Apple Addresses a Bug That Caused Disk Utility in macOS High Sierra To Expose Passwords of Encrypted APFS Volumes (macrumors.com)
Joe Rossignol, writing for MacRumors: Brazilian software developer Matheus Mariano appears to have discovered a significant Disk Utility bug that exposes the passwords of encrypted Apple File System volumes in plain text on macOS High Sierra. Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint. [...] Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store.
When creating a new volume, it apparently puts the password into the password hints field.
If you create a new volume using command-line tools, things are fine.
The encryption is still OK; this bug just leaves the key to the front door under the mat.
Which is still appalling.
To a Lisp hacker, XML is S-expressions in drag.
So it seems that Apple fixed the issue faster than slashdot was able to publish its report?
Why does the password even exist to be recovered? I thought the first thing one did is hash the password and use the hash to encrypt/decrypt the volume. Also, even the hash is not recorded anywhere; it would need to be entered each time.
That way, if someone looked, they would not see the password used.
Of course, if you have the hash and know in detail how the volume is encrypted you can still get at the data, but you would need the hash and the exact method of encryption to do this.
E.C.P.
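The exchange above asks why a password should ever be stored where a "hint" button could reveal it. The following is an added, simplified model (not Apple's or APFS's code) of the usual design: the password is stretched with a KDF, only the salt, hint and a key verifier are written next to the volume, and a small check catches the page's bug, a record whose hint field carries the password. PBKDF2 parameters and the verifier label are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example
VERIFIER_LABEL = b"volume-unlock-verifier"  # constructed label, not an APFS constant


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the password into a 256-bit key; only the salt is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def create_volume_record(password: str, hint: str, salt: Optional[bytes] = None) -> dict:
    """Metadata kept beside the volume: salt, hint and an HMAC verifier under the
    derived key. unlock() can check a password against it, yet neither the
    password nor the key appears in the record."""
    if hint == password:  # the hint field must never carry the secret itself
        raise ValueError("hint must not equal the password")
    salt = salt or os.urandom(16)
    verifier = hmac.new(derive_key(password, salt), VERIFIER_LABEL, "sha256").hexdigest()
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hint": hint, "verifier": verifier}


def buggy_create_volume_record(password: str, hint: str, salt: Optional[bytes] = None) -> dict:
    """Constructed model of the Disk Utility defect: the password lands in the hint field."""
    record = create_volume_record(password, hint, salt)
    record["hint"] = password  # mistake: the secret is stored where the hint belongs
    return record


def unlock(record: dict, password: str) -> Optional[bytes]:
    """Re-derive the key and compare verifiers in constant time; None on a wrong password."""
    key = derive_key(password, bytes.fromhex(record["salt"]), record["iterations"])
    expected = hmac.new(key, VERIFIER_LABEL, "sha256").hexdigest()
    return key if hmac.compare_digest(expected, record["verifier"]) else None


def record_exposes_password(record: dict, password: str) -> bool:
    """Defender's check: does the plain metadata contain the password literally?"""
    return password in json.dumps(record)
```

The buggy variant still unlocks correctly, which is why ordinary functional testing would not have caught the defect; only a check on what the stored metadata contains does.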
And by proper computer, do you mean one that runs Redmond Spyware 10, or one of the many We-Are-The-Borg-systemD OS?
#DeleteFacebook
If someone could combine the moocow guy, the apps guy and the hosts files guy into one combined, easy-to-read useless post, it would be neat.
If by "proper computer", you mean a certified Unix 03 desktop then by all means get all the choices. Oh wait Apple seems to be one of the few choices left.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Get a proper computer instead of a fashion accessory, you feckless nonces.
"It just works", ROFLMA.
Most of society today needs something that "just works", because they're too stupid to operate anything more advanced. The continuing trend of idiot-proofing every UI confirms this.
Try not to assume so much next time.
It's true Windows had some occasional security issues in the past. However, over the years they have all been closed. Meanwhile, Linux and MacOS boxes are easily hackable and form the backbone of DDOS networks. Linux doesn't even auto-update!!
Apps are for cows, you bunch of non-HOSTS-file-modifying cows! You are all LUDDITE cows that don't use apps and leave your HOSTS files empty. Moo say the cows. YOU COWS. Apps can run on cows, but HOSTS files can block LUDDITE cows.
Apps!
"When information is power, privacy is freedom" - Jah-Wren Ryel
How can such a bug in a security sensitive component of OS-X be overlooked in testing?
I once switched the username and password fields while creating the account in Slashdot and I am still living with it ;-)
But my friend, who runs a small company, got the shock of his life when the bank clerk switched the amount and date while entering some transaction. (It was in Chennai, India, not fully automated banking.) The bank debited 12102015 rupees from his account or something.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Devuan, a fork of Debian that tracks the main Debian repos with some substitutions to avoid systemd dependencies.
Imagine that ... people want something that just works rather than something that is inefficient and needs constant upkeep and maintenance. Idiots! Not me though, that's why I drive a rusty old 50s Buick!
Dude you know DontBeAMoran can't. He's just another fake name for his fake life useless do nothing "ne'er-do-well" fuck!
You got that right. Anything that requires me to write posts longer than 100 characters is not an op
See subject DontBeAMoran: You can't show you've done better (especially earlier)? Nope https://it.slashdot.org/comments.pl?sid=11197935&cid=55317113/
* QUESTION: What's it like being a USELESS UNIDENTIFIABLE do-nothing "ne'er-do-well" BIG TALKER like you that TRIES to cut someone like ME down & YOU HAVEN'T DONE SQUAT BY COMPARISON?
APK
P.S.=> I'll answer the question above for you - it must SUCK to be "your kind" (a FAKE NAME for your FAKE LIFE fuck)... apk
Lighten up Francine. You're gonna have a stroke. And you probably suck as a developer so I'm guessing your anger is more directed at your own failures.
How useful is certification anyways say vs. LSB?
With a safety-scissors UI slapped on top and a bunch of restrictions to prevent you from using your own computer how you want. You can't even write to /usr/bin on a Mac, yes that's right even with administrator rights on your own computer Apple does not permit you to do that. The OS is so borked that you have to go through the process of booting into recovery mode and running a utility to disable that crap.
They have also removed the option to run applications from anywhere from the security settings, you used to be able to choose from only the App Store, App Store and Trusted Developers (you know, trusted by Apple, not the user) and Anywhere, but now they have removed the 'Anywhere' option. The writing is on the wall that it is going in a very user-hostile direction and becoming exactly the opposite of Apple's portrayal of themselves in that 1984 ad.
Apple apologists (and I'm not necessarily saying you are one at this point) have become that braindead that they are just goosestepping along and telling everybody how Apple is just doing this for your benefit, to protect you from yourself.
Certification means Apple paid the Open Group to use the Unix trademark. You can still buy a metal vanity license plate with UNIX printed on it from the Open Group's webpage if you want a Unix license of your own.
I drive a stripped (no options, not even air cond.) 2006 Ford Ranger that has been paid for about 7 years now. Good enough and easy to service.
For such a serious issue there is a lack of clarity on the extent of the problem and what we need to do to mitigate.
1. Does the bug apply to apfs-formatted encrypted disk images?
2. Does the issue persist after the update on volumes/images you have already created? I assume yes, meaning everyone should do what? Just change the password, or does it have to be recreated from scratch?
The 'new' Disk Utility that has been around since El Capitan is a mess. It had to be updated for reasons apparently, but the old version was far FAR better, to the point that people patched the old version to run on El Cap, maybe Sierra.
It constantly does weird and wonderful things and has knackered my disk on more than one occasion, leaving me an unbootable machine that I've had to fix via diskutil from Internet Recovery mode.
You're focusing too much on the hosts file. It's irrelevant if you're using a pirated version of Windows and Delphi.
I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell
his hosts program is actually pretty good by xenotransplant
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg
(APK's) work, I've flat out said it's good by BronsCon
I've tried his hosts file generating software. It works by bmo
APK your posts on this & the hosts file posts, and more, have never been in error &/or bad advice by BlueStrat
Your premise that hostfiles are a good way to deal with advertising & malvertising is quite valid by JazzLad
I like your host file system by Karmashock
(NEED MORE? Ask!)
* It's recommended/hosted by Malwarebytes' hpHosts!
APK
P.S.=> China imitated me http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ ... apk
How much of what you said is true? Unix 03 Certification requires testing and money.
Pretty useful if it's on a bullet list of requirements. "Must be Unix certified" is on a lot of equipment requirements I've seen when looking for Unix equipment.
They have also removed the option to run applications from anywhere from the security settings, you used to be able to choose from only the App Store, App Store and Trusted Developers (you know, trusted by Apple, not the user) and Anywhere, but now they have removed the 'Anywhere' option. The writing is on the wall that it is going in a very user-hostile direction and becoming exactly the opposite of Apple's portrayal of themselves in that 1984 ad.
Well that's a bald-faced lie. I just installed a bunch of applications the other day on a machine, none of which I got from the App Store or "Trusted Developers". My guess is that you don't know that OS X requires you to verify, with a dialog confirmation, that you want to install something you got off the Internet. After clicking "Yes, install", it installed and ran fine.
I don't use pirated copies of Windows or Delphi. THAT lie of yours = "best ya got"? Yes. Like you, it's not squat DontBeAMoran.
* Additionally - Thanks for PROJECTING your own misdoings loser (trying to place them on ME).
APK
P.S.=> You don't have shit to your name (hence your use of UNIDENTIFIABLE anonymous posting)... apk
What? Plain English please. If the only reason is to satisfy bureaucracy, then it doesn't really seem like a reason to me. Sure, you want hardware validated to your OS, but the UNIX specification doesn't include a Hardware Abstraction Layer, so any hardware validation is going to be OS specific and not portable like POSIX is.
There probably is some legacy stuff floating around out there that nobody understands except that it goes haywire if compiled against anything out of spec, but you aren't going to find it on your average desktop or server.
[sarcasm]I don't know about you but when my company puts out a list of requirements for hardware and software, I just blatantly ignore them when purchasing things with their money. It's how I keep my job. Also the clients are ecstatic that I chose to override their wish list when we purchase for them. They are certain to pay the invoices faster when we ignore the spec sheet. I am showered with awards because I do this.[/sarcasm]
Don't be thick. Is there a fundamental technical reason, and does it apply to your average desktop or server? Ya I get that you're a cog in a corporate machine and you have to obey the logic of the machine. The question is whether the machine is operating on good logic or on old and broken assumptions that are costing them money. And you can always send proposals back up the chain to modify requirements for reasons a-c and x-z.
The day you pay my salary, I'll get advice from you about how not to listen to my company and my clients about their exact requirements. Until then, you're just an arrogant individual who thinks they know more than my clients about what they specified as a requirement. If it says "Must install Redhat Linux ES" that's what they will get. We don't install Ubuntu Linux and tell them they'll save money. If it says x86-64 processors with ECC support, we don't get them a Pentium D and a lecture about how they can use a cheaper processor and ECC is overrated.
One of the main drivers of Mac purchases: It's realistically the ONLY Unix laptops that are available. Linux laptops you can get from any major manufacturer. Certified Unix laptops are only through Apple. And if they specify "Certified Unix" instead of Linux, they mean it because contrary to what you assume, most of our clients KNOW the difference. There's a reason that's beyond my pay grade and frankly it's probably beyond your pay grade.
Got it. You don't actually know if there's a technical reason or not, and how widely applicable it is. (Obviously I'm not aware of any, otherwise I wouldn't have asked the question.) Further, you don't really care as long as you get paid.
Let me make this absolutely clear to you on this point: you have no fucking clue as to why my clients specify "certified Unix" sometimes as they don't detail every single reason behind their requirements. But unlike you I don't presume to know MORE than my client about their needs especially when they make a specific requirement.
Let me guess about the person that you are: if you were a waiter in a restaurant and a skinny person ordered diet soda, you'd just replace it with regular soda because they didn't need to lose any weight. The fact that they might be diabetic doesn't matter to you. You know more than them and are willing to risk their lives for your fucking ego.
I'm the waiter telling you most people can't tell any difference between a $50 bottle of wine and a $500 bottle. Maybe everyone who gets the $500 bottle is a super-taster, but more likely they want to impress someone. Sure there are a few corner cases where you 99.999% need POSIX compatibility, but for most things 99.98% is good enough.
Pulling a switcheroo is just plain silly and passive-aggressive (and nowhere did I suggest you do that); asking questions about underlying technical requirements and making new suggestions based on the answers is not.
So going back to the wine analogy, and my original question. Are the order requirements actually about some vital technical difference in the product, or is it about something else?
I'm the waiter telling you most people can't tell any difference between a $50 bottle of wine and a $500 bottle
Despite the customer insisting to you that that is exactly what they want. You must hold down a lot of jobs in customer service.
Maybe everyone who gets the $500 bottle is a super-taster, but more likely they want to impress someone.
Which would make it none of your business, wouldn't it?
Sure there are a few corner cases where you 99.999% need POSIX compatibility, but for most things 99.98% is good enough.
Again how do you know what my clients want? You don't do you? You are imposing your opinion based on 0% knowledge of my clients. Thus complete speculation on your part.
Pulling a switcheroo is just plain silly and passive-aggressive (and nowhere did I suggest you do that); asking questions about underlying technical requirements and making new suggestions based on the answers is not.
No I answered your question: You don't know what my client needs are. You assume you know better than them. You also assume I don't know. You also assume that I am allowed to tell you or that you'd understand why. What I did tell you is that when a client makes a specific request that involves acquiring a Mac, they know what they are requesting because they request Linux machines all the time.
So going back to the wine analogy, and my original question. Are the order requirements actually about some vital technical difference in the product, or is it about something else?
As I said above: It's none of your business. At times, it's none of my business. The client requests it. We verify the request and then we fulfill the request. We don't try to pretend to be an arrogant asshole and challenge their request.
The only reason for POSIX is to make software easier to port, it's not supposed to be a magic bullet for 100% compatibility.
If you can port 99.9% of your code unchanged thanks to POSIX, and modify 0.1% to make it work, you and your client should be very very grateful.
That scenario would be great if we wrote code or had any inclination to write or change code. We don't. We install software and test it to ensure it works. So if a client asks for POSIX compatibility or specifies UNIX 03 or LSB 3.1, that's what they get, because they might install software after we hand over the machines which we don't know about and they won't necessarily tell us.