I can't name a single person who ever used "Legacy Filevault"; that's the "encrypt your home directory" thing from Leopard. This issue doesn't impact Lion FDE at all. Lots of people use Lion FDE.
Even the subhed on this story is misleading, and the lede paragraph seems to go out of its way to bury the true article lede, which is "if you're using FileVault home directory encryption, this impacts you" --- instead, it says "in specific configurations".
More generally: can anyone name a single case where ZDNet has broken a story we cared about? Even in this case, ZDNet is rehashing stuff published elsewhere earlier.
But it does appear to affect anyone that does NOT use full disk encryption. If I were to venture to guess, I would estimate that the vast majority of Mac OS Lion customers do not use full disk encryption.
For those that do, you're lucky. For everyone else, this is horrible.
I agree with the comments that if this type of issue was found in a Microsoft product, I suspect there would have been a patch issued in less than a month and probably much sooner. Is Apple just sticking its head in the sand or do they just hope that no one notices the problem while they (slowly) work on getting a fix into a future release?
Or is it that having to do a special patch for this means that Apple has to admit that they have security issues like Microsoft has had to deal with? I'd love to know the reasoning at Apple about why this wasn't fixed as soon as they found out about it.
This is more than just Filevault. This is /any/ user mount of an AFP share, so things like shared user directories, which are common in large organizations, are also vulnerable. The issue here is that this security vulnerability exists, 3 months after it was publicly reported. Surely it wouldn't take that long to release a patch for a pretty critical vulnerability.
>I can't name a single person who ever used "Legacy Filevault"; that's the "encrypt your home directory" thing from Leopard.
I tried it a few times. The saying "fool me once, shame on you, fool me twice, shame on me" hit home for me the second or third time I had to waste time cleaning up a corrupted home directory.
>"This issue doesn't impact Lion FDE at all. Lots of people use Lion FDE."
Wouldn't it be the case that if a person used the same password for full disk encryption that has been exposed by the security flaw, that Lion FDE security would be compromised?
In other words, this seems to be a case where an isolated software flaw creates the potential to exploit a common wetware security flaw.
The claim that ZDnet appears to be making is that this flaw is most likely to make its appearance felt in environments with lots of Macs and a need for backwards compatibility or flexible support for employees with Mac laptops.
It looks to me like the risk is to any ecosystem which supports heterogeneous OSX configurations - e.g. the VP of Sales Macbook may be an attack vector due to the way in which he uses it at home.
Story involves Apple - Overblown, not a threat, everyone is dumb, anyone reporting it is a moron, etc.
Story involving anyone else - Critical fault of enormous consequence demonstrating profound incompetence, anyone not reporting it is a moron, etc.
I'm sorry, Mr. Ptacek, but the other poster who is calling you a "fanboy" is perhaps onto something: You needn't have even made a post because everyone could have predicted with certainty exactly what you were bound to say.
While I agree that this is a security hole and it should be fixed, a headline like that is completely misleading and a scare tactic to drive eyeballs to the article. This flaw only would affect a very small subset of users, but the headline makes it sound like everyone just had their passwords compromised.
So are there literally security researchers that go and poke around in every release of everything major in the software industry to find things like this?
There are. It's the main reason why "security through obscurity" isn't a good idea. There are people who spend their working days searching for this kind of stuff. Log files are probably one of the first places they would look for clues.
Yep. Some are white hats hoping to either make money or reputation by discovering flaws. Don't think that these flaws don't get discovered; sometimes pentest experts discover flaws and keep them in their arsenal for a particularly difficult assessment. Other times, it's a blackhat who discovers them and sells them in the underground world. If you want to experience a jolt, visit www.exploitdb.com and search for vulnerabilities in your favorite software. And be sure that for every exploit listed, there are a few that are kept hush hush.
I'm definitely not seeing that behavior. There was a pop-over ad that I had to skip though. I guess if that were malfunctioning / transparent, you wouldn't realize there was an ad frame hovering over the text?
"Target mode" also works with Thunderbolt. In fact it used to work with SCSI as well; it far predates OS/X as a feature on Macs. It doesn't work over USB though.
The stuff in the article about Firewire mode being involved is really a red herring. You would have the same problem if your stolen laptop were opened up and the hard drive removed. Firewire target mode is just a less-invasive way of doing the same thing.
tptacek | 14 years ago
mrich | 14 years ago
It is simply unacceptable that a user basically reported the issue on their support forum and didn't even get an answer back.
stickfigure | 14 years ago
I used "Legacy Filevault" before it was legacy. Then, when I upgraded to Lion, it took some additional months for me to get around to the FDE upgrade. I had to move around a lot of data to make room.
I consider this a pretty big deal.
Osiris | 14 years ago
Sanddancer | 14 years ago
ben1040 | 14 years ago
I tried it a few times. The saying "fool me once, shame on you, fool me twice, shame on me" hit home for me the second or third time I had to waste time cleaning up a corrupted home directory.
The Lion version seems to work great.
brudgers | 14 years ago
biafra | 14 years ago
Even then, I would not want my password to be written to disk. This would be a serious problem for me.
Tloewald | 14 years ago
huggyface | 14 years ago
sohn | 14 years ago
greghinch | 14 years ago
sakopov | 14 years ago
1. A vital piece of the operating system was compiled with debug flags intact. 2. Apple's lack of response on the issue.
I think this goes hand-in-hand with the recent Kaspersky statement about Apple's poor security considerations.
sceptre | 14 years ago
[deleted]
Xuzz | 14 years ago
joshmlewis | 14 years ago
ams6110 | 14 years ago
stcredzero | 14 years ago
Fixed.
greedo | 14 years ago
amalter | 14 years ago
toemetoch | 14 years ago
vectorpush | 14 years ago
http://news.ycombinator.com/item?id=3925452
The exact same back and forth:
Wow! This is really bad... but it only affects a small subset of users... but they knew about it for months and didn't fix it... come on, nobody real actually uses such a setup... what about me... you're all fanboys, this is just another example of how your religion doesn't hold security as a core tenet among its faithful.
sliverstorm | 14 years ago
DenisM | 14 years ago
ams6110 | 14 years ago
zobzu | 14 years ago
http://cryptome.org/2012/05/apple-filevault-hole.htm
robomartin | 14 years ago
As an advertiser I would feel defrauded. Not one person clicking on the background is doing so out of interest in the advertiser's product.
How common is this practice?
sp332 | 14 years ago
millzlane | 14 years ago
On a serious note, this has happened before. This is just the first time anyone has caught it before a patch. The QA at Apple is pretty noteworthy.
remixhacker | 14 years ago
thespin | 14 years ago
I have some older hardware, which was state of the art when I bought it, that uses FW.
Is FW going to go the way of PCMCIA and CardBus?
bodyfour | 14 years ago
Zr40 | 14 years ago