Two Black Hat Talks On Apple Security Cancelled

An anonymous reader writes "Two separate Apple security talks have been nixed at the last minute from next week's Black Hat security conference in Las Vegas. The Washington Post's Security Fix blog reports that Apple researcher Charles Edge was to present on flaws in Apple's FileVault encryption plan, but asked Black Hat to cancel the talk, citing confidentiality agreements with Apple. Then on Friday, Apple pulled its security engineering team out of a planned public discussion on the company's security practices — which would have been a first for Apple. 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

Marketing?

[KDR_11k]

Sounds like the marketing policy is "pretend there are no security issues". Hey, it seems to work.

Re:Marketing?

[Bloodhound+Alpha]

The Marketing policy, not the company's policy. Obviously the company releases patches, but marketing, in relation to the public, pretends there are no issues. Quite a difference really.

Re:Marketing?

[mikael_j]

Sounds like just about every large ISP I've had the "pleasure" of working with. A small ISP's president will go issue a press release saying "Lightning took out two of our DSLAMs last night but it will be fixed ASAP", they'll most likely also record an automated message informing customers calling tech support about this. A large ISP OTOH will most likely keep quiet as long as possible, then issue a small notice on their website stating "Some of our customers are currently experiencing technical difficulties, our intarweb experts are investigating the problem and hope to have it fixed soon" and no information to customers calling tech support other than "There are 173 customers ahead of you, the wait time is 2 hours and 12 minutes".

/Mikael

Re:Marketing?

[catmistake]

well, not that I'm in love with it, but maybe its "we'll cross that bridge when we come to it."

Re:Marketing?

[sqlrob]

Or releasing patches that don't fix what they say they fix? Could've sworn I've seen that somewhere with some company recently

Re:Marketing?

[fortyonejb]

It's somewhat of a sad fact that this has been considered as fair and normal practice in the industry. Maybe because no real "safety" issues can be dragged into the mess, people who are not in the know simply do not care.

Just to make sure i'm /. approved, lets use the highly venerated auto industry. When product issues come up, auto makers must make their shortcomings public, and even issue recalls to fix said problems.

Just because my PC doesn't explode when hit from the rear, doesn't mean the shortcomings are any less valid. While of course marketing does not want anyone to know anything bad could ever happen with a Mac, it would be better for the company and its clients to have a more open dialog. Pretending there are no holes does not fill them.

Re:Marketing?

Fools go bananas about apple BECOZ OMG IT SO SAEF!111

Re:Marketing?

[falcon5768]

Well the issue is from a marketing perspective it DOES look bad, but from USER perspective it looks good, but only to those of us in the industry who care, which is NOT who marketing is going after.

Re:Marketing?

[billcopc]

When product issues come up, auto makers must make their shortcomings public

Um, no. Recalls are a business strategy like any other. The lawyers sit down with the accountants, figure out total costs for a recall and a class-action lawsuit, and pick the cheaper of the two.

You'd be shocked to find out how often the lawsuit actually ends up cheaper. That's largely because class-action settlements have a very narrow scope, and only a small portion of the customer base will actually join the class.

Re:Marketing?

Only when the stories are posted around the world? That too - just half assed?

It's difficult to see what sucks more - company's ridiculous policies or it's fanbois.

Re:Marketing?

[Goaway]

Apple is quiet about everything. This is not a case of Apple trying to cover up security problems, it's merely that Apple talkes about nothing, ever, and that includes security policies.

Re:Marketing?

[Bloodhound+Alpha]

Indeed, that is their strategy. It does serve though, to cover up security problems, and get people used to them acting secretive because, well, they are secretive.

Re:Marketing?

[Achromatic1978]

Shades of MS my ass. Cite, please: "last time MSFT pulled a security talk from a conference".

Idiot.

Re:Marketing?

[Truekaiser]

thats because job's is a egomaniac. any flaw means there was a mistake and egomaniacs think they never make mistakes.

Re:Marketing?

[alex4u2nv]

Its a very good practice to leave holes open for script kiddies.

--
Hide the problem until there's an avalanche in your face?

Re:Marketing?

Just to make sure i'm /. approved, lets use the highly venerated auto industry. When product issues come up, auto makers must make their shortcomings public, and even issue recalls to fix said problems.

Only safety issues. Reliability problems are frequently buried or the affected customers are "bought off" to keep the issue secret.

Re:Marketing?

My dealings with AT&T have been better. They lost connectivity for my local area, and after I entered my phone number they notified me that it was a regional problem and would be fixed in the next 3 days. It was kind of annoying to know that they could only estimate 3 days when I lost both telephone and dsl service, but they fixed it within about 8 hours.

Re:Marketing?

[Leading+Stoker]

When will any of the computer companies understand: what isn't said is just as bad, as what is said?

Hello, Marketing and PR 101??

The very folks who know about security flaws, won't get much more insight in the "how and what", as they already did the probing to find out. But the general public can learn how a company really treats this aspect in their organization. End users r-e-a-l-l-y need to know that such companies do understand that security flaws aren't something to put on the backburner to fix, but to fix them ASAP. Too many wait to release them in the next patch (which could take months to roll out).

Then companies wonder why their slick marketing and PR doesn't help their sales? The sales won't come if a company is so arrogant to protect it's very users from it's own product!

Re:Marketing?

[piltdownman84]

Sounds like my ISP. They never except any blaim. A few months ago my Internet goes out. I call me brother 4 blocks away and his is down as well. I verify with a coworker that his Internet is down as well. I then call tech support wait on hold for thirty minutes. When I ask when Internet will be back in my area they claim everything is fine and try to talk me through the "check your modem, are you using a router? etc.." lines. After trying to explain that the problem isn't just me the tech insists that I unplug my router and do all their silly tests. The tech finally agrees to check for outages in my area is I first try all his tests. I reluctantly agree, and surprise surprise the person on the phone can't solve my problems by direct connecting my computer, unplugging and replugging everything. After all this the person on the phone tells me there isn't any reported outages in my area and I must be wrong. They offer to go through the unplugging and resetting again and if that didn't work they would schedule a tech to come out set me up. At that point I couldn't be polite anymore and said I couldn't waste any more of my time with them. I called my brother and his internet was still down and he had given up on his phone call as soon as they wanted him to test his hardware. My internet came back the next day, and now when my internet goes out I just go to the office if I really need it. Thank God for the lack of any competition.

Re:Marketing?

[assassinator42]

Are you talking about the outage in the Midwest at approximately 1 AM EDT Friday? I'd cite that as an example of an ISP not telling customers the cause of a problem. All I've heard is that it was a regional problem, probably caused by some problems with maintenance. I thought it might have something to do with patching the DNS servers which, according to DoxPara, were vulnerable for quite some time after the exploit surfaced but now appear not to be. They'll never tell us the cause, though.
Unless someone has some information I don't.

Re:Marketing?

[porcupine8]

The question is - do you know this to be true from personal industry experience, or are you just quoting Fight Club?

Re:Marketing?

[mjwx]

The Marketing policy, not the company's policy. Obviously the company releases patches, but marketing, in relation to the public, pretends there are no issues. Quite a difference really.

But all apple does is marketing, the entire company revolves around the impression it creates of its products not the product itself. Put simply, marketing policy is company policy.

Re:Marketing?

This is not a troll it is the truth. Someone cite when the last time MS did shite like this was.

Re:Marketing?

[Poltras]

The question is - do you know this to be true from personal industry experience, or are you just quoting Fight Club?

Damn, you forgot the first rule!

Re:Marketing?

[Rakarra]

The Marketing policy, not the company's policy

You do not understand Apple. They are a marketing-driven company, to the extent that marketing makes the company decisions. You can't push anything through if they refuse to give their blessing.

Re:Marketing?

[ScrewMaster]

'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

I'd say it's more likely that legal got wind of it, not marketing.

Re:Marketing?

[BPPG]

No, that would entail denying and not fixing nor releasing patches. But, Apple do that, you zealous troll.

Why deny something nobody is talking about? And it's not like the security team was going to reveal all of the latest 0 days, they would be talking about stuff like how they learn about 0 days, and their reaction time to exploits, their methods of implementing different patches, policies, priorities, etc;.

Re:Marketing?

[Ilgaz]

With a community like this (yes, I use mac) it will work.

Of course the über trolls and PR on "other side" makes it worse and gives community the much needed false trust. You figure out a very evil security breach on OS X, it has been verified by Apple too but... You give the job to PR team and they come up with "Mp3 virus!!!" stupidness.

How would people trust your alerts (most of are real) later? Or DOS'ing people's default browser via jp2 exploit just to show off? Anyway, I just say we need a really working, mac focused heuristic security solution without stupid PR before OS X/Mac marketshare hits 20%.

Re:Marketing?

[Ilgaz]

It is a stupid thing especially considering OS X updates. Should I social engineer people to get a clue if my Nvidia driver managing to make WindowManager use 40% CPU on any Aqua Progress Bar is updated?

"This issue is fixed in next release", "We will include updated drivers in next release" and even "You are full of crap, there is no such thing" would work.

Re:Marketing?

You have no idea if what you wrote is true or not.

Re:Marketing?

[pha7boy]

that's not trolling (though I would have kept the language more civil). MS is not in the habit of pulling stuff like that, or at least I have not heard of them doing do.

Re:Marketing?

[NateTech]

People don't realize that cheap service comes with no guarantees. Step up to business-class service (from any carrier, or cable company) and get Service Level Agreements in writing -- and you get money back in your pocket every time the line goes down.

Apple Security

1. Cancel Security Talks
2. ???
3. Profit!

Re:Apple Security

[PC+and+Sony+Fanboy]

Profit only goes to the black hat accepting money to shut up, so apple doesn't have to fix things right now.

Re:Apple Security

[dangitman]

It's Apple. Shouldn't that be:

1. Profit!
2. ???
3. There is no step three.

Re:Apple Security

[aliquis]

Unless:

1. Profit!
2. Steve Jobs quit/dies/..
3. ???

Personally I'd be happy with:
1. Flash dies (if not possible Adobe release better flash version for macs.)
2. Apple "get" gaming.
3. Apple sell hardware for a decent price.
4. Apple sell well-speced machines.
5. Apple focus on OS X and not lots of other bullshit.

But maybe that's just me ;)

If nothing of the above would be possible (and it's not very likely to happen) this would work to:
1. The free software desktops gets some commercial quality software in all genres.
2. Nah, I'm done.

Sounds very logic to me.

From a managements and sharehold perspective I think it's quite normal and understandable of Apple creating such a policy.
A self-acclaimed public spokesperson respresenting your company about a subject without prior permission?

You must be a veteran here but new on the job market.

Re:Sounds very logic to me.

[vertinox]

From a managements and sharehold perspective I think it's quite normal and understandable of Apple creating such a policy.

For a term holder then yes, but if you are a long term, then bad PR like this isn't desirable for company image over the course of several years.

Besides, just because you don't disclose the exploit, doesn't mean it goes away.

Re:Sounds very logic to me.

[timmarhy]

as apposed to an exploit (which apple ignores or doesn't look into) turning into the equivalent of the code red worm? brilliant PR work there son.

Re:Sounds very logic to me.

[lostmongoose]

The problem is not that they need permission. The problem is that they need permission from *marketing*. This should be the legal team's job. When you let marketing make these decisions, management (not the engineers, obviously) have effectively said "There are no flaws in our product and if you say there are then we're wrong and we all know we're never wrong."

Re:Sounds very logic to me.

[vague+disclaimer]

**The problem is that they need permission from *marketing*.**

And the evidence that this is the case? The word of some "spokesman" for Black Hat.

Right. That's me convinced!

Re:Sounds very logic to me.

[boyfaceddog]

When you let marketing make these decisions, management (not the engineers, obviously) have effectively said "There are no flaws in our product and if you say there are then we're wrong and we all know we're never wrong."

This is APPLE you are writing about. Apple is a gigantic marketing company wrapped around a very tightly controlled core of engineers. There are pockets of other groups (legal, manufacturing, etc) inside the marketing layer but those too are tightly controlled. Nothing escapes the marketing layer. Nothing.

Not that there's anything wrong with that, mind you.

Re:Sounds very logic to me.

[vague+disclaimer]

Oh please. Show me a source independent of Black Hat then you can mod me anyway you like, until then grow the fuck up.

Re:glowbull warmongering nazis' 'free ride' cancel

[B4light]

tl;dr

too scared

[sylverboss]

Again, this is the perfect example of not admitting that there is a "problem" and willing to fix it ... SB

Shhh, if we don't admit anything

[CrypticSpawn]

I guess, Apple is still very much old school; when it comes to admitting their mistakes. Or they just might believe in security thru obscurity. Either way this move, put them in the lime light even more. Great work marketing. Someone deserves to be fired...

Re:Shhh, if we don't admit anything

[Sancho]

I wish there was an "incomprehensible grammar" mod....

Perceived security through obscurity

...it sounds like. That's "(perceived security) through obscurity", not "perceived (security through obscurity)". Well, mabye that too.

Re:Marketing == American lawyers

[MyLongNickName]

preferred method should be beating to death by a stick.
My guess is you lack the upper body strength to pick up a stick.

definately MS's doing

[timmarhy]

i don't know how, but this is definitely MS's fault. those sneaky pricks at MS have found a way to force apple into using their patented security model.

Re:definately MS's doing

Yeah, because Apple and MS are sooo different. MS is the evil proprietary company, while Apple is just sunshine, open source and ponies.

Re:definately MS's doing

[Tom90deg]

Well, of course! Apple is the underdog. Never mind the fact that is has the number one selling music player, and the market share is increasing, and that iTunes is extremely popular, and people are killing others for a iPhone...

Oh wait. Maybe Apple ISN'T the underdog. Maybe its practices are just the same as any other large company that wants to make a profit. It's no different from any others in that respect, in fact, it may be worse, as people excuse Apple for a lot, as they still think of it as the underdog.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Steve is not impressed

[bxwatso]

This must be bitter sweet for Steve B., since Apple likes to tout that it's software is more secure than Vista. I wonder if Walt Mossberg is taking note of this.

I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much.

Re:Steve is not impressed

[eclectic4]

"This must be bitter sweet for Steve B., since Apple likes to tout that it's software is more secure than Vista. I wonder if Walt Mossberg is taking note of this."

Why? I didn't read anywhere in this article that stated Mac OS X is less secure than Windows... as it would be just plain silly.

"I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much."

You may be right. But it doesn't change the fact that more and more consumers are simply realizing that Apple sucks less than Microsoft in almost every area. But, I can only assume that's what you meant would be the benefit of people "perceiving" Apple as underdogs, as you also didn't state this. Suggesting that being perceived as underdogs would increase sales is, well... also very silly.

Re:Steve is not impressed

So because Apple isn't giving a security talk, their software is somehow less secure than Vista?

Yeah, that makes sense.

Re:Steve is not impressed

[bxwatso]

My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS. In that regard, MS is more proactive. Personally, I find both OS's acceptable regarding security.

I do think that a lot of people are turned off by the size of MS more than the quality of its products. A lot of people want something different to express themselves. Even when Apple truly sucked (and it did), a fair number of people stuck with them presumably to distance themselves from the giant and evil MS.

Re:Steve is not impressed

[azav]

You are absolutely correct. It still sucks, it just sucks less.

I remember the Apple internal code name for their sound manager in or around 1989. It was called Barking Pumpkin and their motto was "it just sucks less."

Re:Steve is not impressed

[Smurf]

My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS.

Probably. But do take into account that the engineers (i.e., the people who actually KNOW the technical details) WANTED to have the discussion.

The decision to cancel it came from marketing, those who don't understand the technical details but are reasonably afraid that someone might pull a rabbit from their hat and make Macs look bad.

Re:Steve is not impressed

[porcupine8]

Not necessarily - if they are more secure than Vista, but less secure than the current public perception, then why would they want to bring public perception of their security down, even if it's still higher than Vista?

Re:Steve is not impressed

[Serious+Callers+Only]

I do think that a lot of people are turned off by the size of MS more than the quality of its products.

Or maybe it's their mediocre products and utter disregard for their customers and partners that turns people off?

Re:Steve is not impressed

[WNight]

Yes, that is the knee-jerk reaction you'd expect from marketing.

The problem is that it's overriding Engineering's attempts to actually improve the product.

Maybe someone should be afraid that a hacker WILL pull a rabbit from his hat, and use it to demonstrate the flaws of their security model. A code-red level worm, now, would be a huge market killer.

Re:Steve is not impressed

[Troglodyt]

When you say "if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS" you're assuming the marketing department are being rational.

Re:Steve is not impressed

[bxwatso]

Fair enough. Marketing is society's solution for what to do with psychopaths and morons.

That being said, I suspect Steve J. made this decision.

Re:Steve is not impressed

[azav]

Oh my god. I'm reporting that the software is not perfect and stating a historical precedent and I'm marked a Troll? You've got to be kidding me.

Re:Steve is not impressed

"...people are turned off by the size of MS more than the quality of its products."

Funny, this is the inverse of what Steve Jobs said in Triumph of the Nerds.
http://www.youtube.com/watch?v=WfALGcDNEDw

Personally, I am turned off by Microsoft's third rate products.

Apple Marketing is the "best".

Apple's marketing is genius.

A few years back, they were talking up how FileVault (home folder encryption) uses AES-128 encryption, implying that it would take longer to crack than the age of the universe.
http://www.apple.com/sg/macosx/features/filevault/

Meanwhile, the password could often be found in plain text on the hard drive in swap files. This was back before encrypting swap was an option.

It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
http://www.apple.com/sg/macosx/features/security/

I guess the default account having root access is sort of an industry standard given Windows. Phrases like "wise architectural decisions" are relative, so not strictly false. I won't touch "intelligent design".

But saying, and I quote, "The Mac OS X administrator account, unlike the Windows admin account, disables access to the core functions of the operating system." is an outright lie (see above "root privilege escalation feature").

Re:Apple Marketing is the "best".

[Dog-Cow]

I've always been prompted for my password when performing admin actions under OS X.

Re:Apple Marketing is the "best".

Trust me, if you are logged in using the out of the box default account which is admin, asking for your password is done merely a courtesy.

Re:Apple Marketing is the "best".

[the+99th+penguin]

It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
http://www.apple.com/sg/macosx/features/security/

I can't see that anywhere in the link you're citing, could you please point out where it says that? To have a proper discussion about things we need facts not unfounded accusations. I don't have any problem believing Apple might have done something like that but I need a proper link.

Re:Apple Marketing is the "best".

The link is poorly placed and points out Apple's claims, and not the vulnerability which is very old and very well known.

Here is a recent but overcomplicated "how to" for abusing the built-in feature that allows you to Get Root on 10.5.4

There are still some Apple-related talks left:

[secmartin]

While it's pretty sad to hear that their security team is not allowed to speak, there are still two talks about Apple products left: Jesse Dâ(TM)Aguannoâ(TM)s talk about rootkits for OS X, and Petko D. Petkov who announced he might provide some details about a 0-day attack against Quicktime.

I haven't been fucked like that since the NextCube

[billcopc]

Rule #1: You do not talk about Apple flaws
Rule #2: You DO NOT talk about Apple flaws
Rule #3: If someone says "stop" or goes limp, taps out we make him the CEO
Rule #4: Only two sentences to an argument
Rule #5: One argument at a time
Rule #6: No punch, no daiquiris
Rule #7: Cover-ups will go on as long as they have to
Rule #8: If this is your first night at Apple flaws, you HAVE to swallow

Re:wtf you guys talking about?

[KDR_11k]

It takes only one bad guy to figure that out by himself and you'll get owned, you have to know the exploit yourself to know what measures could be taken to prevent it.

It just doesn't surprise me...

I doesn't surprise me Apple's marketing team doesn't allow comment on practices, fixes or developments... they don't even get back to the people finding issues like Jon Longoria on the Spaces theoretical vulnerability. I emailed him to see if he had gotten comment and was told noone would talk with him to discuss the problem or attempt a fix. RE: http://thereformed.org/2008/05/03/theory-apple-osx-spaces-vulnerable/ . I don't really get wtf is wrong with Apple, I think they're locking up under the strain of their evolving popularity. Apple, you've actually broken into the real industry and not the hobbyist, its time to put your pants on and get open about your problems and what you're doing to fix them!

Not Surprised

I'm not surprised really to see a corporation sponsored "Hacker" conference have talks canceled due to confidentiality agreements.

I've yet to hear a real hacker conference have their talks canceled due to something like that. Normally cancellations involve the speaker being escorted out in handcuffs.

But honestly there are far better, and more hacker-centric conferences out there than Black Hat. Conferences that come to mind are Chaos Communications Camp (or Chaos Communications Congress in the winter), Defcon, and even H.O.P.E. are far better choices than Black Hat.

There are more conferences out there that have the same "hacker spirit" but aren't as hard-core like NotaCon which has more of a social atmosphere to it.

But I digress, plan to see more of these types of cancellations at Black Hat in the future since the corporations just are looking for another excuse to line their pockets with more money. The fees for this Conference are astronomical, anywhere between $1300.00 to $5000.00 PER TALK compared to The Last H.O.P.E. where the price was ~$80.00 total as in you pay $80.00 and you get to go to EVERYTHING.

-VK

Re:Not Surprised

[the_B0fh]

You've not been to defcon, have you? Blackhat's just a paid prequel to defcon - all the folks who talk at blackhat typically talk at defcon as well.

Here's a serious flaw with FileVault

[azav]

1. Create two accounts on your mac. One is a throaway with fileVault turned on.
2. Log in to both and switch to your non FileVault account.
3. Copy a large enough chunk of data to the drop box of the FileVault user so that you will ALMOST fill up the boot drive.
4. Duplicate that data to another folder on your boot drive.
5. Wait till the hard drive fills up and you have 0 K on the drive.
6. Launch Safari and load a few web pages with lots of rotating ads. This is to guarantee that more data is being brought onto the hard drive.

At some point, the FileVault account becomes corrupted. You can't log in to it, you can't recover it. It's gone.

Re:Here's a serious flaw with FileVault

I've never even used OSX, but I have to believe that you missed a couple of steps in your repro. Someone in there, there MUST be a couple of "ignore low space warning messages, click 'cancel'" or something equivalent. Probably at least around steps 4 and 5. If it does warn and the user continues, it seems they would be in an unsupportable environment anyway. If it doesn't warn about space (and I can't believe it wouldn't; from everything I hear about it - it is well designed), then it would be time to get a different OS.

Re:Here's a serious flaw with FileVault

[lukas84]

As i understood it, one user can fuck up another users account, without the need for administrative privileges.

This *is* an issue.

Re:Here's a serious flaw with FileVault

I haven't tried that, but can believe it, certainly for systems prior to 10.4.7. Have you demonstrated this behavior on a system later than 10.4.7?

I've seen a few Filevault instances become corrupt. Apple appears not to have thoroughly considered the implications of its Filevault implementation, or at least didn't consider it very carefully prior to OS X 10.4.7.

The way Filevault (roughly) works is that the AES encrypted content is stored on a sparse disk image with the key for those data encrypted through 3DES (that is in turn unlocked by your account password). The problem, or one of the problems, is that prior to OS X 10.4.7 the AES key was stored at the end of the disk image. When data are added to such an image, where the added data require the actual space used by the image be enlarged, the key must be logically moved to accommodate the operation. Then if something goes wrong at just the wrong moment, there is a possibility the key may be nuked. Since it's presently impractical to brute force a 128-bit AES key, and assuming you can't find a copy of that key in a backup or hidden away somewhere in the disused space on your drive, then your data are as good as gone. Moving the key is bad.

The workarounds are two fold:
First, if you're running OS X 10.3 or any system prior to 10.4.7, upgrade to OS X 10.4 or 10.5, then patch it to the latest release -- beyond 10.4.7! Then disable Filevault and re-enable it. Doing so will re-encrypt the data so you get an image in the later version of the Filevault that puts the headers at the front of the image.

Second, immediately after you create a new Filevault instance or an encrypted disk image, make a copy of the image before you add any data. Make a copy of any existing encrypted sparse images if they were created on a version of OS X prior to 10.4.7. Then, if need be, use the copy to recover the AES key when the image is corrupted.

NOTE: Prior to 10.4.7 the key was kept in roughly the last 4KB of the file and end with the string "cdsaencr". On modern encrypted images it's at the front of the image and the key begins with "encrcdsa".

Either way, if the key gets corrupted the entire image is hosed so it's a good idea to keep a copy of the key someplace else.

Re:Here's a serious flaw with FileVault

[azav]

Yep. That's correct.

After I found this out and knowing how often I fill my my root drive, there is no way in hell I'm using FileVault. It is a license to lose everything.

Re:Here's a serious flaw with FileVault

[bill_mcgonigle]

Here's another: You can't use Time Machine properly if you use FileVault. Backup or encryption, pick one.

Re:Here's a serious flaw with FileVault

[azav]

What's the nature of the flaw? How does it fail?

Re:Here's a serious flaw with FileVault

[bill_mcgonigle]

What's the nature of the flaw? How does it fail?

It won't back anything up if you're logged in, and then if you log out, it'll only backup the disk image, not the files inside it. Which pretty much defeats the whole point of the thing.

Re:I haven't been fucked like that since the NextC

[haggus71]

This is Jobs. Jobs has bitch-tits.

The sad thing is

[ILongForDarkness]

Apple makes pretty good products. But in some ways their business practices are worse than Microsofts. They are so secretive that it is scary. They add to it by attacking the PC industry and saying how their product is better but all they will give you for information is press releases. At least MS is finally being more open with want is going on in the background with things like Channel 9 and versus blogs. There is a line where you have to protect company interests but it shouldn't compromise the customers' ability to make an informed choice.

Re:The sad thing is

What gave Apple life was FreeBSD. What made it irrelevant in the past will continue to in the future. Apple will self destruct just by it's mentality.

Re:The sad thing is

apple is dependent on the consumer's lack of ability to make an informed choice.

Re:The sad thing is

[ScrewMaster]

I'd say it's more like Apple is dependent upon the consumers in their chosen market segment being (to a certain degree) computer illiterate. And let's face it, computer illiterates aren't likely to make an informed choice when it comes to buying a computer or choosing an OS. All they can do is follow marketing fluff about simplicity and ease-of-use.

Now, that's no dig at Apple's products ... by and large they deliver on what their market-droids promise. It's just that Apple made the conscious choice to target people who are often really too stupid to use a computer.

Re:Marketing == American lawyers

[Macthorpe]

And the brainpower to work out which end of the stick to hit someone with...

Re:I haven't been fucked like that since the NextC

Rule #8: If this is your first night at Apple flaws, you HAVE to swallow

Rule #34: There's an iPod silhouette poster of it. No exceptions.
Rule #35: If there isn't an iPod silhouette of it, Jobs will make an iPod silhouette advertisement of it.

(MOAR!)

Perception is that Apple is lax on security

[synthespian]

'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

Then Apple marketing people aren't very smart, are they? Because it sure isn't helping the perception that Apple is lax on security.

Re:Perception is that Apple is lax on security

[mjwx]

Then Apple marketing people aren't very smart, are they? Because it sure isn't helping the perception that Apple is lax on security.

On the contrary,

Apple has always been like this, OS X has always practised security through obscurity and used takedown orders and NDA's to hide flaws. The simple fact that people are only just beginning to see this is proof of the great job that Apple marketing has been doing. As always it's impossible to carry on a lie forever.

Reality Distortion

Apple reality distortion has been been going on since the Apple ][ days, lying about sales, and popularity "We're #1" (Behind Radio Shack and Commodore...) Saying less is better (more flexible! just add bunches of cards), etc.

Such current ones I note are: the bolstering of 'intuitive' and 'just works' Those are actually brought over from old MacOS days. OSX may be prettier but the UI guidelines for intuitive behavior deied with Mail and AddressBook, and printer management. Just works only applies to mac-to-mac when networking, try to do Linux or Windows Servers and your milage may vary.

Also with the change from AppleWorks to iWork take a chunk out of compatibility too (AppleWorks at least had a Windows version).

We've been using Macs here since the floppy-only Plus and SE and there was quite a usability hit with OSX - maybe networking has improved (SMB) but application,usability and interfaces became really confused.

Worry about Apple, people may be jumping from Windows for one reason or another to easily soon end up with similar lock-in on the Mac. We will still use Macs here, as they are initially more secure then Windows and easy to use but I tread carefully not to employ dead-end applications like iWork and lock us into only Macs.

Re:Reality Distortion

[argent]

Intuitive? It's still light years ahead of Windows and Gnome/LDE.

Just works? That was always bullshit. Mac OS classic never "just worked", Mac OS classic was *shit*. What it had was that it was all very simple, and the ways it went together were very simple, so you could fix it when it broke without being any kind of geek. OS X, now, that's pretty damn close to "just works".

Printers? I'm still having problems getting Windows to handle printers at work. They just show up on OS X.

Don't lock yourself into dead end applications. And that includes Microsoft Office, which gets changed incompatibly every time a new version comes out. The applications I most depend on are the ones I have the source code to, and some of them are the same ones I was using almost 30 years ago.

Marketing Rules

[Nom+du+Keyboard]

Obviously Marketing rules at Apple. And you're surprised -- why?

One day in Vegas

[EEPROMS]

Hacker "Hai dude your OS is insecure"
Apple "No, it is perfectly secure"
Hacker" Seriously, duuuude, watch me hack your machine"
Apple "Can't be done, our software was blesses by the gods of Steve"
Hacker" Duude, Im not kidding Im in your machine, watch as I buy some child porn with your credit card"
Apple "Ha, all a figment of your imagination, our marketing department says we have the best operating system in existence"
FBI "excuse me sir I would like to talk to you regarding the purchase of illicit child porn"
Apple [while being dragged away] "I can assure you this has nothing to do with our operating system "
Hacker "hmm bummer, did that fed have a macbook, he looks like an anal sex type of guy to me heh"
[clickety clickety]

Solution:

[e4g4]

chmod go-w ~/Public/Drop\ Box

Admittedly - it is a problem, but it certainly has a workaround.

Re:Solution:

[Ilgaz]

So Apple could add that sh thing to recent security updates postflight script, it would take like 100 bytes?

That is the issue. It was exact same command to secure Input Managers in users home directory input managers on Tiger. I did it (as I have legit stuff), everything worked flawlessly. Why didn't they do it? They later admitted issue and made Input Managers function in /Library/Input Managers owned by root on Leopard.

A script like TIGER on Linux could really make OS X almost rock secure but developers afraid of "you broke my machine, you killed my cat" people doesn't ship it.

Misalignment with Snow Leopard

[jjgm]

This is a stumbling block on Apple's road to the enterprise. That's out of alignment with the technology plan for Snow Leopard server, which includes many new features directly aimed at supporting the mid-sized enterprise.

Combine that with the general trend towards browser-as-client, and with the advent of VMware Fusion and Parallels, and at a time when there's no compelling case to deploy Vista during a desktop refresh. Apple have significant position to attack the enterprise desktop & backend.

However: transparency, rapid response, and disclosure rule the day with competent corporate security teams and this kind of a malarky just won't wash with my guys.

Re:Misalignment with Snow Leopard

[interventka]

Stopped reading at [insert buzzword here], but you are correct--presenting themselves as the most closed option available will not help Apple attract enterprise customers.

Security?

Apple Security? That seems like one of them there oxymorons, like Fiscal Conservative, or Republican Thought.

Anyone who knows anything knows Apple and Security don't even belong in the same language, much less sitting next to each other in a sentence.

marketing policy or marketing police?

Hallo, zis is Herr Flick of ze Gestapo, you are not allowed to speak publicly about security matters of the Reich. You may kiss me now Helga.

Here's what's wrong with FileVault:

1. It only encrypts home directory; /tmp, /var/log, and what have you are still unencrypted

2. Turning on FileVault doesn't automatically enable encrypted SWAP (minor problem, as it is easily addressed)

3. When computer goes into safe sleep, contents of RAM are written to disk - the key is in plain text!

4. Volume Key is unlocked from log in password. This is massively inconvenient, as I would like to have the crypto well protected, but my user account - not so much. So I wound up having a 30 character login password.

5. MOST DISCONCERTING: The Volume key is actually encrypted using the login password. This is common cryptographic practice, as it allows for password changes and more cryptographically secure keys for disk encryption. However, the encryption used on the volume key is 3DES, with effective key length of 112 bits. This significantly reduces the key space (from 128 bit AES used on FileVault) .

Later versions of FileVault can also use 1024bit RSA to encrypt the volume key. In this case, the cryptographic strength is ~80bits.

Have you tried this with OS X 10.4.7?

I'm curious if this works with Filevault accounts created under OS X 10.4.7 or later versions of OS X?

10.4.7 changed the way the AES key is stored. Before it was at the end of the Filevault disk image, which meant the key would have to be rewritten when the disk image expanded, which meant there was a dangerously high probability it might not be saved back correctly, thus rendering the image unusable. Since 10.4.7 it has been at the beginning of the disk image, so it never needs to be rewritten.

If the problem the parent described was due to the (encrypted) AES key not being rewritten, then 10.4.7 should have fixed it.

Apple doe NOT get brownie points for how it originally chose to store the key, among other Filevault design deficiencies. {insert frowny face here}

Please let us know...

You don't know the power of the Marketing Force!

[stmok]

Hackers: We're gonna present security issues with Apple solutions at the Black Hat Conference in Vegas! Its going to be great!

Apple Marketing: *Waves hand*...There are no security issues with Apple products.

Hackers: There are no security issues with Apple products.

Apple Marketing: You will withdraw your presentations.

Hackers: We will withdraw our presentations.

Apple Marketing: You want to be in Apple's "PC and Mac" TV ads.

Hackers: We want to be...No we don't!

Hmm.. nice

[referal]

Information is very clear... sounds interesting.. Thanks friend:) regards, www.elechub.com

Re:Hmm.. nice

Information is very clear...
sounds interesting..
Thanks friend:)
regards,
www.elechub.com

I wonder if someone's captcha was "broken".

They learned this from OpenBSD

[interventka]

I find it amusing that the Darwin kernel and MacOS X system software evolved from OpenBSD, another secretive project run by a paranoid lunatic.

Quote out-of-context

[stewbacca]

The "marketing got wind of it" quote from the summary is attributed to the Blackhat organizer, not Apple's marketing department. There's you daily dose of slashdot bias for ya.

OS X: The Sacred OS for Blessed Machines.

[sethstorm]

(completely ignoring any issues of intentional inaccuracy)

The difference between DeRaadt and Jobs is how they want things fixed.

DeRaadt gets the issue solved. Jobs takes a page from Cisco and IBM by sending lawyers until the person is gone from the earth.

Re:OS X: The Sacred OS for Blessed Machines.

[interventka]

I won't ignore that the OpenBSD team actually gets things done, but both are more or less run on a dictatorial model and developers who disagree with that model quickly find themselves on the outside looking in.

Hmm fake.

I am pretty sure charles edge did not figure this out and just canceled because he did not have any....code!

very true

[ILongForDarkness]

Where I work we made printer drivers and presets for each floor of the building. All the users have to do is go to a website click on a link, then double click on the installer and keep pressing okay. Even with a 2 page instruction at the website where they get the download most can't figure out how to install it themselves, and this is at a research institute where everyone at least has a Bsc. That is the typical market for Apple users: people that have no desire to learn computers but just want to use it for a specfic task.

One thing that bugs me about Apple products is they take ease of use over functionality. For example power setting for laptop doesn't let you step down the speed of the CPU you just set it to some warm and fuzzy "Better Energy Savings" and hope the designers got it right. Often I need tools that a real UNIX would have so I got MacPorts and mode the hell out of it so that I can do what I'm used too.