
There's a wonderful lesson in all of this to any current or future business owner: what is the minimum number of people in your organization that would need to secretly be dishonest to undermine what you do? And how much money is on the line encouraging those people to consider it?

In this case, the answer was one, and the amount of money was millions of dollars. Should we be surprised that it happened?



Though I'm speculating, I think this is where the use of Attack Trees would become a useful analysis tool [1]. As you mention, in a hierarchical setting, where does a connection need to be corrupted or vulnerable to become an issue? Looking into how different agents interact with each other, the question is not only what the minimum number is, but also how the undermining would occur.

[1] https://en.wikipedia.org/wiki/Attack_tree
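As an added illustration (not from the thread or the linked article), the "minimum number of dishonest people" question can be computed mechanically over a small attack tree: AND nodes add up the insiders each step needs, OR nodes take the cheapest route. The tree below is a constructed, hypothetical release-process model; its leaf costs and step names are assumptions, not facts about any real company.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    """One attack-tree node: a LEAF is a single step, AND/OR combine children."""
    name: str
    gate: str = "LEAF"                 # "AND", "OR" or "LEAF"
    insiders: int = 0                  # LEAF only: dishonest people this step needs
    children: List["Node"] = field(default_factory=list)


def min_insiders(node: Node) -> Tuple[int, List[str]]:
    """Fewest colluding insiders needed to reach `node`, plus the leaves on that
    cheapest route. AND sums its children (every step is required); OR takes
    the cheapest child (any one route suffices)."""
    if node.gate == "LEAF":
        return node.insiders, [node.name]
    results = [min_insiders(c) for c in node.children]
    if node.gate == "AND":
        return sum(n for n, _ in results), [leaf for _, p in results for leaf in p]
    if node.gate == "OR":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown gate {node.gate!r}")


def add_independent_check(node: Node, leaf_name: str) -> Node:
    """Mitigation: require one more independent person at `leaf_name` (a second
    approver). Returns a new tree and leaves the original untouched."""
    if node.gate == "LEAF":
        extra = 1 if node.name == leaf_name else 0
        return Node(node.name, "LEAF", node.insiders + extra)
    return Node(node.name, node.gate, 0,
                [add_independent_check(c, leaf_name) for c in node.children])


# Constructed, hypothetical tree: routes by which an unwanted change could reach
# a release. Leaf costs are assumptions for the illustration only.
TREE = Node("unwanted change reaches release", "OR", children=[
    Node("reviewed path", "AND", children=[
        Node("author commits change", insiders=1),
        Node("reviewer approves knowingly", insiders=1),
    ]),
    Node("hotfix path", "AND", children=[
        Node("author commits change", insiders=1),
        # 0: the cherry-pick is unguarded, so nobody else has to be dishonest
        Node("release engineer cherry-picks without review", insiders=0),
    ]),
])
```

Running `min_insiders(TREE)` gives 1 via the hotfix path; after `add_independent_check(TREE, "release engineer cherry-picks without review")` every route costs 2, which is exactly the control the tree tells a defender to add first.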


This is not an academic question. How many dishonest Apple employees would it take to insert a secret back door into MacOS, iOS, or iCloud?


> This is not an academic question. How many dishonest Apple employees would it take to insert a secret back door into MacOS, iOS, or iCloud?

Back in the day, not many:

http://eeggs.com/tree/1136.html


Where's the secret back door in that list?

A list of easter eggs wouldn't appear to tell us anything about how easy or hard it would be to get a secret back door in.


No but it demonstrates that there is functionality absent scrutiny; ignorance notwithstanding, it's a condition necessary for the insertion of "secret" back doors.


It doesn't demonstrate that at all. For all we know, hundreds of people inside Apple knew about each of those.

I've worked on popular software (>10 million users) that had Easter eggs. Dozens of people in the company knew about each Easter egg that shipped, including managers. Not everyone is a soulless killjoy.


No it definitely does not. That's like saying movies with cameos can't control who walks on set.


Probably 2-3 - no code at Apple is getting checked in without another pair of eyes looking at it.


You're either severely underestimating how easy it is to insert a backdoor or overestimating how competent Apple's code review practices are. Remember that time you could bypass the root password prompt by putting in nothing?


> how competent Apple's code review practices are.

Thousands of developers over a decade have touched code going into iOS & Mac OS and so far have a pretty good track record on internal espionage and back doors.

> remember that time you could bypass the root password

Pretty dumb mistake, but willing to put money on them that it won't happen again. I think you severely underestimate just how competent Apple (and Google, Facebook, or Microsoft) are at their job given the enormous complexity of the problems they solve.


> Thousands of developers over a decade have touched code going into iOS & Mac OS and so far have a pretty good track record on internal espionage and back doors.

Maybe. Or maybe they have an impeccable track record on not getting caught (at least publicly). It's essentially impossible to differentiate the two.


Between those companies developers have checked in tens or hundreds of thousands of exploitable bugs. It's not far-fetched to think that at least one of them might have been intentional.


> It's essentially impossible to differentiate the two.

This sounds like "guilty until proven innocent" logic - maybe we should drown people to prove they're not witches. I'm all for a healthy dose of skepticism, but there's a point it passes into fantasy.


Companies quietly fix problems all the time. Why would anyone disclose anything negative if they are not mandated to, by law? Remember when Uber paid off a hacker and kept the hack under wraps? That is just one example.

This is not guilty until proven innocent, this is just the way most businesses operate.


No, it means that making statements about the certainty of this in either direction is foolish and unsupported by evidence.


Can you back up your claims of this track record with anything, or are you just guessing?


Besides a quick search of critical OS-related security vulnerabilities over the years that were not related to 3rd party code?


You remember that time where a bug in the implementation of SSL went undetected in open source software for over a year?


Even if tomnipotent's estimate is correct, that's still a pretty small number considering what is potentially at stake. Access to iCloud would surely net you enough information to change the balance of power in the world.


Look how difficult it is getting two or more developers to agree on "small" things like code formatting conventions or serialization frameworks. Finding two or more people in such a position that would knowingly break the law by colluding together in some grand conspiracy, with the necessary access and privileges to the code/production process, is the stuff of movies.


> Finding two or more people in such a position that would knowingly break the law by colluding together in some grand conspiracy

This is true only if we were to ignore the following:

organised crime; politicians; all secret services, both domestic and foreign; corporate espionage; opportunity getting the better of people, especially problem gamblers and drug addicts


You obviously have not been watching the news lately. If you had tried to sell the actual events of the last two years as a movie script it would be rejected as too outrageous to be believed. I mean, Donald Trump as President? Seriously?

I'm pretty sure the Chinese government would be capable of planting two or three sleepers in Apple's software division if they decided to.


> I'm pretty sure the Chinese government would be capable of planting two or three sleepers in Apple's software division if they decided to.

I'm not interested in conjecture. Like I said, the stuff of movies.


Is it?

The valley is a pretty incestuous place and people with specific skills are pretty small in number. It doesn’t seem wacky that someone with nation state budget wouldn’t have a network of influence to get someone hired somewhere.

People do it for their friends all of the time.


That’s like saying “we hired the getaway driver, we can rob the bank now, right?” You’ve identified the first step of the plan. There are about nineteen more, and the theoretical network of conspirators required to accomplish this Oscar-winning screenplay would be quite large, which always spells trouble.

To that end, I'm amazed it took that long for the FBI to take down the network in the article. The more people who are read in to criminal activity, the more the risk increases exponentially, as anybody who has been on either end of investigative leverage can tell you. I'm stunned that one person in the early days of this scam, particularly when it started involving colorful people, didn't flip as a bargaining tool for other things they were into.



It's not uncommon to plant your own puppet as a president/prime minister of a country to make that country's policies favourable to you (the CIA has done it numerous times). Planting a software developer cannot be harder.


One of the largest and most secretive companies in the world, the same one obsessed with preventing all leaks from exiting the company, the same one who produces ubiquitous devices with occasional national security implications that interest foreign governments, the same one who deals with serious IP problems in the very example nation you just happened to choose, has no thinking or plans around the well-known threats of industrial espionage or sabotage, is what you’re essentially saying. Consider for a moment whether that could be remotely plausible, and I think you’ll see it isn’t.

As tomnipotent said, it’d make a cool movie.


It's also difficult to believe this same company isn't facing down multiple multi-pronged advanced persistent threats.


I didn't say they have no plans. Obviously they do. But unless you work for Apple, you don't know what they are.

Whatever their plans are, there is some number N of employees who could subvert those plans. It is legitimate to wonder how big that number is, and to note that there is no way for anyone outside of Apple to know.


There are plenty of clever ways to write security-compromising code that would pass any manual review. After all, such code is written by well-intentioned programmers on accident all the time, which is why we have bug bounty programs and a market for exploits.


A backdoor into a Bitcoin app/wallet would be far more lucrative and easier to pull off (not that I am giving ideas). iCloud is mostly family pics and useless stuff like that. May as well go for where the money is.


But wasn't iCloud where those people were stealing nudes from celebrity accounts?


Who says money is the only goal? Blackmail of some risqué pictures of a high profile celebrity, businessman, or politician could be the game.


The interesting thing was that theoretically it was more than one person here, because the prizes were in the tamper-proof bags; the thing that really enabled him to do it was that extra package of tamper-resistant seals that were sent to him.

