On the Timing of iOS's SSL Vulnerability and Apple's 'Addition' to the NSA's PRISM Program
The SSL vulnerability was introduced in iOS 6.0. It is not present in 5.1.1 and is in 6.0.
iOS 6.0 shipped on 24 September 2012.
According to slide 6 in the leaked PowerPoint deck on the NSA's PRISM program, Apple was added in October 2012.
These three facts prove nothing; it's purely circumstantial. But the shoe fits.
Sure would be interesting to know who added that spurious line of code to the file. Conspiratorially, one could suppose the NSA planted the bug, through an employee mole, perhaps. Innocuously, the Occam's Razor explanation would be that this was an inadvertent error on the part of an Apple engineer. It looks like the sort of bug that could result from a merge gone bad, duplicating the "goto fail;" line.
I see five levels of paranoia:
1. Nothing. The NSA was not aware of this vulnerability.
2. The NSA knew about it, but never exploited it.
3. The NSA knew about it, and exploited it.
4. NSA itself planted it surreptitiously.
5. Apple, complicit with the NSA, added it.
http://daringfireball.net/2014/02/apple_prism
http://support.apple.com/kb/HT6147?viewlocale=en_US&locale=en_US
bemildred
(90,061 posts)
And if it isn't, they need to ask why not? It should be.
Jesus Malverde
(10,274 posts)
They are unlikely to tell us, and it's unlikely the government will inquire.
We do know the NSA is sitting on a bunch of zero-day exploits that they are keeping unpatched.
bemildred
(90,061 posts)
How subtle.
It looks like an accident, but it circumvents that final test. I've done that to myself more than once, both on purpose and by accident. One time was actually in some authentication code I was writing (that one was an accident).
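The original post's "duplicating the goto fail; line" and the reply's "it circumvents that final test" describe the same control-flow shape. The following is an added example, not code from the thread or from Apple's SecureTransport source: the real routine names, error codes and signature check are replaced with constructed stand-ins (verify_signature, hash_update_ok, the four-byte "expected" signature are all assumptions), and only the control flow of the bug is reproduced. The vulnerable form and the hardened form sit side by side so the reader can see why the duplicated jump turns a failed check into a success.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the SecureTransport types and error codes
   (assumption: the real code uses OSStatus with 0 meaning success). */
typedef int OSStatus;
enum { errSSLOK = 0, errSSLBadSignature = -1 };

/* A preceding step that succeeds, leaving err == 0 (constructed). */
static OSStatus hash_update_ok(void) { return errSSLOK; }

/* Model of the final signature verification: succeeds only if the
   supplied bytes match a fixed constructed "expected" signature. */
static OSStatus verify_signature(const uint8_t *sig, size_t len) {
    static const uint8_t expected[4] = { 0xde, 0xad, 0xbe, 0xef };
    if (len != sizeof expected || memcmp(sig, expected, len) != 0)
        return errSSLBadSignature;
    return errSSLOK;
}

/* Shape of the bug: the second "goto fail;" is not guarded by the if,
   so it is always taken, the signature check below it never runs, and
   err still holds the 0 left by the successful hash step. The caller
   sees "success" for any signature at all. */
OSStatus verify_vulnerable(const uint8_t *sig, size_t len) {
    OSStatus err = errSSLOK;
    if ((err = hash_update_ok()) != 0)
        goto fail;
        goto fail;                       /* duplicated line: unconditional */
    if ((err = verify_signature(sig, len)) != 0)   /* dead code */
        goto fail;
fail:
    return err;
}

/* Hardened form: braces around every conditional body so a stray
   duplicated line cannot silently become unconditional, and the
   verification result is the last assignment to err before the label. */
OSStatus verify_fixed(const uint8_t *sig, size_t len) {
    OSStatus err = errSSLOK;
    if ((err = hash_update_ok()) != 0) {
        goto fail;
    }
    if ((err = verify_signature(sig, len)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    const uint8_t bogus[4] = { 0, 0, 0, 0 };          /* constructed bad signature */
    const uint8_t good[4]  = { 0xde, 0xad, 0xbe, 0xef }; /* constructed good signature */
    printf("vulnerable, bogus sig: %d (0 means accepted)\n", verify_vulnerable(bogus, 4));
    printf("fixed,      bogus sig: %d\n", verify_fixed(bogus, 4));
    printf("fixed,      good sig:  %d\n", verify_fixed(good, 4));
    return 0;
}
```

Compilers that implement -Wunreachable-code (clang does) flag the dead signature check in verify_vulnerable, which is the cheapest detection for this class of defect; a unit test that feeds a deliberately bad signature and expects rejection, as the assertions below do, catches it regardless of compiler.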
Jesus Malverde
(10,274 posts)
bemildred
(90,061 posts)
But you have to have revision control once you field it or I'm done trying to figure it out.
And with revision control, you should be able to see what changed and how, and that might help understand how it got there. If there was a prior test that got deleted and left the goto, that would suggest coding error. If not, maybe not.
I don't like goto much, but I found myself using it in authentication dialogs because of the way they work; everything else was uglier.
But Apple may not want to get too close to the idea they are not wizards, hence the silence; they can let the NSA take the heat.
Make7
(8,543 posts)
Jesus Malverde
(10,274 posts)
Another sign that Apple views this as an über-high priority bug: They also issued a patch for iOS 6. Apple doesn't want any users on iOS 6 and likes to brag about how quickly iOS users migrate to the next major version. Over two months ago Apple claimed that 74 percent of iOS devices were running iOS 7. There hasn't been a security update for iOS 6 in almost a year. I'm sure Apple doesn't want to do anything to make it easier for iOS users to stay on iOS 6, but they patched it anyhow. That's how serious it is.
http://www.zdnet.com/apple-and-the-ssltls-bug-open-questions-7000026628/