“Two recently-discovered flaws in Apple iOS and Mac OS X have security experts openly asking whether the software vulnerabilities represent backdoors inserted for purposes of cyber-espionage,” Ellen Messmer reports for Network World. “There’s no clear answer so far, but it just shows that anxiety about state-sponsored surveillance is running high.”
“‘One line of code — was it an accident or enemy action? I don’t know, but it’s the kind of bug I’d put in,’ remarked Bruce Schneier, chief technology officer at Co3 Systems, about the flaw in Apple OS X SSL encryption that was revealed last week,” Messmer reports. “Schneier, a cryptography expert, alluded to the Apple SSL flaw during his presentation on government surveillance Tuesday at the RSA Conference in San Francisco. The point, he says, is that the U.S. National Security Agency as well as other governments involved in aggressive mass surveillance are going to take any means necessary, including finding ways to put backdoors into commercial products, such as by code tampering.”
“Security vendor FireEye Tuesday revealed yet another Apple software flaw that it says allows for key-logging of iOS devices such as iPhones,” Messmer reports. “Was this just a simple coding mistake or something more sinister, such as a backdoor purposefully put into iOS 7.0?”
Read more in the full article here.
Related articles:
Rush Limbaugh explains OS X ‘GotoFail’ security flaw, says Apple ‘played it just right’ – February 25, 2014
Apple fixes OS X ‘GotoFail’ security flaw after four days of snowballing criticism – February 25, 2014
Apple releases OS X Mavericks 10.9.2 – February 25, 2014
Apple on OS X ‘GotoFail’ flaw: – February 25, 2014
Security expert captures all SSL traffic via Apple’s OS X ‘GotoFail’ flaw – February 25, 2014
Apple’s deafening silence on ‘GotoFail’ security flaw – February 24, 2014
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014
Not much surprises me with regard to this anymore.
I continue to be surprised by the level of paranoia. If Apple was going to install a backdoor for the NSA (and I do *not* believe that they have done so or will do so in the future), then it would not be so obvious.
This was, plain and simple, a stupid coding error that should have been caught at some point of the code review/quality control process. Apple screwed up. It happens.
I agree.
This could be a stupid coding error, or it could not be.
Remember that Apple can unlock a password-protected iPhone; they have a queue for authorities for that.
This is only possible because Apple intentionally left a backdoor (they would call it a “bug” if it were found). Sometimes those backdoors are so intricate (for example, you have to perform a totally weird sequence of physical button presses and screen touches) that they could never be found.
Code is not open source, so this is the way to do it.
No. SSL bug is a bonehead coding error. Key loggers are on all platforms. Most malware are key loggers.
Well, I’m not sure it’s accurate to say ‘most malware are key loggers’. Most tend to be Trojan horse botware that turn your machine into a spambot.
Having said that, however, once a Mac is owned, key logging is dirt easy.
Note that there are A LOT of ‘legal’ key loggers for Mac, commonly used on commercial/enterprise computers to keep track of workers. They’re also very common among other networks where there is a considerable ‘LUSER’ factor, clients on the network that attract malware and other problems via their behavior. This can include home computer surveillance by mummy and duddy.
Spelling error due to my modern slang illiterate spell checker: “…once a Mac is PWNED…” 😉
The ability to edit your own posts, I want an app for that. 🙂
Tell me about it.
I can edit stuff I post at The Guardian, ArsTechnica, The Register, TechDirt, blahblahblah. But not here at MDN because of the limitations of goofy WordPress. 🙁
an NSA agent walks into a bar, the bartender says I got a joke for you, the NSA agent says “heard it.”
Wow…..I like it!
😆 Clever fellow.
Reword…
An NSA agent walks into a bar. The bartender says, “I got a joke for you.” The NSA agent replies, “I heard all your jokes.”
Brevity is the soul of wit.
If they really wanted this to be less obvious they should have had a ‘;’ behind the if statement and have only 1 ‘goto fail:’. And not put it in open source code…
“And not put it in open source code…”
Exactly!
[tin foil hat goes on] Maybe they’re trying to divert attention from the more nefarious code four lines below. Mwahaahaa. [tin foil stays on]
1) How sick that we have to be paranoid about our own US government. Well done #MyStupidGovernment. You raped yourselves, destroying the Fourth Amendment to the US Constitution. Telling you to go frack yourselves is now redundant. Next step: Impeachment.
2) The crap-coding that caused the Apple SSL flaw is very recent, within the past year. Therefore, I tend to consider the justified paranoia factor to be very low. But we’ll never know, no doubt, unless we have another patriot whistleblower bring this further treasonous crime into public view.
∑ = There are more important problems to consider. What’s with this key logging thingy? Back to research mode…
Wow, someone dinged me down to one star! Work for the NSA? Or just oblivious? There’s lots of oblivious going around these days. 😛
you big ol’ conspiracy theorist!
http://www.nationaljournal.com/tech/nsa-wants-to-expand-phone-database-because-of-privacy-suits-20140226
OMF, it just keeps getting more surreal:
The Obama administration asked a federal surveillance court on Wednesday for permission to hold millions of phone records longer than the current five-year limit.
A five-year limit on holding ILLEGAL, UNCONSTITUTIONAL mass surveillance records of US citizens on US soil.
No Obama administration, you get a ZERO-year limit to hold Fourth Amendment destroying mass surveillance records of US citizens on US soil. GO TO JAIL, go directly to jail. Do not pass Go. Do not collect $200. You blithering idiots.
#MyStupidGovernment at work. 😛
The OBAMA administration asked a federal surveillance court on Wednesday for permission to hold millions of phone records longer than the current five-year limit.
OBAMA Team: Help Us Spy On You Better
NSA Tries–but Fails–to Collect Data on Most Calls
Secret Court Approves OBAMA’s Changes to NSA Phone Sweeps
The Justice Department argued that data needs to be maintained as evidence for the slew of privacy lawsuits filed in the wake of Edward Snowden’s leaks about National Security Agency surveillance. The American Civil Liberties Union, the Electronic Frontier Foundation, and other groups are suing to shut the program down, claiming it violates the constitutional rights of millions of Americans.
Hey NSA: One reason the EFF is able to sue you is because I GAVE THE EFF MONEY! Come and get me! I’m an actual patriot. You belong in jail.
“Come and get me!”
That can be arranged, unless, of course, you can be granted asylum in Russia.
Or China. 🙄 Not Snowden’s best move by any means. Oops.
I can find no fault with Snowden, unquestionably the most courageous man of this generation.
No offense, but you’re really full of shit.
None taken; it is difficult to be offended by someone who calls themselves “Just wow!”
I like seeing as many POVs as possible in order to get a 3D view of anything. My beef with Snowden is that Iceland repeatedly offered him asylum, and he ignored them repeatedly. He chose to remain in China (albeit Hong Kong) then fly off to Russia. Both countries are criminal nations in which I would NEVER wish anyone to live. They are scum next to the USA, even now. So Snowden offers them some sort of legitimacy by going there? EXTREMELY bad judgement, IMHO.
That garbage aside, thank goodness for Snowden’s bravery, insight and sacrifice. He has been an EXCELLENT spokesman and has handled this issue brilliantly. I wish he could simply return to the USA without prosecution and live a life worthy of a loyal US citizen.
I think he didn’t consider Iceland because US spooks would simply come get him there. However, “darn tootin’, don’t fsck with ol’ Vlad The Impaler Putin.” Hence, Mother Russia.
I forgot to add my usual line that: I’m sure there’s more to all of this than I can comprehend. I don’t know his motivation. I simply can’t approve of his choice of havens. They were choices, albeit with unknown other forces in force.
He may have been concerned with an imminent eruption of the Katla volcano. CIA specialists are widely knowledgeable.
Or maybe he’s a teetotaler. I’m told that alcohol is de rigueur for surviving the Icelandic winter. 😉
Derek is welcome here, in NL. We spy too, but are allowed to give the government hell about it.
>>> 1) How sick that we have to be paranoid about our own US government. Well done #MyStupidGovernment. You raped yourselves, destroying the Fourth Amendment to the US Constitution. Telling you to go frack yourselves is now redundant. Next step: Impeachment.
Correct me if I’m wrong, but aren’t the people that are doing this the same people that would implement the “impeachment”, and the same people that wrote the laws making all of this illegal?
My head hurts.
NO laws were written to allow mass surveillance of US citizens on US soil. If there had been, they’d be on the way to the US Supreme Court for revocation. NO, the so-called ‘Patriot Act’ does NOT attack the Fourth Amendment of the US Constitution in any way. Instead, it created FISA, which demands that all secret surveillance go through the FISA courts, aka FISC.
The problem is that, among other things, the W. Bush and Obama administrations BROKE the Patriot Act by either:
A) Skipping the FISA courts entirely, which led to legal action during the W. Bush administration,
OR
B) LYING to the FISA courts about what they were actually doing, which is now extremely well documented. (FU Mr. Clapper!)
OR
C) Bullying the FISA courts into ILLEGALLY allowing mass surveillance, which has been documented to have happened A LOT, and continues right now!
As for who does the impeaching, that would be that shite hole called the US Congress. I only know of ONE senator who has pointed out that all mass surveillance is unconstitutional at all times. That is Rand Paul, a quirky libertarian.
Then we have a worthless judge who threw out an ACLU case against these crimes, claiming that mass surveillance is ‘legal’, which any 6th grader knows is bullshit. What was this criminal judge’s name? Oh yeah. US district judge William Pauley.
So yeah. How do we get this vast gang of treasonous scum impeached and tried for treason when THEY are the criminals?
My only source of hope is the rise of viable, representative THIRD parties. To hell with both Democrats and Republicans, who have both brought these crimes and decadence upon all citizens of the USA.
secret courts are constitutional?
There’s a question!
I’m too burned from the day to research the law regarding the subject. I suspect some other folks here know the answer off the top of their head.
I can relieve your exhaustion: yes, they are blatantly unconstitutional; it was only a rhetorical question.
The constitutional standard for all search warrants is probable cause of crime. FISA, however, established a new, different and lesser standard — thus unconstitutional on its face since Congress is bound by, and cannot change, the Constitution — of probable cause of status. The status was that of an agent of a foreign power. So, under FISA, the feds needed to demonstrate to a secret court only that a non-American physically present in the U.S., perhaps under the guise of a student, diplomat or embassy janitor, was really an agent of a foreign power, and the demonstration of that agency alone was sufficient to authorize a search warrant to listen to the agent’s telephone calls or read his mail.
Over time, the requirement of status as a foreign agent was modified to status as a foreign person. This, of course, was an even lesser standard and one rarely rejected by the FISA court. In fact, that court has rarely rejected anything, having granted search warrants in well over 97 percent of applications. This is hardly harmless, as foreign persons in the U.S. are frequently talking to Americans in the U.S. Thus, not only did FISA violate the privacy rights of foreigners (the Fourth Amendment protects “people,” not just Americans); it violated the rights of those with whom they were communicating, American or non-American.
It gets worse. The Patriot Act, which was enacted in 2001 and permits federal agents to write their own search warrants in violation of the Fourth Amendment, actually amended FISA so as to do away with the FISA-issued search warrant requirement when the foreign person is outside the U.S. This means that if you email or call your cousin in Europe or a business colleague in Asia, the feds are reading or listening, without a warrant, without suspicion, without records and without evidence of anything unlawful.
It’s just causing a feeding frenzy.
Spooks=FUD=FUDfighters
The reality is, spies do spy things; since the advent of Stuxnet, anything is possible. Every company might have a code-modding mole. However, I thought it was standard practice in debugging to check for dead code right before compiling. A dead code check would have caught this, I think.
Ideal conditions vs financial mandates will usually be a big problem. “I WANT IT YESTERDAY!” “I WANT IT CHEAP!” tend to be the usual cries from software clients. Therefore, every possible corner gets cut. The code doesn’t get documented (which is a supremely expensive short term shortcut!). Crap code isn’t vetted. (This too can be an incredibly expensive self-damnation).
Short term thinking, long term disaster. If there’s a mantra for our times, that’s it.
Please shut me up! Sorry to dominate the conversation. Too much caffeine.
But Apple is known for having good code. It’s Microsoft that produced spaghetti code. Have things come to having good hardware cut the software?
I have no insight into that at Apple. I know Apple keeps a limit on the number of internal coders on particular projects. We had 10.9.2 beta iterating for months, which was kind of odd. Clearly, Apple had other coding priorities going on. I have no idea what they were.
The challenge of course is to balance time and money and come out on target with whatever budget is set, for whatever reason. Good luck with that.
“Other coding priorities” = “inserting new back doors for NSA.”
It’s nauseating to realize you might be correct.
If the NSA was honorable, if they cared about the law, I might not care! But they’re plain old fascist about the entire endeavor, FUDing us all into approval of their crimes, puke, gag, barf.
Messmer makes up something out of the blue without a shred of evidence to back up her vapor-idea and then throws out “There’s no clear answer so far” as if it is an ongoing investigation.
“Hey Ellen, we need a story for Wednesday, go make something up”
My vapor-idea? It was a developer’s shortcut that they forgot to take out of the finished product.
Ridiculous. The NSA, FBI, Homeland Security, etc. have far more sophisticated methods of collecting data than logging every Mac OS X user’s keystrokes and trying to figure out whether Joe is organizing a terrorist cell or surfing porn.
Conspiracy theorists please go back down to the basement.
Ridiculous is trying to actually use a government website, but I guess the ACA site is just one of them there ol’ conspiracies.
No kiddin’
If the NSA wants to get into all your computers, the methods are going to be enormously more powerful and enormously more effective than this stupid little bug.
save us Obama Messiah!
There is no benefit under any circumstances to put in a back door, as the people who search for them may indeed be far smarter than the people who put them in.
That means they might exploit them for years undetected.
Build sound code by all means necessary.
Anyone can put the source code into a GREP editor and do hundreds of different forms of text checking for various syntax, formatting and simple character errors in a very short time and then follow it up with very sophisticated code checking routines.
I would have thought that extremely sophisticated error checking is just routine in a large company like Apple at this point. This error must have simply not been checked for.
One of my duties in a prior life was regression testing for a very complex set of applications that gathered tens of GB of data daily, stored it in an Oracle DB, analyzed it, displayed it, and performed customer billing based on it. It took 4 of us 8 weeks every time an update was made to the application suite to check it out before deployment. First we developed a list of application requirements. From these we developed test cases for each and every feature and function. The test cases were then converted to test lab items. There were dozens of categories, with hundreds of test lab items to be performed in each category, usually several per function. Each test lab item had to be set up and run manually for review by one of us. This involved creating data including all possible characteristics, to be run through the test lab item. Each test lab item might have from 5 to 30 or so detailed steps.
Running through hundreds of these test lab items per day was tedious and boring. There was great temptation to take shortcuts, but having to record the procedures and outcomes in a reviewable form discouraged that, and any such fudging would have been immediately traceable if something like this piece of code would have showed up. A test lab item written for this particular application and this instance of code in particular would have required that we could establish an SSL connection with an authenticated server, and that an unauthenticated server, or a spoofed server would have been rejected. We would have had to demonstrate and record the method and results in our testing application’s database. But in the end, if we simply wanted to cut corners we could have done it. We could have reported a test item as “successful” when it wasn’t and assumed that nobody would ever actually look at the test records.
I think this is what happened at Apple. I think someone under a lot of pressure to deliver fully tested and functional software “yesterday” simply took a shortcut and hoped for the best.
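The duplicated “goto fail” that the thread keeps coming back to (the dead-code point above, and this commenter’s “authenticated server accepted, spoofed server rejected” test item), as an added, constructed model that is not Apple’s Secure Transport code: a buggy verifier next to the fixed one, over a toy hash and toy signature so the check can actually be run. The step names, error codes and toy primitives are all made up here.

```c
/* Constructed model of the duplicated "goto fail" control-flow bug.
 * Not Apple's code: step names, error codes and the toy hash/signature
 * are made up here so the pattern runs stand-alone. */
#include <stddef.h>
#include <stdint.h>

#define ERR_NONE 0   /* success */
#define ERR_HASH 1   /* a hashing step failed */
#define ERR_SIG  2   /* signature did not verify */

/* Toy hash: sums the bytes of data into *h (stand-in for SHA-1 etc.). */
static int hash_update(uint32_t *h, const char *data) {
    if (data == NULL) return ERR_HASH;
    for (; *data; data++) *h += (unsigned char)*data;
    return ERR_NONE;
}

/* Toy verify: the "signature" must equal the transcript hash. */
static int verify_signature(uint32_t h, uint32_t sig) {
    return (h == sig) ? ERR_NONE : ERR_SIG;
}

/* BUGGY: the second 'goto fail;' is unconditional, so every later step,
 * verify_signature() included, is dead code and err is still ERR_NONE at
 * fail:. clang -Wunreachable-code and GCC -Wmisleading-indentation flag it. */
int verify_buggy(const char *params, uint32_t sig) {
    int err;
    uint32_t h = 0;
    if ((err = hash_update(&h, "client-random")) != 0)
        goto fail;
    if ((err = hash_update(&h, "server-random")) != 0)
        goto fail;
        goto fail;                              /* the extra line */
    if ((err = hash_update(&h, params)) != 0)   /* never reached */
        goto fail;
    if ((err = verify_signature(h, sig)) != 0)  /* never reached */
        goto fail;
fail:
    return err;
}

/* FIXED: every goto is guarded, so a forged signature yields ERR_SIG. */
int verify_fixed(const char *params, uint32_t sig) {
    int err;
    uint32_t h = 0;
    if ((err = hash_update(&h, "client-random")) != 0)
        goto fail;
    if ((err = hash_update(&h, "server-random")) != 0)
        goto fail;
    if ((err = hash_update(&h, params)) != 0)
        goto fail;
    if ((err = verify_signature(h, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* What a genuine signer would produce over the same transcript. */
uint32_t genuine_signature(const char *params) {
    uint32_t h = 0;
    hash_update(&h, "client-random");
    hash_update(&h, "server-random");
    hash_update(&h, params);
    return h;
}
```

Feeding `genuine_signature("dh-params") + 1` (a forged value) to both verifiers shows the difference: the buggy one returns ERR_NONE, the fixed one ERR_SIG, and the buggy one even swallows a NULL params error because that step is dead too.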
It’s pretty simple to accomplish this if you think about it.
Find Apple software engineers working on the specific parts of the OS you want to compromise. Offer the engineers large sums of money to introduce bugs. Wait until you receive the all clear.
Sit back and report in your documents that Apple was “added” to PRISM.
If I was Tim Cook, I’d be investigating everyone who had access to that code, tracking when the changes were made and working backwards.
Hmm, you know ppl, this MIGHT be the reason Scotty F got ditched by Timmy… sure there was a war between Ive and SF and no Jobs to protect him anymore, but maybe he was an NSA mole… Eric S definitely was a Google mole (self evident)
As I said before, iOS 7 has a back door.
Hey Derek Currie, you do have a lot to say today. Not that I disagree with any of it.
However, with all your loose talk about the government and NSA you might find some black Suburbans pull up in front of your house soon. These are not good, honorable people you are speaking of.
Be careful my friend.
“… backdoors for government spooks”?
There’s a lot of those kind of women now.
I think it’s the aliens attempting to gather enough information about our stupid species, so they can easily colonize and take over… Where the hell do you think all the “reality” TV shows came from? They’re just a distraction, so we don’t notice until it’s too late.
Sorry, but the reality shows are just us doing ourselves in. Alien invaders merely need exercise a modicum of patience, as we advance in our stupification, until they can easily slither in and take over.
This is 100% NSA, and don’t believe this is a coincidence.
I understand that Amazon is fresh out of tinfoil hats, but I wouldn’t trust the ones on eBay, some of them aren’t tinfoil…