Oh, wow - I reported this problem along with an example exploit to Apple about 6-7 years ago. Never got any recognition for it, but it was fixed some time after that. It's quite sad to see old bugs getting new lives like that.
For those interested, the sample exploitation that I discovered was this: connecting any iPod/iPhone device to an OSX laptop while the screen was locked took the focus away from the login prompt 'into' the system, where iTunes gained it, and from there it was just a few OS-level keyboard shortcuts from gaining network access to the system, while still locked: launch Finder, go to the tools folder, launch Terminal, launch `nc` in the terminal to get access via the network. Lots of blind typing, but it worked more times than not.
Hah. I've reported a similar issue with attaching an iDevice to a locked Mac in 2014. In my case, iTunes was opening a new space to restore its window in fullscreen mode, and the desktop contents were revealed while the animation was running (the lockscreen reappeared afterwards). Now I'm disappointed that I didn't try to get keyboard input into the system and fully pwn myself :)
I've seen enough regressions with enterprise stuff that I've wondered what their testing looks like. Of course they've always neglected the enterprise so I gave them the benefit of the doubt about the OS as a whole but now I'm starting to wonder.
Proofs of what? My story? I don't feel like I need to provide any. Proofs against Apple in the lawsuit you're suggesting? I'm not an American, so suing everyone for everything is not really in my custom ;) Rather than them paying me anything after being dragged to court (and I doubt I'd have any chance given the disparity between their legal resources and mine), I'd like to get an acknowledgement tied to my name, but I was told not only do they not do that, but also that they can't and won't tell me whether I was right and had found a real security bug. Steve Jobs era secrecy in all its glory.
I did read the rest of the comment. So I am asking if someone is either making this up or if not it's important to shame Apple for its secrecy. That's my view on responsible disclosure; either ack someone's hard work or let every bug free in the wild. What's the point when your work isn't being acked?
> What's the point when your work isn't being acked?
To get the bugs fixed?
Also, we don't know why they didn't get recognition. The simplest answer is someone else may have reported it first. But it doesn't really matter. And I really don't see how "secrecy" comes into play here.
With no disrespect to the developers at Apple, et al, each one of these problems that goes viral before reaching “proper” channels is a well-deserved slap in the face of these behemoth organizations.
Perhaps, if the entire tech community regards Apple as a joke, they will start paying attention.
“Responsible disclosure” is great stuff for creating a culture of free outsourcing of tech companies’ most important feature (security) to the same people that paid those companies thousands of dollars for that privilege.
Responsible disclosure is about preventing the bug from being exploited before it can be fixed. Knowing about this bug doesn't help me compromise someone else, but it does help me avoid getting compromised.
Only by casual hackers. The pros will probably have been exploiting the flaw for weeks or months against gainful targets.
If there is a reasonable end-user workaround against the vulnerability then I'd argue it's more responsible to publish early and widely than to wait for the vendor.
It becomes greyer if there is no workaround. I'm not sure what I'd support in that case.
The compromise is that I accidentally type my password into Slack and send it out to everyone in the building. There is no hacker involved in this one, and I can fully protect myself by ensuring that my password is going into the password field.
So, security through obscurity. No thanks. I'd rather know about the exploit ASAP so I can implement a workaround, rather than wait months for the vendor to get off their ass while my systems are getting hacked by the hundreds if not thousands of hackers that have 0-day knowledge.
Calling what you describe as "Responsible" is intellectually dishonest.
Perhaps you can write a patch or mitigate effects of (say) an OpenSSL bug. I can't. Certainly not for the myriad of devices that embed well known libraries in firmware images that I don't get to modify myself.
I'd much rather that those things which are remotely exploitable across millions of devices be kept quiet for a small period of time (30-90 days depending on the complexity of the fix required) so that I can get patches from our vendors and schedule an update at the first available opportunity.
You might call it security through obscurity, I call it keeping shit from burning down.
There are numerous potential workarounds besides authoring a patch. And they can be distributed in a user-accessible fashion, like the workaround for the macOS blank root password was.
Not telling the world about it does not keep shit from burning down. Eliminating vulnerable targets is the only thing that does that. And that is more expediently served by full and prompt disclosure.
What do you think it is that I'm calling responsible? I'm in favor of the public disclosure for this particular bug, and that seems to be your position too.
But these bugs are the kind that anyone could stumble upon, and if they are not security researchers their first instinct is to let everyone know about a crazy thing they found. I can't really blame them.
If companies want more responsible disclosure they should introduce harder to find bugs - sneaky edge cases in memory allocation sequences, stuff you'd have to pore over a disassembler for weeks, or slightly weakened PRNGs that would take some serious knowledge of finite fields to discover :-)
Presumably, if you had access to someone's locked MBP and you could move focus away from the password field, you might be able to trick them into revealing their pw; if the setup requires access to an unlocked device, it still allows you to leverage temporary access to an unlocked device to get a leaked password.
This stuff is so amateur, though, that I don't think it is being discovered and handled by security guys. It's just some dev that is annoyed that the lock screen doesn't have total focus, which is annoying and insecure and the kind of shit you'd see in the 90s.
Contrary to what you may believe, some people need to work on content and should not be touching security. It's absurd to expect Apple to fire all their non-security related staff and replace them with a whole organization of engineers that only work on basic security.
I do agree that apple has had a ton of problems in this area and needs to work on it, but this example is very played out and boring.
You can't just hire arbitrary numbers of security engineers. These positions are difficult to fill. There's a good chance that Tim Cook wanted to hire more security engineers than was possible.
"With no disrespect to the developers at Apple, et. al., each one of these problems that goes viral before reaching "proper" channels..."
s/that goes viral before reaching \"proper\" channels//
The fact that the problems existed to begin with is more troubling than whether they became known outside the company or not. IMO.
With an open source UNIX-like OS (like the ones Apple sourced from for parts of macOS), both the developers and the users can watch the commits as they happen. Developers and users anywhere can choose to watch the commits and may be able to detect a series of poor quality ones. At least they can make informed decisions on the relative merits of changes from one version to the next. (Edit: They might choose not to compile or install certain components. I do not use X11. Nor do I use systemd.)
The fact that development of macOS is hidden from those outside Apple and that problems are protected from "going viral" does not make the problems any less of an issue for macOS users.
The issue is not how fast and secretively they fix problems, it is how many problems their developers are introducing into the existing version to begin with.
If there are problems routinely being introduced then no amount of fixing after the fact and behind the scenes is going to make the OS higher quality. Only due care taken before introducing changes will guard against further deterioration of quality level.
(Edit: The mention of open source is not intended to be interpreted as an argument that open source inherently results in better software. Perhaps skill and attention to detail are at cause. This is a debate worth avoiding.
The relevance of the mention of open source is intended to suggest that detecting and avoiding problematic software may be easier for some users, e.g. yours truly, if they can access the source code. As opposed to hoping that Acme Hardware and Software Corporation will quickly and secretly fix all software problems that slipped through their QC procedures. Too late for the user who has already paid for the software and updated to the new version. That argument should not be too controversial.)
In addition to the many xscreensaver bugs over the years that the sibling post mentioned, last year there was a systemd root escalation exploit that was the same class of programming error as Apple's bug that enabled the root account with an empty password. From my understanding, in both cases they misinterpreted the return code's magic number (-1) as something it wasn't.
Also, Linus' Law has some doubters. Things like Heartbleed show that Open Source isn't immune to long-standing, very impactful bugs.
I completely agree it is an advantage and I'm very happy there are options that are mostly Open Source (I say mostly because I'm not a fan of binary drivers, which are often a necessity for decent performance or features).
> Why all-or-nothin?
The parent was citing the existence of a few specific bugs in macOS and Open Source as an alternative (implying it wasn't vulnerable). I really think the "given enough eyeballs, all bugs are shallow" is something Open Source advocates take too much comfort in. The idea does have merit, but there needs to be more study/context to how it plays out in real life.
Another example where this idea fails; there are credible suspicions that the NSA has influenced encryption standards introducing backdoors or known flaws even though the algorithms themselves are publicly known and freely available as well as the implementations.
I really think you're overstating things because that's not true for a majority of people. A 0-day found in open source code is no different than a 0-day in closed source. In both cases you need to responsibly disclose it to the maintainer and sit and wait for the fix to trickle through support channels. With open source you can attempt to submit a patch.
If I found a bug in ssl, I can't imagine I'd re-compile that and track down every package I use that relies on it and re-compile those. Everyone uses their own build system and managing dependencies sucks. I'd try and mitigate the risk against those tools until fixes were distributed through normal channels--just like I would in Windows or macOS.
If I was a large company, with closed source software I would have a vendor agreement to get fixes/changes, with open source I would have the expertise in-house and extra labor (or I'd have an agreement with a support company like Red Hat much like closed source software). A small company likely won't have the expertise in house or the spare bandwidth to mess with those things. For home users it would have to be someone with a serious hobby and specific skills.
Ironically Linux has had so many long standing versions of this exact vulnerability (screensaver issues leading to various forms of terrible disclosure) that it's not even really interesting to talk about them.
I'd send you to the relevant jwz rants but I'd rather spare everyone the goatse-ing...
> “Responsible disclosure” is great stuff for creating a culture of free outsourcing of tech companies’ most important feature (security) to the same people that paid those companies thousands of dollars for that privilege.
Also, "responsible disclosure" means absolutely nothing to most people who are not security researchers. They don't know about it; even if there is a bounty and they could make a decent profit, they have no idea what those things are. They notice they can get root access or that the focus sends their password to Slack, and they'll tweet about it.
Yeah. You can do keystroke logging without root but typing into password fields can't be intercepted. This would be a nice complement to that capability.
If you reused the password, yeah, instant pwnage everywhere. If your local account password isn't used anywhere else, meh, random IRC people don't have physical access to your machine :)
No need to reuse your password. If the machine has sshd enabled, the attacker only has to guess the account name, but that's hopefully a lot easier than guessing the password.
Depends how you authenticate with your password. You could use pubkey with or without a password. Even if you reuse the password there, even if they have your password, if they don't have your private key they can't authenticate.
Remote logon with passwords allowed and sshd exposed to the whole internet (not behind ISP's NAT, not behind home NAT, port allowed on home firewall, port allowed on laptop firewall).
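The condition spelled out in the last two comments (sshd reachable from outside and still accepting passwords) is the part a defender can check in the server configuration. The following is an added example, not code from this thread or from OpenSSH: it parses the global section of an `sshd_config`, using the keyword semantics documented in `sshd_config(5)`, and lists the settings under which a leaked account password alone is enough to log in. The function names and the two sample configurations are constructed for illustration.

```python
"""Audit an OpenSSH sshd_config for password-based remote login.

Added example, not code from the thread or from OpenSSH. A password that
ends up in a chat window only turns into remote access when sshd is
reachable and still accepts password-based authentication; this parser
reads the global section of a config and reports the settings that make
that the case. The sample configs below are constructed for illustration.
"""
from __future__ import annotations

# OpenSSH defaults for the directives examined here, per sshd_config(5).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",  # PAM prompts, usually for a password
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Deprecated spelling still accepted by sshd; treated as the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global settings, keys and values lowercased.

    sshd uses the first value given for a keyword, so later duplicates are
    ignored. Parsing stops at the first ``Match`` block because directives
    there apply conditionally and need the connection context to evaluate.
    """
    settings = dict(DEFAULTS)
    seen: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in seen or len(parts) < 2:
            continue
        seen.add(key)
        settings[key] = parts[1].strip().strip('"').lower()
    return settings


def password_login_findings(settings: dict[str, str]) -> list[str]:
    """List the settings under which a leaked account password is enough to log in."""
    findings = []
    if settings["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: the account password alone authenticates")
    if settings["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication yes: PAM keyboard-interactive can still "
                        "prompt for the password even with PasswordAuthentication off")
    if settings["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root accepts password logins as well")
    return findings


# Constructed sample: Remote Login enabled and left at stock settings.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed sample: key-only logins; the Match block is outside this audit.
HARDENED_CONFIG = """\
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no   # old name, same setting as KbdInteractive
PubkeyAuthentication yes
PermitRootLogin prohibit-password
AuthenticationMethods publickey
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = password_login_findings(parse_sshd_config(cfg))
        print(f"{name}: {'; '.join(findings) or 'no password-based login path'}")
```

On macOS the file to feed in is `/etc/ssh/sshd_config`, and whether the Remote Login service is on at all can be read with `sudo systemsetup -getremotelogin`. The audit deliberately stops at the first `Match` block, so a per-user or per-address exception that re-enables passwords has to be reviewed by hand, and the NAT and firewall layers listed in the comment above are outside what the config file can show.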
We do regard them as a joke; Apple is for you non-techies that like cool stuff and don't care about being overcharged for a metal case... how many iPhones have broken screens?
Apple customers don't care about the tech, they care about cool. This is what Steve Jobs and Apple have branded themselves on, so that's what you get: cool without good tech. And it won't matter, because that is not the reason people buy Apple.
The tech community doesn't care about Apple, but the engineers will happily take their money to work on their products. If Apple falls, programming and computing will go on happily, and at least we won't have to build overpriced products for a bunch of children taking selfie shots who don't care two cents that they have a technical marvel in their hands.
Not to pile on, but my MBP (with "TouchBar" which will assuredly not exist in another year) is always in clamshell mode and connected to two external LG 4K displays. Whether, on which screen(s), or in what state the Mac wakes each morning is completely random. Sometimes it doesn't wake at all. Sometimes I have artifacts on one screen and a desktop on another screen. The sleep/wake sequence is a complete mess, and it doesn't surprise me that the focus might sometimes be on apps running in the user session behind the lock screen.
Wow, I have a similar issue. I have an Acer 4K monitor at home with both HDMI and DisplayPort. I used to use HDMI to connect it to my 15-inch 2016 MBP, and the Mac used to crash very often. Close the Mac and connect the dongle with HDMI? Crash. So I'd have to restart the Mac, connect the monitor while keeping it open, and then close it. But once I disconnected the monitor - crash.
I then got a usb c/thunderbolt to display port for 4k 60fps, and the issues significantly dropped, but it still occasionally happens.
I've noticed this crash as well. I've got my MacBook Pro connected to an external monitor via a USB-C/Thunderbolt cable. I close my laptop when I leave work, which puts it to sleep/locks it, and approx. 10% of the time when I come back the next day my machine won't wake up and I have to do a hard restart. I can see some things flashing on my screen, but the laptop screen is completely blank.
Same problems as you, but I disagree on the touchbar. It’s one of the better things Apple has added recently.
But holy hell do they need to work on their external monitor support. Yesterday I had one of my monitors randomly go black for a second. I’ve had audio over USB-C just not show up anymore, and it refusing to see my gigabit ethernet when waking up unless I unplug the actual ethernet cable. Simply amazing this passed their QA - and I'd find it hard to believe no one at Apple uses clamshell mode with two monitors.
> but I disagree on the touchbar. It’s one of the better things Apple has added recently.
Strongly disagree, and I can not conceive of how it could be viewed as "better" than hardware keys. Maybe if they moved it above the FN row and we regained the hardware escape key, while making it a build to order option. Even then, I personally would have no interest in it, and neither would anyone else I know. I do not want to look at my hands while I type, ever.
I don't know how far out it would be but with the changes to their keyboard and the addition of their touchbar I wonder if their long term plan is a touch screen in the bottom half to replace the keyboard and pad. Without some kind of tactile interface I hope I'm wrong about my suspicions.
Ah, but you see when Apple release the iTouch it'll be a whole new paradigm of human-computer interaction! Never before have people been able to control their computers by touching the screens!
> Strongly disagree, and I can not conceive of how it could be viewed as "better" than hardware keys.
I hope this is hyperbole, because it shouldn't be hard to understand. The TouchBar is absolutely an improvement. I can't remember the last time I actually used a laptop keyboard's F-keys for anything, but the TouchBar makes that space useful.
Funny, I actually tested Chrome before commenting just to make sure it wasn't doing something weird, and F5 definitely doesn't reload Chrome on my computer.
My touch bar computer still has an Esc key. It's part of the touchscreen now instead of a physical button, but it still works the same way and I've never had any problem hitting it without looking.
By consoles do you mean terminals? Terminal.app uses ⌘⌥1–9 to switch windows and ⌘1–9 to switch tabs. The F-keys aren't used by Terminal.app at all (well, they're sent to the terminal as an escape sequence).
No, I mean complete GUI heads: completely separate GUI login sessions which use the same screen and can be switched between. Also called 'virtual framebuffers,' I think.
Very awesome. I'm sure that Macs support something similar.
macOS has something called Fast User Switching, which is completely separate login sessions, but you access it through a menu on the right side of the menubar, not with keys.
macOS also has Spaces, which is just virtual desktops, but again, it doesn't use the F-keys to switch between them.
I'm strongly reading GP comments as trolling, given indirect context, but I respect your approach of taking the high road by assuming simple ignorance.
I really wasn't trolling. I've not used macOS for almost twenty years now, so I genuinely didn't know if it supported multiple graphics consoles. I'm not surprised that it does, but I wouldn't have been terribly surprised if it didn't, either.
My (un-trolling) point still stands, though: I use the Function keys on a daily basis, to switch between consoles.
We have many staff with MBP + dual external displays and it's always been the least reliable aspect of the platform. From reading between the lines in the unusually arcane history of support docs on the topic, I've surmised their stance can be summed up as "it might work!" Which of course runs counter to the Apple It Just Works ideal, so they can never come out and admit as such. They've gone to great lengths to squeeze impressive performance out of their stingy graphics hardware choices at the OS level, but there's not much you can do to massage the numbers when adding up pixels, I guess.
For what it's worth (anecdote incoming) I use a touchbar MBP with a Dell UP2414Q, which is driven using multi-stream transport. Effectively its panel is presented to the system as two separate displayport streams running daisy-chained over a single port. Once I found the right cable, everything worked fine. (The first cable was advertised with DP1.2 and MST support, but it would only operate in the legacy mode that dropped down to 30 Hz).
God forbid you try to use this with Windows though. Sometimes half of the screen cuts out, sometimes one side of it shifts by a couple hundred pixels (and wraps the right edge of the image around to a stripe down the middle of the screen), and god knows what other problems that I can't even remember. This was with a GTX 900 series GPU which is definitely "supported."
I used to have it hooked up to my Windows desktop since that's the fast computer with more storage and RAM, so it should be great for stuff like Lightroom. But since the screen doesn't work reliably, I moved that back to my MBP.
A friend with the same screen had identical issues on Windows and a similar solution. It's now on his wife's desk for her to plug her Macbook into.
Display signaling has gotten a lot more complicated than DVI/VGA were, and the reliability problems that have cropped up from that are present across the industry.
I can't say for sure if it's the cable's fault or if it's the particular combination of cable/computer/screen that has some obscure compatibility problem. Makes me miss the days when a cable was a cable and we could tell people "Just buy any HDMI cable, no need to spend $60 on it."
I use my MBP with 4 different external monitors (all different types, Apple, Samsung, Acer and Dell), two at a time, and it almost always works. Once in a blue moon something glitchy happens, not sure if that's reasonable performance or extraordinary performance given I haven't seen any other platform do as well.
This was one of the reasons I never adopted Linux on a laptop. Power management simply never worked. I used Windows for many years on a ThinkPad with Linux in a VM but this felt dirty. Bought a Mac and life was good. Well it was until 10.13. 50% of wake up events I have to log in to a trashed desktop now.
It makes me long for a computer nailed to a bit of ethernet that is never turned off.
Edit: also I just went through hell trying to get a USB to serial converter working on OSX. Not exactly a crap one, a Keysight U1173B with Prolific chipset.
Are you connecting to an external monitor? Sleep Wake still works fine for me. The other thing is that I didn't import anything from backup. It's a clean install.
In my experience there have been problems for a while with sleep/wake if you have external monitors. I'm running 10.12 (work computer, no option for 10.13 yet), and I have three monitors connected to my MBP. I had to adopt a ritual about disconnecting the first screen, then lifting the lid a bit to activate the internal display, then disconnect the other two monitors, then close the lid. Otherwise more often than not when I woke my computer up next it would not have a usable desktop -- the dock would be on a nonexistent screen and could not be found. I got pretty used to using spotlight to load terminal and blind type 'sudo reboot'.
That's similar to my experience when using HDMI cables. Switched to using USB C -> MiniDP cables and things are better now, except since I can't daisy-chain the two monitors with DisplayPort (the rMBP can't drive them both, a Thinkpad happily would) that means two out of the four USB C ports are used up.
Still getting random freezes sleeping and waking though. Especially if I don't open the internal panel before disconnecting the external monitors and USB hub before putting the laptop to sleep.
Linux specifically has a horrible track record for sleep/battery management in laptops, and worse recovery. Windows used to be far more buggy, but over the long XP era a lot of that was fixed by XP SP3.
Aside:
I just wish there was an option in Mac to use "PC Shortcuts" in all my apps... it's the only place where some of the key combinations feel truly alien in most apps. I use a "PC" keyboard, but remap CMD to CTRL, ALT to SUPER/WIN, and CTRL to ALT... but in the end, terminal is awkward, and some other shortcuts are hard.
May take the time to figure out how to get VSCode how I like it with the Windows/Linux shortcuts, but my key bindings... find/replace are particularly awkward to remember, and I usually resort to mouse menus.
Not just a horrible track record, but the current state is also bad. I have a pretty recent Debian install on a bog standard Lenovo which otherwise runs Linux beautifully. It took days of fiddling with conf files and trying things out to get Suspend and Hibernation to work in a sensible way. The kernel, systemd and Gnome all try to do stuff, but they can't seem to agree on who's responsible for what part of power management. This is something that should work out of the box.
I installed Arch on a T460p, and suspend-to-RAM worked out of the box. (And this has been my experience w/ Thinkpads and Linux for well over a decade now. Now, I don't do suspend-to-disk, because I dislike it.)
Yes, I've been struggling with the latest Mint; 50% of the time on wakeup I just get a black screen and no responsiveness. I've had dual-screensaver issues, incorrect monitors etc. Really makes it feel hackish.
I have a similar problem running my touchbar Macbook Pro in clamshell mode via a CalDigit USB-C dock. All sorts of issues with it discovering USB devices when you plug the hub in too.
Sleep / wake in this kind of setup has always been an issue with my 2013 rmbp. I'm not even on high Sierra. USB stuff doesn't wake up the computer. Opening the lid doesn't wake it up. Sometimes typing on the laptop itself doesn't work and it requires a hard reboot. It's been four years now and I've given up hope that Apple will ever get sleep / wake right.
The reality is that Apple's software is absolute shit. OS X was the only software that wasn't shit. I can't think of a single counterexample otherwise. They take great software (like logic audio) and turn it to shit. It's incredible. Clearly macos follows in the shit tradition of iTunes, the legendary mother of Apple's shit software.
Very similar issues here. MBP Touchbar with one external 5K LG display. I love the LG when it works.
Super frustrating when I sit down and wake up the machine to find both displays flashing. Usually unplugging the LG clears things up, but replugging often results in the brightness on one display being set randomly.
Clamshell mode has notoriously been a problem for many years over a bunch of models. Sleep/wake has usually been way better than Windows or Linux, but has also had its share of problems. The sleep/wake issues usually get fixed; the clamshell issues, from what I've gathered, get resolved less often.
I've just bought my first MacBook Pro with a dedicated GPU this year, and I'm having WAY more tiny glitches than with the pure Intel machines I'd had before. (10.13 has thankfully fixed lots of them!) I love my 5K screen, but I hope I'll never have to buy a machine with GPU switching again.
I'm really surprised Apple is still releasing MacBook Pros with gpu switching after all these years. They've always had serious problems and I figure they would stop selling them or make the major changes needed to resolve the issue.
Thankfully, I haven't owned one, but I hear so much. Which sucks, because there are more and more nvidia-specific things I'd like to do on a mac laptop.
I have an OG MBP with the same problem. It seems to have improved, but I still occasionally get kernel panics (?) when I resume with multiple monitors connected.
FWIW this is a known security bug at Apple. I filed a bug about similar behavior where you can see the desktop briefly without logging in. Apple marked it as a duplicate. https://imgur.com/YxXtU2y
Here are the steps to reproduce:
- Start Mac
- Login
- Turn on Screen Lock: System Preferences > Security > General > Check "Require Password" and Select 5 Seconds.
- Turn on Hot Corner Sleep Display: System Preferences > Mission Control > Hot Corners > Select upper left > Put Display to Sleep > Ok
- Attach external monitor
- Activate hot corner by dragging mouse to upper left corner of screen
- Wait 6 seconds
- Click the mouse to trigger waking the screen
- See brief flash of the desktop without logging in!
I actually think I've experienced something similar across every OS I've ever used. With Linux distros I was always able to trigger it by opening and closing the lid a few times. With Windows, I don't remember the exact sequence or what version.
Overall, there appears to be something funky with this overlay technique and how things are asynchronously rendered.
So, Apple has the most available cash resource of any company out there (or at least close to). Yet, bugs galore, and strange product decisions. The obvious conclusion is that their management is failing to staff accordingly to the work that needs to be done. This could be because they are not aware that work needs to be done, which means engineers are not telling them, or that the management is not succeeding in hiring enough people to do the jobs.
My gut instinct says that some former people at Apple used to do a lot of undocumented QA work and sanity checks, and that as the company has grown and changed, nobody picked up the slack when they left. Now, they'll have to go through a formal process of re-identifying QA steps that need to exist, and hiring against them. It's been a hell of a month for them, though.
If I could work from a European Apple office, this would be 100% my dream job. When you implement new features, you are slave to your marketing department - I'd hate to waste my time on pointless gimmicks like the macOS Siri UI, for example. Maintenance work is much more satisfying because you're directly serving your users (usually skewing towards power users too!).
Also, I don't think the privacy restrictions would be so bad. Apple's UIKit engineers occasionally chit-chat with indie devs on Twitter.
The problem is that this job would be absolutely futile. If Apple hired 100 great engineers to fix bugs, management would simply double the amount of features that go into each yearly release.
For a company that loves minimalism so much, you've hit it right on the money WRT management.
The TouchBar, while interesting, is the perfect example of this. I'd love to have had it along with the physical buttons - there's plenty of room. Alone, though, it is pretty weird.
I assume that the real problem is that Apple's managers do email and web browsing, and that's it. They probably don't spend enough time in pro apps or trying to be productive to understand that a window manager built in, or physical keys or an improvement to their native text editor would be helpful.
Yeah, but if you can make $300k a year, you're likely not dedicating your software engineering career to fixing bugs. Also, you can go a few miles south to Los Gatos and work at Netflix and make $400k/year.
I am not an engineer, but from my non-technical POV, this seems ridiculous. Is the cult of building new software really so much more attractive than making the software actually work? I mean, I think this attitude perfectly encapsulates why Apple has problems. Is bug fixing much harder than building the systems from the beginning? Is the difficulty in reading and checking code for errors really hiding the fact that this "unsexy" work of bug fixing involves the actual difficulty?
If, in any other field you found people that only wanted to make first drafts, you'd call them copywriters and designers, not engineers. And even if it is totally normal to eschew bug fixing in favor of drafting, isn't there a salary that would cause people to do it? If so, Apple should just pay that and hire those people - it'll still pay off in the long run.
I think that's for Sr. Engineers++. What I heard is that they do an all in compensation plan so your equity, bonus, and salary are all rolled into your salary and then you decide what you want to do with it. On Glassdoor that doesn't seem to match what I was told though.
You're right, but Apple doesn't work like that. They just spent 5 billion dollars on Apple Park attempting to put everyone under one roof. I don't think it's in Apple's corporate DNA to outsource core components of their operating system to a more immigration-friendly country.
It means money is not everything. Yet for some reason people seem to think the most expensive stuff is the safest, nicest and the best one. Like they are buying trust or what..
I did something similar too - I was typing in the password while the Mac was being unlocked by the watch using that unlock-with-the-watch feature.
I was used to hammering return a few times to wake the machine up, then typing in the password, then hitting return again.
The few times I hammered return woke the machine, the watch unlocked the mac and the password plus the return key went into the app that had focus which for me also was Slack.
Is it possible that this user had the same thing happen to them? When I disable the watch unlocking, I can't make the password go anywhere but into the login screen (10.13.1 here with last week's security update applied).
Original Poster replied to my tweet where I asked him if he has an Apple Watch:
>Hey Tonny. No I don't have an Apple Watch so it's not related. I did connect an external screen before opening the MBP though, so maybe it's related to that?
Note that I can't reproduce it, happened only once so it must be a shady bug.
Because of the short delay between waking the Mac and the display lighting up, I always either use spacebar or command key, or click the trackpad/mouse a couple times to wake.
I used to hit the Shift key to manually triple-verify keeping my laptop 'alive' during long videos/presentations but have since switched to the Ctrl key. Thanks Sticky keys!
Hell yes. I wonder what's the worst thing someone has done with this?
When you hit return and just before the keystroke a pop up comes up and you agree to something you didn’t want.
I've seen a couple of bad ones in the radiology world.
Oh god, popups while you're typing are the worst. I feel like the OS should not even allow it.
No idea how to prevent the issue, but I've been caught mid sentence before and accepted installs, upgrades, random popups, etc. Ones from Skype tend to be the most infuriating / scary..
It's not too difficult. a) only the application with keyboard focus gets to open new windows with keyboard focus less than about two seconds after a keystroke (with no intervening mouse activity). b) no keyboard input into a new window for the first second, unless the user clicks there.
We looked into this while I was at Trolltech. Decided against doing it for Qt unilaterally; it's really something the system must do, or else it's too annoying.
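The two rules sketched in the comment above can be modelled as a tiny window-manager policy. The following is an added example, not Qt code or anything from the commenter: a simulator that applies rule (a), only the app that already has keyboard focus may open a focused window within two seconds of a keystroke with no mouse activity in between, and rule (b), a brand-new window receives no keyboard input during its first second unless the user clicks it. The application names, window titles and timings in the three scenarios are constructed.

```python
"""Focus-steal policy simulator for the two rules in the comment above.
Added example; not Qt or any real window manager's code. All scenario data is constructed."""
from dataclasses import dataclass, field
from typing import Optional

QUIET_AFTER_KEYSTROKE = 2.0   # rule (a): seconds after a keystroke in which only the focused app may take focus
NEW_WINDOW_GRACE = 1.0        # rule (b): seconds during which a new window gets no keyboard input unless clicked


@dataclass
class Window:
    app: str
    title: str
    opened_at: float
    clicked: bool = False
    received: list = field(default_factory=list)   # keystrokes actually delivered to this window


class FocusPolicy:
    def __init__(self) -> None:
        self.focused: Optional[Window] = None
        self.last_key: Optional[float] = None
        self.last_mouse: Optional[float] = None
        self.events: list = []           # human-readable decisions, for the demo output

    def _user_is_typing(self, now: float) -> bool:
        # Rule (a): a keystroke within the quiet window and no mouse activity since that keystroke.
        if self.last_key is None or now - self.last_key >= QUIET_AFTER_KEYSTROKE:
            return False
        return self.last_mouse is None or self.last_mouse < self.last_key

    def click(self, now: float, win: Window) -> None:
        # A click is an explicit act: it ends the "typing" state and lets the window take input at once.
        self.last_mouse = now
        win.clicked = True
        self.focused = win

    def open_window(self, now: float, app: str, title: str, want_focus: bool = True) -> Window:
        win = Window(app, title, now)
        if not want_focus:
            return win
        if self._user_is_typing(now) and self.focused is not None and self.focused.app != app:
            self.events.append(f"t={now:.1f}: focus denied to {app} ({title}); user is typing in {self.focused.app}")
            return win            # the window opens behind; focus stays where the user is typing
        self.events.append(f"t={now:.1f}: {app} ({title}) takes focus")
        self.focused = win
        return win

    def key(self, now: float, key: str) -> Optional[Window]:
        """Deliver one keystroke; returns the receiving window, or None if swallowed by rule (b)."""
        self.last_key = now
        win = self.focused
        if win is None:
            return None
        if not win.clicked and now - win.opened_at < NEW_WINDOW_GRACE:
            self.events.append(f"t={now:.1f}: '{key}' swallowed; {win.app} ({win.title}) is only {now - win.opened_at:.1f}s old")
            return None
        win.received.append(key)
        return win


def scenario_popup_while_typing() -> dict:
    """Constructed: the user types in a chat client and an installer pops a dialog mid-sentence."""
    wm = FocusPolicy()
    chat = wm.open_window(0.0, "chat", "message box")
    wm.click(0.0, chat)
    for t, k in ((1.0, "h"), (1.2, "i")):
        wm.key(t, k)
    dialog = wm.open_window(1.5, "installer", "Install now?")   # rule (a): denied, user is typing elsewhere
    wm.key(1.7, "Return")                                       # still goes to the chat window
    return {"focused": wm.focused.app, "chat_got": chat.received, "dialog_got": dialog.received}


def scenario_popup_while_idle() -> dict:
    """Constructed: the user is idle, a dialog opens legitimately, and Return is hit just as they look up."""
    wm = FocusPolicy()
    chat = wm.open_window(0.0, "chat", "message box")
    wm.click(0.0, chat)
    wm.key(1.0, "h")
    dialog = wm.open_window(10.0, "installer", "Install now?")  # 9s since the last key: allowed to take focus
    first = wm.key(10.4, "Return")        # rule (b): swallowed, the window is 0.4s old
    second = wm.key(11.5, "Return")       # delivered, the grace period is over
    return {"first": first, "second_app": second.app, "dialog_got": dialog.received}


def scenario_own_dialog() -> dict:
    """Constructed: the focused app opens its own dialog mid-typing; rule (a) allows it, rule (b) still applies."""
    wm = FocusPolicy()
    editor = wm.open_window(0.0, "editor", "document")
    wm.click(0.0, editor)
    wm.key(1.0, "x")
    props = wm.open_window(1.2, "editor", "document properties")  # same app as the focused window: allowed
    wm.key(1.3, "Return")            # swallowed: the dialog is too new to accept a stray Return
    wm.key(2.5, "Return")            # delivered to the dialog
    return {"focused_title": wm.focused.title, "props_got": props.received}


if __name__ == "__main__":
    for fn in (scenario_popup_while_typing, scenario_popup_while_idle, scenario_own_dialog):
        print(fn.__name__, fn())
```

The third scenario is the case raised further down the thread (a dialog from the application the user is already typing in): rule (a) cannot help there, since the app legitimately holds focus, but rule (b) still discards the Return that would otherwise accept the dialog's default button.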
But what about pop ups that come from within the application? Anything that has dialogues come up when there is a chance the user might be using enter/return for a different purpose is a bit crap, especially with multi-screen systems where there is a fair chance the user is looking elsewhere. Even just having no pre-selected default would help (so arrow - enter/return would be needed).
Is this an example of what you have in mind: The user is typing at Microsoft Word, and it's not a keyboard shortcut to open the "document properties" window, and Microsoft Word chooses to open another window during the typing and divert keyboard focus there?
This seems like something that should be handled by the application's developer. A different application's popup or focus steal should be managed by the window manager / OS.
My favourite was watching someone perform an MRI with injected contrast - imaging being timed for specific points after injection.
They are just tidying up parameters for a bit of post-contrast injection imaging.
They hit enter to accept a parameter change just as a notification appeared to trigger the next scan. Basically it missed the key imaging phase and the scan had to be repeated a day later once the injected contrast had been cleared out of the patient’s system.
Imaging equipment vendors seem to make custom UI in places where it is unneeded (software buttons which trigger on touch down, not touch up for critical functionality?! Why?) but in places where it would be safer to make something custom they don’t.
Yes, stealing focus by another application should not be permitted by the window manager / OS. Windows XP had a feature or a 3rd party plugin that would simply blink the application in the task bar if it attempted to steal focus. I also seem to remember a similar feature in Gnome 2, though it could be a false memory.
Hmm, the "Unlocking with Apple Watch..." sequence breaks when you hit a key and then displays the standard password field, so that you can type in your password instead. This seems really unusual.
I worked at an open source shop where almost everyone ran Linux and used IRC for chat. For a while I made the mistake of having the screen black time lower than the screensaver timeout, so I'd unlock my screen and see my password go out in IRC. I ended up changing my password to something that looked like a shell command.
These lock screen issues go back further than 10.13, I believe it was 10.10 or 10.11 my child was able to bypass the lock screen by mashing on the keyboard while the screensaver was fading out the login dialog.
I witnessed it. I was not able to reproduce it in 10-15 minutes of testing. She did NOT type in the password. Just banging on the keyboard, playing with the screensaver.
Lock screens are harder than they first appear: www.jwz.org/xscreensaver/toolkits.html (Which, you'll note, mentions this exact failure case in the "Transfer Grabs?" section.) There's some X-specific stuff in there, but there's a lot of general issues in there, and with just a bit of imagination most or all of the X-specific issues can be seen as general issues as well.
Sadly, he also is fighting against the only solution to this issue.
There has been work to solve this by registering the session, compositor, and screen locker each with the session manager.
If the screen locker (which now can use any toolkit) crashes, the session manager can try to restart it. If it fails again, it just displays "your unlocker has crashed. To unlock this session, open a tty, login, and type `loginctl session-unlock`"
This solves all the issues, but he (and many others) have been fighting against systemd for a while (which fixes this, and so many other issues, which no competing project ever handled)
>sirsar: JWZ used to detect the hacker news referrer and redirect all links that originated on hacker news to goatse. Now it's only slightly less graphic
Sorry. Pity. It's actually crammed full of good stuff, which is why I linked it. It's a classic easy-looking problem that gets really hard when you get down in the weeds.
See the problem is that they don't have to be. An architecture where the screenshield must be a client to the display server like any other application is terrible design and largely an X-ism rather than something fundamental.
No, because HN is the people he worked for - the people who use him winning the startup lottery to explain away all the losers of that lottery and keep feeding young, impressionable people to the startup destruction machine.
Pretty much that, I reckon. He’s warned anyone who would listen not to work as hard as he did while at Netscape. But at the same time, he did win the startup lottery, so there’s that.
I agree. He could just redirect to a blank page but this puts him in a really bad light. I wouldn't care except I frequently browse HN at work when I'm getting settled in in the morning.
Left Slack open with focus, allowed MBP to sleep, woke with space bar, login field had focus, tried with closing lid and opening while Slack was open and focused, again password field functioned as it should, unable to reproduce, macOS 10.13.2
Difficult to reproduce; it can happen when we lock the session, close the MacBook, plug in a second screen and re-open it, or in another order. Personally I remember not having the focus on the password input after opening my MacBook one time; I often plug and unplug screens.
I was in a huge lecture hall and the head of school was about to give a presentation. He plugged in, turned to look at the display from the projector and it hadn't come up yet. He typed in his username and password and stood there waiting. When the projector came to life he had typed it all into the username field.
He fixed it up then displayed his desktop to us with all the pending final exam papers sitting there. No one in the hall showed any obvious sign of realising what had just occurred.
I often wonder how many authentication log files contain passwords because people in a hurry append it to the username by accident (not visually confirming the Tab/Enter/switch to the password entry).
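The worry above is a real one for anyone shipping auth logs to a central store: OpenSSH logs a rejected username verbatim ("Invalid user X from ..."), so a password typed after the username lands in the log. Below is an added example, not the commenter's or OpenSSH's code, of a scrubber a defender could run before forwarding such logs. It assumes OpenSSH's standard message wording and a constructed set of local account names; the sample log lines are constructed as well.

```python
"""Flag and redact 'invalid user' names in sshd logs that look like a username with a password appended.
Added example for log forwarding; not OpenSSH code. KNOWN_USERS and SAMPLE_LOG are constructed."""
import re
from typing import Iterable, List, Tuple

# Constructed: accounts that exist on the host. In practice, load these from the passwd database or directory.
KNOWN_USERS = {"alice", "bob", "deploy"}

# Captures the username in OpenSSH's "Invalid user X from ..." and "... for invalid user X from ..." messages.
INVALID_USER_RE = re.compile(r"(?i)(invalid user )(\S+)( from \S+)")

# Characters a conventional lowercase POSIX account name would not contain: a hint that more than a name was typed.
ODD_CHARS_RE = re.compile(r"[^a-z0-9_.-]")
MAX_POSIX_NAME = 32


def looks_like_credential(name: str) -> bool:
    """Heuristics for 'username with a password typed after it' in a rejected login name."""
    if len(name) > MAX_POSIX_NAME or ODD_CHARS_RE.search(name):
        return True
    # A real account name followed by a few extra characters, e.g. "bob" + "hunter2" -> "bobhunter2".
    return any(name != u and name.startswith(u) and len(name) - len(u) >= 4 for u in KNOWN_USERS)


def redact_line(line: str) -> Tuple[str, bool]:
    """Return (possibly redacted line, flagged). Only the suspicious username is rewritten; the rest stays intact."""
    m = INVALID_USER_RE.search(line)
    if not m:
        return line, False
    name = m.group(2)
    if not looks_like_credential(name):
        return line, False
    # Keep the known-account prefix (useful for investigation) and drop whatever followed it.
    prefix = next((u for u in sorted(KNOWN_USERS, key=len, reverse=True) if name != u and name.startswith(u)), "")
    replacement = f"{prefix}<redacted {len(name) - len(prefix)} chars>"
    return line[:m.start(2)] + replacement + line[m.end(2):], True


def scrub(lines: Iterable[str]) -> List[Tuple[str, bool]]:
    return [redact_line(line) for line in lines]


# Constructed sample: a user who typed their password straight after the username, plus ordinary noise.
SAMPLE_LOG = [
    "Dec 11 09:14:02 mbp sshd[1234]: Invalid user aliceS3cret!pw from 10.0.0.5 port 51234",
    "Dec 11 09:14:05 mbp sshd[1234]: Failed password for invalid user aliceS3cret!pw from 10.0.0.5 port 51234 ssh2",
    "Dec 11 09:15:00 mbp sshd[1300]: Invalid user admin from 203.0.113.7 port 4040",
    "Dec 11 09:16:11 mbp sshd[1311]: Accepted publickey for deploy from 10.0.0.9 port 5000 ssh2",
]

if __name__ == "__main__":
    for scrubbed, flagged in scrub(SAMPLE_LOG):
        print("FLAGGED " if flagged else "        ", scrubbed)
```

The heuristics err on the side of redacting: a long or oddly spelled name that is merely a typo is also rewritten, which costs an analyst little, while a leaked password that reaches the SIEM and its backups costs a password change for everyone who saw it.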
This is also vaguely similar to the 'test SSL submit' security technique of first entering enough data into login forms to process a submission, and then entering real login info into the 'login failed' retry page after verifying SSL. This has lost some of its luster as non-SSL form submission has fallen out of wide usage.
I typically require both when others are involved since proper key security can't be enforced (hardware 2FA is the dream).
AuthenticationMethods requiring both wasn't available in OpenSSH prior to v6.2 (May 2013)[1] and I'm on Windows anyway so I went with https://www.bitvise.com/ssh-server.
Say what you want about Windows, but no amount of sneakery can steal input focus from Winlogon window station (yes, there's a separate kernel object for that in NT/Win32K).
This has been a very sporadic issue that I've seen once or twice per year at most, for quite a while with OS X - somehow, another window is able to steal focus from the login screen. I've never been able to reproduce it reliably or find a common element in all of the times it has happened, but it definitely has happened to me and I've also seen co-workers dropping their login password in a chat window due to this. But it is pretty rare, so hard to pin down.
I've also noticed another thing happening more lately - locking the screen, only to have it automatically unlock itself a second or two later. I always have to make sure it actually stays on the screensaver for a few seconds before I trust it will actually lock.
I'm really bothered. While I had relatively no issues with the fresh OS X update, I'm having a hard time with the iPhone 7 and the new iOS that is supposed to run their flagship device: iPhone 10.
While most of the bugs have disappeared with the recent update, there are still some minor ones that really piss me off: screen freezing unresponsively for 30-60 seconds before things get back under control; and music playing randomly (happened a few times. Everything calm. Boom, music starts to play).
I'm pretty sure this mess wasn't here before the update to iOS 11.
Edit: Just found there is a new update. Let's see if they are getting their shit together this time.
I hear this line a lot and yet iPhones get the latest iOS updates for many years after release while many Android phones are lucky to get 1 year of updates.
I would be much happier if Apple didn't "force" me to update my iPad with a pop up message every day. It was running smooth like butter, even with an older version of iOS.
Although this bug still sucks, the class of problems of pasting passwords into chat may have a simple, worthwhile, and general solution. A colleague at a former company always changed the key bindings in his IRC/Jabber client to include a control key with Return for sending a message. Does Slack have this option?
Haha, tried that a couple of months back before wanting to do a reinstall. The system stopped me with some warning :) I think it was Arch but could have been Ubuntu or Solus.
There's a way to still do the rm -rf / bypassing the warning but you shouldn't do that.
Ever since systemd was a thing, that command has stopped being 'safe'. It no longer solely affects the filesystem. It can wipe your EFI variables and make your computer unable to boot at all, even unable to boot installers to reinstall Linux.
Don't think of the file system as just the file system. If you keep thinking of / as only meaning 'whatever's in that hard drive' you will not like what you may encounter.
If it's not there, you can always make it be, like I did in the past with a very similar issue (described in another comment). Quite a few people disable/change OS-wide keyboard shortcuts ;)
I also typed my apple id password to my peer, not into chat, but into another mac in the same room. Mac keyboards can disconnect and connect to wrong devices if used with them once.
That specific setting was: my keyboard was used to setup his mini, mini was turned off and on later. My keyboard, already properly reconnected to my mac at that time, disconnects on timeout (or for whatever reason it does that few times a day). Mini “grabs” my keyboard when it goes back on air. I wake my sleeping mac via trackpad and try to type my password into focused password field. Non-obviously, no characters appear on my screen.
Definitely done that before. Sent my password through Messages to a friend. After that, I learned to keep the finder or a web browser as the thing in focus before I lock my computer.
Last week I was resizing a window in High Sierra, and I noticed that the Chrome app in the background was also scrolling. That was completely unexpected. It's long been the case that the window doesn't need to be on top for this behavior, but in this case it wasn't just a focus issue, it was that I was in resize mode. Completely jarring when it happened, but seems related.
Sounds like the assumption is that the lack of focus means that the first password got sent to Slack? But it seems more likely that it was the second entry of the password that was sent to Slack, and it was just that the keyboard input was being buffered? (So the first password-enter eventually got processed, and then the second one got processed but after unlock.)
A similar thing happens to me sometimes with 1Password on the web. I'll click the extension's icon and type in my password and realize I'm typing it into a text box on the webpage. I've tried to reproduce it and I can't, so I have no idea what the issue is. It freaks me out though.
I think this is a 10.13-only bug, likely tied with some of the other password entry bugs that have popped up due to a bunch of rework with how user login/authentication work.
I had this bug once a long, long, LONG time ago; since then my password is a sentence that doesn't look like a password. Of course I'd still change it if it went out to Slack :)
I'm always worried about this too... sometimes my session doesn't lock because I was watching a video and I go ahead and type my password before looking when I come back (some websites log all keystrokes).
The sheer amount of bugs in High Sierra is ridiculous, with the exception of the root password bug, I've personally experienced the following bugs with my Thunderbolt display:
* In 10.13 or 10.13.1 the built-in web camera was broken. The video would freeze after a few seconds when attempting to use the camera in FaceTime. This was fixed in 10.13.2.
* In 10.13.2 USB audio devices connected to the TB display no longer work properly. After playing audio through the device (USB DAC in my case) for 30-60 seconds, some sort of interference/electrical noise appears for 5-10 seconds every minute or so. I assume this has something to do with "Improves compatibility with certain third-party USB audio devices." from the 10.13.2 release notes.
Why are you still using it then? Operating systems are very complicated beasts, none is perfect but I like Linux the most. There are issues too but I feel like I have more control over it. Sometimes work reasons force people into Mac/Windows though... :(
It is sad. Linux could be better if more people used it. Currently its use for desktop is relatively low. People tend to trust companies more so all they can do now is complain and email company's support department.
This is why Windows NT runs the log-on user interface, the screen saver, and the elevation consent UI on separate desktops that have restrictive ACLs disallowing interactive user processes from creating windows there.
Nobody is denying that the "anti-hijacking" forcing of CTRL-ALT-Delete adds to security, what they're saying is that it has nothing to do with this topic.
This topic is about keyboard input focus. In Windows, due to the process hierarchy the login UI isn't running in the same context as desktop applications, so stealing focus or focus drift couldn't occur.
Yes, and the SAS guarantees that after you enter it, nothing else can have keyboard focus. I don't see why this is such a controversial point. You will never come to unlock your NT workstation and find that the keyboard focus is somewhere you don't expect, because you need to enter the SAS first.
> I don't see why this is such a controversial point.
Because it's untrue. The SAS is a sanity check.
If something is spoofing a login screen on your desktop and you press CTRL+ALT+DEL, you will get a system menu instead of a password prompt.
If you are in the login screen, which is able to hook CTRL+ALT+DEL, it will switch to the password prompt.
Here's the clincher: even if you have the SAS disabled (which it is by default on Windows 10) there is still no way for an app to steal focus from the login screen. The keyboard focus assurances are handled by something completely different - protected desktops (these also handle the UAC prompt for the most secure setting).
Full circle: even though nothing can ever steal focus from the login screen (unless it is running within that protected desktop), if you don't use the SAS there is no way for you to know that you are looking at the real Windows login screen.
The quality of the software and the sacrifice of key functionality in the hardware (dropping of MagSafe, which was a huge differentiator, going to just USB-C ports which almost nothing supports, not even Apple's own in box phone chargers) demonstrates that Apple is purely a design house lately. It has completely faltered on the engineering side. Tim Cook is not an engineer and Jony Ive is not an engineer. There are engineers at the company but they don't seem to be getting a seat at the big table.
You talk as though you're stating facts. However I very much like USB-C for the usual reasons. Of course it's in the early stages, but personally I hook up all my peripherals to my laptop with a single cable. Much convenience.
On .2 already. Never had an unwatch to unlock. The ghost typing happened to me yesterday. I never found out what got my password. Hopefully it wasn't Slack. I assumed it just went to the "root window" (does Quartz have the same concepts as X?) of the lock screen.
I usually press the control key to wake up every computer (shift doesn't work on some). That one time I woke it up by tapping on the touchpad.
The system allows things like key-triggered screen grabs during the login password window (found this out when my 1 year old hit a bunch of keys), which already seems like nonsense.
What's the threat model here? That someone malicious with physical access to the computer somehow shifts focus to a program they know you have running such that, when you type your password, you send it to the malicious person.
That's a very tenuous exploit, seeing as it relies on physical access and knowledge that the victim is already running a program which would hand the password to the attacker were the password typed into it, and I'm assuming that changing focus once the lock screen is active is even possible.
But once the attacker has physical access, there are more things they can do, I'm certain, making this a rather pointless exploit as well. So disclosure isn't giving anyone a new road into the system, it's just making people aware of a potential security flaw in a way Apple might actually care about.
You don't need physical access to the computer at all. All you need is to make your malware program steal focus the same way Slack does it and then you can have the users password for that computer.
It's good practice to always assume bugs aren't innocuous even if you can't think of a way to exploit it.
Most people not in tech or infosec have never heard of and are totally uneducated about the concept of responsible disclosure. Maybe it needs to be added to high school computer class?
But this doesn't really need to be responsibly disclosed: it's not something someone can use to get into your machine, but rather a way you could accidentally broadcast your credentials somewhere unexpected.
Announcing on Twitter seems more like "hey be careful, make sure your password field is focused."
Yes, you can not get into someone else's Mac. However, what if the last opened application was Terminal? I can think of several scenarios where you can do "damage" without logging in, if this bug is real, depending on the last opened application.
So you're going to start typing terminal commands into people's locked MacBooks on the off chance that they've hit this bug and are running a terminal?
It's a flaw that needs to be fixed, for sure, but let's not over-exaggerate the severity as an attack surface. It's much, much more likely that it will cause accidental problems when the owner types something (like in the tweet).
> if this bug is real
Why wouldn't it be? Plenty of people here and on twitter are reporting having hit similar issues (with OS X and even linux, so it doesn't seem completely uncommon).
Plus, even if you understand that, the thrill of having a shot at gaining thousands of followers instantly (like the root empty password guy) if you get lucky and get covered by news outlets is a great incentive for people to not responsibly disclose the security problem. If you responsibly disclose to Apple, it's their mercy to give you any reporting privileges, pay attention to you, and credit you.
That to me is not the right way to think, but in the day and age where number of likes and followers is king, I'd say it's not too irrational.
I've said it before and I'll say it again: You don't need to have heard of "responsible disclosure" to understand that publicly pointing out a bug before it's fixed can lead to people who did not previously know about the bug hearing about it and exploiting it maliciously. That just seems like common sense to me and (I'm willing to bet) many others.
The #iamroot bug was actually filed mid November with product-security@apple.com according to this week's ATP, a couple of weeks before it all blew up on Twitter.
I think the cause is more pertinent than the symptom here - Apple don't seem to notice filed bugs unless they blow up on Twitter.
You've obviously never filed a bug with Apple if you think you could get bug bounty money, or really anything other than "FILED AS DUPLICATE OF RDAR://198017630131903".
I think in the specific case of apple, this serves a nice purpose. I believe macOS has lost a bit of love from the company, and so it’s a nice way (if not the only way) to make management listen.
Apple has a bug bounty program where they'll legitimately pay you to report bugs directly to them. What's with everyone reporting them to Twitter instead and forgoing the extra cash?
People post on Twitter because it actually gets a quick response. According to Lemi Orhan Ergin, the root password bug had been reported directly to Apple five days before his tweet, but there was no response/fix. Then he tweeted about it, and it was fixed the next day.
There's a case to be made for public shaming, sometimes. You're leaving it up to Apple to decide whether they want to pay you or not; they might deny the bounty for some reason, while still fixing the bug. Now you get nothing, in addition to having given Apple time to sweep the issue under the carpet and bury it under a change-log with language that heavily downplays the severity (e.g. "CVE - A buffer overflow could cause an application window behind the lockscreen to retain focus").
Posting it on Twitter, however, draws attention to Apple's waning security practices and how such glaring holes manage to slip past their peer review. It sparks public outrage, and may serve as a wake-up call to the company.
The bounties are low. And registering for those things requires some loss of anonymity before you do get paid.
Those are users dogfooding a product they paid for, and probably well off already, so the Twitter bragging rights are more valuable than the loss of anonymity + $500.
This doesn't seem like it would qualify under their categories. Not to mention, their bug bounty program info is nowhere to be found. I see tech sites reporting that they offer one but nothing on any apple site.