
Apple security blunder exposes Lion login passwords in clear text - Empro
http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963
======
tptacek
I can't name a single person who ever used "Legacy Filevault"; that's the
"encrypt your home directory" thing from Leopard. This issue doesn't impact
Lion FDE at all. Lots of people use Lion FDE.

Even the subhed on this story is misleading, and the lede paragraph seems to
go out of its way to bury the true article lede, which is "if you're using
FileVault home directory encryption, this impacts you" --- instead, it says
"in specific configurations".

More generally: can anyone name a single case where ZDNet has broken a story
we cared about? Even in this case, ZDNet is rehashing stuff published
elsewhere earlier.

~~~
mrich
I find it interesting how Apple is defended when they make security blunders,
while Microsoft was heavily slammed back in the day.

It is simply unacceptable that a user basically reported the issue on their
support forum and didn't even get an answer back.

~~~
tptacek
Every single time the topic of Microsoft's security track record has come up
on HN, I've waded in to point out what a great job Microsoft has done. Here's
one of my highest rated comments from several years ago:

<http://news.ycombinator.com/item?id=577684>

Now, I don't disagree with your general point: Microsoft gets more scrutiny
than Apple does on HN about security, and Apple enjoys an inflated perception
of platform security here --- I attribute that to a general Unix bias, by the
way, and not to Apple fandom.

But please be careful to note that _I'm not a part of that phenomenon_. You
will, if you dig, find comments of mine that are critical of Apple security;
you will probably not find comments critical of Microsoft's security
practices.

(To be clear: securing a whole platform is an incredibly difficult job, and
platform software security talent is some of the hardest to find in the whole
industry; both Apple and Microsoft take this stuff seriously and, compared to
2002, both do a fantastic job. Also: the security of the iOS platform is a
different story than of the OS X platform.)

~~~
zobzu
I don't see how comment history makes a separate comment more truthful. If
anything, it makes people less likely to have proper critical thinking because
they know you.

Which is exactly what he points out about your comment, but related to Apple.
You know Apple, thus you're less likely to criticize them properly.

It doesn't mean what you wrote is entirely wrong, but I think he has a point.
MS is very harshly criticized for any security issue, no matter how small, and
hey, that's probably a good thing.

For Apple if there's any possibility we find them.. excuses.. really? (and the
"I don't know anyone who used file vault before!" sounds terrible, to be
honest)

~~~
gruseom
tptacek has been the most prominent defender of Microsoft's security practices
on HN for years. Everything you guys are saying about how Apple get off easy
while MS get slammed, he has said repeatedly and more coherently. And out of
direct experience to boot.

It just didn't happen to be - and still isn't - relevant here.

~~~
zobzu
My point is that it doesn't matter. For example if you follow my thread of
comments some are going to be rated way up and actually be pretty insightful.

You'll notice sometimes I'm also wrong and make errors. You could get a strong
opinion of me either way (good, or bad) by reading that.

If we were to know pretty well each person (like they do in smaller forums or
places where the nickname and history is highlighted), we'd always agree and
disagree with the same persons in _general_ (there's always exceptions).

And the person's reply was made on a single post, which I think is the way to
go.

I don't know if HN nicks are small and history not as easy to follow as in
some other sites on purpose, but I like it.

Now, I've been way off topic, sorry :)

Slightly more on topic tho: MS ain't perfect security-wise either, even though
they've made huge progress. Microsoft research also has very interesting
attempts such as Singularity or Gazelle. I don't know any other company doing
that. That's one place I'd want to work for MS.

------
greghinch
While I agree that this is a security hole and it should be fixed, a headline
like that is completely misleading and a scare tactic to drive eyeballs to the
article. This flaw only would affect a very small subset of users, but the
headline makes it sound like everyone just had their passwords compromised

~~~
sakopov
What I got out of the article seems to be more important than the number of
users this could impact.

1. A vital piece of the operating system was compiled with debug flags intact.
2. Apple's lack of response on the issue.

I think this goes hand-in-hand with the recent Kaspersky statement about Apple's
poor security considerations.

~~~
bilbo0s
Those are definitely the two 'take-aways'. If there is a hole here... there
may be other holes that might be REAL security threats.

Other people are correct as well, in that the headline is link bait. I was
expecting to find a way to get clear text passwords from my test OSX Lion
setup. I can't actually do that on my test system, and I'd wager the vast
majority of hackers can't pull that off either. At least not without changing
the setup.

Of course... probably my fault for believing you could.

~~~
Zr40
> If there is a hole here... there may be other holes that might be REAL
> security threats.

The presence or absence of a specific issue is not indicative of the presence
or absence of any other issues.

~~~
micaeked
the presence of issues indicates higher probability of more issues

------
Xuzz
Note: only applies to people using the old "FileVault" on Lion, not the new
"FileVault2" (the one with full-disk encryption).

------
joshmlewis
So are there literally security researchers that go and poke around every
release of everything major in the software industry to find things like this?

~~~
ams6110
There are. It's the main reason why "security through obscurity" isn't a good
idea. There are people who spend their working days searching for this kind of
stuff. Log files are probably one of the first places they would look for
clues.

~~~
skeletonjelly
`grep password` isn't the hardest thing to do either
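
skeletonjelly's `grep password` remark, carried one step further as an added example (this is not code from the thread, from ZDNet or from Apple): a small log scanner that flags lines carrying a credential value and reports them with the value masked, so the audit output does not itself become a second copy of the secret. The pattern set, the `Finding` type and the sample log lines are all my own construction; the sample imitates no real OS X log format.

```python
"""Scan log text for lines that carry a cleartext credential value.

Added example, not code from the thread or from Apple. The sample log lines
are constructed for this demonstration and imitate no real OS X log format.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Each pattern names the credential value as the group "secret" so that the
# finding can be reported with only that span masked.
PATTERNS = [
    # key/value forms: password=hunter2, passwd: hunter2, "password": "hunter2"
    re.compile(r'(?i)\b(?:password|passwd|pass|pwd)["\']?\s*[:=]\s*["\']?(?P<secret>[^\s"\']+)'),
    # credentials embedded in a URL: scheme://user:secret@host
    re.compile(r'(?i)\b[a-z][a-z0-9+.-]*://[^\s/:@]+:(?P<secret>[^\s@/]+)@'),
]


@dataclass
class Finding:
    source: str
    lineno: int
    redacted: str   # the offending line with every secret replaced by <redacted>


def redact_line(line: str) -> Tuple[str, int]:
    """Mask every credential value on one line; return (masked_line, count)."""
    total = 0
    for pat in PATTERNS:
        def _mask(m: "re.Match[str]") -> str:
            # keep the key and separator, drop only the value itself
            s = m.string
            return (s[m.start():m.start("secret")] + "<redacted>"
                    + s[m.end("secret"):m.end()])
        line, n = pat.subn(_mask, line)
        total += n
    return line, total


def scan_lines(lines: Iterable[str], source: str = "<unknown>") -> List[Finding]:
    """Return a Finding for each line on which at least one secret was masked."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(lines, 1):
        masked, n = redact_line(raw.rstrip("\n"))
        if n:
            findings.append(Finding(source, lineno, masked))
    return findings


def scan_text(text: str, source: str = "<text>") -> List[Finding]:
    return scan_lines(text.splitlines(), source)


def scan_file(path: str) -> List[Finding]:
    # errors="replace" keeps a stray non-UTF-8 byte from aborting a long scan
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh, path)


# Constructed sample: lines 2, 4, 5 and 6 leak a value; lines 1, 3 and 7 only
# mention passwords without exposing one and must not be reported.
SAMPLE_LOG = """\
May  5 10:12:01 mac authd[412]: DEBUG: checking password for user alice
May  5 10:12:01 mac authd[412]: DEBUG: mount home for alice password=S3cret!pw
May  5 10:12:03 mac sshd[455]: Failed password for bob from 10.0.0.7 port 51022 ssh2
May  5 10:12:09 mac backup[501]: running rsync --password=BackupKey9 to nas
May  5 10:12:15 mac fetch[520]: GET https://svc:tok3n@api.example.test/v1/status
May  5 10:12:20 mac api[530]: request body {"user": "alice", "password": "Pa55word"}
May  5 10:12:25 mac passwd[600]: password changed for alice
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG, "sample"):
        print(f"{f.source}:{f.lineno}: {f.redacted}")
```

A plain `grep -i password` over the log directory gets you the same hits, but it echoes the secret into your terminal scrollback or the ticket you paste it into; matching on the key-plus-separator shape and masking only the value keeps the evidence without repeating the leak. Lines that merely talk about passwords ("Failed password for bob") are deliberately not reported, which is what separates a useful sweep from a wall of false positives.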

------
vectorpush
Only slightly related, but this thread bears a striking resemblance to another
HN exploit discussion:

<http://news.ycombinator.com/item?id=3925452>

The exact same back and forth:

Wow! This is _really_ bad... but it only affects a small subset of users...
but they knew about it for months and didn't fix it... come on, nobody real
actually _uses_ such a setup... what about me... you're all fanboys, this is
just another example of how your religion doesn't hold security as a core
tenet among its faithful.

------
sliverstorm
Go on, let's hear about how _devoted_ Apple is to security again.

~~~
ams6110
Seems more like a QA problem to me, there should be some tests in the QA of a
final release build that make sure all the debug flags are turned off.

~~~
sliverstorm
That's my point. "Security" is a complete package, that includes good QA.

------
zobzu
Original link: (not zdnet)

<http://cryptome.org/2012/05/apple-filevault-hole.htm>

------
robomartin
Does anyone else think that it is slimy for ZDNet to interpret clicks on the site
background as the user clicking the ad below the nav-bar?

As an advertiser I would feel defrauded. Not one person clicking on the
background is doing so out of interest in the advertiser's product.

How common is this practice?

~~~
sp332
I'm definitely not seeing that behavior. There was a pop-over ad that I had to
skip though. I guess if that were malfunctioning / transparent, you wouldn't
realize there was an ad frame hovering over the text?

~~~
robomartin
Perhaps I wasn't clear. It's not the white background, it's the patterned
background to the right and left of the content area. To be more precise, they
have two divs with class "skinClick" set up on the right and left of the
"content" div. You click on either one of those and it's the same as having
clicked on the ad just below the nav-bar.

I tested in Safari, Firefox, IE and Chrome, same behavior. There's also the
"Wait, your page is loading" popup ad you mentioned.

~~~
sp332
Oh, I see. Sorry my browser window wasn't that wide, I didn't even notice that
background.

------
millzlane
Steve called, he said "Just don't use it that way".

On a serious note, this has happened before. This is just the first time
anyone has caught it before a patch. The QA at Apple is pretty noteworthy.

------
remixhacker
the Console Message Inspector is pretty useful, it shows a lot of stuff that
is normally hidden.

------
thespin
I thought FireWire was being phased out. (Doubtfully due to security
considerations. If I recall, Intel has something faster that uses a USB port.)

I have some older hardware, which was state of the art when I bought it, that
uses FW.

Is FW going to go the way of PCMCIA and CardBus?

~~~
bodyfour
"Target mode" also works with Thunderbolt. In fact it used to work with SCSI
as well; it far predates OS X as a feature on Macs. It doesn't work over USB
though.

The stuff in the article about Firewire mode being involved is really a red
herring. You would have the same problem if your stolen laptop were opened up
and the harddrive removed. Firewire target mode is just a less-invasive way of
doing the same thing.

~~~
0x0
BTW, another curious part of firewire (unrelated to target mode) is that a
firewire device can read and write RAM from a running PC, without interaction.
Even when you have "locked the workstation". Random google link:
<http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation>

~~~
bodyfour
Yes, a FireWire device has the ability to do whatever DMA requests it wants. This is
a throughput advantage (especially when processors were slower) since the host
CPU only has to set up the data transfer and the rest can happen in hardware.
Back in the day, FW400 would beat USB2 in most benchmarks even though the raw
bandwidth of USB2 is 20% higher.

The solution to this is to use an IOMMU, which protects memory from DMA
traffic just like the CPU's MMU protects it from userland processes. However,
I don't know if any current Mac laptops do this.

Thunderbolt, ExpressCard, and PCMCIA ports have the same issue although it'd
require some fancier hardware to exploit. I think SD cards as well, but I'm
not 100% sure about that.

USB isn't vulnerable to this because the protocol is more like a network card:
devices send you packets rather than initiating direct DMA.

