Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Addresses a Bug That Caused Disk Utility in macOS High Sierra To Expose Passwords of Encrypted APFS Volumes (macrumors.com)

Posted by msmash on from the bad-coding dept.

Joe Rossignol, writing for MacRumours: Brazilian software developer Matheus Mariano appears to have discovered a significant Disk Utility bug that exposes the passwords of encrypted Apple File System volumes in plain text on macOS High Sierra. Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint. [...] Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store.

85 comments

  1. The bug is in Disk Utility GUI volume creation by alispguru · · Score: 4, Informative

    When creating a new volume, it apparently puts the password into the password hints field.

    If you create a new volume using command-line tools, things are fine.

    The encryption is still OK; this bug just leaves the key to the front door under the mat.

    Which is still appalling.

    --

    To a Lisp hacker, XML is S-expressions in drag.
    1. Re:The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 2, Insightful

      How is it able to show the plain text password to begin with? Sounds like the password isn't hashed or encrypted itself to begin with and stored as plaintext somewhere. The system shouldn't know what the password is.

    2. Re:The bug is in Disk Utility GUI volume creation by sbrown7792 · · Score: 4, Interesting
      Right, the system shouldn't know, that's why this is a bug.

      When creating a new volume, [the Disk Utility GUI] apparently puts the password into the password hints field.

      A hint needs to be plaintext to read it later, the error was the utility saving the *password*, not the *hint*, in the hint field.

    3. Re: The bug is in Disk Utility GUI volume creation by mridoni · · Score: 1

      Not necessarily true: if you want the system to be able to mount a volume without user intervention (or boot from it), it must know the whole password, a hasj is not enough for decryption. Of course the password should be properly encrypted with a not easily accessible system-level key.

    4. Re:The bug is in Disk Utility GUI volume creation by AmiMoJo · · Score: 1

      Any idea how long it has been that way?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:The bug is in Disk Utility GUI volume creation by Nidi62 · · Score: 1

      Right, the system shouldn't know, that's why this is a bug.

      When creating a new volume, [the Disk Utility GUI] apparently puts the password into the password hints field.

      A hint needs to be plaintext to read it later, the error was the utility saving the *password*, not the *hint*, in the hint field.

      Maybe they just wanted to be really sure the user got the hint?

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    6. Re: The bug is in Disk Utility GUI volume creation by The+Snowman · · Score: 1

      Not necessarily true: if you want the system to be able to mount a volume without user intervention (or boot from it), it must know the whole password, a hasj is not enough for decryption.

      Why would you password-protect a file or volume to begin with if you want the system to be able to decrypt it without user intervention? The purpose of encryption is to prevent unauthorized access, not allow it.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
    7. Re: The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      Doing so allows you to "wipe" the entire volume by simply deleting the key - making the encrypted data unrecoverable.

      For example, if you setup a bootup pin and someone fails to guess the pin 10 times in a row, you wipe the decryption key and the entire drive contents are unrecoverable unless you happen to have a backup of the key somewhere else.

      Pretty standard stuff, surprised you had to ask!

    8. Re:The bug is in Disk Utility GUI volume creation by TheFakeTimCook · · Score: 1

      When creating a new volume, it apparently puts the password into the password hints field.

      If you create a new volume using command-line tools, things are fine.

      The encryption is still OK; this bug just leaves the key to the front door under the mat.

      Which is still appalling.

      But it is also fixed.

    9. Re:The bug is in Disk Utility GUI volume creation by TheFakeTimCook · · Score: 1

      Any idea how long it has been that way?

      Well, considering that High Sierra has only been out for a couple of weeks, I'd say about that long.

    10. Re:The bug is in Disk Utility GUI volume creation by TheFakeTimCook · · Score: 1

      Right, the system shouldn't know, that's why this is a bug.

      When creating a new volume, [the Disk Utility GUI] apparently puts the password into the password hints field.

      A hint needs to be plaintext to read it later, the error was the utility saving the *password*, not the *hint*, in the hint field.

      This sounds to me like some "Development" code that got left in the GM by mistake, rather than a fundamental design flaw.

      Happens.

    11. Re:The bug is in Disk Utility GUI volume creation by Anubis+IV · · Score: 2

      The system still doesn't know what the password is. So far as it knows, the thing it's showing you really is the password hint.

      As the GP suggested, the bug isn't technically that the password is being stored in plaintext, though that is a consequence of the bug. Rather, the bug is that the hint's value is being set to the password's value when a user sets up a new encrypted volume in the version of Disk Utility that shipped with High Sierra.

      Thankfully, this only affected users on the latest version of the OS who set up new encrypted volumes using Disk Utility in the time since they upgraded. Existing encrypted volumes are fine, as are encrypted volumes created via any other method. Even so, it's a pretty glaring bug, so I'm glad to hear that it was fixed quickly after hitting the news circuits earlier today.

    12. Re:The bug is in Disk Utility GUI volume creation by Tarlus · · Score: 1

      16 months at a maximum, maybe?

      APFS is still fairly young. I've been nervous about it. Not for reasons such as these, but just the whole "early adoption" thing.

      --
      /* No Comment */
    13. Re: The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      Also, the hint is lost?

    14. Re: The bug is in Disk Utility GUI volume creation by Brockmire · · Score: 1, Insightful

      If you don't fucking know, no one gives a shit what your guess is.

    15. Re: The bug is in Disk Utility GUI volume creation by Brockmire · · Score: 3, Insightful

      Typical at Apple, where shit like "GotoFail" is a regular occurrence. Shitty developers with nonreviewed code in important security places, no QA and test procedures... bugs can show up in corner cases, but not in THE FUCKING USE CASE. Who the fuck is running things over there?

    16. Re: The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      More likely to be something like fields[n] vs fields[n-1] in my opinion.

    17. Re: The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      Not necessarily true: if you want the system to be able to mount a volume without user intervention (or boot from it), it must know the whole password, a hasj is not enough for decryption. Of course the password should be properly encrypted with a not easily accessible system-level key.

      And how are you protecting the key with which you decrypt the password?

    18. Re: The bug is in Disk Utility GUI volume creation by Richard_at_work · · Score: 1

      Your opinion has even less value than his guess, and yet you still posted it - both of you have the same right to do so.

    19. Re:The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      Doesn't having a "hint" imply that the system has stored the actual password somewhere? If not, what is the hint going to do, return an encrypted password?

    20. Re:The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      Right because the following makes total sense:

      vol.pass = pass;
      vol.passh = pass; /* Whoops! Shouldn't have added the h at the end! */

      VS.

      vol.password = password;

      #if NDEBUG
      vol.password_hint = password;
      #else
      vol.password_hint = hint;
      #endif

      There's no reason to not use proper conventions. Beyond being lazy. And especially when writing security code.

      Someone go check the old binaries to see if they are a development build. If they are then that's a failed review process. If not, then some idiot made one hell of a typo that shouldn't have been possible in the first place, or they copy pasta'd.

    21. Re:The bug is in Disk Utility GUI volume creation by dissy · · Score: 1

      Doesn't having a "hint" imply that the system has stored the actual password somewhere? If not, what is the hint going to do, return an encrypted password?

      No. It doesn't even come close to implying that. Why would you think such a thing?

      Your username, real name, and the hint are all text value stored in plain text as they should be.
      Your password is a different value stored hashed.

      When you type a password wrong, clicking "show hint" is expected to return *the hint value you entered*

      The hint actually has less to do with your password (nothing) than it has to do with your username (the thing the hint is linked to, just like your name and user icon and everything else)

      If you enter the hint "my 2017 password starting with U and 10 characters", clicking show hint is expected to return exactly that and nothing else.

    22. Re:The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      well apple wasn't wrong. displaying the actual password was a 'hint'. a pretty good one at that.

    23. Re: The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      just like linux kernel source code? which has lots of "goto"s

    24. Re: The bug is in Disk Utility GUI volume creation by nazsco · · Score: 1

      if you don't want to wait, here's the diff so you can patch yourself

      - store.volumes.apfs.hint = password
      + store.volumes.apfs.nsahint = password

    25. Re: The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      Yes it does happen, that's why you have QA. Even the most cursory QA checklist would have picked this up, it amazes me how things like this slip through for companies with ample resources to deploy for testing.

    26. Re: The bug is in Disk Utility GUI volume creation by thegarbz · · Score: 1

      Because some systems are implicitly trusted. Like my removable HDD which I plug in to my home computer, that gets auto-mounted. It doesn't on my laptop*.

      The protection should match the threat. A lot of encryption is to stop basic things like a thief selling a HDD of yours full of data on ebay.

      *But it could be too. Windows 10 relies on your login credentials to protect the key to auto-decrypt drives. This is why having a windows password in place is sufficient to protect bit-locker encrypted drives even if they are configured to automatically mount on the machines.

    27. Re:The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      Well Apple users are generally quite clueless about these things. It just works, I have no idea how or why. Actually it doesn't work, and your too stupid to understand.

    28. Re: The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      You apparently don't understand the "GotoFail" bug. Here's an explanation, for example.

    29. Re: The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      * you are
      or
      * youâ(TM)re

      Not âyour stupidâ(TM).
      Hereâ(TM)s an idea... how about learning English first?

    30. Re: The bug is in Disk Utility GUI volume creation by Anonymous Coward · · Score: 0

      Who the fuck is running things over there?

      Law enforcement. I've been watching LEAs [I call 'em LEAtards] fuck things up for almost half a century. Apple has become so fucked up that dollars-to-donuts they've been commandeered by LEAtards, conducting yet another pointless fishing expedition.

    31. Re: The bug is in Disk Utility GUI volume creation by TheFakeTimCook · · Score: 1

      Typical at Apple, where shit like "GotoFail" is a regular occurrence.

      Shitty developers with nonreviewed code in important security places, no QA and test procedures... bugs can show up in corner cases, but not in THE FUCKING USE CASE.

      Who the fuck is running things over there?

      A REGULAR occurence?!? You mean ONCE, right?

      Just like the bug in BASH that went for 25 YEARS with NONE of the "Many Eyes" spotting it???

      FOAD, tool!

  2. so apple was faster than slashdot? by Anonymous Coward · · Score: 0

    So it seems that Apple fixed the issue faster than slashdot was able to publish its report?

    1. Re:so apple was faster than slashdot? by TheFakeTimCook · · Score: 1

      So it seems that Apple fixed the issue faster than slashdot was able to publish its report?

      Pretty much, yeah.

  3. Get a proper computer by Hognoxious · · Score: -1

    Get a proper computer instead of a fashion accessory, you feckless nonces.

    "It just works", ROFLMA.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:Get a proper computer by DontBeAMoran · · Score: 1

      And by proper computer, do you mean one that runs Redmond Spyware 10, or one of the many We-Are-The-Borg-systemD OS?

      --
      #DeleteFacebook
    2. Re:Get a proper computer by UnknowingFool · · Score: 1

      If by "proper computer", you mean a certified Unix 03 desktop then by all means get all the choices. Oh wait Apple seems to be one of the few choices left.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re:Get a proper computer by Anonymous Coward · · Score: 0

      Get a proper computer instead of a fashion accessory, you feckless nonces.

      "It just works", ROFLMA.

      Most of society today needs something that "just works", because they're too stupid to operate anything more advanced. The continuing trend of idiot-proofing every UI confirms this.

      Try not to assume so much next time.

    4. Re:Get a proper computer by Anonymous Coward · · Score: 0

      Devuan, a fork of Debian that tracks the main Debian repos with some substitutions to avoid systemd dependencies.

    5. Re:Get a proper computer by Anonymous Coward · · Score: 0

      Imagine that ... people want something that just works rather than something that is inefficient and needs constant upkeep and maintenance. Idiots! Not me though, that's why I drive a rusty old 50s Buick!

    6. Re:Get a proper computer by WorBlux · · Score: 1

      How useful is certification anyways say vs. LSB?

    7. Re:Get a proper computer by Anonymous Coward · · Score: 0

      With a safety-scissors UI slapped on top and a bunch of restrictions to prevent you from using your own computer how you want. You can't even write to /usr/bin on a Mac, yes that's right even with administrator rights on your own computer Apple does not permit you to do that. The OS is so borked that you have to go through the process of booting into recovery mode and running a utility to disable that crap.

      They have also removed the option to run applications from anywhere from the security settings, you used to be able to choose from only the App Store, App Store and Trusted Developers (you know, trusted by Apple, not the user) and Anywhere, but now they have removed the 'Anywhere' option. The writing is on the wall that it is going in a very user-hostile direction and becoming exactly the opposite of Apple's portrayal of themselves in that 1984 ad.

      Apple apologists (and I'm not necessarily saying you are one at this point) have become that braindead that they are just goosestepping along and telling everybody how Apple is just doing this for your benefit, to protect you from yourself.

    8. Re: Get a proper computer by Anonymous Coward · · Score: 0

      Certification means Apple paid the Open Group to use the Unix trademark. You can still buy a metal vanity license plate with UNIX printed on from the Open Group's webpage it if you want a Unix license of your own.

    9. Re: Get a proper computer by Anonymous Coward · · Score: 0

      I drive a stripped (no options, not even air cond.) 2006 Ford Ranger that has been paid for about 7 years now. Good enough and easy to service.

    10. Re: Get a proper computer by UnknowingFool · · Score: 1

      How much of what you said is true? Unix 03 Certification requires testing and money.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    11. Re:Get a proper computer by UnknowingFool · · Score: 1

      Pretty useful if it's on a bullet list of requirements. "Must be Unix certified" is on a lot of equipment requirements I've seen when looking for Unix equipment.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    12. Re:Get a proper computer by UnknowingFool · · Score: 1

      They have also removed the option to run applications from anywhere from the security settings, you used to be able to choose from only the App Store, App Store and Trusted Developers (you know, trusted by Apple, not the user) and Anywhere, but now they have removed the 'Anywhere' option. The writing is on the wall that it is going in a very user-hostile direction and becoming exactly the opposite of Apple's portrayal of themselves in that 1984 ad.

      Well that's a bold faced lie. I just installed a bunch of applications the other day on a machine. None of which I got from the App Store or "Trusted Developers". I guess is that you don't know that OS X requires you to verify that you want to install something that you got off the Internet with a dialog confirmation. After clicking "Yes, install", it installed and ran fine.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    13. Re:Get a proper computer by WorBlux · · Score: 1

      What? Plain English please. If the only reason is to satisfy bureaucracy, then it doesn't really seem like a reason to me. Sure, you want hardware validated to your OS, but the UNIX specification doesn't include a Hardware Abstraction Layer, so any hardware validation is going to be OS specific and not portable like POSIX is.

      There probably is some legacy stuff floating around out there that nobody understands except that it goes haywire if compiled against anything out of spec, but you aren't going to find it on your average desktop or server.

    14. Re: Get a proper computer by UnknowingFool · · Score: 1

      [sarcasm]I don't know about you but when my company puts out a list of requirements for hardware and software, I just blatantly ignore them when purchasing things with their money. It's how I keep my job. Also the clients are ecstatic that I chose to override their wish list when we purchase for them. They are certain to pay the invoices faster when we ignore the spec sheet. I am showered with awards because I do this.[/sarcasm]

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    15. Re: Get a proper computer by WorBlux · · Score: 1

      Don't be thick. Is there a fundamental technical reason, and does it apply to your average desktop or server? Ya I get that you're a cog in a corporate machine and you have to obey the logic of the machine. The question is weather the machine is operating on good logic or old and broken assumptions that that are costing them money. And you can always sent a proposals back up the chain to modify requirements for reason a-c and x-z.

    16. Re: Get a proper computer by UnknowingFool · · Score: 1

      The day you pay my salary, I'll get advice from you about how not to listen to my company and my clients about their exact requirements. Until then, you're just an arrogant individual who thinks they know more than my clients about what they specified as a requirement. If it says "Must install Redhat Linux ES" that's what they will get. We don't install Ubuntu Linux and tell them they'll save money. If it says x86-64 processors with ECC support, we don't get them a Pentium D and a lecture about how they can use a cheaper processor and ECC is overrated.

      One of the main drivers of Mac purchases: It's realistically the ONLY Unix laptops that are available. Linux laptops you can get from any major manufacturer. Certified Unix laptops are only through Apple. And if they specify "Certified Unix" instead of Linux, they mean it because contrary to what you assume, most of our clients KNOW the difference. There's a reason that's beyond my pay grade and frankly it's probably beyond your pay grade.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    17. Re: Get a proper computer by WorBlux · · Score: 1

      Got it, You don't actually know if there's a technical reason or not, and how widely applicable it is.(Obviously I'm not aware of any otherwise I wouldn't have asked the question) Further, you don't really care as long as you get paid.

    18. Re: Get a proper computer by UnknowingFool · · Score: 1

      Let me make this absolutely clear to you on this point: you have no fucking clue as to why my clients specify "certified Unix" sometimes as they don't detail every single reason behind their requirements. But unlike you I don't presume to know MORE than my client about their needs especially when they make a specific requirement.

      Let me guess about the person that you are: if you were a waiter in a restaurant and a skinny person ordered diet soda, you'd just replace it with regular sofa because they didn't need to lose any weight. The fact that they might be diabetic doesn't matter to you. You know more than them and are willing to risk their lives for your fucking ego.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    19. Re: Get a proper computer by WorBlux · · Score: 1

      I'm the waiter telling you most people can't tell any difference between a $50 dollar bottle of wine and a $500 bottle. Maybe everyone who gets the $500 dollar bottle is a super-taster, but more likely they want to impress someone. Sure there are a few corner cases were you 99.999% need POSIX compatibility, but for most things 99.98% is good enough.

      Pulling a switcheroo is just plain silly and passive-aggressive (and nowhere did I suggest you do that), asking question about underlying technical requirements and new suggestions based on the answers is not.

      So going back to the wine analogy, and my original question. Are the order requirements actually about some vital technical difference in the product, or is it about something else?

    20. Re: Get a proper computer by UnknowingFool · · Score: 1

      I'm the waiter telling you most people can't tell any difference between a $50 dollar bottle of wine and a $500 bottle

      Despite the customer insisting to you that that is exactly what they want. You must hold down a lot of jobs in customer service.

      Maybe everyone who gets the $500 dollar bottle is a super-taster, but more likely they want to impress someone.

      Which would make it of your business, wouldn't it?

      Sure there are a few corner cases were you 99.999% need POSIX compatibility, but for most things 99.98% is good enough.

      Again how do you know what my clients want? You don't do you? You are imposing your opinion based on 0% knowledge of my clients. Thus complete speculation on your part.

      Pulling a switcheroo is just plain silly and passive-aggressive (and nowhere did I suggest you do that), asking question about underlying technical requirements and new suggestions based on the answers is not.

      No I answered your question: You don't know what my client needs are. You assume you know better than them. You also assume I don't know. You also assume that I am allowed to tell you or that you'd understand why. What I did tell you is that when a client makes a specific request that involves acquiring a Mac, they know what they are requesting because they request Linux machines all the time.

      So going back to the wine analogy, and my original question. Are the order requirements actually about some vital technical difference in the product, or is it about something else?

      As I said above: It's none of your business. At times, it's none of my business. The client requests it. We verify the request and then we fulfill the request. We don't try to pretend to be an arrogant asshole and challenge their request.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    21. Re: Get a proper computer by Anonymous Coward · · Score: 0

      The only reason for POSIX is to make software easier to port, it's not supposed to be a magic bullet for 100% compatibility.

      If you can port 99.9% of your code unchanged thanks to POSIX, and modify 0.1% to make it work, you and your client should be very very grateful.

    22. Re: Get a proper computer by UnknowingFool · · Score: 1

      That scenario would great if we wrote code or had any inclination to write or change code. We don't. We will install software and test it to ensure it works. So if a client asks for POSIX compatibility or specifies UNIX 03 or specify LSB 3.1, that's what they get. Because they might install software after we hand over the machines which we don't know about and they won't necessarily tell us.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  4. More LUDDITE lies! by Anonymous Coward · · Score: -1

    AppFS is the appiest app system, so the filthy LUDDITES are trying to ruin it by claiming it's worse than LUDDITE systems like LUDDITE NTFS and LUDDITE Linux!

    Apps!

    1. Re:More LUDDITE lies! by DontBeAMoran · · Score: 1

      If someone could combine the moocow guy, the apps guy and the hosts files guy into one combined, easy-to-read useless post, it would be neat.

      --
      #DeleteFacebook
    2. Re:More LUDDITE lies! by GameboyRMH · · Score: 2

      Apps are for cows, you bunch of non-HOSTS-file-modifying cows! You are all LUDDITE cows that don't use apps and leave your HOSTS files empty. Moo say the cows. YOU COWS. Apps can run on cows, but HOSTS files can block LUDDITE cows.

      Apps!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  5. Hashing by Anonymous Coward · · Score: 0

    Why does the password even exist to be recovered? I thought the first thing one did is hash the password and use the hash to encrypt/decrypt the volume. Also even the hash is not recorded anywhere, it would need to be entered each time.

    That way if some looked they would not see the password used.

    Of-course if you have the hash and know in detail how the volume is encrypted you can still get at the data, but you would need the hash and the exact method of encryption to do this.

    E.C.P.

    1. Re:Hashing by Anonymous Coward · · Score: 0

      mmmmm..... hash...... salted hash......

    2. Re:Hashing by bws111 · · Score: 1

      It doesn't need to exist. They just copied the wrong field when they saved the hint.

  6. BUY WINDOWS ONLY by Anonymous Coward · · Score: 0

    It's true Windows had some occasional security issues in the past. However, over the years they have all been closed. Meanwhile, Linux and MaxOS boxes are easily hackable and form the backbone of DDOS networks. Linux doesn't even auto-updates!!

    1. Re: BUY WINDOWS ONLY by Brockmire · · Score: 1

      Yum-cron My keyboard knew to autocomplete this and I've never typed that on my phone.

  7. WTF by nniillss · · Score: 1

    How can such a bug in a security sensitive component of OS-X be overlooked in testing?

    1. Re: WTF by Brockmire · · Score: 1

      Par for the course. Nothing was done after GotoFail, after all.

    2. Re:WTF by Anonymous Coward · · Score: 0

      Gotofail was not as bad as open source Heartbleed and Shellshock. Shitty fly by night programmers.

      Open source sucks.

    3. Re:WTF by thegarbz · · Score: 1

      How can such a bug in a security sensitive component of OS-X be overlooked in testing?

      Because the password hint field is often not considered critical functionality, test worthy or even security sensitive?

    4. Re:WTF by antdude · · Score: 1

      Maybe Apple has poor QA testings. Maybe they don't even have a QA department like many companies. Or maybe they ignored it from their external testers. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  8. Understandable common mistake by 140Mandak262Jamuna · · Score: 1
    You see it is common for people to switch the data between two fields when they enter it. Obviously the developer switched the fields and is showing hint for password, and password for hint.

    I once switched the username and password fields while creating the account in Slashdot and I am still living with it ;-)

    But my friend, who runs a small company, got the shock of his life when the bank clerk switched the amount and data while entering some transaction. (It was in Chennai, India, not fully automated banking). The bank debited 12102015 rupees from his account or something.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Understandable common mistake by TheFakeTimCook · · Score: 1

      You see it is common for people to switch the data between two fields when they enter it. Obviously the developer switched the fields and is showing hint for password, and password for hint.

      I once switched the username and password fields while creating the account in Slashdot and I am still living with it ;-)

      But my friend, who runs a small company, got the shock of his life when the bank clerk switched the amount and data while entering some transaction. (It was in Chennai, India, not fully automated banking). The bank debited 12102015 rupees from his account or something.

      That was exactly my thought; that this was a Developer brain-fart, not a design-flaw.

    2. Re: Understandable common mistake by Brockmire · · Score: 1

      Of course it wasn't a design flaw, it's a fucking process fail on the developer, the senior developer in charge, the lead QA manager, etc. How you can't comprehend the numerous fuckups is true Apple Kool-aid shit. Just stop commenting on Apple stories.

    3. Re: Understandable common mistake by TheFakeTimCook · · Score: 1

      Of course it wasn't a design flaw, it's a fucking process fail on the developer, the senior developer in charge, the lead QA manager, etc.

      How you can't comprehend the numerous fuckups is true Apple Kool-aid shit.

      Just stop commenting on Apple stories.

      So, you never make a mistake, right?

      It's not like people click on that Password Hint button very often. And Apple fixed it, PRONTO!

      Jeebus! I hope YOUR work could stand up to such scrutiny...

  9. DontBeAMoran show us you've done better by Anonymous Coward · · Score: -1

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    (APK's) work, I've flat out said it's good by BronsCon

    I've tried his hosts file generating software. It works by bmo

    APK your posts on this & the hosts file posts, and more, have never been in error &/or bad advice by BlueStrat

    Your premise that hostfiles are a good way to deal with advertising & malvertising is quite valid by JazzLad

    I like your host file system by Karmashock

    (NEED MORE? Ask!)

    * It's recommended/hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> China imitated me http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ ... apk

    1. Re:DontBeAMoran show us you've done better by Anonymous Coward · · Score: 0

      Dude you know DontBeAMoran can't. He's just another fake name for his fake life useless do nothing "ne'er-do-well" fuck!

    2. Re:DontBeAMoran show us you've done better by DontBeAMoran · · Score: 1

      You got that right. Anything that requires me to write posts longer than 100 characters is not an op

      --
      #DeleteFacebook
    3. Re:DontBeAMoran show us you've done better by Anonymous Coward · · Score: 0

      You're focusing too much too host file. It's irrelevant if you're using pirated version of Windows and Delphi.

  10. DontBeAMoran = "Run, Forrest: RUN!!!" lol by Anonymous Coward · · Score: 0

    See subject DontBeAMoran: You can't show you've done better (especially earlier)? Nope https://it.slashdot.org/comments.pl?sid=11197935&cid=55317113/

    * QUESTION: What's it like being a USELESS UNIDENTIFIABLE do-nothing "ne'er-do-well" BIG TALKER like you that TRIES to cut someone like ME down & YOU HAVEN'T DONE SQUAT BY COMPARISON?

    APK

    P.S.=> I'll answer the question above for you - it must SUCK to be "your kind" (a FAKE NAME for your FAKE LIFE fuck)... apk

  11. Re: The bug is in Disk Utility GUI volume creatio by Anonymous Coward · · Score: 0

    Lighten up Francine. Youâ(TM)re gonna have a stroke. And you probably suck as a developer so Iâ(TM)m guessing your anger is more directed at your own failures.

  12. DontBeAMoran show us you've done better by Anonymous Coward · · Score: -1

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    (APK's) work, I've flat out said it's good by BronsCon

    I've tried his hosts file generating software. It works by bmo

    APK your posts on this & the hosts file posts, and more, have never been in error &/or bad advice by BlueStrat

    Your premise that hostfiles are a good way to deal with advertising & malvertising is quite valid by JazzLad

    I like your host file system by Karmashock

    (NEED MORE? Ask!)

    * It's recommended/hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> China imitated me http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ ... apk

  13. Lack of clarity by Anonymous Coward · · Score: 0

    For such a serious issue there is a lack of clarity on the extent of the problem and what we need to do to mitigate.

    1. Does the bug apply to apfs-formatted encrypted disk images?
    2. Does the issue persist after the update on volumes/images you have already created? I assume yes, meaning everyone should do what? Just change the password, or does it have to be recreated from scratch?

  14. Hardly surprising this cropped up by Anonymous Coward · · Score: 0

    The 'new' Disk Utlity that has been around since El Capitan is a mess. It had to be updated for reasons apparently, but the old version was far FAR better, to the point that people patched the old verison to run on El Cap, maybe Sierra.

    It constantly does weird and wonderful things and has knackered my disk on more than one occasion, leaving me an unbootable machine that I've had to fix via diskutil from Internet Recovery mode.

  15. DontBeAMoran show us you've done better by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    (APK's) work, I've flat out said it's good by BronsCon

    I've tried his hosts file generating software. It works by bmo

    APK your posts on this & the hosts file posts, and more, have never been in error &/or bad advice by BlueStrat

    Your premise that hostfiles are a good way to deal with advertising & malvertising is quite valid by JazzLad

    I like your host file system by Karmashock

    (NEED MORE? Ask!)

    * It's recommended/hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> China imitated me http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ ... apk

  16. Fact: You never get the best of me & ran by Anonymous Coward · · Score: 0

    I don't use pirated of Windows or Delphi. THAT lie of yours ="best ya got"? Yes. Like you, It's not squat DontBeAMoran.

    * Additionally - Thanks for PROJECTING your own misdoings loser (trying to place them on ME).

    APK

    P.S.=> You don't have shit to your name (hence your use of UNIDENTIFIABLE anonymous posting)... apk