Or, it was a stupid mistake. The kind that happens every day, in every program, in the known universe.
If we're going to entertain conspiracy theories, I favour "A rogue Google agent snuck in to Apple headquarters and edited the file whilst the user was out for lunch". Or perhaps Zergloids. Come on people, we're getting as bad as Slashdot over here!
Yes, I looked at the diff. A diff like the author probably had been looking through all day. You've never missed a line? They probably thought it was just whitespace changes or, you know, just missed it entirely.
If we're going to claim this is deliberate, then the same accusation can be levelled at every security bug ever introduce in an edit. This is not evidence, it's just trolling.
Not really, most editors support the ability to duplicate a line using CMD+D, including AppCode by JetBrains. In my case, using Colemak, S is mapped to D, and so if I'm in the wrong keyboard layout, I'll go to save and end up duplicating a line, then saving by hitting the right key. If I'm not careful, I'll have saved a duplicate line without noticing.
Similarly, given how the rest of the changes seemed to be attempts to rename and clean up the API, I expect that it was a junior intern cleaning up code as a whole. It would be more interesting to see the history of the commits, but that's not public (that I know of). It does highlight how we get that data with Google's Android, even though the development and release process is basically the same.
If I understand correctly this is the diff between two releases of this code, and we have no way of knowing what each checkin, including the culprit, actually looked like.
So even though at the two end points we see the addition of only one line in a block (which is being touted as the justification for this accusation), the intermediate steps could have included the addition and subtraction of other lines in that block.
(A plausible example might be the addition of another hash updating if statement + goto fail, then the removal of only the if statement.)
As a security person I enjoy blaming the NSA and conspiracies as much as anyone.
That said sorry but I don't buy this. Just seeing a diff with that one + makes me more inclined to believe there was an if(...) goto fail that someone removed without removing the statement as well.
There is more than enough incompetence in our industry that a deliberate job is completely unnecessary, why bother when engineers break security all the time anyways?
22 comments
[ 0.20 ms ] story [ 53.0 ms ] thread[1] - http://opensource.apple.com/source/Security/Security-55179.1...
[2] - http://opensource.apple.com/source/Security/Security-55471/l...
If we're going to entertain conspiracy theories, I favour "A rogue Google agent snuck in to Apple headquarters and edited the file whilst the user was out for lunch". Or perhaps Zergloids. Come on people, we're getting as bad as Slashdot over here!
If we're going to claim this is deliberate, then the same accusation can be levelled at every security bug ever introduce in an edit. This is not evidence, it's just trolling.
Similarly, given how the rest of the changes seemed to be attempts to rename and clean up the API, I expect that it was a junior intern cleaning up code as a whole. It would be more interesting to see the history of the commits, but that's not public (that I know of). It does highlight how we get that data with Google's Android, even though the development and release process is basically the same.
And the author of that headline is possibly beating his wife.
Even if its Apple and really tempting to target I don't buy it.
So even though at the two end points we see the addition of only one line in a block (which is being touted as the justification for this accusation), the intermediate steps could have included the addition and subtraction of other lines in that block.
(A plausible example might be the addition of another hash updating if statement + goto fail, then the removal of only the if statement.)
That said sorry but I don't buy this. Just seeing a diff with that one + makes me more inclined to believe there was an if(...) goto fail that someone removed without removing the statement as well.
There is more than enough incompetence in our industry that a deliberate job is completely unnecessary, why bother when engineers break security all the time anyways?