Sometimes a bug can produce more interesting results than what you originally intended.
On all my machines I run a program I wrote called Data Fence ("In Review" at Apple for 5 weeks now!). It lets you write regular expressions to define a set of data to watch. Any program you did not approve to access a data file matching that regular expression generates an alert with an optional audio alarm.
My regular expression and access types for Keynote version 6 documents are:
The reason I have a trailing "/?" and have the access marked as a directory is that Keynote version 6 documents are actually special directories called bundles. I wanted to catch any malware (well, anything I haven't approved) looking into the contents of a Keynote bundle.
The regular expression can catch someone specifying the path named "foo.key" as well as "foo.key/".
The problem with the regular expression is that it also represents directories with names like "foo.keybler" or ".keychain_reauthorize". In fact, that last one Google triggers. Here is an example from today:
So these are false positives. But they really piqued my interest today because of the dramatic OpenSSL bug being reported today. Web sites need to revoke their old certificates and create new ones. This is probably one of the biggest vulnerabilities hitting the Internet in a while, and I am wondering if this ".keychain_reauthorize" directory has anything to do with Google addressing this in Chrome?
I can fix this regular expression fairly easily, but I've left it there for now because it is an interesting way to watch what Google is doing to my system behind my back. Interesting, very interesting.