On Friday Apple announced a bug in their implementation of SSL/TLS and released iOS 7.0.6 as a security patch. At the time of this writing the desktop version of OS X has yet to get a similar patch and remains vulnerable. The first article I saw that had an explanation of the bug came from Kevin Poulsen over at Wired and outlines what is the now famous ‘goto fail;’ bug.
People are coming down on both sides of the fence including John Gruber over at Daring Fireball. Yesterday he posted On the Timing of iOS’s SSL Vulnerability and Apple’s ‘Addition’ to the NSA’s PRISM Program which has some good points about when the vulnerability was introduced and when it was added to the NSA’s toolkit. John outlines a few possibilities for what happened but excluded one theory that I’ve been proposing since we started our show.
It’s well-known that there is a vibrant black market for software exploits and that iOS is the top-dog where payouts are concerned. I jokingly laid out a scheme in our earlier episodes where talented engineers go to work at Apple or Google with the sole intent to embed as many exploits as possible for a year or two, leave the company, then sell the exploits to the highest bidder. To pull this off you’d need to cover your tracks as best you can by making the bugs look like innocuous mistakes so if you were found out by your peers you could feign ignorance. Or better yet check in as a colleague so the repository logs don’t trace back to you. This goto bug could be as simple as a double-tap paste issue when the coder accidentally hit command-v twice OR a very clever way to bypass SSL without anyone finding out for a long time. I’ve scolded my junior programmers to bracket their if/then/else clauses because things like this happen all the time, which is what makes this the perfect cover.
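To make the "double-tap paste" theory concrete, here is an added, constructed C model of the control flow behind the bug, written for this post rather than taken from Apple's Security framework source. The real function chains several hash-update calls before a signature verification; the model keeps one update, one final and one verify step, and the step names (hash_update_ok, hash_final_ok, raw_verify) are stand-ins, not Apple's identifiers. The point it shows: with the unbraced `if` and the duplicated `goto fail;`, `err` is still 0 from the previous successful call when the second goto fires, so the signature check is never reached and the function reports success for an invalid signature. The braced version beside it is the fix the "bracket your if/then/else clauses" advice would have produced.

```c
#include <stdio.h>

/* Constructed model of the 'goto fail;' control flow (not Apple's source).
 * Every step returns 0 on success and non-zero on failure, mirroring the
 * OSStatus convention. The hash steps always succeed here; only the final
 * signature verification can fail, controlled by the caller. */
static int hash_update_ok(void) { return 0; }
static int hash_final_ok(void)  { return 0; }

/* Hypothetical stand-in for the raw signature check: 0 = signature valid. */
static int raw_verify(int sig_valid) { return sig_valid ? 0 : -1; }

/* Vulnerable shape: an unbraced 'if' followed by a duplicated 'goto fail;'.
 * The second goto is unconditional, so err still holds the 0 returned by the
 * successful hash update and everything after it is dead code. */
int verify_vulnerable(int sig_valid)
{
    int err;
    if ((err = hash_update_ok()) != 0)
        goto fail;
        goto fail;                      /* duplicate line: always taken */
    if ((err = hash_final_ok()) != 0)   /* unreachable */
        goto fail;
    err = raw_verify(sig_valid);        /* unreachable: never checks the signature */
fail:
    /* buffer cleanup would go here */
    return err;                         /* 0 regardless of sig_valid */
}

/* Fixed shape: braces make each conditional body explicit, so a stray pasted
 * line cannot silently escape the condition, and the verification result is
 * what gets returned. */
int verify_fixed(int sig_valid)
{
    int err;
    if ((err = hash_update_ok()) != 0) {
        goto fail;
    }
    if ((err = hash_final_ok()) != 0) {
        goto fail;
    }
    err = raw_verify(sig_valid);
fail:
    /* buffer cleanup would go here */
    return err;
}

int main(void)
{
    printf("vulnerable, bad signature:  err=%d\n", verify_vulnerable(0));
    printf("fixed, bad signature:       err=%d\n", verify_fixed(0));
    printf("fixed, good signature:      err=%d\n", verify_fixed(1));
    return 0;
}
```

Two practitioner notes on why this slipped through: the duplicated line is indented as if it belonged to the `if`, so it reads correctly to a human skimming the diff, and the code after it is merely unreachable, not invalid, so it compiles cleanly by default. Building with unreachable-code warnings enabled (clang's -Wunreachable-code, or GCC's -Wmisleading-indentation in later GCC releases) is the kind of check that would have flagged the dead verification call, which is a good argument for treating those warnings as errors in crypto and TLS code.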
Believe what you will, but if I were running Apple I’d be going over every single check-in the programmer responsible has ever committed. Just to be sure…
We’ll definitely be discussing this topic on the next Grumpy Old Geeks podcast. If you want to hear more about it then subscribe now to get it automatically delivered!