Apple To Review Software Practices After Patching Serious Mac Bug (reuters.com)
Apple said on Wednesday it would review its software development process after scrambling to patch a serious bug it learned of on Tuesday in its macOS operating system for desktop and laptop computers. From a report: "We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused," Apple said in a statement. "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."
Not a Mac fan, but this is the most honest, respectable response to a mistake I've seen from a corporation in a long time.
Props, Apple.
A government is a body of people notably ungoverned - AC
I translated it as: this was a known issue to the underlings, but it was never allowed to be addressed by the middle managers; or this problem was a very to spot problem (probably some debug code that didn't get removed) that was allowed to get released.
However, compared to other companies, at least Apple is publicly admitting the problem. Some companies may patch the problem but not state any details about it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
You're releasing it wrong.
Well, other than this one, how many other viruses or gross hacks were there in the past 15 years?
I can remember only 3 or 4 major ones during this time. The rest were on par with the normal security fixes that everyone puts out, mostly getting access to stuff as a user already logged into the system.
That's what I call courage
I think this is a much broader problem. This isn't just about Apple. This is about almost all software today that has been developed by Millennial (some people use the term "Hipster") developers.
Millennials have been in the industry for about 10 years now, and these past 10 years have been some of the worst in terms of software quality.
Just look at the destruction they've left behind them. Windows 8, 8.1 and 10. GNOME 3. Firefox 4 and later. Systemd. Wayland. Slashdot Beta. NoSQL. The list goes on and on.
The Gedit text editor is an excellent example of how formerly-usable software has been destroyed. This is what Gedit used to look like. At that point it had a sane, easy-to-use, functional UI. This is what Gedit has become. It's like 50+ years of accumulated experience and knowledge has been discarded for no good reason, and the end result is a disaster.
What we have is a generation of software devs who are far too focused on aesthetics and trendiness, with little to no care put toward usability, security, and reliability. They go out of their way to ignore everything we've learned about doing things right. They do things their own way, and it's a disaster.
This isn't even a get-off-my-lawn situation. Many of us who are appalled by these developments are late Gen X'ers. We aren't even that much older than the Millennials who have caused so many problems! In fact, many of us spend our days trying to bring some sanity to otherwise disastrous workplaces. We remember how software used to be developed, yet we're so outnumbered by Millennials that we just can't keep up.
It was excusable when security flaws and usability problems were accidentally introduced by earlier generations because they were doing pioneering work, and the concepts behind these security flaws and usability problems hadn't even been discovered yet. But the industry should be far beyond that now. The knowledge is there, it's just that Millennials choose to totally ignore it.
This was posted as recently as November 13, as a "solution" to an issue of not having an administrative account: https://forums.developer.apple...
There's all kinds of cosmetic and usability bugs floating around, and Apple doesn't seem to be in a hurry to fix them. They're the kind of bugs that aren't showstoppers but are still very annoying or can result in bad data.
The Calculator bug in iOS is one example of a recent bug that can produce bad data and wasn't fixed until iOS 11.2 (which isn't out yet!), even though it was reported way back in the 11.0 beta, before the OS was released to the public.
Another recent issue, though less important, is that the Weather widget will randomly stop updating, so you'll be seeing last night's weather instead of right now. This bug was also reported several versions ago and is as yet unfixed in the latest 11.2 beta.
I know bugs happen; nobody is perfect. But these are obvious, reproducible bugs that are not being fixed after being reported months prior. What the hell, Apple?
That's a really bad summary. Yes, part of the problem is that Hipsters care too much about looks. But you ignored the other serious problems that the GP mentioned:
1) Hipsters go out of their way to be ignorant. They don't want to learn about security, so we get atrocious security flaws in the software they write. They don't want to learn SQL, so we get atrocious NoSQL databases to deal with. They don't want to learn about how their users use software, so we get awful UIs. They don't want to learn C++, so we get a terrible language like Rust.
2) There are too many Hipsters. No matter how much effort responsible programmers put in trying to fix the many problems created by Hipsters, these responsible programmers will always fall behind just because the Hipsters crank out so much crap at such a fast pace. It's like riots and looting, where a relatively small number of police officers and store owners are absolutely overwhelmed by a much larger crowd of thugs.
I'd like to add another problem:
3) Too few people are willing to identify the real problem: Hipsters. The blame is placed on companies or entire open source projects, for example, rather than the Hipsters who are responsible for the problems. It really doesn't help that the Hipsters have adopted Codes of Conduct into their projects that they then use against anyone who dares point out the problems they've caused. That's why Rust has turned into the mess that it is, for example. Criticism and pointing out of flaws is strictly forbidden within Hipster-dominated software projects.
I don't think they can do that. If anyone can download and compile the MacOS source code, and tweak it to run on different computers, Apple's hardware sales will go down the drain.
Yes, it would get rid of a lot of bugs. But it would also get rid of Apple itself. I'm not saying that would be a bad thing, just that it would be monumentally stupid.
Because it's 2017 and the green site STILL can't handle Unicode?
The blank root password attack is only a local privesc in the default config too...
It works over screen sharing, but that's not enabled by default.
It doesn't seem to work on the local login screen, at least on the machine I've tried (plus, by default, the local login screen shows you a list of users and doesn't let you type a username).
To exploit on a default system you need to have local access to an unprivileged user account, and from there you can get root.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
It depends on the situation. Since, AFAIK, it requires physical access to the computer, it wasn't really a problem for people with home computers. For people traveling with laptops, or workplaces with Macs, it was a huge security problem.
It was exploitable over remote desktop, but not over SSH. So, depending on how you have your computer configured, it may have been remotely exploitable (assuming a VPN or local network connection, or an insecure router/firewall configuration).
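The two posts above draw the distinctions that matter for an admin: whether root has been (silently) enabled on a given Mac, and whether the box exposes screen sharing, the remote path the bug is reachable over. As an added example that is not from any commenter and not Apple's own tooling, the small audit script below turns those distinctions into a check. It classifies the output of `dscl . -read /Users/root AuthenticationAuthority` and of `launchctl list`, combines them into a risk label, and names the remediation. The exact dscl wording, the `com.apple.screensharing` launchd label and the `sudo passwd root` remediation are assumptions about macOS 10.13 rather than facts stated in the thread; the sample outputs embedded at the bottom are constructed so the helpers can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added audit example for the blank-root-password issue discussed in the thread.
# Nothing here comes from Apple or the commenters. The indicators it keys on are
# assumptions about macOS 10.13 behaviour:
#   - a disabled root record has no AuthenticationAuthority attribute, so
#     `dscl . -read /Users/root AuthenticationAuthority` reports a missing key;
#     once root has been enabled (which is what the bug does), the attribute is present.
#   - `launchctl list` (system domain, so run with sudo) shows com.apple.screensharing
#     when Screen Sharing / Remote Management is switched on.

# root_state DSCL_OUTPUT -> prints "enabled" or "disabled".
root_state() {
    if printf '%s\n' "$1" | grep -q '^AuthenticationAuthority:'; then
        echo enabled
    else
        echo disabled
    fi
}

# remote_surface LAUNCHCTL_OUTPUT -> prints "screensharing" or "local-only".
remote_surface() {
    if printf '%s\n' "$1" | grep -q 'com\.apple\.screensharing'; then
        echo screensharing
    else
        echo local-only
    fi
}

# exposure ROOT_STATE REMOTE_SURFACE -> one-word risk label mirroring the thread:
# enabled root reachable over screen sharing is the worst case; enabled root on a
# local-only box is still a local privesc; disabled root means the bug has not
# been triggered on this machine (yet).
exposure() {
    case "$1/$2" in
        enabled/screensharing) echo HIGH ;;
        enabled/*)             echo MEDIUM ;;
        *)                     echo LOW ;;
    esac
}

# remediation LABEL -> the action an admin should take for that label.
remediation() {
    case "$1" in
        HIGH|MEDIUM) echo "set a real root password (sudo passwd root) and apply Apple's update" ;;
        *)           echo "apply Apple's update; re-run this check after any failed login attempt" ;;
    esac
}

# audit_live: runs the real commands on a Mac. Not exercised by the offline test.
audit_live() {
    rs=$(root_state "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")
    sf=$(remote_surface "$(sudo launchctl list 2>/dev/null)")
    label=$(exposure "$rs" "$sf")
    echo "root=$rs remote=$sf exposure=$label"
    echo "action: $(remediation "$label")"
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_ROOT_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ROOT_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;root@LKDC:SHA1.0000;LKDC:SHA1.0000'
SAMPLE_LAUNCHCTL_SS='PID	Status	Label
-	0	com.apple.screensharing
123	0	com.apple.coreservicesd'
SAMPLE_LAUNCHCTL_NONE='PID	Status	Label
123	0	com.apple.coreservicesd'
```

Run `audit_live` on a 10.13 machine to get the label for that box; the offline samples show the three outcomes the thread describes (enabled+screen sharing, enabled+local-only, disabled).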
Apple's response is just PR-driven BS, and your comment does NOT deserve the "insightful" moderation the shills and sakura gave it. The only insight from your comment is that you have minimal contact with Apple.
Try and honestly criticize Apple in an Apple-controlled venue and you will find out what total lack of respect means in a profit-dominated context. For example, if you had tried to describe this rather horrendous security problem and gotten too negative, I predict you would have found your comment blocked. Based on my years of experiences involving a MacBook Pro (which I still use on a daily basis for certain tasks), I actually think Apple has automated the censorship using sentiment analysis of the draft comment. Or perhaps it's profile-driven by the secret dossiers they have on each of us?
I could write a more substantive response on the topic, but here on Slashdot such a comment would merely be shouted down by pro-Apple fanbois with mod points to burn. Not worth the time, though I will donate a few seconds for a rerun of the capsule version:
Capitalism and communism are dead. Our new religion is corporate cancerism. There is no gawd but profit, and Apple is gawd's chief prophet.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Now dump the "thin is king" hardware devs and get some real workstations. iMac Pro with no RAM door? Come on, it's not that hard!
Mynd you, moose bites Kan be pretty nasti...
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
It's embarrassing for ./ really. The Content-Type header says "charset=utf-8". And they could have easily fixed the form with a slight tweak to ./'s HTML. Example: <form action="//apple.slashdot.org/comments.pl" method="post" accept-charset="ISO-8859-1">
“Common sense is not so common.” — Voltaire
Why use so many words? You could have packaged all that into a single sentence:
Blasphemy!! Summon the Holy Inquisition !! BUUUUUUURN THE HERETIC!!!
It *used* to be. Now their hardware is nothing more than a gratuitously expensive appliance.
If I could easily run OSX on non-apple hardware, I'd do it in a heartbeat. (And when I say run, I mean perfectly, flawlessly, without something not working right)
I'm still using a 2010 MBP because every version they put out afterward is more and more annoying. Can't replace the battery. Can't replace storage. Can't replace ram. Now you don't even get a USB 3 or HDMI port. It's offensive.
They claim that it's "future proofing" the machine. That's nothing but a lie to mask their efforts to gouge the crap out of people on dongles.
Also, the Darwin kernel, i.e. BSD on Mach, is already open source. Even though it is BSD-licensed rather than GPL-licensed, and they'd be legally allowed to keep their very extensive changes secret, Apple still releases their changes:
https://opensource.apple.com/s...
They don't release all the kernel mode code though - e.g. they don't release the source code to "Dont Steal Mac OS X.kext":
http://www.osxbook.com/book/bo...
They also don't release the source code for the user mode stuff, but then they don't have to.
And it seems like they already get the benefit of any 'many eyes make all bugs shallow' effect from opening up the kernel.
'Many eyes make all bugs shallow' is bogus anyway. It's not like many people are going to sit, read the source to something and find a vulnerability. And even if they did there's nothing to stop them selling it to someone other than the vendor - e.g. Russian/Chinese mafia, NSA, GCHQ etc probably all pay better.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
iOS has a "feature" where the OS pops up a request for your Apple ID credentials at random times. Open Pandora and you'll get a popup. Open pretty much anything and the popup appears. There's no provenance to the popup, so you don't know what part of the OS is asking for the credentials or why. Backup works without answering the request, as you can be signed into iCloud and still get the popup.
My response is to dismiss the popup and continue with what I'm doing, but it's a PITA. A naive user will enter their credentials in the hope the "feature" is mollified, which it sometimes isn't.
The correct way for iOS to ask for the credential is for the popup to say "Open Settings/iCloud (or whatever) and enter your Apple ID." Settings would second the request by posting a little icon indicating there's a response pending, à la a text message. An animation within Settings would guide the forgetful user if the path is more than one level deep, so they'd navigate to the proper iOS setting to satisfy the popup. The point of all that is that you know you're talking to Settings when you provide credentials.
The current scheme is ripe for an app to steal your Apple ID. Write an app that does something kind of useful, wait for the 10th or 20th run, and pop an identical popup that looks just like the OS popup. The user can't tell if it's the app or iOS asking and enters their credentials. Voila, you have access to the user's Apple ID. A little more elided hacking will circumvent 2 factor if it's enabled.
So much water has gone under the bridge that I guess an obvious attack is new again.
To exploit on a default system you need to have local access to an unprivileged user account, and from there you can get root.
It's not like that's a minor issue, though. People always go, "Well if you have physical access to the machine, anything goes..." But imagine this scenario: You hate somebody at work and they walk away from their Mac without putting it to sleep. You walk over, gain root access, AND set a password for the root account. So now, even if the machine is put to sleep or switched off, you still have access to it.
Breakfast served all day!
I'm not sure millennials are to blame. Driving this breakneck pace of software development is corporations looking to make a quick buck with little thought or care given to security or quality. It's crank it out or we'll get someone who can. So they inspire this sort of crapfest.
I don't believe in karma, I just call it like I see it.
Even OS X has gone from great to "meh". I don't see many companies bothering to write Mac specific games. macOS is the only mainstream OS with no iSCSI capability. Apple is sitting on a ton of cash, they might as well throw a bit to make macOS a generation or two ahead of the pack. A few ideas that Apple can do:
1: Things like hierarchical storage volumes, where when accessing a file, macOS will fetch it, or prompt you to connect the media (external HDD, CD, etc.) so it can access it. That way, you can store documents locally, have them get moved to iCloud, and transparently backed up to Time Machine, as well as a third party cloud provider (Amazon S3, Wasabi, Backblaze, etc.) It handles where the files and their backups are and warns the user if backups are not accessible... the user just accesses them through a volume. Security/encryption can be done at a file/folder level, so files can be easily shared or secured.
2: Better enterprise-tier management, as in being able to be managed via GPOs. Companies would move to Macs en masse if they could be managed as easily as the Windows desktops.
3: Better remote access, perhaps bring Back to my Mac up to par with LogMeIn or TeamViewer, with two-factor authentication, as well as optional authentication to the machine.
4: The ability to virtualize macOS for VDI systems.
5: The XServe back, with a built in hypervisor and license. It would be nice if it were bundled with ESXi, to help with item #4.
Apple has so much cash, it is surprising that they haven't just tossed some man-hours into keeping well ahead of their competition with their products.
I hate that Slashdot doesn't let you mod in the same thread you posted in. I'd totally give this a +1. I agree entirely.
The only saving grace is that they haven't fucked up Mac OS as badly as Microsoft has fucked up Windows.
Although apparently you *can* have multiple users log in remotely to a single computer, VDI style. The problem is that they use some variation of VNC, so you're trapped in the resolution of the physical monitor. Apparently some company tried to put out an RDP server for OSX but Apple shut them down. RDP support on Mac would be phenomenal.