It is absolutely abnormal for companies like Apple to release core security bugs this shallow that could have been easily discovered by straightforward unit tests and static analysis tools.

This is why it's a big deal.

The other reason why this is no big deal (anymore) is that the Snowden leaks have shown that the NSA has total control over all iPhones.

Why should we even bother talking about bugs like this anymore? Pure distraction.

Which is worse: the NSA having total control over all iPhones (citation? I obviously haven't been paying enough attention), or the NSA and all the (other) bad guys in the world having total control ...? Sure, they're both terrible, but I'd take the former over the latter.

> the Snowden leaks have shown that the NSA has total control over all iPhones

You mean: had total control over all the original iPhones that they could get physical access to. (back when jailbreaking was extremely simple and common)

Where does the "physical access" part come from? And if that was the case, why would it be impossible now?

One of the sources: http://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-repo...

From the slide on your very link: "The initial release of DROPOUTJEEP will focus on installing the implant via close access methods. A remote installation capability will be pursued in a future release."

Basically how it worked was they jailbroke your iPhone and installed spyware on it. Is it quite likely that today, 7 years later, they have a remote 0day to do the same? Absolutely. But there's no proof that "the NSA has total control over all iPhones".

What strikes me is that the bug looks like a typo but it implements a logic error and that logic error pretty much negates everything the library represents itself as doing and what the library represents itself as doing is providing a foundation upon which signals security relies.

Suppose a contractor was hired by the NSA to write an exploit with equivalent function. How could it be crafted more cleverly?