This show is guest-hosted by Bart Busschots of the Let’s Talk Apple and Let’s Talk Photography podcasts. Bart gives us the low-down on the Goto Fail bug, Dave Allen reviews the Sony NEX6 Camera, Bart reviews Worms 3 for iOS & OS X, and Antonio Rosario joins Bart for Chit Chat Across the Pond to talk about Switch to Manual.
Macworld Nosillacastaways Party Plug:
Allison asked me to remind you that if you’re going to go to Macworld, she hopes you’ll come to the NosillaCastaways party at Jillians on Friday night 28 March from 6-8pm. Be sure to sign up for the party so the scary bouncers will let you in. Go to podfeet.com and click on NosillaCastaways Party 2014 in the tab in the menu bar, or click on this link.
The double secret password to get in is ClarifyRules!
For everyone who can’t attend, Kevin and Steve are valiantly working out how to have a Google Hangout on Air so that people from far away can talk to people at the party. Our first test wasn’t a raging success but they’ll get there!
Goto Fail
Before we get stuck into Security Lite proper, I want to talk about the most significant Apple security bug in quite some time, and probably the most apt-looking line of code on the planet:
goto fail;
Seriously, the above is an actual line of C code from Apple’s SSL library, and, it’s the one that triggered the bug! Well, that identical line shows up many times in the source code without being a bug, but it got duplicated, and, the second copy is what unleashed the problems.
Summary:
A bug was found in Apple’s SSL Library
The bug affected:
- OS X 10.9 Mavericks
- iOS 6 & 7
- Apple TV
The above have all now been patched – so update ASAP
What happened:
Something I always tried to hammer home to my students when I used to teach programming at a university was to always code defensively – now (a little too late since I haven’t taught programming in a decade) Apple have provided the absolute perfect example.
Two facts are at the nub of this problem:
- In C, indentation is used only to make code readable by humans, it has no meaning at all to the computer, and no effect on how the code is interpreted
- if statements that only control execution of one line of code can be written without that one line of code being contained within braces. if statements that contain more than one line of code must be braced.
When programming defensively, you ALWAYS brace your if statements, regardless of how many lines of code they control. You do this because in the future, another programmer may come along and add a second line of code inside your if statement. They will definitely indent the code so it LOOKS like part of your if statement, but, they can very easily fail to notice that the statement is un-braced, and inadvertently create a nasty bug.
What happens in these situations is that the programmer thinks the line of code they added is only going to execute when the condition in the if statement evaluates to true, but, in actual fact, since an un-braced if only acts on a single line of code, their second line is ALWAYS executed.
This is what happened to Apple. The section of code that controls the validation of SSL Certificates consists of a series of checks, and the result of each check is evaluated by an un-braced if statement: if the check failed, the one line “goto fail;” is executed. Somehow, presumably by good old fashioned human error, one copy of the line “goto fail;” was duplicated in one of the if statements in the middle of the series of validation checks. Because Apple were using unbraced ifs, the checks after the accidentally duplicated line became unreachable, because the second “goto fail” line would ALWAYS be executed, whether or not the check had failed.
You might imagine that if you ALWAYS go to fail, the bug would result in no SSL cert being valid, but, alas, no, the bug actually had the opposite effect, because, the fail code at the end of the goto checked the error code that had triggered the failure, and, since there had been no real failure, there was no error code, so, the code did nothing, and the end result was that a number of vital certificate checks always returned true.
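To make the mechanics concrete, here is a constructed C example (added to these notes, not Apple’s code) that mirrors the shape of the faulty function: the same unbraced ifs, a duplicated “goto fail;”, and a fail label that simply returns err. The FakeCert struct and the two check functions are stand-ins for the real hashing and signature checks, and the braced version beside it shows what the defensive style buys you.

```c
#include <stdio.h>

/* Constructed stand-in for a certificate/handshake: flags say which checks
 * would pass. As in Apple's library, an error code of 0 means success. */
typedef struct {
    int hash_ok;       /* hashing of the handshake messages succeeds */
    int signature_ok;  /* the server's signature over the key exchange verifies */
} FakeCert;

enum { OK = 0, ERR_HASH = -1, ERR_SIGNATURE = -2 };

static int check_hash(const FakeCert *c)      { return c->hash_ok ? OK : ERR_HASH; }
static int check_signature(const FakeCert *c) { return c->signature_ok ? OK : ERR_SIGNATURE; }

/* Same shape as the buggy code: unbraced ifs plus one duplicated "goto fail;".
 * The indented duplicate LOOKS conditional but is not, so the signature check
 * below it is never reached and err still holds 0 at the fail label. */
int verify_buggy(const FakeCert *cert)
{
    int err;

    if ((err = check_hash(cert)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: unconditional despite the indentation */
    if ((err = check_signature(cert)) != 0)   /* unreachable */
        goto fail;

fail:
    return err;      /* returns 0 ("valid") even when the signature is bad */
}

/* The defensive version: every if body is braced, so a stray duplicate line
 * stays inside the condition it was meant to belong to. */
int verify_fixed(const FakeCert *cert)
{
    int err;

    if ((err = check_hash(cert)) != 0) {
        goto fail;
    }
    if ((err = check_signature(cert)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    FakeCert bad_sig = { 1, 0 };   /* constructed: hash fine, signature forged */
    printf("buggy verify: %d (0 = accepted)\n", verify_buggy(&bad_sig));
    printf("fixed verify: %d\n", verify_fixed(&bad_sig));
    return 0;
}
```

The buggy function still rejects a bad hash, which is why the page is right that only a subset of invalid certificates slipped through rather than all of them.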
What it means:
The effect of the bug was that Apple’s SSL library would accept some invalid certificates as valid, hence enabling Man-in-the-Middle (or MITM) attacks against OS X, iOS & Apple TV. In effect, if an attacker could see your internet traffic, they could intercept it without you knowing, and see everything you thought you were encrypting with Apple’s SSL, including Safari web traffic, Mail.app email traffic, App Store purchases, and iCloud traffic.
It’s very hard for an attacker to get in the middle between you and the internet at home, but, it’s very easy for an attacker to do that on public wifi. So, if you have used Safari, Mail.app, the App Store, or iCloud on public wifi once in the last few years there is a non-zero chance that your passwords were intercepted, along with all the other content of your communications.
What you need to do:
You definitely need to update all your Apple devices NOW.
Friend of the show and IT security pro George Starcher is recommending people change their Apple ID passwords and I’d add to that that it might be wise to change the passwords on any email accounts you check with Mail.app.
A small mitigation against some of this is that FireFox and Chrome use their own SSL libraries, so surfing on those was safe.
Some Concerns:
This is a colossally embarrassing bug for Apple. It leads to two disturbing possible conclusions:
- Apple’s quality control sucks – there are automated code analysis tools that detect bugs like this, and Apple should be using them. All code should be code reviewed, and that goes double for such security critical code, so why was this glaringly obvious bug not spotted for so long? Large software projects are run through automated test suites – surely one of those tests should have been “do invalid certs fail to validate”?
- This was not an accident – it was intentional but plausibly deniable – this bug was introduced a few weeks before the date that the Snowden leaks show Apple being added to the PRISM program – did the CIA make Apple put the bug there, or did they just find it really quickly? http://daringfireball.net/2014/02/apple_prism
Security Lite:
Important Security Updates:
The only updates of note are all from Apple – and there are many, and they patch more than just the SSL bug!
- SSL patch for iOS 6 – http://support.apple.com/kb/HT6146
- SSL patch for iOS 7 – http://support.apple.com/kb/HT6147
- SSL patch for Apple TV – http://support.apple.com/kb/HT6148
- OS X Mavericks 10.9.2 & Security Updates 2014-001 for OS X 10.7 Lion & 10.8 Mountain Lion – http://support.apple.com/kb/HT6150 (Fixes SSL bug and more)
- Safari 6.1.2 & 7.0.2 – http://support.apple.com/kb/HT6145
- QuickTime 7.7.5 for Windows – http://support.apple.com/kb/HT6151
Important Security News:
- Kickstarter breached – no credit card numbers accessed, but usernames, email addresses, phone numbers, and hashed passwords were taken (this leaves users vulnerable to spear-phishing attacks, but the hashes are strong, so all but the weakest passwords should be safe) – http://nakedsecurity.sophos.com/2014/02/16/kickstarter-breached-change-your-passwords/
- A flaw has been discovered in iOS7 that allows apps running in the background to monitor touch events and key presses – this theoretically enables key logging – the bug exists in non-jailbroken iPhones, but the risk is low because Apple know about the bug, and should be able to detect any apps that do it and boot them from the App Store (assuming such apps even got in, where there is no evidence any did) – http://arstechnica.com/security/2014/02/new-ios-flaw-makes-devices-susceptible-to-covert-keylogging-researchers-say/
- The OS X Bitcoin stealing trojan Bitcoin Thief is now spreading through pirated versions of Angry Birds – reminder, don’t pirate software, it’s immoral AND bloody dangerous! – http://www.macobserver.com/tmo/article/bitcoin-stealing-mac-malware-spreads-to-pirated-versions-of-angry-birds
- Google takes the creepy up a notch with Streak – a free browser plugin that lets you see who opened your emails, where and when – Google have added tracking images into emails sent from Gmail to enable this – i.e. Google have stooped to the level of spammers (‘do no evil’ – how ironic that’s become) – your only protection is to disable the rendering of remote images in your mail client – this is a good idea anyway, because this same technique is used by spammers to track people and verify that email addresses are real and emails are being opened – http://nakedsecurity.sophos.com/2014/02/27/how-emails-can-be-used-to-track-your-location-and-how-to-stop-it/
Suggested Reading:
- The recent spate of credit card breaches is being made worse for customers because credit card printing companies are struggling to keep up with the demand for replacement cards – http://krebsonsecurity.com/2014/02/card-backlog-extends-pain-from-target-breach/
- GCHQ & NSA – collaborate to save webcam images from Yahoo users – this was not targeted at suspects, and 1.8 million users were spied on during a 6 month period in 2008 – I’d say the government spying on people through their webcams counts as truly Orwellian! – http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
- US House of Representatives passes a watered down cellphone unlocking bill – http://www.macobserver.com/tmo/article/house-passes-cellphone-unlocking-bill-packed-with-disappointment
- MasterCard are piloting a cellphone geolocation solution to protect credit cards – your card could only be used from within the area covered by the cell tower your phone is currently connected to – http://nakedsecurity.sophos.com/2014/02/26/mastercard-aims-to-reduce-card-fraud-with-smartphone-geo-location-technology/
- If you live in the US, and you care about the internet, you should probably read this article from the verge – the title uses a word Americans find naughty (but with which Irish people have no problem), but the article itself is not profane, and is very insightful – http://www.theverge.com/2014/2/25/5431382/the-internet-is-fucked
- Finally – let’s end on some good news – we talked a few weeks ago about how hackers had used social engineering to deprive Naoki Hiroshima of his valuable @N Twitter handle – well, Twitter have finally restored the account to its rightful owner (they say the delay was because they were helping law enforcement investigate the matter) – http://thenextweb.com/twitter/2014/02/26/happy-ending-n-restored-rightful-owner/
Dave Allen Reviews the Sony NEX 6 Camera …
Worms 3 for iOS & OS X
Problem to be solved?
None really – this one is purely for fun 🙂
- Worms itself is a game with a very long history – the first release was in 1995 – for the whole history see wikipedia: http://en.wikipedia.org/wiki/Worms_(series)
- I admit to having a real soft spot for it because many hours of my teenage life were spent in front of the original play station with between 1 and 3 friends playing worms into the small hours of the night
- This is the third version of the game to come to iOS, and it’s the first to unite the iOS and OS X versions – more on that later
- You could probably best sum up worms as a turn-based platform strategy game – neither strategy nor dexterity are enough to win on their own, you really do need both.
- The basic premise is that war has broken out between rival gangs of worms (4 worms per team), and armed with an implausible and often humorous array of weapons, each team takes it in turns to attack the other. There is a time-limit on the length of your turn, and you get to fire one weapon per turn.
- You have the basic weapons you’d expect, hand grenades, a bazooka, dynamite, and an array of guns
- As an homage to the old Gorillas game that shipped with DOS one of the most powerful weapons is the banana bomb
- Similarly, the Holy Hand Grenade is an homage to Monty Python, and also very destructive
- There are also utterly bizarre weapons like the exploding sheep, and its more modern cousin, the flying super-sheep
- Some weapons are environmental, you can trigger an earthquake or an asteroid strike for example
- As well as weapons there are also utilities, like parachutes to allow you to safely descend from big heights, a ninja rope to swing Tarzan-like across the landscape, and a jetpack for ultimate mobility.
- There are different weapons modes for games so sometimes you only have a subset of weapons available, you’ll have an infinite supply of some weapons, and a finite supply of others, and some weapons only become active after a certain number of rounds of turns have passed (normally the most destructive weapons) – generally speaking the longer the game goes on the more damage you can unleash per turn.
- Both weapons and utilities can be picked up in crates that are randomly dropped on the landscape, and health packs can be picked up too
- The landscape is also littered with dangers – land mines and barrels of explosive liquid are randomly dotted across the landscape, and any crate that has not been collected is highly explosive – this leads to the ironic situation that a health crate that drops next to one of your worms when it’s not their turn is as much of a liability as an opportunity – if someone shoots at it, it will blow up and injure you rather than making you healthier!
- Some things also explode into patches of fire that can flow down the landscape and injure worms.
- Just like there are time-limits per turn, there are also over-all limits, and when a given threshold is passed (determined by the weapons mode), sudden death mode is triggered – in sudden death mode the water begins to rise and drown the worms lower down in the landscape, and all worms go down to 1 health point.
- So far I’m describing Worms as we have known it for many years, but Worms 3 brings some new and very exciting new elements to the game
- Firstly, a LOT of work has gone into online gaming. You can set up a Worms account which will sync the team you design between all your devices, and now your online games also sync between devices, so you can start a game against a stranger on the other side of the world on your iPad, take your next turn on your iPhone, and your next one on your Mac!
- Speaking of online games – you can challenge people you know to friendlies, or, you can play a ranked game against a randomly chosen opponent – more on this later
- Strategically, the first of two big changes in Worms 3 is the introduction of different classes of worm. In the past a worm was a worm was a worm, but now you can have scouts, soldiers, scientists, and heavies – each have their own strengths and weaknesses, so you need to assemble your team to best suit your preferred strategy.
- The second big strategic change is the introduction of cards
- Cards can be used to alter the game physics in some way – adding a whole new layer of strategy to the game.
- Cards come in three levels, bronze, silver and gold. Bronze cards are cheap, gold cards are expensive, and silver cards are somewhere in-between.
- Example cards: your worms are immune from fall damage, enemy worms take extra fire damage, your worms get double the jetpack fuel for one turn, your opponent is prohibited from using any utilities in their next turn, your worms are invisible to the enemy for one round, you trigger a solar flare and all the mines, crates, and barrels in the landscape explode, you trigger an earthquake, you trigger a flood, you prevent your opponent from playing any cards in their next turn, and so on and so forth.
- Many of these cards can be intelligently combined – e.g. a very expensive but very effective combo is to get your worms high in the landscape in an enclosed space, then play the earthquake card to shake your enemy worms down to lower parts of the landscape, then trigger a flood to hopefully drown them all while your worms remain safe high up in the landscape. This combo is deadly, but, it’s very costly, costing two gold cards. Also, it can be easily combated by ensuring you always keep at least one worm high up and enclosed. Another nice combo is to play the card that doubles the fire damage for your opponent, with the card that reduces it for your worms, with the card that triggers a solar flare causing lots of explosions and hence lots of fire.
- There are limits on how many cards you can play – you only get to bring 10 cards into any one game, and you can only play 3 cards during any one turn. Turns are split into three phases – play cards, take your turn, play cards. Some cards can only be played before, some only after, and some can be played before or after.
- So what does it mean for cards to be ‘expensive’? We’re NOT talking real money. There is no way to use your wallet as a shortcut here, you have to earn your in-game coins in-game, and you then use these coins to buy cards.
- You can earn in-game coins in a number of ways – you can complete the single-player missions for gold, you can play online ranked games for gold (if you win you get 100 coins, if you lose 30, so you are rewarded for completing games), and finally you get a loyalty bonus each consecutive day that you launch the game (bit of a bug in this, you have to actually exit and re-launch once a day to get the bonuses). The loyalty bonuses build up, so if you log in 7 days in a row you get a big bonus indeed. You then use the coins you earn to buy cards.
- Since Worms is an inherently turn-based game it’s very well suited to online play – you can have many games going at once, and you get a push notification when it’s your turn. There is a limit to how long you can leave a game in limbo by not taking your turn, but it’s two or three days, not a matter of hours or minutes. If you fail to take your go for a few days you will forfeit the game – your opponent gets 100 coins, and you get none at all.
- I have about 6 games on the go all the time, and I’m really enjoying the game – you see so many different strategies, and there is always a new approach to try!
Both versions of the app cost $4.99:
- iOS (universal) – https://itunes.apple.com/ie/app/worms3/id596677177?mt=8
- OS X – https://itunes.apple.com/ie/app/worms-3/id725534367?mt=12
Re the Goto Fail bug, I tend to side on the “stupid programmer mistake, combined with poor QC” argument. Errors such as the one made are trivially simple to make and happen All. The. Time. How do I know this? Because I have done it! No matter how careful you are, things like this slip through the cracks, ESPECIALLY in high pressure environments – working 90+ hour work weeks, being pressured by management to SHIP THE PRODUCT NOW GODDAMMIT, coupled with lack of sleep and good healthy food, not seeing the wife/girlfriend/boyfriend/kids, etc. And lord knows, we’ve seen plenty of examples of how companies have poor QC, so I’m not surprised that this would slip through the QC net (if they even had one in place).
Defensive coding is definitely a help, and since I have adopted that practice, my “stupid error rate” has gone down significantly.
Yes, the date when the bug was inserted is curiously close to the PRISM announcement date. But I would tend to chalk that up to a staggeringly improbable (but still possible) coincidence. Which does happen.
Hopefully this will serve as a wake-up call to Apple and other companies, not to mention the software engineers that work at same, and will compel them to code defensively, put in place better QC, etc.
What an AWESOME show! Steve and I loved listening to it while half a world away. Loved every minute of it. Great job, Bart!
Bart, excellent show and guest. I am sorry to hear about your GarageBand mishap. When I was looking for an alternative to GarageBand for podcast editing years ago, David Allen of the Mac 20 Questions podcast, which I had been a guest on, recommended Amadeus Pro, which it turned out I had owned from a previous bundle purchase. I tried it and haven’t looked back since. Some things I like are that it can handle a much wider range of volume adjustment – and you can adjust volume by highlighting a section and making a menu pick as well as by drawing curves. It also handles a wide range of formats and has some nice batch processing/automation features and good noise reduction. My favorite features involve routine editing, though. When you delete a section, it automatically joins the surrounding sections, and it can do a “trial edit”. Highlight a section and press ‘e’ and it plays back the sound without that section. If it’s wrong, highlight again and try again. MUCH faster than doing the edit, playing the sound, and undoing. It is well supported and comes with a good manual which is downloaded and placed into your help menu the first time you run it.
There is a trial version at the web site (www.hairersoft.com) and it is also in the Mac App Store. I haven’t found anything better for editing podcasts, regardless of price or platform. Logic, which I also own, is to me more oriented toward professional music production; the extra features beyond GarageBand’s don’t make much difference for podcasts.
Thanks for all the comments folks!
Both here and on Twitter people are recommending Amadeus Pro – it’s a bit on the expensive side, while Amadeus Lite is priced in the range I’d be happy to pay – does anyone know the difference between the two? And would the Lite version be good enough to, say, edit the NosillaCast?
Cheers,
Bart.
It was indeed a great show. I was kinda sad when you had to cut off Antonio. A few points on your discussion.
It’s not just Canon who use Tv and Av. Pentax do, too. They also have TAv (where the camera sets the ISO only) and the rather odd Sv (which would annoy Nikon users!) which lets you set the ISO easily while the camera does the other two. The best part on my K-5 is the ability to start in either Tv or Av mode and simply by moving “the other” control wheel, switching to TAv on the fly. It’s very handy for the situations you described where you can “see what the camera says” and then tell it what you really want.
My K-5 has an ISO range of 80 – 51,200 and I find I can easily use up to 6,400 without noticing any serious noise, so I don’t doubt the new 400,000 ISO camera will have a LOT of usable range. I frequently use 2,000 or 3,200 in low light conditions without a second thought.
Regarding switches moving to the outside of the camera, I found in the Pentax range that as you went up the range more buttons appeared. That is a big part of why I bought into their top model (in 35mm format). I far prefer to use switches and buttons to directly manipulate settings than dig around in menus.
Another far cheaper option is to drag a copy of the old version of GarageBand from another Mac to your new Mac and use that! Most Mac apps will do that so it might work?
About goto fail; What I can’t understand is how this went unnoticed for so long. I simply can’t be the only one that has services that use SSL using a self-signed certificate. The very first thing that I expect to see when I open a browser to my own site is a warning that tells me that the certificate is not valid. I can’t get my mind around the lack of such a warning not alerting someone at some point that there is something wrong with Safari. Every time I hear this reported I can’t help wondering why this is not addressed. Maybe I’m missing something.
Bert
Bert – the important thing to remember is that the bug did not short-circuit all tests on the certificates, so not all invalid certificates were inadvertently passed as valid. Instead, only a subset of invalid certs passed, making the problem much less obvious.
Here’s another way to explain the bug to people, Bart. It’s a music video about it: http://youtu.be/tQms037U72w