Apple To Review Software Practices After Patching Serious Mac Bug (reuters.com) 192
Apple said on Wednesday it would review its software development process after scrambling to patch a serious bug it learned of on Tuesday in its macOS operating system for desktop and laptop computers. From a report: "We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused," Apple said in a statement. "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."
I just need to know (Score:1, Insightful)
Re: (Score:2)
I don't think they can do that. If anyone can download and compile the MacOS source code, and tweak it to run on different computers, Apple's hardware sales will go down the drain.
Yes, it would get rid of a lot of bugs. But it would also get rid of Apple itself. I'm not saying that would be a bad thing, just that it would be monumentally stupid.
Re: (Score:2)
Also the Darwin kernel, i.e. BSD on Mach, is already open source. Even though BSD is BSD-licensed, not GPL-licensed, and they'd be legally allowed to keep their very extensive changes secret, Apple still release their changes
https://opensource.apple.com/s... [apple.com]
They don't release all the kernel mode code though - e.g. they don't release the source code to "Dont Steal Mac OS X.kext"
http://www.osxbook.com/book/bo... [osxbook.com]
They also don't release the source code for the user mode stuff, but then they don't have to.
And it seems like
Re: (Score:2)
Do you really think there's that much demand for MacOS these days?
Apple has about 7.5% of the PC (desktop+laptop) market. That is about half of their peak around 1989 by market share, but way more units sold because the market today is so much bigger. Nearly all of these are laptops, since Apple has mostly abandoned the desktop.
people buy Macs mostly because they're Apple people, or perceive it as some kind of status thing.
I use a Macbook because MacOS is Unix that "just works".
Re: (Score:2)
I use a Macbook because MacOS is Unix that "just works".
As much as the various hardware limitations, software limitations (max of OpenGL 4.1 in 2017? Come on) and closed, proprietary technology over open standards (Metal over Vulkan, Airplay, Airdrop, Facetime, etc) are annoying, I do like that the kernel can be updated without it breaking the display driver and having to go into a terminal to recompile the kernel module just to get the GUI working again. It's all those niche little annoyances that still persist all across Linux that add up to it being a poor user
Re: (Score:2)
Not only is it not Windows, it's Unix. Mac OSX is a user-friendly Unix that runs Office. Try finding anything else like that in the market today.
Re: (Score:2)
I could argue the other way around.
For a smaller company, having your code open source allows for more eyes on the software than what a small company can afford. While the biggest company can hire a lot of people to check and review the code.
If your program such as OS X is very popular and had a lot of features that competitors would love to see how they approached a problem, having it Open source could lead to a lot of excessive copying if not the code directly, duplicating the idea and specifications.
Comment removed (Score:3, Insightful)
Re:Holy shit (Score:5, Insightful)
Talk is cheap. Let's see what the audit finds. And why did previous audits fail to find the flaw?
Re: (Score:2)
They're not auditing the code. They're auditing the process, to find the root cause as to why the software flaw wasn't detected.
Re: (Score:2)
Talk is cheap. Let's see what the audit finds. And why did previous audits fail to find the flaw?
Because it requires a specific, multi-step process to trigger.
Re: (Score:2)
Given the perceived ineptitude required to create the problem, it's kind of the only response they can offer. Looking at their track record, Apple is probably the worst of the big three (OS X/Windows/Linux) in addressing security issues. That said, that still puts them way ahead of most application developers.
But Apple will NOT let you talk about such things (Score:4, Insightful)
Apple's response is just PR-driven BS, and your comment does NOT deserve the "insightful" moderation the shills and sakura gave it. The only insight from your comment is that you have minimal contact with Apple.
Try and honestly criticize Apple in an Apple-controlled venue and you will find out what total lack of respect means in a profit-dominated context. For example, if you had tried to describe this rather horrendous security problem and gotten too negative, I predict you would have found your comment blocked. Based on my years of experiences involving a MacBook Pro (which I still use on a daily basis for certain tasks), I actually think Apple has automated the censorship using sentiment analysis of the draft comment. Or perhaps it's profile-driven by the secret dossiers they have on each of us?
I could write a more substantive response on the topic, but here on Slashdot such a comment would merely be shouted down by pro-Apple fanbois with mod points to burn. Not worth the time, though I will donate a few seconds for a rerun of the capsule version:
Capitalism and communism are dead. Our new religion is corporate cancerism. There is no gawd but profit, and Apple is gawd's chief prophet.
Re: (Score:3)
Apple's response is just PR-driven BS, and your comment does NOT deserve the "insightful" moderation the shills and sakura gave it. The only insight from your comment is that you have minimal contact with Apple.
Try and honestly criticize Apple in an Apple-controlled venue and you will find out what total lack of respect means in a profit-dominated context. For example, if you had tried to describe this rather horrendous security problem and gotten too negative, I predict you would have found your comment blocked. Based on my years of experiences involving a MacBook Pro (which I still use on a daily basis for certain tasks), I actually think Apple has automated the censorship using sentiment analysis of the draft comment. Or perhaps it's profile-driven by the secret dossiers they have on each of us?
I could write a more substantive response on the topic, but here on Slashdot such a comment would merely be shouted down by pro-Apple fanbois with mod points to burn. Not worth the time, though I will donate a few seconds for a rerun of the capsule version:
Capitalism and communism are dead. Our new religion is corporate cancerism. There is no gawd but profit, and Apple is gawd's chief prophet.
Why use so many words? You could have packaged all that into a single sentence:
Blasphemy!! Summon the Holy Inquisition !! BUUUUUUURN THE HERETIC!!!
Re: (Score:2)
If you can't understand what I wrote and actually want to, please feel free to ask for clarification.
If you can't understand what I wrote and don't want to, that's certainly your prerogative.
If you have nothing to say, why don't you just say nothing?
Let me check again. Yes, rereading your so-called reply and making suitable allowances for your poor writing, I can confirm that there is nothing there that has any relevance to anything I wrote. FYI.
Re: (Score:2)
Not a Mac fan, but this is the most honest, respectable response to a mistake I've seen from a corporation in a long time.
Props, Apple.
I agree.
Re: (Score:2)
I'll save my judgement until we see an end to issues like this or "goto fail" after a few years. It was the correct response, but it's easy to say anything that you think people want to hear.
Do you think Apple even does integration or regression testing? I can't imagine "goto fail" would have slipped past if they were, because that's about the most basic "is the functionality working" test you'd start with. That seems like a good place to start.
Re: (Score:2)
Sorry to disagree, if your system has a 'deactivated root account' and if you still can log on to it, that is probably the last thing anyone is considering to test. Especially in a regression test.
When and how and why did such a vulnerability get introduced? How often do you want your test(er) to click the unlock button?
Re: (Score:2)
That's why I specifically mentioned the "goto fail" issue. That tiny bug completely broke SSL/TLS. How could they not be testing basic functionality like that before it's released?
I'll grant that this particular situation might not have been tested, although to me, testing with root and a blank password seems fairly obvious. But this seems like a more widespread problem for Apple and how they test (or don't test) basic functionality. And I'm not talking about using human testers. This should be 100% au
Re: (Score:2)
Not a good example.
SQLite, like any database, can be tested 100% automatically.
To log on with no passwd as root, you first have to come to the idea that this might even be possible.
On the other hand you can easily automate that the passwd file (or shadow passwords) has a password for root.
I actually never came to the idea to log on as root via the gui. But I never needed to.
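The testing argument in the comments above (a disabled root with an empty password is "the last thing anyone would test", and the unlock button gets clicked more than once) is easy to pin down as a regression invariant. The block below is an added example for this page: it is not Apple's code and not a description of opendirectoryd internals. It models an account as a record with a `disabled` flag and an optional salted hash, models the logic error as an "upgrade" path that stores whatever password was typed when no hash exists (so the first attempt fails and the second succeeds), puts the fixed version beside it, and shows the invariant check that fails on the first and passes on the second. The record layout, the hash parameters and the `set_password` helper are assumptions made for the example.

```python
"""A toy model of the class of logic error behind the root login bug, next
to a fixed version, and the regression check that catches it.  Added
example for this page; not Apple's code, and not a description of
opendirectoryd internals.  Assumptions not on the page: an account is
modelled as a record with a `disabled` flag and an optional salted hash;
the bug is modelled as an "upgrade" path that, when no hash is stored,
saves whatever password was supplied and enables the account (so the first
attempt fails and the second succeeds, which is the repeated clicking the
thread mentions).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Record:
    disabled: bool = True
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: Optional[bytes] = None  # None: no credential stored at all


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed parameters for the model; nothing here is Apple's format.
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 10_000)


def set_password(store: Dict[str, Record], user: str, password: str) -> None:
    """The legitimate way an account gets a credential in this model."""
    rec = store.setdefault(user, Record())
    rec.pw_hash = _hash(password, rec.salt)
    rec.disabled = False


def _matches(rec: Record, password: str) -> bool:
    return rec.pw_hash is not None and hmac.compare_digest(
        _hash(password, rec.salt), rec.pw_hash)


def authenticate_vulnerable(store: Dict[str, Record], user: str, password: str) -> bool:
    rec = store.get(user)
    if rec is None:
        return False
    if rec.pw_hash is None:
        # Logic error: a record with no stored hash is taken for a legacy
        # account that needs migrating, and migration trusts the supplied
        # password.  Nothing was verified, yet the account now has a hash
        # (of whatever was typed, including "") and is no longer disabled.
        rec.pw_hash = _hash(password, rec.salt)
        rec.disabled = False
        return False  # this attempt fails; the next one matches the stored hash
    return _matches(rec, password)


def authenticate_fixed(store: Dict[str, Record], user: str, password: str) -> bool:
    rec = store.get(user)
    if rec is None or rec.disabled or rec.pw_hash is None:
        return False  # nothing to verify against: deny, and never mutate state
    return _matches(rec, password)


def disabled_root_stays_locked(authenticate: Callable[..., bool], attempts: int = 3) -> bool:
    """Regression invariant: a disabled root with no credential must reject
    the empty password on every attempt, and the record must be unchanged
    afterwards.  Repeated attempts matter: the bug only shows on the second."""
    store = {"root": Record(disabled=True)}
    before = (store["root"].disabled, store["root"].pw_hash)
    for _ in range(attempts):
        if authenticate(store, "root", ""):
            return False
    return (store["root"].disabled, store["root"].pw_hash) == before


if __name__ == "__main__":
    print("vulnerable passes invariant:", disabled_root_stays_locked(authenticate_vulnerable))
    print("fixed passes invariant:     ", disabled_root_stays_locked(authenticate_fixed))
```

The check deliberately looks at two things a single-attempt test misses: it retries, and it compares the record before and after. An authentication routine that changes credential state on a failed attempt is wrong regardless of whether the login eventually succeeds, and that is the property worth asserting in a regression suite.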
Re: (Score:2)
Really? I felt it was regular corporate-speak..
As with most things, there's not a lot of substance behind it - where's the offer of compensation etc?
Compensation for what, exactly?
Hold That Software (Score:4, Funny)
Allowing root access without a password? (Score:2, Funny)
This was a known "feature" (Score:3)
This was posted as recently as November 13, as a "solution" to an issue of not having an administrative account: https://forums.developer.apple... [apple.com]
All bugs are also features. (Score:2)
It isn't even just security bugs like this... (Score:5, Interesting)
There's all kinds of cosmetic and usability bugs floating around, and Apple doesn't seem to be in a hurry to fix them. They're the kind of bugs that aren't showstoppers but are still very annoying or can result in bad data.
The Calculator bug in iOS is one example of a recent bug that can produce bad data and wasn't fixed. Until iOS 11.2 (which isn't out yet!) even though it was reported way back in 11.0 beta, before the OS was released to the public.
Another recent issue, though less important, is that the Weather widget will randomly stop updating, so you'll be seeing last night's weather instead of right now. This bug was also reported several versions ago and is as of yet unfixed in the latest 11.2 beta.
I know bugs happen; nobody is perfect. But these are obvious, reproducible bugs that are not being fixed after being reported months prior. What the hell, Apple?
Re: (Score:2)
There's all kinds of cosmetic and usability bugs floating around, and Apple doesn't seem to be in a hurry to fix them. They're the kind of bugs that aren't showstoppers but are still very annoying or can result in bad data.
The Calculator bug in iOS is one example of a recent bug that can produce bad data and wasn't fixed. Until iOS 11.2 (which isn't out yet!) even though it was reported way back in 11.0 beta, before the OS was released to the public.
Another recent issue, though less important, is that the Weather widget will randomly stop updating, so you'll be seeing last night's weather instead of right now. This bug was also reported several versions ago and is as of yet unfixed in the latest 11.2 beta.
I know bugs happen; nobody is perfect. But these are obvious, reproducible bugs that are not being fixed after being reported months prior. What the hell, Apple?
Oooh, how horrible!
A UI bug in the free Calculator App, and an Update bug in the Weather Widget?
Seriously?
Now, let's compare that against Windows and Linux, shall we?
Re: (Score:2)
The thing is I agree with you; the bugs aren't show stoppers. I even mentioned that in my original comment.
But this is evidence that Apple's attention to detail is not what it used to be. These sort of bugs didn't exist prior to iOS 7. I've been using iOS since version 3, and right around the time of iOS 7 there was a noticeable drop in QC which persists to this day.
Re: (Score:2)
My big gripe is that they fail to acknowledge bugs as such: their miserable implementation of SMB, and eliminating FTP and Telnet clients are my two biggest gripes. They are really burning bridges with this crap.
Re: (Score:2)
Yeah, I agree. I don't think it's really an Apple problem, which is why I think they can get away with it, but a more general "developer" problem. A lot of developers seem to spend endless amounts of time trying to develop new cool features, or else shuffling the UI around, but they don't actually fix some of the very real and fundamental problems that people have.
Working in IT, it's just endless. There are tons and tons of problems with every product that I deal with where it's needlessly complicated
Re: (Score:2)
What the hell, Apple?
Dear Peon,
We're sorry for your inconvenience. We are aware of these "features" and will address them as we feel like it.
In the meanwhile, please feel free to purchase 3rd party apps to solve your needs.
We will appreciate the profit that we make off of your purchases.
Sincerely,
Apple Customer Service
True enterprise level bugs (Score:1)
True enterprise level bugs, only from Apple
Re: (Score:2)
True enterprise level bugs, only from Apple
Oh, really?
Wanna check out some Windows and Linux bug-lists?
Re: (Score:2)
Please stop replying to every fucking Apple complaint. You look pretty pathetic.
Please go fuck yourself.
Re: (Score:2)
With an Apple?
Think Differently about it (Score:2)
Give 'em a break, they've only been developing software for 40 years
Now dump the thin is king hardware devs! (Score:3)
Now dump the thin-is-king hardware devs! And get some real workstations. iMac Pro with no RAM door, come on, it's not that hard!
Re: (Score:2)
And pay Comcrap $10 per 50GB in overages. If you have cell then $10/GB and up to $15-$20/MB roaming.
Maybe this will take hold elsewhere? (Score:2)
I totally agree that waterfall planning for software doesn't make sense, but IMO neither does Features Features Features, 10 deploys a day, release now/patch later, and all the other things we've gotten as the pendulum shifted all the way to the other side. I'm on the Windows side of the fence and it's been an interesting couple of years watching them run through release release release and gradually slow it down a bit as they see quality dropping.
Operating system or application code, running on machines pe
Maybe they'll fix IOS Appleid popup as well... (Score:5, Interesting)
iOS has a "feature" that the OS pops up a request for your Apple ID credentials at random times. Open Pandora and you'll get a popup. Open pretty much anything and the popup appears. There's no provenance to the pop up so you don't know what part of the OS is asking for the credentials or why. Backup works without answering the request as you can be signed into iCloud and still get the pop up.
My response is to dismiss the pop up and continue with what I'm doing but it's a PITA. A naive user will enter their credentials in the hope the "feature" is mollified, which it sometimes isn't.
The correct way for iOS to ask for the credential is for the popup to say "Open Settings/iCloud (or whatever) and enter your Apple ID." Settings would second the request by posting a little icon indicating there's a response pending, a la a text message. An animation within Settings would guide the forgetful user if the path is more than one level deep in Settings so they'd navigate to the proper iOS setting to satisfy the pop up. The point of all that is you know you're talking to Settings when you provide credentials.
The current scheme is ripe for an app to steal your Apple ID. Write an app that does something kind of useful, wait for the 10th, 20th run and pop an identical pop up that looks just like the OS popup. The user can't tell if it's the app or iOS asking and enters their credentials. Voila, you have access to the user's Apple ID. A little more elided hacking will circumvent 2 factor if it's enabled.
Too much water has gone under the bridge that I guess an obvious attack is new again.
Apple Security issu*cough*backdoor*cough* (Score:2)
Security breach boilerplate (Score:2)
We greatly regret this error and we apologize
Of course they do. What company would not copy/paste the security breach boilerplate in such a situation? It could even be automated: if +"security flaw" +apple yields something in the news, send the press release.
But do the customers deserve freedom? No. (Score:2)
But don't be fooled: one thing Apple remains firm on—Apple's customers don't deserve software freedom [gnu.org]. Apple will continue to pursue its walled garden, ever restrictive practices built around DRM, proprietary software, app store censorship, and so on (see more about how Apple's malware adversely affects its users [gnu.org]). The latest insec
Re: (Score:3)
I translated it as: this was a known issue to the underlings, however it never was allowed to be addressed by the middle managers, or this problem was a very hard to spot problem (probably some debug code that didn't get removed) that was allowed to get released.
However compared to other companies, at least Apple is publicly admitting the problem. While some companies may patch the problem, but not state any details about it.
Re: (Score:2)
I'm curious what companies patch the problem and not state any details about it? I've always seen MS and Linux distros provide very concise details about exploits and the fixes for them.
Re: (Score:2)
And provides a link to a KB article with all the details... Of course they don't give you all the gory details right in the windows update window.
Re: (Score:1)
I canâ(TM)t reâ(TM)d this crâ(TM)p.
Re: (Score:2)
You mean put in a sack and beat with a stick?
Re: (Score:2)
We apologise again for the fault in the post above. Those responsible for sacking the people who have just been sacked have been sacked.
Re: (Score:3)
Mynd you, moose bites Kan be pretty nasti...
Re: (Score:1)
Apple should start giving a shit about something besides hardware for but a moment.
They do, in the form of animated turd emojis.
All Millennial-developed software has become shit. (Score:2, Informative)
I think this is a much broader problem. This isn't just about Apple. This is about almost all software today that has been developed by Millennial (some people use the term "Hipster") developers.
Millennials have been in the industry for about 10 years now, and these past 10 years have been some of the worst in terms of software quality.
Just look at the destruction they've left behind them. Windows 8, 8.1 and 10. GNOME 3. Firefox 4 and later. Systemd. Wayland. Slashdot Beta. NoSQL. The list goes on and on.
Th
Re: (Score:2)
TL;DR
The last generation of programmers are too focused on the shiny.
Re: (Score:2)
That's a really bad summary. Yes, part of the problem is that Hipsters care too much about looks. But you ignored the other serious problems that the GP mentioned:
1) Hipsters go out of their way to be ignorant. They don't want to learn about security, so we get atrocious security flaws in the software they write. They don't want to learn SQL, so we get atrocious NoSQL databases to deal with. They don't want to learn about how their users use software, so we get awful UIs. They don't want to learn C++, so we
Re: (Score:2)
First, you're wrong. Windows 95 was very simple compared to modern versions of Windows. There's always cutting-edge work going on. Modern versions of Windows would scoff at the attacks available in the late 90s, and a 90s OS would be totally pwned today.
Second, the educators, who are usually not m
Re: (Score:2)
The Wikipedia page on gedit lists Paolo Maggi as the top person involved. Maggi got his Ph.D. in 2002, and is hence not a millennial. If you dislike modern interfaces, blame Generation X.
There's a lot of crap out there by millennials. There's a lot of crap out there by Gen Xers. There's a lot of crap out there by Boomers.
You know? I'm going to blame this crap on Generation X, since it's usually Gen X that makes the bad decisions.
Re: (Score:2)
You're blaming the wrong people. Millennials didn't give the go-ahead for Windows 8; that decision was made by considerably older people. Millennials implemented a lot of it, but they were working to somebody else's stupid ideas and inane specs. If they'd have tried to give it a decent UI, they'd have been fired.
Systemd? Lennart Poettering was born in 1980, and that's generally considered to be the previous generation.
They're focused on aesthetics and trendiness? Do you know one consistent thing a
Re: (Score:2, Insightful)
I'm sorry... Apple's hardware is the GOOD bit?
Fuck...
Re: Maybe... just maybe. (Score:5, Insightful)
It *used* to be. Now their hardware is nothing more than a gratuitously expensive appliance.
If I could easily run OSX on non-apple hardware, I'd do it in a heartbeat. (And when I say run, I mean perfectly, flawlessly, without something not working right)
I'm still using a 2010 MBP because every version they put out afterward is more and more annoying. Can't replace the battery. Can't replace storage. Can't replace ram. Now you don't even get a USB 3 or HDMI port. It's offensive.
They claim that it's "future proofing" the machine. That's nothing but a lie to mask their efforts to gouge the crap out of people on dongles.
Re: Maybe... just maybe. (Score:5, Interesting)
Even OS X has gone from great to "meh". I don't see many companies bothering to write Mac specific games. macOS is the only mainstream OS with no iSCSI capability. Apple is sitting on a ton of cash, they might as well throw a bit to make macOS a generation or two ahead of the pack. A few ideas that Apple can do:
1: Things like hierarchical storage volumes, where when accessing a file, macOS will fetch it, or prompt you to connect the media (external HDD, CD, etc.) so it can access it. That way, you can store documents locally, have them get moved to iCloud, and transparently backed up to Time Machine, as well as a third party cloud provider (Amazon S3, Wasabi, Backblaze, etc.) It handles where the files and their backups are and warns the user if backups are not accessible... the user just accesses them through a volume. Security/encryption can be done at a file/folder level, so files can be easily shared or secured.
2: Better enterprise-tier management, as in being able to be managed via GPOs. Companies would move to Macs en masse if they could be managed as easily as the Windows desktops.
3: Better remote access, perhaps bring Back to my Mac up to par with LogMeIn or TeamViewer, with two-factor authentication, as well as optional authentication to the machine.
4: The ability to virtualize macOS for VDI systems.
5: The XServe back, with a built in hypervisor and license. It would be nice if it were bundled with ESXi, to help with item #4.
Apple has so much cash, it is surprising that they haven't just tossed some man-hours into keeping well ahead of their competition with their products.
Re: (Score:3)
I hate that Slashdot doesn't let you mod in the same thread you posted in. I'd totally give this a +1. I agree entirely.
The only saving grace is that they haven't fucked up Mac OS as badly as Microsoft has fucked up Windows.
Although apparently you *can* have multiple users log in remotely to a single computer, VDI style. The problem is that they use some variation of VNC so you're trapped in the resolution of the physical monitor. Apparently some company tried to put out an RDP server for OSX but Apple sh
Re: (Score:2)
JAMF Pro is a nice utility... but, boy, it is not cheap. IMHO, this functionality should be part of the OS. The "server app" is also something that needs revisiting. In the real world, other than MDM capabilities, something like LANrev/JAMF shouldn't be required.
PXE/NetBoot is also important. Maybe some way to have the machine grab code from a local server rather than Apple when there is no usable software on the drive, and one doesn't have a USB flash drive ready.
Re: (Score:2)
Not going to happen. The advantage of running OSX on Apple hardware is that that's what it's designed to run on. There's no reason why it should have what it needs to run on a Dell or a homebuilt.
Re: (Score:2)
Correct.
I manage several hundred of them, however.
Re: Maybe... just maybe. (Score:2)
Absolutely! Every PC laptop has a direct PCI ssd that can read at 3GB/s and has 4 40Gb external connections that can also drive multiple 4K displays. /s
Re: (Score:2)
commodity PC hardware
Except the trackpad. And the logic board is custom-designed, like all laptops are, so sure, it's made of PC parts, but that's because it's an intel-based personal computer, so exactly how else you'd like them to make it is hard to understand.
And the keyboard, which is also custom-built, and so nice that many actual PC laptops copy its design. And the hinge, which actually feels solid, and that magnet-closed lid, which has also been very widely copied, and is perfectly engineered.
Often I hear the complaint t
Re: (Score:2)
That's a lot less true of the iPhone. Apple designs the CPU for that, and does a pretty good job.
Re: (Score:2)
I think in terms of software Apple is a victim of its own success.
iOS is nearly the same as it was back in the original iPhone, sure we got a lot of new stuff in it, but it is based on what was popular. If Apple risked Thinking Differently, then their product may scare off customers.
If the iPhone wasn't as popular of a device I expect to see a lot more changes in the iPhone and iOS devices, as well in OS X.
Apple's biggest changes in its OS were from 1999 - 2005 where Apple was nearly dead, and Microsoft was
Re: (Score:2)
iOS is nearly the same as it was back in the original iPhone
It looks a bit similar. It is very, very far from 'nearly the same' in every other respect.
Re: (Score:3)
It's embarrassing for ./ really. The Content-Type header says "charset=utf-8". And they could have easily fixed the form with a slight tweak to ./'s HTML. Example: <form action="//apple.slashdot.org/comments.pl" method="post" accept-charset="ISO-8859-1">
Re:It tells Mac fanboys right (Score:4, Interesting)
Well, other than this one, how many other viruses or gross hacks were there in the past 15 years?
I can remember only 3 or 4 major ones during this time. The rest were on par with the normal security fixes that everyone puts out, mostly getting access to stuff as a user already logged into the system.
Re:It tells Mac fanboys right (Score:5, Informative)
The blank root password attack is only a local privesc in the default config too...
It works over screen sharing, but that's not enabled by default.
It doesn't seem to work on the local login screen, at least on the machine i've tried (plus by default the local login screen shows you a list of users and doesn't let you type a username).
To exploit on a default system you need to have local access to an unprivileged user account, and from there you can get root.
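The comment above narrows the exposure to two things an administrator can actually check on a fleet: whether the root record is disabled or carries a password (the check an earlier comment in this thread suggests automating), and whether the fix is installed. The script below is an added example for this page, not Apple's tooling and not code from the thread. It assumes the text format of `dscl . -read /Users/root AuthenticationAuthority` (a single `AuthenticationAuthority: <tokens>` line in which `;DisabledUser;` marks a disabled account and `;ShadowHash;` a stored hash, or a `No such key` message when the attribute is absent) and assumes that 10.13.1 with Security Update 2017-001 applied reports build `17B1002`; both are assumptions, and the `assess` verdict strings are the example's own. The parsing functions are pure so the offline run uses a constructed record.

```python
"""Audit checks for the conditions discussed in the thread: whether the local
root record is disabled or carries a password hash, and whether the installed
10.13.1 build is the one Security Update 2017-001 leaves behind.

Added example for this page; not Apple's tooling and not code from the
thread.  Assumptions not stated on the page: the text format of
`dscl . -read /Users/root AuthenticationAuthority` (a single
"AuthenticationAuthority: <tokens>" line where ";DisabledUser;" marks a
disabled account and ";ShadowHash;" a stored hash, or "No such key: ..."
when the attribute is absent), and that patched 10.13.1 reports 17B1002.
"""
import platform
import re
import subprocess
from typing import Dict, List, Tuple

PATCHED_BUILD_10_13_1 = "17B1002"  # assumption: build after Security Update 2017-001

_BUILD_RE = re.compile(r"^(\d+)([A-Z])(\d+)[a-z]?$")


def classify_root_record(dscl_output: str) -> str:
    """Classify the AuthenticationAuthority line of a user record.

    Returns one of:
      'disabled'               -> ;DisabledUser; present (the safe state for root)
      'enabled-with-password'  -> ;ShadowHash; present and not disabled
      'enabled-no-password'    -> attribute present but neither token
      'no-attribute'           -> no such key / empty output
    """
    text = dscl_output.strip()
    if not text or text.startswith("No such key") or "AuthenticationAuthority" not in text:
        return "no-attribute"
    tokens = text.split(":", 1)[1]
    if ";DisabledUser;" in tokens:
        return "disabled"
    if ";ShadowHash;" in tokens:
        return "enabled-with-password"
    return "enabled-no-password"


def parse_build(build: str) -> Tuple[int, str, int]:
    """Split a Darwin build string such as 17B1002 into comparable parts."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return int(m.group(1)), m.group(2), int(m.group(3))


def build_at_least(build: str, minimum: str) -> bool:
    """True when `build` is the same as or newer than `minimum`."""
    return parse_build(build) >= parse_build(minimum)


def assess(root_record: str, product_version: str, build: str) -> Dict[str, str]:
    """Combine both checks into a verdict; update status is only known for 10.13.1."""
    state = classify_root_record(root_record)
    verdict: Dict[str, str] = {"root_account": state, "build": build.strip()}
    if product_version.strip() == "10.13.1":
        verdict["security_update_2017_001"] = (
            "installed" if build_at_least(build, PATCHED_BUILD_10_13_1) else "MISSING")
    else:
        verdict["security_update_2017_001"] = "unknown (patched build differs for other versions)"
    if state in ("enabled-no-password", "no-attribute"):
        verdict["action"] = "set a root password or disable root (Apple's workaround)"
    elif state == "enabled-with-password":
        verdict["action"] = "root is usable; confirm that is intended"
    else:
        verdict["action"] = "none"
    return verdict


def _run(cmd: List[str]) -> str:
    p = subprocess.run(cmd, capture_output=True, text=True)
    return (p.stdout + p.stderr).strip()


def main() -> None:
    if platform.system() != "Darwin":
        # Offline demonstration on a constructed record, not real dscl output.
        print(assess("AuthenticationAuthority: ;DisabledUser;", "10.13.1", "17B48"))
        return
    record = _run(["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"])
    print(assess(record, _run(["sw_vers", "-productVersion"]), _run(["sw_vers", "-buildVersion"])))


if __name__ == "__main__":
    main()
```

Run it as an ordinary user; reading `AuthenticationAuthority` does not need root. A record that reports `disabled` on a patched build is the state to expect on a default install; `enabled-with-password` after the incident is worth a second look, since the comments further down describe an attacker setting a root password to keep access.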
Re: (Score:2)
The blank root password attack is only a local privesc in the default config too...
It works over screen sharing, but that's not enabled by default.
It doesn't seem to work on the local login screen, at least on the machine i've tried (plus by default the local login screen shows you a list of users and doesn't let you type a username).
To exploit on a default system you need to have local access to an unprivileged user account, and from there you can get root.
Mod Parent Informative...
Re: (Score:3)
To exploit on a default system you need to have local access to an unprivileged user account, and from there you can get root.
It's not like that's a minor issue, though. People always go, "Well if you have physical access to the machine, anything goes..." But imagine this scenario: You hate somebody at work and they walk away from their Mac without putting it to sleep. You walk over, gain root access, AND set a password for the root account. So now, even if the machine is put to sleep or switched off, you still have access to it.
Re: (Score:2)
So leaving a logged in session is dangerous, and this bug makes the existing dangerous behaviour a bit worse...
Re: (Score:2)
So, I hate someone at work and they walk away from their patched Mac. I walk over and delete their user files or send an embarrassing email to their entire distribution list of something. Having physical access to the machine with an account logged in is never a minor issue.
Re: (Score:2)
"To exploit on a default system you need to have local access to an unprivileged user account"
You just described every single Mac in use at a corporation, school, and government office. Not to mention a double-digit percentage of home users. I can't even begin to tell you the number of iPhone users that don't have an AppleID. The unwashed masses don't care about security and want the least difficult barrier to using a device which means not creating an AppleID on anything they own.
Re: (Score:2)
Yes, assuming those Macs have been upgraded to High Sierra... Although in mitigation, High Sierra is quite new and schools don't generally upgrade systems right away so I imagine the actual number of systems affected by this to be pretty small.
The biggest risk with any vulnerability is against default setups, as users are more likely to be unaware. If someone has gone to the effort of changing the defaults then they will be more aware of how things are set up. This vulnerability is also not exploitable if y
Re: (Score:2)
Didn't work for me..
By default i was shown a list of users and nowhere to type "root", upon changing that setting it still didn't work.
Also this assumes the system is already booted, or not using disk encryption... If the disk is encrypted you can't login as root to the pre-boot auth screen and therefore can't boot the system. If disk encryption is not in use you can just boot from USB, mount the disk and insert your own password or backdoors anyway.
Re: (Score:2)
It's not really worth arguing about. Anything can get "viruses" or "get hacked", especially when a lot of those "viruses" are trojans and a lot of "hacks" are social engineering.
Macs are pretty solid. They have problems too. Why can't we just get over these petty arguments and stop feeding the trolls?
Re: (Score:2)
Rootpipe (an actual privilege escalation) - the issue with this one was Apple only patched it on the latest greatest OS at the time, but all the other OS's got patched 6 months after a lot of complaining by some seriously smart security experts.
Apple really doesn't take security all that seriously. Biggest example - show me on Apple's website what OS's are supported and which OS's are end of life?
Re: (Score:2)
It depends on the situation. Since AFAIK it requires physical access to the computer, it wasn't really a problem for people with home computers. For people traveling with laptops, or workplaces with Macs, it was a huge security problem.
Re: (Score:3)
It depends on the situation. Since AFAIK it requires physical access to the computer, it wasn't really a problem for people with home computers. For people traveling with laptops, or workplaces with Macs, it was a huge security problem.
It was exploitable over remote desktop, but not over SSH. So, depending on how you have your computer configured, it may have been remotely exploitable (assuming VPN or local network connection, or an insecure router/firewall configuration)
Re: (Score:2)
This just isn't a bug you accidentally introduce into a properly designed auth system. That means either someone was acting maliciously, or the system was designed with extreme incompetence. Since we're talking about Apple, I don't think many fanbois will accept
Re: (Score:2)
Instead of writing "MabCook Pro" you might as well just go with "MacTim Pro" or "MathCook Pro".
Re: (Score:2)
I thought it required physical access, as well; then I read reports of people being able to access screen sharing and AFP shares using this method. I don't have a system running High Sierra to be able to verify those claims, but it seems plausible.
This just isn't a bug you accidentally introduce into a properly designed auth system. That means either someone was acting maliciously, or the system was designed with extreme incompetence. Since we're talking about Apple, I don't think many fanbois will accept the incompetence explanation, so we'll go with malice to avoid triggering them. Since they allow Apple to maliciously empty their wallets, they seem to be okay with malice... ... ... I write as I check the shipping status of my new MabCook Pro.
But, then, I'm a user, not a fanboi -- and I placed the order before this was made public.
What's the big deal?
Apple already published a simple workaround, which will completely fix the issue until a properly-tested update can be released. (Note: Yesterday's article had a link to an Apple Knowledge Base Article on how to fix the bug temporarily; but now that the Update has been released, MacRumors edited that out of their article, so here's what's left of the original workaround).
https://www.macrumors.com/how-... [macrumors.com]
And in fact, here is the REAL Update:
https://www.macrumors.com/2017... [macrumors.com]
Less than 24 ho
Re: (Score:2)
Your negative assessment is only accurate as far as it goes. If the Slashdot moderation were not so borken (sic), that could explain your lack of an "insightful" mod, though I'd prefer to think it was your omission of the positive side (in the fantasy context of good moderation). I think your missing keyword is "priority", as in security is not a high (or high enough) priority at Apple because something else is. That something else is profit, as summarized in my earlier reply.
Re: (Score:2)
If the Slashdot moderation were not so borken (sic), that could explain your lack of an "insightful" mod
Moderation doesn't matter: karma is just a number on a server somewhere.
I think your missing keyword is "priority", as in security is not a high (or high enough) priority at Apple because something else is.
If Apple puts more priority on security, there are a lot of things they can do (for example, do managers include time in their sprints for the programmers to think about security?)
The reality is though, even if you have really nice processes, if the people writing the code don't care about security, then you'll end up with bugs like this. You can make process requirements that every line of code has a unit test, but then you will get
Re: (Score:2)
Went back to check your original comment. Rather than receive the positive moderation you might deserve, I see that you have received undeserved and meaningless negative moderation. I am certainly not defending either the quality of the moderation or the way it is implemented. However, I think it could be improved. VAST room for improvement. You mentioned karma, which should be part of such improvements. There's a natural symmetry there that is lost in the current approach.
Not sure about the longer second p
Re: (Score:2)
It's not even just that - High Sierra is a mess. I have software crashing on me that never crashed before. For example Preview crashes when I try to open certain PDF files. Or it will crash if I try to rotate an image. I have a brand new Macbook Pro with the touch bar, and it honestly feels like a lemon! That's how bad it is. The display will glitch a lot (display driver bugs?), copying files from an external drive to the internal SSD will cause the machine to freeze and prevent you from doing any work (APF