The bug was probably the result of some code that an NSA mole in Apple’s software division dropped in that was only supposed to let the three-letter agencies snoop, but, Office Space style, got screwed up by a simple typo and allowed anyone to snoop.
 
True, I agree. We do not know whether there was anything malicious or wrong yet. But why shouldn't we be curious about finding out? Seems some people would really rather not have any questions asked at all. Who do they work for?
We can certainly be curious, but part of what I was pointing out is that in many instances things like that don't really get public transparency, which has often been the norm. Again, it doesn't mean that it should be in all cases, and this might certainly be one where some more information would be good to have, but it's not strange or new for it all to be dealt with without the details being publicly shared in general, let alone as things are being dealt with.
 
Why didn't they do that when they were first notified? Why did they wait until it went public?
Perhaps investigations and analysis had to be done to understand the issue and what would resolve it or even mitigate it while a resolution is being worked on. Some risk analysis and exposure of the issue was more than likely involved which changed once the issue started to become widespread? All these types of things are fairly typical things that pretty much any company or organization goes through when presented with a potential issue.
 
The agents of the Beast are looking for another way to extort some more money under the pretense of "protecting the people" crap.....lol
Are you implying that Apple, Google, Microsoft, Facebook, etc are just innocent victims and not the servants of the system ?
 
Probably not a good idea to have a congressional hearing about every software bug..

Let Apple's track record about privacy speak for itself.

It's not about the bug itself, it's about Apple's slow, arrogant response to the bug. If Apple cared about privacy beyond a marketing tag line that feeds on a base human fear (as good marketing tag lines do), they would have jumped on the bug and shut things down days earlier. Pure arrogance and neglect on Apple's part.
 
What track record?
  • Their newest hardware product (HomePod) let anyone bypass security to access private messages on a connected iPhone.
  • Their latest software product (Group FaceTime) let anyone bypass security to access audio/video on an iPhone.
  • Their App Store has recently been exposed to be filled with numerous apps breaking the terms of service to sell users' data.

The app store issue is to some extent impossible to avoid. But the other two are strong signs that Apple has some serious security problems. Specifically, critical systems are obviously not receiving adequate security review, and engineers are obviously not receiving proper training about how to write secure software.

Writing secure software is more than just safe string handling, fuzzing, and code-level security; the most important parts are ensuring defense in depth, assuming every client and server is hostile, doing threat modeling to find sensitive targets, figuring out ways to mitigate those threats, etc.

From a threat modeling perspective, there are only two interesting ways to attack a video chat app: passively snoop communication in progress or use the app to passively snoop on someone who is not in a call. Mitigating those two threats should have been a topic of conversation in basically every single meeting all the way through the design process, through implementation, testing, etc. And if they had been, there should be no possible way that a bug like this could have occurred.

You see, at least three different pieces of code must have failed to do the right thing for this failure to occur.
  • The client failed to recognize that the call had not yet been accepted, and allowed the user to push buttons to move from a two-person chat to a group chat before the connection was live.
  • The server failed to refuse an improper request from the client to convert a two-person chat into a group chat before it was actually connected.
  • The client failed to refuse an improper request to send video and audio data to the server prior to the user accepting the call.
So all evidence points to this being a fairly serious design mistake that permeates the entire architecture, likely caused by everybody assuming that somebody else was responsible for managing the call state and ensuring that all requests were legitimate.

This also strongly suggests that this failure would not have occurred if Apple had published full documentation for FaceTime and made it an open industry standard like SJ promised when he first announced the technology. There were clearly not enough eyes on this technology, and open standards are a great way of increasing the number of eyes.

Apple needs to get back to the values that it held before the iPhone — things like open standards, open source for security-critical operating system components, etc. If it doesn't, these sorts of ridiculous mistakes will just keep happening. And Apple needs better security training. They need these concepts drilled into every new employee from day one. Security is everyone's responsibility.
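The three missing checks listed in the post above (client UI gated on call state, server refusing a group conversion before the call is live, client refusing to send media before the user accepts) map naturally onto a small call-state model. The following is an added example written for this thread, not FaceTime code or anything from Apple; the `CallServer`, `CallClient` and `CallState` names are hypothetical, and the point is that the server holds the authoritative state and validates every request against it rather than trusting the client, while the client independently refuses to start capture until the local user has accepted.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class CallState(Enum):
    RINGING = auto()   # invite sent; callee has not accepted yet
    ACTIVE = auto()    # callee accepted; media may flow
    ENDED = auto()


class CallStateError(Exception):
    """Raised when a request is not valid in the call's current state."""


@dataclass
class Call:
    call_id: str
    caller: str
    callee: str
    state: CallState = CallState.RINGING
    participants: set = field(default_factory=set)

    def __post_init__(self):
        # Only the caller is "in" the call until the callee accepts.
        self.participants = {self.caller}


class CallServer:
    """Hypothetical signalling server: owns the authoritative call state and
    checks every request against it instead of trusting the client."""

    def __init__(self):
        self.calls = {}

    def invite(self, call_id, caller, callee):
        self.calls[call_id] = Call(call_id, caller, callee)

    def accept(self, call_id, who):
        call = self.calls[call_id]
        if call.state is not CallState.RINGING or who != call.callee:
            raise CallStateError(f"{who} cannot accept {call_id} in {call.state.name}")
        call.state = CallState.ACTIVE
        call.participants.add(who)

    def add_participant(self, call_id, requester, newcomer):
        """Converting a 1:1 call into a group call (the post's second check)."""
        call = self.calls[call_id]
        if requester not in call.participants:
            raise CallStateError(f"{requester} is not a participant of {call_id}")
        if call.state is not CallState.ACTIVE:
            raise CallStateError(f"cannot add {newcomer}: {call_id} is {call.state.name}")
        call.participants.add(newcomer)

    def media_allowed(self, call_id, who):
        """Media relay is permitted only for participants of an ACTIVE call."""
        call = self.calls[call_id]
        return call.state is CallState.ACTIVE and who in call.participants


class CallClient:
    """Hypothetical device-side client: refuses to start capture before the
    local user has accepted, whatever the UI or server says (the post's
    first and third checks)."""

    def __init__(self, user, server):
        self.user = user
        self.server = server
        self.accepted = set()

    def accept(self, call_id):
        self.server.accept(call_id, self.user)
        self.accepted.add(call_id)

    def start_media(self, call_id):
        if call_id not in self.accepted:
            raise CallStateError(f"{self.user} has not accepted {call_id}")
        if not self.server.media_allowed(call_id, self.user):
            raise CallStateError("server does not permit media yet")
        return True

    def add_to_group(self, call_id, newcomer):
        # The UI should hide this control while ringing; the server check holds regardless.
        self.server.add_participant(call_id, self.user, newcomer)


def walkthrough():
    """Replays the ringing-phase requests the post describes on a constructed
    call and records which layer rejected each one."""
    server = CallServer()
    alice, bob = CallClient("alice", server), CallClient("bob", server)
    server.invite("c1", "alice", "bob")
    out = {}
    try:  # caller tries to escalate to a group call while the callee is still ringing
        alice.add_to_group("c1", "alice-second-device")
        out["group_while_ringing"] = "allowed"
    except CallStateError:
        out["group_while_ringing"] = "rejected_by_server"
    try:  # callee's device must not stream before the user accepts
        bob.start_media("c1")
        out["media_before_accept"] = "allowed"
    except CallStateError:
        out["media_before_accept"] = "rejected_by_client"
    bob.accept("c1")                      # now the call is ACTIVE
    out["media_after_accept"] = bob.start_media("c1")
    alice.add_to_group("c1", "carol")     # group conversion is legitimate now
    out["participants"] = sorted(server.calls["c1"].participants)
    return out


if __name__ == "__main__":
    print(walkthrough())
```

Because each layer re-derives its decision from the call state rather than assuming another layer already checked, a UI bug that exposes the group-call control early is caught by the server, and a server bug that accepts the conversion is still caught by the callee's client refusing to capture media before a local accept.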
 
The privacy spin is smoke and mirrors after all.

Big question is, is it a NSA or PLA intended feature? On the surface, Apple seem to be against working with NSA on domestic terrorism while bending backwards to fulfill PLA request to move user iCloud data to China servers so it's not clear.
 
Probably not a good idea to have a congressional hearing about every software bug..

Let Apple's track record about privacy speak for itself.
Apple has money and brand image to protect. That’s the difference. Every vulture will want a piece of the pie.

Any of them cared about Facebook and Google misusing their certs? Nada.
 
Probably not a good idea to have a congressional hearing about every software bug..

Let Apple's track record about privacy speak for itself.
Well, it's not a hearing, it's a letter requesting information. This is quite normal and has happened numerous times before. Apple will send back a nice letter, and that will probably be the end of it.

I do agree that Apple's record on privacy is far better than most other companies.
 
It's not about the bug itself, it's about Apple's slow, arrogant response to the bug. If Apple cared about privacy beyond a marketing tag line that feeds on a base human fear (as good marketing tag lines do), they would have jumped on the bug and shut things down days earlier. Pure arrogance and neglect on Apple's part.
Quite a few assumptions and jumps to conclusions there.
 
Not as dumb as it looks. Anyone who sees the "like" count on MR posts irrationally bashing Apple knows there's a constituency there.
 
I probably have an unpopular opinion, but as a software developer myself I have to be empathetic. In the face of a serious security bug, the goal is to release a fix, NOT to release something fast. If there is ANY time in software development to take your time, it's when a security issue is being addressed. I'm sure there are lots of annoyed people who want group FaceTime, but honestly, would you rather have the security bug?

I also understand there being some time between the reporting of the bug and the response. One week is actually quite fast for an organization as large as Apple. A simple bug report has to go through many layers before it reaches the developers. It first has to be taken and triaged, input into a bug tracker, tested, identified (as to whether it's actually a bug or some kind of user error), prioritized and finally evaluated by developers. On top of that, the PR department in a large company has to tread carefully and determine the most appropriate public response to serious bugs. It thus makes sense that you don't make any statement until you are prepared to. (Look at how often people speaking "off-the-cuff" has gotten them in trouble in recent years...)

I'd honestly say for all of this to happen within one week is pretty quick - I'm sure shutting off Group FaceTime at the server level is not something a small team of developers or bug testers can decide - that decision likely had to go through many layers of management, and the fact that the bug triage, testing, identification AND the decision to shut off a major service was ALL done in one week is, to me, impressive.

I'll say this much as well. Any software developer probably knows the experience of being told by a client or other external entity something along the lines of "Oh come on, you're smart, can't you make it happen faster?" A lot of the complaints about things being too slow or the fact that the bug exists in the first place are simply people who don't understand just how complex software development can be, especially when you are as large as Apple.

Keep calm and wait, people. The world isn't ending. The exploit is closed, and Apple is taking their time to make sure the bug is truly fixed. I'm actually against a lot of Apple's current business practices, but in this specific case I think people need to calm down a little.
 
As if:
1. Apple maliciously inserted the bug,
2. Apple can track the innards of legitimate API calls in its apps. If Google can’t do it with their vast market share, how can Apple scrutinize every app at that level? What hyperbole.

No one said it was malicious. The evidence is clear; Apple like to talk a big game on privacy but in practice don't have the competence or willingness to implement it.
It doesn't look like you're making a comparative argument vs other vendors?

If other vendors screw up they should also be questioned. Contrary to Apple's PR they don't actually have some impeccable track record that should give them the benefit of the doubt. Tim has made it clear that under his leadership profit comes above anything else (just like most other companies). Apple deserve no special consideration.
 
No one said it was malicious. The evidence is clear; Apple like to talk a big game on privacy but in practice don't have the competence or willingness to implement it.

If other vendors screw up they should also be questioned. Contrary to Apple's PR they don't actually have some impeccable track record that should give them the benefit of the doubt. Tim has made it clear that under his leadership profit comes above anything else (just like most other companies). Apple deserve no special consideration.
The evidence isn't actually clear. The conjectures are actually clear.

To a few points:
- Apple has a fairly good track record contrary to your opinion. No company that develops software is 100%.
- Steve started with profits first. What was the price of the original iPhone 1, which then got reduced? Tim isn’t doing anything Steve didn’t regarding margins and profits.
- Apple doesn’t deserve any special consideration but they don't deserve any special criticism either. Can’t have it both ways.
 
Wow, contrary to my expectation when reading the first questions, they really did get even more stupid towards the end.
 
I probably have an unpopular opinion, but as a software developer myself I have to be empathetic. In the face of a serious security bug, the goal is to release a fix, NOT to release something fast. If there is ANY time in software development to take your time, it's when a security issue is being addressed. I'm sure there are lots of annoyed people who want group FaceTime, but honestly, would you rather have the security bug?

I also understand there being some time between the reporting of the bug and the response. One week is actually quite fast for an organization as large as Apple. A simple bug report has to go through many layers before it reaches the developers. It first has to be taken and triaged, input into a bug tracker, tested, identified (as to whether it's actually a bug or some kind of user error), prioritized and finally evaluated by developers. On top of that, the PR department in a large company has to tread carefully and determine the most appropriate public response to serious bugs. It thus makes sense that you don't make any statement until you are prepared to. (Look at how often people speaking "off-the-cuff" has gotten them in trouble in recent years...)

I'd honestly say for all of this to happen within one week is pretty quick - I'm sure shutting off Group FaceTime at the server level is not something a small team of developers or bug testers can decide - that decision likely had to go through many layers of management, and the fact that the bug triage, testing, identification AND the decision to shut off a major service was ALL done in one week is, to me, impressive.

I'll say this much as well. Any software developer probably knows the experience of being told by a client or other external entity something along the lines of "Oh come on, you're smart, can't you make it happen faster?" A lot of the complaints about things being too slow or the fact that the bug exists in the first place are simply people who don't understand just how complex software development can be, especially when you are as large as Apple.

Keep calm and wait, people. The world isn't ending. The exploit is closed, and Apple is taking their time to make sure the bug is truly fixed. I'm actually against a lot of Apple's current business practices, but in this specific case I think people need to calm down a little.
Thank you for this post. I think most will ignore it, but I wanted to say something similar to this. While I’m not purely a software developer, I do have to do some. I’m primarily focused on security and think Apple’s handling of this is above expectations. One thing to add is that it is not always easy to turn off a portion of a feature. It’s not as simple as commenting out a few lines of code or flipping a switch. Like you said, once a potential fix is identified, it needs to go through a proper QA, not only to determine that the fix resolved the issue, but to ensure that all the intended features still work properly. I wouldn’t rule out the feature being removed from an updated release of iOS and returning in a public beta for more testing.

From a software developer perspective or security perspective, the unrealistic expectations from many of the commenters here are unsettling as it is not possible to meet and in many cases dangerous to try.
 
Those politicians, instead of harassing Apple (which is still a valid concern in my opinion), should instead be knocking on Google’s and Facebook’s door and asking similar questions about privacy, misuse of certificates, etc. Would love to see that instead.
 
I applaud the Government for stepping in.
I want to know exactly why apple was NOT aware of the “bug” and why they didn’t tell us before they knew.
I want answers.
More political attention seeking BS! What they should really focus on are these Social media sites that are purposely taking advantage of people rather than mistakes that they don’t even understand and are being fixed.
It’s all about finding ways/excuses to show people why the “government” needs to have control of everything. After all, they’re there to protect us.
 