The bug was probably the result of some code that an NSA mole in apple’s software division dropped in that was only supposed to let the Three letter agencies snoop, but Office Space style, got screwed up by a simple typo and allowed anyone to snoop.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
U.S. Committee Sends Letter to Tim Cook Asking for Answers About Group FaceTime Eavesdropping Flaw
- Thread starter MacRumors
- Start date
- Sort by reaction score
We can certainly be curious, but part of what I was pointing out is that in many instances things like that don't really get public transparency, which has often been the norm. Again, it doesn't mean that it should be in all cases, and this might certainly be one where some more information would be good to have, but it's not strange or new for it all to be dealt with without the details being publicly shared in general, let alone as things are being dealt with.
Why didn't they do that when they were first notified? Why did they wait until it went public?
Perhaps investigations and analysis had to be done to understand the issue and what would resolve it or even mitigate it while a resolution is being worked on. Some risk analysis and exposure of the issue was more than likely involved which changed once the issue started to become widespread? All these types of things are fairly typical things that pretty much any company or organization goes through when presented with a potential issue.
Are you implying that Apple, Google, Microsoft, Facebook, etc are just innocent victims and not the servants of the system ?
It's not about the bug itself, it's about Apple's slow, arrogant response to the bug. If Apple cared about privacy beyond a marketing tag line that feeds on a base human fear (as good marketing tag lines do), they would have jumped on the bug and shut things down days earlier. Pure arrogance and neglect on Apple's part.
The app store issue is to some extent impossible to avoid. But the other two are strong signs that Apple has some serious security problems. Specifically, critical systems are obviously not receiving adequate security review, and engineers are obviously not receiving proper training about how to write secure software.
Writing secure software is more than just safe string handling, fuzzing, and code-level security; the most important parts are ensuring defense in depth, assuming every client and server is hostile, doing threat modeling to find sensitive targets, figuring out ways to mitigate those threats, etc.
From a threat modeling perspective, there are only two interesting ways to attack a video chat app: passively snoop communication in progress or use the app to passively snoop on someone who is not in a call. Mitigating those two threats should have been a topic of conversation in basically every single meeting all the way through the design process, through implementation, testing, etc. And if they had been, there should be no possibly way that a bug like this could have occurred.
You see, at least three different pieces of code must have failed to do the right thing for this failure to occur.
- The client failed to recognize that the call had not yet been accepted, and allowed the user to push buttons to move from a two-person chat to a group chat before the connection was live.
- The server failed to refuse an improper request from the client to convert a two-person chat into a group chat before it was actually connected.
- The client failed to refuse an improper request to send video and audio data to the server prior to the user accepting the call.
This also strongly suggests that this failure would not have occurred if Apple had published full documentation for FaceTime and made it an open industry standard like SJ promised when he first announced the technology. There were clearly not enough eyes on this technology, and open standards are a great way of increasing the number of eyes.
Apple needs to get back to the values that it held before the iPhone — things like open standards, open source for security-critical operating system components, etc. If it doesn't, these sorts of ridiculous mistakes will just keep happening. And Apple needs better security training. They need these concepts drilled into every new employee from day one. Security is everyone's responsibility.
The privacy spin is smoke and mirrors after all.
Big question is, is it a NSA or PLA intended feature? On the surface, Apple seem to be against working with NSA on domestic terrorism while bending backwards to fulfill PLA request to move user iCloud data to China servers so it's not clear.
Big question is, is it a NSA or PLA intended feature? On the surface, Apple seem to be against working with NSA on domestic terrorism while bending backwards to fulfill PLA request to move user iCloud data to China servers so it's not clear.
Last edited:
Apple has money and brand image to protect. That’s the difference. Every vulture will want a piece of the pie.
Any of them cared about Facebook and Google misusing their certs? Nada.
Well, it's not a hearing, it's a letter requesting information. This is quite normal and has happened numerous times before. Apple will send back a nice letter, and that will probably be the end of it.
I do agree that Apple's record on privacy is far better than most other companies.
Quite a few assumptions and jumps to conclusions there.
Not as dumb as it looks. Anyone who sees the the "like" count on MR posts irrationally bashing Apple knows there's a constituency there.
I probably have an unpopular opinion, but as a software developer myself I have to be empathetic. In the face of a serious security bug, the goal is to release a fix, NOT to release something fast. If there is ANY time in software development to take your time, it's when a security issue is being addressed. I'm sure there are lots of annoyed people who want group FaceTime, but honestly, would you rather have the security bug?
I also understand there being some time between the reporting of the bug and the response. One week is actually quite fast for an organization as large as Apple. A simple bug report has to go through many layers before it reaches the developers. It first has to be taken and triaged, input into a bug tracker, tested, identified (as to whether it's actually a bug or some kind of user error), prioritized and finally evaluated by developers. On top of that, the PR department in a large company has to tread carefully and determine the most appropriate public response to serious bugs. It thus makes sense that you don't make any statement until you are prepared to. (Look at how often people speaking "off-the-cuff" has gotten them in trouble in recent years...)
I'd honestly say for all of this to happen within one week is pretty quick - I'm sure shutting off Group FaceTime at the server level is not something a small team of developers or bug testers can decide - that decision likely had to go through many layers of management, and the fact that the bug triage, testing, identification AND the decision to shut off a major service was ALL done in one week is, to me, impressive.
I'll say this much as well. Any software developer probably knows the experience of being told by a client or other external entity something along the lines of "Oh come on, you're smart, can't you make it happen faster?" A lot of the complaints about things being too slow or the fact that the bug exists in the first place are simply people who don't understand just how complex software development can be, especially when you are as large as Apple.
Keep calm and wait, people. The world isn't ending. The exploit is closed, and Apple is taking their time to make sure the bug is truly fixed. I'm actually against a lot of Apple's current business practices, but in this specific case I think people need to calm down a little.
I also understand there being some time between the reporting of the bug and the response. One week is actually quite fast for an organization as large as Apple. A simple bug report has to go through many layers before it reaches the developers. It first has to be taken and triaged, input into a bug tracker, tested, identified (as to whether it's actually a bug or some kind of user error), prioritized and finally evaluated by developers. On top of that, the PR department in a large company has to tread carefully and determine the most appropriate public response to serious bugs. It thus makes sense that you don't make any statement until you are prepared to. (Look at how often people speaking "off-the-cuff" has gotten them in trouble in recent years...)
I'd honestly say for all of this to happen within one week is pretty quick - I'm sure shutting off Group FaceTime at the server level is not something a small team of developers or bug testers can decide - that decision likely had to go through many layers of management, and the fact that the bug triage, testing, identification AND the decision to shut off a major service was ALL done in one week is, to me, impressive.
I'll say this much as well. Any software developer probably knows the experience of being told by a client or other external entity something along the lines of "Oh come on, you're smart, can't you make it happen faster?" A lot of the complaints about things being too slow or the fact that the bug exists in the first place are simply people who don't understand just how complex software development can be, especially when you are as large as Apple.
Keep calm and wait, people. The world isn't ending. The exploit is closed, and Apple is taking their time to make sure the bug is truly fixed. I'm actually against a lot of Apple's current business practices, but in this specific case I think people need to calm down a little.
No one said it was malicious. The evidence is clear; Apple like to talk a big game on privacy but in practice don't have the competence or willingness to implement it.
[doublepost=1549451440][/doublepost]
If other vendors screw up they should also be questioned. Contrary to Apple's PR they don't actually have some impeccable track record that should give them the benefit of the doubt. Tim has made it clear that under his leadership profit comes above anything else (just like most other companies). Apple deserve no special consideration.
Would you say so even when you are told that juicy pictures taken in your bedroom are spreading in the internet?
The evidence isn't actually clear. The conjectures are actually clear.
To a few points:
- Apple has a fairly good track record contrary to your opinion. No company that develops software is 100%.
- Steve started with profits first. What was the price of the original iPhone 1, that got reduced. Tim isn’t do anything Steve didn’t regarding margins and profits.
- Apple doesn’t deserve any special consideration but they don't deserve any special criticism either. Can’t have it both ways.
Last edited:
Thank you for this post. I think most will ignore it, but I wanted to say something similar to this. While I’m not purely a software developer, I do have to do some. I’m primarily focused on security and think Apple’s handling of this is above expectations. One thing to add is that it is not alwasy easy to turn off a portion of a feature. It’s not as simple as commenting out a few lines of code or flipping a switch. Like you said, once a potential fix is identified, it needs to go through a proper QA, not only to determine that the fix resolved the issue, but to ensure that all the intended features still work properly. I wouldn’t rule it out the feature being removed from an updated releases of iOS and returning in a public beta for more testing.
From a software developer perspective or security perspective, the unrealistic expectations from many of the commenters here are unsettling as it is not possible to meet and in many cases dangerous to try.
I applaud the Government for stepping in.
I want to know exactly why apple was NOT aware of the “bug” and why they didn’t tell us before they knew.
I want answers.
[doublepost=1549459593][/doublepost]
I want to know exactly why apple was NOT aware of the “bug” and why they didn’t tell us before they knew.
I want answers.
[doublepost=1549459593][/doublepost]
it’s all about finding ways/excuses to show people why the “government” needs to have control of everything. After all they’re there to protect us.
Really? They are upset over a software bug but ok with FB and Google business model?