Even the subhed on this story is misleading, and the lede paragraph seems to go out of its way to bury the true article lede, which is "if you're using FileVault home directory encryption, this impacts you" --- instead, it says "in specific configurations".
More generally: can anyone name a single case where ZDNet has broken a story we cared about? Even in this case, ZDNet is rehashing stuff published elsewhere earlier.
It is simply unacceptable that a user basically reported the issue on their support forum and didn't even get an answer back.
Now, I don't disagree with your general point: Microsoft gets more scrutiny than Apple does on HN about security, and Apple enjoys an inflated perception of platform security here --- I attribute that to a general Unix bias, by the way, and not to Apple fandom.
But please be careful to note that I'm not a part of that phenomenon. You will, if you dig, find comments of mine that are critical of Apple security; you will probably not find comments critical of Microsoft's security practices.
(To be clear: securing a whole platform is an incredibly difficult job, and platform software security talent is some of the hardest to find in the whole industry; both Apple and Microsoft take this stuff seriously and, compared to 2002, both do a fantastic job. Also: the security of the iOS platform is a different story than of the OS X platform.)
Which is exactly what he points out about your comment, but related to Apple. You know Apple, thus you're less likely to criticize them properly.
It doesn't mean what you wrote is entirely wrong, but I think he has a point. MS is very harshly criticized for any security issue, no matter how small, and hey, that's probably a good thing.
For Apple, if there's any possibility, we find them... excuses... really? (and the "I don't know anyone who used FileVault before!" sounds terrible, to be honest)
It just didn't happen to be - and still isn't - relevant here.
You'll notice sometimes I'm also wrong and make errors. You could get a strong opinion of me either way (good, or bad) by reading that.
If we were to know pretty well each person (like they do in smaller forums or places where the nickname and history is highlighted), we'd always agree and disagree with the same persons in general (there's always exceptions).
And the person's reply was made on a single post, which I think is the way to go.
I don't know if HN nicks are small and history not as easy to follow as in some other sites on purpose, but I like it.
Now, I've been way off topic, sorry :)
Slightly more on topic though: MS ain't perfect security-wise either, even though they've made huge progress. Microsoft Research also has very interesting attempts such as Singularity or Gazelle. I don't know any other company doing that. That's one place I'd want to work for MS.
Interested in this. More secure or less? Any thoughts on it?
I'm offering a carefully considered assessment: HN would probably be better off if we just banned ZDNet and venues like ZDNet. Ryan Naraine and Dancho Danchev have other outlets to write in that might make it to HN.
Curious if one of the reasons for that is that it makes you a target?
I really can't imagine how it wouldn't pay for you (business wise) to be mentioned given what you do in mainstream press. In order to be mentioned in mainstream press it pays to have mention elsewhere as a starter. I can see a CEO with a security problem reading a quote of yours in the WSJ and handing the tearout to someone with the instructions to contact you about some issues they are dealing with. I can see links and quotes from both online and offline mention of your name appearing on your website and giving you an edge on your competition.
By the way mention on your website such as "Our work has been featured in Network World, eWeek, Forbes, Macworld, Wired, and the Washington Post, and at conferences ranging from Black Hat to Gartner" and links to or copies of said articles will not produce the same results. And if the articles are old that is why you need fresh mention.
That said I can totally see (which is why I asked) how a security researcher frequently mentioned in the press, like a former boxer sentenced to prison, becomes a juicy target and that is definitely a downside.
* In my particular line of business, the quality of one's website has vanishingly little to do with success. We have a cookie-cutter front page that says cookie-cutter things; its purpose is to confirm that we are, in fact, a real business. It succeeds at that.
* I have no doubt whatsoever that people outside software security, or maybe even new entrants in software security, have much to gain from press hits. But "fresh hits" do very little for us.
* Only a very small minority of our business is "event driven", such as when a CEO realizes he has an immediate security problem. We're an engineering service. In the overwhelming majority of cases, we're working for other engineers and their product managers who've known for ages that they need help with security; we get engaged when it makes sense in the budget and the dev cycle to engage us.
We're one of the largest pure, dedicated software security firms; we're also one of the more mature/established of them. Most of our business tomorrow will come from executing competently today; people who can reliably flush security flaws out of arbitrary pieces of software are in short supply and high demand.
Given that we have a plurality of OS X users on HN (according to the last poll), it's not surprising that post-purchase rationalization is a common response to such articles.
Since its effect is directly proportional to the cost of the purchase in question, it would make sense that relatively expensive objects, such as smartphones and computers, would trigger a correspondingly stronger negative reaction to criticism of said product.
Saying "people defend the products they buy, sometimes wrongly" is not in any way controversial, and wasn't (in my opinion) about your comments.
Seriously, not everything need revolve around your one comment. FFS.
The dissonance model has been shown not to be proportional to price. Which is intuitive, as you see fervent defending of brands for products such as beer, wine, websites, etc. which are relatively low cost or have no cost to the user.
"Post-purchase rationalization", even if we are to take the sketchy "studies have shown" route, goes for major stuff, not for each and every fault or bug in a bought product.
People ARE able to talk ill about their products, and in fact Mac and Windows and Linux users speak ill of their systems each and every bloody day. We even have mottos, like "FTFF".
This significant difference informs how people respond, regardless of the nature of the blunder.
If your company sells software to businesses, the standards are a little higher. Either you make sure such a bug cannot slip through by testing, or you have to make it up in support by at least reading all the new customer questions.
How much effort is it to read the first post of every new thread started there? I bet it can be done by one guy who has basic knowledge of computers, heck just hire a Genius bar guy. :)
Nobody said that there is no security hole and no problem.
I used "Legacy Filevault" before it was legacy. Then, when I upgraded to Lion, it took some additional months for me to get around to the FDE upgrade. I had to move around a lot of data to make room.
I consider this a pretty big deal.
I just checked and, sure enough, my cleartext password is visible if I run:
$ sudo cat /var/log/asl/* | strings | grep 'password ='
Guess today's a good day to switch to FDE
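A defender's version of the check in the comment above, added here and not part of the thread: it scans a directory of log files (the thread's `/var/log/asl`, or any archived copy) for the same `password =` marker, but reports a hit count and redacted lines instead of echoing the secret, which is what you want before rotating the password and purging the logs. The sample log lines and their format are constructed for a stand-alone run, not Apple's actual log format.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a directory of log files for the
# "password =" marker that the thread's grep command looks for, but report counts and
# redacted context instead of echoing the cleartext secret. Point it at /var/log/asl
# (as in the thread) or at any archived copy of the logs. The sample logs below are
# constructed so the script runs stand-alone; the line format is invented, not Apple's.

# Print how many lines under DIR contain "password =". ASL files are binary, so each
# file is first reduced to printable text (a portable stand-in for `strings`).
count_password_hits() {
    dir="$1"
    total=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        n=$(LC_ALL=C tr -cs '[:print:]\n' '\n' < "$f" | grep -c 'password =') || n=0
        total=$((total + n))
    done
    echo "$total"
}

# Print each matching line with the secret replaced, so the audit output is safe to
# paste into a ticket while still showing which process and account were affected.
redacted_hits() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        LC_ALL=C tr -cs '[:print:]\n' '\n' < "$f" \
            | grep 'password =' \
            | sed 's/password = .*/password = [REDACTED]/'
    done
}

# Constructed sample logs: two leaked lines in one file, none in the other.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' \
  'Apr 30 09:12:01 mac authorizationhost[211]: DEBUGLOG | mounting home for user = alice password = correct-horse' \
  'Apr 30 09:12:02 mac loginwindow[88]: login succeeded for alice' \
  'Apr 30 18:40:15 mac authorizationhost[212]: DEBUGLOG | mounting home for user = alice password = correct-horse' \
  > "$SAMPLE_DIR/system.log.0"
printf 'May 1 07:00:00 mac kernel[0]: wake reason: EC.LidOpen\n' > "$SAMPLE_DIR/system.log.1"

echo "hits: $(count_password_hits "$SAMPLE_DIR")"   # 2 on the sample data
redacted_hits "$SAMPLE_DIR"
```

A non-zero count on a real machine means the account password should be treated as exposed everywhere it was reused, including the Lion FDE passphrase if it is the same one.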
I stand by (most of) my original comment.
There was a workaround I had running for a while in a large deployment in the form of a logouthook that would copy the relevant prefs to a location where LaunchServices would find it before FileVault finished mounting the home directory.
There were a lot of corporate/education deployments running "legacy" FileVault who hadn't invested in PGP WDE or other commercial options, and I bet they haven't all upgraded instantly to the new FileVault when they moved to Lion.
Which means nothing at all, especially since hackers are not known for their extended social circles. It's also the dictionary definition of "anecdotal evidence".
If you want to gauge how many people used the old FileVault, well, one of the ways would be to compare old FileVault support mailing list traffic to the traffic for lists of other OS X offerings.
For those that do, you're lucky. For everyone else, this is horrible.
I agree with the comments that if this type of issue was found in a Microsoft product, I suspect there would have been a patch issued in less than a month and probably much sooner. Is Apple just sticking its head in the sand or do they just hope that no one notices the problem while they (slowly) work on getting a fix into a future release?
Or is it that having to do a special patch for this means that Apple has to admit that they have security issues like Microsoft has had to deal with? I'd love to know the reasoning at Apple about why this wasn't fixed as soon as they found out about it.
There are far more important vulnerabilities --- clientside drive-by remote code execution, for instance --- that have gone unpatched for longer than this. Do I think 3 months is a reasonable time-to-fix? No comment.
Personally, in the rare cases when a fix is easy I'd expect it to be deployed promptly (and 3 months doesn't sound reasonable to me).
I tried it a few times. The saying "fool me once, shame on you, fool me twice, shame on me" hit home for me the second or third time I had to waste time cleaning up a corrupted home directory.
The Lion version seems to work great.
Wouldn't it be the case that if a person used the same password for full disk encryption that has been exposed by the security flaw, that Lion FDE security would be compromised?
In other words, this seems to be a case where an isolated software flaw creates the potential to exploit a common wetware security flaw.
The claim ZDNet appears to be making is that this flaw is most likely to make its appearance felt in environments with lots of Macs and a need for backwards compatibility or flexible support for employees with Mac laptops.
It looks to me like the risk is to any ecosystem which supports heterogeneous OSX configurations - e.g. the VP of Sales Macbook may be an attack vector due to the way in which he uses it at home.
Even then, I would not want my password to be written to disk. This would be a serious problem for me.
Story involving anyone else - Critical fault of enormous consequence demonstrating profound incompetence, anyone not reporting it is a moron, etc.
I'm sorry, Mr. Ptacek, but the other poster who called you a "fanboy" is perhaps onto something: You needn't have even made a post because everyone could have predicted with certainty exactly what you were bound to say.
Obviously I am well aware of his comment history, hence why I made the original point. While I don't argue with the premise that, yes, there may have been occasions where he was less than severe on non-Apple, as a whole, he has a profound, unavoidable pro-Apple bias that is impossible to ignore.
This isn't a minor issue, it's a huge mistake. It's the kind of thing Microsoft did for years when security wasn't part of their culture. I simply can't imagine you reacting that way to software from any other source.
Or, differently: do you really think that people who can run commands in your Terminal window can't already take control of the OS X kernel?
Also: I object to being designated HN's "resident security expert", and I didn't put my comment at the top of this thread.
1. A vital piece of the operating system was compiled with debug flags intact.
2. Apple's lack of response on the issue.
I think this goes hand-in-hand with the recent Kaspersky statement about Apple's poor security considerations.
Other people are correct as well, in that the headline is link bait. I was expecting to find a way to get clear text passwords from my test OSX Lion setup. I can't actually do that on my test system, and I'd wager the vast majority of hackers can't pull that off either. At least not without changing the setup.
Of course... probably my fault for believing you could.
The presence or absence of a specific issue is not indicative of the presence or absence of any other issues.
The takeaway I got was that nobody actually tried to contact Apple's various security contacts and instead just posted on forums.
The exact same back and forth:
Wow! This is really bad... but it only affects a small subset of users... but they knew about it for months and didn't fix it... come on, nobody real actually uses such a setup... what about me... you're all fanboys, this is just another example of how your religion doesn't hold security as a core tenet among its faithful.
Your own point, that the ones that bug you are the "willfully blind" ones... do you expect to be able to change someone's mind when they are very intentional about not doing so?
What has worked well for me in dealing with this is to just recognize that we're all at different stages of life, and maybe someday these "willfully blind" will gain perspective and see the broader truth.
The best thing is not to try to force them to see reason, but to demonstrate reason yourself and recognize that at any given point only some people are ready to see reason.
Others may be ready in the future, but they simply aren't now.
As an advertiser I would feel defrauded. Not one person clicking on the background is doing so out of interest in the advertiser's product.
How common is this practice?
I tested in Safari, Firefox, IE and Chrome, same behavior. There's also the "Wait, your page is loading" popup ad you mentioned.
On a serious note, this has happened before. This is just the first time anyone has caught it before a patch. The QA at Apple is pretty noteworthy.
I have some older hardware, which was state of the art when I bought it, that uses FW.
Is FW going to go the way of PCMCIA and CardBus?
The stuff in the article about Firewire mode being involved is really a red herring. You would have the same problem if your stolen laptop were opened up and the hard drive removed. Firewire target mode is just a less-invasive way of doing the same thing.
The solution to this is to use an IOMMU, which protects memory from DMA traffic just like the CPU's MMU protects it from userland processes. However, I don't know if any current Mac laptops do this.
Thunderbolt, ExpressCard, and PCMCIA ports have the same issue although it'd require some fancier hardware to exploit. I think SD cards as well, but I'm not 100% sure about that.
USB isn't vulnerable to this because the protocol is more like a network card: devices send you packets rather than initiating direct DMA.