Archive for June 5, 2014

Thursday, June 5, 2014

Apple Has (Partly) Lifted the NDA for Beta Releases

Ole Begemann:

I am not a lawyer, but if I am reading this correctly, it means that beta versions of the operating systems and SDKs are still under NDA, but Apple allows developers to discuss new APIs and features that have been introduced at WWDC in public. That should cover pretty much all the new stuff in iOS 8, Yosemite and the Developer Tools.

Chris Adamson:

The interim scenario we’ve been living in since then — no talking about the unreleased version, even though we all have it on our laptops — is still frustrating and fairly absurd. I wonder if either Apple’s going to give us an official clarification, or people are going to just go ahead and start talking. It would be nice for the conversation to be led by the top developers, speakers, and instructors instead of the rumor-mongers, for a change.

Counterparts Lite 1.1

Soon after releasing version 1.0, Michel Fortin has announced a new version of Counterparts Lite that adds support for XLIFF files, as well as license leases so that developers can provide licenses to translators. I’ve been testing it for a week or so, and it’s a great app.

SSL/TLS MITM Vulnerability

Andy Greenberg:

On Thursday, the OpenSSL Foundation published an advisory warning to users to update their SSL yet again, this time to fix a previously unknown but more than decade-old bug in the software that allows any network eavesdropper to strip away its encryption. The non-profit foundation, whose encryption is used by the majority of the Web’s SSL servers, issued a patch and advised sites that use its software to upgrade immediately.

Masashi Kikuchi:

The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experience with TLS/SSL implementation. If the reviewers had enough experience, they should have verified OpenSSL code in the same way they do their own code. They could have detected the problem.

Fuzzing may have worked. However, as the history (see below) shows, knowledge of TLS/SSL implementation seems vital.