back to article Apple: Another bug fix. Er, thanks, GCHQ

GCHQ’s CESG (Communications-Electronics Security Group) assurance arm was behind the report of an OS X bug to Apple that the consumer electronics giant patched last week. The UK’s signals intelligence is perhaps better known in security circles for finding and exploiting software vulnerabilities in order to spy on foreign …

  1. Pen-y-gors


    Who gets the bug bounties?

    1. Anonymous Coward
      Anonymous Coward

      Re: Bounties?

      Hmmm, Bounty.

      Sorry, had a Homer Simpson moment.

    2. Quentin Finknottle Again

      Re: Bounties?

      That's how you build a secret slush fund :)

  2. Mage Silver badge

    Attack vs Defence

    That suggests GCHQ know their enough of their enemies (which include governments, terrorists and criminal) know this bug, thus defence is more useful now.

    1. Anonymous Coward
      Anonymous Coward

      Re: Attack vs Defence

      Or it could be inter-departmental squabbling: team A gets better toys than team B, so team B tells Apple to patch the bug the team A was using to collect data from agency X.

    2. amanfromMars 1 Silver badge

      Re: Attack vs Defence

      Does GCHQ yet realise and accept that their own government is an enemy as it tries to protect and defend the indefensible and corupted status quo structures with a covering fabric of blatant lies and designedly dodgy half truthe, as per par in Chilcot revelations

      Or is GCHQ in virtual denial of that reality and reappraised global media application?

      1. Aodhhan

        Re: Attack vs Defence

        I think you need to quit listening to ranting lunatics and stop being lazy. Get your ass up and do some research so you can critically think through things.

  3. PyLETS

    Most bugs best fixed upstream.

    In principle the motivations for this are no different from that of the NSA in publishing and maintaining SELinux. They seem less likely to help maintain platforms in this way unless UK government needs these for high security requirement work.

  4. BasicChimpTheory

    Drafting a consiracy theory. Let me know what you reckon.

    1. Leader of Five-Eyes partnership wants something from Corporate Entity X.

    2. Corporate Entity X does not want to cough.

    3. Leader of Five-Eyes partnership offers to scratch Corporate Entity X's back if etc (Yes. Squid pro ro. /Austin Powers)

    4. Corporate Entity X does not want to appear to have coughed.

    5. Both parties agree to swap desireable info. Leader of Five-Eyes partnership "leaks" info that intel ACTUALLY came from shady Iraeli black hats. Leader of Five-Eyes partnership organises that Five-Eyes cabin-boy pretends he has useful info for Corporate Entity X.

    6. ???

    7. Profit.

    1. Anonymous Coward
      Anonymous Coward

      You want a conspiracy theory ?


      On two separate occasions now I've been tweeting something from my phone, once was a criticism of the IP Bill and the other was bemoaning the fact that history gets written by the winners so the darker areas of the UK's colonial past tend to get whitewashed & our current government is descended from people who thought planting a flag on someone else's soil made it theirs.

      On both of these occasions my camera activated.

      Not the main camera, the selfie camera.

      Now being a paranoid sort of person I've disabled every button & shortcut to the selfie camera on my phone as I'm simply not interested in taking a selfie & I don't want to take any by accident, if I want to turn it on I need to click a couple of icons in the correct sequence. So I might conceivably turn the main camera on by accident but the selfie camera, not a f*cking chance.

      I have a sticker stuck over the selfie camera as well.

      I don't have anything on my phone I'm not completely happy with anyone seeing.

      That good enough for a conspiracy theory ? Anyone think my phone might be compromised ?

      1. DavCrav

        "That good enough for a conspiracy theory ? Anyone think my phone might be compromised ?"

        Well, given that if people were spying on you, they have your phone number, location through GPS, probably name through e-mail and texts, and your number in others' contacts books, etc., giving it away by activating your camera seems maybe silly.

        And you have to remember, you aren't really very important. Let's be honest here, there are hundreds of thousands of people, if not millions, who criticize government policy. We could call them the electorate. The idea that 'they' spy on all these people, actively, would mean tens of thousands of people paid just to read your texts, none of whom then tells anyone that that's what they do for a living.

        1. BasicChimpTheory


          Your broader point is probably fair enough (let me distance myself here from my initial comment as it was at least part in jest) but this:

          "And you have to remember, you aren't really very important."

          is not entirely accurate.

          EVERYONE constantly creates datapoints and datapoints (as opposed to proof/evidence/etc) are pretty much only valuable in aggregate. If you ignore a random nutter spouting anti-government senitment on Facebook then surely you'll miss the opportunity to defer the Facebookolution (that our governments seem to be assuring us is coming?).

          Point is: storage is cheap - they'll keep everything on eneryone.

        2. Anonymous Coward
          Anonymous Coward

          "And you have to remember, you aren't really very important."

          I agree no one is very important in the grand scheme of things, however we know several things about our security services.

          They collect the haystack rather than concentrating on the needles.

          They have expert systems that monitor internet traffic more or less constantly.

          The IP bill seeks to legalise a lot of activities that the security services already perform which are currently illegal, along with extending those activities to everyone from the milk marketing board up.

          And as someone else pointed out storage is cheap, I would also add that processing power is also pretty cheap and an automated system that tries to verify who the random nutter is that is actually holding the smartphone that just sent a message containing words or phrases it is programmed to trigger on is not beyond the bounds of possibility.

      2. BasicChimpTheory

        @AC w/selfie-cam


        Have an upvote.

      3. Anonymous Coward
        Anonymous Coward


        For two years I was followed by BT vans. Everywhere I went a BT Van would turn up. It was seriously weird. Home, work, pub, friends houses. Even my friends started to take the piss about it.

        Once I became a BT customer it stopped (never again). But could I get an engineer when I needed one? Could I fuck.

        Anon 'cos I reckon they're still lurking.

      4. Anonymous Coward
        Black Helicopters

        I think the conspiricy is...

        That Twitter recently added the camera (include camera photo, not "gallery" image) icon to their Twitter app and we still are using muscle memory from the old button placement.

        Black helicopter as thats what will happen when they add the quadcopter icon in a burst of creativity.

      5. Uffish

        Re: "the selfie camera ..."

        There is a simple way to check if anyone is looking:

        - grow a beard

        - get a kalashnikov and prop it up near you

        - get a black flag and drape it casually across the wall behind you

        - take sticker off the front camera and send a rant to El Reg whilst holding the phone so that glimpses of beard, black flag and flag are occasionally seen

        - send another rant in a week's time (if you are able) and we will deduce that it's not our lot watching.

        PS my spell checker objects to "kalashnikov" it suggests Shostakovich instead; I approve wholeheartedly but, in the interests of clarity, I haven't corrected the error.

    2. Anonymous Coward
      Anonymous Coward

      The flaw I see in the theory is that, as a company driven by marketing / image, they don't want the flaws of their shitty software exposed. I think they would be much happier leaving users at risk and this stuff not getting reported so it doesn't interrupt the sale of the shiney

  5. Aodhhan

    Stop overthinking stupid things and use your brain on something productive.

    It's the release of some information about a vulnerability. Don't over think it.

    People get so wrapped up in hate and stupidity. Then instead of thinking through the item objectively, they just repeat something they've 'heard'.

    1. graeme leggett Silver badge

      Re: Stop overthinking stupid things and use your brain on something productive.

      Hard to understand such a secretive thing on basis of too few clues.

      What used to called Kremlinology when it was about guessing Soviet foreign policy based on latest news about tractor production quotas.

  6. DrXym

    I suppose it all boils down to a simple question

    Does the bug put UK / Western countries at greater risk of harm than intelligence services could justify if they left it there to exploit themselves?

  7. Mike 16

    Or it's the fresh paint on a trojan horse

    Apple has been sneaking some nasty surprises into their "upgrades" (which also include "upgrades" to firmware) for years now, so a nice juicy "Must patch now, sky is falling" security alert from mustache-twiddling GCHQ is just the ticket to make users "take their medicine"

    OTOH, friends who bit the El Capitan apple are reporting a lot of USB non-function, so maybe it does enhance security. The software equivalent of putting epoxy in those pesky slots.

    1. Charlie Clark Silver badge

      Re: Or it's the fresh paint on a trojan horse

      OTOH, friends who bit the El Capitan apple are reporting a lot of USB non-function, so maybe it does enhance security

      Was really bad at the start but seemed to have been fixed in 10.11.4

      10.11.5 does indeed seem to contain some major changes relating to the handling of images and particularly videos. As for the Easter Egg: you reboot and get invited to provide Apple with system telemetry…

  8. benderama

    Most likely that this department is responsible for protecting a lot of OSX users in their ranks and this exploit is easier to fix than it is to negate.

  9. Philip Virgo

    It could always be to do with GCHQ wishing to demonstrate that they are worthy hosts for the new National Cyber Centre. We will know if they stop trying to prevent funding for the development of UK security products which block all executable code unless expressly permitted - thus sodding up (technical term) most current attack vectors - and also (potentially) the business models of much of the current on-line industries.

  10. macjules
    Black Helicopters

    I have now uninstalled OSX

    I knew there was something screwy about that update. And as for allowing Samaritan GCHQ/NRO/CIA interference, well I shall never buy a Mac again, or at least not until the next MacbookAir comes out.

    And just in case you think you can change my mind with orbital laser beams, I have my tin foil hat on and so does my cat.

  11. Seajay#

    Market share

    Maybe what this tells us is that Macs are disproportionately bought by decadent Westerners. Therefore the Attacking value of this exploit is low whereas the Defensive value is high.

    ISIS must be either on Windows or Linux. I don't want to start a holy war by saying which one I think it might be.

  12. sturobinson7

    CESG CPA Certified PCoIP Zero Clients have no App OS to compromise.

    The Apple OS exploit is a good reason to take a look at PCoIP zero clients. While you cannot get away from an application OS on your phone or tablet today, you can get desktop clients with no App OS. PCoIP zero clients have no application OS and there is no application data stored on the client. This provides a secure client solution to connect to remote physical or virtual workstations, virtual desktops (VMware Horizon) or Amazon Workspaces managed cloud desktops.

    Amulet Hotkey just announced CESG CPA Certification for their zero clients.

    There is no OS to patch and update, no hard disk drive to be compromised and some unique security features. Only encrypted display pixels are sent to the client for display on the local monitors. Many other security features found here

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like