every packet is sniffed. For a company like Apple, I would think the restrictions would/should be even greater. You cannot simply "have faith" people will do the right thing. How this was not firewalled (no email, no internet, no functional ports for external devices, etc.) is mystifying...This does not seem to be the real story, and the premise of the theft and "quotes" seem downright silly...
    I fully agree. And my experiences are similar. No cloud access whatsoever, any hardware port is locked and only accessible with special rights. Even then, only certified hardware actually works, such as USB sticks that are encrypted and only decryptable on other certified machines. And for sure forget about emailing stuff to the outside world. Still, however, I would not rule out the chance of the one forgotten device in the cellar, or some other hole.
  • Reply 29 of 39
    thrang said:
    It still doesn't make any sense that the coding environment at this level is not fully isolated. There should be no way to move code from the site. Period. I work in the financial industry, and things are locked down to the point that you cannot access a working USB port to connect anything, and email/attachment access is insanely controlled or outright restricted. Every packet is sniffed. For a company like Apple, I would think the restrictions would/should be even greater. You cannot simply "have faith" people will do the right thing. How this was not firewalled (no email, no internet, no functional ports for external devices, etc.) is mystifying...This does not seem to be the real story, and the premise of the theft and "quotes" seem downright silly...
    It’s not quite that simple.  As an IT person (not a programmer) YouTube and the internet in general is a tremendous resource.  Companies might want to block YouTube (For example) to keep employees from wasting time, but it’s also an important resource.  GitHub is the equivalent for programmers...

    The problem is Apple should have noticed their code leaving the building (they have the resources to do so).  Basically you take a hash (fingerprint) of important files and monitor if that hash (file) goes out to an external IP address (leaves the building).

    The problem is we don’t know how the files left.  They weren’t directly uploaded to GitHub.  They might have been taken home on a corporate laptop (work from home or consultant scenario) or USB drive (which can be disabled).  Remember this was probably done by a proficient programmer... there is always a way.  It could have been by screenshots of code, then reconstructed as text/code.  You could encrypt the files, then send them by email (bypassing the file scanning).

    The point is there is no way to create a perfectly protected environment.  You can airgap (no network connections) the programmers machines and outlaw electronic devices in the building.  But we’re talking about software for connected mobile devices...  no work would get done.

    At some point you have to rely on NDA’s and an army of lawyers as a protective/deterrent, but people often don’t think about the consequences until it’s too late.

    Basically things like this are inevitable.  The only good thing is it’s code from a few generations ago, and an army of security specialists are going to be examining the code in hopes of getting the $200,000 bug bounties.  Hopefully they find most of the bugs before the bad guys do...
    I would assume that emailing to any non-corporate email address is not possible for employees that basically would have no corporate need to do so. And you can also prohibit sending encrypted attachments, at least to the outside world, or non-explicitly whitelisted recipients. Screenshots might be a way, but that would be a lot of shots to be taken I’d assume. How many LOC are we talking here?
    At the end I agree with you that it comes down to the amount of criminal energy. And the value of the “prize”. 
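    The fingerprint-and-monitor idea raised in the quoted post above (hash important files, alert when that hash heads to an external address) is easy to sketch. The following is an added example, not code from the thread or from any company mentioned in it; every file name, user, IP address and "outbound transfer" record in it is constructed, and the corporate address ranges are an assumption. It goes one step beyond the post by also fingerprinting individual source lines, so a partial copy (a few functions pasted out of a file) still raises an alert, which a whole-file hash alone would miss.

```python
"""Fingerprint sensitive source files and flag outbound transfers that carry them.

Added example (not from the forum thread). All sample data below is constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Lines shorter than this (e.g. '}' or 'return -1;') are too generic to fingerprint.
MIN_LINE_LEN = 12

# Assumption: these are the organisation's internal ranges; anything else is "outside".
CORP_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def line_hashes(data: bytes) -> set:
    """Hash each stripped, non-trivial line so a partial or reordered copy still matches."""
    return {sha256_hex(raw.strip()) for raw in data.splitlines() if len(raw.strip()) >= MIN_LINE_LEN}


@dataclass
class Registry:
    whole: dict = field(default_factory=dict)        # sha256(file)  -> path
    lines: dict = field(default_factory=dict)        # sha256(line)  -> path (last writer wins)
    line_counts: dict = field(default_factory=dict)  # path -> number of fingerprinted lines

    def register(self, path: str, data: bytes) -> None:
        self.whole[sha256_hex(data)] = path
        hashes = line_hashes(data)
        self.line_counts[path] = len(hashes)
        for h in hashes:
            self.lines[h] = path


@dataclass
class Transfer:
    """One observed outbound transfer, as a proxy or mail gateway might log it."""
    src_user: str
    dst_ip: str
    channel: str   # e.g. 'https', 'smtp', 'usb'
    payload: bytes


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORP_NETS)


def scan_transfer(reg: Registry, t: Transfer, partial_threshold: float = 0.3) -> list:
    """Return alert strings for this transfer; an empty list means nothing matched."""
    if not is_external(t.dst_ip):
        return []  # internal moves are not alerted on in this example
    whole = sha256_hex(t.payload)
    if whole in reg.whole:
        return [f"FULL {reg.whole[whole]} -> {t.dst_ip} via {t.channel} by {t.src_user}"]
    # Partial match: how many fingerprinted lines of each registered file appear in the payload?
    hits = {}
    for h in line_hashes(t.payload):
        path = reg.lines.get(h)
        if path:
            hits[path] = hits.get(path, 0) + 1
    alerts = []
    for path, n in hits.items():
        frac = n / reg.line_counts[path]
        if frac >= partial_threshold:
            alerts.append(f"PARTIAL {path} ({frac:.0%} of lines) -> {t.dst_ip} via {t.channel} by {t.src_user}")
    return alerts


# --- constructed sample data: a made-up file, not any real vendor's code ---
SECRET_C = b"""\
static int verify_image_header(const struct img_header *hdr)
{
    if (hdr->magic != IMG_MAGIC)
        return -1;
    if (hdr->payload_len > MAX_PAYLOAD_LEN)
        return -1;
    return check_signature(hdr->sig, hdr->payload, hdr->payload_len);
}
"""
PARTIAL_LEAK = b"""static int verify_image_header(const struct img_header *hdr)
{
    if (hdr->magic != IMG_MAGIC)
        return -1;
"""


def demo() -> list:
    """Register the sample file and scan four constructed transfers; returns the alerts."""
    reg = Registry()
    reg.register("src/verify.c", SECRET_C)
    transfers = [
        Transfer("alice", "203.0.113.10", "https", SECRET_C),        # full copy to an outside host
        Transfer("alice", "203.0.113.10", "smtp", PARTIAL_LEAK),     # fragment to an outside host
        Transfer("bob", "10.0.0.5", "smb", SECRET_C),                # internal file share, ignored
        Transfer("bob", "198.51.100.7", "https", b"hello world, nothing sensitive here\n"),
    ]
    alerts = []
    for t in transfers:
        alerts.extend(scan_transfer(reg, t))
    return alerts


if __name__ == "__main__":
    for a in demo():
        print(a)
```

    The whole-file hash is cheap and exact but brittle: one changed byte defeats it. The per-line hashes trade some false-positive risk (boilerplate lines shared across many files) for resilience against partial copies, which is why trivial short lines are excluded and a match is only reported once a reasonable fraction of a file's lines show up together. Real DLP products do the same with content-defined chunks rather than lines so that binary and non-source data can be fingerprinted too.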
  • Reply 30 of 39
    foggyhill said:
    maestro64 said:
    lkrupp said:
    Well, my first question would be how could a “low-level” employee have clearance to access source code, the keys to the kingdom?

    Yeah that is the Billion $ question, usually source code access is controlled by what subsystems you work on, only upper level people would have full access to all the code and code branches. There is more to this story which is not being told.
    Low level here obviously means kernel, drivers, firmware, whatever... Has nothing to do with clearance.
    Ah good point!  That makes sense, but I expect most people will interpret that in the more mainstream "just a flunky" sense.
  • Reply 31 of 39
    thrang said:
    It still doesn't make any sense that the coding environment at this level is not fully isolated. There should be no way to move code from the site. Period. I work in the financial industry, and things are locked down to the point that you cannot access a working USB port to connect anything, and email/attachment access is insanely controlled or outright restricted. Every packet is sniffed. For a company like Apple, I would think the restrictions would/should be even greater. You cannot simply "have faith" people will do the right thing. How this was not firewalled (no email, no internet, no functional ports for external devices, etc.) is mystifying...This does not seem to be the real story, and the premise of the theft and "quotes" seem downright silly...
    It’s not quite that simple.  As an IT person (not a programmer) YouTube and the internet in general is a tremendous resource.  Companies might want to block YouTube (For example) to keep employees from wasting time, but it’s also an important resource.  GitHub is the equivalent for programmers...

    The problem is Apple should have noticed their code leaving the building (they have the resources to do so).  Basically you take a hash (fingerprint) of important files and monitor if that hash (file) goes out to an external IP address (leaves the building).

    The problem is we don’t know how the files left.  They weren’t directly uploaded to GitHub.  They might have been taken home on a corporate laptop (work from home or consultant scenario) or USB drive (which can be disabled).  Remember this was probably done by a proficient programmer... there is always a way.  It could have been by screenshots of code, then reconstructed as text/code.  You could encrypt the files, then send them by email (bypassing the file scanning).

    The point is there is no way to create a perfectly protected environment.  You can airgap (no network connections) the programmers machines and outlaw electronic devices in the building.  But we’re talking about software for connected mobile devices...  no work would get done.

    At some point you have to rely on NDA’s and an army of lawyers as a protective/deterrent, but people often don’t think about the consequences until it’s too late.

    Basically things like this are inevitable.  The only good thing is it’s code from a few generations ago, and an army of security specialists are going to be examining the code in hopes of getting the $200,000 bug bounties.  Hopefully they find most of the bugs before the bad guys do...
    I would assume that emailing to any non-corporate email address is not possible for employees that basically would have no corporate need to do so. And you can also prohibit sending encrypted attachments, at least to the outside world, or non-explicitly whitelisted recipients. Screenshots might be a way, but that would be a lot of shots to be taken I’d assume. How many LOC are we talking here?
    At the end I agree with you that it comes down to the amount of criminal energy. And the value of the “prize”. 
    Where there is a will, there is a way...

    Take the code and embed it in images of cats.  Can you read your emails outside of the office?  Send the encrypted email to yourself (so that it never leaves the Corp. email system).

    You could make email attachments forbidden entirely, which also helps with phishing scams, but you just handicapped your users.

    The best you can do (in many situations) is have forensic evidence to nail people’s asses to the wall after the fact.

    Networks are generally pretty good at perimeter defense, battling malicious internal people (or just stupid users) is really hard.

    I can think about dozens of ways to bypass any security measures.  How about creating a private Facebook page, and posting the code there.  Or, logging into your banking site and pasting the code into account notes.  Many of the sites these days create secure connections, it’s not possible to monitor everything.

    Computer security is really about deterrence.  If someone is attacking from outside of the network, create enough layers to get through they look for an easier target.  Nothing is truly secure, it’s just a matter of having enough resources behind the attack.

    The problem is: Momma said “crime doesn’t pay” it really does...
  • Reply 32 of 39
    metrix (256 posts, member)
    thrang said:
    It still doesn't make any sense that the coding environment at this level is not fully isolated. There should be no way to move code from the site. Period. I work in the financial industry, and things are locked down to the point that you cannot access a working USB port to connect anything, and email/attachment access is insanely controlled or outright restricted. Every packet is sniffed. For a company like Apple, I would think the restrictions would/should be even greater. You cannot simply "have faith" people will do the right thing. How this was not firewalled (no email, no internet, no functional ports for external devices, etc.) is mystifying...This does not seem to be the real story, and the premise of the theft and "quotes" seem downright silly...
    It’s not quite that simple.  As an IT person (not a programmer) YouTube and the internet in general is a tremendous resource.  Companies might want to block YouTube (For example) to keep employees from wasting time, but it’s also an important resource.  GitHub is the equivalent for programmers...

    The problem is Apple should have noticed their code leaving the building (they have the resources to do so).  Basically you take a hash (fingerprint) of important files and monitor if that hash (file) goes out to an external IP address (leaves the building).

    The problem is we don’t know how the files left.  They weren’t directly uploaded to GitHub.  They might have been taken home on a corporate laptop (work from home or consultant scenario) or USB drive (which can be disabled).  Remember this was probably done by a proficient programmer... there is always a way.  It could have been by screenshots of code, then reconstructed as text/code.  You could encrypt the files, then send them by email (bypassing the file scanning).

    The point is there is no way to create a perfectly protected environment.  You can airgap (no network connections) the programmers machines and outlaw electronic devices in the building.  But we’re talking about software for connected mobile devices...  no work would get done.

    At some point you have to rely on NDA’s and an army of lawyers as a protective/deterrent, but people often don’t think about the consequences until it’s too late.

    Basically things like this are inevitable.  The only good thing is it’s code from a few generations ago, and an army of security specialists are going to be examining the code in hopes of getting the $200,000 bug bounties.  Hopefully they find most of the bugs before the bad guys do...
    I would assume that emailing to any non-corporate email address is not possible for employees that basically would have no corporate need to do so. And you can also prohibit sending encrypted attachments, at least to the outside world, or non-explicitly whitelisted recipients. Screenshots might be a way, but that would be a lot of shots to be taken I’d assume. How many LOC are we talking here?
    At the end I agree with you that it comes down to the amount of criminal energy. And the value of the “prize”. 
    Where there is a will, there is a way...

    Take the code and embed it in images of cats.  Can you read your emails outside of the office?  Send the encrypted email to yourself (so that it never leaves the Corp. email system).

    You could make email attachments forbidden entirely, which also helps with phishing scams, but you just handicapped your users.

    The best you can do (in many situations) is have forensic evidence to nail people’s asses to the wall after the fact.

    Networks are generally pretty good at perimeter defense, battling malicious internal people (or just stupid users) is really hard.

    I can think about dozens of ways to bypass any security measures.  How about creating a private Facebook page, and posting the code there.  Or, logging into your banking site and pasting the code into account notes.  Many of the sites these days create secure connections, it’s not possible to monitor everything.

    Computer security is really about deterrence.  If someone is attacking from outside of the network, create enough layers to get through they look for an easier target.  Nothing is truly secure, it’s just a matter of having enough resources behind the attack.

    The problem is: Momma said “crime doesn’t pay” it really does...
    Maybe she meant it doesn’t pay morally, if you have a little guy on your shoulder.  
    edited February 2018
  • Reply 33 of 39
    thrang said:
    It still doesn't make any sense that the coding environment at this level is not fully isolated. There should be no way to move code from the site. Period. I work in the financial industry, and things are locked down to the point that you cannot access a working USB port to connect anything, and email/attachment access is insanely controlled or outright restricted. Every packet is sniffed. For a company like Apple, I would think the restrictions would/should be even greater. You cannot simply "have faith" people will do the right thing. How this was not firewalled (no email, no internet, no functional ports for external devices, etc.) is mystifying...This does not seem to be the real story, and the premise of the theft and "quotes" seem downright silly...
    It’s not quite that simple.  As an IT person (not a programmer) YouTube and the internet in general is a tremendous resource.  Companies might want to block YouTube (For example) to keep employees from wasting time, but it’s also an important resource.  GitHub is the equivalent for programmers...

    The problem is Apple should have noticed their code leaving the building (they have the resources to do so).  Basically you take a hash (fingerprint) of important files and monitor if that hash (file) goes out to an external IP address (leaves the building).

    The problem is we don’t know how the files left.  They weren’t directly uploaded to GitHub.  They might have been taken home on a corporate laptop (work from home or consultant scenario) or USB drive (which can be disabled).  Remember this was probably done by a proficient programmer... there is always a way.  It could have been by screenshots of code, then reconstructed as text/code.  You could encrypt the files, then send them by email (bypassing the file scanning).

    The point is there is no way to create a perfectly protected environment.  You can airgap (no network connections) the programmers machines and outlaw electronic devices in the building.  But we’re talking about software for connected mobile devices...  no work would get done.

    At some point you have to rely on NDA’s and an army of lawyers as a protective/deterrent, but people often don’t think about the consequences until it’s too late.

    Basically things like this are inevitable.  The only good thing is it’s code from a few generations ago, and an army of security specialists are going to be examining the code in hopes of getting the $200,000 bug bounties.  Hopefully they find most of the bugs before the bad guys do...
    I would assume that emailing to any non-corporate email address is not possible for employees that basically would have no corporate need to do so. And you can also prohibit sending encrypted attachments, at least to the outside world, or non-explicitly whitelisted recipients. Screenshots might be a way, but that would be a lot of shots to be taken I’d assume. How many LOC are we talking here?
    At the end I agree with you that it comes down to the amount of criminal energy. And the value of the “prize”. 
    Where there is a will, there is a way...

    Take the code and embed it in images of cats.  Can you read your emails outside of the office?  Send the encrypted email to yourself (so that it never leaves the Corp. email system).

    You could make email attachments forbidden entirely, which also helps with phishing scams, but you just handicapped your users.

    The best you can do (in many situations) is have forensic evidence to nail people’s asses to the wall after the fact.

    Networks are generally pretty good at perimeter defense, battling malicious internal people (or just stupid users) is really hard.

    I can think about dozens of ways to bypass any security measures.  How about creating a private Facebook page, and posting the code there.  Or, logging into your banking site and pasting the code into account notes.  Many of the sites these days create secure connections, it’s not possible to monitor everything.

    Computer security is really about deterrence.  If someone is attacking from outside of the network, create enough layers to get through they look for an easier target.  Nothing is truly secure, it’s just a matter of having enough resources behind the attack.

    The problem is: Momma said “crime doesn’t pay” it really does...
    I get your point. Just for the sake of it: in the cases I know of you could not access your Corp email except from Corp devices if you had a specific clearance. So your cat would stay always on Corp machines and still you can’t get it off. No Facebook or other social media. No banking web site or any internet. Well that’s depending on the specific levels and I’m talking military and sensitive engineering groups in other industries here. No phones allowed with cameras. No screen recording on the PC possible etc. So really I guess one needs some quite sophisticated tools, and then it’s likely that you have a “customer” already for your theft. But you won’t share this to guys who shares this only with his best friend who only shares this with his best friend who accuse Tyler posts it on GitHub....
    But as said in the beginning: all a question of criminal energy plus how strong and consequent the system safeguards actually are. 
  • Reply 34 of 39
    I think of the line from 3 Days of the Condor (IIRC):

    ”Oh (my), you have no idea of the damage you’ve done.”

    I think we will see that the damage is significant and worthy of these people getting lifetime federal prison sentences. (Not only as a punishment but as a deterrent for the next asshats that think it would be fun to steal and possess critical code for whatever from whoever.  I say this as a person who never condemned the actions of Snowden because his motivations seem legitimate.)

    By their actions, these idiots have put every Apple customer at risk. 

    I hope Apple has already mitigated the risk to user info or will be able to do so. 
  • Reply 35 of 39
    Soli (10,035 posts, member)
    I think of the line from 3 Days of the Condor (IIRC):

    ”Oh (my), you have no idea of the damage you’ve done.”

    I think we will see that the damage is significant and worthy of these people getting lifetime federal prison sentences. (Not only as a punishment but as a deterrent for the next asshats that think it would be fun to steal and possess critical code for whatever from whoever.  I say this as a person who never condemned the actions of Snowden because his motivations seem legitimate.)

    By their actions, these idiots have put every Apple customer at risk. 

    I hope Apple has already mitigated the risk to user info or will be able to do so. 
    A former Kentucky judge who ran a sex trafficking ring and used his position of power to coerce girls and women is up for parole after 4 years and only has a $100k fine.
  • Reply 36 of 39
    asdasd (5,686 posts, member)
    Apple isn't hiding low level kernel code in basements. It needs to be accessed by their engineers and is probably on some internal git server. And if this guy was a low level engineer he would have full rights to it, in fact Apple may give full rights to everybody so somebody at a higher layer can investigate an issue they may be seeing.

    The way to protect against this is to make sure that the employees know they will lose their job, reputation and may face criminal proceedings for deliberate violations and export of internal code. 


  • Reply 37 of 39
    Low level engineer should have followed the same guideline I have for emails...if you wouldn't want everyone to see it, DON'T WRITE IT!
  • Reply 38 of 39
    asdasd said:
    Apple isn't hiding low level kernel code in basements. It needs to be accessed by their engineers and is probably on some internal git server. And if this guy was a low level engineer he would have full rights to it, in fact Apple may give full rights to everybody so somebody at a higher layer can investigate an issue they may be seeing.

    The way to protect against this is to make sure that the employees know they will lose their job, reputation and may face criminal proceedings for deliberate violations and export of internal code. 
    For such a person, they don’t think in terms of long-term damage or harm. 
  • Reply 39 of 39
    bitmod said:
    lkrupp said:
    Well, my first question would be how could a “low-level” employee have clearance to access source code, the keys to the kingdom?
    Because Apple orchestrated this story to force compliance on updating the software and purchasing phones capable of iOS 10

    Stats on the adoption rates of new iOS in the previous 5 years should tell you, that you do not need to orchestrate anything to switch users to a newer version of iOS.
    This is not some Android with its long tail of old OS versions, spanning 7-10 major OS releases, for fux sake.
    Of course, looking at those stats might disprove your conspiracy theory...
    edited February 2018