I wanted to make a few clarifications about goto fail now that the patch has dropped, the dust has settled, and I’ve had a little time to chillax.
I want to start out by being crystal clear about one thing – I like Apple’s products. Both my wife and I like and use iThings and MacBooks; I like and use TouchID, and OS X is my primary OS both at home and at work. I’m a fan of Apple. That’s why this whole goto fail debacle made me so mad – Apple started with this beautiful, elegant, *wonderful* machine, and then screwed it up by giving all of my passwords to anyone with the balls to attempt any of the 15-year-old vulnerabilities in Ethernet and TCP/IP that we fixed with SSL.
You do realize that’s what goto fail did, right? You know how we laugh at people that use telnet to remote admin their machines? Goto fail broke the “secure” in “secure sockets layer” and reduced it effectively to plaintext, and then did the same thing for a whole bunch of other protocols. Ethernet is horribly insecure, TCP/IP has a whole world of native vulnerabilities, and things like wifi and bluetooth don’t exactly make things better – and we fix *all* of this with SSL. No matter what kind of network you were on, your “secured” connections could be peeked inside of, just for the asking. Thanks, Apple, for telling the entire freaking planet that they could do this. For four days.
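For readers who haven't seen the shape of the bug, here is an added, simplified model of it (not the post's code and not Apple's SecureTransport source): a duplicated, unconditional `goto fail;` leaves `err` at 0 and jumps past the signature check, so a bad signature "verifies". The names `hash_update`, `raw_verify`, `verify_buggy` and `verify_fixed`, and the toy "GOOD" signature, are constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a hash step: in this model it never fails. */
static int hash_update(unsigned *hash, const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *hash = *hash * 31u + p[i];
    return 0;
}

/* Constructed stand-in for the signature check: 0 = verified, -1 = bad.
 * Only the exact bytes "GOOD" count as a valid signature here. */
static int raw_verify(const unsigned char *sig, size_t len)
{
    return (len == 4 && memcmp(sig, "GOOD", 4) == 0) ? 0 : -1;
}

/* Buggy shape: the second goto is unconditional, so when the hash step
 * succeeds (err == 0) control jumps to fail: and raw_verify() never runs. */
int verify_buggy(const unsigned char *params, size_t plen,
                 const unsigned char *sig, size_t slen)
{
    int err;
    unsigned hash = 0;
    if ((err = hash_update(&hash, params, plen)) != 0)
        goto fail;
        goto fail;               /* duplicated line: err is still 0 here */
    if ((err = raw_verify(sig, slen)) != 0)
        goto fail;
fail:
    return err;                  /* returns 0 = "verified" for any sig */
}

/* Fixed shape: one guarded goto per step, so the verify is always reached. */
int verify_fixed(const unsigned char *params, size_t plen,
                 const unsigned char *sig, size_t slen)
{
    int err;
    unsigned hash = 0;
    if ((err = hash_update(&hash, params, plen)) != 0)
        goto fail;
    if ((err = raw_verify(sig, slen)) != 0)
        goto fail;
fail:
    return err;
}
```

The stray goto is unreachable code, which clang's `-Wunreachable-code` (and similar warnings in other compilers) will flag; treating that warning as an error in the build is a cheap way to catch this class of slip before it ships.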
Please, Apple, learn a lesson – *never* drop a critical patch for only one platform when it affects both platforms. Both together or not at all; it’s better to withhold the patch a few days longer than to tell the world there’s a bug you could drive a tank through.
Some other random things:
- The Guardian (among others) have been claiming that I was “until recently in charge of Apple’s core OS X security”. Uh, why would “Core OS Security Researcher” or “Hacker Princess” make you think I was running the show? C’mon people, basic research please.
- If I had anything to do with this code while I was at Apple, or if I had been in any way responsible for its security, don’t you think it would be rather stupid of me to go swearing at Apple on the internet about this bug? Take a moment and think about that for a second.
So yeah, I’m back to being a happy iThing user again, at least until the next time I find a reason to go yelling at Apple about something.
Okay, Internets – it’s all safe to come out again now. Big hugs <3