rothwell.im

by Jonathan Rothwell

Goto FAIL: the aftermath

The huge TLS/SSL bug in OS X has finally been patched in OS X 10.9.2. The fix was about four days too late (seriously, would fixing a single line of code and re-issuing it as a delta 10.9.1.1 update have been too hard?) but as always, it’s better late than never. (Naturally, if you’re a Mac user on Mavericks, or an iOS user on 7.0.5 or earlier, you should update your machine now.)

Many words have been said about the bug itself, unearthed in Apple’s TLS stack. Many have (unfairly) blamed the goto statement, which is slightly suspect: one could easily have allowed a similar bug to creep in using function calls and return values. (I’m not sure I agree with the use of goto in this particular case, but it’s not the cause of the problem.) Others have suggested that, had the programmer been conditioned to hit ^I (in Xcode, or ⌘⇧F, had they been using Eclipse or a similar IDE) to re-indent before pushing, they might’ve spotted the bug, or at least increased the chance it might’ve been picked up during a code review.

Judging by the diff (mirrored on GitHub), it looks unlikely that the duplication of the goto fail happened as a result of a merge conflict.[1] It would also be astonishing if Apple didn’t have any unit test coverage on such an important part of the security stack, or at least a vigorous code review process. Code review doesn’t always work: sometimes the programmers reviewing the code are overworked, tired, distracted, drunk, etc., much like the programmers who wrote the code.

An interesting theory was posited on Daring Fireball: the bug first appeared in iOS 6, which was released a short time before iOS was ‘added’ to the NSA’s PRISM programme. I still think that it is unlikely Apple (or any large technology company) would agree to build in a backdoor at the beck and call of an espionage agency. The chain of people that would need to agree to such a thing (and also be sworn to silence), from managerial positions right down to the developer who commits the code, is just too long; furthermore, it also assumes that all executives of all companies are easily bribable micromanagers with fine control over their codebase, with no moral compass whatsoever and in cahoots with the Pentagon/Fort Meade. One person is easier to bribe or plant than a whole chain.

So, the way I see it, there are three possibilities:

  1. The goto fail bug was introduced by accident and is a bona fide software defect. Apple has no automatic testing on this stack (or the test suite is incomplete, or it’s ignored when it fails). Therefore Apple’s software development policies are shocking. The NSA has better auto-testing than Apple, picked up this defect and (probably) exploited it.
  2. The goto fail bug was introduced by accident and is a bona fide software defect. Apple did have automatic testing on this stack, but a programmer (probably a junior programmer, or an inexperienced QA engineer or test monkey) couldn’t work out why the test for SSLVerifySignedServerKeyExchange was failing, and so set it to be ignored or deleted it. This is extremely bad practice, but I can believe it happened. The NSA picked up this defect and (probably) exploited it.
  3. The goto fail bug was a backdoor deliberately inserted by someone (a planted Apple employee or a contractor) in the pay of a third party. This person also snaffled the automatic test coverage at the same time. No-one noticed, or bothered to question, why this code was removed.

Of course, we’ll likely never know the exact reason why this bug slipped through the net. But there are lessons to be drawn from the whole sorry affair anyway: patches for critical defects must be issued immediately, and auditing and automated testing are important!
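The duplicated goto fail in miniature, as an added example rather than Apple’s code (the real diff is linked above): a simplified reconstruction of the control flow, with a toy XOR checksum (toy_check_sig) and a no-op hash_update standing in for the real SecureTransport steps, the fixed version beside it, and the kind of negative test that would have failed the moment the second goto landed. The message bytes are constructed for the example.

```c
#include <stddef.h>
/* Stand-in for the hash-context update steps that precede the check. */
static int hash_update(void) { return 0; }

/* Toy stand-in for the real signature check (not a cryptographic algorithm):
 * a one-byte XOR checksum of the message. 0 = success, like the real code. */
static int toy_check_sig(const unsigned char *msg, size_t len, unsigned char sig)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc ^= msg[i];
    return acc == sig ? 0 : -1;
}

/* Simplified reconstruction of the vulnerable control flow. The second
 * "goto fail;" is unconditional, so toy_check_sig() is never reached and
 * the function returns err == 0 (success) for any signature at all. */
int verify_vulnerable(const unsigned char *msg, size_t len, unsigned char sig)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;   /* duplicated line: always taken */
    if ((err = toy_check_sig(msg, len, sig)) != 0)   /* now dead code */
        goto fail;
fail:
    return err;
}

/* The same function with the duplicated line removed. */
int verify_fixed(const unsigned char *msg, size_t len, unsigned char sig)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = toy_check_sig(msg, len, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* The negative test the post argues must exist: returns 1 only if the
 * verifier accepts the correct signature AND rejects a corrupted one. */
int negative_test_passes(int (*verify)(const unsigned char *, size_t, unsigned char))
{
    static const unsigned char msg[] = { 0x16, 0x03, 0x01, 0x2a };  /* constructed */
    unsigned char good = 0x16 ^ 0x03 ^ 0x01 ^ 0x2a;
    unsigned char bad = (unsigned char)(good ^ 0xff);
    return verify(msg, sizeof msg, good) == 0 && verify(msg, sizeof msg, bad) != 0;
}
```

A test that only feeds valid signatures passes both versions; only the corrupted-signature case separates them, which is why a suite without negative cases is no protection here. Modern compilers also flag the indented second goto with a misleading-indentation warning, another cheap check worth keeping on.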

  1. This assumes, of course, that there was only one programmer working on this file for iOS 6/OS X 10.9 and there were no internal (i.e. between Apple employees’ repos) merge conflicts in the interim.

[LINK] Smart devices on the internet of things a disaster waiting to happen

Missed this the first time round, but here’s Peter Bright at Ars discussing the disaster waiting to happen when your manufacturer drops support for your smart fridge.

Our fridges, cars, and TVs are not even on a two-year replacement cycle. Even if you do replace your TV after it's a couple years old, you probably won't throw the old one away. It will just migrate from the living room to the master bedroom, and then from the master bedroom to the kids' room. Likewise, it's rare that a three-year-old car is simply consigned to the scrap heap. It's given away or sold off for a second, third, or fourth "life" as someone else's primary vehicle. Your fridge and washing machine will probably be kept until they blow up or you move houses.

Even Microsoft have been known to drop support for platforms, leaving customers out in the cold (I know this from experience, having tried to activate a GfWL copy of Halo 2)—so it’s impossible to see how companies like Samsung, or, god forbid, Electrolux or Russell Hobbs, will continue to provide updates for smart devices of any kind.

Writer Nope

I’m really not sure what to make of iA Writer Pro.

The original Writer was (and remains) my short-form word processor of choice. Speed, markdown syntax highlighting, superb typography, zero distractions. It feels like a machine, something that just reliably helps in the process of churning out thousands upon thousands of words.

Looking at Writer Pro, it looks like the idea of a distraction-free writing tool has been somewhat lost in translation.

Of course, throwing the baby out with the bathwater is not necessarily a bad thing. My current go-to editor for long form projects, Ulysses III, metamorphosed from a Scrivener-a-like version 2.1 to a completely new version 1.0, based around plain-text editing and gluing sheets together. The results were remarkable, and I managed to write 55,000 words of a novel in Ulysses this year: it is, as stands, the closest thing I can find to writing perfection.

Unfortunately, as a rewrite, Writer Pro falls short. Firstly, there’s the process of finding your document in the first place.

[LINK] Everyday sexism: The Peacock Problem

This woman [Marie Skłodowska-Curie] had to fight her entire life. She was the first female lecturer, the first woman to win a Nobel prize and the only person ever to win Nobel prizes in Physics and Chemistry. She had to fight every single day and even her successes people credited to her husband. It makes me so mad! She was even turned away from university because she didn’t have a penis. How utterly, utterly insane. Where could we be now if we hadn’t repressed half of our society throughout our entire history?

Jamie Gallagher’s tale of putting a group of wolf-whistling teenage boys in their place during a science talk: sobering stuff, but unsurprising. Good on him for taking a stand: I hope that, in time, others will learn to do the same, and not be passive when women are demeaned by schoolchildren.

[LINK] Porsche-Design BlackBerry Z10 not a parody

Having failed spectacularly to take itself private, BlackBerry’s latest scheme is a Z10 produced in conjunction with Porsche Design. It costs $2250, and I have trouble believing they’ll shift any, even given this astonishing feature set:

Dubbed the P’9982, the device is essentially a more ostentatious version of the poorly received BlackBerry Z10, crafted from stainless steel and crocodile leather, and — bizarrely — touted with a “special series of PIN numbers” that will make its owners “instantly recognizable in the exclusive world of Porsche Design smartphone owners.”

Twentieth Anniversary Macintosh for the ages, anyone?