Security is an arms race

I read two sobering security articles this morning. The first describes a serious flaw that existed for over a year in Apple's SSL/TLS implementation that allows for man in the middle attacks. This is scary because it existed for so long and because in theory it should have been detected automatically by anyone running a man in the middle penetration test. The second is an article from the economist that describes a method of figuring out a cryptographic key from the sounds that a computer's internal components make while decrypting emails. The attack vector an acoustic crack is most likely a piece of software that (legitimately or illegitimately) gains access to a user's microphone and uses it to obtain the key used to sign data.