
(LA Times) Did the NSA put the worm in your Apple? (latimes.com)
More: Followup, NSA, Gotofail, osx, Daring Fireball, John Gruber, worms, security bug, bugs

Posted to Geek on 24 Feb 2014 at 8:03 AM

35 Comments
 
2014-02-24 08:05:57 AM
Not yet, but they finally brought in the noise. The funk's been here for hours.


/Thanks Obama!
 
2014-02-24 08:12:38 AM
....er...No. Because even the NSA has standards. This is copy-pasta junk courtesy of closed source development...
 
2014-02-24 08:24:57 AM

nulluspixiusdemonica: ....er...No. Because even the NSA has standards.


No they don't.  Any and everything they can possibly monitor and/or penetrate, they will.

Why?  Because if it's known that X can't be penetrated by the NSA, the "bad guys" will use X.  And I put "bad guys" in quotes because not all the people the NSA monitors are actual, you know, bad guys.
 
2014-02-24 08:27:33 AM
The Apple Insider blog insisted in a lengthy post that the focus on Apple's security problem this weekend was part of a broader conspiracy between the media and Samsung.

Oh god. Suck my farts.
 
2014-02-24 08:31:22 AM

nulluspixiusdemonica: ....er...No. Because even the NSA has standards. This is copy-pasta junk courtesy of closed source development...


Because it's impossible for something nefarious to be added to software anyone can change.
 
2014-02-24 08:33:55 AM
dittybopper:  No they don't.  Any and everything they can possibly monitor and/or penetrate, they will.

I was, of course, referring to the actual code.....
http://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-23.html
 
ZAZ [TotalFark]
2014-02-24 08:38:06 AM
I would have spotted that in a code review. With good source control practices NSA should not have been able to pay off enough people to get it through a serious change control process.

On the other hand, it's easy to imagine a duplicated line coming from an automated merge not subject to code review.  You may only have to pay off one person in that scenario, or it could just happen.
 
2014-02-24 08:44:19 AM

Kyosuke: Because it's impossible for something nefarious to be added to software anyone can change.


I'm thinking your dealings with open-source is likely very limited.
 
2014-02-24 08:46:27 AM

ZAZ: I would have spotted that in a code review. With good source control practices NSA should not have been able to pay off enough people to get it through a serious change control process.

On the other hand, it's easy to imagine a duplicated line coming from an automated merge not subject to code review.  You may only have to pay off one person in that scenario, or it could just happen.


But from iOS6 to iOS7? and on Macs? Is this consistency in programming fail or conspiracy success?

/adjusts tinfoil hat
 
2014-02-24 08:47:01 AM

nulluspixiusdemonica: dittybopper:  No they don't.  Any and everything they can possibly monitor and/or penetrate, they will.

I was, of course, referring to the actual code.....
http://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-23.html


Meh.

It's the sort of thing that's actually pretty clever:  So long as it's undetected, no one is the wiser.  Once it is detected, however, there is enough plausible deniability there that you can say "Hey, this is just a boneheaded mistake".

It doesn't even have to be something the NSA actually had Apple insert on purpose:  It could be a mistake they (the NSA) detected and exploited without letting Apple know about it, because it opened up some previously unavailable ways to attack PFS traffic.
 
2014-02-24 08:52:32 AM

dittybopper: It could be a mistake they (the NSA) detected and exploited without letting Apple know about it


What I want to know is... where was the NSA even involved in anything to do with this? Some CT had a brainfart and suddenly NSA!

Code review should have had a screaming fit about this... Given it made it to production says more "half-assed controls process" and less "nefarious intent"....

There are far more creative, less obvious, approaches to crippling SSL...
 
2014-02-24 08:56:34 AM

nulluspixiusdemonica: ....er...No. Because even the NSA has standards. This is copy-pasta junk courtesy of closed source development...


The "open source will be much more secure because issues will be spotted faster" idea sounds like it makes a lot of sense in theory, whereas in practice there was a gaping flaw in Debian's SSL because somebody left something commented out in the random number generation and nobody noticed. . .  for two years.
 
2014-02-24 09:01:43 AM
Looked like a bad merge caused by source control software rather than a cut & paste bug. But whatever.
 
2014-02-24 09:06:43 AM

nulluspixiusdemonica: dittybopper: It could be a mistake they (the NSA) detected and exploited without letting Apple know about it

What I want to know is... where was the NSA even involved in anything to do with this? Some CT had a brainfart and suddenly NSA!

Code review should have had a screaming fit about this... Given it made it to production says more "half-assed controls process" and less "nefarious intent"....

There are far more creative, less obvious, approaches to crippling SSL...


But none quite so deniable...
 
2014-02-24 09:41:21 AM
Also, apparently the NSA is responsible for putting the Benzedrine in Mrs. Murphy's Ovaltine, along with putting the overalls in her chowder.
 
2014-02-24 09:54:05 AM

iremo: nulluspixiusdemonica: ....er...No. Because even the NSA has standards. This is copy-pasta junk courtesy of closed source development...

The "open source will be much more secure because issues will be spotted faster" idea sounds like it makes a lot of sense in theory, whereas in practice there was a gaping flaw in Debian's SSL because somebody left something commented out in the random number generation and nobody noticed. . .  for two years.


When everyone assumes someone else is looking for mistakes, no one is looking for mistakes.
 
2014-02-24 10:12:13 AM
No Strings Attached could lead to some backdoor action.
 
2014-02-24 10:25:28 AM

nulluspixiusdemonica: ....er...No. Because even the NSA has standards. This is copy-pasta junk courtesy of closed source development...


http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c

Yep, totally closed source development. If only they would release the code. Those bastards.
 
2014-02-24 10:44:10 AM
Security at the desktop is really nothing more than a security blanket. Once the packets leave your machine and are in the wild, you might as well be inviting the NSA over for a cup of coffee while they watch you type.

For all the encryption that we have going on you can bet that they have ways around it. If they don't have a master key to something, rest assured that
billions are being spent creating those master keys.

Seven proxies aren't even enough these days.

[img.fark.net image 400x400]
 
2014-02-24 10:45:50 AM
[img.fark.net image 622x415]

I bet the NSA did this.
 
2014-02-24 10:52:36 AM

Mad_Radhu: [img.fark.net image 622x415]

I bet the NSA did this.


I sense a new meme. Instead of the "Thanks Obama!" it can be "Thanks, NSA!"
 
2014-02-24 11:02:41 AM

aspAddict: Security at the desktop is really nothing more than a security blanket. Once the packets leave your machine and are in the wild, you might as well be inviting the NSA over for a cup of coffee while they watch you type.

For all the encryption that we have going on you can bet that they have ways around it. If they don't have a master key to something, rest assured that
billions are being spent creating those master keys.

Seven proxies aren't even enough these days.

 [img.fark.net image 400x400]


No computerized device is completely secure.  Even if you have the absolute best encryption possible, if you've got unencrypted data on the device, and it's connected to the outside World, then the NSA/GCHQ/BND/Etc. doesn't have to break the encryption, they can merely side-step it.
 
2014-02-24 11:20:20 AM

nulluspixiusdemonica: dittybopper:  No they don't.  Any and everything they can possibly monitor and/or penetrate, they will.

I was, of course, referring to the actual code.....
http://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-23.html


This is why you always always always use { } for control statements. There are no exceptions. None. You did not just think of one.
 
2014-02-24 11:28:27 AM
I was told Apple products couldn't get viruses and worms.
 
2014-02-24 11:45:03 AM

iremo: nulluspixiusdemonica: ....er...No. Because even the NSA has standards. This is copy-pasta junk courtesy of closed source development...

The "open source will be much more secure because issues will be spotted faster" idea sounds like it makes a lot of sense in theory, whereas in practice there was a gaping flaw in Debian's SSL because somebody left something commented out in the random number generation and nobody noticed. . .  for two years.


Would it have been noticed at all with closed source?
 
2014-02-24 12:34:11 PM

hamiltonjdavid: Looked like a bad merge caused by source control software rather than a cut & paste bug. But whatever.


That's what I've been saying. It's made worse by a terrible test suite that clearly didn't test all the obvious conditions.
 
2014-02-24 12:46:15 PM

nulluspixiusdemonica: ....er...No. Because even the NSA has standards. This is copy-pasta junk courtesy of closed source development...


This is sounding more and more like some test code that was inserted to make a testbed easier to run.  Don't want to get real certs installed on all the test servers, so I'll just add this "stop warning me" line of code to the build.  Oops - forgot to pull that thing out because there wasn't a sev. 1 bug listed against that code build to make sure it was pulled out...  And we ship it.

Had something very similar to this happen to me on some production code that was pushed.  Worked great in the test bed - blew up in production instantly.  Bug was traced back to a tester "adding" something to get their test cases to pass...  That was an uncomfortable week for the source code control team.
 
2014-02-24 12:53:31 PM

RoyBatty: hamiltonjdavid: Looked like a bad merge caused by source control software rather than a cut & paste bug. But whatever.

That's what I've been saying. It's made worse by a terrible test suite that clearly didn't test all the obvious conditions.


This!  The big problem with GUI driven applications is that they are a bear to get tested right.  Because UI changes seem to happen all the time, nobody goes through the pain of setting up test scripts correctly - they have a human drive it.  So running the test cases is "slow" and "is a block to deployment".  So it gets skipped or simplified.  Can't regression it fast enough.  Since this was down in the depths of a library there should have been an automated test application - and it should have been going "Um guys...  test case 250 is supposed to return fail... not pass."  But I bet you they just test it through a Safari build.

Development takes 90% of the time allotted.  Testing takes the other 90%.  The question is just when the testing takes place - before or after you deploy it.
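The two points raised in this thread, always bracing control statements (the "{ }" comment above) and having an automated test that expects a bad signature to fail (the "test case 250" remark just above), as an added example in C that is neither Apple's code nor anything posted in this thread. It re-creates only the control-flow shape of the duplicated goto in a simplified verifier: a constructed FNV-1a hash stands in for SHA-1, a plain equality check stands in for the RSA signature check, and every function name (verify_unbraced, verify_braced, accepts_good_signature, rejects_bad_signature) and the sample bytes are assumptions made for the example.

```c
/* Added example, not Apple's code and not from this thread: a simplified
 * re-creation of the duplicated "goto fail" control flow beside its braced
 * form, plus the negative test a handshake test suite should carry.
 * The hash (FNV-1a) and the equality "signature" check are constructed
 * stand-ins for SHA-1 and RSA; every name here is an assumption. */
#include <stddef.h>
#include <stdint.h>

typedef int (*verify_fn)(const uint8_t *, size_t, uint32_t);

/* Constructed 32-bit FNV-1a hash; stands in for the real digest. */
uint32_t toy_hash(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Mimics a hash-context update call: folds a chunk into the running
 * digest. Returns 0 on success, -1 on error (NULL chunk), following the
 * "0 means OK" status convention the original code used. */
int hash_update(uint32_t *ctx, const uint8_t *p, size_t n) {
    if (p == NULL) {
        return -1;
    }
    *ctx ^= toy_hash(p, n);
    return 0;
}

/* Stand-in for the signature check: the peer's "signature" is simply the
 * digest it claims; 0 if it matches the computed digest, -1 if not. */
int check_sig(uint32_t digest, uint32_t sig) {
    return digest == sig ? 0 : -1;
}

/* The vulnerable shape: with no braces, the second "goto fail" is
 * unconditional. err is still 0 when it fires, so the function jumps
 * past check_sig() and reports success for any signature at all. */
int verify_unbraced(const uint8_t *params, size_t n, uint32_t sig) {
    uint32_t ctx = 0;
    int err;

    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
        goto fail;      /* the duplicated line: always taken */
    if ((err = check_sig(ctx, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Same duplicated line, but braced: the extra goto lives inside the
 * error block, so it only runs when err is already non-zero, and the
 * signature check below is still reached on the success path. */
int verify_braced(const uint8_t *params, size_t n, uint32_t sig) {
    uint32_t ctx = 0;
    int err;

    if ((err = hash_update(&ctx, params, n)) != 0) {
        goto fail;
        goto fail;      /* harmless here */
    }
    if ((err = check_sig(ctx, sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

/* Constructed stand-in for the signed ServerKeyExchange parameters. */
static const uint8_t sample_params[] = "constructed ServerKeyExchange params";

/* Positive check: a correct signature must be accepted.
 * Returns 1 if the verifier under test accepts it, else 0. */
int accepts_good_signature(verify_fn verify) {
    uint32_t good = toy_hash(sample_params, sizeof sample_params);
    return verify(sample_params, sizeof sample_params, good) == 0;
}

/* Negative check, the one "test case 250" should have been: a corrupted
 * signature must be rejected. Returns 1 if the verifier rejects it, else 0. */
int rejects_bad_signature(verify_fn verify) {
    uint32_t good = toy_hash(sample_params, sizeof sample_params);
    uint32_t bad = good ^ 0xdeadbeefu;   /* flipped bits: a forged signature */
    return verify(sample_params, sizeof sample_params, bad) != 0;
}
```

Both verifiers pass the positive check, which is why a suite made only of "does a valid handshake work" cases never notices the problem; only the negative check separates them, and that is the case a regression suite for a signature verifier has to include. Compiling the unbraced function with warnings enabled is also worthwhile: modern compilers flag the misleading indentation and the unreachable second if-statement.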
 
2014-02-24 01:24:18 PM

MadHatter500: RoyBatty: hamiltonjdavid: Looked like a bad merge caused by source control software rather than a cut & paste bug. But whatever.

That's what I've been saying. It's made worse by a terrible test suite that clearly didn't test all the obvious conditions.

This!  The big problem with GUI driven applications is that they are a bear to get tested right.  Because UI changes seem to happen all the time, nobody goes through the pain of setting up test scripts correctly - they have a human drive it.  So running the test cases is "slow" and "is a block to deployment".  So it gets skipped or simplified.  Can't regression it fast enough.  Since this was down in the depths of a library there should have been an automated test application - and it should have been going "Um guys...  test case 250 is supposed to return fail... not pass."  But I bet you they just test it through a Safari build.

Development takes 90% of the time allotted.  Testing takes the other 90%.  The question is just when the testing takes place - before or after you deploy it.


On one project I was on, the test suites, written in bash and sometimes c and sometimes java, took about 3 hours to run and generated tens of megabytes of uninterpreted log files.

So most people a) never ran them, and b) were of the opinion that if their routine was running correctly, it was time to check it in.

I took a couple of hours a day. I did. For several weeks. And I wrote a tcl framework around most of the tests, and rewrote the tests that took the longest because they worked by spawning some process and literally sleeping for ten minutes and hoping it finished, so I rewrote them using expect, and anyway reduced the entire suite from about 3 hours to about 10 minutes, and reduced the megabytes of log files to a series of drill down html reports capturing everything from environmental variables to system load to any errors that occurred but that presented at the top level as a one page report listing the tests, the subsystem and their status. (It also generated a standardized .csv of all of the reports).

As a benefit when we discussed system status in our meetings by examining failing parts of the system, I think all of us now found it easier to understand what other parts of the system were doing, and also understand what parts were fragile, or slow.

My only regret was writing it in tcl and not using the opportunity to learn python (or ruby).

And yes, I was almost fired for that, since yep, I certainly had ignored project deadlines and supervisor instructions to fix the damn thing, although in the long run, it almost certainly was key to the manager and to delivering what we delivered on time and working.

I have yet to figure out how to get permission for side projects that often turn out to be extremely critical to success.
 
2014-02-24 01:36:19 PM
An Apple Spokesman has a statement:

[i.imgur.com image]

To see the image animate and make sound, please download iTunes. You must be on the latest Apple operating system. Plus please deposit 3 thousand dollars into the Apple iSwiss bank account that is now displaying on your Apple product.
 
2014-02-24 03:40:32 PM

nulluspixiusdemonica: ....er...No. Because even the NSA has standards. This is copy-pasta junk courtesy of closed source development...


You mean the source code that's available on Apple's website under an open source license is closed source? Explain, please.
 
2014-02-24 06:03:57 PM

aspAddict: Security at the desktop is really nothing more than a security blanket. Once the packets leave your machine and are in the wild, you might as well be inviting the NSA over for a cup of coffee while they watch you type.

For all the encryption that we have going on you can bet that they have ways around it. If they don't have a master key to something, rest assured that
billions are being spent creating those master keys.

Seven proxies aren't even enough these days.

 [img.fark.net image 400x400]


I VPN through the NSA datacenters. It's fast and saves us both time and hassle.
 
2014-02-24 07:29:13 PM

ReverendJynxed: I VPN through the NSA datacenters. It's fast and saves us both time and hassle.


me too. i even pay for the pleasure. it saves on taxes and government spending.
 
2014-02-24 07:57:53 PM

SN1987a goes boom: I was told Apple products couldn't get viruses and worms.


This exploit involves neither a virus nor a worm, but nice try.
 
2014-02-25 02:17:12 AM

ReverendJynxed: I VPN through the NSA datacenters. It's fast and saves us both time and hassle.


I've been thinking about printing out my web activity on a weekly basis and sending it to them in the mail with a note that says, "Just in case you lose your copy of what cat videos I watched this week, here is a summary."
 
Displayed 35 of 35 comments
