GOTO FAIL: The next time you feel bad about coding, refer to this.
February 25, 2014
I hope I'm not the only one who spotted this on Wired.com, but it's nice to know that even the biggest baddest a$$es in coding make mistakes. This isn't one that would throw a compilation error in Xcode, though, or even get noticed.
Do you see it? Here's how Wired explains it:
This function is called when an iPhone connects to an encrypted site over SSL: it’s meant to verify that the encryption key is being vouched for — digitally signed — by the operator of the website.
But look at how it isn't encapsulated. This isn't Python, so tabbing isn't enough. That second "if" doesn't enforce conditionality on the second goto line, so execution skips right past the third error check (hashOut) and jumps to fail anyway.
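The bug described above, as an added example that is not Apple's code and not code from the original post: a simplified C function with the same duplicated goto shape, next to a braced, fail-closed version. The helper names and the string-compare "signature" are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the hash and signature steps; 0 means success. */
static int hash_update(const char *data) { return data ? 0 : -1; }
static int hash_final(const char *data)  { return data ? 0 : -1; }
static int check_signature(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Buggy shape: without braces, only the first goto belongs to the if.
 * GCC's -Wall (via -Wmisleading-indentation) flags this layout. */
int verify_buggy(const char *data, const char *sig, const char *expected) {
    int err;
    if ((err = hash_update(data)) != 0)
        goto fail;
        goto fail;                        /* always runs; err is still 0 */
    if ((err = hash_final(data)) != 0)    /* unreachable */
        goto fail;
    err = check_signature(sig, expected); /* unreachable */
fail:
    return err;                           /* 0 is reported as "verified" */
}

/* Hardened shape: braces on every branch, and the result starts as failure
 * and only becomes success after every check has actually run and passed. */
int verify_fixed(const char *data, const char *sig, const char *expected) {
    int result = -1;
    if (hash_update(data) != 0) { goto done; }
    if (hash_final(data) != 0) { goto done; }
    if (check_signature(sig, expected) != 0) { goto done; }
    result = 0;
done:
    return result;
}

int main(void) {
    /* Constructed inputs: "forged" does not match the expected "genuine". */
    printf("buggy, bad signature:  %d\n", verify_buggy("params", "forged", "genuine"));
    printf("fixed, bad signature:  %d\n", verify_fixed("params", "forged", "genuine"));
    printf("fixed, good signature: %d\n", verify_fixed("params", "genuine", "genuine"));
    return 0;
}
```

With the fail-closed layout, a stray duplicated goto would return failure instead of success, so the same paste mistake would break connections loudly rather than pass silently.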
Apple publishes their source at least, and while I don't have any interest in reading the whole thing, it's good and bad they publish this. At least they've patched it, but SSL encryption is pretty much what keeps your phone/MID from getting compromised by anyone within your Wi-Fi range. A fast-reading black hat with access to this info wouldn't have needed a second glance to know exactly how to scan a network for vulnerable devices and gain access to any information on them.
But security isn't my main concern with this blog. What I wanted to do was to point out how easy it is to make a mistake that doesn't cause problems until it's too late. Especially in a non-encapsulated language (like Python, meaning parent/child blocks of code aren't kept in curly braces or parentheses), imagine a cliff sensor routine with a redundant function call like that. You'd have the Roomba doing its impression of a Slinky.
I think, though, that I'm mostly comforted by this. First, I'm comforted that Apple does publish its source. While it does make certain exploits possible, it also makes it easier to catch when security experts at other institutions are double-checking their work and holding their feet to the fire. I'm also comforted that while I do use an iOS 7 device with SSL encryption, I know enough about our home network configuration to have been protected via other means while I'm on that network (and that I rarely have used it in a setting outside that network, and when I have, I've been the closest thing to a black hat in the vicinity). But mostly, I'm comforted that the number one tech company in the world, ostensibly competing for the best talent and paying insane wages, still gets people who can paste something twice and cause a catastrophic non-failure in a product release (in other words, that these programming super-humans aren't that much better than me).