So people are saying this is an NSA bag job? I'm not sure I would believe that. It's probably just a programmer goof.

This software is usually written by teams of different people writing different parts of the whole program and then the parts are integrated and tested. Chances are either it was an integration error, or someone overlooked a test routine or something because if it IS the NSA that did this, well, then that just changes the whole world. Doesn't it...

----------

Walt Disney World allows guests resort-wide to connect and use their wireless connection free of charge. So, with an average attendance of roughly 150k people a day, and let's say that 10% of them use an iPhone, 15,000 people (at least) are at risk of some jackass hacker posting up on a bench stealing any information they thought was "secure".

I was vacationing in Northern Lower Michigan at a resort I'll decline to mention (in case there are any lawsuits pending) and was trying to get out on the intertubes, and having some really S---L---O---W--- access times, so I started poking around the network to see what was on it. I did a subnet scan and found a number of devices and just took a look at some of the more interesting names. Every one of them was locked up, except one...

It was a dentist from New York, staying at an ancillary building from the main building, and he was WIDE OPEN :eek:! I was looking at his pictures, his documents, his desktop... I could have tweaked his nuts if I had wanted...

I found a name. A HAH! I trudged down to the front desk and asked if 'Mr X' was staying there. They confirmed that he was. I then said that they should warn 'Mr X' that his notebook was WIDE OPEN :eek: on their network. Someone suggested that perhaps I should offer my services to the (idiot) nice 'Mr X', but I declined because I really didn't want to have to tell him that I read many (MANY!) documents before I got his name, and really was glad (SO GLAD) that he wasn't my dentist... I didn't look around their network again (Honest!) after that... I wonder what happened... :cool::D

Actually I can probably guess what happened...
 
one question....

If the article states that Apple doesn't say whether OS X is affected, then how does HE know?

Is he saying he's smarter than Apple?

Apple knows what they are doing and if this is a fake, then it would be a good intention to cause a stir amongst all Apple users..

Apple has just told me that there is nothing in the regarding an update, since they don't even know about any SSL issue.

I know Apple keeps their secrets, but why would they keep a security issue they care about for all their users a secret?
 
Apple said they are aware of the issue and are going to fix it very soon, so clearly it's affected and they are working on fixing that: http://www.reuters.com/article/2014/02/22/us-apple-encryption-idUSBREA1L10220140222

There's no secret as it's been already disclosed and commented on by Apple too, and there will be more information about it when Apple releases an update to fix it in OS X.
 
If Apple (and all companies) don't work with independent, third party security firms, this is one reason why they should. Increasingly we are putting our most private information in the cloud and transmitting it daily.

Some of "us" are. Some of "us" are NOT. Some of "us" have suspected putting your personal information in the "Cloud" (i.e. a server connected to the Internet) is a REALLY REALLY BAD idea. But people will never learn until a disaster strikes. It is that way with literally everything in this world. They don't fix train crossings and put in traffic lights until after someone (usually several people) has died there, even though statistics for unsafe activities are almost always available before such disasters.

Putting things in the "Cloud" is a matter of convenience and NOTHING else. Storage on devices is higher than it has ever been and frankly, your entire tax records for an entire lifetime would fit on a thumb drive from 12 years ago. What's this "need" to put everything online other than some Orwellian nightmare cooked up by those that envision some grand network, nay a unified world order where servers have everything on them and computing devices are just terminals? Uh, that sort of thing is very 1970s and pointless today. There's too much risk and too little reward. But try telling that to the Facebook Generation that thinks tweeting when they're taking a dump is important for people to know. ;)

NO system is hack proof. NO system is 100% secure. Every time someone thinks it is so, someone smarter shows up and proves them wrong. The NSA can park their van outside your house and see what you're typing on a computer that isn't even connected to the Internet unless your entire house is shielded for EM radiation. Yeah, that's REALITY not some fantasy fiction. I guess Edward Snowden didn't get to try that one out personally or it'd be all over the news too.

Meanwhile, those that do their banking and other activities online would be well advised to use something like Firefox instead of Safari in the meantime (frankly, I've always hated Safari and I just keep finding out it's not my imagination). Notice how fast they got an iOS update out and how OS X users are still sitting there with the vulnerability going strong.... Apple doesn't give a crap about Macs compared to iPhones.
 

The NSA outside our house? No point in putting the scare in everyone.

Plus, Safari would be just fine..... since the SSL/TLS issue is only if you use the browser on open access points, or invite your friends over on the same network...

Be all, end all, I say.... If you treat yourself right, then there isn't a problem, regardless of security.. Not saying it shouldn't be fixed, but it only affects those who use their machines this way...

So, my personal view is, since I don't do any of this, expose myself on an open access point, share access with other people, then I have nothing to worry about...

Ergo, it's not as bad as it may seem; it depends on what you do.






I just talked to an Apple higher-up, and they confirmed it..... so yeah, you're right...


I never believe these security issues from someone else; I always feel I need to know from Apple's own mouth. Depends on the source, of course.
 
The NSA outside our house? No point in putting the scare in everyone.

I'm simply saying they can do it, not that they're there. :D Frankly, I think the whole thing is overblown. WTF do I care if the NSA sees something like my phone records? It'd be quite a boring view for them, I can guarantee that. They might find a good pizzeria in town, though.

Plus, Safari would be just fine..... since the SSL/TLS issue is only if you use the browser on open access points, or invite your friends over on the same network...

I'm not in such a habit, but I see quite a few Macbooks everywhere from Airport terminals to coffee shops. Sometimes it's just an OSX setting that lets the information out. I was in a hotel in Niagara Falls one time and someone's iTunes library was clearly set to open (without password) sharing since I could easily view all their music and videos from my own Macbook. I doubt they wanted it that way. They had a nice selection of Japanese music and quite a Sinatra collection to peruse. ;)

I'm no expert on SSL, etc., but that web site that tested my browser confirms the problem and I'm not on any public anything right now or even WiFi. So I figure if a web site can make the bug fail, then it might be a risk on certain web sites as well as snooping on open WiFi ones.


Ergo, it's not as bad as it may seem; it depends on what you do.

I'd simply like Apple to treat OS X in a timely fashion rather than a second cousin as they have been for several years now.
 
So are Apple going to block all these vulnerable apps from running until a fix is available? Or is that kind of calling-out just reserved for Flash.

Well if Apple pushes a block to all these vulnerable apps, they would be blocking the ability to fix any of these apps too (since they would be using Software Update to fix this and that's vulnerable too).
 
A nice dose of reality.

As revealed on No Agenda Show - this programming no-no, the open-ended goto statement, appeared 4 weeks before the Prism slide showed Apple had signed up for Prism.

Every one of the tech companies now complaining about openness and surveillance sold out their customers years ago to the government, for immunity from prosecution, should a customer want to come after them. Too late, they realise the error of their ways, and want to appear to be on the side of their customers.

Jobs held out against this. Maybe the government has something they're holding over Cook, but the era of trusting Apple is over.

Mr Flash, Kevin Lynch, responsible for the least secure software EVER, has taken control of Apple Technologies from Bob Mansfield, and Adobe uses Insight and Omniture to profile using "ad tracking" for intelligence services - likely the iPhone ad tracking reported recently.

Apple may still be the most trustworthy tech company, but we've lost the battle. Everything is wide open now. The Internet is a military technology, released to the public to get individuals and all commerce addicted to its possibilities, and now we're paying the price - the surveillance state.

Nothing is private. Anyone opposed to the military industrial complex agenda is by definition, the enemy, and now they have the citizenry under their complete control.

The only bright light here is that the backdoor Apple inserted is so simple and detectable, it's like they weren't really trying to hide it. Fight the good fight Tim!

NSA should be protecting the nation's communications, so NOBODY can read them. Instead it opens them up so ANYBODY can read them. This is no accident, no unintended consequence. You are supposed to feel naked and afraid, and that's why CIA employee Snowden has successfully executed "his mission" as he called it on German television recently - to make everyone feel afraid. The technology revealed in the 'leaks' is 30 years old and completely outdated now, no great loss.

If you need some comfort, you don't tell the rat he's in the maze, unless you've lost control of the amount of data you have to process and can't keep everyone under surveillance the way you used to. Don't believe for a second that the data isn't there if you need to be silenced, just that keeping up with it all is getting out of hand.

Nothing to hide? Today. Things change. Laws change. And do you know all the connections everyone you communicate with has? There only needs to be the implication, in this guilty 'till proven innocent society.
 
I was at a university on the network once and I was using iPhoto. An iPhoto shared library appeared in the side bar. I figured, hey, maybe another photographer who had some interesting photos to share!

Connect...

Nope, they were personal private photos. And when I say private, I mean PRIVATE. There were some very, shall we say, intimate images...
 
Denial from Apple that security issue exists

I am currently having an online chat with an Apple Ireland customer service rep and he/she is stonewalling on whether or not there are any security problems with OS X.

"From what I am seeing, at this point we cannot provide internal information that hasn't been released to the public. Which is why I am not finding a lot of information about it. We are not affiliated with Forbes or any other third party companies claiming an update or SSL risk. I can say though that if there's a risk we do address it as soon as possible and if this is the case we should be releasing an update soon."

He/she mentions Forbes because I cited their report on the issue.

I think this is very shoddy and reckless of Apple to refuse to tell us paying customers just what is going on.
 
4 days and still no fix released!! What is going on at Apple? Are they all on vacation this week, or just lazy?

----------

As revealed on No Agenda Show - this programming no-no, the open ended goto statement, appeared 4 weeks before the Prism slide showed Apple had signed up for Prism.

Does this explain why Apple are so reluctant to fix it? They would get in trouble with the NSA? I guess no-one wants to get in trouble with the NSA!
 
Yeah...that's why it's already fixed in iOS where there are way more users.

----------

Apple isn't really going to comment on it until they have a fix out for it so they can tell you how to actually fix it.
 
Did you forget to take coffee today?

Yep! Apple sucks and it's time to go back to Windoof! And, I think Tim Cook should be publicly shot, all Apple stores force closed by the government, all remaining stock of Apple products burned and the whole of computer science should be done away with. Just unacceptable that humans involved make errors.

What was wrong with drumming or pigeons anyway?
 
It passes 'the test', but the website says that they examined the 'versions'. Did they actually test them too?
Well, initially it might say the following:

"Safe.

We have examined your OS and browser version information and have determined you are not at risk without actually running the test. You may force the test to run anyway."

You can then select "force the test to run anyway" which will lead you to:

"Safe.

We have examined your OS and browser version information and determined that an active vulnerability test was appropriate. Fortunately, your browser correctly aborted loading our test image upon seeing an invalid ServerKeyExchange message."

Meaning that an actual test was executed.
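As an added example that is not part of the original thread and is not Apple's source code, here is a condensed C model of the duplicated unconditional goto that the No Agenda post above calls the "open-ended goto statement", together with the kind of probe the test site describes (a server sending a ServerKeyExchange whose signature does not verify, which a correct client must reject). The hash and signature primitives are toy stand-ins (a running checksum, with the "signature" being just the expected digest), the message bytes are constructed, and the OSStatus/goto fail layout and the errSSLCrypto code are assumptions modelled on the Secure Transport style; only the control-flow defect is the point.

```c
/* Added example, not Apple's code: a toy model of the CVE-2014-1266 "goto fail"
 * control-flow bug in a ServerKeyExchange signature check, beside the fixed form. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t OSStatus;
enum { errSecSuccess = 0, errSSLCrypto = -9809 };  /* assumed codes, Secure Transport style */

/* Toy hash stand-in: a running checksum. Real code would use SHA-1/SHA-256. */
typedef struct { uint32_t acc; } ToyHash;

static OSStatus toy_update(ToyHash *h, const uint8_t *p, size_t n)
{
    if (p == NULL)
        return errSSLCrypto;
    for (size_t i = 0; i < n; i++)
        h->acc = h->acc * 31u + p[i];
    return errSecSuccess;
}

static OSStatus toy_final(ToyHash *h, uint32_t *digest)
{
    *digest = h->acc;
    return errSecSuccess;
}

/* Toy signature stand-in: the "signature" must equal the digest. */
static OSStatus toy_verify(uint32_t digest, uint32_t signature)
{
    return digest == signature ? errSecSuccess : errSSLCrypto;
}

/* The ServerKeyExchange signature covers both randoms and the key parameters. */
typedef struct {
    const uint8_t *client_random, *server_random, *params;
    size_t n_client, n_server, n_params;
    uint32_t signature;  /* what the server sent */
} ServerKeyExchange;

/* Vulnerable shape: the second 'goto fail' is unconditional, so the params update,
 * the final() and the signature verify are skipped. err is still errSecSuccess
 * from the previous call, so the function returns success without checking. */
static OSStatus verify_ske_vulnerable(const ServerKeyExchange *m)
{
    OSStatus err;
    ToyHash h = { 0 };
    uint32_t digest = 0;

    if ((err = toy_update(&h, m->client_random, m->n_client)) != 0)
        goto fail;
    if ((err = toy_update(&h, m->server_random, m->n_server)) != 0)
        goto fail;
        goto fail;  /* the duplicated line: always taken, err == 0 here */
    if ((err = toy_update(&h, m->params, m->n_params)) != 0)
        goto fail;
    if ((err = toy_final(&h, &digest)) != 0)
        goto fail;
    err = toy_verify(digest, m->signature);
fail:
    return err;
}

/* Fixed shape: the stray goto is gone, and every body is braced so that an
 * indented stray line can never again silently become unconditional. */
static OSStatus verify_ske_fixed(const ServerKeyExchange *m)
{
    OSStatus err;
    ToyHash h = { 0 };
    uint32_t digest = 0;

    if ((err = toy_update(&h, m->client_random, m->n_client)) != 0) { goto fail; }
    if ((err = toy_update(&h, m->server_random, m->n_server)) != 0) { goto fail; }
    if ((err = toy_update(&h, m->params, m->n_params)) != 0)        { goto fail; }
    if ((err = toy_final(&h, &digest)) != 0)                        { goto fail; }
    err = toy_verify(digest, m->signature);
fail:
    return err;
}

/* Signature an honest server would send for this message (toy scheme). */
static uint32_t honest_signature(const ServerKeyExchange *m)
{
    ToyHash h = { 0 };
    uint32_t digest = 0;
    toy_update(&h, m->client_random, m->n_client);
    toy_update(&h, m->server_random, m->n_server);
    toy_update(&h, m->params, m->n_params);
    toy_final(&h, &digest);
    return digest;
}

/* Constructed handshake bytes (not captured traffic). */
static const uint8_t kClientRandom[] = "client-random-constructed";
static const uint8_t kServerRandom[] = "server-random-constructed";
static const uint8_t kParams[]       = "dh-params-constructed";

/* forged != 0 models the probe: a man in the middle sends its own params
 * with a signature that cannot verify (here: the honest value with a bit flipped). */
static ServerKeyExchange make_ske(int forged)
{
    ServerKeyExchange m = {
        kClientRandom, kServerRandom, kParams,
        sizeof kClientRandom, sizeof kServerRandom, sizeof kParams, 0
    };
    uint32_t good = honest_signature(&m);
    m.signature = forged ? (good ^ 1u) : good;
    return m;
}

/* 1 if the given verifier accepts a forged ServerKeyExchange (i.e. it is broken). */
static int accepts_forged_ske(OSStatus (*verify)(const ServerKeyExchange *))
{
    ServerKeyExchange m = make_ske(1);
    return verify(&m) == errSecSuccess;
}

/* 1 if the given verifier accepts an honest ServerKeyExchange (it must). */
static int accepts_honest_ske(OSStatus (*verify)(const ServerKeyExchange *))
{
    ServerKeyExchange m = make_ske(0);
    return verify(&m) == errSecSuccess;
}

int main(void)
{
    printf("vulnerable: honest=%d forged=%d\n",
           accepts_honest_ske(verify_ske_vulnerable),
           accepts_forged_ske(verify_ske_vulnerable));
    printf("fixed:      honest=%d forged=%d\n",
           accepts_honest_ske(verify_ske_fixed),
           accepts_forged_ske(verify_ske_fixed));
    return 0;
}
```

The vulnerable verifier accepts both the honest and the forged message, which is exactly why a probe server with a bogus ServerKeyExchange signature can tell a broken client from a correct one; the fixed verifier accepts only the honest one. Note that the failing code path never returns an error: it returns the stale success value, so a unit test that only checks the honest case passes on both versions. Building with warnings enabled helps here: recent gcc (-Wmisleading-indentation, on with -Wall) and clang (-Wunreachable-code) both flag the shape of the vulnerable function.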
 
Not very good research

This isn't very good research. All he's done is get a list of applications that use Apple's Security framework. That framework does a lot more than just SSL, so his "research" is not very useful.

The only applications which would be affected by this bug are those that use the Secure Transport section of that framework. That's a relatively small number of apps, overall.
 
MITM attacks can defeat SSL even without this bug if the user doesn't manually verify the certificate credentials by looking at the organization's name attributed to the certificate. This can be done using ettercap in combination with SSLstrip and other programs for such activities.

Even then a cross site scripting vulnerability in a client side app, such as the browser, which are found all the time can allow SSL credentials to be compromised via the ever so common phishing emails.

Most users don't know how to adequately protect themselves from those types of compromises so the presence of this issue doesn't really make unknowledgeable users less secure anyway.

This doesn't mean that this issue shouldn't be treated seriously but it isn't the end of the world that the media is making it out to be.
 
..... if people want all their info known that's fine, just as long as you never touch mine :)

I'll make sure of that by not telling.
 