Apple Finally Removes DigiNotar Certs In Safari
Trailrunner7 writes "Apple has finally released a fix for the certificate trust issue caused by the attack on DigiNotar, more than a week after the fraudulent certificates were identified and other browser vendors moved to revoke trust in them. While Microsoft, Mozilla and Google had been communicating with users about the issue and pushing out new versions and updates to eliminate the compromised certificate authorities from their browsers, Apple had been mum about the attack and hadn't given any indication of when it might issue an update for Safari. On Friday the company published a security advisory for Mac OS X users, saying that it was removing DigiNotar's certificates from its trust list."
Yeah, curse those MAC addresses!
Oh, wait, I'm sorry, you're just another retard that capitalizes the whole word instead of the first letter. It's a proper noun, not an acronym, you dimwit.
In Apple World, something like this is hardly as critical as releasing the new iPhone...
It's because they took our Jobs!
So, it took them 1 week to come out with an update to patch their browser? That doesn't seem an egregious delay to me. I haven't yet patched any of my other browsers yet. I'd be surprised if most users patch within the week of bugfix releases anyway.
And if I understand it, this "security hole" is basically that you won't get bad-certificate warnings if you visit certain fraudulent sites... which isn't likely to happen unless you're clicking links in phishing emails.
This hyperbole about apple being slow seems like hot air to me.
I just applied the fix and now I have to restart my Mac. What the hell? Is my MacBook masquerading as a Windows machine all of a sudden?
It just works. After a slight delay.
Diginotar was just the beginning of the reports, but truth is, CAs have been broken for a long time and SSL sessions that depend on CA certs are useless. A couple weeks ago, there was a handy how-to page to show how you can go into Mac OS X's keychain to reject Diginotar... one CA entry down, but several hundred others. If you think the NSA, Mossad, MI6, and fifty other countries haven't slipped MitM SSL boxes on various trunks hoping to score a session depending on these CAs, you're deluded.
Did you know that "Macs" and "Safari" are not the same things? Just asking, cause you seem confused.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Well played sir.
Except of course when they don't. When you create a culture of careless idiots by making them think they are invulnerable to any threats this is the only way to handle them.
Care to explain how this is a case of Macs not "just working"? Or how many "careless idiots" were adversely affected by this?
This looks like simple mindless anti-Apple trolling.
If they just came out and said "Yeah we got screwed too" they might have some credibility, but instead they have to act like something like this doesn't actually affect them and quietly sweep the dirt under the rug.
"Got screwed"? How, exactly? This is exactly how the system is supposed to work.
On the other hand of that is the legion of careless users that are made even more careless because they have been given the false belief that they are impervious to any kind of cyber threat. If they just said "Yeah all that 'most secure' stuff we've been telling you is utter nonsense" then they might lose a moron or two to the competition.
So, where are all the infected Macs? And where are all these people who say Macs are "impervious to any kind of cyber threat"? Straw men don't count, I'm talking about actual human beings.
The problem with you anti-Apple trolls is that you rail against an imagined Mac user being screwed over by an imagined Apple, neither of which *actually* exist. Apple isn't evil, Mac users aren't idiots. There are millions of highly intelligent, technologically adept people who use and prefer Macs. What's so difficult to understand about this? Just because a smart person likes a system you don't like, that's not an affront to you. There are smart people who happily use Macs, Windows, Linux...
Why so insecure?
On Slashdot, an "Apple Apologist Fanboi" is anybody who doesn't incessantly whine in a shrill voice about how awful Apple and Steve Jobs are, annoying anyone within a four-mile radius, most of whom don't care one way or the other.
That post is full of crap. So, the battery goes after 2 years. You either replace the part yourself (which involves opening the case up) or you take it back to Apple and have it replaced by them. You certainly do not have to trash the laptop. He then goes on to say buy the Macbook Pro - which suffers from exactly the same issues...
Details on replacing the battery: http://www.apple.com/support/macbookair/service/battery/
And while I'm not an Apple "fanboi", I have owned a number of Apple products and none of them have died, even when well past their expected 3-4 year lifetime (anyone expecting modern consumer electronics to last longer than that is living on borrowed time or in denial about build quality and the world of commercial exploitation that we live in).
http://www.onlinenewspapersz.com/2011/08/colombia-daily-online-newspapers.html
Why so insecure?
Hey, he's running Windows to begin with... /hides
Apple only cares about the sale of the product, not support
Sales of their products are affected by support.
that's why so many of their products fail 2-3 years off shelf life conveniently after warranty.
Then, why do so many *MORE* of their products *NOT* fail 2-3 years after warranty? You imply some sort of "planned failure" to get people to buy new products, but Apple (like most quality brands) takes a different tack, and instead comes out with new and improved products to entice new sales. And Apple, specifically, is having no problem whatsoever getting people to buy their new products.
That wouldn't happen if they kept failing on people.
And, what does this have to do with the story in question anyway?
Apple's fundamental problem is that they don't know how to MANAGE security. They don't know how to communicate. They don't know how to be up-front and honest about what they're doing. They don't know how to set clear expectations. Microsoft learned this a long time ago. (Incidentally, Linus won a pwnie for his silent patching a few years back I think.)
I do security
When will we get the updates on our mobile phones so those who use mobile banking will be protected too?
1. What about Safari for Windows? 2. So...Leopard was released less than four years ago, after Windows Vista came out in 2006, yet Apple can't be bothered to patch it?
Around here you have to HATE HATE HATE everything in the world with a smug, superior sneer or else you're called a "fanboi"!
Right now this moment, Update Manager is telling me this:
This wasn't in yesterday's updates. This Ubuntu box is my daily machine, not something that's turned on every once in a while. Updates are set to check Daily.
Apple has consistently been slow to fix security issues like this in the past so it is no surprise they were last to address the issue.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
While he is a troll, having worked in support (at a University in Oregon) with Apple users they do often say the following repeatedly:
"Mac's don't get viruses"
"My Mac is secure"
Why do they do this? It's what the employees at the Apple store say (seriously - ask any sales person about viruses, root certs or exploits - the answer always is "nope - we don't get those")! None of them have any idea what a trusted root certificate authority is, or why being compromised is such a big problem.
In other news, Microsoft posts security bulletins 4 days early, scrambles to fix mistake.... oh, sorry I didn't realize /. was in "bash apple" mode again.
The real Sig captains the Northwestern. This one captains
I repair my stuff, it is a nice hobby, you feel as good as a maker but you work way less because, most of the time, it is the simple things that break. I only had to replace an IC once in my life and it was in 2010, the faulty component was a DAC in a receiver from 1995. 75% of what I have repaired was broken due to an old capacitor that had leaked or new capacitor that had bulged*1 and when I replace something like a capacitor, I always over-spec the voltage and the Tmax. Depending on its usage in the design I might double the Farad too. The rest were easy to test components like a voltage regulator or a diode.
*1:
There are 2 frequent problems with the modern electrolytic capacitor.
1- There was a bad batch of branded clone from China and those damn components are still around.
2- Stupid capacitors location by stupid (or malicious) engineering. ex: Samsung LCD TV power supplies engineers had the brilliant idea to place 2 caps rated for 85C very near a heat-sink hot enough that it can evaporate water on contact. They could have been located further from the heat-source as they had a lot of empty space on that PCB. And I said malicious engineering as the caps break usually the year after the warranty is over.
Jehovah be praised, Oracle was not selected
"Got screwed"? How, exactly? This is exactly how the system is supposed to work.
No, Google, Mozilla, and even Microsoft showed how the system is supposed to work. Apple sat on its hands for nearly two weeks, while its users were still exposed to possible rogue certificates because apparently Apple didn't think removing the CA's root certificate from the user's Keychain should also remove its EV certs.
While he is a troll, having worked in support (at a University in Oregon) with Apple users they do often say the following repeatedly:
"Mac's don't get viruses"
"My Mac is secure"
Both are true. Neither means (what the OP said), "they are invulnerable to any threats" or "they are impervious to any kind of cyber threat".
Android is still vulnerable, as is iOS BTW.
Once again, stock iOS is vulnerable, whereas jailbroken ones can have iSSLFix installed on them. In addition to patching an extremely boneheaded certificate vulnerability and providing cert blacklists for iOS devices that have not received new firmware, the DigiNotar CA was blacklisted via a patch almost a week ago.
Anyone with a jailbroken iOS device that doesn't have the patch should download and install it. You can simply search for it in Cydia.
Boot Windows, Linux, and ESX over the network for free.
Worth noting that, keeping in line with maximizing a forced adoption of the latest cat, the fix is only available for those using the latest version of Snow Leopard or Lion. At least at this time (5 PM CDT, 9 Sep 2011) the rest of the MacOS universe can go suck an egg...
Just like the case of adopting Lion. If you want to skip a cat and not have to pay for Snow Leopard, tough luck, compadre. Lion ONLY installs on top of Snow Leopard.
It's only for OS 10.6.8 and 10.7.1. Users of PowerPC Macs can't use any OS after 10.5.8, and many users of Intel based Macs won't update past 10.6.6 because 10.6.7/10.6.8 introduce some significant compatibility issues. It's great that they released a fix, but it's only a fix for 50%-80% of the user base. I guess the rest have to manually remove the Diginotar root cert?
make imaginary.friends COUNT=100 VISIBLE=false
Taking a week to get a critical patch done is the point with its competitors exceeding them by a mile, as there are almost no AV vendors for Macs, Apple is responsible.
Going back to discussion though about why it takes apple a week to do things: Apple is great on presentation, however when I pay 3k for something I don't expect it to go out in 2-3 years, Maybe the airbook was a bad example, all laptops have replaceable batteries lo, on that note I didn't bother reading the article too closely, replicating the google search brings up dozens morel, let's look at the other product lines, ipods and iphones, battery dies, the service > the value of the device after that time period. This is clearly a f'in trap, thanks for being blinded by the presentation to see it, how hard would it be to make a battery replaceable in an iphone as in oh say an android, it's not so apple's design is deliberate?
You striving to be creative apple users sure are blind... apple != value.
On that note I still like my touch rofl if only for its faster than standard interface and beautiful screen, but I know I will be buying a permanent doc for it to become a radio in 3 years because the battery life will probably be under 30 minutes.
To be fair, this affects everything that uses the system certificates - anything from cURL to Chrome. Safari is included in that list. Almost every other desktop app is also affected - so something like a desktop RSS reader that pulls from Google Reader was equally vulnerable. Firefox (and maybe others) manage their own CA certs so they weren't directly affected, but had this been patched earlier it might have been that Firefox was the application that is still vulnerable.
Still, don't feed the trolls.
How are sites slashdotted when nobody reads TFAs?
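The comment above points out that everything reading the system certificate store was exposed, while software that ships its own CA bundle has to be fixed separately. As an added example (not part of the thread), the Go program below audits any PEM bundle for certificates whose subject or issuer names a distrusted CA; the function names are hypothetical and the certificates are generated in-process as constructed stand-ins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// constructedRoot generates a throwaway self-signed CA certificate in PEM form.
// Sample input only: the names are constructed, these are not real CA certs.
func constructedRoot(org, cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// FindDistrusted returns the subject of every certificate in a PEM bundle whose
// subject or issuer contains caName (case-insensitive).
func FindDistrusted(bundle []byte, caName string) ([]string, error) {
	var hits []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // bundles may also hold keys or CRLs
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return hits, fmt.Errorf("unparseable certificate: %w", err)
		}
		names := strings.ToLower(cert.Subject.String() + "|" + cert.Issuer.String())
		if strings.Contains(names, strings.ToLower(caName)) {
			hits = append(hits, cert.Subject.String())
		}
	}
	return hits, nil
}

func main() {
	fmt.Println(FindDistrusted(constructedRoot("DigiNotar", "Constructed Stand-in Root"), "diginotar"))
}
```

Run the check once per trust store an application actually loads: a clean system store says nothing about a bundle shipped inside a browser or HTTP client.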
No updates for this one? :(
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
You might want to fact check yourself. The news was released on Monday. MS patched on Tuesday. Apple on Friday. Unless I'm mis-counting, that's not quite a week (4 days to be exact).
World fails to notice.
Film at 11...
Perhaps for the same reason that windows users think that because they have an anti virus program installed that they are immune to all malware. I should say some windows users. People are people and computer security is sufficiently complex that the majority don't really care to put in the brainpower required to understand it. So they end up repeating marketing bs. I happily use all of Mac, windows and Linux. And I feel that each of them sucks in their own special ways.
WTH? No 10.5 support? Leopard came out in 2007, latest version is around 2 years old. In the mean time, a 10-year old OS gets the update. It can't be *that* hard to update 10.5 machines, they just *don't want* to. I mean people who bought dual and quad-core G5s are still probably using them, heck I'm still using a single G5. Planned obsolescence at its finest
Important yes. Critical? Not really. Even if they managed to cut a cert for a big site, they still have to then entice the user to go to such a site and also trick their DNS via man in the middle into thinking it's actually on Google.com or whatever they've issued.
Serious, yes. Critical? Not so much.
Yeah, the news came out on Monday. Last Monday. It's been a week and four days.
This is just typical Apple. To them, security problems don't exist. They're all happily wandering about aimlessly in Steve Jobs' backyard like a bunch of mindless sheep. Content to shrug off anything that may do grievous harm to their esthetically pleasing brushed aluminum paradise. To those Mac users who actually are security minded, you're not included in this. At least you guys have a clue, more of one than the fanboys and everyone in Cupertino.
The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
Actually, no. We claim that Macs are the best computers.
Apple sales people are not allowed to position statements like "we don't get those". There are carefully crafted positioning statements around everything in the Apple economy. Like it or not, it brings a consistency to the brand. I think the Apple retail market has been pretty successful--because the salesforce doesn't go around making rogue statements like you posit.
Granted, most people IN THE WORLD don't know what a root cert authority is, let alone the salesforce at an Apple store.
Laughable. Apple likes to make money, and selling support is one way to do that. Providing good support has gone a long way to build a loyal fan base and repeat customers as well.
AppleCare is one of the few computer company tech support divisions that actually makes money. Selling extended support after 1 year (not 2-3 years like you stated) is a money maker. Doing so also means having to support devices that are no longer sold. If you bought extended warranty for your xserve in January, you get support for 3 years after the last one was sold. Seems fair to me. Other companies lose money with support because they try to appease the random slashdot nerd still running his Pentium IV + Voodoo II card + Soundblaster card.
And if Apple didn't care about support, they'd offshore it to India, yet their support is headquartered in Austin, where they take the calls. Surely Austin is more expensive than Bangalore? So why do it there? Oh yeah, Apple doesn't care about support, so they'd rather use the better-yet-more-expensive Austin base of operations....riiiiight.
You don't get to be #1 in consumer satisfaction with customer support ratings for every year JD Powers has tracked it by not caring about support.
AV software on a Mac...hahah, funny.
The reason it took them a week is because they are in the middle of their second update (10.7.2) of a new OS release. Is Windows in the middle of a service pack for Win7? Did Win 7 come out less than 6 weeks ago? Does Microsoft have thousands of developers NOT working on OS X.7.2 right now?
Please provide link to single system hacked by this issue. Cheers.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
It's pretty easy to figure out the logic behind this one, actually. There were known fraudulent google certs, known fraudulent Windows Update certs and known fraudulent mozilla.org certs faked. Were there any apple.com certs?
If I have been able to see further than others, it is because I bought a pair of binoculars.
And for any reasonable person, the first statement is true.
Mac's don't get viruses.
It's not that they are immune, we all know that's not the case, it's that they aren't targeted.
However, none of that changes the fact that from a practical perspective, Mac's don't get viruses.
I could defend the second one too, if you stop being so technical and think like users not techies. Users use words like 'secure' to mean a completely different thing than techies.
Having worked in desktop support for any length of time at all, you'd already know that if you had a clue considering the biggest problem in tech support is generally what the user says is not what you think it is, but you clearly aren't bright enough to figure that part out so I doubt you'll get any more of my explanation anyway.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Yeah, curse those MAC addresses!
Oh, wait, I'm sorry, you're just another retard that capitalizes the whole word instead of the first letter. It's a proper noun, not an acronym, you dimwit.
You really had that much trouble working out that by 'MAC' he meant 'Mac' even after he implied it was a product of Apple and stated it was a computer? You fucking moron, but I suppose when you're that stupid you're too fucking braindead to attack the validity of his post so you'll resort to criticizing his grammar.
"Mac's don't get viruses" "My Mac is secure"
Both are true.
False, by that moronic statement you can also conclude the same is true of Windows.
"Mac's don't get viruses"
"My Mac is secure"
Both are true.
False, by that moronic statement you can also conclude the same is true of Windows.
No, you can't. Antivirus software is a must for PCs, unless you are particularly diligent (and even then, it's still a very good idea to at least manually scan occasionally). Antivirus software is *NOT* necessary on a Mac, even if you are especially careless.
Neither claim implies the absolute. No one is saying that no Mac ever gets infected, nor is anyone saying that every PC gets infected. Why do nerds seem to have such a hard time seeing the world in anything other than binary?
Cool samefag, bro.