
posted by girlwhowaspluggedout on Sunday March 02 2014, @12:01AM
from the one-bad-apple-spoils-the-whole-bunch dept.

Papas Fritas writes:

"Last October, Bruce Schneier speculated that the three characteristics of a good backdoor are a low chance of discovery, high deniability if discovered, and minimal conspiracy to implement. He now says that the critical iOS and OS X vulnerability that Apple patched last week meets these criteria, and could be an example of a deliberate change by a bad actor:

Look at the code. What caused the vulnerability is a single line of code: a second "goto fail;" statement. Since that statement isn't a conditional, it causes the whole procedure to terminate ... Was this done on purpose? I have no idea. But if I wanted to do something like this on purpose, this is exactly how I would do it.

He later added that 'if the Apple auditing system is any good, they will be able to trace this errant goto line to the specific login that made the change.'

Steve Bellovin, professor of Computer Science at Columbia University and Chief Technologist of the Federal Trade Commission, has another take on the vulnerability: 'It may have been an accident; if it was enemy action, it was fairly clumsy.'"
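The mechanism Schneier describes in the quote above, shown as an added example rather than Apple's code: the verify routine is a constructed stand-in (a one-byte checksum plays the part of SHA-1 and of the signature), but the control flow is the point. A duplicated, unconditional `goto fail;` jumps past the remaining hash step and the signature check while `err` still holds the 0 returned by the preceding successful update, so the function reports success for any signature. The second function has the same logic with braces on every conditional body, which is what makes a stray line like this visible. Function names, the toy hash and the sample payload are all assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for signed key-exchange parameters: a payload plus a
 * "signature" that, in this toy, is just the 8-bit checksum of the payload.
 * Nothing here is Apple's code or a real signature scheme. */
typedef struct {
    const uint8_t *data;
    size_t len;
    uint8_t sig;
} signed_params_t;

/* Toy hash: running 8-bit sum. Stands in for the real update()/final() pair. */
static int hash_update(uint8_t *ctx, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) *ctx = (uint8_t)(*ctx + p[i]);
    return 0;                 /* 0 = success, as the real update() returns on good input */
}
static int hash_final(const uint8_t *ctx, uint8_t *out) { *out = *ctx; return 0; }

/* Toy "raw verify": the signature is valid iff it equals the digest. */
static int raw_verify(uint8_t digest, uint8_t sig) {
    return digest == sig ? 0 : -1;   /* 0 = OK, nonzero = verification failure */
}

/* Vulnerable shape. The second 'goto fail;' is not governed by the 'if', so it
 * always runs: hash_final() and raw_verify() are skipped and err is still 0
 * from the successful hash_update(). Any signature is accepted. */
int verify_vulnerable(const signed_params_t *sp) {
    uint8_t ctx = 0, digest = 0;
    int err;

    if ((err = hash_update(&ctx, sp->data, sp->len)) != 0)
        goto fail;
        goto fail;   /* the extra line: the indentation lies about its scope */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, sp->sig);

fail:
    return err;
}

/* Fixed shape: braces on every conditional body, so a statement cannot
 * silently fall outside the condition it appears to belong to. */
int verify_fixed(const signed_params_t *sp) {
    uint8_t ctx = 0, digest = 0;
    int err;

    if ((err = hash_update(&ctx, sp->data, sp->len)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&ctx, &digest)) != 0) {
        goto fail;
    }
    err = raw_verify(digest, sp->sig);

fail:
    return err;
}

/* Constructed sample input: checksum of PAYLOAD is 0x60. */
static const uint8_t PAYLOAD[] = { 0x10, 0x20, 0x30 };

int main(void) {
    signed_params_t good = { PAYLOAD, sizeof PAYLOAD, 0x60 };
    signed_params_t bad  = { PAYLOAD, sizeof PAYLOAD, 0x00 };   /* forged signature */

    printf("vulnerable: good=%d bad=%d\n", verify_vulnerable(&good), verify_vulnerable(&bad));
    printf("fixed:      good=%d bad=%d\n", verify_fixed(&good), verify_fixed(&bad));
    return 0;
}
```

Two practical checks follow from this. A negative test that feeds a deliberately wrong signature and expects failure would have caught the vulnerable version immediately; the positive path alone passes in both. And clang's `-Wunreachable-code` reports the `if` that follows the unconditional `goto` as unreachable, which is the kind of compiler diagnostic worth treating as an error in code on the authentication path.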

  • (Score: 5, Interesting) by MichaelDavidCrawford (2339) on Sunday March 02 2014, @04:02AM (#9382)

    In 1995 and 1996, I was a "Debug Meister" on "The Team Formerly Known As The Blue Meanies" - quality zealots who all used to wear bright blue t-shirts during the development of Mac OS System 7 in the late eighties. We were properly known as "Traditional Operating System Integration". Usually we called ourselves "TradOS".

    There was also a "Modern OS Integration" team. I was offered an internal transfer to it, but I had the vague sense that Copland would never ship. :-/

    Every single one of us had commit privileges to just about all of Apple's source code. I myself kept around the source to the MacsBug machine debugger. It could disassemble both 68k and PowerPC binaries, and had this really cool ability to disassemble backwards, that is, a few instructions before a breakpoint. MacsBug did not always get it right but it usually did.

    From time to time I'd roll myself a custom feature into MacsBug, to use while isolating some random bug in a new build of either 7.5.2 or 7.5.3. 7.5.2 supported the first PCI bus PowerPC Macs - the 7500, 8500 and 9500. 7.5.3 was for the "Speed Bumps", the 7600, 8600 and 9600.

    It would not have been hard at all to have observed my colleague going to lunch, then to have stepped into his office then to have made that one-line SSL hack.

    There is quite a famous story about how Greg Robbins, one of the authors of the PowerPC graphing calculator, managed to keep working for a year at Apple, despite no longer being a contract programmer there, and no longer getting paid.

    It was only when some Apple security guard managed to figure out that Greg didn't have a card key that he got caught out.

    "You're not on the payroll?" asked the guard incredulously.

    "No, but there's a lot of work left to do to support the PCI macs."

    Greg was one of my fellow debug meisters.

    It turns out that the QA lab where he worked - as a contract programmer, he did not have a private office - was right next to my own office.

    I'm not dead certain but I have reason to believe that for much of the year that he provided free labor to The Cupertino Fruit Company, quite often I was the one to use my card key to let him into the lab so he could start his workday.

    --
    Yes I Have No Bananas. [gofundme.com]