Slashdot Mirror


macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives (bleepingcomputer.com)

Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to macOS security experts Wojciech Regula and Patrick Wardle. From a report: The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers. On macOS, these thumbnails are created by Finder and QuickLook. Finder is the default macOS file explorer app, similar to Windows Explorer. Whenever a user navigates to a new folder, Finder automatically loads icons for the files located in those folders. For images, these icons are gradually replaced by thumbnails that show a preview of the image at a small scale.

8 of 140 comments

  1. Re:Does Windows Explorer do it differently, or Lin by Anonymous Coward · · Score: 2, Insightful

    The difference is you can find out exactly what a Linux file manager does, while how MacOS works is a proprietary trade secret.

    But Red Hat squandered that advantage with systemd and Gnome 3

  2. Wait. What? by SvnLyrBrto · · Score: 3, Insightful

    > these cached thumbnails are stored on non-
    > encrypted hard drives, ... content stored on
    > encrypted containers.

    This does not make sense. If the hard drives are encrypted by FileVault, the storage location for these thumbnails would be encrypted too. Where else is this cache supposed to live? I'm pretty sure that Apple does not add an extra, secret, non-encrypted drive to everyone's Macs so as to cache these silly little images. And as if the summary weren't bad enough, it gets worse when you read the article. QuickLook isn't new, as they claim. It was introduced as part of Leopard, more than a decade ago. And a quick check on my CLI shows that TEMPDIR is very much part of my encrypted root volume. I'm thinking these people are not the "macOS security experts" they claim to be, and msmash failed as an editor in not properly vetting the article he chose to post.

    --
    Imagine all the people...
  3. Re:Duh! by fluffernutter · · Score: 4, Insightful

    That's an awfully obscure point to know for an OS that is supposed to both be secure and 'just work'. Put those two together, and security should just work, not require you to understand this distinction. Your comment amounts to, "you're encrypting it wrong".

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  4. Re:Duh! by fluffernutter · · Score: 4, Insightful

    Doesn't matter, it shouldn't be an option to be left open. It might be ok if it explained that "Apple reserves the right to copy any data from another device to your system drive so do not assume all data is encrypted unless your system drive is encrypted". But I doubt it says that, because that alone would be confusing to people, so they should just not automatically copy data off an encrypted drive, period.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  5. Re:Duh! by I'm New Around Here · · Score: 5, Insightful

    and then when it crashes and you can't slave it into another system to get data from it, you're hosed.

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
  6. Re:Does Windows Explorer do it differently, or Lin by fluffernutter · · Score: 3, Insightful

    I'm pretty sure users have to wait a whole second for the thumbnails to be generated if the Thumbs.db file cannot be written to the media.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  7. Re:Duh! by Anonymous Coward · · Score: 2, Insightful

    I live in a universe where the same people come to me each month for their email password. Let those people buy Macs with default encryption? They exist everywhere and you would have a PR nightmare. C'mon, this isn't a dreamworld we get to live in.

  8. Re:Does Windows Explorer do it differently, or Lin by Anonymous Coward · · Score: 2, Insightful

    ~/.cache/thumbnails -> /dev/null