Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> What do all these earlier mistakes have in common, apart from the obvious: being exemplars of “catastrophic loss of structural integrity”? They all date from before 2013. That’s how we know the NSA wasn’t involved.

I get that this is trying to make fun of the response to Apple's "goto fail;", but this logic ("These similar errors predate 2013 → Apple's similar error was not an NSA backdoor") seems rather faulty. There are a number of flaws with this line of reasoning. To name a few:

* The NSA could have been involved with backdoors before 2013 (unlikely in Debian, but mentioning 2013 is a bit of a red herring)

* Apple could have been encouraged to insert a backdoor and did so in a way that gave them plausible deniability (either because the NSA specified that, or because they wanted to cover their behinds)

Whether or not this incident was the result of the NSA's prompting is something we'll probably never know[0], but this article doesn't do much to argue one way or the other.

[0] The only way we could know is if someone literally came out and admitted it (or someone like Snowden were to leak it). It's possible to prove the existence of something (ie, a backdoor attempt), but impossible to prove the absence of something.



My takeaway was that the NSA could have been involved in all the above, we just weren't paying as much attention before ;-)

Of course, whether the NSA was involved or not isn't the point of this article. The point is that high severity one-liner bugs have been made before.

I feel partly to blame. Until my comment on HackerNews revealing where the source code was, no one seemed willing to post more details about the bug (based on Twitter posts). But I think it will end well, as more people will pay attention to the code in future. Sadly, Apple has yet to share revised source code for the 10.9.2-shipping security library that I'm aware of.


What you've argued is faulty logic was actually sarcasm. One major clue is that the previous paragraph also contained heavy sarcasm.


Uh yeah, you're right. I'm surprised that didn't jump off the page at me but hey, I read the comments first and then the article too, failing "like a good banker", meaning succeeding in not spotting the bullshit but not any worse than my fellow hn-ers who also upvoted it.

I amazed your at bottom of the comments. But then again I was silly enough to upvote the parent before I read the full text.

"A sound banker, alas, is not one who foresees danger and avoids it, but one who, when he is ruined, is ruined in a conventional and orthodox way with his fellows, so that no-one can really blame him" - JM Keynes


The logic at the end is still in parody mode. Flawed is the point.


It's pointless to discuss whether this is an intentional flaw or a mistake because the problem lies in code review and tool. As someone has said in the past to me that compiler can catch these errors, well, if so, what flags do they use and should we have a standard list of flags to enable to test these problems? Do we have tools to show these errors instead of going through a 1000 pages compiled log?


i don't think it's pointless to discuss. sometimes it is sometimes it isn't.

in the apple case though the two revision numbers we have are 55179.13 and 55471. i don't know how apple numbers, so i'm not entirely sure what the .13 is, but theoretically we could have 292 patches between the two we see publicly.

it's impossible for us to know if there would have been a code change that could have caused a merge conflict at that place.


> impossible to prove the absence of something.

If p => q, then ¬q => ¬p. So if p is "The goto fail was setup by the NSA", then surely we can come up with a reasonable q which could be (dis)provable?


would it be something like this:

  if "setup by the NSA" then "goto fail"
I can think of a q that disproves p then!

  not goto fail.
problem is

  goto fail.
since q is true, p is either false or true, with no distinction either way. So... impossible to prove.


Nope. P is "the nsa is responsible for goto fail".

A possible q could be "someone from nsa communicated with someone from apple"

Another possible q could be "goto fail was introduced on purpose"

These specific qs might be difficult/impossible to disprove, but that doesn't mean that there is no q we can disprove.


[deleted]


I thought it was sarcasm. It's funny because there is an unbraced if and a goto, but the error is sonewhere else




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: