Nov 29, 2017

If you have not already heard about it, Apple made a mindbogglingly stupid mistake with the latest release of macOS (previously known as OSX), leaving their users open to an incredibly easy exploit that would give anyone full access to any Mac they could get their hands on. Or in some cases, remotely.

The externally visible effect of the vulnerability is that a standard Unix account (root) that was supposed to be disabled was left with a blank password. Apple uses a very common Unix security mechanism under which the root account is never used as an ordinary account (i.e. nobody logs in as root), although the account has to exist so that legitimate privilege escalation works.

As an alternative, Apple uses sudo (and graphical equivalents) so that members of a certain group can run commands as root. Nothing wrong with that.

To keep things safe, Apple disabled the root account and because the account was disabled, left the password blank.

It turns out that the vulnerability was caused by a bug in Apple’s authentication system which resulted in blank passwords being reset and the account enabled. But it is more complicated than that; Apple made a number of mistakes :-

  1. The bug in the authentication system. No software is bug-free, but bugs are still mistakes. And precisely because no software is bug-free, it makes sense to take extra precautions so that a single bug cannot cause a cascade of problems.
  2. The root password should have been set to a random value, so that the account would still be inaccessible if it was accidentally enabled.
  3. Apple’s test suite, which hopefully they use to verify that new releases don’t contain previously identified bugs, should also check for this vulnerability.

The precise details don’t matter much; what matters is the principle of defence in depth.
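An audit check for the principle above, added here and not from the original post: it classifies the root account’s state from the AuthenticationAuthority attribute that `dscl` reports, so a release test (mistake 3 above) can fail when a root account that was meant to be disabled quietly becomes enabled. It assumes that `dsenableroot -d` marks a disabled account with the `;DisabledUser;` token and that a never-enabled root has no AuthenticationAuthority key at all; the sample records are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added audit check, not part of the original post: classify the state of the
# macOS root account from its AuthenticationAuthority attribute, the record
# that dsenableroot / dsenableroot -d edits when root is enabled or disabled.
# Assumptions: a disabled root carries the ";DisabledUser;" token, a root that
# was never enabled has no AuthenticationAuthority key at all, and a stored
# ";ShadowHash;" with no disabling token means the account can log in.

# classify_root_auth RECORD
#   RECORD is the text dscl printed (stdout and stderr combined).
#   Prints one of: never-enabled, disabled, enabled, unknown.
classify_root_auth() {
    record="$1"
    if printf '%s\n' "$record" | grep -q 'No such key: AuthenticationAuthority'; then
        echo "never-enabled"    # no login hash has ever been stored for root
    elif printf '%s\n' "$record" | grep -q ';DisabledUser;'; then
        echo "disabled"         # the state the release was meant to ship with
    elif printf '%s\n' "$record" | grep -q ';ShadowHash;'; then
        echo "enabled"          # a hash exists and nothing disables the account
    else
        echo "unknown"
    fi
}

# audit_root: run the live query on macOS, otherwise fall back to a
# constructed sample record so the script still runs elsewhere.
# Exit status 0 means root is disabled or never enabled; 1 is a finding.
audit_root() {
    if command -v dscl >/dev/null 2>&1; then
        out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1) || true
    else
        out='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
    fi
    state=$(classify_root_auth "$out")
    echo "root account: $state"
    case "$state" in
        disabled|never-enabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample records for demonstration (not from a real machine)
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_NEVER='No such key: AuthenticationAuthority'
```

Running `audit_root` from a release test turns the “root must stay disabled” requirement into a failing check rather than a hope.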


Oct 30, 2016

Meh.

With the sole exception of the touchscreen key strip that replaces the function keys, there’s pretty much nothing especially interesting about the new Macbook Pro machines from Apple. That is not to say they are not nice machines, but they are a bit under-specified for a “pro” laptop tag, although I suspect that quite a few people complaining about the lack of a dedicated GPU in the 13″ model fail to realise that most serious professionals do most of their heavy number crunching in the cloud and not on a light-weight laptop.

[Image: macbook-pro]

And frankly any laptop is light-weight compared to a rack-based server with a case full of Teslas.

A laptop is essentially a creative tool for accessing “the cloud” for anything that requires a real computer, and a 13″ Macbook Pro is fine for that (although the trendy tax is a touch high).

Now onto the function key replacement: As a devotee of the keyboard, I’m somewhat reluctant to cheer the replacement of real keys with a touch screen, but it could be quite a neat feature. In the old days when we used function keys much more widely than we do now, on-screen labels for what the function keys did were not uncommon … look at the bottom of the following screenshot :-

[Screenshot: norton-textra-writer-21-4]

And the ill-fated Apricot Computers had a competitor to the IBM PC which came with a keyboard that had six “soft keys” with LCD panels.

So Apple has not done anything new here, but when did they? Their core skill is taking technical innovations and making them user-friendly; I don’t have a problem with that.

This keyboard could be useful in many ways – in addition to resurrecting the old “function key labels” in a more usable way, there is also the possibility of using them to insert symbols that we should be using, but rarely do because they are not to be found on our normal keyboards. Depending on your profession (or inclination), there are different symbols we could or should be using – perhaps the copyright symbol ©, the interrobang ‽, or more. Of course how useful it becomes will be down to the relevant software developers.

Jun 12, 2013

Apple’s teaser of their replacement for the venerable Mac Pro has raised quite a few hackles “out there” amongst a certain kind of Mac Pro prospective customer. They’re wrong.

It is quite possible that Apple has done some extensive research on whether internal expansion with storage and PCIe cards is necessary or not. And it is quite possible that most of the old Mac Pros had not been expanded in this way.

But Apple are wrong too (and of course I’m right whilst everyone else is wrong :-P): Internal expansion is important for some people, and they are quite possibly the sort of people that you don’t want to antagonise. Specifically the enthusiasts who would rather keep their storage internal, who want to add accelerator cards of one kind or another, etc.

Whilst the enthusiasts may not be the majority of Apple’s customers, they do have a certain amount of influence. People asking the enthusiasts at the moment may well get told to get an old Mac Pro right now so they are not limited by the expansion capabilities of the new Mac Pro.

And there’s a way that Apple could have done both: kept the neat design of the new Mac Pro, and allowed the enthusiasts to have “internal” expansion. It could be done by simply allowing the new form factor to expand the case through the base – allow it to “click” onto a PCIe expansion cage, or a two-drive enclosure.

Sure that would require some sort of special bus in the base, and a sensible way of attaching cases to the base in a secure enough manner. But it would also mean that the new Mac Pro was as expandable as the old without the use of the cable tangle that most external devices require.

Take a look behind most large tower PCs and you’ll find a tangle of cables attaching screens, keyboards, mice, external drives, and odder devices. Apple’s new Mac Pro will just make this worse, when they could have done something even more radical and shown the industry how to improve the situation.

Nov 3, 2012

Previously I ranted about how Apple had “complied” with a UK court order by criticising the decision made by the UK courts and implying they had gotten it wrong. Now Apple have been dragged into court again to explain their lack of compliance, and been ordered to remove their previous statement and replace it with another whose wording has been dictated by the court.

Apple in a mind-blowing exhibition of stupidity tried to claim that whilst it would take just 24 hours to take down their previous statement, it would take up to 14 days to put up a replacement statement. For “technical reasons”.

Now as it happens, in addition to writing drivel on this website (where the only delay “technical reasons” might impose would be due to an infrastructure failure/upgrade, but “personal reasons” might well impose a 14-day delay), I have been involved in more “corporate” websites where content management systems can indeed impose “technical reasons” for a delay in updating a website. But not 14 days! More like a few hours, or at most 24 hours.

And if a content management system does impose a long delay in publishing website updates, it is always possible to bypass the CMS to publish emergency updates. Even if it is necessary to “break” the CMS to do so.

It may very well be that an internal approval process within Apple’s CMS normally requires 14 days for an update to be published. In which case the reason for the supposed 14 day delay is for “business reasons” rather than “technical reasons”.

Of course there is also another possibility. Given that Apple have recently launched new products, they may be very reluctant to put anything up on their home page (which the revised court order now requires) which distracts from their new product. You do have to wonder if this mysterious delay for “technical reasons” is in fact so that nobody gets distracted from the pretty pictures of Apple’s new products.

That would be very, very silly of them.

The court evidently did not think much of Apple’s excuse for why they could not put up a replacement statement promptly and has given them 48 hours to comply. So either Apple has to comply within 48 hours – demonstrating that they lied in court – or has to come up with detailed technical reasons why they cannot comply – which will demonstrate they are surprisingly incompetent when it comes to technical matters.

Neither alternative is comfortable for Apple executives, but this position is all their fault.

Oct 26, 2012

Apple actually lost a court case recently, and as part of the settlement they were asked to publish an apology in both printed media and on their website. Which may well come close to the letter of what they were obliged to publish, but in no way comes close to the spirit … and indeed may well be contempt of court. The relevant part of the apology reads:

However, in a case tried in Germany regarding the same patent, the court found that Samsung engaged in unfair competition by copying the iPad design. A U.S. jury also found Samsung guilty of infringing on Apple’s design and utility patents, awarding over one billion U.S. dollars in damages to Apple Inc. So while the U.K. court did not find Samsung guilty of infringement, other courts have recognized that in the course of creating its Galaxy tablet, Samsung willfully copied Apple’s far more popular iPad.

Or to re-phrase it: The UK courts are complete idiots and should pay closer attention to the judgements reached in the US and Germany which of course have far wiser judges. If I were that UK judge I would order Apple to pay “over one billion dollars” to the court and prohibit Apple from selling any products in the UK until it was paid.

You do have to wonder just how dumb the relevant executives at Apple are. When you are forced into publishing an apology, the sensible thing is to do just that … and not try to weasel out of the apology by saying “but ….”.