Apple Addresses a Bug That Caused Disk Utility in macOS High Sierra To Expose Passwords of Encrypted APFS Volumes (macrumors.com)
Joe Rossignol, writing for MacRumors: Brazilian software developer Matheus Mariano appears to have discovered a significant Disk Utility bug that exposes the passwords of encrypted Apple File System volumes in plain text on macOS High Sierra. Mariano added a new encrypted APFS volume to a container, set a password and hint, and unmounted and remounted the container in order to force a password prompt for demonstration purposes. Then, he clicked the "Show Hint" button, which revealed the full password in plain text rather than the hint. [...] Apple has addressed this bug by releasing a macOS High Sierra 10.13 Supplemental Update, available from the Updates tab in the Mac App Store.
When creating a new volume, it apparently puts the password into the password hints field.
If you create a new volume using command-line tools, things are fine.
The encryption is still OK; this bug just leaves the key to the front door under the mat.
Which is still appalling.
To a Lisp hacker, XML is S-expressions in drag.
And by proper computer, do you mean one that runs Redmond Spyware 10, or one of the many We-Are-The-Borg-systemD OS?
#DeleteFacebook
If someone could combine the moocow guy, the apps guy and the hosts files guy into one combined, easy-to-read useless post, it would be neat.
If by "proper computer", you mean a certified Unix 03 desktop then by all means get all the choices. Oh wait Apple seems to be one of the few choices left.
Well, there's spam egg sausage and spam, that's not got much spam in it.
It doesn't need to exist. They just copied the wrong field when they saved the hint.
Apps are for cows, you bunch of non-HOSTS-file-modifying cows! You are all LUDDITE cows that don't use apps and leave your HOSTS files empty. Moo say the cows. YOU COWS. Apps can run on cows, but HOSTS files can block LUDDITE cows.
Apps!
"When information is power, privacy is freedom" - Jah-Wren Ryel
How can such a bug in a security-sensitive component of OS X be overlooked in testing?
I once switched the username and password fields while creating the account in Slashdot and I am still living with it ;-)
But my friend, who runs a small company, got the shock of his life when the bank clerk switched the amount and date while entering some transaction. (It was in Chennai, India, not fully automated banking.) The bank debited 12102015 rupees from his account or something.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
So it seems that Apple fixed the issue faster than slashdot was able to publish its report?
Pretty much, yeah.
You got that right. Anything that requires me to write posts longer than 100 characters is not an op
Yum-cron My keyboard knew to autocomplete this and I've never typed that on my phone.
How useful is certification anyways say vs. LSB?
How much of what you said is true? Unix 03 Certification requires testing and money.
Pretty useful if it's on a bullet list of requirements. "Must be Unix certified" is on a lot of equipment requirements I've seen when looking for Unix equipment.
They have also removed the option to run applications from anywhere from the security settings. You used to be able to choose from only the App Store; App Store and Trusted Developers (you know, trusted by Apple, not the user); and Anywhere, but now they have removed the 'Anywhere' option. The writing is on the wall that it is going in a very user-hostile direction and becoming exactly the opposite of Apple's portrayal of themselves in that 1984 ad.
Well, that's a bald-faced lie. I just installed a bunch of applications the other day on a machine, none of which I got from the App Store or "Trusted Developers". My guess is that you don't know that OS X requires you to verify that you want to install something that you got off the Internet with a dialog confirmation. After clicking "Yes, install", it installed and ran fine.
What? Plain English please. If the only reason is to satisfy bureaucracy, then it doesn't really seem like a reason to me. Sure, you want hardware validated to your OS, but the UNIX specification doesn't include a Hardware Abstraction Layer, so any hardware validation is going to be OS specific and not portable like POSIX is.
There probably is some legacy stuff floating around out there that nobody understands except that it goes haywire if compiled against anything out of spec, but you aren't going to find it on your average desktop or server.
[sarcasm]I don't know about you but when my company puts out a list of requirements for hardware and software, I just blatantly ignore them when purchasing things with their money. It's how I keep my job. Also the clients are ecstatic that I chose to override their wish list when we purchase for them. They are certain to pay the invoices faster when we ignore the spec sheet. I am showered with awards because I do this.[/sarcasm]
Don't be thick. Is there a fundamental technical reason, and does it apply to your average desktop or server? Ya, I get that you're a cog in a corporate machine and you have to obey the logic of the machine. The question is whether the machine is operating on good logic or on old and broken assumptions that are costing them money. And you can always send a proposal back up the chain to modify requirements for reasons a-c and x-z.
The day you pay my salary, I'll get advice from you about how not to listen to my company and my clients about their exact requirements. Until then, you're just an arrogant individual who thinks they know more than my clients about what they specified as a requirement. If it says "Must install Redhat Linux ES" that's what they will get. We don't install Ubuntu Linux and tell them they'll save money. If it says x86-64 processors with ECC support, we don't get them a Pentium D and a lecture about how they can use a cheaper processor and ECC is overrated.
One of the main drivers of Mac purchases: they're realistically the ONLY Unix laptops that are available. Linux laptops you can get from any major manufacturer. Certified Unix laptops are only available through Apple. And if they specify "Certified Unix" instead of Linux, they mean it, because contrary to what you assume, most of our clients KNOW the difference. There's a reason that's beyond my pay grade and frankly it's probably beyond your pay grade.
Got it. You don't actually know if there's a technical reason or not, or how widely applicable it is. (Obviously I'm not aware of any, otherwise I wouldn't have asked the question.) Further, you don't really care as long as you get paid.
Let me make this absolutely clear to you on this point: you have no fucking clue as to why my clients specify "certified Unix" sometimes as they don't detail every single reason behind their requirements. But unlike you I don't presume to know MORE than my client about their needs especially when they make a specific requirement.
Let me guess about the person that you are: if you were a waiter in a restaurant and a skinny person ordered diet soda, you'd just replace it with regular soda because they didn't need to lose any weight. The fact that they might be diabetic doesn't matter to you. You know more than them and are willing to risk their lives for your fucking ego.
I'm the waiter telling you most people can't tell any difference between a $50 bottle of wine and a $500 bottle. Maybe everyone who gets the $500 bottle is a super-taster, but more likely they want to impress someone. Sure, there are a few corner cases where you 99.999% need POSIX compatibility, but for most things 99.98% is good enough.
Pulling a switcheroo is just plain silly and passive-aggressive (and nowhere did I suggest you do that); asking questions about underlying technical requirements and making new suggestions based on the answers is not.
So going back to the wine analogy, and my original question. Are the order requirements actually about some vital technical difference in the product, or is it about something else?
I'm the waiter telling you most people can't tell any difference between a $50 bottle of wine and a $500 bottle
Despite the customer insisting to you that that is exactly what they want. You must hold down a lot of jobs in customer service.
Maybe everyone who gets the $500 bottle is a super-taster, but more likely they want to impress someone.
Which would make it none of your business, wouldn't it?
Sure, there are a few corner cases where you 99.999% need POSIX compatibility, but for most things 99.98% is good enough.
Again how do you know what my clients want? You don't do you? You are imposing your opinion based on 0% knowledge of my clients. Thus complete speculation on your part.
Pulling a switcheroo is just plain silly and passive-aggressive (and nowhere did I suggest you do that); asking questions about underlying technical requirements and making new suggestions based on the answers is not.
No, I answered your question: you don't know what my client's needs are. You assume you know better than them. You also assume I don't know. You also assume that I am allowed to tell you, or that you'd understand why. What I did tell you is that when a client makes a specific request that involves acquiring a Mac, they know what they are requesting, because they request Linux machines all the time.
So going back to the wine analogy, and my original question. Are the order requirements actually about some vital technical difference in the product, or is it about something else?
As I said above: It's none of your business. At times, it's none of my business. The client requests it. We verify the request and then we fulfill the request. We don't try to pretend to be an arrogant asshole and challenge their request.
That scenario would be great if we wrote code or had any inclination to write or change code. We don't. We will install software and test it to ensure it works. So if a client asks for POSIX compatibility or specifies UNIX 03 or LSB 3.1, that's what they get, because they might install software after we hand over the machines which we don't know about and they won't necessarily tell us about.