No surprise here to anyone who's ever worked for a startup—making software products secure isn't high on anyone's list. That's not what brings in customers, and hence additional funding. Until someone gets hurt, that is. Jenna Wortham and Nicole Perlroth, 2 March 2014 When Start-Ups Don't Lock the Doors http://www.nytimes.com/2014/03/03/technology/when-start-ups-dont-lock-the-doors.html?nl=todaysheadlines&emc=edit_th_20140303
Apple Rolls Out CarPlay Giving Drivers a Smarter, Safer & More Fun Way to Use iPhone in the Car CarPlay Premieres with Leading Auto Manufacturers at the Geneva International Motor Show GENEVA--March 3, 2014--Apple today announced that leading auto manufacturers are rolling out CarPlay, the smarter, safer and more fun way to use iPhone in the car. CarPlay gives iPhone users an incredibly intuitive way to make calls, use Maps, listen to music and access messages with just a word or a touch. Users can easily control CarPlay from the car's native interface or just push-and-hold the voice control button on the steering wheel to activate Siri without distraction. Vehicles from Ferrari, Mercedes-Benz and Volvo will premiere CarPlay to their drivers this week, while additional auto manufacturers bringing CarPlay to their drivers down the road include BMW Group, Ford, General Motors, Honda, Hyundai Motor Company, Jaguar Land Rover, Kia Motors, Mitsubishi Motors, Nissan Motor Company, PSA Peugeot Citroën, Subaru, Suzuki and Toyota Motor Corp. http://www.apple.com/pr/library/2014/03/03Apple-Rolls-Out-CarPlay-Giving-Drivers-a-Smarter-Safer-More-Fun-Way-to-Use-iPhone-in-the-Car.html
Karl Bode, 3 Mar 2014 The single coffee cup craze has been rolling now for several years in both the United States and Canada, with Keurig, Tassimo, and Nespresso all battling it out to lock down the market. In order to protect their dominant market share, Keurig maker Green Mountain Coffee Roasters has been on a bit of an aggressive tear of late. As with computer printers, getting the device in the home is simply a gateway to where the real money is: refills. But Keurig has faced the `problem' in recent years of third-party pod refills that often retail for 5-25% less than what Keurig charges. As people look to cut costs, there has also been a growing market for reusable pods that generally run anywhere from five to fifteen dollars. Keurig's solution to this problem? In a lawsuit (pdf) filed against Keurig by TreeHouse Foods, they claim Keurig has been busy striking exclusionary agreements with suppliers and distributors to lock competing products out of the market. What's more, TreeHouse points out that Keurig is now developing a new version of their coffee maker that will incorporate the java-bean equivalent of DRM—so that only Keurig's own coffee pods can be used in it: ... http://www.techdirt.com/articles/20140227/06521826371/keurig-will-use-drm-new-coffee-maker-to-lock-out-refill-market.shtml https://s3.amazonaws.com/s3.documentcloud.org/documents/1031250/treehouse-v-greenmountain.pdf http://www.canadianbusiness.com/companies-and-industries/keurig-2-single-serve-coffee-pod-drm/
Robert X. Cringely, Infoworld, 28 Feb 2014 The umpteenth violation of our Internet privacy proves once again the dearth of common sense among us Web users http://www.infoworld.com/t/cringely/yahoo-breach-exposes-naked-truth-about-online-security-237460 opening text: The hits just keep on coming. Yesterday's news that Brit spy mongers recorded the video chats of 1.8 million Yahoo users over six months left me numb, as if I had inhaled a frosty Slurpee full of Novocain. Yahoo claims no knowledge of the theft—yeah, I said it, because that's what it is -- but that declaration is worthy of more than a little skepticism.
Dan Gillmor, *The Guardian*, 28 Feb 2014 The NSA leaks created everyday interest in products built to protect. At a security pow-wow turned sour, that's a good thing. http://www.theguardian.com/commentisfree/2014/feb/28/snowden-privacy-products-trustycon-2014 In the nearly nine months since the Edward Snowden revelations began on this website, some of the most jaw-dropping surveillance news has involved a company called RSA, which for years has been one of the top computer security firms in the world. Boiled down, RSA is alleged to have weakened a core element of a widely used encryption product at the behest of the National Security Agency, receiving $10 million in the process of providing a `back door' for government snooping. RSA issued what amounted to a non-denial denial after Reuters' Joseph Menn broke a key part of the story back in December. This week, at its annual cyber-security conference here in San Francisco, the company was on defense at an event usually reserved for looking forward, not back. Its CEO said that any weakness was inadvertent, at least on RSA's part, and not the result of some nefarious deal with the US government. Respected cryptographer and university professor Matt Blaze summed it up nicely: “Everyone to RSA: Did you deliberately sell us out, or are you incompetent? RSA: We're incompetent.” It's too early to tell whether this incompetence—or betrayal, take your pick—will hit RSA and its $51bn parent company, EMC, where it should: on the bottom line. And despite a boycott by some scheduled speakers here, the RSA conference was well-attended. As one security expert who's expressed contempt for the company's behavior told me, it's still his best chance to catch up, face-to-face, with other top people in this still burgeoning field. But the episode did spark another gathering, held Thursday across the street from where RSA held its conference, where the topic of the moment wasn't security, per se.
It was trust, a commodity in short supply these days. `TrustyCon'—short for the Trustworthy Technology Conference—came together in a hurry after Mikko Hypponen, chief research officer for F-Secure, a Finnish security company, announced in January, in a public letter to RSA, that he was canceling his scheduled RSA conference talk and that his own company would skip the event entirely. Hypponen, a rock star in the computer security world, gave the opening keynote at TrustyCon instead. It was a pessimistic assessment of technology users' chances to have computing and communications they can genuinely trust in an age when nation-states have taken over as the most dangerous—even malicious -- hackers on Earth. “Our worst fears turned out to be fairly accurate,” Hypponen said of what's transpired in the security world over the past few years. And he's right: in the past nine months, it's become clear that many of the people once derided as paranoid were, if anything, understating the reality of how much we're all being watched. Certainly, Thursday's revelation on this website that spy services had become outright peeping toms by hijacking webcam images would have sounded ridiculous not so long ago. Alas, from betrayal rose a glimmer of hope in this insidery community -- that privacy might make an everyday comeback, and maybe even sell. At TrustyCon, for example, technologists updated the audience on an important security service for whistleblowers and the journalists to whom they leak documents. This was `SecureDrop', a project started by the late Aaron Swartz and now run by the Freedom of the Press Foundation which ensures safe communications by relying on the Tor web-anonymity system. No one says SecureDrop is perfect. But it is easy to use and robust, a vast improvement over what journalists have typically deployed. [...]
Princeton Professor and USACM Council Co-Vice-Chair Ed Felten gave the final talk at TrustyCon on 27 Feb 2014. This begins at 6:32:33 (six and one half hours into the day's events). Mikko Hypponen's keynote (see the previous RISKS item from Dan Gillmor) runs from 0:15:27 to 1:04:20. http://www.youtube.com/watch?v=lkO8SNiDSw0? The subject matter of TrustyCon (Trustworthy Technology Conference) might really be thought of as UnTrustyCon, referring to the `Untrustworthy confidence game' that it pervasively exposes.
This week, Apple rushed out a patch for its iOS 7 and iOS 6 operating systems to fix a serious security issue. Before I explain further, let me just say this: If you've gotten the prompt to update and you haven't, do it now. If you're still running older versions of iOS on your iPhone, iPod, or iPad, update now. Done? O.K., good. - - - - Apple Issues Fix for Security Problem on Macs Molly Wood, *The New York Times* blogs, 25 Feb 2014 http://bits.blogs.nytimes.com/2014/02/24/apples-serious-security-issue-update-your-iphone-or-ipad-immediately/ Apple has finally issued a security update to its OS X Mavericks software for Macintosh computers, patching a bug that could have let hackers eavesdrop on supposedly encrypted connections and steal everything from usernames and passwords to location data. Version 10.9.2 comes four days after Apple patched iOS, its mobile operating system, to close the same hole. The OS X update addresses several security issues, including the so-called `goto fail' code bug, which Apple said could allow an attacker to capture or modify data in sessions users believe are protected by the Secure Sockets Layer (SSL) or Transportation Layer Security (TLS) encryption methods. ... http://bits.blogs.nytimes.com/2014/02/25/apple-issues-fix-for-security-problem-on-macs/
Oh look, a misplaced goto statement that short-circuits a security procedure. Squirrel! It is amazing to me that, once the specific defect is disclosed (and the diff of the actual change has also been published), the discussion has devolved into one of coding style and whose code is better. I remember similar distractions around the Ariane 501 defect too, although in that case there was nothing wrong with the code—the error was that it was being run when it wasn't needed and it was not simulation tested with new launch parameters under the mistaken assumption that if the code worked for Ariane 4, it should work for Ariane 5. It is not about the code. It is not about the code. It is not about goto. It is not about coming up with ways to avoid introducing this particular defect by writing the code differently. I say this is all about the engineering and delivery process that allowed this gaffe to be introduced into production code for a security-important procedure and allowed to remain there until someone noticed externally. The coding style could have been perfect, with the code still not establishing security correctly, and it would have been put into the live release, all else being equal. Some of the offered alternatives, I daresay, offer many ways to inject a comparable defect that is much less apparent. The defect was introduced when code was being patched to change the signature of some of the functions being called. This strikes me as a classic lapse about not testing what is thought to be obvious, although I have no idea what the actual scenario was. There are many ways the particular defect could have been detected and remedied well before the code was committed to the code base. A walkthrough would likely catch it, assuming a skilled human other than the original programmer simply read through it. I bet explaining it on a walkthrough would probably have led the originator to notice it.
A pretty-printer (or any IDE that reflows indentation) would point it out. So would a modern IDE that identifies unreachable code. Any practical code-coverage testing would reveal it too. Furthermore, it is incomprehensible to me that a change to security-important code wasn't subjected to regression testing and confirmation of the procedure. For that matter, I'm a little disappointed that a review and commit by a senior technical-staff member was evidently not required. What's appalling to me is the evident absence of risk management and procedures for detection and mitigation of regressions. It is incumbent on all of us to stand back from the code and look at the process by which injection of a regression was allowed to sit there and fester all this time.
... algol, curlies, bad code, fortran, oo ... Or Apple could just read the fine manual for the compiler they presumably downloaded together with the rest of xBSD: gcc -Wunreachable-code -Werror would've told them: cc1: warnings being treated as errors ... In function 'SSLVerifySignedServerKeyExchange': ... error: will never be executed Dimitri Maziuk BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu
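The two preceding items argue that the `goto fail' defect was a process failure (no coverage, no unreachable-code check) rather than a style question. The following C is an added illustration for this digest, not Apple's source: hash_update and verify_signature are constructed stand-ins, and only the control-flow shape of the misplaced goto is reproduced, beside the corrected shape, so a reader can see why the signature check becomes dead code and what a test would have caught.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of the "goto fail" control-flow defect discussed above.
 * Illustrative code written for this digest, not Apple's source: hash_update
 * and verify_signature are constructed stand-ins; only the shape of the
 * misplaced goto is reproduced. */
typedef int OSStatus;
enum { errSecSuccess = 0, errSecVerifyFailed = -1 };

/* Stand-ins for the hash-update calls and the final signature check. */
static OSStatus hash_update(void) { return errSecSuccess; }
static OSStatus verify_signature(const char *sig, const char *expected)
{
    return strcmp(sig, expected) == 0 ? errSecSuccess : errSecVerifyFailed;
}

/* Buggy shape: the second "goto fail;" is outside the if, so it is always
 * taken while err still holds 0. The signature check below it is unreachable,
 * which is what a coverage run or an unreachable-code warning exposes. */
OSStatus verify_buggy(const char *sig, const char *expected)
{
    OSStatus err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;   /* misplaced duplicate: unconditional */
    if ((err = verify_signature(sig, expected)) != 0)
        goto fail;
fail:
    return err;      /* errSecSuccess for any signature */
}

/* Fixed shape: duplicate removed, so the check runs and err reflects it. */
OSStatus verify_fixed(const char *sig, const char *expected)
{
    OSStatus err;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = verify_signature(sig, expected)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    /* Constructed inputs: a forged signature that must never verify. */
    printf("buggy: %d (0 = accepted)\n", verify_buggy("forged", "genuine"));
    printf("fixed: %d\n", verify_fixed("forged", "genuine"));
    return 0;
}
```

Building this with `clang -Wunreachable-code` reports the dead `if` in verify_buggy, and a single regression test feeding a non-matching signature, as in the assertions a test suite would carry, fails on the buggy shape and passes on the fixed one.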
There's not enough space or patience in comp.risks to re-litigate the GOTO wars. However, for anyone interested in a deep understanding of the issues, you can start with Steele & Sussman's excellent paper `LAMBDA: The Ultimate Imperative' (and then read most of the papers in the computer science literature that reference this one): http://dspace.mit.edu/bitstream/handle/1721.1/5790/AIM-353.pdf In particular, one must have a thorough understanding of the term `continuation-passing style' before it is possible to have a useful discussion on the subject of GOTO's.