U.S. Committee Sends Letter to Tim Cook Asking for Answers About Group FaceTime Eavesdropping Flaw

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 5, 2019.

  1. SPUY767 macrumors 68020


    Jun 22, 2003
    The bug was probably the result of some code that an NSA mole in apple’s software division dropped in that was only supposed to let the Three letter agencies snoop, but Office Space style, got screwed up by a simple typo and allowed anyone to snoop.
  2. C DM macrumors Sandy Bridge

    Oct 17, 2011
    We can certainly be curious, but part of what I was pointing out is that in many instances things like that don't really get public transparency, which has often been the norm. Again, it doesn't mean that it should be in all cases, and this might certainly be one where some more information would be good to have, but it's not strange or new for it all to be dealt with without the details being publicly shared in general, let alone as things are being dealt with.
  3. I7guy macrumors P6


    Nov 30, 2013
    Gotta be in it to win it
    The one in iOS 7?
  4. IG88 macrumors 6502


    Nov 4, 2016
    Why didn't they do that when they were first notified? Why did they wait until it went public?
  5. TonyC28 macrumors 65816


    Aug 15, 2009
    Is there any chance this was done intentionally by some programmer?
  6. C DM macrumors Sandy Bridge

    Oct 17, 2011
    Perhaps investigations and analysis had to be done to understand the issue and what would resolve it or even mitigate it while a resolution is being worked on. Some risk analysis and exposure of the issue was more than likely involved which changed once the issue started to become widespread? All these types of things are fairly typical things that pretty much any company or organization goes through when presented with a potential issue.
  7. grad macrumors regular

    Jun 2, 2014
    Are you implying that Apple, Google, Microsoft, Facebook, etc are just innocent victims and not the servants of the system ?
  8. MarkB786 macrumors 6502a

    Sep 20, 2016
    Rocky Mountains, USA
    It's not about the bug itself, it's about Apple's slow, arrogant response to the bug. If Apple cared about privacy beyond a marketing tag line that feeds on a base human fear (as good marketing tag lines do), they would have jumped on the bug and shut things down days earlier. Pure arrogance and neglect on Apple's part.
  9. mkldev macrumors regular

    Apr 1, 2003
    The app store issue is to some extent impossible to avoid. But the other two are strong signs that Apple has some serious security problems. Specifically, critical systems are obviously not receiving adequate security review, and engineers are obviously not receiving proper training about how to write secure software.

    Writing secure software is more than just safe string handling, fuzzing, and code-level security; the most important parts are ensuring defense in depth, assuming every client and server is hostile, doing threat modeling to find sensitive targets, figuring out ways to mitigate those threats, etc.

    From a threat modeling perspective, there are only two interesting ways to attack a video chat app: passively snoop communication in progress or use the app to passively snoop on someone who is not in a call. Mitigating those two threats should have been a topic of conversation in basically every single meeting all the way through the design process, through implementation, testing, etc. And if they had been, there should be no possibly way that a bug like this could have occurred.

    You see, at least three different pieces of code must have failed to do the right thing for this failure to occur.
    • The client failed to recognize that the call had not yet been accepted, and allowed the user to push buttons to move from a two-person chat to a group chat before the connection was live.
    • The server failed to refuse an improper request from the client to convert a two-person chat into a group chat before it was actually connected.
    • The client failed to refuse an improper request to send video and audio data to the server prior to the user accepting the call.
    So all evidence points to this being a fairly serious design mistake that permeates the entire architecture, likely caused by everybody assuming that somebody else was responsible for managing the call state and ensuring that all requests were legitimate.

    This also strongly suggests that this failure would not have occurred if Apple had published full documentation for FaceTime and made it an open industry standard like SJ promised when he first announced the technology. There were clearly not enough eyes on this technology, and open standards are a great way of increasing the number of eyes.

    Apple needs to get back to the values that it held before the iPhone — things like open standards, open source for security-critical operating system components, etc. If it doesn't, these sorts of ridiculous mistakes will just keep happening. And Apple needs better security training. They need these concepts drilled into every new employee from day one. Security is everyone's responsibility.
  10. mi7chy, Feb 5, 2019
    Last edited: Feb 5, 2019

    mi7chy macrumors 603


    Oct 24, 2014
    The privacy spin is smoke and mirrors after all.

    Big question is, is it a NSA or PLA intended feature? On the surface, Apple seem to be against working with NSA on domestic terrorism while bending backwards to fulfill PLA request to move user iCloud data to China servers so it's not clear.
  11. pika2000 macrumors 601

    Jun 22, 2007
    Apple has money and brand image to protect. That’s the difference. Every vulture will want a piece of the pie.

    Any of them cared about Facebook and Google misusing their certs? Nada.
  12. CarlJ macrumors 68030


    Feb 23, 2004
    San Diego, CA, USA
    Well, it's not a hearing, it's a letter requesting information. This is quite normal and has happened numerous times before. Apple will send back a nice letter, and that will probably be the end of it.

    I do agree that Apple's record on privacy is far better than most other companies.
  13. C DM macrumors Sandy Bridge

    Oct 17, 2011
    Quite a few assumptions and jumps to conclusions there.
  14. Analog Kid macrumors 601

    Analog Kid

    Mar 4, 2003
    Not as dumb as it looks. Anyone who sees the the "like" count on MR posts irrationally bashing Apple knows there's a constituency there.
  15. WatchFromAfar macrumors 65816


    Jan 26, 2017
    Just because other vendors are bad too does that make it OK for Apple?
  16. fmillion macrumors member

    Jun 16, 2011
    I probably have an unpopular opinion, but as a software developer myself I have to be empathetic. In the face of a serious security bug, the goal is to release a fix, NOT to release something fast. If there is ANY time in software development to take your time, it's when a security issue is being addressed. I'm sure there are lots of annoyed people who want group FaceTime, but honestly, would you rather have the security bug?

    I also understand there being some time between the reporting of the bug and the response. One week is actually quite fast for an organization as large as Apple. A simple bug report has to go through many layers before it reaches the developers. It first has to be taken and triaged, input into a bug tracker, tested, identified (as to whether it's actually a bug or some kind of user error), prioritized and finally evaluated by developers. On top of that, the PR department in a large company has to tread carefully and determine the most appropriate public response to serious bugs. It thus makes sense that you don't make any statement until you are prepared to. (Look at how often people speaking "off-the-cuff" has gotten them in trouble in recent years...)

    I'd honestly say for all of this to happen within one week is pretty quick - I'm sure shutting off Group FaceTime at the server level is not something a small team of developers or bug testers can decide - that decision likely had to go through many layers of management, and the fact that the bug triage, testing, identification AND the decision to shut off a major service was ALL done in one week is, to me, impressive.

    I'll say this much as well. Any software developer probably knows the experience of being told by a client or other external entity something along the lines of "Oh come on, you're smart, can't you make it happen faster?" A lot of the complaints about things being too slow or the fact that the bug exists in the first place are simply people who don't understand just how complex software development can be, especially when you are as large as Apple.

    Keep calm and wait, people. The world isn't ending. The exploit is closed, and Apple is taking their time to make sure the bug is truly fixed. I'm actually against a lot of Apple's current business practices, but in this specific case I think people need to calm down a little.
  17. Khedron macrumors 6502a

    Sep 27, 2013
    No one said it was malicious. The evidence is clear; Apple like to talk a big game on privacy but in practice don't have the competence or willingness to implement it.
    --- Post Merged, Feb 6, 2019 ---
    If other vendors screw up they should also be questioned. Contrary to Apple's PR they don't actually have some impeccable track record that should give them the benefit of the doubt. Tim has made it clear that under his leadership profit comes above anything else (just like most other companies). Apple deserve no special consideration.
  18. chris1958 macrumors newbie

    Jan 9, 2018
    Would you say so even when you are told that juicy pictures taken in your bedroom are spreading in the internet?
  19. I7guy, Feb 6, 2019
    Last edited: Feb 6, 2019

    I7guy macrumors P6


    Nov 30, 2013
    Gotta be in it to win it
    The evidence isn't actually clear. The conjectures are actually clear.

    To a few points:
    - Apple has a fairly good track record contrary to your opinion. No company that develops software is 100%.
    - Steve started with profits first. What was the price of the original iPhone 1, that got reduced. Tim isn’t do anything Steve didn’t regarding margins and profits.
    - Apple doesn’t deserve any special consideration but they don't deserve any special criticism either. Can’t have it both ways.
  20. Taipan macrumors 6502

    Jun 23, 2003
    Wow, contrary to my expectation when reading the first questions, they really did get even more stupid towards the end.
  21. Nick05 macrumors member


    Aug 5, 2011
    Thank you for this post. I think most will ignore it, but I wanted to say something similar to this. While I’m not purely a software developer, I do have to do some. I’m primarily focused on security and think Apple’s handling of this is above expectations. One thing to add is that it is not alwasy easy to turn off a portion of a feature. It’s not as simple as commenting out a few lines of code or flipping a switch. Like you said, once a potential fix is identified, it needs to go through a proper QA, not only to determine that the fix resolved the issue, but to ensure that all the intended features still work properly. I wouldn’t rule it out the feature being removed from an updated releases of iOS and returning in a public beta for more testing.

    From a software developer perspective or security perspective, the unrealistic expectations from many of the commenters here are unsettling as it is not possible to meet and in many cases dangerous to try.
  22. cocky jeremy macrumors 68040

    cocky jeremy

    Jul 12, 2008
    Columbus, OH
  23. mlody macrumors 6502a

    Nov 11, 2012
    Windy City
    Those politicians instead of harrasing Apple (which is still valid concer in my opinion) should instead be knocking on Google’s and Facebook’s door and asking similar questions about privacy, misuse of certificates etc. Would love to see that instead.
  24. bruinsrme macrumors 603


    Oct 26, 2008
    I applaud the Government for stepping in.
    I want to know exactly why apple was NOT aware of the “bug” and why they didn’t tell us before they knew.
    I want answers.
    --- Post Merged, Feb 6, 2019 ---
    it’s all about finding ways/excuses to show people why the “government” needs to have control of everything. After all they’re there to protect us.
  25. MacBH928 macrumors 68030


    May 17, 2008
    Really? They are upset over a software bug but ok with FB and Google business model?

Share This Page