Apple security blunder exposes Lion login passwords in clear text (zdnet.com)
240 points by Empro on May 6, 2012 | 109 comments

I can't name a single person who ever used "Legacy Filevault"; that's the "encrypt your home directory" thing from Leopard. This issue doesn't impact Lion FDE at all. Lots of people use Lion FDE.

Even the subhed on this story is misleading, and the lede paragraph seems to go out of its way to bury the true article lede, which is "if you're using FileVault home directory encryption, this impacts you" --- instead, it says "in specific configurations".

More generally: can anyone name a single case where ZDNet has broken a story we cared about? Even in this case, ZDNet is rehashing stuff published elsewhere earlier.

I find it interesting how Apple is defended when they make security blunders, while Microsoft was heavily slammed back in the day.

It is simply unacceptable that a user basically reported the issue on their support forum and didn't even get an answer back.

Every single time the topic of Microsoft's security track record has come up on HN, I've waded in to point out what a great job Microsoft has done. Here's one of my highest rated comments from several years ago:


Now, I don't disagree with your general point: Microsoft gets more scrutiny than Apple does on HN about security, and Apple enjoys an inflated perception of platform security here --- I attribute that to a general Unix bias, by the way, and not to Apple fandom.

But please be careful to note that I'm not a part of that phenomenon. You will, if you dig, find comments of mine that are critical of Apple security; you will probably not find comments critical of Microsoft's security practices.

(To be clear: securing a whole platform is an incredibly difficult job, and platform software security talent is some of the hardest to find in the whole industry; both Apple and Microsoft take this stuff seriously and, compared to 2002, both do a fantastic job. Also: the security of the iOS platform is a different story than of the OS X platform.)

I don't see how comment history makes a separate comment more truthful. If anything, it makes people less likely to have proper critical thinking because they know you.

Which is exactly what he points out about your comment, but related to Apple. You know Apple thus you're less likely to criticize them properly.

It doesn't mean what you wrote is entirely wrong, but I think he has a point. MS is very harshly criticized for any security issue, no matter how small, and hey, that's probably a good thing.

For Apple if there's any possibility we find them.. excuses.. really? (and the "I don't know anyone who used file vault before!" sounds terrible, to be honest)

tptacek has been the most prominent defender of Microsoft's security practices on HN for years. Everything you guys are saying about how Apple get off easy while MS get slammed, he has said repeatedly and more coherently. And out of direct experience to boot.

It just didn't happen to be - and still isn't - relevant here.

My point is that it doesn't matter. For example if you follow my thread of comments some are going to be rated way up and actually be pretty insightful.

You'll notice sometimes I'm also wrong and make errors. You could get a strong opinion of me either way (good, or bad) by reading that.

If we were to know pretty well each person (like they do in smaller forums or places where the nickname and history is highlighted), we'd always agree and disagree with the same persons in general (there's always exceptions).

And the person's reply was made on a single post, which I think is the way to go.

I don't know if HN nicks are small and history not as easy to follow as in some other sites on purpose, but I like it.

Now, I've been way off topic, sorry :)

Slightly more on topic tho: MS ain't perfect security wise either, even though they've made huge progress. Microsoft research also has very interesting attempts such as Singularity or Gazelle. I don't know any other company doing that. That's one place I'd want to work for MS.

> Also: the security of the iOS platform is a different story than of the OS X platform.

Interested in this. More secure or less? Any thoughts on it?

Way more secure. To be fair: I've come to this opinion via other, smarter researchers.

Microsoft may be pretty good in reacting to security issues, but many of the holes are results of mind-bogglingly stupid design decisions that are in a class of their own. ActiveX, anyone?

The parent comment isn't defending Apple; @tptacek is pointing out that this issue won't impact a large number of users, that the headline is misleading, and that maybe ZDNet is sensationalizing a minor issue.

It sounded defensive to me. "name a single case where ZDNet has broken a story we cared about" sounded like ZDNet should have shut up about this very important issue. It doesn't matter that they are not the first reporting it, their readers may thank them for it.

I think if your presumption is that my whole experience of ZDNet's security reporting is "when they happen to hit the HN front page", that's a reasonable reading. But it's not. I'm a software security person. I also know Ryan Naraine, well enough that we'd spot each other and say "hi" in a crowd. (I like Ryan, but ZDNet?). I've been interviewed by ZDNet people (we avoid press now).

I'm offering a carefully considered assessment: HN would probably be better off if we just banned ZDNet and venues like ZDNet. Ryan Naraine and Dancho Danchev have other outlets to write in that might make it to HN.

"I've been interviewed by ZDNet people (we avoid press now)."

Curious if one of the reasons for that is that it makes you a target?

That's not it. It's just, very minimal potential upside, lots of annoying downsides. Re-read everything you've read on HN about "being careful talking to the press", assume that --- unlike most startups --- the press is seeking you out pretty regularly, and then consider the mental energy required to minimize the downsides.

YMDV. I'm not even selling a high ticket item but back when I courted the press (simply by writing emails whenever a topic I knew about was mentioned) I've had results that have well paid for themselves in a) the effort and b) the misquotes and annoying downsides. (In one case my small company at the time was mentioned right next to AT&T in a list of 4 companies mentioned.)

I really can't imagine how it wouldn't pay for you (business wise) to be mentioned given what you do in mainstream press. In order to be mentioned in mainstream press it pays to have mention elsewhere as a starter. I can see a CEO with a security problem reading a quote of yours in the WSJ and handing the tearout to someone with the instructions to contact you about some issues they are dealing with. I can see links and quotes from both online and offline mention of your name appearing on your website and giving you an edge on your competition.

By the way mention on your website such as "Our work has been featured in Network World, eWeek, Forbes, Macworld, Wired, and the Washington Post, and at conferences ranging from Black Hat to Gartner" and links to or copies of said articles will not produce the same results. And if the articles are old that is why you need fresh mention.

That said I can totally see (which is why I asked) how a security researcher frequently mentioned in the press, like a former boxer sentenced to prison, becomes a juicy target and that is definitely a downside.

Couple things:

* In my particular line of business, the quality of one's website has vanishingly little to do with success. We have a cookie-cutter front page that says cookie-cutter things; its purpose is to confirm that we are, in fact, a real business. It succeeds at that.

* I have no doubt whatsoever that people outside software security, or maybe even new entrants in software security, have much to gain from press hits. But "fresh hits" do very little for us.

* Only a very small minority of our business is "event driven", such as when a CEO realizes he has an immediate security problem. We're an engineering service. In the overwhelming majority of cases, we're working for other engineers and their product managers who've known for ages that they need help with security; we get engaged when it makes sense in the budget and the dev cycle to engage us.

We're one of the largest pure, dedicated software security firms; we're also one of the more mature/established of them. Most of our business tomorrow will come from executing competently today; people who can reliably flush security flaws out of arbitrary pieces of software are in short supply and high demand.

> I find it interesting how Apple is defended when they make security blunders, while Microsoft was heavily slammed back in the day.

Given that we have a plurality of OS X users on HN (according to the last poll), it's not surprising that post-purchase rationalization is a common response to such articles.

"Post-purchase rationalization"? What a weird thing to say.

Not weird at all. It's a documented phenomenon in marketing research: http://www.jstor.org/discover/10.2307/3150288?uid=3739744...

Since its effect is directly proportional to the cost of the purchase in question, it would make sense that relatively expensive objects, such as smartphones and computers, would trigger a correspondingly stronger negative reaction to criticism of said product.

I'm not doubting that there is post-purchase rationalization. It's just weird to read it from my comment. You think the functioning of OS X's home directory encryption makes me feel threatened because I'm a Mac person?

tptacek is a person who says things about Apple. Not all people who say things about Apple are tptacek.

Saying "people defend the products they buy, sometimes wrongly" is not in any way controversial, and wasn't (in my opinion) about your comments.

Huh? It was a direct response to my comment.

No, it wasn't. It was directly in response to another comment someone else made, not you. They asked a general question, and this person answered that general question. Your comment might have sparked that general question, but it was not the focus of it.

Seriously, not everything needs to revolve around your one comment. FFS.

What are you, Mr Miyagi?

That is NOT correct.

Dissonance model has been shown to not be proportional to price. Which is intuitive as you see fervent defending of brands for products such as beer, wine, websites etc which are relatively low cost or have no cost to the user.

It's a well known behavior, once people have made a commitment they move from analyzing objectively to defending their choice. Not saying it is in play here, but it isn't really unheard of.

[1] http://en.m.wikipedia.org/wiki/Choice-supportive_bias

Dan Gilbert's TED Talk does a great job demonstrating this (http://www.ted.com/talks/dan_gilbert_asks_why_are_we_happy.h...).

Not really, it's very common, people defend things they have an interest in.

>Given that we have a plurality of OS X users on HN (according to the last poll), it's not surprising that post-purchase rationalization is a common response to such articles.

"Post-purchase rationalization", even if we are to take the sketchy "studies have shown route", goes for major stuff, not for each and every fault or bug in a bought product.

People ARE able to talk ill about their products, and in fact Mac and Windows and Linux users speak ill of their systems each and every bloody day. We even have mottos, like "FTFF".

"Back in the day", Microsoft didn't make security blunders. It made things fundamentally insecure as a matter of policy, and could get away with it because they had a virtual monopoly.

This significant difference informs how people respond, regardless of the nature of the blunder.

mrich, no company's engineers can be expected to spend their days reading every single thread on the company's support forum. I wonder if the researcher(s) reported the issue using Apple's Bug Reporter? It has a special category for Security.

What does "support" mean then? They absolutely should have staff skimming the forums and escalating important issues.

The post was made on the Enterprise servers forum. https://discussions.apple.com/thread/3715366

If your company sells software to businesses, the standards are a little higher. Either you make sure such a bug cannot slip through by testing, or you have to make it up in support by at least reading all the new customer questions.

How much effort is it to read the first post of every new thread started there? I bet it can be done by one guy who has basic knowledge of computers, heck just hire a Genius bar guy. :)

This comment doesn’t defend Apple. It doesn’t make any value judgments about Apple at all. It merely attacks the article.

Given that the article is pointing out a security hole in OSX, any attack of the article is an implicit defense of Apple.

When something is factually wrong it’s factually wrong. That’s it. There is nothing else to it.

Nobody said that there is no security hole and no problem.

The comment did not point out anything factually incorrect in the article. The claim was that the author didn't know anyone who engaged in the practices which would lead to a security breach. That's anecdote, not evidence - even given the poster's experience in security there's reason to suspect that such experience would be primarily with Mac installations which take security more seriously than Apple's marketing department portrays it.

Oh come on! Don’t be so dense.

Eh? I used it.

I used "Legacy Filevault" before it was legacy. Then, when I upgraded to Lion, it took some additional months for me to get around to the FDE upgrade. I had to move around a lot of data to make room.

I consider this a pretty big deal.

I'm in the same boat; been using FileVault since day one.

I just checked and, sure enough, my cleartext password is visible if I run:

  $ sudo cat /var/log/asl/* | strings | grep 'password ='

So if my laptop were lost or stolen not only would the encryption be worthless, but my login password is available too. This is a big hole.
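
An audit-oriented version of the check in the comment above, added here as an example and not part of the original thread: it pulls printable runs out of binary log files the way `strings` does, flags `password = ...` entries, and redacts the value so the audit output does not leak it a second time. The sample bytes and their `name = value` layout are constructed (the page does not show the real log entry format), and tolerating extra whitespace and letter case around `password =` is an assumption that goes slightly beyond the original grep.

```python
#!/usr/bin/env python3
"""Audit a log directory for cleartext 'password = ...' entries without echoing them."""
import re
import sys
from pathlib import Path

# Runs of 4+ printable ASCII bytes: the same default heuristic strings(1) applies.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# The needle from the grep above; group 2 is the token assumed to be the secret.
NEEDLE = re.compile(rb"(password\s*=\s*)(\S+)", re.IGNORECASE)

# Constructed sample: NOT a real ASL record, just printable text between binary bytes.
SAMPLE = (
    b"\x00\x00ASL DB\x00\x01\x02"
    b"example-daemon: name = alice, password = Constructed-Pw-1\x00"
    b"\xff\xfe\x00example-daemon: session started\x00"
)


def find_cleartext_passwords(data):
    """Return (offset, match_count, redacted_text) for each printable run with a hit."""
    hits = []
    for run in PRINTABLE_RUN.finditer(data):
        # Redact every occurrence in the run so no secret survives in the report.
        redacted, count = NEEDLE.subn(rb"\1<redacted>", run.group())
        if count:
            hits.append((run.start(), count, redacted.decode("ascii")))
    return hits


def scan_dir(root):
    """Scan every regular file under root; return {path: hits} for files with hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError as exc:
            # System log directories are usually root-only; report and keep going.
            print(f"skipped {path}: {exc}", file=sys.stderr)
            continue
        hits = find_cleartext_passwords(data)
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    # Default is the directory named in the comment above; pass another to override.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/log/asl"
    results = scan_dir(root)
    for name, hits in results.items():
        for offset, count, text in hits:
            print(f"{name} @ byte {offset} ({count} match): {text}")
    # Non-zero exit lets a scheduled job or CI step alert on any finding.
    sys.exit(1 if results else 0)
```

Any file it reports should be treated as containing a compromised credential: rotate the password, then purge or restrict the log.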

Guess today's a good day to switch to FDE

And pray that it doesn't have a similar hole that gets discovered a few months down the line...

You're the one person I know, now. Most everyone I knew that cared to encrypt their laptops (to be clear: that includes my whole team) used PGP WDE. My impression of legacy "homedir" Filevault is that it randomly ate homedirs.

I used it for many years, so did many people I know. Never got any "impressions" about it. It had its (many) flaws, but worked fine for me and was certainly better than no encryption at all.

UNCLE. I'm wrong. People used homedir Filevault.

I stand by (most of) my original comment.

"and was certainly better than no encryption at all."

Evidently not!

I never had legacy FileVault eat my homedir, but I did have issues with it forgetting what program was supposed to be used to open what kinds of files. Very strange, that.

From memory this was due to LaunchServices not waiting until the home directory was completely mounted, and thus launching with default prefs.

There was a workaround I had running for a while in a large deployment in the form of a logouthook that would copy the relevant prefs to a location that LaunchServices would find it before FileVault finished mounting the home directory.

There were a lot of corporate/education deployments running "legacy" FileVault who hadn't invested in PGP WDE or other commercial options, and I bet they haven't all upgraded instantly to the new FileVault when they moved to Lion.

>You're the one person I know, now.

Which means nothing at all, especially since hackers are not known for their extended social circles. It's also the dictionary definition of "anecdotal evidence".

If you want to gauge how many people used the old FileVault, well, one of the ways would be to compare old FileVault support mailing list traffic to the traffic for lists of other OS X offerings.

But it does appear to affect anyone that does NOT use full disk encryption. If I were to venture to guess, I would estimate that the vast majority of Mac OS Lion customers do not use full disk encryption.

For those that do, you're lucky. For everyone else, this is horrible.

I agree with the comments that if this type of issue was found in a Microsoft product, I suspect there would have been a patch issued in less than a month and probably much sooner. Is Apple just sticking its head in the sand or do they just hope that no one notices the problem while they (slowly) work on getting a fix into a future release?

Or is it that having to do a special patch for this means that Apple has to admit that they have security issues like Microsoft has had to deal with? I'd love to know the reasoning at Apple about why this wasn't fixed as soon as they found out about it.

Are you saying that this affects anyone not using filevault? If so, I think you are mistaken - looking at the original post (http://cryptome.org/2012/05/apple-filevault-hole.htm), it appears to be only those using filevault on Lion, and of those, only the people using the legacy mode thereof.

This is more than just Filevault. This is /any/ user mount of an AFP share, so things like shared user directories, which are common in large organizations, are also vulnerable. The issue here is that this security vulnerability exists, 3 months after it was publicly reported. Surely it wouldn't take that long to release a patch for a pretty critical vulnerability.

So that's a good point, but I feel compelled to point out that I've never seen a large organization with AFP shared user directories.

There are far more important vulnerabilities --- clientside drive-by remote code execution, for instance --- that have gone unpatched for longer than this. Do I think 3 months is a reasonable time-to-fix? No comment.

Can these far more important vulnerabilities be fixed as easily as turning off a debug flag?

Personally, in the rare cases when a fix is easy I'd expect it to be deployed promptly (and 3 months doesn't sound reasonable to me).


What do you mean? I just mounted an AFP share and my password did not end up in the syslog.

Okay, re-reading the bug reports, from here and other places, it involves mounting an AFP-mounted home directory. So an average user mount wouldn't log to syslog, but if your home directory was set for a remote mount, or a loopback afs mount, it would be. I'd need a lion box to properly test on; I'd given up on OS X a few years back because I got tired of Apple's idea of Just Fucking Works.

>I can't name a single person who ever used "Legacy Filevault"; that's the "encrypt your home directory" thing from Leopard.

I tried it a few times. The saying "fool me once, shame on you, fool me twice, shame on me" hit home for me the second or third time I had to waste time cleaning up a corrupted home directory.

The Lion version seems to work great.

>"This issue doesn't impact Lion FDE at all. Lots of people use Lion FDE."

Wouldn't it be the case that if a person used the same password for full disk encryption that has been exposed by the security flaw, that Lion FDE security would be compromised?

In other words, this seems to be a case where an isolated software flaw creates the potential to exploit a common wetware security flaw.

The claim that ZDNet appears to be making is that this flaw is most likely to make its appearance felt in environments with lots of Macs and a need for backwards compatibility or flexible support for employees with Mac laptops.

It looks to me like the risk is to any ecosystem which supports heterogeneous OSX configurations - e.g. the VP of Sales Macbook may be an attack vector due to the way in which he uses it at home.

Is the password written to disk if I am not using FileVault or FileVault2 in Lion?

Even then, I would not want my password be written to disk. This would be a serious problem for me.

I don't know about breaking stories anyone cares about, but sometimes they post stories I find interesting, just never about Apple

Story involves Apple - Overblown, not a threat, everyone is dumb, anyone reporting it is a moron, etc.

Story involving anyone else - Critical fault of enormous consequence demonstrating profound incompetence, anyone not reporting it is a moron, etc.

I'm sorry, Mr. Ptacek, but the other poster who is calling you a "fanboy" is perhaps onto something: You needn't have even made a post because everyone could have predicted with certainty exactly what you were bound to say.

That doesn't accurately reflect tptacek's posting history at all. I've seen him defend Microsoft's security practices and for that matter the TSA's security practices, often when others are saying there is a critical fault of enormous consequence. While his views may be a little more pro-establishment than most folks here, I've never seen him act specifically pro-Apple. I think you should read his comment history and then consider apologizing.

I hope I've never said anything pro-TSA on HN.

Well, "pro" in the sense of giving them credit for being well-meaning though mistaken; rather than malicious and wildly incompetent as many would have it.

> I think you should read his comment history and then consider apologizing.

Obviously I am well aware of his comment history, hence why I made the original point. While I don't argue with the premise that, yes, there may have been occasions where he was less than severe on non-Apple, as a whole, he has a profound, unavoidable pro-Apple bias that is impossible to ignore.

User 'sohn managed to say the same thing in far fewer words downthread.

You are a brainless fanboy.

It's funny that this got voted back up from light grey. One might have a morbid interest in the list of people who cast such votes.

I'll admit I find it horrifying that Apple gets caught dumping a password into a debug log (that the log was enabled by default is a simpler mistake) and your response, as the resident security expert is basically "nothing to see here, no one uses that feature anyway" without even a nod to the fact that it's a real hole. That it has become the top comment on a very large thread is even more upsetting.

This isn't a minor issue, it's a huge mistake. It's the kind of thing Microsoft did for years when security wasn't part of their culture. I simply can't imagine you reacting that way to software from any other source.

I guess when you spend most of every week finding horrible security flaws, most of them remotely triggerable (since those are the ones clients care most about) it's hard to get too riled up about an egregious log file hygiene issue that affects only a tiny minority of OSX users.

Or, differently: do you really think that people who can run commands in your Terminal window can't already take control of the OS X kernel?

Also: I object to being designated HN's "resident security expert", and I didn't put my comment at the top of this thread.

While I agree that this is a security hole and it should be fixed, a headline like that is completely misleading and a scare tactic to drive eyeballs to the article. This flaw only would affect a very small subset of users, but the headline makes it sound like everyone just had their passwords compromised.

What I got out of the article seems to be more important than the number of users this could impact.

1. A vital piece of the operating system was compiled with debug flags intact.
2. Apple's lack of response on the issue.

I think this goes hand-in-hand with recent Kaspersky statement about Apple's poor security considerations.

Those are definitely the two 'take-aways'. If there is a hole here... there may be other holes that might be REAL security threats.

Other people are correct as well, in that the headline is link bait. I was expecting to find a way to get clear text passwords from my test OSX Lion setup. I can't actually do that on my test system, and I'd wager the vast majority of hackers can't pull that off either. At least not without changing the setup.

Of course... probably my fault for believing you could.

> If there is a hole here... there may be other holes that might be REAL security threats.

The presence or absence of a specific issue is not indicative of the presence or absence of any other issues.

the presence of issues indicates higher probability of more issues

> 2. Apple's lack of response on the issue.

The takeaway I got was that nobody actually tried to contact Apple's various security contacts and instead just posted on forums.

Note: only applies to people using the old "FileVault" on Lion, not the new "FileVault2" (the one with full-disk encryption).

So are there literally security researchers that go and poke around of every release of everything major in the software industry to find things like this?

There are. It's the main reason why "security through obscurity" isn't a good idea. There are people who spend their working days searching for this kind of stuff. Log files are probably one of the first places they would look for clues.

`grep password` isn't the hardest thing to do either

> There literally security researchers that go and poke around of every release of everything [snip] in the software industry to find things like this


Yep. Some are white hats hoping to either make money or reputation by discovering flaws. Don't think that these flaws don't get discovered; sometimes pentest experts discover flaws and keep them in their arsenal for a particularly difficult assessment. Other times, it's a blackhat who discovers them and sells them in the underground world. If you want to experience a jolt, visit www.exploitdb.com and search for vulnerabilities in your favorite software. And be sure that for every exploit listed, there are a few that are kept hush hush.

Yes, they are called "hackers" .. Especially the black hat kind.

It's actually a very lucrative business if you keep the security bugs secret and sell them on the market. Google "Vupen" for an example.

Only slightly related, but this thread bears a striking resemblance to another HN exploit discussion:


The exact same back and forth:

Wow! This is really bad... but it only affects a small subset of users... but they knew about it for months and didn't fix it... come on, nobody real actually uses such a setup... what about me... you're all fanboys, this is just another example of how your religion doesn't hold security as a core tenet among its faithful.

Go on, let's hear about how devoted Apple is to security again.

You could have made the same point in a less inflammatory way. Next time, please do.

Apologies. Sometimes it just seems I can only catch the attention of the zealots with something a little inflammatory.

Why "catch the attention of the zealots" at all? Isn't that just an admission of trolling?

To hopefully convince a few to recant and acknowledge at least one flaw. I don't mind realistic zealots, only the willfully blind ones.

There is no point to doing this. It's a waste of cycles. People believe what they want to believe, and will only change their mind when they want to.

Your own point, that the ones that bug you are the "willfully blind" ones... do you expect to be able to change someone's mind when they are very intentional about not doing so?

What has worked well for me in dealing with this is to just recognize that we're all at different stages of life, and maybe someday these "willfully blind" will gain perspective and see the broader truth.

The best thing is not to try to force them to see reason, but to demonstrate reason yourself and recognize that at any given point only some people are ready to see reason.

Others may be ready in the future, but they simply aren't now.

Seems more like a QA problem to me, there should be some tests in the QA of a final release build that makes sure all the debug flags are turned off.

That's my point. "Security" is a complete package, that includes good QA.

It's a bit worrying that people noticed this 3 months ago, and there have been no fixes.

Yeah, that seems like a no-brainer to me. Even my company's small 2-person software 2-person QA team has a release test to make sure all debug parameters are shut off. The software won't even run if a debug parameter is on without some special shim that only us devs have.

Does anyone else think that it is slimy for ZDNet to interpret clicks to the site background as the user clicking the ad below the nav-bar?

As an advertiser I would feel defrauded. Not one person clicking on the background is doing so out of interest in the advertiser's product.

How common is this practice?

I'm definitely not seeing that behavior. There was a pop-over ad that I had to skip though. I guess if that were malfunctioning / transparent, you wouldn't realize there was an ad frame hovering over the text?

Perhaps I wasn't clear. It's not the white background, it's the patterned background to the right and left of the content area. To be more precise, they have two div's with class "skinClick" setup on the right and left of the "content" div. You click on either one of those and it's the same as having clicked on the ad just below the nav-bar.

I tested in Safari, Firefox, IE and Chrome, same behavior. There's also the "Wait, your page is loading" popup ad you mentioned.

Oh, I see. Sorry my browser window wasn't that wide, I didn't even notice that background.

Steve called, he said "Just don't use it that way".

On a serious note, this has happened before. This is just the first time anyone has caught it before a patch. The QA at Apple is pretty noteworthy.

the Console Message Inspector is pretty useful, it shows a lot of stuff that is normally hidden.

I thought FireWire was being phased out. (Doubtfully due to security considerations. If I recall, Intel has something faster that uses a USB port.)

I have some older hardware, which was state of the art when I bought it, that uses FW.

Is FW going to go the way of PCMCIA and CardBus?

"Target mode" also works with Thunderbolt. In fact it used to work with SCSI as well; it far predates OS/X as a feature on Macs. It doesn't work over USB though.

The stuff in the article about Firewire mode being involved is really a red herring. You would have the same problem if your stolen laptop were opened up and the harddrive removed. Firewire target mode is just a less-invasive way of doing the same thing.

BTW, another curious part of firewire (unrelated to target mode) is that a firewire device can read and write RAM from a running PC, without interaction. Even when you have "locked the workstation". Random google link: http://www.hermann-uwe.de/blog/physical-memory-attacks-via-f...

Yes, a firewire has the ability to do whatever DMA requests it wants. This is a thruput advantage (especially when processors were slower) since the host CPU only has to set up the data transfer and the rest can happen in hardware. Back in the day, FW400 would beat USB2 in most benchmarks even though the raw bandwidth of USB2 is 20% higher.

The solution to this is to use an IOMMU, which protects memory from DMA traffic just like the CPU's MMU protects it from userland processes. However, I don't know if any current Mac laptops do this.

Thunderbolt, ExpressCard, and PCMCIA ports have the same issue although it'd require some fancier hardware to exploit. I think SD cards as well, but I'm not 100% sure about that.

USB isn't vulnerable to this because the protocol is more like a network card: devices send you packets rather than initiating direct DMA.

Not possible anymore on locked (screen saver, login screen) Macs with Lion's FDE enabled.

That's what I was thinking of when I mentioned security. Maybe it's irrelevant to this story, but I thought it was interesting when I read it.

Most current Macs have a Thunderbolt port, which is quite fast. I don't doubt that USB 3 ports will start to appear in the coming years, too.
