
APFS encrypted plaintext password found in another log file - chmars
https://www.mac4n6.com/blog/2018/3/30/omg-seriously-apfs-encrypted-plaintext-password-found-in-another-more-persistent-macos-log-file
======
oneplane
This is rather crappy QA or the lack of verification of the QA process at
Apple. I really hope they pick up the slack they have been forming over the
past ~5 years, it's starting to get predictably bad.

~~~
asveikau
Could also be bad hiring. Mistakes do happen, sure, but the only instances in
which I personally noticed a dev accidentally slipping personal data into a
log file, they tended to have other issues in their work like an unusually
high bug count.

~~~
tzs
Language can be a contributing factor. In a language that includes a generic
dump routine that can convert an arbitrary data structure into a useful string
representation, or that makes it easy to write such a routine if one is not
built in, people tend to use that facility to convert things for logging.

Then later someone adds a sensitive field to some data structure, and if
anything is logging that structure it will pick up the new field.

In a language like C, where I don't think you can write a nice
dump_arbitrary(void * data) function, and so if someone wants to log something
they have to write a routine specifically to deal with that particular thing,
when someone adds a sensitive field to a struct it does not automatically go
into logs. It only goes in if someone specifically updates the logging code to
know about the new field.

~~~
asveikau
> In a language that includes a generic dump routine that can convert an
> arbitrary data structure into a useful string representation, or that makes
> it easy to write such a routine if one is not built in, people tend to use
> that facility to convert things for logging.

I'm reminded of one such system I did in C#, where I knew ahead of time that
some fields passed to the logger may contain user data. I added a [Sensitive]
attribute that a property accessor can be tagged with, and the logger
reflected upon this and replaced contents with a placeholder if it was there.

So I don't really buy that as too compelling an excuse. People who are
mindful, careful about what they are doing, and respectful of the user will
engineer, document, and evangelize solutions.
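
Added example, not part of either comment above or of any code the commenters describe: a Python sketch of the failure tzs describes (a generic dump picking up a later-added sensitive field) next to the marker-based redaction asveikau describes for C#, done here with dataclass field metadata instead of a C# attribute. `VolumeRequest`, `InstallJob`, `sensitive()` and the sample passphrase are hypothetical names and constructed values.

```python
from dataclasses import dataclass, field, fields, is_dataclass

REDACTED = "<redacted>"


def sensitive(**kwargs):
    """Declare a dataclass field whose value must never reach a log."""
    return field(metadata={"sensitive": True}, **kwargs)


def naive_dump(obj):
    """Generic dump with no notion of sensitivity: every field is emitted."""
    return repr(obj)


def safe_dump(obj):
    """Generic dump that replaces tagged fields and recurses into containers."""
    if is_dataclass(obj) and not isinstance(obj, type):
        parts = []
        for f in fields(obj):
            if f.metadata.get("sensitive"):
                parts.append(f"{f.name}={REDACTED}")
            else:
                parts.append(f"{f.name}={safe_dump(getattr(obj, f.name))}")
        return f"{type(obj).__name__}({', '.join(parts)})"
    if isinstance(obj, (list, tuple)):
        return "[" + ", ".join(safe_dump(v) for v in obj) + "]"
    if isinstance(obj, dict):
        return "{" + ", ".join(f"{k!r}: {safe_dump(v)}" for k, v in obj.items()) + "}"
    return repr(obj)


@dataclass
class VolumeRequest:  # hypothetical structure that some caller already logs
    name: str
    filesystem: str
    passphrase: str = sensitive(default="")  # field added later, tagged


@dataclass
class InstallJob:  # hypothetical wrapper: the secret is nested one level down
    job_id: int
    volumes: list


if __name__ == "__main__":
    job = InstallJob(7, [VolumeRequest("Data", "apfs", "constructed-secret")])
    print(naive_dump(job))  # leaks the passphrase
    print(safe_dump(job))   # passphrase replaced by the placeholder
```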

------
radicaldreamer
There are so many security holes in the latest MacOS release, I’m wondering if
it’s currently the least secure desktop OS.

Vulnerabilities are one thing but these issues are simple enough for
non-technical end users to exploit on anyone’s computers.

~~~
gregoriol
Not sure about least secure, but clearly least production ready: High Sierra
is like a public beta of the version to come.

~~~
beamatronic
My IT department told me yesterday to avoid High Sierra at all costs! Is this
the norm?

~~~
1123581321
Blindly updating a work machine to a brand-new release isn’t a good idea
regardless of the OS.

In High Sierra’s case, it took until the .2 release before we were fine with
it.

Keep in mind that IT departments (including myself here) like to have
important things to say about software updates, especially when it’s about the
OS that requires a lot less IT work. :)

~~~
radicaldreamer
Exactly, iOS and Mac developers excepted, very little productivity gain comes
from updating to the latest version of the OS right away before all the
compatibility kinks have been worked out.

A lot of people have a (completely understandable) weakness for the latest and
greatest though.

~~~
mcny
I thought just Apple filesystem (assuming you're on SSD) would be enough to
make you want to upgrade.

~~~
DuskStar
More like a new, not-yet-battle-tested, proprietary filesystem is enough of a
reason NOT to upgrade...

------
post_break
This is just embarrassing. It's not like Apple is spread so thin because of
poor sales or a corporate shake up. There's really no excuse for all of these
core bugs.

~~~
api
The iPhone was so successful it ate the company. Everything else is an
afterthought to "sell more phones." Security takes a back seat to animojis and
better cameras.

The mobile market has plateaued, so this will harm the company long term.
Success defines and then limits you.

~~~
threeseed
This is just nonsense. I worked at Apple in the years after the iPhone launch
and nothing changed. And companies are comprised of many teams and so they are
more than capable of working on more than one thing at once.

Now as I've mentioned before the real blame can be attributed to the switch to
Agile. There has been a noticeable increase in the frequency of OSX/iOS point
releases since then. But also a subsequent decrease in quality.

Apple has realised this which is why they are focusing more on quality and we
have seen already the results of this with the last OSX/iOS update where we've
never had a X.6 point release for a while.

~~~
api
Thanks! That's interesting. I've always thought and always heard that Mac had
ceased to be important to Apple and was almost EOLed due to the iPhone, but
your take is also very plausible.

I have yet to see an Agile/Scrum organization that doesn't have runaway
technical debt. The entire Agile/Scrum process discourages the "craft" aspects
of development _unless they are explicitly included in each sprint,_ and a
very few managers do that because these aspects are hard to tie to a specific
customer story.

------
konceptz
Before we just jump on Apple we should probably see if we can recreate the
issue.

The article stated that another user could not replicate this issue and the
original researcher was also unable to replicate after a possible stealth
update.

~~~
hannibalhorn
I can confirm I found my password in my install.log. I just zero'd it out, but
definitely not an ideal situation...

~~~
zf00002
On 10.13.4, my install.log does not have my password that I can find.

~~~
hannibalhorn
I already ran shred on the log to erase all traces, so I can't be more
specific, but I know I did a fresh install (not an upgrade) of whatever
the latest High Sierra was at the time in mid-November...

------
justincormack
There are definitely some issues with files ending up with contents of other
files, particularly with sparse files and nearly full disks, presumably due to
new allocations not being zeroed. Hard to replicate, but not impossible. We
filed a bug and it was closed as a duplicate. Possibly fixed in today's 10.3.4
release, can't confirm yet.

~~~
aeontech
What was the openradar id, out of curiosity? That sounds really disconcerting

------
crankylinuxuser
So, is the iPhone full of these as well?

Has anyone done a public audit of the leaked secure enclave firmware? I know
there's that company who sells the black haxx0r boxes for $15k or $30k.

Long question short: do we have a secure cell we can buy/make?

~~~
a_t48
I thought the deal was that they would let you use the box once for 30k, not
give the box to you.

~~~
saagarjha
There was an on-site version as well that sold for significantly more.

------
llao
So, did no one grep -R --as-text "my password" / before?

~~~
saagarjha
~/.bash_history:42: grep -R --as-text "my password" /

~~~
rlkf
If the environment variable HISTCONTROL contains the keyword ignorespace, then
commands starting with a space won't be saved in the history list; usable in
situations like this. (Of course, the command will be visible in the process
list, so if you are on a shared system, it is still not a good idea)

------
ams6110
Good illustration of why command line utilities should not take passwords as a
parameter. They should always be provided as prompted input or via a pipe if
it needs to be scripted.
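
Added example, not part of the comment above: a Python sketch of why the argument form ends up in logs while the pipe form does not, using an installer-style wrapper that records every command line it runs. The child tool, the `--passphrase` flag, the logger names and the passphrase are all constructed for this illustration.

```python
import io
import logging
import subprocess
import sys

# Constructed stand-in for a tool that needs a passphrase: it takes the
# secret either from a --passphrase argument or from the first line of stdin.
CHILD = (
    "import sys\n"
    "a = sys.argv[1:]\n"
    "s = a[a.index('--passphrase') + 1] if '--passphrase' in a "
    "else sys.stdin.readline().rstrip('\\n')\n"
    "print(len(s))\n"
)


def make_logger(buffer):
    """Logger that writes to an in-memory buffer standing in for a log file."""
    log = logging.getLogger("installer-demo-%d" % id(buffer))
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(logging.StreamHandler(buffer))
    return log


def run_logged(argv, log, stdin_secret=None):
    """Log the command line as an installer would, then run the tool."""
    log.info("exec: %s", " ".join(argv))
    data = None if stdin_secret is None else stdin_secret + "\n"
    done = subprocess.run(argv, input=data, capture_output=True,
                          text=True, check=True)
    return done.stdout.strip()


def demo(secret="constructed-passphrase"):
    """Run the tool both ways; return both logs and what the tool received."""
    tool = [sys.executable, "-c", CHILD]
    as_arg, piped = io.StringIO(), io.StringIO()
    n_arg = run_logged(tool + ["--passphrase", secret], make_logger(as_arg))
    n_pipe = run_logged(tool, make_logger(piped), stdin_secret=secret)
    return as_arg.getvalue(), piped.getvalue(), n_arg, n_pipe


if __name__ == "__main__":
    arg_log, pipe_log, _, _ = demo()
    print("secret in argument-form log:", "constructed-passphrase" in arg_log)
    print("secret in pipe-form log:", "constructed-passphrase" in pipe_log)
```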

------
fwgwgwgch
I was planning to ditch my android for iPhone but reports like this make me
worried.

Can we have a reasonable discussion without fanboyism about what is the most
secure phone right now?

(reply only if you have a security background)

~~~
BuildTheRobots
I think it's impossible to talk about "most secure" without being more clear
who you're trying to protect against.

Rogue apps, hackers, law enforcement and state actors are 4 different attack
vectors that jump to mind that all have different mitigations.

We'd also have to talk about how usable you expect the phone to be afterwards;
for example if to make it secure we have to disable wifi, mobile-data and
apps, is there any point in having a smart phone in the first place?

