Corrente


"Apple continues to hide its rotten security from consumers"

The "goto fail;" bug really is pretty bad and affects millions of people. If you've got an iOS device, or run OS X Mavericks, be sure to upgrade.

It would sure be nice to know the "goto fail;" bug wasn't part of an NSA scam; that it was a bug, not an exploit.

For techies, here's the code with the bug, and how the bug was found.

For managers, here's an essay on cultural problems at Apple, and software development at Apple.

Basically, yikes. Looks like there's oodles of code inside Apple products that isn't nearly as sleek as the packaging. Yeah, who knew, but this particular code was also open sourced, and it still took 18 months to come to light...
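For a picture of what the linked code got wrong, here is an added example (written for this page, not Apple's code or the post's) that reproduces the control-flow shape of the bug with constructed stand-in hash and verify steps: a duplicated, unindented "goto fail;" jumps past the final signature check, so the function returns success for a signature that never matched. The hardened form next to it is the same logic with braces.

```c
/* Added example (not code from the post or from Apple): the control-flow shape
 * of the "goto fail;" bug with constructed stand-in hash and verify steps. */
#include <stddef.h>
#include <stdint.h>
typedef int OSStatus;   /* stand-in for Apple's OSStatus: 0 means success */

/* Toy digest steps standing in for the SHA-1 update/final calls (constructed). */
static OSStatus hash_update(uint32_t *ctx, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++) *ctx = (*ctx * 31u) ^ data[i];
    return 0;
}
static OSStatus hash_final(uint32_t *ctx, uint32_t *out) { *out = *ctx; return 0; }
static OSStatus verify(uint32_t digest, uint32_t signed_digest) {
    return digest == signed_digest ? 0 : -1;   /* -1: signature mismatch */
}
/* Reference digest of a parameter block, used to build a genuinely valid signature. */
uint32_t digest_of(const uint8_t *params, size_t len) {
    uint32_t ctx = 0, out = 0;
    hash_update(&ctx, params, len);
    hash_final(&ctx, &out);
    return out;
}

/* Vulnerable shape: the duplicated, unindented "goto fail;" is unconditional, so
 * hash_final and verify are skipped and err still holds the 0 from hash_update:
 * any signed_digest is reported as valid. */
OSStatus verify_params_buggy(const uint8_t *params, size_t len, uint32_t signed_digest) {
    OSStatus err;
    uint32_t ctx = 0, digest = 0;
    if ((err = hash_update(&ctx, params, len)) != 0)
        goto fail;
        goto fail;   /* the extra line: always executed */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = verify(digest, signed_digest);
fail:
    return err;
}

/* Fixed shape: braces around every conditional body, so a stray goto is either
 * inside a block or visibly outside one, and -Wunreachable-code can flag it. */
OSStatus verify_params_fixed(const uint8_t *params, size_t len, uint32_t signed_digest) {
    OSStatus err;
    uint32_t ctx = 0, digest = 0;
    if ((err = hash_update(&ctx, params, len)) != 0) { goto fail; }
    if ((err = hash_final(&ctx, &digest)) != 0) { goto fail; }
    err = verify(digest, signed_digest);
fail:
    return err;
}
```

The buggy variant accepts a wrong digest with return value 0; the fixed one rejects it, which is exactly the difference the Apple patch made.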


Comments

Submitted by transcriber on

Jacob Appelbaum talked about an Apple back door to the NSA in our crowd-sourced transcript of last month:

Jacob Appelbaum: Here’s an iPhone back door.

So DROPOUTJEEP, so you can see right there. So, SMS, contact list retrieval, voicemail, hot microphone, camera capture, cell tower location. Cool. Do you think Apple helped them with that? I don’t know. I hope Apple will clarify that. I think it’s really important that Apple doesn’t.

Here’s a problem. I don’t really believe that Apple didn’t help them. I can’t prove it yet, but they literally claim that any time they target an iOS device, that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves. I’m not sure which one it is. I’d like to believe that since Apple didn’t join the PRISM program until after Steve Jobs died that maybe it’s just that they write shitty software. We know that’s true.

More here (Marcy Wheeler three days ago), here and here (comments exchange -- Juniper/Juno routers vector? also the NSA program may go back to 2007. Idea is for the NSA to commandeer your computer.)

Submitted by Rangoon78 on

Sent from my iPhone
By all means get an Android!

Speaking [this January] at the Reuters Global Media and Technology Summit in London, Eugene Kaspersky, chief executive officer of Kaspersky Lab, said the mobile devices that use Android operating systems are more vulnerable, since Apple has strict controls and does not allow third-party applications, the Chicago Tribune reports.

John Gruber:

"It seems pretty clear that DROPOUTJEEP was/is a jailbreak — full control, but requires access to the device. It’s not some sort of remote switch they can flip. Der Spiegel’s information dates back to 2008, but I think it’s pretty safe to assume that anything the jailbreak community can do, the NSA can do better. If you’re an NSA target and they get their hands on your iPhone, game over."

★ Friday, 3 January 2014

http://daringfireball.net/linked/2014/01/03/dropoutjeep

Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products.

[…]
Appelbaum’s conclusion, that all Apple iPhones are vulnerable to some backdoor that is either a risk to Apple users or that Apple helped to create, is simply not backed up at all by the fact that physical access to the device is necessary to be able to hack it.
http://www.forbes.com/sites/timworstall/2013/12/31/appelbaums-extraordin...

Submitted by transcriber on

The whole point of the NSA Quantum programs, as I understand it from the Der Spiegel slideshow, is to do man-in-the-middle or man-on-the-side intrusion into your computer and take it over or be the parasite in a race between real and parasite servers. Your Forbes article is gone to me now (could you update your link?), but I wonder, is physical access required if it's done via coding and/or routers? The Validator thing the iPhone backdoor Dropoutjeep apparently works with is mentioned in the Der Spiegel interactive graphic of spy gear under the routers category, specifically in regard to Juniper and Juno routers. In the emptywheel comments links above, the reply about the routers says:

Juniper/Juno routers are used by the big Internet backbone companies; if the bad guys wanted to monitor or target the traffic, this is one kind of equipment they would infiltrate to run that operation. If they control the j/j equipment they would be able to see from the header information that the data was for an iPhone or Android or Windows or whatever type of cell phone being used.

Maybe I am totally misunderstanding this? Bruce Schneier's 2/27 post Is the iOS SSL Flaw Deliberate? and all 146 comments never mention Dropoutjeep back door, even though a search of his site turns up several posts about it, like here. Changing search term to Validator turns up even more. Yet not together.

Thanks.