Someone at Apple – possibly an NSA mole or possibly just an inattentive programmer – made a mistake and left a security hole in iPhone and Macintosh software. The new iPhone update closes the hole; a Mac update is doubtless en route.
Here’s the code. The key passage is:
if(…the certificate checks out…)
    goto fail;
    goto fail;
Things to keep in mind:
- Whether or not it was the work of a double agent, this coding blunder will be a legend, a staple of Introduction to Programming for decades to come.
- It’s interesting that we’re at a point where we can talk about an engineer at a computer company as a double agent, and everyone understands.
- This is not likely to affect your privacy. The bug makes it easier for the government to spy on your computer, but it’s not trivial: it probably means a team of people whose job is to bring you down. If the feds want you that badly, it’s likely that they could burgle your house, blackmail your maiden aunt, or threaten your kids.
- But of course, if your computer has secrets that the government would pay serious money to know, this is another reminder.
- I’m with Gruber: the most likely scenario is that someone got sloppy, and an automated testing program at NSA noticed the mistake and said “Look! They forgot to latch the door.”
- I never got onto the Structured Programming bandwagon, but it’s been a decade since I used a goto. There are no gotos in Tinderbox. I do use the unbracketed if statement, which is subject to the same kind of blunder, and actually need to fix one of these every year or two.
- This is an example of a particularly insidious class of bugs. Most of the time, this kind of mistake (a) won’t compile, or (b) crashes right away. Some of the time, this kind of mistake makes no difference. Whoever did this was really unlucky.
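To make the blunder concrete, here is an added example (not Apple's code and not from this post): a constructed three-step verifier written in the unbracketed-if shape with the duplicated goto, beside the same chain with braces. The check functions and their names are hypothetical stand-ins.

```c
/* Constructed stand-ins for a chain of verification steps; the names are
 * hypothetical. Each returns 0 on success and a nonzero error otherwise. */
static int check_a(int ok) { return ok ? 0 : -1; }
static int check_b(int ok) { return ok ? 0 : -2; }
static int check_c(int ok) { return ok ? 0 : -3; }

/* The blunder: an unbracketed if followed by a duplicated goto. The second
 * goto is not under the if, so it always runs. check_c becomes dead code,
 * and because err is still 0 at that point the function reports success. */
int verify_vulnerable(int a_ok, int b_ok, int c_ok)
{
    int err;
    if ((err = check_a(a_ok)) != 0)
        goto fail;
    if ((err = check_b(b_ok)) != 0)
        goto fail;
        goto fail;                      /* duplicated line: taken unconditionally */
    if ((err = check_c(c_ok)) != 0)     /* never reached */
        goto fail;
    return 0;
fail:
    return err;
}

/* The same chain with braces: a stray duplicate line now lands inside a
 * block and cannot change which checks run. */
int verify_fixed(int a_ok, int b_ok, int c_ok)
{
    int err;
    if ((err = check_a(a_ok)) != 0) {
        goto fail;
    }
    if ((err = check_b(b_ok)) != 0) {
        goto fail;
    }
    if ((err = check_c(c_ok)) != 0) {
        goto fail;
    }
    return 0;
fail:
    return err;
}
```

With the third check failing, verify_vulnerable(1, 1, 0) returns 0 (success) while verify_fixed(1, 1, 0) returns -3; compiling the first version with clang's -Wunreachable-code flags the dead check, which is the kind of warning that would have caught this.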