

Apple SSL/TLS bug is possibly a deliberate job - yuvadam
https://gist.github.com/alexyakoubian/9151610/revisions

======
archgrove
Or, it was a stupid mistake. The kind that happens every day, in every
program, in the known universe.

If we're going to entertain conspiracy theories, I favour "A rogue Google
agent snuck in to Apple headquarters and edited the file whilst the user was
out for lunch". Or perhaps Zergloids. Come on people, we're getting as bad as
Slashdot over here!

~~~
yuvadam
Did you look at the diff? Did you see that it is the only diff in that hunk?
Do you not agree that that is - at the very least - suspicious?

~~~
archgrove
Yes, I looked at the diff. A diff like the author probably had been looking
through all day. You've never missed a line? They probably thought it was just
whitespace changes or, you know, just missed it entirely.

If we're going to claim this is deliberate, then the same accusation can be
levelled at _every_ security bug ever introduced in an edit. This is not
evidence, it's just trolling.

------
abalone
"Bug is possibly an inside job"

And the author of that headline is possibly beating his wife.

~~~
babesh
Maybe but let's not assume that the author is male.

~~~
lstamour
... let's not assume being the point of the comment. :)

------
chavesn
If I understand correctly this is the diff between two releases of this code,
and we have no way of knowing what each checkin, including the culprit,
actually looked like.

So even though at the two end points we see the addition of only one line in a
block (which is being touted as the justification for this accusation), the
intermediate steps could have included the addition and subtraction of other
lines in that block.

(A plausible example might be the addition of another hash updating if
statement + goto fail, then the removal of only the if statement.)

------
pencilo
As a security person I enjoy blaming the NSA and conspiracies as much as
anyone.

That said, sorry, but I don't buy this. Just seeing a diff with that one + makes
me more inclined to believe there was an if(...) goto fail that someone
removed without removing the statement as well.

There is more than enough incompetence in our industry that a deliberate job
is completely unnecessary, why bother when engineers break security all the
time anyways?
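
Added example, not part of the thread and not Apple's code: a constructed C reduction of the scenario chavesn and pencilo describe, where an `if` is deleted but its `goto fail;` stays behind. The functions `hash_update`, `verify_signature`, `check_buggy` and `check_fixed` are hypothetical stand-ins.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the hash-update and signature-check steps.
   Each returns 0 on success and non-zero on failure. */
static int hash_update(int ok) { return ok ? 0 : -1; }
static int verify_signature(int sig_valid) { return sig_valid ? 0 : -1; }

/* Shape left behind when an "if" is removed but its "goto fail;" is not.
   The second goto is unconditional, so verify_signature() is never reached
   and err still holds 0 from the last successful hash_update(). */
int check_buggy(int sig_valid) {
    int err;
    if ((err = hash_update(1)) != 0)
        goto fail;
    if ((err = hash_update(1)) != 0)
        goto fail;
        goto fail;              /* orphaned line: always taken */
    if ((err = verify_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;
}

/* Same checks with braces and without the orphaned goto. */
int check_fixed(int sig_valid) {
    int err;
    if ((err = hash_update(1)) != 0) {
        goto fail;
    }
    if ((err = hash_update(1)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(sig_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* Constructed input: 0 means the signature is invalid. */
    printf("buggy, bad signature: %d\n", check_buggy(0));
    printf("fixed, bad signature: %d\n", check_fixed(0));
    return 0;
}
```

GCC's `-Wmisleading-indentation` (part of `-Wall`) and Clang's `-Wunreachable-code` both flag this shape at compile time.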

------
kevinday
For the lazy: the interesting part is on line 630.

~~~
officialjunk
when was that change made?

~~~
yuvadam
The diff is between the two relevant releases of this code - 10.8.5 [1] and
10.9 [2].

[1] - http://opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/lib/sslKeyExchange.c

[2] - http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c

~~~
officialjunk
thanks!

------
yalogin
There is a phrase that I really like - Never attribute to malice that which
can be adequately explained by stupidity.

Even if it's Apple and really tempting to target I don't buy it.

------
rootein
Aren't all bugs inside jobs?

