Apple's goto fail needs a massive culture change to fix


Summary: Apple may be shiny on the surface, but the recently revealed SSL security flaw means that something's rotten inside — or perhaps even poisoned.


"If that Apple SSL thing happened to Microsoft, literal s*** would be pouring down on Redmond right now. Pouring," tweeted @explanoit on Monday. And, as Kyle Maxwell added soon after, "Gates would be holding public executions in the courtyard". Both of these people show signs of knowing a bit about security. Both are, at least metaphorically speaking, 100 percent correct.

Thousands of words have already been written about Apple's little coding oopsie, so I'll just summarise things before moving on to my key point: Apple seems to have a serious cultural problem.

Secure Sockets Layer (SSL) authentication wasn't working in either iOS or OS X. A vast amount of software running on iDevices and Macs believed that their encrypted connections were connecting to the right place, and were being given the visible padlock of security, when they may not have been. Key SSL tests simply weren't being done. Apps could well have been connecting somewhere else — including to an impostor executing a "man in the middle attack", decrypting and monitoring users' data before re-encrypting it and passing it on to the correct destination.

It is of course hilarious that the actual error consisted of the repeated words "goto fail;".

The legendary computing scientist Edsger Dijkstra wrote about the risks of the goto statement in programming languages way back in 1968, in his famous letter Go To Statement Considered Harmful — the text of which is available online, both in the original 1960s-style formatting (PDF) and more modern typography. "The go to statement as it stands is just too primitive, it is too much an invitation to make a mess of one's program," he wrote. Dijkstra instead promoted the discipline of structured programming.

Even though I was indoctrinated in structured programming, I don't think the goto is the real problem here. Anyone can screw up code with an ill-judged copy-paste or a slip of the mouse. We've all been there, right? Pointy-haired managers, think "reply all".

But Apple needs to answer some serious questions.

Why wasn't this broken code spotted by some sort of review process before it ended up in a software build? After all, this sort of mistake can even be picked up by various automated code analysis tools, let alone by human reviewers.

Why wasn't the failure picked up in the testing phase, before the software was published? After all, testing that each step in a security authentication process still works is kind of important.
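The failure mode described above, as an added example: a constructed model, not Apple's code and not part of the original article. It shows a duplicated `goto fail;` skipping the final check, the same duplicate made harmless by braces, and a negative test that feeds in a forged signature. All function names and the "good-sig" value are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the handshake steps; each returns 0 on success. */
static int hash_update(const char *data) { return data != NULL ? 0 : -1; }
static int hash_final(void) { return 0; }
/* The step that matters: accept only the expected (constructed) signature. */
static int check_signature(const char *sig) { return strcmp(sig, "good-sig") == 0 ? 0 : -1; }

/* Flawed form: the second `goto fail;` is not governed by the `if`, so control
 * always jumps to `fail` with err == 0 and check_signature() never runs. */
int verify_flawed(const char *data, const char *sig)
{
    int err;
    if ((err = hash_update(data)) != 0)
        goto fail;
        goto fail;                      /* duplicated line, always executed */
    if ((err = hash_final()) != 0)
        goto fail;
    err = check_signature(sig);         /* unreachable */
fail:
    return err;
}

/* Braced form: the same duplicate stays inside the block and is harmless. */
int verify_braced(const char *data, const char *sig)
{
    int err;
    if ((err = hash_update(data)) != 0) {
        goto fail;
        goto fail;
    }
    if ((err = hash_final()) != 0) {
        goto fail;
    }
    err = check_signature(sig);
fail:
    return err;
}

/* Negative test: a verifier passes only if it accepts the good signature
 * AND rejects a forged one. Returns 1 on pass, 0 on failure. */
int negative_test_passes(int (*verify)(const char *, const char *))
{
    return verify("msg", "good-sig") == 0 && verify("msg", "forged-sig") != 0;
}

int main(void)
{
    printf("flawed passes negative test: %d\n", negative_test_passes(verify_flawed));
    printf("braced passes negative test: %d\n", negative_test_passes(verify_braced));
    return 0;
}
```

A test suite that only checks valid input passes both versions; only the forged-signature case tells them apart. Unreachable-code warnings such as clang's `-Wunreachable-code` flag the skipped statement in `verify_flawed`.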

Why was a patch for iOS released, thereby revealing the existence of the problem and giving security researchers good and evil the opportunity to reverse engineer it and see whether the problem also existed in OS X — which it did — before that operating system was also patched? After all, both operating systems are produced by the same company. Don't these people talk to each other?

I think we have some cultural problems here, folks.

The apparent lack of communication between the iOS and OS X teams is bad enough. But what's far more worrying is how such a serious error could have escaped detection — let's skip the more tinfoil-oriented explanation that it was a deliberate "mistake" to help the NSA, and a programming error gives Apple plausible deniability — and how the impact of the error is magnified by Apple's complete lack of transparency when it comes to security issues.

"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available," says Apple. Which means it may know full well about unpatched vulnerabilities, but even if they're being actively exploited, you won't know about them.

Nothing must tarnish the image of Apple's pretty, pretty garden, even if beneath the surface it's rotten. Or poisoned.

That's why I agree with Eugene Kaspersky, head of Kaspersky Lab, who nearly two years ago wrote that when it comes to security, Apple is 10 years behind Microsoft. At the time, I called him a "glorious global megatroll" for that suggestion, but also wrote that Apple's supposed invulnerability is a myth based on ancient history.

Back when Windows was vulnerable to myriad viruses and worms, Bill Gates issued his Trustworthy Computing memo and Microsoft completely re-engineered the way it made software. The Security Development Lifecycle (SDL) methodology was the result. Windows was dramatically improved — well, at least from a security standpoint — so much so that the attackers moved up the stack and tore Adobe's products a new one.

Apple's goto fail is a clear sign that the magic garden needs weeding — or even a good dose of Agent Orange, rather than endless Kool-Aid. But the first step in fixing a problem is admitting that it exists, and Apple has yet to do that. It seems that when it comes to security, Apple still couldn't find its butt with both hands. Perhaps it should be using Apple Maps to help. No, wait.

Disclosure: Stilgherrian has travelled to US security events twice as Microsoft's guest, including a briefing on SDL. He uses a MacBook Pro, having been primarily a Mac user since 1985, and an Android phone.

Topics: Security, Apple

About

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.


Talkback

289 comments
  • Nobody who knows code uses apple

    They just don't have the experience with malware to be any good at security.
    blarelli
    • Clever....

      You're speaking in code right now, aren't you? You guys are too smart.
      rfoto
      • Hardly

        Come on.

        At one stage the article asks

        "Why was a patch for iOS released, thereby revealing the existence of the problem and giving security researchers good and evil the opportunity to reverse engineer it and see whether the problem also existed in OS X — which it did — before that operating system was also patched?"

        ... and he only manages a paragraph before he's taking the diametrically opposite position saying

        "... and how the impact of the error is magnified by Apple's complete lack of transparency when it comes to security issues."

        There's not much smart here.
        Henry 3 Dogg
        • Why

          I noticed the same thing. But I think it's a typo. I think he meant "wasn't." It's the third of a series of questions.
          Gray Hawk
          • Not a contradiction or typo

            There's no contradiction here, there's no typo here, and there's no "not much smart here".
            He asks in the first paragraph, why they released an iOS patch before they had an OSX patch (since the code is identical). This is a problem, because it does allow researchers to reverse engineer the patch, see what it patches, and allow blackhats to make exploit code. These researchers do not wait around for companies to describe their updates! That said the OSX patch really didn't take long to come out *shrug*.

            The second quote about Apple not being transparent is 100% true. They have the least descriptive update descriptions I have ever seen; they do put out plenty of security patches, but you are not going to know how many holes you did have and how many they fixed, since they are not willing to admit to flaws in their products.

            As for the flaw itself... to me, the flaw is not the use of goto (as much as people love to hate on it, that code snippet is relatively clean...), but rather the lack of {} around the line after each if statement. I ALWAYS* use {} to delineate the code within an if statement, for loop, etc.. If I'd made a little typo like this, it would have been ineffective since both gotos would be within the {}; if I had had a single line of code which I expanded later I couldn't forget to put {} around it later if I already have it.

            *Well, not Python, since it does explicitly use indentation for this purpose.
            hwertz
          • FIPS-140 certified meaningless

            The scary thing is this Securetransport code got FIPS-140 Certification!
            The fanbois were ignorantly raving about how the iphone was secure because of this certification and how it is the safest for enterprise.
            Government security certification just got egg on faces.
            warboat
        • re: Hardly

          Have read your comment several times and can't see your point.

          1) Apple's patch for iOS was released. iOS and OSX use the same certificate validation code. But critically, OSX patch not released. This allows hackers to see what's been done to iOS and apply it as an attack on OSX until OSX is patched (v. bad).

          In other words by choosing to update ONLY iOS, not OSX, Apple itself has opened up OSX to attack, by providing the formula.

          i.e. DO NOT use your Mac laptop on any public wifi folks.

          2) Apple only provides information - and patches - when forced to. Witness the Java update fiasco last year etc. (yes compare to Microsoft, which is fast and decisive and open in this regard)

          In other words, Apple is as opaque as possible on this issue. This is what the author says, N.B. the facts of the matter here have been provided not by Apple, but by third party security experts.

          "Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available," ... "even if they're being actively exploited, you won't know about them."

          As security experts know, bad things grow in this hidden space.

          Is this a "*complete* lack of transparency"? As complete as Apple can manage.

          Author's points are pretty well made.
          nowend
          • Microsoft is "fast and decisive and open in this regard"?

            Yet a patch last month was for a flaw that exists in every Microsoft OS since Windows 2K? So a flaw that went unpatched for 14 years is "fast and decisive and open in this regard"? Apple released the patch to fix the OS X flaw within 5 days of the iOS patch.
            I hate trolls also
          • Depends

            Just because a flaw existed does not mean it was known. Once a flaw is found, MS is very responsive to plugging it. And you have direct access to the security teams at MS as I have personally communicated with them on a 1:1 level. You can also attend TechEd and meet the people that you need to work with inside MS. MS gives you a host of tools to work with security issues and logs files as well. MS is not perfect when it comes to responding to issues but they are far better than Apple.

            Apple is a black box for the most part.
            Rann Xeroxx
          • Not completely true

            Only last week was a report released about a vulnerability that was KNOWN in Windows XP--and still exists in Windows 8.1.
            Vulpinemac
          • potential for massive claims

            if damage could be attributed to this Goto Fail flaw, Apple could be subject to massive claims.
            warboat
        • I beg your pardon????

          What are you talking about?

          Let's look at this chum. You clearly have messed things up on purpose in Apple's favor.

          "Why was a patch for iOS released, thereby revealing the existence of the problem and giving security researchers good and evil the opportunity to reverse engineer it and see whether the problem also existed in OS X — which it did — before that operating system was also patched?"

          Simply meaning, the patch for OSX should have been made ready before the patch for iOS was released to avoid OSX being seen as a potential target that it was. Means no more/no less.

          "how the impact of the error is magnified by Apple's complete lack of transparency when it comes to security issues"

          Soooo...you're trying to now tell us that...what? That maybe Apple releasing the patch for iOS and not OSX was just a case of Apple letting the world know that the vulnerability existed on OSX for the sake of transparency and that Stilgherrian should know this? Seriously?

          What does the first statement have to do with the second? I think you need a remedial lesson in English. Let's look at the bluntly obvious.

          Stilgherrian complains of the problem with the error being magnified by Apple's lack of transparency in security issues. In what way is his statement regarding Apple's loose actions of releasing an iOS patch before the OSX patch run counter to Apple's always obtuse silence on security matters that Stilgherrian points out?

          You say they are "diametrically opposite"???

          You're just one of these loons around here who spout off nonsense that has absolutely zero connection to anything and I guess you just hope someone reads it and thinks you have a point.

          The dictionary defines that as opposite extremes, yet in this case, one statement has little to do with the other. Not opposites, not the same, not connected in any direct way that could make them opposites.

          It's really hard to stomach this kind of Apple apologist kind of thinking. I have owned and still own Apple devices and like them. I make no apologies for any company that claims feats of magic but only works in deception.
          Cayble
    • iPhone = most vulnerable OS

      1) "iPhone is most vulnerable, least secure smartphone in the market, security firm finds."
      +
      2) very simple feature-phone brings not much
      = Apple has very very poor software engineers confirmed by

      Apple employees are treated like slaves: "I wanted to work at Apple really bad, and now not so much. Walking out on my dream job"

      So what is the real reason of success? It's simple:

      "Study: iPhone owners have ‘blind loyalty’ and will buy anything Apple makes"

      there is no mystery about Apple's success
      Jiří Pavelec
      • Prove it

        Come on Jiri I've asked you for proof of your FUD before with no response. Either you simply do not understand what I mean by bringing proof or - more likely - you have none and your FUD is simply based on lies. Which is it?
        athynz
        • Can't you read?

          You are in denial!
          Foreseen
        • FireEye...

          ...just discovered how to get an app passed in the review process. One step away from adding it to the App Store and there is nothing to stop it from that point. No telling how long that was there...
          Cory Ducey
          • Charlie Miller proved the false sense of security in the Appstore

            3 years ago.
            The users are still riding on this false sense of security.
            warboat
        • Proof you say?

          SourceFire report from March 2013: “The vast majority of mobile phone vulnerabilities have been found in iPhone. If we combine all the CVE vulnerabilities [Common Vulnerabilities and Exposures] of the remaining three larger players, they still come out at less than a quarter of the iPhone’s CVEs."

          SIMOnlyContracts survey results released February 2014: In a poll of 2,000 iPhone users, 60% admitted to being blindly loyal to Apple and willing to buy almost anything Apple makes. 78% said they couldn't imagine having another type of phone. The secondary rationale for this loyalty? "They like being associated with the brand."
          NameRedacted
          • human nature?

            People are trying to use the Apple loyalty thing as a playing card here with their agenda.

            Considering the 90%+ market had and how so many stayed with the platform despite the endless malware attacks and infections when there was another solution says it all. Apple pushes the style aspect more thus making it more of a target for criticism by those who don't seem to consider as part of a buying decision. I'll bet many like BMW's and other high end cars over Ford Fiestas though. Simply put it's not a card to play here at all.

            At any rate Apple screwed up in coordinating how this was addressed both in the release of the patch and certainly the seemingly lack of testing. I can't say whether they'll learn from this but I tend to side with that they will. Despite some who criticize their focus on security they actually have been learning over the years. Maybe not at the level some want to see but choosing to go with a walled garden approach has done a lot to curb malware on the iPhone and ipad that android struggles with.
            Jim68
          • human nature cont.

            That would be Windows market I'm referring to. Apparently the forum here won't let me edit my post.
            Jim68