I don't see anyone threatening to switch away from Apple or demanding an immediate personal response from Steve Jobs or ranting how this lapse is unforgivable.
And you can't say it's because this bug only affects a small portion of Lion users as the Dropbox bug also only affected 100 accounts.
Then again, it's Apple. I wouldn't normally even bother commenting here, because nobody from Apple cares. My finest rant would have epsilon impact on anyone at Apple, so why bother?
Dropbox, on the other hand, is present here. Someone might be able to convince them to change their practices for the better by getting on their case here.
That doesn't justify meanness, but a different response from this community over an issue from BigIvoryTowerCo versus OneOfOurOwn shouldn't be surprising.
- The Dropbox issue was not initially reported as 100 exposed accounts; it was reported as "Dropbox vulnerable", and that's something that alarms about 99% of the HN readership.
- Dropbox is a YC company.
- Dropbox is exposed to the world and the issue was seemingly out of users' control (until the facts were known).
The OSX issue is a big screwup, but I see no mystery as to the response.
People are a lot more emotional about problems when they're personally affected.
If the victim is small and accessible, with their reputation on the line, you can put them in their place.
When DropBox broke, the community pounced.
Apple can't be bullied.
With DropBox I can just cancel my membership and sign up somewhere else.
I'm not going to throw my $1000+ Mac with $1000+ in software on it out the window, right along with my livelihood of creating software for iOS. I'm not going to cancel my iPhone contract and pay hundreds in penalties, too, and throw out all my apps and games and switch to Android. Not happening.
They've got us by the balls here, we just have to let them fix this and move on.
It's not bullying to use your own resources to entice (or force) them to do so in a timely manner.
You're right that no one can threaten Apple and get action, but you're wrong in characterizing the threat as bullying.
Everyone was vulnerable for 4 hours.
My old HN account got shadowbanned after I talked shit about Dropbox when that happened. The post got a big number of points (more than anything else I had ever posted) and sparked interesting discussion, but I now know better than to question the Hacker News community's Sacred Cows.
>or ranting how this lapse is unforgivable.
I ranted against Dropbox because of the number of people downplaying the severity; I'm not seeing that with this OS X issue (yet?). With the Dropbox password thing, I saw a frequent argument, also used in their encryption scandal, one that really pissed me off. People were defending them with what boiled down to "you're stupid for expecting them to provide any level of service, as reasonable as it may be, unless their underlying tech doesn't force them to provide it".
Being affected by 3 serious regressions in Lion (all filed as bugs, and Apple closed them as duplicates, btw), I get the feeling that Apple could do better at software engineering. (Alarms on iOS, if you are still not convinced :) Just the fact that they release software that allows authentication without the correct password means that they lack any kind of automated test case verification even for basic functionality, and this is basic functionality we are talking about, not some obscure thing that happens only when a dozen different factors are combined, or a thing that only happens once in a billion tries.
Say what you will about Microsoft, but in my several years of using Windows I rarely had these types of glaring issues, even with the awful amount of hardware it supports. It might just be that Microsoft was forced to adopt better engineering practices due to their situation: a lot of complexity, huge impact potential, and a lot of money at stake (50% of the server market, and the server OS shares a whole lot with the consumer version, etc.).
Not trying to troll, just my thoughts on something I have always wondered about: how engineering culture varies between different successful software companies, and to what effect.
I'm an ex-MS employee. One thing that really impressed me about my team at MS is the depth and quality of testing that was done. Unit tests, integration, fuzz, load, UI, regression, etc. All done in extreme depth, extremely efficiently, and across every supported SKU (and when you consider every possible OS, culture and .NET combination out there, that's a lot).
On the other hand, Apple always nails the user experience - a release like Vista just wouldn't get out the door. But they let other horrendous quality problems through that would and should be caught by better process.
So it sort of illustrates two fairly orthogonal axes of quality and how different companies excel in different directions along those axes.
Yep, I agree. I've been very disappointed with Lion, even taking into account the common "Don't buy an x.0 Apple product", there were some terrible bugs (I was personally bitten by the inability to look up DNS servers after waking from sleep, which I can't believe was missed in testing).
Apple's software quality has been markedly going down. iTunes is a UI mess, and I used to really like it. Safari continues to lag behind the competition (no omnibar/awesome bar? Really?), iWork has stagnated. I suspect the reason is that Apple is growing, and the Eye of Jobs is focused entirely on iOS products, so the quality is being diluted in other areas.
I strongly feel like Apple's leadership is looking forward to the day when they can kill off the Mac completely. The line of "we'll always need something for developers to develop on" doesn't make a lot of sense. With Apple on x86, I can see a future where Xcode lives on Ubuntu/Windows.
People have said the same thing about nearly every OS X release (with the possible exception of 10.1). At least Lion doesn't erase your FireWire hard drives, or delete your entire home folder, etc. etc. The comparative severity of these really bad bugs can be debated, but I think in terms of general quality OS X 10.0 − 10.2 really were quite a lot worse than the more recent releases.
I don't disagree with your general point though, the Mac is obviously not their priority anymore, and hasn't been for a while.
Yeah - it sounds unrealistic for any other company but Apple is not at all shy of ignoring and finally dumping products that don't do great for their bottom line.
Either Xcode on Windows/Linux OR Web IDE - iOS App Development may be offered as a service. You develop on the web and submit code to Apple's server farm where specialized devices compile/deploy/run it and send it to your device to test it - maximum control for Apple. But I think that's a little too sophisticated - so might be a while!
They're doing well these days, but it didn't happen overnight.
Also, although I'm not defending anyone, I've never worked on an operating system before but I can imagine QA isn't a walk in the park.
OS QA is a pain - a huge one for Microsoft given the complexity and volumes involved. The pain is in dealing with unknowns and unpredictable combinations of thousands of different variables and what reaction it produces.
But for something like authentication there must be standard test cases that are automatically executed and verified: blank password authentication, wrong password auth, etc. should all be standard test cases that are executed automatically, and no software should go out the door until those basics are looking good.
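To make the "standard test cases" idea concrete, here is an added example (not code from the thread, from Apple, or from any real directory client) of a fail-closed login routine and the release-gate checks that should run against it automatically. The users, passwords and the two simulated directory binds are constructed for this example; `permissive_bind` merely simulates a directory that accepts a name with an empty password as an anonymous bind, a behaviour some directory servers have historically had, and is not a claim about what caused the Lion bug.

```python
"""Constructed example: fail-closed login plus the basic authentication
cases a release gate should execute automatically. Sample users and the
simulated directory binds are made up for illustration."""
import hashlib
import hmac
import os
from typing import Callable


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_directory(credentials: dict) -> dict:
    """username -> (salt, pbkdf2 hash). Constructed sample data only."""
    directory = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        directory[user] = (salt, _hash_password(password, salt))
    return directory


SAMPLE_DIRECTORY = make_directory({"alice": "correct horse battery staple",
                                   "bob": "hunter2"})


def strict_bind(username: str, password: str) -> bool:
    """Simulated directory bind that verifies the password every time."""
    entry = SAMPLE_DIRECTORY.get(username)
    if entry is None:
        _hash_password(password, b"\x00" * 16)  # same work for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


def permissive_bind(username: str, password: str) -> bool:
    """Simulated directory that treats a known name plus an empty password
    as an anonymous ('unauthenticated') bind and reports success. This is
    why a client must never rely on the raw bind result alone."""
    if username in SAMPLE_DIRECTORY and password == "":
        return True
    return strict_bind(username, password)


def login(bind: Callable[[str, str], bool], username: str, password: str,
          reject_blank: bool = True) -> bool:
    """Return True only for a verified credential; every other path is False."""
    if reject_blank and (not username or not password):
        return False  # never even ask the directory about a blank credential
    try:
        return bind(username, password) is True
    except Exception:
        return False  # fail closed on any backend error


# The basic cases from the comment above, plus a few obvious neighbours.
STANDARD_CASES = [
    ("correct password", "alice", "correct horse battery staple", True),
    ("wrong password", "alice", "wrong", False),
    ("blank password", "alice", "", False),
    ("blank username", "", "hunter2", False),
    ("unknown user", "mallory", "hunter2", False),
    ("other user's password", "alice", "hunter2", False),
    ("case-changed password", "bob", "Hunter2", False),
]


def run_release_gate(authenticate: Callable[[str, str], bool]) -> list:
    """Run every standard case; return the names of the ones that fail.
    An empty list means the basics pass; anything else should block a release."""
    failures = []
    for name, user, pw, expected in STANDARD_CASES:
        if authenticate(user, pw) is not expected:
            failures.append(name)
    return failures


if __name__ == "__main__":
    good = run_release_gate(lambda u, p: login(strict_bind, u, p))
    naive = run_release_gate(lambda u, p: login(permissive_bind, u, p, reject_blank=False))
    print("fail-closed client:", "PASS" if not good else good)
    print("client trusting a permissive bind:", "PASS" if not naive else naive)
```

The gate is deliberately cheap: seven calls, no fixtures beyond an in-memory directory, so there is no excuse for not wiring it into every build. Note that the naive client fails only the blank-password case, which is exactly the kind of gap a "wrong password" test alone would not reveal.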
If the latter, the impact is bad, but not as bad (you'll be able to get access to the machine you're sitting at, but not to any server-side resources).
We're all pretty busy lately, too.
(-2. You guys are funny. In case it matters: I'm not being snarky. They really don't).
> Not many people in the security community use Mac servers in such a way that they need LDAP, and of those people, very few are running Lion on their servers.
Therefore, we see that Mr. Ptacek thinks "it went by almost a month without getting picked up by the security community" because "Not many people in the security community use Mac servers".
Enterprises should not be doing immediate upgrades to any operating system, no matter how sparkly. I'm still waiting to upgrade my MacBook, and it's just me. No OS release goes off without a hitch (though there are some pretty impressive Linux releases!).
I've no idea how complex a problem it is to fix, but it is worrying that it seems to be taking a while for Apple to fix it.
Here are several other issues I wrote up a couple of years ago, the last time I was forced to use Mac OS X server: http://edtechdev.wordpress.com/2009/01/31/dont-use-mac-os-x-...
LDAP wasn't originally designed to be an authentication protocol. If Mac clients are using it to make authentication decisions, they had better be requiring SSL/TLS on that connection (and validating the server cert perfectly, too).
Sounds to me like impersonating an LDAP server would grant login to Macs configured thusly.
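As an added illustration of the point about requiring SSL/TLS and validating the server certificate (example code, not from the thread or from any Apple or LDAP client source), the following shows how a client that makes login decisions based on a directory should configure its TLS side in Python's standard `ssl` module, alongside an audit helper that flags the weak settings that would let a fake directory server be accepted. The CA file path is a placeholder and no network connection is made.

```python
"""Constructed example: a strict TLS client configuration for a directory
connection, a deliberately weak one for comparison, and an audit function
that reports the settings which would let an impersonated server through."""
import socket
import ssl
from typing import List, Optional


def make_directory_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context that refuses unverified servers and hostname mismatches.
    ca_file is a placeholder for the CA that signs your directory's cert;
    None falls back to the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True            # name in cert must match the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED  # no certificate chain, no connection
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context_for_comparison() -> ssl.SSLContext:
    """The configuration to avoid: any certificate, any name, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable problems; an empty list means the context is strict
    enough to use for authentication decisions."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("allows TLS versions below 1.2")
    return problems


def connect_directory(host: str, port: int = 636,
                      ca_file: Optional[str] = None) -> ssl.SSLSocket:
    """Open an LDAPS connection with the strict context (not called here).
    Assumes the directory listens on the standard LDAPS port; the caller
    still has to reject blank credentials before issuing a bind."""
    ctx = make_directory_tls_context(ca_file)
    if audit_tls_context(ctx):
        raise RuntimeError("refusing to authenticate over a weak TLS context")
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("strict:", audit_tls_context(make_directory_tls_context()) or "ok")
    print("weak:  ", audit_tls_context(weak_context_for_comparison()))
```

The audit runs before any socket is opened, so a misconfiguration surfaces at startup rather than as a silently accepted impostor. Passing `server_hostname` to `wrap_socket` is what makes `check_hostname` meaningful; without it the context has nothing to compare the certificate's name against.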