2017-11-29 Apple To Review Software Practices After Patching Serious Mac Bug (reuters.com)
Apple said on Wednesday it would review its software development process after scrambling to patch a serious bug it learned of on Tuesday in its macOS operating system for desktop and laptop computers. From a report: "We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused," Apple said in a statement. "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."
I don't think they can do that. If anyone can download and compile the MacOS source code, and tweak it to run on different computers, Apple's hardware sales will go down the drain.
Yes, it would get rid of a lot of bugs. But it would also get rid of Apple itself. I'm not saying that would be a bad thing, just that it would be monumentally stupid.
Also the Darwin kernel, i.e. BSD on Mach, is already open source. Even though BSD is BSD not GPL licensed and they'd be legally allowed to keep their very extensive changes secret, Apple still release their changes
https://opensource.apple.com/s... [apple.com]
They don't release all the kernel mode code though - e.g. they don't release the source code to "Dont Steal Mac OS X.kext"
http://www.osxbook.com/book/bo... [osxbook.com]
They also don't release the source code for the user mode stuff, but then they don't have to.
And it seems like
Do you really think there's that much demand for MacOS these days? Back in the day when Windows was utter crap and MacOS had features Windows didn't, sure, there was a market for cheap MacOS clones. But these days, people buy Mac's mostly because they're Apple people, or perceive it as some kind of status thing.
Anybody interested enough to make a MacOS build for generic hardware is already using Linux - or can get by quite well on Windows these days. I'd bet that at this point there's more of a market fo
I could argue the other way around.
For a smaller company, having your code open source allows for more eyes on the software than what a small company can afford. While the biggest companies can hire a lot of people to check and review the code.
If your program such as OS X is very popular and had a lot of features that competitors would love to see how they approached a problem, having it Open source could lead to a lot of excessive copying if not the code directly, duplicating the idea and specifications.
I translated it as: this was a known issue to the underlings, however it never was allowed to be addressed by the middle managers, or this problem was a very hard-to-spot problem (probably some debug code that didn't get removed) that was allowed to get released.
However compared to other companies, at least Apple is publicly admitting the problem. While some companies may patch the problem, but not state any details about it.
Exactly!
I'm curious what companies patch the problem and not state any details about it? I've always seen MS and Linux distros provide very concise details about exploits and the fixes for them.
And provides a link to a KB article with all the details... Of course they don't give you all the gory details right in the windows update window.
You mean put in a sack and beat with a stick?
We apologise again for the fault in the post above. Those responsible for sacking the people who have just been sacked have been sacked.
Mynd you, moose bites Kan be pretty nasti...
Well other then this one, how many other viruses or gross hacks were there in the past 15 years?
I can remember only 3 or 4 major ones during this time. The rest were on par with the normal security fixes that everyone puts out, mostly getting access to stuff as a user already logged into the system.
The blank root password attack is only a local privesc in the default config too...
It works over screen sharing, but that's not enabled by default.
It doesn't seem to work on the local login screen, at least on the machine I've tried (plus by default the local login screen shows you a list of users and doesn't let you type a username).
To exploit on a default system you need to have local access to an unprivileged user account, and from there you can get root.
Mod Parent Informative...
So basically every Mac in every school where students use a generic login.
To exploit on a default system you need to have local access to an unprivileged user account, and from there you can get root.
It's not like that's a minor issue, though. People always go, "Well if you have physical access to the machine, anything goes..." But imagine this scenario: You hate somebody at work and they walk away from their Mac without putting it to sleep. You walk over, gain root access, AND set a password for the root account. So now, even if the machine is put to sleep or switched off, you still have access to it.
So leaving a logged in session is dangerous, and this bug makes the existing dangerous behaviour a bit worse...
It's not really worth arguing about. Anything can get "viruses" or "get hacked", especially when a lot of those "viruses" are trojans and a lot of "hacks" are social engineering.
Macs are pretty solid. They have problems too. Why can't we just get over these petty arguments and stop feeding the trolls?
Holy shit (Score:5, Insightful)
Not a Mac fan, but this is the most honest, respectable response to a mistake I've seen from a corporation in a long time.
Props, Apple.
Talk is cheap. Let's see what the audit finds. And why did previous audits fail to find the flaw?
Has systemd ever been fully audited?
Unless you're talking about OpenBSD, open source projects really aren't any better when it comes to being audited.
The Heartbleed and Shellshock bugs actually show that the opposite is true - it's common for widely used open source projects to have serious security flaws that go undetected for years, despite their code being in plain sight.
They're not auditing the code. They're auditing the process, to find the root cause as to why the software flaw wasn't detected.
Talk is cheap. Let's see what the audit finds. And why did previous audits fail to find the flaw?
Because it requires a specific, multi-step process to trigger.
Given the perceived ineptitude required to create the problem, it's kind of the only response they can offer. Looking at their track record, Apple is probably the worst of the big three (OS X/Windows/Linux) in addressing security issues. That said, that still puts them way ahead of most application developers.
Citation needed.
But Apple will NOT let you talk about such things (Score:2, Insightful)
Apple's response is just PR-driven BS, and your comment does NOT deserve the "insightful" moderation the shills and sakura gave it. The only insight from your comment is that you have minimal contact with Apple.
Try and honestly criticize Apple in an Apple-controlled venue and you will find out what total lack of respect means in a profit-dominated context. For example, if you had tried to describe this rather horrendous security problem and gotten too negative, I predict you would have found your comment blocked. Based on my years of experiences involving a MacBook Pro (which I still use on a daily basis for certain tasks), I actually think Apple has automated the censorship using sentiment analysis of the draft comment. Or perhaps it's profile-driven by the secret dossiers they have on each of us?
I could write a more substantive response on the topic, but here on Slashdot such a comment would merely be shouted down by pro-Apple fanbois with mod points to burn. Not worth the time, though I will donate a few seconds for a rerun of the capsule version:
Capitalism and communism are dead. Our new religion is corporate cancerism. There is no gawd but profit, and Apple is gawd's chief prophet.
Why use so many words? You could have packaged all that into a single sentence:
Blasphemy!! Summon the Holy Inquisition !! BUUUUUUURN THE HERETIC!!!
As with most things, there's not a lot of substance behind it - where's the offer of compensation etc?
Really? I felt it was regular corporate-speak..
As with most things, there's not a lot of substance behind it - where's the offer of compensation etc?
Compensation for what, exactly?
Not a Mac fan, but this is the most honest, respectable response to a mistake I've seen from a corporation in a long time.
Props, Apple.
I agree.
I'll save my judgement until we see an end to issues like this or "goto fail" after a few years. It was the correct response, but it's easy to say anything that you think people want to hear.
Do you think Apple even does integration or regression testing? I can't imagine "goto fail" would have slipped past if they were, because that's about the most basic "is the functionality working" test you'd start with. That seems like a good place to start.
Sorry to disagree, but if your system has a 'deactivated root account' and you can still log on to it, that is probably the last thing anyone is considering testing, especially in a regression test.
When and how and why did such a vulnerability get introduced? How often do you want your test(er) to click the unlock button?
Hold That Software (Score:2, Funny)
Allowing root access without a password? (Score:2, Funny)
It depends on the situation. Since AFAIK it requires physical access to the computer, it wasn't really a problem for people with home computers. For people traveling with laptops, or workplaces with Macs, it was a huge security problem.
It was exploitable over remote desktop, but not over SSH. So, depending on how you have your computer configured, it may have been remotely exploitable (assuming VPN or local network connection, or an insecure router/firewall configuration)
This just isn't a bug you accidentally introduce into a properly designed auth system. That means either someone was acting maliciously, or the system was designed with extreme incompetence. Since we're talking about Apple, I don't think many fanbois will accept
Instead of writing "MabCook Pro" you might as well just go with "MacTim Pro" or "MathCook Pro".
Re: (Score:2)
I thought it required physical access, as well; then I read reports of people being able to access screen sharing and AFP shares using this method. I don't have a system running High Sierra to be able to verify those claims, but it seems plausible.
This just isn't a bug you accidentally introduce into a properly designed auth system. That means either someone was acting maliciously, or the system was designed with extreme incompetence. Since we're talking about Apple, I don't think many fanbois will accept the incompetence explanation, so we'll go with malice to avoid triggering them. Since they allow Apple to maliciously empty their wallets, they seem to be okay with malice...
... ... I write as I check the shipping status of my new MabCook Pro.
But, then, I'm a user, not a fanboi -- and I placed the order before this was made public.
What's the big deal?
Apple already published a simple workaround, which will completely fix the issue until a properly-tested update can be released. (Note: Yesterday's article had a link to an Apple Knowledge Base Article on how to fix the bug temporarily; but now that the Update has been released, MacRumors edited that out of their article, so here's what's left of the original workaround).
https://www.macrumors.com/how-... [macrumors.com]
And in fact, here is the REAL Update:
https://www.macrumors.com/2017... [macrumors.com]
Less than 24 ho
This was a known "feature" (Score:3)
This was posted as recently as November 13, as a "solution" to an issue of not having an administrative account: https://forums.developer.apple... [apple.com]
All bugs are also features. (Score:2)
Your negative assessment is only accurate as far as it goes. If the Slashdot moderation were not so borken (sic), that could explain your lack of an "insightful" mod, though I'd prefer to think it was your omission of the positive side (in the fantasy context of good moderation). I think your missing keyword is "priority", as in security is not a high (or high enough) priority at Apple because something else is. That something else is profit, as summarized in my earlier reply.
If the Slashdot moderation were not so borken (sic), that could explain your lack of an "insightful" mod
Moderation doesn't matter: karma is just a number on a server somewhere.
I think your missing keyword is "priority", as in security is not a high (or high enough) priority at Apple because something else is.
If Apple puts more priority on security, there are a lot of things they can do (for example, do managers include time in their sprints for the programmers to think about security?)
The reality is though, even if you have really nice processes, if the people writing the code don't care about security, then you'll end up with bugs like this. You can make process requirements that every line of code has a unit test, but then you will get
It isn't even just security bugs like this... (Score:5, Interesting)
There's all kinds of cosmetic and usability bugs floating around, and Apple doesn't seem to be in a hurry to fix them. They're the kind of bugs that aren't showstoppers but are still very annoying or can result in bad data.
The Calculator bug in iOS is one example of a recent bug that can produce bad data and wasn't fixed. Until iOS 11.2 (which isn't out yet!) even though it was reported way back in 11.0 beta, before the OS was released to the public.
Another recent issue, though less important, is that the Weather widget will randomly stop updating, so you'll be seeing last night's weather instead of right now. This bug was also reported several versions ago and is as of yet unfixed in the latest 11.2 beta.
I know bugs happen; nobody is perfect. But these are obvious, reproducible bugs that are not being fixed after being reported months prior. What the hell, Apple?
Oooh, how horrible!
A UI bug in the free Calculator App, and an Update bug in the Weather Widget?
Seriously?
Now, let's compare that against Windows and Linux, shall we?
My big gripe is that they fail to acknowledge bugs as such: their miserable implementation of SMB, and eliminating FTP and Telnet clients are my two biggest gripes. They are really burning bridges with this crap.
Yeah, I agree. I don't think it's really an Apple problem, which is why I think they can get a away with it, but a more general "developer" problem. A lot of developers seem to spend endless amounts of time trying to develop new cool features, or else shuffling the UI around, but they don't actually fix some of the very real and fundamental problems that people have.
Working in IT, it's just endless. There are tons and tons of problems with every product that I deal with where it's needlessly complicated
True enterprise level bugs (Score:1)
True enterprise level bugs, only from Apple
True enterprise level bugs, only from Apple
Oh, really?
Wanna check out some Windows and Linux bug-lists?
Think Differently about it (Score:2)
Give 'em a break, they've only been developing software for 40 years
Auditing is the first step (Score:2)
Now dump the thin is king hardware devs! (Score:3)
Now dump the thin is king hardware devs! and get some real workstations. IMAC pro no ram door come on it's not that hard!
and pay comcrap $10 per 50G in overages. if you have cell then $10/GIG and upto $15-$20/meg roaming.
Maybe this will take hold elsewhere? (Score:2)
I totally agree that waterfall planning for software doesn't make sense, but IMO neither does Features Features Features, 10 deploys a day, release now/patch later, and all the other things we've gotten as the pendulum shifted all the way to the other side. I'm on the Windows side of the fence and it's been an interesting couple of years watching them run through release release release and gradually slow it down a bit as they see quality dropping.
Operating system or application code, running on machines pe
Maybe they'll fix IOS Appleid popup as well... (Score:3)
IOS has a "feature" that the OS pops up a request for your Apple ID credentials at random times. Open Pandora and you'll get a popup. Open pretty much anything and the popup appears. There's no provenance to the pop up so you don't know what part of OS is asking for the credentials or why. Backup works without answering the request as you can be signed into iCloud and still get the pop up.
My response is to dismiss the pop up and continue with what I'm doing but it's a PITA. A naive user will enter their credentials in the hope the "feature" is mollified which it sometimes isn't.
The correct way for IOS to ask for the credential is for the popup to say "Open Settings/icloud (or whatever) and enter your AppleID." Settings would second the request by posting a little icon indicating there's a response pending ala a text message. An animation within settings would guide the forgetful user if the path is more than one level deep in settings so they'd navigate to the proper IOS setting to satisfy the pop up. The point of all that is you know you're talking to Settings when you provide credentials.
The current scheme is ripe for an app to steal your Apple ID. Write an app that does something kind of useful, wait for the 10th, 20th, run and pop an identical pop up that looks just like the OS popup. The user can't tell if it's the app or IOS asking and enters their credentials. Voila, you have access to the user's Apple ID. A little more elided hacking will circumvent 2 factor if it's enabled.
Too much water has gone under the bridge that I guess an obvious attack is new again.
Kindergarten? (Score:1)
It's embarrassing for
./ really. The Content-Type header says "charset=utf-8". And they could have easily fixed the form with a slight tweak to ./'s HTML. Example: <form action="//apple.slashdot.org/comments.pl" method="post" accept-charset="ISO-8859-1">
TL;DR
The last generation of programmers are too focused on the shiny.
That's a really bad summary. Yes, part of the problem is that Hipsters care too much about looks. But you ignored the other serious problems that the GP mentioned:
1) Hipsters go out of their way to be ignorant. They don't want to learn about security, so we get atrocious security flaws in the software they write. They don't want to learn SQL, so we get atrocious NoSQL databases to deal with. They don't want to learn about how their users use software, so we get awful UIs. They don't want to learn C++, so we
While you're on the money about the fact there's a specific subculture that is regressive and counter-productive to software quality that is apparently belligerently persisting to fight against industry best practices, should we really be using the word "Hipster" as a label for them? Don't get me wrong, I've got no special love for "Hipsters", and all their tight-pants flannel-wearing beard-sporting shenanigans, but I'm not sure they actually have anything to do with this. As far as I can tell it seems to be
Re: (Score:2)
Did you even read the GP comment? It covers that very clearly:
When you're doing cutting edge work, you'll make cutting edge mistake
I'm sorry... Apple's hardware is the GOOD bit?
Fuck...
It *used* to be. Now their hardware is nothing more than a gratuitously expensive appliance.
If I could easily run OSX on non-apple hardware, I'd do it in a heartbeat. (And when I say run, I mean perfectly, flawlessly, without something not working right)
I'm still using a 2010 MBP because every version they put out afterward is more and more annoying. Can't replace the battery. Can't replace storage. Can't replace ram. Now you don't even get a USB 3 or HDMI port. It's offensive.
They claim that it's "fu
Correct.
I manage several hundred of them, however.
I think in terms of software Apple is a victim of its own success.
iOS is nearly the same as it was back in the original iPhone; sure, we got a lot of new stuff in it, but it is based on what was popular. If Apple risked Thinking Differently, then their product may scare off customers.
If the iPhone wasn't as popular of a device I'd expect to see a lot more changes in the iPhone and iOS devices, as well as in OS X.
Apple's biggest changes in its OS were from 1999 - 2005 where Apple was nearly dead, and Microsoft was