Apple: "Yes, we've heard of it."
A security flaw in iOS 9 allows anyone who has a locked Apple iThing in their hand to view its contacts and photos without having to enter a passcode. A chap called Jose Rodriguez has posted a YouTube video demonstrating the design blunder, which exploits Siri to access information on the handset from the PIN unlock screen. …
not who writes it.
The more complex you make an OS, the more likely it is that one of the contributors will screw up something. Unfortunately, they mostly don't keep good records of previous gaffes and rarely let the same person(s) do the same work on the new OS. THAT at least would make it difficult to forget "lessons learned". Changing people around like musical chairs doesn't help. "Multi-tasking" is only beneficial for the HR department, not for anyone else.
And the funny thing is, this same shit happens with Apple, Microsoft, Linux greybeards, Google, etc, etc.
Argh!! Common Sense!! Get the pitchforks and torches!! ;)
Mind.... It *is* a bit ..silly.. that the security of the primary user entry point to [fruity device x] hasn't been triple-checked, followed up by some devious-mind "would it stand up against this?" attempts. Just to be sure.
With complexity as it is, people have come to expect some ratholes in the dusty corners, but to bodge the lock on the front door? Now that's a serious Gaffe.
"not who writes it" [Citation needed]
Not being able to write complex software that is completely free of obscure bugs is one thing; using what must be the equivalent of yellow "police line - do not cross" tape to "block" a front gate instead of an actual proper door and lock is just ludicrous and predictably results in all the headaches you can expect from such a rinky-dink solution. And no, it doesn't get any more excusable because most of the usual suspects idiots seem to be doing it. It just highlights that NO ONE actually gives a damn about any level of security (except the hackers, natch).
you make an OS, the more likely it is that one of the contributors will screw up something.
Yes, in an old-fashioned monolithic design, but all you bright young things spent ages after coming off your CS degree courses explaining loudly and slowly to us old-timers that the new, ultra-modularized world of OO design would make that a thing of the past because each class would be small, simple and easy to test (and presumably regression test, though I never saw that mentioned in print).
I guess a poor workman still blames his/her tools, even when they have bright'n'shiny new names.
No, you just need to enter a really long password and then you can bypass the lock screen ENTIRELY and have access to everything! At least Apple users will have a fix for this bug in a few weeks at most. How long will you have to wait for the lock screen bug to be fixed on your phone? Assuming you ever get a firmware update for it?
I have to admit that this is where Apple's model comes into its own. How many devices can run iOS 9, and therefore need testing, compared to Android? Google can't test them all, so it's down to the manufacturers - they get Android for free, after all. The flip side of that is that there's no dodging the blame here by Apple.
Have Apple just pushed out a silent patch?
About an hour ago I was able to exploit the flaw as described in the article. Now when I select Message or Mail etc. in the share screen (previously allowing me to enter that App and subsequently see the photos and contacts etc.) the phone bounces me straight to a screen asking for Touch ID or Passcode.
No, they probably can't be found by chance. They can, however, be found by someone with a lot of time on their hands and the willingness to try a huge number of random prods at the system to see if it has any holes, in exchange for some momentary fame on the intarwebs. Such people do exist: 35 years ago they were pressing random buttons on calculators to get them into funny and interesting states and solving Rubik's cubes, today they poke at phones. I think doing interesting things to calculators and cubes was, well, more interesting, sadly.
And presumably no-one gets struck by lightning by chance either. Anyone struck by lightning must be being paid by lightning competitors or doing it on purpose. Someone had heretical access to God's Great Weather Plan and stood in a spot where they knew they would get struck.
Funny thing about chance... of the "1 in a XXXX" expression of probability, that "1" is a dead certainty... on that one occasion.
And in the case of a repeatable phenomenon, you only need be aware of what's happening on that 1 time and then you can repeat it without running into those pesky odds each time.
The more complex the product....
The longer it takes to write...
And to fix...
The longer it takes to get to market....
Marketing and Sales can't wait to do it properly so....
PHBs step in and demand a release ASAP before the devs can test it thoroughly and *BINGO* there you have an utterly ridiculous and avoidable security risk!
Which in turn ensures that, with bad press, the marketing dept gets to do double shifts stamping out the fires, 'cos as we all know marketing depts are always the boil on the bum of any company and have neither scruples nor morals!
The Apple fans should quietly accept the abuse they now receive. It's not so easy once you start to pump some real volume is it?
Just go ahead and say it fanbois: "We were loudmouthed twits when MSFT had a problem and now we will silently suffer our just returns."
Biting the hand that feeds IT © 1998–2022