Hacker News new | past | comments | ask | show | jobs | submit login
macOS lock screen: “I just sent my session pass to my whole team” (twitter.com/benoitletondor)
424 points by fofolo on Dec 8, 2017 | hide | past | favorite | 262 comments

Oh, wow - I've reported this problem along with na example exploit to Apple about 6-7 years ago. Never got any recognition for it, but It was fixed some time after that. It's quite sad to see old bugs getting new lives like that.

For those interested, the sample exploitation that I've discovered was connecting any iPod/iPhone device to a OSX laptop while screen was locked was taking the focus away from login prompt 'into' the system, where iTunes was gaining it and from there it was just few OS level keyboard shortcuts from gaining network access to the system, while still locked: launch finder, go to tools folder, launch terminal, launch `nc` in the terminal to get the access via network. Lots of blind typing but it worked more times than not.

I remember seeing something like this with an some version of 10.12 as well. Stupidly it didn't occur to me that it was a security issue.

Hah. I've reported a similar issue with attaching an iDevice to a locked Mac in 2014. In my case, iTunes was opening a new space to restore its window in fullscreen mode, and the desktop contents were revealed while the animation was running (the lockscreen reappeared afterwards). Now I'm disappointed that I didn't try to get keyboard input into the system and fully pwn myself :)

I've seen enough regressions with enterprise stuff that I've wondered what their testing looks like. Of course they've always neglected the enterprise so I gave them the benefit of the doubt about the OS as a whole but now I'm starting to wonder.

> Oh, wow - I've reported this problem along with na example exploit to Apple about 6-7 years ago

Any proofs? Perhaps you can demand a bounty payout or sue them ignoring!

Proofs of what? My story? Don't feel like I need to provide any. Proofs again Apple in lawsuit you're suggesting? I'm not an American, so suing everyone for everything is not really in my custom ;) Rather than them paying me anything after being dragged to court (and I doubt I'd have any chance given disparity between their legal resources and mine) I'd like to get an acknowledgement tied to my name, but I was told not only they don't do that, but also they can't and won't tell me wether I was right and I've found a real security bug. Steve Jobs era secrecy in all its glory.

You can't demand a bug bounty payout, especially because Apple didn't have a bug bounty back then (and their bug bounty today is invite-only).

Also, if you read the rest of the comment, Apple didn't ignore it. They fixed it.

I did read the rest of the comment. So I am asking if someone is either making this up or if not it's important to shame Apple for its secrecy. That's my view on responsible disclosure; either ack someone's hard work or let every bug free in the wild. What's the point when your work isn't being acked?

> What's the point when your work isn't being acked?

To get the bugs fixed?

Also, we don't know why they didn't get recognition. The simplest answer is someone else may have reported it first. But it doesn't really matter. And I really don't see how "secrecy" comes into play here.

With no disrespect to the developers at Apple, et al, each one of these problems that goes viral before reaching “proper” channels is a well-deserved slap in the face of these behemoth organizations.

Perhaps, if the entire tech community regards Apple as a joke, they will start paying attention.

“Responsible disclosure” is great stuff for creating a culture of free outsourcing of tech companies’ most imporant feature (security) to the same people that paid those companies thousands of dollars for that privilege.

Responsible disclosure is about preventing the bug from being exploited before it can be fixed. Knowing about this bug doesn't help me compromise someone else, but it does help me avoid getting compromised.

> but it does help me avoid getting compromised

Only by casual hackers. The pros will probably have been exploiting the flaw for weeks or months against gainful targets.

If there is a reasonable end-user workaround against the vulnerability then I'd argue it's more responsible to publish early and widely than to wait for the vendor.

It becomes greyer if there is no workaround. I'm not sure what I'd support in that case.

The compromise is that I accidentally type my password into Slack and send it out to everyone in the building. There is no hacker involved in this one, and I can fully protect myself by ensuring that my password is going into the password field.

So, security through obscurity. No thanks. I'd rather know about the exploit ASAP so I can implement a workaround, rather than wait months for the vendor to get off their ass while my systems are getting hacked by the hundreds if not thousands of hackers that have 0-day knowledge.

Calling what you describe as "Responsible" is intellectually dishonest.

Perhaps you can write a patch or mitigate effects of (say) an OpenSSL bug. I can't. Certainly not for the myriad of devices that embed well known libraries in firmware images that I don't get to modify myself.

I'd much rather that those things which are remotely exploitable across millions of devices to be kept quite for a small period of time (30-90 days depending on the complexity of the fix required) so that I can get patches from our vendors and schedule an update at the first available opportunity.

You might call it security through obscurity, I call it keeping shit from burning down.

There are numerous potential workarounds besides authoring a patch. And they can be distributed in a user-accessible fashion, like the workaround for the macOS blank root password was.

Not telling the world about it does not keep shit from burning down. Eliminating vulnerable targets is the only thing that does that. And that is more expediently served by full and prompt disclosure.

What do you think it is that I'm calling responsible? I'm in favor of the public disclosure for this particular bug, and that seems to be your position too.

Sorry, I man-read your first sentence then hit reply. Please accept my apology.

But these bugs the kind that anyone could stumble upon, and if they are not security researches their first instinct is to let everyone know about a crazy thing they found. I can't really blame them.

If companies want more responsible disclosure they should introduce harder to find bugs - sneaky edge cases in memory allocation sequences, stuff you'd have to pore over a disassembler for weeks, or slightly weakened PRNGs that would take some serious knowledge of finite fields to discover :-)

presumably if you had access to someone's locked MBP and you could move focus away from the password field you might be able to trick them into revealing their pw; if the setup requires access to an unlocked device it still allows you to leverage temporary access to unlocked device to get a leaked password.

Yes, the manner of disclosure reflects the respect one has for the software vendor. https://twitter.com/mholt6/status/935687749381775362

Responsible disclosure is more or less earned as your resources go to infinity.

This stuff is so amateur though I don't think it is being discovered and handled by security guys. It's just some dev that is annoyed that the lock screen doesn't have total focus which is annoying and insecure and the kid of shit you'd see in the 90s

An interesting comment given that Apple as closer to infinity resources than anyone else.

Indeed, infinitesimally closer ;-)

Who can respect a vendor that assigns engineers to work on the animated poop icon instead of basic security?

contrary to what you may believe, some people need to work on content and should not be touching security. it's absurd to expect apple to fire all their non-security related staff and replace them with a whole organization of engineers that only work on basic security.

I do agree that apple has had a ton of problems in this area and needs to work on it, but this example is very played out and boring.

Yes because I'm sure those same people are also able to work on security.

Someone made the decision, this year we will hire X number of security engineers and Y number of poop animators. Ultimately that guy is Tim Cook.

You can't just hire arbitrary numbers of security engineers. These positions are difficult to fill. There's a good chance that Tim Cook wanted to hire more security engineers than was possible.

"With no disrespect to the developers at Apple, et. al., each one of these problems that goes viral before reaching "proper" channels..."

s/that goes viral before reaching \"proper\" channels//

The fact that the problems existed to begin with is more troubling than whether they became known outside the company or not. IMO.

With an open source UNIX-like OS (like the ones Apple sourced from for parts of macOS), both the developers and the users can watch the commits as they happen. Developers and users anywhere can choose to watch the commits and may be able to detect a series of poor quality ones. At least they can make informed decisions on the relative merits of changes from one version to the next. (Edit: They might choose not to compile or install certain components. I do not use X11. Nor do I use systemd.)

The fact that development of macOS is hidden from those outside Apple and that problems are protected from "going viral" does not make the problems any less of an issue for macOS users.

The issue is not how fast and secretively they fix problems, it is how many problems their developers are introducing into the existing version to begin with.

If there are problems routinely being introduced then no amount of fixing after the fact and behind the scenes is going to make the OS higher quality. Only due care taken before introducing changes will guard against further deterioration of quality level.

(Edit: The mention of open source is not intended to be interpreted as an argument that open source inherently results in better software. Perhaps skill and attention to detail are at cause. This is a debate worth avoiding.

The relevance of the mention of open source is intended to suggest that detecting and avoiding problematic software may be easier for some users, e.g. yours truly, if they can access the source code. As opposed to hoping that Acme Hardware and Software Corporation will quickly and secretly fix all software problems that slipped through their QC procedures. Too late for the user who has already paid for the software and updated to the new version. That argument should not be too controversial.)

In addition to the many xscreensaver bugs over the years that the sibling post mentioned, last year there was a systemd root escalation exploit that was the same class of programming error as Apple's bug that enabled the root account with an empty password. From my understanding, in both cases they misinterpreted the return code's magic number (-1) as something it wasn't.

Also, Linus' Law has some doubters. Things like Heartbleed show that Open Source isn't immune to long-standing, very impactful bugs.

> isn't immune

Why all-or-nothing?

The fact is that free software has transparency as one of its advantages.

When software is closed-source, its users must rely on the developers to maintain that software.

I completely agree it is an advantage and I'm very happy there are options that are mostly Open Source (I say mostly because I'm not a fan of binary drivers, which are often a necessity for decent performance or features).

> Why all-or-nothin?

The parent was citing the existence of a few specific bugs in macOS and Open Source as an alternative (implying it wasn't vulnerable). I really think the "given enough eyeballs, all bugs are shallow" is something Open Source advocates take too much comfort in. The idea does have merit, but there needs to be more study/context to how it plays out in real life.

Another example where this idea fails; there are credible suspicions that the NSA has influenced encryption standards introducing backdoors or known flaws even though the algorithms themselves are publicly known and freely available as well as the implementations.

> too much comfort

That may be true, but the alternative is certainly worse.

I really think you're overstating things because that's not true for a majority of people. A 0-day found in open source code is no different than a 0-day in closed source. In both cases you need to responsibly disclose it to the maintainer and sit and wait for the fix to trickle through support channels. With open source you can attempt to submit a patch.

If I found a bug in ssl, I can't imagine I'd re-compile that and track down every package I use that relies on it and re-compile those. Everyone uses their own build system and managing dependencies suck. I'd try and mitigate the risk against those tools until fixes were distributed through normal channels--just like I would in Windows or macOS.

If I was a large company, with closed source software I would have a vendor agreement to get fixes/changes, with open source I would have the expertise in-house and extra labor (or I'd have an agreement with a support company like Red Hat much like closed source software). A small company likely won't have the expertise in house or the spare bandwidth to mess with those things. For home users it would have to be someone with a serious hobby and specific skills.

Ironically Linux has had so many long standing versions of this exact vulnerability (screensaver issues leading to various forms of terrible disclosure) that it's not even really interesting to talk about them.

I'd send you to the relevant jwz rants but I'd rather spare everyone the goatse-ing...

> “Responsible disclosure” is great stuff for creating a culture of free outsourcing of tech companies’ most imporant feature (security) to the same people that paid those companies thousands of dollars for that privilege.

Also "Responsible disclosure" means absolute nothing to most people who are not security researchers. They don't know about it, even if there is a bounty and they could make a decent profit, they have no idea what those things are. They notice they can get root access or the focus sends their password to Slack and they'll tweet about it.

Especially here, where it’s (probably?) not remotely exploitable.

> probably

Show and focus a window when the user locks their machine.

Yeah. You can do keystroke logging without root but typing into password fields can't be intercepted. This would be a nice complement to that capability.

How do you do that?

    - (void) viewDidAppear{
       [super viewDidAppear];
       [self.passwordfield becomeFirstResponder];

I guess I got down voted for Obj C code, here's the swift version:

   func viewDidAppear(){ 

Having your password in some IRC channel gets remotely exploitable quickly.

If you reused the password, yeah, instant pwnage everywhere. If your local account password isn't used anywhere else, meh, random IRC people don't have physical access to your machine :)

No need to reuse your password. If the machine has sshd enabled, the attacker only has to guess the account name, but that's hopefully a lot easier than guessing the password.

Unless you have remote SSH logon enabled and IRC exposes your IP address.

Depends how you authenticate with your password. You could use pubkey with or without a password. Even if you reuse the password there, even if they have your password, if they don't have your private key they can't authenticate.

Remote logon with passwords allowed and sshd exposed to the whole internet (not behind ISP's NAT, not behind home NAT, port allowed on home firewall, port allowed on laptop firewall).

Yet another reason to only use SSH keys.

No, because if you type in your pw, it will show as stars ;-)

If you look at the "root" issue last week, public shaming seems to be the only way to get Apple to work on problems in macOS.

They didn't even include it into the big bounty, did they?

It feels like they don't give a shit about non-iOS-devices.

we do regard them as a joke, apple is for you non techies that like cool stuff and dont care about being over charged for a metal case .... how many iphone have broken screens.

Apple customers dont care about the tech , they care about cool. This is what Steve Jobs and apple as branded themselves on so thats what you get, cool without good tech. And it wont matter becuase that is not the reason people buy Apple.

Tech community doesnt care about Apple, but the engineers will happily take their money to work on their products. If apple falls programming and computing will go on happily and at least we wont have to build over priced products for a bunch of children to take selfie shots that dont care 2 cents that they have a technical marvel in their hands.

Not to pile on, but my MBP (with "TouchBar" which will assuredly not exist in another year) is always in clamshell mode and connected to two external LG 4K displays. Whether, on which screen(s), or in what state the Mac wakes each morning is completely random. Sometimes it doesn't wake at all. Sometimes I have artifacts on one screen and a desktop on another screen. The sleep/wake sequence is a complete mess, and it doesn't surprise me that the focus might sometimes be on apps running in the user session behind the lock screen.

Wow, I have similar issue. I have an acer 4k monitor at home with both HDMI and Display Ports. I used to use HDMI before to connect it to my 15inch 2016 MBP, and the mac used to crash very often. Close the mac, and connect the dongle with hdmi? crash. So I'd have to restart the mac, and connect the monitor while keeping it open, and then close. But once i disconnect the monitor - crash.

I then got a usb c/thunderbolt to display port for 4k 60fps, and the issues significantly dropped, but it still occasionally happens.

I've noticed this crash as well. i've my MacBook Pro connected to an external monitor via an USB-C/Thunderbolt cable. I close my laptop when I leave work which would put it to sleep/lock and approx. 10% of the time when I come back the next day my machine wouldn't wake up and I've to do a hard restart. I can see some things flashing on my screen but the laptop screen would be completely blank.

Same problems as you, but I disagree on the touchbar. It’s one of the better things Apple has added recently.

But holy hell do they need to work on their external monitor support. Yesterday I had one of my monitors randomly go black for a second. I’ve had audio over usbc just not show up anymore and it refusing to see my gigabit ethernet when waking up unless I unplug the actual ethernet cable. Simply amazing this passed their QA - and Id find it hard to believe no one at Apple uses clamshell mode with two monitors.

> but I disagree on the touchbar. It’s one of the better things Apple has added recently.

Strongly disagree, and I can not conceive of how it could be viewed as "better" than hardware keys. Maybe if they moved it above the FN row and we regained the hardware escape key, while making it a build to order option. Even then, I personally would have no interest in it, and neither would anyone else I know. I do not want to look at my hands while I type, ever.

I don't know how far out it would be but with the changes to their keyboard and the addition of their touchbar I wonder if their long term plan is a touch screen in the bottom half to replace the keyboard and pad. Without some kind of tactile interface I hope I'm wrong about my suspicions.

dear God I hope not.

I wouldn't mind if they made the touch pad into a screen. Probably not that useful, but it wouldn't bother me.

> I wouldn't mind if they made the touch pad into a screen.

You mean like making the laptop LCD a touchscreen?

Like other PC manufacturers have been doing for years?

Ah, but you see when Apple release the iTouch it'll be a whole new paradigm of human-computer interaction! Never before have people been able to control their computers by touching the screens!

… or that's what the fanboys will think.

> Strongly disagree, and I can not conceive of how it could be viewed as "better" than hardware keys.

I hope this is hyperbole, because it shouldn't be hard to understand. The TouchBar is absolutely an improvement. I can't remember the last time I actually used a laptop keyboard's F-keys for anything, but the TouchBar makes that space useful.

> I can't remember the last time I actually used a laptop keyboard's F-keys for anything

Not even F5 in a web browser?

That's Windows. F5 doesn't do anything in Mac browsers.

What? Fn+F5 works fine in chrome.

Funny, I actually tested Chrome before commenting just to make sure it wasn't doing something weird, and F5 definitely doesn't reload Chrome on my computer.

so does cmd + r which is easier to hit I suppose

You never use the ESCAPE key? Apple roped that into the fn keys and removed it

My touch bar computer still has an Esc key. It's part of the touchscreen now instead of a physical button, but it still works the same way and I've never had any problem hitting it without looking.

> I can't remember the last time I actually used a laptop keyboard's F-keys for anything

I use them regularly to switch consoles. MacOS supports multiple consoles, right?

By consoles do you mean terminals? Terminal.app uses ⌘⌥1–9 to switch windows and ⌘1–9 to switch tabs. The F-keys aren't used by Terminal.app at all (well, they're sent to the terminal as an escape sequence).

No, I mean complete GUI heads: completely separate GUI login sessions which use the same screen and can be switched between. Also called 'virtual framebuffers,' I think.

Very awesome. I'm sure that Macs support something similar.

macOS has something called Fast User Switching, which is completely separate login sessions, but you access it through a menu on the right side of the menubar, not with keys.

macOS also has Spaces, which is just virtual desktops, but again, it doesn't use the F-keys to switch between them.

I'm strongly reading GP comments as trolling, given indirect context, but I respect your approach of taking the high road by assuming simple ignorance.

I really wasn't trolling. I've not used macOS for almost twenty years now, so I genuinely didn't know if it supported multiple graphics consoles. I'm not surprised that it does, but I wouldn't have been terribly surprised if it didn't, either.

My (un-trolling) point still stands, though: I use the Function keys on a daily basis, to switch between consoles.

We have many staff with MBP + dual external displays and it's always been the least reliable aspect of the platform. From reading between the lines in the unusually arcane history of support docs on the topic, I've surmised their stance can be summed up as "it might work!" Which of course runs counter to the Apple It Just Works ideal, so they can never come out and admit as such. They've gone to great lengths to squeeze impressive performance out of their stingy graphics hardware choices at the OS level, but there's not much you can do to massage the numbers when adding up pixels, I guess.

For what it's worth (anecdote incoming) I use a touchbar MBP with a Dell UP2414Q, which is driven using multi-stream transport. Effectively its panel is presented to the system as two separate displayport streams running daisy-chained over a single port. Once I found the right cable, everything worked fine. (The first cable was advertised with DP1.2 and MST support, but it would only operate in the legacy mode that dropped down to 30 Hz).

God forbid you try to use this with Windows though. Sometimes half of the screen cuts out, sometimes one side of it shifts by a couple hundred pixels (and wraps the right edge of the image around to a stripe down the middle of the screen), and god knows what other problems that I can't even remember. This was with a GTX 900 series GPU which is definitely "supported."

I used to have it hooked up to my Windows desktop since that's the fast computer with more storage and RAM, so it should be great for stuff like Lightroom. But since the screen doesn't work reliably, I moved that back to my MBP.

A friend with the same screen had identical issues on Windows and a similar solution. It's now on his wife's desk for her to plug her Macbook into.

Display signaling has gotten a lot more complicated than DVI/VGA were, and the reliability problems that have cropped up from that are present across the industry.

Do you have a link for this cable? I am always interested in foisting esoteric firmware and poorly implemented protocol bugs upon myself.

They're USB-C to DisplayPort cables, so these will mainly be useful to people with the 2016-2017 MBP.

MST worked: https://www.amazon.com/gp/product/B01N11K30W/

MST did not work: https://www.amazon.com/gp/product/B06XFG1YKT/

I can't say for sure if it's the cable's fault or if it's the particular combination of cable/computer/screen that has some obscure compatibility problem. Makes me miss the days when a cable was a cable and we could tell people "Just buy any HDMI cable, no need to spend $60 on it."

I use my MBP with 4 different external monitors (all different types, Apple, Samsung, Acer and Dell), two at a time, and it almost always works. Once in a blue moon something glitchy happens, not sure if that's reasonable performance or extraordinary performance given I haven't seen any other platform do as well.

My iMac seems to get a 169 IP on wake-up about once a week

No problems with my Debian or Win 7 boxes which are presumably on the same switch

That's a link-local IPv4 address, typically means that it hasn't got a lease from your DHCP server.

Normally messing with the cable gets it to pick up a proper address.

Strange that other two machines aren't effected if the DHCP server is to blame

Let's all sit and reflect for a moment that Apple was the first (and for a long time, the only) company that used to get sleep/wake "right".

And now I'm sad.

This was one of the reasons I never adopted Linux on a laptop. Power management simply never worked. I used Windows for many years on a ThinkPad with Linux in a VM but this felt dirty. Bought a Mac and life was good. Well it was until 10.13. 50% of wake up events I have to log in to a trashed desktop now.

It makes me long for a computer nailed to a bit of ethernet that is never turned off.

Edit: also I just went through hell trying to get a USB to serial converter working on OSX. Not exactly a crap one, a Keysight U1173B with Prolific chipset.

Are you connecting to an external monitor? Sleep Wake still works fine for me. The other thing is that I didn't import anything from backup. It's a clean install.

Nope just internal screen. This was a clean install too. On 2013 rMBP.

Using external displays, and half the time come back from sleep with most of my apps 95% off screen, it's annoying at best.

In my experience there have been problems for a while with sleep/wake if you have external monitors. I'm running 10.12 (work computer, no option for 10.13 yet), and I have three monitors connected to my MBP. I had to adopt a ritual about disconnecting the first screen, then lifting the lid a bit to activate the internal display, then disconnect the other two monitors, then close the lid. Otherwise more often than not when I woke my computer up next it would not have a usable desktop -- the dock would be on a nonexistent screen and could not be found. I got pretty used to using spotlight to load terminal and blind type 'sudo reboot'.

That's similar to my experience when using HDMI cables. Switched to using USB C -> MiniDP cables and things are better now, except since I can't daisy-chain the two monitors with DisplayPort (the rMBP can't drive them both, a Thinkpad happily would) that means two out of the four USB C ports are used up.

Still getting random freezes sleeping and waking though. Especially if I don't open the internal panel before disconnecting the external monitors and USB hub before putting the laptop to sleep.

what did other companies not get right?

Linux specifically has a horrible track record for sleep/battery management in laptops, and worse recovery. Windows used to be far more buggy, but the long XP era a lot of that was fixed by XP SP3.


I just wish there was an option in Mac to use "PC Shortcuts" in all my apps... it's the only place where some of the key combinations feel truly alien in most apps. I use a "PC" keyboard, but remap CMD to CTRL, ALT to SUPER/WIN, and CTRL to ALT... but in the end, terminal is awkward, and some other shortcuts are hard.

May take the time to figure out how to get VSCode how I like it with the windows/linux shortcuts, but my key bindings.. find/replace are particularly awkward to remember, and usually resort to mouse menus.

Not just a horrible track record, but the current state is also bad. I have a pretty recent Debian install on a bog standard Lenovo which otherwise runs Linux beautifully. It took days of fiddling with conf files and trying things out to get Suspend and Hibernation to work in a sensible way. The kernel, systemd and Gnome all try to do stuff, but they can't seem to agree on who's responsible for what part of power management. This is something that should work out of the box.

I installed Arch on a T460p, and suspend-to-RAM worked out of the box. (And this has been my experience w/ Thinkpads and Linux for well over a decade now. Now, I don't do suspend-to-disk, because I dislike it.)

Yes I've been struggling with the latest Mint, 50% of the time on wakeup I just get a black screen and no responsiveness. I've had dual-screensaver issues, incoorect monitors etc. Really makes it feel hackish.

I also have trouble keeping mac windows where I left them with external displays attached.

I invested $15 in stay https://cordlessdog.com/stay/

I would not say the problem is solved (it's not going to solve artifacts, etc), but it helped me.

I have a similar problem running my touchbar Macbook Pro in clamshell mode via a CalDigit USB-C dock. All sorts of issues with it discovering USB devices when you plug the hub in too.

Yes. One day a week my Logitech USB mouse is not recognized or powered by the MBP. Which day it will be is a crapshoot.

If the Woodway treadmills at the Palo Alto Equinox had the same uptime as my Macbook Pro, I don't think certain Apple execs would be happy.

Really!? Me too. I have the USB discovery problem with two other hubs. It only recently started, maybe since 10.13.1 or so.

Sleep / wake in this kind of setup has always been an issue with my 2013 rmbp. I'm not even on high Sierra. USB stuff doesn't wake up the computer. Opening the lid doesn't wake it up. Sometimes typing on the laptop itself doesn't work and it requires a hard reboot. It's been four years now and I've given up hope that Apple will ever get sleep / wake right.

The reality is that Apple's software is absolute shit. OS X was the only software that wasn't shit. I can't think of a single counterexample otherwise. They take great software (like logic audio) and turn it to shit. It's incredible. Clearly macos follows in the shit tradition of iTunes, the legendary mother of Apple's shit software.

my usb hub and/or keyboard and/or mouse will often not be working when trying to come out of sleep.

Very similar issues here. MBP Touchbar with one external 5K LG display. I love the LG when it works.

Super frustrating when I I sit down and wake up the machine to find both displays flashing. Usually unplugging the LG clears things up, but replugging often results in the brightness on one display being set randomly.

Clamshell mode has notoriously been a problem for many years over a bunch of models. Sleep/wake has usually been way better than Windows or Linux, but has also had it's share of problems. The sleep/wake issues usually get fixed, the clamshell issues from what I've gathered get resolved less often.

I've just bought my first MacBook Pro with a dedicated GPU this year, and I'm having WAY more tiny glitches than with the pure Intel machines I'd had before. (10.13 has thankfully fixed lots of them!) I love my 5K screen, but I hope I'll never have to buy a machine with GPU switching again.

I'm really surprised Apple is still releasing MacBook Pros with gpu switching after all these years. They've always had serious problems and I figure they would stop selling them or make the major changes needed to resolve the issue.

Thankfully, I haven't owned one, but I hear so much. Which sucks, because there are more and more nvidia-specific things I'd like to do on a mac laptop.

I have an OG MBP with the same problem. It's seems to have improved, but I still occasionally get kernel panics (?) when I resume with multiple monitors connected.

Same issues here. I dread having to unplug or shutdown my MBP connected to 2 external monitors because it means I'll have to reconfigure the displays.

I have horrible sleep wake and external monitor problems on both my new macbook pros

FWIW this is a known security bug at Apple. I filed a bug about similar behavior where you can see the desktop briefly without logging in. Apple marked it as a duplicate. https://imgur.com/YxXtU2y

Here are the steps to reproduce:

- Start Mac

- Login

- Turn on Screen Lock: System Preferences > Security > General > Check "Require Password" and Select 5 Seconds.

- Turn on Hot Corner Sleep Display: System Preferences > Mission Control > Hot Corners > Select upper left > Put Display to Sleep > Ok

- Attach external monitor

- Activate hot corner by dragging mouse to upper left corner of screen

- Wait 6 seconds

- Click the mouse to trigger waking the screen

- See brief flash of the desktop without logging in!

The desktop flash happens regularly to me when simply attaching an external monitor to my closed locked machine.

I actually think I've experienced something similar across every OS I've ever used. With Linux distros I was always able to trigger it by opening and closing the lid a few times. With Windows, I don't remember the exact sequence or what version.

Overall, there appears to be something funky with this overlay technique and how things are asynchronously rendered.

I used to get the desktop flash reliably by simplistische disconnecting or reconnecting an external monitor. High Sierra fixed it.

Just FYI, this works on 10.10 (Mavericks).

So, Apple has the most available cash resource of any company out there (or at least close to). Yet, bugs galore, and strange product decisions. The obvious conclusion is that their management is failing to staff accordingly to the work that needs to be done. This could be because they are not aware that work needs to be done, which means engineers are not telling them, or that the management is not succeeding in hiring enough people to do the jobs.

My gut instinct says that a some former people at Apple used to do a lot of undocumented QA work and sanity checks, and that as the company has grown and changed, nobody picked up the slack when they left. Now, they'll have to go through a formal process of re-identifying QA steps that need to exist, and hiring against them. It's been a hell of a month for them, though.

I'm guessing that it's going to be pretty difficult to hire an engineer who is:

- Very good

- Wants to live near Palo Alto

- Is able to live in the US

- Wants to be subjected to Apple's privacy rules

- Wants to work on fixing bugs instead of making new features

In the software engineering game, money only goes so far.

If I could work from a European Apple office, this would be 100% my dream job. When you implement new features, you are slave to your marketing department - I'd hate to waste my time on pointless gimmicks like the macOS Siri UI, for example. Maintenance work is much more satisfying because you're directly serving your users (usually skewing towards power users too!).

Also, I don't think the privacy restrictions would be so bad. Apple's UIKit engineers occasionally chit-chat with indie devs on Twitter.

The problem is that this job would be absolutely futile. If Apple hired 100 great engineers to fix bugs, management would simply double the amount of features that go into each yearly release.

For a company that loves minimalism so much, you've hit it right on the money WRT management.

The TouchBar, while interesting, is the perfect example of this. I'd love to have had it along with the physical buttons - there's plenty of room. Alone, though, it is pretty weird.

I assume that the real problem is that Apple's managers do email and web browsing, and that's it. They probably don't spend enough time in pro apps or trying to be productive to understand that a window manager built in, or physical keys or an improvement to their native text editor would be helpful.

I'm pretty sure you'd find a LOT of people to do that work for $300k/year... Apple has lots of money to go as far as they like.

Yeah, but if you can make $300k a year, you're likely not dedicating your software engineering career to fixing bugs. Also, you can go a few miles south to Los Gatos and work at Netflix and make $400k/year.

I am not an engineer, but from my non-technical POV, this seems ridiculous. Is the cult of building new software really so much more attractive than making the software actually work? I mean, I think this attitude perfectly encapsulates why Apple has problems. Is bug fixing much harder than building the systems from the beginning? Is the difficulty in reading and checking code for errors really hiding the fact that this "unsexy" work of bug fixing involves the actual difficulty?

If, in any other field you found people that only wanted to make first drafts, you'd call them copywriters and designers, not engineers. And even if it is totally normal to eschew bug fixing in favor of drafting, isn't there a salary that would cause people to do it? If so, Apple should just pay that and hire those people - it'll still pay off in the long run.

$400k/year? is that for Principal Engineers and Directors? What would a senior eng make there?

I think that's for Sr. Engineers++. What I heard is that they do an all in compensation plan so your equity, bonus, and salary are all rolled into your salary and then you decide what you want to do with it. On Glassdoor that doesn't seem to match what I was told though.

Only the first issue can't be solved by throwing more money at it.

If someone is good and can't get a Visa to move to the U.S. more money won't help that either.

Money can buy a new engineering office in a more immigration-friendly country.

You're right, but Apple doesn't work like that. They just spent 5 billion dollars on Apple Park attempting to put everyone under one roof. I don't think it's in Apples corporate DNA to outsource core components of their operating system to a more immigration-friendly country.

It means money is not everything. Yet for some reason people seem to think the most expensive stuff is the safest, nicest and the best one. Like they are buying trust or what..

I did something similar too - I was typing in the password while the Mac was being unlocked by the watch using that unlock-with-the-watch feature.

I was used to hammering return a few times to wake the machine up, then typing in the password, then hitting return again.

The few times I hammered return woke the machine, the watch unlocked the mac and the password plus the return key went into the app that had focus which for me also was Slack.

Is it possible that this user had the same thing happen to them? When I disable the watch unlocking, I can't make the password go anywhere but into the login screen (10.13.1 here with last weeks security update applied)

Original Poster replied to my tweet where I asked him if he has an Apple Watch: >Hey Tonny. No I don't have an Apple Watch so it's not related. I did connect an external screen before opening the MBP though, so maybe it's related to that? Note that I can't reproduce it, happened only once so it must be a shady bug.

See https://twitter.com/BenoitLetondor/status/939164367962148864

Because of the short delay between waking the Mac and the display lighting up, I always either use spacebar or command key, or click the trackpad/mouse a couple times to wake.

Return is a dangerous key!

I hit the shift key

I used to hit the Shift key to manually triple-verify keeping my laptop 'alive' during long videos/presentations but have since switched to the Ctrl key. Thanks Sticky keys!

I'm a ctrl freak :D

Same here.. modifier keys are the safest to use.

Hell yes. I wonder wha’s the worst thing someone has done with this? When you hit return and just before the keystroke a pop up comes up and you agree to something you didn’t want. I’ve see a couple of bad ones in the radiology world.

Oh god, popups while you're typing are the worst. I feel like the OS should not even allow it.

No idea how to prevent the issue, but I've been caught mid sentence before and accepted installs, upgrades, random popups, etc. Ones from Skype tend to be the most infuriating / scary..

It's not too difficult. a) only the application with keyboard focus gets to open new windows with keyboard focus less than about two seconds after a keystroke (with no intervening mouse activity). b) no keyboard input into a new window for the first second, unless the user clicks there.

We looked into this while I was Trolltech. Decided against doing it for Qt unilaterally, it's really something the system must do, or else it's too annoying.

But what about pop ups that come from within the application? Anything that has dialogues come up when there is a chance the user might be using enter/return for a different purpose is a bit crap, especially with multi-screen systems where there is a fair chance the user is looking elsewhere. Even just having no pre-selected default would help (so arrow - enter/return would be needed).

Is this an example of what you have in mind: The user is typing at Microsoft Word, and it's not a keyboard shortcut to open the "document properties" window, and Microsoft Word chooses to open another window during the typing and divert keyboard focus there?

I think so, yes. Diverting keyboard focus in the middle of anything should never happen. Should there any exception to this?

This seems like something that should be handled by the application's developer. A different application's popup or focus steal should be managed by the window manager / OS.

My favourite was watching someone perform an MRI with injected contrast - imaging being timed for specific points after injection.

They are just tidying up parameters for a bit of post constrast injection imaging. They hit enter to accept a parameter change just as a notification appeared to trigger the next scan. Basically it missed the key imaging phase and the scan had to be repeated a day later once the injected contrast had been cleared out of the patient’s system. Imaging equipment vendors seem to make custom UI in places where it is unneeded (software buttons which trigger on touch down, not touch up for critical functionality?! Why?) but in places where it would be safer to make something custom they don’t.

Yes, stealing focus by another application should not be permitted by the window manager / OS. Windows XP had a feature or a 3rd party plugin that would simply blink the application in the task bar if it attempted to steal focus. I also seem to remember a similar feature in Gnome 2, though it could be a false memory.

I remember this (I think). The worst offenders that come to mind for me are applications themselves, not other programs or the OS.

Edit: a possible exception being the “please enter your iCloud password” curse I somehow cast on myself sometimes.

Seems plausible. I have replied to the tweet and asked him, see https://twitter.com/TonnyGaric/status/939152498249666562

Hmm, the "Unlocking with Apple Watch..." sequence breaks when you hit a key and then displays the standard password field, so that you can type in your password instead. This seems really unusual.

I worked at an open source shop where almost everyone ran Linux and used IRC for chat. For a while I made the mistake of having the screen black time lower than the screensaver timeout, so I'd unlock my screen and see my password go out in IRC. I ended up changing my password to something that looked like a shell command.

I worked in a mixed shop, and when my Linux box showed the BSOD screensaver, my Windows-aligned co-worker helpfully rebooted my machine for me.

These lock screen issues go back further than 10.13, I believe it was 10.10 or 10.11 my child was able to bypass the lock screen by mashing on the keyboard while the screensaver was fading out the login dialog.

I witnessed it. I was not able to reproduce it in 10-15 minutes of testing. She did NOT type in the password. Just banging on the keyboard, playing with the screensaver.

I have a computer on 10.10. Has this issue.

Lock screens are harder than they first appear: www.jwz.org/xscreensaver/toolkits.html (Which, you'll note, mentions this exact failure case in the "Transfer Grabs?" section.) There's some X-specific stuff in there, but there's a lot of general issues in there, and with just a bit of imagination most or all of the X-specific issues can be seen as general issues as well.

Sadly, he also is fighting against the only solution to this issue.

There has been work to solve this by registering the session, compositor, and screen locker each with the session manager.

If the screen locker (which now can use any toolkit) crashes, the session manager can try to restart it. If it fails again, it just displays "your unlocker has crashed. To unlock this session, open a tty, login, and type `loginctl session-unlock`"

This solves all the issues, but he (and many others) have been fighting against systemd for a while (which fixes this, and so many other issues, which no competing project ever handled)

Fair warning: Jamie doesn't appreciate the discourse this crowd brings to his site. Visit this URL without a referrer for the best results.

No idea why you wouldn't just make it clear the site will open an inappropriate image when linked from HN


Yes hopefully the commenter will edit in time to remove the http:// prefix so that it is not clickable.


>sirsar: JWZ used to detect the hacker news referrer and redirect all links that originated on hacker news to goatse. Now it's only slightly less graphic

Sorry. Pity. It's actually crammed full of good stuff, which is why I linked it. It's a classic easy-looking problem that gets really hard when you get down in the weeds.

Not that it's somehow my place to say it, but I appreciate the spirit of your apology; you too are among the victims who deserve no blame.

Now that the link has been changed, I have no idea what you are talking about.

See the problem is that they don't have to be. An architecture where the screenshield must be a client to the display server like any other application is terrible design and largely an X-ism rather than something fundamental.

N.B. jwz does not like being linked to from HN. Open the link in a new tab.

With treatement like that, I’d prefer to avoid this person and all their content.

That's exactly what he wants from the horde on this site. To not visit his site :)

Your loss. Jamie Zawinski probably helped write a lot of the software you're using right now, and has observed the internet almost since its birth.

Do you know why he has such an aversion to HN?

No -- I don't know him personally -- but I would guess that he thinks it's a pile of amoral greed-heads and ignorant children.

amoral greed-heads and ignorant children.

Basically HN is him when he worked for Netscape and he doesn't like the reminder...

No, because HN is the people he worked for - the people who use him winning the startup lottery to explain away all the losers of that lottery and keep feeding young, impressionable people to the startup destruction machine.

Pretty much that, I reckon. He’s warned anyone who would listen not to work as hard as he did while at Netscape. But at the same time, he did win the startup lottery, so there’s that.

Well, he isn't exactly wrong. But redirecting like that is pretty immature in itself.

I agree. He could just redirect to a blank page but this puts him in a really bad light. I wouldn't care except I frequently browse HN at work when I'm getting settled in in the morning.

Left Slack open with focus, allowed MBP to sleep, woke with space bar, login field had focus, tried with closing lid and opening while Slack was open and focused, again password field functioned as it should, unable to reproduce, macOS 10.13.2

Difficult to reproduce, can be when we lock the session, close the macbook, plug a second screen and re-open. Or in another order. Personally I remember not having the focus on the password input by opening my MacBook onetime, I often plug and unplug screens

I was in a huge lecture hall and the presentation from the head of school was going to talk. He plugged in, turned to look at the display from the projector and it hadn’t come up yet. He types in his username and password and stood there waiting. When the projector came to life he had typed it all into the username field. He fixed it up then displayed his desktop to us with all the pending final exam papers sitting there. No one in the hall showed any obvious sign of realising what had just occurred.

I have slow Macs that I share with family.

I've seen similar behavior when switching users. The full-screen password entry login comes up, but focus is still on regular apps.

I often wonder how many authentication log files contain passwords because people in a hurry append it to the username on accident (not visually confirming the Tab/Enter/switch to the password entry).

This is also vaguely similar to the 'test SSL submit' security technique of first entering enough data into login forms to process a submission, and then entering real login info into the 'login failed' retry page after verifying SSL. This has lost some of its luster as non-SSL form submission has fallen out of wide usage.

Yeah, pretty sure mine is in clear text in some ssh auth.logs. Yeah yeah, I should use encryted keybased login (I try to mostly do it.)

I typically require both when others are involved since proper key security can't be enforced (hardware 2FA is the dream).

AuthenticationMethods requiring both wasn't availabe in OpenSSH prior to v6.2 (May 2013)[1] and I'm on Windows anyway so I went with https://www.bitvise.com/ssh-server.


> I often wonder how many authentication log files contain passwords because people in a hurry append it to the username on accident

Is this why everyone does 2-step login on websites now?

Say what you want about Windows, but no amount of sneakery can steal input focus from Winlogon window station (yes, there's a separate kernel object for that in NT/Win32K).

It is the (secure) desktop, not the window station.

This has been a very sporadic issue that I've seen once or twice per year at most, for quite a while with OS X - somehow, another window is able to steal focus from the login screen. I've never been able to reproduce it reliably or find a common element in all of the times it has happened, but it definitely has happened to me and I've also seen co-workers dropping their login password in a chat window due to this. But it is pretty rare, so hard to pin down.

I've also noticed another thing happening more lately - locking the screen, only to have it automatically unlock itself a second or two later. I always have to make sure it actually stays on the screensaver for a few seconds before I trust it will actually lock.

I'm really bothered. While I had relatively no issues with the fresh OS X update, I'm having a hard time with the iPhone 7 and the new iOS that is supposed to run their flagship device: iPhone 10.

While most of the bugs have disappeared with the recent update, there are still some minor ones that really pisses me off: Screen freezing unresponsively for 30-60 seconds before things get back to control; and music playing randomly (happened a few times. Everything calm. Boom, music starts to play).

I'm pretty sure this mess wasn't here before the update to iOS 11.

Edit: Just found there is a new update. Let's see if they are getting their shit together this time.

Wouldn't be surprised if it was intentional. Apple is known for planned obsolescence for their products, especially iPhones.

I hear this line a lot and yet iPhones get the latest iOS updates for many years after release while many Android phone are lucky to get 1 year of updates.

I would be much happier if Apple didn't "force" me to update my iPad with a pop up message every day. It was running smooth like butter, even with an older version of iOS.

I have had this happen with 10.12 and 10.11 on rare occasions. To my knowledge, I'm not doing anything different on the occasions that it does happen.

It wasn't Slack-specific as I've only started using Slack recently.

It happened to me as well, but with HipChat.

Although this bug still sucks, the class of problems of pasting passwords into chat may have a simple, worthwhile, and general solution. A colleague at a former company always changed the key bindings is his IRC/Jabber client to include a control key with Return for sending a message. Does Slack have this option?

Even more fun if the focus happens to be on a terminal window...

I knew I shouldn't have picked 'rm -rf /' as a password

Oh, you're lucky. Mine is 'rm -rf --no-preserve-root /'.

Haha, tried that a couple of months back before wanting to do a reinstall. The system stopped me with some warning :) I think it was Arch but could have been Ubuntu or Solus.

There's a way to still do the rm -rf / bypassing the warning but you shouldn't do that.

Ever since systemd was a thing, that command has stopped being 'safe'. It no longers solely affect the filesystem. It can wipe your EFI variables and make your comnputer unable to boot at all, even unable to boot installers to reinstall linux.


Don't think of the file system as just the file system. If you keep thinking of / as only meaning 'whatever's in that hard drive' you will not like what you may encounter.

Yep, nowadays rm has a failsafe and requires you to add --no-preserve-root argument if you want to force remove the root folder recursively.

If it's not there, you can always make it be, like I did in past with very similar issue (described in another comment). Quite few people disable/change OS wide keyboards shortcuts ;)

I also typed my apple id password to my peer, not into chat, but into another mac in the same room. Mac keyboards can disconnect and connect to wrong devices if used with them once.

That specific setting was: my keyboard was used to setup his mini, mini was turned off and on later. My keyboard, already properly reconnected to my mac at that time, disconnects on timeout (or for whatever reason it does that few times a day). Mini “grabs” my keyboard when it goes back on air. I wake my sleeping mac via trackpad and try to type my password into focused password field. Non-obviously, no characters appear on my screen.

Definitely done that before. Sent my password through Messages to a friend. After that, I learned to keep the finder or a web browser as the thing in focus before I lock my computer.

Last week I was resizing a window in High Sierra, and I noticed that the Chrome app in the background was also scrolling. That was completely unexpected. It's long been the case that the window doesn't need to be on top for this behavior, but in this case it wasn't just a focus issue, it was that I was in resize mode. Completely jarring when it happened, but seems related.

Sounds like the assumption is that the lack of focus means that the first password got sent to Slack? But it seems more likely that it was the second entry of the password that was sent to Slack, and it was just that the keyboard input was being buffered? (So the first password-enter eventually got processed, and then the second one got processed but after unlock.)

A similar thing happens to me sometimes with 1Password on the web. I'll click the extension's icon and type in my password and realize I'm typing it into a text box on the webpage. I've tried to reproduce it and I can't, so I have no idea what the issue is. It freaks me out though.

Microsoft employee saide. "Same issue as with using windows 10 with multiple monitors/screens."


Could not reproduce that. For me its impossible to not have the password field focused. Hm?

>For me its impossible to not have the password field focused

Maybe Slack or other apps have to call for focus, and MacOS is allowing those calls while it's locked.

Same here. Running 10.12.6

I think this is a 10.13-only bug, likely tied with some of the other password entry bugs that have popped up due to a bunch of rework with how user login/authentication work.

I had this bug once a long, long, LONG time ago, since then my password is a sentence that's doesn't look like a password. Of course I'd still change it if it went out to slack :)

I have ran into this before, figured it was a generic login bug. Now I wonder what/where my login credentials went. Lovely.

I'm always worried about this too... sometimes my session doesn't lock because I was watching a video and I go ahead and type my password before looking when I come back (some websites log all keystrokes).

Not surprised by these bugs any more.

The sheer amount of bugs in High Sierra is ridiculous, with the exception of the root password bug, I've personally experienced the following bugs with my Thunderbolt display:

* In 10.13 or 10.13.1 the built-in web camera was broken. The video would freeze after a few seconds when attempting to use the camera in FaceTime. This was fixed in 10.13.2.

* In 10.13.2 USB audio devices connected to the TB display no longer work properly. After playing audio through the device (USB DAC in my case) for 30-60 seconds, some sort of interference/electrical noise appears for 5-10 seconds every minute or so. I assume this has something to with "Improves compatibility with certain third-party USB audio devices." from the 10.13.2 release notes.

For me it is impossible to update macOS too.

App Store is not working.

Downloading fix from website tells that my fusion drive is not compatible with this kind of install. Use App Store.

I don't even have a fusion drive.

Why you are still using it then? Operating systems are very complicated beasts, none is perfect but I like Linux the most. There are issues too but I feel like I have more control over it.. Sometimes work reasons force people into Mac/Windows though... :(

This sort of shit wouldn’t fucking happen if they put the login/lock screen into its own separate and independent desktop like Windows does.

When Windows is more secure than you, you have big problems.

In case someone thinks desktop Linux is better, it’s not. It’s much worse: https://www.jwz.org/blog/2015/04/i-told-you-so-again/

It is sad. Linux could be better if more people used it. Currently its use for desktop is relatively low. People tend to trust companies more so all they can do now is complain and email company's support department.

FYI, that link now redirects to a somewhat NSFW imgur page mocking HN.

That has been already discussed on this very page at https://news.ycombinator.com/item?id=15879470 .

I know. I think it’s funny. I did try to open it from HN again now and it didn’t redirect me.

This is really Slack's fault for not automatically turning the password into stars. IRC has done that for years!


Reminds me of people being told in chat to hit F10 to enable cheats in Counterstrike Source. Half the gamers would exit immediately.

Have you seen the feature they added to the latest release of BitchX and irssi?

Try it out: /disco party

So weird to have seen this before it was flagged off the front page yesterday... pure coincidence?


Now I feel old...

This is why Windows NT ensures no user process can intercept Ctrl-Alt-Del.

No. It is nothing to do with secure attention.

This is why Windows NT runs the log-on user interface, the screen saver, and the elevation consent UI on separate desktops that have restrictive ACLs disallowing interactive user processes from creating windows there.

The SAS is specifically so no one can hijack/spoof the password dialog. When you enter it you can be 100% certain you are talking to NT.

You're kinda both right. But the focus-protection part has nothing to do with SAS.

Not really sure what you think that adds.

Nobody is denying that the "anti-hijacking" forcing of CTRL-ALT-Delete adds to security, what they're saying is that it has nothing to do with this topic.

This topic is about keyboard input focus. In Windows, due to the process hierarchy the login UI isn't running in the same context as desktop applications, so stealing focus or focus drift couldn't occur.

This topic is about keyboard input focus.

Yes, and the SAS guarantees that after you enter it, nothing else can have keyboard focus. I don't see why this is such a controversial point. You will never come to unlock your NT workstation and find that the keyboard focus is somewhere you don't expect, because you need to enter the SAS first.

> I don't see why this is such a controversial point.

Because It's untrue. The SAS is a sanity check.

If something is spoofing a login screen on your desktop and you press CTRL+ALT+DEL, you will get a system menu instead of a password prompt.

If you are in the login screen, which is able to hook CTRL+ALT+DEL, it will switch to the password prompt.

Here's the clincher: even if you have the SAS disabled (which it is by default on Windows 10) there is still no way for an app to steal focus from the login screen. The keyboard focus assurances are handled by something completely different - protected desktops (these also handle the UAC prompt for the most secure setting).

Full circle: even though nothing can ever steal focus from the login screen (unless it is running within that protected desktop), if you don't use the SAS there is no way for you to know that you are looking at the real Windows login screen.

Normal apps can't, but it is possible to access other desktops, such as the login screen, from a system service. I work on software that does it

The quality of the software and the sacrifice of key functionality in the hardware (dropping of MagSafe, which was a huge differentiator, going to just USB-C ports which almost nothing supports, not even Apple's own in box phone chargers) demonstrates that Apple is purely a design house lately. It has completely faltered on the engineering side. Tim Cook is not an engineer and Jony Ive is not an engineer. There are engineers at the company but they don't seem to be getting a seat at the big table.

You talk as though you're stating facts. However I very much like USB-C for the usual reasons. Of course it's in the early stages, but personally I hook up all my peripherals to my laptop with a single cable. Much convenience.

Yeah, magsafe is paramount to doing professional work on a professional machine.

on .2 already. Never had an unwatch to unlock. The ghost typing happened to me yesterday. I never found out what got my password. hopefully it wasn't slack. I assumed it just went to the "root window" (does quartz have the same concepts as X?) of the lock screen

I usually press control key to wake up every computer (shift doesnt work on some). that one time I woke it up by tapping on the touchpad.

Windows handles this nicely with User Account Control (UAC) and Secure Desktop mode.

Many of OSX's problems come from trying to shoehorn security on top of operating system concepts that were developed in 1969.

I may be wrong, but Slack might be hijacking the window order, there's def some monkey business going on there.

Nothing should be able to hack outside of of the lock screen. That should require some crazy special permissions.

The system allows things like key-triggered screen grabs during the login password window (found this out when my 1 year old hit a bunch of keys), which already seems like nonsense.


What's the threat model here? That someone malicious with physical access to the computer somehow shifts focus to a program they know you have running such that, when you type your password, you send it to the malicious person.

That's a very tenuous exploit, seeing as it relies on physical access and knowledge that the victim is already running a program which would hand the password to the attacker were the password typed into it, and I'm assuming that changing focus once the lock screen is active is even possible.

But once the attacker has physical access, there are more things they can do, I'm certain, making this a rather pointless exploit as well. So disclosure isn't giving anyone a new road into the system, it's just making people aware of a potential security flaw in a way Apple might actually care about.

You don't need physical access to the computer at all. All you need is to make your malware program steal focus the same way Slack does it and then you can have the users password for that computer.

It's good practice to always assume bugs aren't innocuous even if you can't think of a way to exploit it.

Most people not in tech or infosec have never heard of and are totally uneducated about the concept of responsible disclosure. Maybe it needs to be added to high school computer class?

But this doesn't really need to be responsibly disclosed: it's not something someone can use to get into your machine, but rather a way you could accidentally broadcast your credentials somewhere unexpected.

Announcing on Twitter seems more like "hey be careful, make sure your password field is focused."

Yes, you can not get into someone else's Mac. However, what if the last opened application was Terminal? I can think of several scenario where you can do "damage" without logging in—if this bug is real—depending on the last opened application.

So you're going to start typing terminal commands into peoples locked macbooks on the offchance that they've hit this bug and are running a terminal?

Its a flaw that needs to be fixed, for sure, but lets not over-exaggerate the severity as an attack surface. Its much, much more likely that it will cause accidental problems when the owner types something (like in the tweet).

> if this bug is real

Why wouldn't it be? Plenty of people here and on twitter are reporting having hit similar issues (with OS X and even linux, so it doesn't seem completely uncommon).

Plus, even if you understand that, the thrill of having a shot at gaining thousands of followers instantly (like the root empty password guy) if you get lucky and get covered by news outlets is a great incentive for people to not responsibly disclose the security problem. If you responsibly disclose to Apple, it's their mercy to give you any reporting privileges, pay attention to you, and credit you.

That to me is not the right way to think, but in the day and age where number of likes and followers is king, I'd say it's not too irrational.

I've said it before and I'll say it again: You don't need to have heard of "responsible disclosure" to understand that publicly pointing out a bug before it's fixed can lead to people who did not previously know about the bug hearing about it and exploiting it maliciously. That just seems like common sense to me and (I'm willing to bet) many others.

Common scence is highly volatile variable thou..

The #iamroot bug was actually filed mid November with product-security@apple.com according to this weeks ATP - A couple of weeks before it all blew up on Twitter.

I think the cause is more pertinent than the symptom here - Apple don't seem to notice filed bugs unless they blow up on Twitter.

Except this dude on Twitter is. I wonder how many people in tech actually know about responsible disclosure.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact