High Sierra ROOT ACCESS bug is a Leadership NOT tech problem

 

Yesterday, Tuesday Nov 28, Apple Inc. got called out. Bad.

After the latest operating system update, anyone can log into your Apple computer with hilariously minimal effort.

Depending on how your computer is configured, physical access is not needed.

This could be the worst software bug of the decade.

Hyperbole? Not if you consider that Apple is the most profitable company (not software company... any company) in America. With 45.7 billion dollars of 2016 profit, they had all of the resources anyone could dream of having to create the best product(s) and software possible.

For the rest of us who are working, building, and functioning in software companies, it’s important to understand that this is a leadership problem, not a technology problem.

The Reaction

As of this morning, November 29th 2017, Apple has not yet released an official statement or fix/update/patch.

On Twitter, blogs, and forums worldwide, the entire computer industry (Hobbyists, IT Ops, Devs, QA, InfoSec, etc.) is reacting with:

  • Judgment
  • Scorn
  • Disappointment
  • Analysis
  • Ridicule

Shade is being thrown. Monday morning quarterbacking is happening with blame being pointed toward programmatic irresponsibility, quality control failure, and enterprise-level complacency.

Behind these threads of risk escalation, debugging, and schadenfreude memes is fear on the part of the tech community.

Not from the potential consequences of the macOS High Sierra vulnerability, but from the unspoken reality that the events leading up to this snafu have more to do with how companies, projects, and software releases are run than how the software is built.

Did the technical people screw up?

Yes.

The problem is Apple Inc. has some of the most skilled, intelligent, and well-compensated technical people in the industry.

A LinkedIn search for their currently employed engineers produces a result of 25k+ impressive human beings. If this group of experts can fail, just imagine the risks facing a normal-sized dev team with fewer resources.

These people are specialists who have not screwed up something as important as login security for a good while. So what changed?

To understand and learn from Apple’s mistake, we can’t exclusively try to solve the tech problem or tech people problem.

Key Takeaways

Rather than cast blame on the builders or testers, we should reflect on how Apple created the conditions whereby macOS High Sierra was “delivered” with a critical, preventable defect.

One obvious example is greed; Apple has the highest dividend-paying stock in the world. Perhaps this caused leadership to prioritize initiatives with a profit-based goal in a way that compromised quality?

Apple’s recent product direction strongly leans towards a mass-appeal marketing strategy and ammunition against competition.

Recent feature highlights include:

  • Emoticons
  • Large-scale mobile hardware
  • Touch bar technology on laptop
  • Touch ID on laptop
  • Gesture software navigation/home button removed

In a Dec 2016 article, writer Mark Gurman describes organizational changes at Apple that also reflect this.

In another sign that the company has prioritized the iPhone, Apple re-organized its software engineering department so there’s no longer a dedicated Mac operating system team. There is now just one team, and most of the engineers are iOS first, giving the people working on the iPhone and iPad more power

This seems like a non-trivial change.

Non-negotiable deadlines/features can also be one of the conditions that lead to mission-critical failures like the recent Root Access Vulnerability.

This can be exacerbated by sales strategies dependent on a synchronized product launch and non-dev, non-tester leadership that does not have open, honest, and pragmatic communication with the technology experts they need to trust.

Watch for red flags:

  • The primary measure of success is meeting the deadline instead of quality or product value
  • Crunch Time Silence. Devs are heads down and hustling on an increased scope of functionality instead of negotiating features
  • Compromised testing timelines

Look inward and upward at the leaders in your organization, especially anyone who has never coded or tested before in their working lives. Responsibility lies with the non-technical people who created the conditions that the technical people have to work under.

No one will remember this release for the new emoticon support; this is the deployment where anyone could log in as root.