As the projects you work on get larger and larger, it becomes increasingly difficult to control. In some discussions yesterday, we clearly identified the vital role of a project manager. Something as simple as making sure the various team members are completing their assigned tasks on time is incredibly important. Without someone diligently maintaining a watchful eye, it's easy for a few significant tasks to slip or miss the target. Those minor errors can then cascade into a critical issue.
One relevant example is a recently announced security patch to the Apple iOS (operating system). The flaw affected the Secure Transport which helps to minimize your exposure to nefarious elements while visiting sites that rely on secure transactions (banks, e-commerce, etc.). Here is a quick summary from an article on the Verge:
....The core of the exploit targets your SSL connection, the encryption behind the little padlock in your browser window you see when visiting webmail or banking sites. The browser knows you’re really talking to the bank because it’s verified the site’s SSL certificate, a kind of proof of identity. But the failure in Apple’s code means SecureTransport isn’t checking the certificates properly, and anyone who wanted could masquerade as your banking site, your email, or worse.
The article goes on to wonder how Apple could have allowed this flaw to go undetected for about 18 months. The explanation seems to lie in the fact that it was quite obscure and perhaps a "needle in a haystack". Still, with a recent move to open source, it is strange that no one in the development community discovered this earlier. It may have been a case where the running assumption is that everything must be fine because it was someone else's responsibility to check!
Here is one theory. It has an ironic ending:
The simpler, less satisfying answer has more to do with the quirks of software development at Apple's massive scale. One insider describes the OS X security framework as a company-wide kitchen sink, an old framework that's been adapted over and over again across different regimes and different products. New code means new bugs that need to be checked, so large portions of the core apps like SecureTransport can go untouched for huge stretches of time. What seems like an obvious fix for a one-man programming team is much more difficult when there are hundreds of coders involved. But even that doesn't answer the question entirely. OpenTransport was made open source with the Mavericks release, which means anyone inside or outside Apple should have been able to track down the faulty code. Some researchers complain about trouble reporting bugs to Apple, but surely something this serious would have warrented someone’s attention. In the end, it was a Google HTTPS engineer who pulled back the curtain, adding insult to injury.
If you have not already done so, you need to update your iPhones and iPads immediately to iOS 7.0.6. That upgrade should fix the vulnerability.
The full article is here: http://www.theverge.com/2014/2/24/5442576/inside-apples-epic-security-flaw
No comments:
Post a Comment